Well, I appreciate, as David Millington said, that people need to learn etc. and experience is the best teacher etc., but I am a bit disappointed: you'd have to wonder if it wasn't really sorted out properly yesterday after all.
Regardless, I hope they can sort it out quickly, once and for all. I can imagine the kind of panic and confusion this would create in the minds of clients, end-user customers and upper managers etc. :-(
Javier Hernández I have heard that Palestine has a couple of webmasters working for free.
/sub and grab popcorn
They'd better have a simple message on a static page apologising for being offline, rather than this shit. It is almost impossible to hijack a simple webpage; otherwise they should have someone guarding it all the time and switch machines when this happens, and in the meantime reinstall the hacked machine.
It is all very unpleasant, but a company does not have to go through this when it does not want it.
This costs customers. Who trusts a software producer who cannot run safe software himself?
Bert Verhees, chances are they hacked the server or account, not the web page. The only question is how isolated this server was, and if it was in-house or not (i.e. if it can be used to attack other servers).
Don't visit emba websites at the moment. The danger of getting some viruses is very high!
/...
...meanwhile you may want to visit http://www.lazarus-ide.org/
I'm really worried!!!
/hacked
illuminati confirmed
http://thehackernews.com/2016/02/glibc-linux-flaw.html
"Oh god! It's better to get away from all Linux servers"
"Oh, I think they should fire someone today"
"I bet only morons are writing glibc code nowadays"
http://www.ibtimes.co.uk/nasa-hack-anonsec-attempts-crash-222m-drone-releases-secret-flight-videos-employee-data-1541254
"Crap! NASA was hacked! Only idiots work on NASA these days!"
"NASA devs have been all offshored, that's why!"
Alexandre Machado, those links are very interesting, thanks for sharing.
I wonder if there will be an official response from EMB?
Rick Wheeler, I think they will probably give some feedback about it. Anyway, I think there is a lot of overreaction about this. Off the top of my head: PayPal, Ashley Madison, CNN, Yahoo Mail, WhatsApp were all hacked in the last 12 months or so. Syrian and Palestinian hackers alone broke into more than one hundred well-known companies' web servers. This Linux vulnerability is FAR more serious than Embarcadero website's, and you are probably clicking on a link on a web page hosted on a vulnerable Linux web server right now, without even knowing it.
Alexandre Machado, perhaps you are right about the overreaction UNLESS they were able to steal personal and CC information, which most of us entrust to EMB.
In fact, since they now brag on their website that over 3 million developers choose Delphi/RAD Studio, the temptation will be very high for hackers to continue their pursuit.
I'd be more comfortable if EMB would employ an external security agency to plug up the holes in their systems.
Rick Wheeler, stealing of personal information is always serious. What I meant about overreaction is the "I don't trust EMB tools because their web site was hacked" or "Their web master is stupid" nonsense. Where are the Python fans here? Python is also vulnerable to the glibc exploit, so probably Python is also crap, isn't it? PHP is also vulnerable, but it is already crap, no need to enforce it :-)
If I were planning to steal any information from a website by some hack, I would camouflage that hack as best as possible.
Uwe Raabe, agree - maybe they had a good look around and found there was nothing worth stealing, so just defaced the website instead.
Alexandre Machado, I agree this will certainly not affect my decision to buy their products, and I think it would be an overreaction if it did.
Good point, Uwe Raabe, hackers want to be seen; it is like terrorism, not for profit but for visibility, to show that it is possible, to show that we are vulnerable. We cannot know how vulnerable we really are. We don't know the details, and we will only get to know them if it is inevitable to let us know.
Eric Grange, and to investigate any correlation with the Japanese advertising on the community site.
Rick Wheeler, but you have to go through their hacked infrastructure to download/install/register their products.
Until I see a statement detailing which parts of their infrastructure are safe (including grade B or better TLS), I won't install their products.
It's not hard to put proper TLS in front of internal HTTP. https://pluimers.com does that. Even though it makes little sense, you can even do it for external links: https://pluimers.com/wiert is nothing but a shell around http://wiert.me, as an experiment to see if it would work (as the paid WordPress.com cheaply fails to put the proper domain information on https://wiert.me).
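As an added illustration of the point above about putting proper TLS in front of an internal plain-HTTP service, here is an nginx reverse-proxy configuration that terminates TLS, redirects plain HTTP to HTTPS and sets HSTS. This is example configuration written for this thread, not the actual configuration behind pluimers.com; the hostname `example.invalid`, the certificate paths and the backend address `127.0.0.1:8080` are placeholders. The protocol and cipher choices are the kind that a TLS grading scanner such as Qualys SSL Labs rates A rather than the "grade B" floor mentioned earlier in the thread.

```nginx
# Added example (not pluimers.com's own configuration): nginx as a TLS
# terminator in front of an internal service that only speaks HTTP.
# Hostname, certificate paths and backend address are assumed placeholders.

# Redirect every plain-HTTP request to HTTPS so the backend is never
# reachable unencrypted from outside.
server {
    listen 80;
    server_name example.invalid;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.invalid;

    # Certificate chain and private key issued for example.invalid (paths assumed).
    ssl_certificate     /etc/ssl/private/example.invalid.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/example.invalid.key;

    # TLS 1.2 and 1.3 only; forward-secret AEAD ciphers, no legacy suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Tell browsers to insist on HTTPS for this host (and subdomains) for two years.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    location / {
        # The internal service listens on a loopback address over plain HTTP;
        # only this proxy can reach it, so the unencrypted hop never leaves the host.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

The important property is that the backend binds to a loopback or private address only, so there is no path to it that bypasses the TLS front. The `X-Forwarded-Proto` header lets an application behind the proxy generate `https://` links and mark cookies `Secure` even though it sees a plain-HTTP request itself.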
At least if it blamed the Freemasons and Illuminati for JavaScript, I could somewhat get behind this new Embarcadero website. I mean, on the plus side, it's not selling Delphi Pro for $12K anymore. And the new logo is cooler than the helmet... it's got some fire like FireMonkey...
But which one of the new employees listed is replacing Alan Bauer? Unknown Al? Darkshadow?
Ralf Stocker "Don't visit emba websites at the moment. The danger of getting some viruses is very high!"
But then where will the Russians buy their software to write their viruses with? THAT'S BITING THE HAND THAT FEEDS YOU.
Sergey Kasandrov "...meanwhile you may want to visit http://www.lazarus-ide.org/"
Where at least any viruses or trojans or antisemitic web pages will have their source code available! ;-)
Rick Wheeler "I agree this will certainly not affect my decision to buy their products and I think it would be an overreaction if it did."
I'll post here tomorrow the full story of that Delphi security flaw and how they (eventually) fixed it, then you tell me if you've changed your mind. You guys don't realize how little priority the current gang at EMBT places on security.
Jeroen Wiert Pluimers, Jeroen, you've been warning them for how many months now about how insecure the website is? They never fixed it, now this. There's no concern for security at EMBT. You get a nice big "I told you so."
Joseph Mitzen, the name of the former chief scientist is Allen Bauer. You're so anxious to externalize your joy due to recent events on the EMBT website....
Alexandre Machado, I'm trying to find something to laugh about because this is otherwise not funny. We don't know if they have e-mails, passwords or credit card information; there's no joy in that. I've lost money before from my checking account thanks to a hacked website.
Joseph Mitzen, I'm not sure if the two are correlated, so a "told you so" (which I hardly say, as I hate them) is not in place, but surely a statement (any: just a "we're working on it" would be fine) is overdue.
Jeroen Wiert Pluimers, you raised a good point about the downloads, so will be interested to see what the official response is from EMB.
Joseph Mitzen, I'm interested in security; maybe I've not thought through how this affects me directly. Will be interested in your further comments.
The fact that other sites have been hacked does not lessen the seriousness of this. The fact that other software has vulnerabilities does not mean that we should regard vulnerabilities as being acceptable and of no consequence.
What I'd like to see is an official response. Where is it? At the very least we should by now have had a response to say that the hack is being investigated. That the site was put back up and then hacked again indicates that the reaction so far has been poor.
And in slower time Emba need to restore confidence. For me that will take the involvement of a respected external agency. There's clear evidence that the in-house staff at Emba are not sufficiently competent to deal with internet security. They need to get some experts to help them.
Sergey Kasandrov, FPC can't compile my code - not even for a non-visual project. Their generics are incomplete.
Over the weekend, hackers attacked the Embarcadero web site. The hack was confined to the Website CMS front end, which also serves the start page banner. The network was not accessed, and NO customer or internal data was exposed or compromised. The issue was identified and fixed.
They ought to write it with kbmMW. Then it would not be hacked ☺ Been running 24x7 for years with lots and lots of hacking attempts with no success at all.
Jim McKeeth, thanks for the tidbit... now, since the IDE serves up HTTP content, how about some analysis of the content served by the IDEs on our work machines? Can you confirm with 100% certainty that the IDE-displayed content was not compromised in any way? If not, have you done an analysis of what exactly was altered during this attack? If so, does that altered content pose any risk to our machines or our networks? What are you doing in the future to prevent such attacks? What are your plans for further securing the content displayed within the IDE, which has been shown to be a possible attack vector? I would suggest at this point that everyone disable the Welcome Page that displays this vulnerable content in an insecure manner... wouldn't you? http://wiert.me/2016/03/14/delphi-disable-or-change-your-welcome-page-to-not-use-the-embarcadero-site-as-that-site-has-been-hacked-twice-this-weekend/
Darian Miller, we are having a number of discussions on how to do better and prevent this from happening again. If you have some specific questions you can follow up with me offline at jim.mckeeth@embarcadero.com and I can put you in touch with others that can address specific concerns.