Forgot your password?
typodupeerror
Security It's funny.  Laugh. IT

Fox News' FTP Password Anyone? 611

Posted by CmdrTaco
from the fair-and-balanced dept.
An anonymous reader writes "While browsing around the Fox News website, I found that directory indexes are turned on. So, I started following the tree up, until I got to /admin. Eventually, I found my way into /admin/xml_parser/zdnet/, in which, there is a shell script. Seeing as it's a shell script, and I use Linux, I took a peek. Inside, is a username and password to an FTP. So, of course, I tried to login. The result? Epic fail on Fox's part. And seriously, what kind of password is T1me Out. This is just pathetic." It's already been changed of course, but that's still pretty amusing.
This discussion has been archived. No new comments can be posted.

Fox News' FTP Password Anyone?

Comments Filter:
  • by Mark_in_Brazil (537925) on Monday July 23, 2007 @09:09AM (#19954783)
    Dude, why didn't you look around for the bug that makes them misreport the news so horribly that a majority of FOX News viewers still believes Iraq was responsible for 9/11 and Saddam had WMDs when the US invaded?
    • Re:Wasted chance (Score:5, Insightful)

      by mwvdlee (775178) on Monday July 23, 2007 @09:13AM (#19954833) Homepage
      Because now we know; it was just some hacker prank.
      • Re: (Score:3, Interesting)

        by MindKata (957167)
        ... And when they get hacked, they can get ton's of free publicity telling the whole world of the dangers of hackers... They would probably be only too happy to get hacked, for all the extra free news coverage it would get them on other networks.
        • by Anonymous Coward on Monday July 23, 2007 @10:06AM (#19955511)
          they can get ton's of free publicity

          Now, is that "ton is of free publicity", or does Mr. Ton have a lot of "of free publicity" that he could potentially give to you?
    • by niceone (992278) * on Monday July 23, 2007 @09:14AM (#19954839) Journal
      Hey, that's not a bug - it's a feature.
    • Re: (Score:2, Funny)

      by Anonymous Coward
      "T1me Out"... that's the kind of password an idiot would use on his luggage!
    • Re:Wasted chance (Score:5, Informative)

      by include($dysmas) (729935) on Monday July 23, 2007 @09:27AM (#19954987)
      the usual call to RTFA ... this is from the lame "the DoD are after me for using vista" site, who approved it ffs? read the article they link to (and link directly next time, stop paying them in ads!), its an account to grab files from zdnet, not an account into fox news, does it even have write access? dont let the facts get in the way of alarmist bs tho
    • by N8F8 (4562)
      Or the brainwash program over at CNN that convinced 2/3 of the country the reason we invaded Iraq the second time was WMD. Can we say staw man?
  • HaHa (Score:5, Funny)

    by Anonymous Coward on Monday July 23, 2007 @09:10AM (#19954787)
    You're going to jail and slashdot is getting shut down. It's a federal offense to interfere with an official government propaganda outlet.
  • Nice... (Score:5, Funny)

    by x3rc3s (954149) on Monday July 23, 2007 @09:11AM (#19954801)
    Enjoy your stay in gitmo!
  • by Anonymous Coward on Monday July 23, 2007 @09:14AM (#19954835)
    Now the question is, was it changed by Fox or someone else.
  • by forgotten_my_nick (802929) on Monday July 23, 2007 @09:16AM (#19954861)
    That is all we need, months of stories how "evil hackers got into Fox network"

    Followed up with "Hackers: Evil and must be stopped?" to linking hacking to Obama, a danger to your kids and finally Hackers gone wild at Spring break.
    • by hoggoth (414195)
      Chris Hanson is moving to FOX to host Dateline: To Catch A Hacker.
    • Re: (Score:3, Interesting)

      by Red Flayer (890720)

      and finally Hackers gone wild at Spring break.
      If that video is similar to any of the other Spring break videos I've "heard about", I do not want to see it.

      Either that, or we need to begin teaching nubile drunken 22-year-olds to hack.
      • Re: (Score:3, Funny)

        by sammy baby (14909)
        You missed another possibility: that we'll be throwing beads at pasty, flabby geeks to get them to put their clothes back on.
    • Re: (Score:3, Insightful)

      by TerranFury (726743)

      linking hacking to Obama

      Nice typo. Confusing a Democratic candidate with Al Quaeda's head demagogue? Apropos, given we're talking about Fox.

  • by wheretheicegrows (996432) on Monday July 23, 2007 @09:17AM (#19954867)
    I'm not that much into security, so I hope I don't sound "pathetic", but I was wondering what's wrong with the 'T1me Out' password. I'd say all company passwords I've ever had were no harder than that, and none of them had a space in it. And honestly how many of you guys use a password like YwMCU07D?
    • by AlHunt (982887) on Monday July 23, 2007 @09:21AM (#19954925) Homepage Journal
      >And honestly how many of you guys use a password like YwMCU07D?

      Great - now I have to go change all my passwords.

    • by Enry (630)
      > And honestly how many of you guys use a password like YwMCU07D?

      <joke>That's on my luggage.</joke>

      Seriously, though, that's the form you should be using for passwords, especially critical ones or ones that are public-facing. Get yourself a good password manager (TealSafe, SplashID) and just keep generating new passwords for all your systems.
    • by realkiwi (23584)

      And honestly how many of you guys use a password like YwMCU07D?
      Me. You realize you can't use that password anymore?
    • by Errtu76 (776778)
      I do; caps/numbers/special chars. But i agree, 'T1me Out' would be a good choice. Even Microsoft's own Password checker [microsoft.com] thinks it's a pretty good choice ;)
    • by asliarun (636603) on Monday July 23, 2007 @09:31AM (#19955035)
      I agree, and my personal experience with corporate passwords has been the same. I'm sure this would disturb security geeks at various levels (or get them salivating!), but I don't see this as a *huge* loophole since most of the systems are inside the corporate firewall anyway. IMHO, this is about as big a security threat as an employee or a contractor copying sensitive data (which the password is protecting) and trying to profit from it illegally.

      A system that I was managing once started crashing, and further investigation revealed that the password of an upstream system had been changed. When we contacted the admin team of the offending application, they informed us that they had upgraded the password from 123 to the "highly secure" (in their words) 234.
    • by ndixon (184723) on Monday July 23, 2007 @09:35AM (#19955099)
      There's nothing really wrong with the password (though a smart dictionary-based search could discover it).

      There is something very wrong with writing the password down, in plain text, on a public-facing server and assuming that no-one will be able to see it.
    • I use my own password generator [movetoiceland.com] (source code [movetoiceland.com]) to generate secure and easy to remember passwords. It's really handy because I have accounts on a bunch of machines at work and I can't use passwords that are too hard to remember in case I need to scp from one machine to another.

    • Re: (Score:3, Informative)

      by Opportunist (166417)
      Current "dictionary crackers" already take care of "leet speak". I.e. they do contain "words" like h8, sk8er and so on. And of course they do try single character replacements like 1 for I and 2 for Z and so on.

      In other words, yes, this password was prone to be dict'ed.
    • by Legion303 (97901) on Monday July 23, 2007 @09:48AM (#19955261) Homepage
      "And honestly how many of you guys use a password like YwMCU07D?"

      Great--now you've got 8 people making the same joke.
    • Re: (Score:3, Informative)

      by mewyn (663989)
      Well, the main problem with using "T1meOut" is it's very easily attacked by a weighted dictionary attack. All dictionary attacks take care of common numerical replacements and capitalization. The next issue is weight of the words. Time and out are rather common words in the english language, and even more common when used together. In the case of a full random password, or a word password with randomness interjected, it'd be a lot less crackable than "T1meOut". A much better password would be something
      • Re: (Score:3, Insightful)

        by Fred Ferrigno (122319)

        In that case, the words are still there, you just have to memorize the capitalization and non-word components, which honestly isn't hard, people just think it is.

        Define "hard". Since I know I'm me, passwords are an annoying speed bump in the best case scenario. In the worst case, a password I can't remember is worthless, no matter how strong it is.

        Password Nazis these days are really frigging annoying. The most annoying rule I keep coming across is "no more than N letters in a row". Obviously that's meant to make it harder to use a dictionary word, but it trips me up frequently even though I never use dictionary words. I'd wager most people use mostly the same non-

    • Re: (Score:3, Interesting)

      by eth1 (94901)
      YwMCU07D?

      Wimp. Real men use
      dd if=/dev/random bs=1024 count=1 | passwd --stdin
  • by BHearsum (325814) on Monday July 23, 2007 @09:20AM (#19954915) Homepage
    That password would've been satisfactory if it was kept better.
  • by SilentChris (452960) on Monday July 23, 2007 @09:23AM (#19954935) Homepage
    In all fairness (do they even deserve it?), the password listed in the script is for ZDNet's FTP, not Fox. Still pretty embarrassing, but it's not going to hurt Fox at all (I imagine it could have hurt CNet/ZDNet). And it definitely could've hurt the relationship between both corporations' IT departments.

    There seems to be a string of these lately between content aggregators. About a month ago there was that page on MS's site endorsing Linux. Turns out the content was from another site (I think, actually, CNet).

    Not to say I'm not totally surprised. In this day when about 50% of someone's site is content from somebody else, it's not surprising there's snafus. I'm just waiting for the day when one of the sites leaves up SSH logins for another.
  • It Works (Score:2, Informative)

    by Eddi3 (1046882)
    Actually, as of this post, the ftp server can still be accessed with the same username and password from the script.

  • Let's see here (Score:4, Insightful)

    by Anonymous Coward on Monday July 23, 2007 @09:29AM (#19955017)
    Random corporation has bad security: Brief blurb about how corporations should take better care of their security infrastructure in order to make sure that leaks/intrusions don't happen. Perhaps even a person or two giving advice in the form of which files to edit and what to change.

    Corporation that people don't like has bad security: Note after note about how evil the company is and that they're idiots in the highest sense.
  • Ridiculous summary (Score:5, Insightful)

    by the computer guy nex (916959) on Monday July 23, 2007 @09:29AM (#19955021)
    1) The password has probably been around for awhile with no one guessing it. What exactly was wrong with it? Uppercase/lowercase/numbers, combination of multiple words, it is at least moderately strong.

    2) Why the hell are you blaming Fox? You think the entire company sat in a conference room and decided on a security scheme and a password?

    3) Why did this deserve front page news? Exploits like this are found on a daily basis, and ones much more humorous/interesting/newsworthy.
  • 4chan (Score:4, Insightful)

    by stick-boy (73731) <jason.arends@[ ]il.com ['gma' in gap]> on Monday July 23, 2007 @09:35AM (#19955095) Homepage
    this originated on 4chan.org's /b/ late last night (NSFW.) the shell script was a small script for uploading to a ziff-davis ftp server, it wasn't actually a fox ftp password (look at the directory name the shell script was found in, and i'm sure z-d appreciates this too.) also, there was an image directory that had directory listing turned on too. i didn't stick around long enough to see if any /b/tards found anything interesting in there, but i know an image dump was being made.
  • I dunno... should I feel pity for their webmaster or consider it natural selection that he will most likely get a "you won't find a job in this country anymore" letter?
  • by TheReallyMadScientis (1131215) on Monday July 23, 2007 @09:46AM (#19955237)
    ...to doing 'fair and balanced' journalism.
  • by Anonymous Coward on Monday July 23, 2007 @10:17AM (#19955677)
    Aw, crap. Now there'll be another round of armchair security experts saying "You should turn off directory indexes!" and easily-led sysadmins actually doing it, and we'll have that many fewer sites where you can bypass the broken navigation to actually find things through the directory indexes.

    Directory indexes, on a properly-run site, are a Good Thing and should be encouraged. They are and should be turned on by default in real httpd software. Anything secret that's accessible through a directory index would also be accessible by guessing the URL - so security has to be enforced by 403 Forbidden, not by "nobody will know the URL," anyway. Don't disable directory indexes unless you have a really good reason - and if you think you have a really good reason, especially if you think it has something to do with some kind of "security," then you're probably wrong.
  • by youthoftoday (975074) on Monday July 23, 2007 @12:22PM (#19957519) Homepage Journal
    I was once visiting the offices of a design firm that was doing some work for Disney. As far as I remember, the procedure for adding new content was:

    - Email the admins (with password), requesting an upload opportunity giving detail of content and approval reference
    - Admins create FTP account on a purpose-built server
    - Admins send back time-sensitive FTP details
    - Design company uploads to FTP server
    - Committees review content, send authorization to admins
    - Admins upload content.

    And this was for already-approved work. Kinda puts this level of security to shame...

Never trust a computer you can't repair yourself.

Working...