Fox News' FTP Password Anyone?

An anonymous reader writes "While browsing around the Fox News website, I found that directory indexes are turned on. So, I started following the tree up, until I got to /admin. Eventually, I found my way into /admin/xml_parser/zdnet/, in which, there is a shell script. Seeing as it's a shell script, and I use Linux, I took a peek. Inside, is a username and password to an FTP. So, of course, I tried to login. The result? Epic fail on Fox's part. And seriously, what kind of password is T1me Out. This is just pathetic." It's already been changed of course, but that's still pretty amusing.

Re:Wasted chance

[mwvdlee]

Because now we know; it was just some hacker prank.

what's wrong with T1me Out

[wheretheicegrows]

I'm not that much into security, so I hope I don't sound "pathetic", but I was wondering what's wrong with the 'T1me Out' password. I'd say all company passwords I've ever had were no harder than that, and none of them had a space in it. And honestly how many of you guys use a password like YwMCU07D?

Re:Wasted chance

[Cryophallion]

Fox news definately has some perspective issues - but WMD's isn't one of them. Even CLINTON believed they were there. Not trying to start a war - I am just sick of hearing about WMD's, when we all thought they were there. Iraq as the cause for 9/11 though - that's a crazy concept.

http://www.truthorfiction.com/rumors/b/bushlied. htm

I'm no lawyer, but...

[TodMinuit]

Just because you find the key to my car lying on the street doesn't mean you can go for a joy ride.

Let's see here

[Anonymous Coward]

Random corporation has bad security: Brief blurb about how corporations should take better care of their security infrastructure in order to make sure that leaks/intrusions don't happen. Perhaps even a person or two giving advice in the form of which files to edit and what to change.

Corporation that people don't like has bad security: Note after note about how evil the company is and that they're idiots in the highest sense.

Ridiculous summary

[the computer guy nex]

1) The password has probably been around for awhile with no one guessing it. What exactly was wrong with it? Uppercase/lowercase/numbers, combination of multiple words, it is at least moderately strong.

2) Why the hell are you blaming Fox? You think the entire company sat in a conference room and decided on a security scheme and a password?

3) Why did this deserve front page news? Exploits like this are found on a daily basis, and ones much more humorous/interesting/newsworthy.

Re:what's wrong with T1me Out

[TodMinuit]

Seriously, though, that's the form you should be using for passwords, especially critical ones or ones that are public-facing. Get yourself a good password manager (TealSafe, SplashID) and just keep generating new passwords for all your systems.

I think it's a moot point. Here, the password wasn't the failure. It could have been d41d8cd98f00b204e9800998ecf8427e and it wouldn't have made a difference.

Completely random password, whatever!

[morgan_greywolf]

Dictionary words with letters replaced by numbers: not enough entropy. In this case however, not even a completely random password would have saved them.

Bingo! Never, ever, ever! NEVER store a password in plaintext in a script. Not ever. That's always a huge security issue, because you never know who is going to read the file. If you need unattended logins, there's SSH, Kerberos/GSSAPI, whatever.

4chan

[stick-boy]

this originated on 4chan.org's /b/ late last night (NSFW.) the shell script was a small script for uploading to a ziff-davis ftp server, it wasn't actually a fox ftp password (look at the directory name the shell script was found in, and i'm sure z-d appreciates this too.) also, there was an image directory that had directory listing turned on too. i didn't stick around long enough to see if any /b/tards found anything interesting in there, but i know an image dump was being made.

Re:what's wrong with T1me Out

[ndixon]

There's nothing really wrong with the password (though a smart dictionary-based search could discover it).

There is something very wrong with writing the password down, in plain text, on a public-facing server and assuming that no-one will be able to see it.

Re:Wasted chance

[Rakshasa Taisab]

There's also a difference between 'believing they're there' and 'going to war cause you know they're there, no matter what others think about your plans'.

Re:what's wrong with T1me Out

[Legion303]

"And honestly how many of you guys use a password like YwMCU07D?"

Great--now you've got 8 people making the same joke.

Re:Wasted chance

[dcollins]

This isn't about believing in WMDs before the invasion. This is about believing that we found WMDs AFTER the invasion. In an October 2003 poll, for example, 7 months after the invasion, 33% of Fox viewers said that the U.S. had actually physically found WMDs in the course of the invasion. That's 10% higher than the next most confused media viewership. This is what some of us would really love to see explained by you "nothing to see here" apologists. Or else, it sounds like you still maintain that's a reasonable belief today?

http://www.americanassembler.com/issues/media/docs /Media_10_02_03_Report.pdf [americanassembler.com]

Weapons of Mass Destruction
As discussed, when respondents were asked whether the US has "found Iraqi weapons of mass destruction" since the war had ended, 22% of all respondents over June-September mistakenly thought this had happened. Once again, Fox viewers were the highest with 33% having this belief. A lower 19-23% of viewers who watch ABC, NBC, CBS, and CNN had the perception that the US has found WMD. Seventeen percent of those who primarily get their news from print sources had the misperception, while only 11% of those who watch PBS or listen to NPR had it.

Re:Wasted chance

[Thrip]

Wow, you are seriously rewriting history, dude. Don't you remember all those statements by the administration claiming they had proof they couldn't show us, and then coming out with a few lame fuzzy satellite photos of trailers and shit? A lot of people didn't buy it at the time -- including me and most of the people I know. I mean, no one doubts that Iraq had once had some hairy weapons programs (find me a government that hasn't), but it was seriously hard to believe they had anything that would threaten the US. Just because you were suckered, you're saying "we all thought..."? Come on, learn from your mistake and move on.

Re:Wasted chance

[jollyreaper]

Fox news definately has some perspective issues - but WMD's isn't one of them. Even CLINTON believed they were there. Not trying to start a war - I am just sick of hearing about WMD's, when we all thought they were there. Iraq as the cause for 9/11 though - that's a crazy concept.

No, you colossal boob, not everyone thought there were WMD's. First, don't lump chemical and biological with nuclear. Yes, I know analysts do it but I think it unfairly magnifies the threat level of the BC in NBC.

The specific charge Bush used to get our panties in a wad was nuclear weapons. "We don't want the smoking gun to be in the form of a mushroom cloud." Yellow cake uranium, lie. Aluminum tubes, lie. The CIA was giving Bush solid intel but he and his team refused to accept it. Cheney and his cronies cherry-picked raw intel for the most sensationalistic shit they could find, regardless of whether it was true or not.

When you say "most people assumed Saddam had WMD" you really mean "Most people assumed he had some leftover chemical or biological shit", not that he had nukes ready to strike the west in 45 minutes. The consensus before 9-11, a consensus backed by Powell, was that the US policy of Iraqi containment was working.

I'm sick of lies and lying liars. I'm sick of people who rewrite the facts to justify doing something and then rewrite history to protect themselves from that fuckup.

Wasted chance

[oldmacdonald]

But people like simple stories with comic book villains...

Oh the irony!

Re:Wasted chance

[Guuge]

Anyone looking just at the inspectors' reports would not believe that Saddam had "stockpiles of weapons of mass destruction" as was claimed by some. You don't get stockpiles from "losing track of the actual truth". you don't get mass destruction from a few ancient chemical weapons.

Using the advantage of hindsight, the answer is obvious; just follow the money. The Bush administration had a significant financial motivation for the invasion, so they hyped it in any way they could. (Example: Nigerian yellowcake scandal) It appears that the systematic distortions caused you to lose track of the actual truth.

But I don't expect you to learn any life lessons from this. People like stories with comic book villains and if seeing Saddam as evil, omnipotent, and omniscient makes your universe make sense, whatever. [Here's where I make some insulting generalization about you, but even I have too much good taste for that.]

Password

[eebra82]

"And seriously, what kind of password is T1me Out. This is just pathetic."

What's wrong with it? Uppercase, lowercase and numbers. Looks safe to me. If you had a thousand years to figure it out on your own, would have succeeded?

I would say it's safer than 'xXsa425Vff', because 'T1me Out' is easy to remember. That way, you don't have to ask your co-workers what it is in case you forget it. Plus, I'm sure they're changing the password from time to time. It's unlikely 'T2me Out', however. :)

From the same people who ruined finger

[Anonymous Coward]

Aw, crap. Now there'll be another round of armchair security experts saying "You should turn off directory indexes!" and easily-led sysadmins actually doing it, and we'll have that many fewer sites where you can bypass the broken navigation to actually find things through the directory indexes.

Directory indexes, on a properly-run site, are a Good Thing and should be encouraged. They are and should be turned on by default in real httpd software. Anything secret that's accessible through a directory index would also be accessible by guessing the URL - so security has to be enforced by 403 Forbidden, not by "nobody will know the URL," anyway. Don't disable directory indexes unless you have a really good reason - and if you think you have a really good reason, especially if you think it has something to do with some kind of "security," then you're probably wrong.

NEWS FLASH: Left-Wing Fascists mod parent off-topc

[E++99]

A post on the newsworthiness of the main article is not off-topic. Should be modded back up.

Gentoo and reverse marketting

[Anonymous Coward]

Gentoo's main optimization is a social one.

Mentioning Gentoo on Slashdot is guaranteed to bring out the clueless from their cubbyholes, a very worthwhile property on a site now overrun by tech wannabes. That makes article pre-filtering very easy.

Gentoo users know what properties really matter to them, but that doesn't go on the marketting/advocacy blurb. The references to speed optimization are there ... for other reasons, and they target other people. I call it Darwinian De-selection.

And it works just great: the Gentoo forums are almost entirely free of the clueless.

Enjoy!

Re:Wasted chance

[Anonymous Coward]

biological and chemical weapons aren't the sort of things you just throw out. If he disposed of them he should have had proof (disposal facilities, appropriate waste by-products, etc.) He had none of those.

Re:Wasted chance

[GrayCalx]

Anyone looking just at the inspectors' reports would not believe that Saddam had "stockpiles of weapons of mass destruction" as was claimed by [the MI5, the Mossad, and the CIA].

Just to be accurate as possible I've updated that sentence for you.

Re:Password

[Carewolf]

So someone, somewhere is telling people that passwords that contain upper and lower-case and numbers are good passwords?? They _just_ forget to tell you that if the upper-letter is the first letter of a word, and the number is an easily predictable substitute, when you gain ABSOLUTELY NOTHING!

Yes, this password would be cracked in 5-20 seconds by an average password cracker.

Re:Wasted chance

[AndersOSU]

I'm not the OP, but I believe it.

Having biological and chemical weapons lying around is a liability waiting to happen. They're hard to control, and hard to account for. (Sir, the warehouse reports that we have 5,347,761 moles of VX gas available.)

Disposing of them is environmentally hazardous. For instance, you don't really know that much about the products of the disposal reaction. Check out [delawareonline.com] one story about how the disposal is problematic. (check out how many related stories there are in the side bar.)

Besides, if we needed to, how hard would it be to make more?

Re:Wasted chance

[quanticle]

Let's shed all our defenses and leave ourselves vulnerable to an attack by Canadia.

I'm so sick of hearing that argument. Disarmament of nuclear weapons != complete disarmament. Even if we get rid of all our ICBMs and chemical and biological weapons, we'll still have enough nukes to destroy any other country three times over, backed up by the finest conventional military in the world.

Face it: with the fall of the Soviet Union, there is no reason for America to be spending so time and money maintaining weapons of mass destruction. We should decommission half of them and spend that money on parts of the military that actually need the attention - like the Marines and Army.

Re:Wasted chance

[Don853]

But I don't expect you to learn any life lessons from this. People like stories with comic book villains and if seeing Saddam as evil, omnipotent, and omniscient makes your universe make sense, whatever. [Here's where I make some insulting generalization about you, but even I have too much good taste for that.]

Idle curiosity: Do you think a smart-assed remark about how you, unlike the other guy, are too good for personal attacks is something other than a personal attack?

Re:Wasted chance

[enjerth]

What, you thought that they were going to go in there with guns blazing and then, when there is no government or law left, just leave town?

The plan to establish a democratic government in Iraq was a part of the plan from the start. And now it's just what they have left to do.

Re:Wasted chance

[PFI_Optix]

Did the president pick the joint chiefs and the top-level CIA people? (serious question, I don't know off the top of my head).

Not everyone who has the president's ear is appointed by him. He showed some bad judgment prior to the invasion and obviously some of his appointees were poor picks given our post-9/11 hindsight. My point is that there wasn't a crystal-clear picture either way prior to invasion, and Bush's vision was even more filtered because those he most trusted were unwilling or unable to tell him the whole story.

Iraq was big stupid mess from day one, no doubt about that. But let's not try to paint the whole administration as malicious warmongering tyrants when in all reality they're just inept shoot-from-the-hip bureaucrats.

The sad thing is, I really don't believe we'd have been much better with either of our presidential alternatives: I think Gore would have found a completely different way to bungle things after 9/11 and make someone miserable (probably us) and Kerry would probably have really fouled up the occupation...yes, even more than Bush.

Re:Wasted chance

[plague3106]

Iraq did 9/11? Who cares. Saddam gone is good for the world dudes. Just ask the Saudis how they feel about it....

Well using 9/11 to invade Iraq isn't really that great of a cause; if you had so many good reasons, why did Bush try to link Saddam to 9/11? Just use one of the many good reasons already there.

As far as asking what the Saudis think, I really don't give a shit what they think. When a government can arrest and kill a woman because you saw her ankle, I don't really care if that government feels "safe" or not.

Re:Wasted chance

[vtcodger]

***Fox news definately has some perspective issues - but WMD's isn't one of them. Even CLINTON believed they were there. Not trying to start a war - I am just sick of hearing about WMD's, when we all thought they were there. ***

This is utter and completely unmitigated nonsense. 'We' most certainly did NOT all know that Iraq had WMDs. In fact most of the people in the world except those systematically misinformed by the American Media were pretty sure Iraq did not have such weapons. That's why (unlike Afghanistan) the US was largely unable to cajole, extort, intimidate, bribe, or con any major country except Britain into strongly supporting the invasion of Iraq. The 'Coalition" had less than 50 members. Many of them have no meaningful presence and the majority of them are places like Palau and Moldova with GDPs smaller than South Dakota. For example, officially Turkey is a member of the coalition. But in fact, Turkdy turned down a whopping bribe to participate meaningfully in the fiasco. Even Canada -- which usually sticks with the US -- passed on this one.

There were UN inspectors on the ground from November 2002 on until they were directed to leave for their own safety just before the US invasion in March 2003. Their efforts were not being impeded. They found no sign of nuclear, chemical, or biological weapons or of programs to make them (http://www.cbsnews.com/stories/2003/03/17/iraq/ma in544280.shtml )

You should be asking why you did not know in early 2003 what most of the world knew. If you were getting your news from Fox News, that would explain part of the problem. (Surely you are not still listening to those clowns?). But that's only part of the problem.

Flamebait!

[lag00natic]

Yawn... just another opportunity to feed the flames for all the liberals on /. Reading through all the replies that have nothing to do with the original article and just focus on bashing conservatives and the content of the stories run by the network proves my point. It's getting old guys/gals... really old.

Re:4chan

[Anonymous Coward]

Lies, it was ebaumsworld.com!

Re:Wasted chance

[mr_mischief]

In fact, the victory over Saddam's forces and the effort to remove him from power was a cakewalk. It's keeping order in the aftermath that's proving difficult.

Re:Wasted chance

[CodeBuster]

33% of Fox viewers said that the U.S. had actually physically found WMDs in the course of the invasion

Unfortunately, the issue is not as black and white as the pundits on either side would like you to believe. There is, unfortunately, some wiggle room that gets used to support either one side or the other depending upon the speaker. The problem lies in the strictness of one's definition of WMDs and the categorization by some people of certain chemical weapons as WMDs despite the fact that such weapons are orders or magnitude less destructive than say the nuclear weapons that they are grouped with. Now, having said that it *is* true that US forces in Iraq have, from time to time, come across the odd Artillery shell filled with mustard or even a binary form of sarin in one case (used as a roadside bomb and a couple of US soldiers experienced minor symptoms, but no deaths). At best one could say that such finds are execeedingly rare and do not in and of themselves constitute evidence of a vast and active program on the part of Saddam to develop and use these weapons in the years immediately prior to the invasion. However, proof is proof and if even one shell is found then the number of "WMDs" was not zero and that is why the pundits continue arguing the points. This is splitting hairs maybe but if one argues that there were absolutely *no* WMDs in Iraq prior to the invasion then strictly speaking that person would be wrong. The problem lies in the use of absolutes in argumentation where even one counter-example disproves the argument.

North Korea

[number6x]

You make a very good point.

North Korea is also part of the "Axis of Evil". However they have WMD's and some pretty nasty long range missiles. They may not be able to strike The US, but they could devastate South Korea, Japan and Taiwan. We keep begging North Korea to please, pretty please, come to the negotiating table. No talk of invasion there.

Sadam complied with the U.N. inspections we demanded. Grudgingly but he complied. He ended his weapons programs and allowed us and our allies to control two thirds of his air space. (All of this had to be forced on him, but he complied).

So the moral of the story?

If you are an evil dictatorship, do not comply with The US and its allies. Build up your arsenal and become as powerfull and as dangerous as possible. The US only invades weaklings. The US begs for negotiations with the dangerous crackpots.

I believe Iran watched all of this unfold. The way Sadam and Iraq complied, and were rewarded with invasion. The way North Korea refused to comply and became more dangerous, and gets more and more aid on its terms.

This is why Iran has restarted its nuclear program.

Pretty good foreign policy we have, huh?

Re:Wasted chance

[gad_zuki!]

Rotting shells from the iraq-iran conflict is not at all why Bush claimed to go to war. playing them up to be "WMDs found in Iraq" is willful ignorance. Removing the context from the claim is as good as lying. Again.

This is like the local police saying 'We're going to raid every home in your town because of illegal arms.' They end up finding a broken revolver pistol from the 50s buried in a garbage pile. Claiming 'SEE THEY FOUND GUNS' is being a complete idiot.

Re:Wasted chance

[Guuge]

Why wouldn't Saddam do the same?

Because he has no self-interest in getting deposed.

Re:Great all we need.

[TerranFury]

linking hacking to Obama

Nice typo. Confusing a Democratic candidate with Al Quaeda's head demagogue? Apropos, given we're talking about Fox.

Asshole! People like you are ruining the Internet.

[Anonymous Coward]

Directory listing was once a delightful part of web browsing. There is no more efficient way of finding files.

But now, one after one, sites which do not restrict directory listing are disappearing forever.

Why? Because of snotty punk assholes like "anonymous reader", who stumble upon some quasi-personal file (the same file six dozen other individuals saw but then respectfully moved on from before him) then BITCH and BLATHER about it repeatedly until everybody is made to know just how pathetically COOL HE IS for having found it.

Re:Wasted chance

[Darby]

Iraq was big stupid mess from day one, no doubt about that. But let's not try to paint the whole administration as malicious warmongering tyrants when in all reality they're just inept shoot-from-the-hip bureaucrats.

How about we actually pay attention instead of your course of ignore all the facts to try and excuse the administration for their premeditated malicious actions?

Go read the 2000 paper by the Project For a New American Century titled "Rebuilding America's Defenses" signed by Rumsfeld, Cheney, Wolfowitz, Jeb Bush, George Bush Senior and many other members of Bush's original administration and hangers on. Pay attention to the parts where they talk about their plan to invade Iraq to "ensure future US economic world domination in the coming century", their understanding that the American people wouldn't buy their bullshit, so they would need to hope for an attack on the US on the level of Pearl Harbor which they could then misuse as an excuse to invade Iraq.

How about you stop talking about the subject when you obviously don't know a damn thing about it since you couldn't even be bothered to read the position papers published by the very people you're attempting to defend.
Think about how stupid that makes you to do something so completely ridiculous.

In short, since their own published plans paint them as exactly malicious warmongering tyrants how about you stop making up complete nonsense in order to defend them from their own fucking words which you never even read?

That would actually be the sane, reasonable position which is pretty much diametrically opposed to your own.

Re:what's wrong with T1me Out

[Fred Ferrigno]

In that case, the words are still there, you just have to memorize the capitalization and non-word components, which honestly isn't hard, people just think it is.

Define "hard". Since I know I'm me, passwords are an annoying speed bump in the best case scenario. In the worst case, a password I can't remember is worthless, no matter how strong it is.

Password Nazis these days are really frigging annoying. The most annoying rule I keep coming across is "no more than N letters in a row". Obviously that's meant to make it harder to use a dictionary word, but it trips me up frequently even though I never use dictionary words. I'd wager most people use mostly the same non-alpha characters and the current push for "strong" passwords likely makes them just as common as Q or X.

I've often wondered if all these rules designed to make passwords harder to guess actually limit the search space, making it easier to guess passwords. For example, when my university introduced its new password rules, they offered the example password "hP!bD;825" for Happy Birthday 8/25. How many people do you think simply used hP!bD; and their birthday? How many people will use an otherwise vulnerable password but tweak it in a completely predictable way to pass the filter? qW!eR!tY anyone?

Re:North Korea

[Himring]

Welcome to diplomacy. Watch out for bad guys.

What I find funny is that it appears most of the folks here think gaming and inveigling in diplomacy and war started when bush took office. News flash: this stuff's been going on for a few years (try millennia). I recommend a good game of Civ. It'll whet the appetite.

What amazes me most isn't that the U.S. is playing ball, hard ball, with the world, it's that all you folks think it started with Bush, that Clinton didn't do it or that the next one won't either -- be it either party.

You have your way with a country that you can. You make peace with the stronger and devour the weaker. You train for war during peace and you ally with strong allies during conflict. We don't invade N.Korea for one reason and one reason only: China. We did that. Bad mojo. China is too much. Even Nixon knew this. He made it pax cuz he knew they were the big time coming up.

These are rules boys. They're just rules. It's just the rules of love. Oh, sure, you can go against the rules of love and you'll pay for it. Get mushy with her. When she says she needs a break, call her more often. When she goes out with another guy, go and cry to her. Yea, they dig that.

Didn't you guys have dad's with backbones? Suck it up. Look at it for what it is. The big dog can't avoid fights cuz they come at him. The biggest nation on earth can't avoid conflicts and will always have them (all other empires always have -- it's what they do).

I read an article that testosterone levels are 20% lower now than they were 40 or 50 years ago. I believe it.

I mean sheez. Go watch 300....

Re:Wasted chance

[Washizu]

"The sad thing is, I really don't believe we'd have been much better with either of our presidential alternatives: I think Gore would have found a completely different way to bungle things after 9/11 and make someone miserable (probably us) and Kerry would probably have really fouled up the occupation...yes, even more than Bush."

You can't go to war with the President you'd like to have, only the one you've got.

In all seriousness, I know this is just an opinion but what could you possibly base this on?

I built weapons of mass destruction for the USA.

[Anonymous Coward]

Actually the US did find small stock piles of gas agents and one centrifuge that is used to enrich uranium. Not the massive infrastructure that was claimed to be sure but that statement that NO WMD where found is also false. The claim is that the gas agents where miss placed when the Iraqis where destroying them under UN supervision.
I know that I will get flamed for this but it is the truth.

What you've described is not "Weapons of Mass Destruction". I can claim some expertise here as I personally helped construct America's nuclear arsenal; I worked on Harpoon, Peacekeeper and the Navy Standard Missile among others.

What you've described is a sad, pathetic attempt at a weapons system (gas) that's been obsolete for nearly a century and a piece of scientific equipment (a centrifuge).

That's not WMD, by any stretch. You could release all that gas in Washington DC on a busy workday and there'd be a few dozen casualties. An equal volume of dynamite or amatol could do more damage (though in either case delivery would be extremely difficult, since placement would be critical).

I am not intending to flame you, merely to correct you. "Mass Destruction" is not something that any weapon Saddam ever possessed could inflict. He wanted to build superguns and buy nuclear technology, but was prevented from doing so long before Bush II's invasion.