October 4, 2005 10:55 AM PDT

Firefox promo site taken down by hackers

Spread Firefox, the marketing Web site for the open-source Firefox Web browser, has been hacked again and is expected to be offline until later this month.

The cyber break-in was discovered this week, according to a notice sent Tuesday by the Spread Firefox team to registered users of the Web site. The breach was limited to SpreadFirefox.com and did not affect the main Mozilla.org Web site or Mozilla software, according to the e-mailed message.

The server that hosts the Spread Firefox Web site was compromised by attackers who attempted to exploit a security vulnerability in TWiki, according to the notice. TWiki is open-source software for the collaborative authoring of online pages called "wikis".

This is the second time the site has been hacked via a flaw in software used to run the Web site. In July, the marketing site was compromised by attackers who exploited an unpatched security hole in PHP. The Drupal content management system used by the site is written in the PHP scripting language.

After the July attack, Mozilla instituted procedures to ensure that it would not overlook any more security fixes. "Unfortunately, those procedures overlooked the installation of the TWiki software, since it is not used by the main Spread Firefox site," the Spread Firefox team said in its notice.

The Firefox marketing Web site has been taken offline and will be rebuilt from scratch, according to the e-mail. "When the system is rebuilt, all the software will be audited to ensure that security updates will be applied in a timely manner," the team wrote.

The latest attack likely did not expose any user information, according to the e-mail. Still, people should change their password when the site comes back online, the team suggested. Spread Firefox's Web site should be back online circa Oct. 15, according to a notice on the site.

The hack is an additional embarrassment to Mozilla, which has emphasized security as a main selling point for its Firefox Web browser.

Spread Firefox is the online Firefox marketing hub. Mozilla has successfully used the site to mobilize volunteers to popularize the browser through free marketing techniques such as Web site buttons and by collecting money for an ad in The New York Times.

46 comments

Are their admins the same people that ...
Just curious, are their admins the same people that manage Firefox?
Posted by nrlz (98 comments )
Somebody hand me a napkin...
There's irony dripping off this thing and all over the place.
Posted by ejevo (134 comments )
RE
I doubt the people who administer the webserver are the same ones who manage the development of Firefox.
Posted by unknown unknown (1951 comments )
Not as far as I know
NT
Posted by Kelson (64 comments )
no, but asa will take credit for anything
sad really
Posted by aabcdefghij987654321 (1721 comments )
Well...
I suppose one could say that the Microsoft fanboys were right... in one sense. The more popular Firefox gets the more it or things related to it will be targeted by hackers.
Posted by System Tyrant (1453 comments )
WHAT'S SO NEW ABOUT THIS
Security people think they can make a living by providing security to the sites of the others. But the Hackers are not so impressed by the efforts of the Security people. When they bring down the sites of the security people they do so simply to show to the people, using the security software, that the software will not work. It is a shame that it does not scare the IT people. They continue the software of the security people. Maybe they have no other choice. Without it the hackers would have an open season on the IT people.

The Hackers have shown that the only way to deter them is to take their power of hacking away from them as discussed at http://www.newerawisp.blogspot.com/

The time for a browser that creates new roles for clients and servers has come.

It is not only the security that should force this development. It is also the piracy. It keeps the Music Company busy bringing lawsuits against those it suspects of piracy. But Wall Street Journal dated September 28, 2005 reported that these music Companies sued Baidu.com, the Chinese Search Engine because it makes it too easy for the downloading of Music. I've asked these music Companies to send me the names and addresses of these courts, the case numbers, the names and addresses of the defendants and the names and addresses of the lawyers involved so I can make a motion to the effect that the Music Companies can end piracy if they wanted to by financially supporting the development of the browser that will banish the piracy for ever.
Posted by newerawisp (47 comments )
RE
They were able to hack the site because a flaw in the wiki software they were using didn't have the latest patches applied. If you know what a wiki is it's certainly not security software.

"When they bring down the sites of the security people they do so simply to show to the people, using the security software, that the software will not work. It is a shame that it does not scare the IT people. They continue the software of the security people. Maybe they have no other choice. Without it the hackers would have an open season on the IT people."

Security is a back and forth process. A developer releases the software, it gets attacked, and the developer patches the holes. We haven't found a process yet for making totally secure software.
The only secure computer is one that's unplugged. Then it's just an expensive paperweight.

"The time for a browser that creates new roles for clients and servers has come."

What is that supposed to mean? I don't know where you found that blog, but some of the suggestions are completely absurd.

"I've asked these music Companies to send me the names and addresses of these courts, the case numbers, the names and addresses of the defendants and the names and addresses of the lawyers involved so I can make a motion to the effect that the Music Companies can end piracy if they wanted to by financially supporting the development of the browser that will banish the piracy for ever."

Unless a judge seals the records those documents are a matter of public record. It's not, however, the music companies' job to provide them to you. Unless you're part of the suit the only thing you can do is file an Amicus Curiae (friend of the court) brief. "FRAP 29. BRIEF OF AN AMICUS CURIAE A brief of an amicus curiae may be filed only if accompanied by written consent of all parties, or by leave of court granted on motion or at the request of the court, except that consent or leave shall not be required when the brief is presented by the United States or an officer or agency thereof, or by a State, Territory or Commonwealth. The brief may be conditionally filed with the motion for leave. A motion for leave shall identify the interest of the applicant and shall state the reasons why a brief of an amicus curiae is desirable. Save as all parties otherwise consent, any amicus curiae shall file its brief within the time allowed the party whose position as to affirmance or reversal the amicus brief will support unless the court for cause shown shall grant leave for a later filing, in which event it shall specify within what period an opposing party may answer. A motion of an amicus curiae to participate in the oral argument will be granted only for extraordinary reasons." Rule 29. Federal Rules of Appellate Procedure.

Banishing piracy is not as easy as you seem to think it is. There is more to the internet than just browsers.
Posted by unknown unknown (1951 comments )
Open Source hacked again
Where are all of the open source hypocrites now?

Before, we heard how it was always "Micro$haft" software that was insecure, buggy, etc.

Then, we get a few reports of Apache and Firefox having flaws, "but they get fixed faster than MS products."

Now, we see the same site (using only open source software) getting hacked for the 2nd. time and is down until later this month!

Where are all of the lame open source advocates who claim that the software is inherently more secure? Where are all of the "M$" bashers?

To be honest, I'm sick of all of the open source hype (especially the FireFox hype and how 'secure' it is.)

I've stuck with Windows XP and IE (with auto-updates on) and haven't had *one* problem with security.

I'm not saying open source stuff sucks, but it isn't the holy grail that the zealots make it out to be.

I'm sure there will be those that blamed it on the admins., (in the same way that MS fans blamed it on admins.), but fair is fair: Open Source was hacked because of security *flaws*.

</rant>
Posted by DrakeLoneStar (22 comments )
And
And how many times have the various Microsoft sites been hacked?

More than twice?

Considering Firefox is a 1.0 release and is on par with IE 7.0 for security I'd say they're off to a good start.

When open source has had 20 years to work on security like proprietary software then we can make comparisons.

Because right now you're laughing at the preschooler for not being able to beat a college student in a fight.

Funny thing is the kid's holding his own.
Posted by Fray9 (547 comments )
Read the article
Last time it got shut down it was because security patches hadn't been applied to PHP. In this case they didn't apply a patch for the wiki software they were using. Remember SQLSlammer? It was successful because people didn't apply patches. If anything this demonstrates the need to keep software updated by applying patches from the developer. The weakest link in computer security is often the user.


"Open Source was hacked because of security *flaws*."

Where did people from the Mozilla or other open source software projects say their software was flawless? The Mozilla Foundation promoted Firefox as more secure not totally secure.
Posted by unknown unknown (1951 comments )
Open source hypocrite here
The exploited software, Twiki, was installed on the server but was not used by the public website. There was a fix available for the vulnerability, but the administrator had not applied it. The update was overlooked because the Twiki software isn't used by the public site.

Info taken from http://www.mozillazine.org/talkback.html?article=7479

The open source software was not at fault, the system administrator was. Not unlike the virus that affected so many MS servers not that long ago (can't remember the virus, I'm thinking Sober), there was already a fix available but system administrators had not applied it.

You can't blame the software for an exploited vulnerability if there is a fix available for the vulnerability and the system administrator neglects to apply it. On the other hand, you can blame the software vendor for multiple un-fixed vulnerabilities and vulnerability fixes that break something else (i.e. open other vulnerabilities). Insert the obligatory Microsoft reference.
Posted by Nathan Lunn (113 comments )
Straw Man
Wow, your post has "straw man" written all over it.

Sadly, in today's polarizing climate, that's the highest level of debate many people get to see.

(Hmm, that would be a great idea for a browser extension: something that could analyze statements, identify logical fallacies, and label them. It might make message boards a lot more fun!)

As for your highly-exaggerated points, other posters have already responded to them, and I see no reason to add "me too."
Posted by Kelson (64 comments )
Amen
You're preaching to the choir here.

I've started replying to flamer comments with a message titled "Gratuitous Flamer Alert - <username>_01" and a polite message such as "You are interfering with exchange of information of professionals, please knock it off." I'm hoping others will do the same.
Posted by cscoder (51 comments )
Firefox security hype
You're obviously a Usenet troll spreading FUD on Cnet. Windows and IE have always had, and still have far more bugs and vulnerabilities than any *nix system. As a browser, Firefox is as vulnerable as the OS it is running on - which means it is far more secure on a Linux system than it is on a virus prone, extremely hackable Windows system (why do you think you have to run updates every day?)

Besides this, I don't believe for a second that you've never had any problems. I've worked on Windows computers for 15 years and not one has run consistently throughout its lifecycle; much less until the next regurgitated Windows release (95 to 98, 98 to 2000, 2000 to XP).

Windows is crapware. You are stupid enough to pay for it and believe it is good software. (I have a DeLorean I'd like to sell you.)

That being said, an idiot like you pays people like me to fix your broken Windows system.

Or do you think GeekSquad is in business because they fix Linux systems? Ha!
Posted by netguynw (4 comments )
Asa Dolter is a tool
I'd guess if he wasn't such a cocky ****** then things wouldn't happen to his website?
Posted by aabcdefghij987654321 (1721 comments )
If you're going to insult the man
at least have the courtesy to spell his name right.
Posted by Nathan Lunn (113 comments )