link to the twitter incident

[Imported from Trac: page TracSecurityOverview, version 2]
2010-01-09 16:58:41 +00:00 · 2010-01-09 16:58:41 +00:00 · 18ee108e6c
parent ed35617b3c
commit 18ee108e6c
1 changed files with 2 additions and 3 deletions
--- a/TracSecurityOverview.md
+++ b/TracSecurityOverview.md
@ -5,7 +5,7 @@ This is just a quick'n'dirty document to help users make informed decisions abou

 ## Recommendations

-  * Don't use a password which you use elsewhere.  (See: Twitter incident)  [Find ref.]FIXME:
+  * Don't use a password which you use elsewhere.  (See: [Twitter incident](@@http://testgrid.allmydata.org:3567/file/URI:CHK:nm72blax6oqt3fui3dnrhahszq:wcpjaneyqzf4bw752izfey44abql6ywync2vweejsmnohyiwkkia:3:10:275196/@@named=/the-anatomy-of-the-twitter-attack.html@@)) (the short story is that there were no technical security flaws, but users used the same creds on an "unimportant" service as well as a different critical service, so the attacker could escalate the attack across services.)
  * Don't expect the ticket database to be non-corrupt or reliable or persistent.
    * Backup the ticket database and wiki pages regularly!  Use snapshots so corruption does not overwrite correct data. 

@ -24,5 +24,4 @@ This is just a quick'n'dirty document to help users make informed decisions abou
 ## To Do

  * Search for existing Trac security references.
-  * Verify that plaintext passwords are stored.
-  * Find Twitter incident ref (the short story is that there were no technical security flaws, but users used the same creds on an "unimportant" service as well as a different critical service, so the attacker could escalate the attack across services.)
+  * Verify that plaintext passwords are stored.