Over the week-end, I received an email from Mollom notifying me that they had discovered a security breach. According to their official blog post on the matter, the breach was discovered on August 21st. Mollom is a service managed by Acquia, a commercial open source software company providing products, services, and technical support for the open source Drupal social publishing system. The service works in a similar fashion to Akismet in that it scans messages such as comments to determine whether or not they are spam.
This is an important security notice from the Mollom team. On August 21, we identified a breach of one of our Mollom servers. Our subsequent investigation showed that unauthorized users gained access to Mollom servers and were potentially able to access Mollom data. Today we have closed the security loophole used to gain access and taken measures designed to prevent future breaches.
Data that may have been compromised includes usernames, account contact information, passwords, Mollom public and private keys, and billing transaction logs. PayPal account information was NOT stored on the affected servers.
At this time, we have no evidence that any malicious activity took place with customer data. To help assure this continues to be the case, in addition to the measures described above, we have changed all Mollom user account passwords.
Mollom has automatically reset all user account passwords to access the administrative interface. This means you’ll need to access the following URL in order to reset your password.
The bottom line is if you signed up to use Mollom free or as a paid customer, you should reset your password and keep a close eye on your financial records, especially if you have or had a paid account even though credit card information was not stored on the affected server. The unauthorized access was NOT a direct result of a vulnerability within Drupal. If any additional information is discovered during their investigation, the Mollom team will continue to update the blog post.
As I’ve mentioned elsewhere, we can tell a lot more about how a vehicle is really made, and especially what kind of people are behind the product, by looking at the aftermath of the typical fender-bender or other accident/incident, than we can by looking at it on the showroom floor and letting the sales staff ‘inform’ us.
Mollum’s response to this server-related security issue follows the usual, nominally wholesome & responsible track. Unfortunately, this popular track is designed & operated to be long on generalities & abstractions, short on actionable information & facts, and leaves the customer-base with what boils down to ‘trust us’, in making their forward-going decisions.
Mollum’s partly-good, but importantly/critically non-useable (ie, “useless”) communications are very typical of those who run servers for any of a wide range of public services/businesses.
Real details & facts are lacking. Specifically, eg in this case, what was this 3rd party software, which Mollum says was the key to the exploit? Is there, or is there not, any indication or clue, whether the breach is actually ‘explained’ by the use/presence of said 3rd party product? Can we, or can we not, tell one way or the other?
Entities who run servers in public contexts – all such servers, at all levels & for all purposes – very typically take on the full-blown cloak & dagger aura of the NSA (of Edward Snowden fame), or the CIA or FBI (but without the armed interdiction aspect) intelligence agencies, when it comes to what is & isn’t actually going on with their server environment …. upon which the rest of us end up being more than a bit inordinately dependent, and about which we are kept too ignorant.
In most ordinary server-contexts, this Top Secret affectation is “unwarranted” *, and our general security would be improved, with a more Open attitude that provides more “real” information to everyone. In fact, under well-known & celebrated Open Source principles, we would fully expect that fewer of these kinds of breaches would happen in the first place, if more details about server-installations were accessible to more eyeballs.
In plain language, unless you are actually the NSA, NSA-grade security-attitude is not only misplaced — it’s counterproductive, in pragmatic practice.
(* All real security systems are multi-tiered. Top Secret, Secret, Confidential, etc. Professional security is never one-size-fits-all … but you wouldn’t guess that, looking at the attitudes under which everyday, run-of-the-mill servers are managed. This inappropriate deployment of ‘attitude’ does not improve security. On the contrary.)