I wonder if that user was set up a while ago as a way of getting update messages 
to the mailing list (maybe in the very early days of JIRA before notification 
schemes).  I'd suggest we disable the account.

-Grant

On Apr 13, 2010, at 8:08 PM, sebb wrote:

> On 14/04/2010, Uwe Schindler <u...@thetaphi.de> wrote:
>> Hi Grant,
>> 
>> It is that user, who is assigned to the very early JIRA issues, e.g.:
>> https://issues.apache.org/jira/browse/LUCENE-1
>> 
>> I changed the password of this user in response to that email (for 
>> security), but I think we should simply let infra remove it. The problem is, 
>> almost anybody can instruct JIRA to reset the password and let JIRA send it 
>> again to the "email" which is the public java-dev list. And then it is 
>> public again.
> 
> If the user is still needed (for whatever reason) maybe the user can
> be disabled, or maybe they can be removed from the list of users who
> have update access to the JIRA.
> 
> But so long as the user is not an administrator, then it's no
> different really from any other account that can be created by Joe
> Public.
> 
>> Uwe
>> 
>> -----
>> Uwe Schindler
>> H.-H.-Meier-Allee 63, D-28213 Bremen
>> http://www.thetaphi.de
>> eMail: u...@thetaphi.de
>> 
>> 
>>> -----Original Message-----
>>> From: Grant Ingersoll [mailto:gsi...@gmail.com] On Behalf Of Grant
>>> Ingersoll
>>> Sent: Wednesday, April 14, 2010 1:50 AM
>>> To: java-dev@lucene.apache.org
>>> Subject: Re: issues.apache.org compromised: please update your
>>> passwords
>>> 
>>> FYI, this is for real.  Some have asked me if it is made up.  I don't
>>> know who owns that user, so we should ask on infra, I suspect.  Also,
>>> this applies to all user accounts too on JIRA.
>>> 
>>> On Apr 13, 2010, at 12:25 PM, r...@apache.org wrote:
>>> 
>>>> Dear Lucene Developers,
>>>> 
>>>> You are receiving this email because you have a login, 'java-
>>> d...@lucene.apache.org', on the Apache JIRA installation,
>>> https://issues.apache.org/jira/
>>>> 
>>>> On April 6 the issues.apache.org server was hacked. The attackers
>>> were able to install a trojan JIRA login screen and later get full root
>>> access:
>>>> 
>>>> https://blogs.apache.org/infra/entry/apache_org_04_09_2010
>>>> 
>>>> We are assuming that the attackers have a copy of the JIRA database,
>>> which includes a hash (SHA-512 unsalted) of the password
>>>> you set when signing up as 'java-dev@lucene.apache.org' to JIRA. If
>>> the password you set was not of great quality (eg. based on a
>>> dictionary word), it
>>>> should be assumed that the attackers can guess your password from the
>>> password hash via brute force.
>>>> 
>>>> The upshot is that someone malicious may know both your email address
>>> and a password of yours.
>>>> 
>>>> This is a problem because many people reuse passwords across online
>>> services. If you reuse passwords across systems, we urge you to change
>>>> your passwords on ALL SYSTEMS that might be using the compromised
>>> JIRA password. Prime examples might be gmail or hotmail accounts,
>>> online
>>>> banking sites, or sites known to be related to your email's domain,
>>> lucene.apache.org.
>>>> 
>>>> Naturally we would also like you to reset your JIRA password. That
>>> can be done at:
>>>> 
>>>> https://issues.apache.org/jira/secure/ForgotPassword!default.jspa?username=java-...@lucene.apache.org
>>>> 
>>>> We (the Apache JIRA administrators) sincerely apologize for this
>>> security breach. If you have any questions, please let us know by
>>> email.
>>>> We are also available on the #asfinfra IRC channel on
>>> irc.freenode.net.
>>>> 
>>>> 
>>>> Regards,
>>>> 
>>>> The Apache Infrastructure Team
>>>> 
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: java-dev-unsubscr...@lucene.apache.org
>>>> For additional commands, e-mail: java-dev-h...@lucene.apache.org
>>>> 
>>> 
>>> 
>>> 
>> 
>> 
>> 


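The infrastructure notice quoted above explains why an unsalted SHA-512 hash of a weak password should be treated as guessable. As an added illustration (not part of the thread, and not JIRA's own code), the Python below uses a constructed wordlist and user table to show that one precomputed table resolves every weak account in an unsalted SHA-512 store, while per-user salts (here with PBKDF2-HMAC-SHA512 from the standard library, an assumed alternative scheme) make that same table useless.

```python
import hashlib
import os

# Constructed sample data for the demonstration only; none of it is real JIRA data.
WORDLIST = ["password", "letmein", "lucene", "apache", "qwerty", "123456"]
USERS = {"alice": "letmein", "bob": "correct horse battery staple", "carol": "lucene"}


def unsalted_sha512(password):
    """The scheme the breach notice describes: a single bare SHA-512 of the password."""
    return hashlib.sha512(password.encode()).hexdigest()


def salted_pbkdf2(password, salt, iterations=100_000):
    """A salted, iterated alternative using the stdlib's PBKDF2-HMAC-SHA512."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations).hex()


def build_lookup_table(words):
    """Precompute hash -> word once; it applies to every unsalted SHA-512 store anywhere."""
    return {unsalted_sha512(w): w for w in words}


def make_unsalted_store(users):
    """Password table as the notice describes it: user -> unsalted SHA-512 hex digest."""
    return {u: unsalted_sha512(p) for u, p in users.items()}


def make_salted_store(users):
    """Each user gets a random 16-byte salt stored beside the iterated hash."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        store[u] = (salt.hex(), salted_pbkdf2(p, salt))
    return store


def weak_accounts_unsalted(store, table):
    """Accounts resolved by a plain dictionary lookup; no hashing needed at audit time."""
    return {u: table[h] for u, h in store.items() if h in table}


def weak_accounts_by_table_salted(store, table):
    """The same table against the salted store: stored hashes never match precomputed ones."""
    return {u: table[h] for u, (_salt, h) in store.items() if h in table}


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted:", weak_accounts_unsalted(make_unsalted_store(USERS), table))
    print("salted:  ", weak_accounts_by_table_salted(make_salted_store(USERS), table))
```

With the unsalted store the lookup names alice and carol immediately; with the salted store it names nobody, and a guesser would have to recompute the slow hash per user per guess instead.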