Scrum.org hacked, may have lost crypto keys and some user data

Scrum.org, the Scrum certification and training site run by Scrum co-creator Ken Schwaber, appears to have contacted users to warn them of a nasty security breach. Reg reader "KB" has sent us an email sent to Scrum.org members and customers that says "On May 26, 2016, we noticed an issue with the Scrum.org website outgoing …

  1. Anonymous Coward

    Storing passwords that can be decrypted...

    ...with the keys stored on your server. Will people never learn?

    1. Anonymous Coward

      Re: Storing passwords that can be decrypted...

      Why use two-way encryption at all for passwords, rather than salted hashing? Why would you ever need to recover the password; what are you going to do, email it to a forgetful user or something?

        1. Anonymous Coward

        Re: Storing passwords that can be decrypted...

        I think it's because they've been smoking salted hash instead of using it for their crypto.

    2. Aodhhan

      Re: Storing passwords that can be decrypted...

      yeah, it's a shame isn't it?

      Considering the extent of the compromise, I have to wonder about their defense in-depth strategy.

      Especially when there isn't anything which triggers alarms and bells when a local account is created on a public facing server.

      Also... in this day and age, start using web hosting applications coded in HTML 5.

      ...and I will ROFLMAO if we find out it's built using something like WordPress.

      1. Vic

        Re: Storing passwords that can be decrypted...

        I will ROFLMAO if we find out it's built using something like WordPress.

        DotNetNuke...

        Vic.

  2. Nate Amsden

    so don't blame devops

    blame cloud instead?

    got it.

  3. Pascal Monett

    Don't go dissing DevOps

    Why?

    I get that the vuln came from a supplier package - but who's to say that said package wasn't developed using DevOps?

    DevOps is just the new name for brainstorming something and implementing it before analyzing all the possible consequences. Sounds like a DevOps package to me.

    1. VinceH

      Re: Don't go dissing DevOps

      "Sounds like a DevOps package to me."

      Yeah, but was it hyper-converged, though? That must surely be the question on everyone's lips.

  4. Doctor Syntax

    "Don't go dissing DevOps: a supplier has 'fessed up to a website vuln"

    That's not a good enough reason.

  5. Zippy's Sausage Factory

    Given my experience of "scrum masters"

    this sort of level of competence sounds about usual for anyone who've undertaken their qualifications...

    1. Anonymous Coward

      Re: Given my experience of "scrum masters"

      The exams are horrendously prescriptive when I thought the whole idea was to be 'agile'. I'm surprised the material and exams don't stipulate the colour of your underwear to be a 'scrum master'. Frankly, the concept is so simple and obvious that you could learn it in a few hours. The exams are very contrived just so they can make money putting you through it.

  6. Anonymous Coward

    Too 'agile' to put in decent security were they?

    This is what happens when you allow loud-mouthed self-loving over-opinionated egocentric content-free jerk-arsed consultants to build and run a website without the benefit or insights of real developers. Go agile! Go agile! Go agile!

    Twats.

  7. TheSkunkyMonk

    I have a friend who teaches IT/Programming in far off lands after many years of doing the same in the UK; the man didn't even know what an RFC was until a few months ago :( I fear for the future of our IT Professionals.
