/home/loser is with permissions 755, default umask 0022 on multiuser machines this sucks much. on a multiuser debian mirror we found a lot of data, including the wordpress password of the admin.