Ubuntuforums.org cracker promises no password release

“Sputn1k_”, the entity held responsible for stealing 1.8m passwords from ubuntuforums.org, appears to have reassured the world s/he doesn't plan to do anything bad with the credentials. Someone or something using the Sputn1k_ name used Twitlonger to post the following missive: “You can stop worrying about your passwords. Yes, …

COMMENTS


MD5?

I'm no crypto expert, but surely paid forum software can do better than md5? I know it's double hashed and salted, but still it would take very little effort from vbulletin to use a better algorithm.

Also, a lot of the time improvements made will only affect the one web site with its custom DB, but here one bit of effort on vBulletin's side would improve many forums' security all over the web.

0
0
Silver badge

Re: MD5?

Free software can do better than MD5. I don’t think this was the real problem here. I'd guess that there was some injection hole left open. Once that’s done, it's largely irrelevant which encryption method is used, and which salts, as the cracker probably has pretty much full access to the DB.

It is possible to set these things up with a lot more security - but there is a pay-off between security and maintainability, and hence cost, and a paid-for one has profits on top, which tend to make it more insecure in the long run.

1
0
Silver badge

Re: MD5?

I doubt the MD5 vs. SHA-1 etc. argument is important, as I suspect large-ish rainbow tables already exist for most common hash functions. At least it was salted, which is more than some DB leaks have shown, though how much entropy the salt has is not stated in the article, and that probably is the major factor in the effort to recover a significant number of original passwords.

2
0
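The three posts above make one argument between them: the salt matters against precomputed tables, but once the attacker holds the table with the salts in it, only the per-guess cost of the hash slows a dictionary attack. The following is an added example, not code from the article or from vBulletin. It reads "double hashed and salted" as md5(md5(password) + salt), which is an assumption taken from the thread's wording rather than from vBulletin's source, and it uses constructed accounts, salts and a tiny wordlist so it runs offline. PBKDF2 stands in for "a better algorithm" at a deliberately low iteration count.

```python
import hashlib

# Constructed demo data: three accounts with short per-user salts (not a real leak).
ACCOUNTS = [("alice", "password1", "aB3"), ("bob", "letmein", "x9Q"), ("carol", "Tr0ub4dor&3", "zz1")]
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty"]
SLOW_ITERATIONS = 20_000  # deliberately low for a demo; production tuning is higher


def vb_style_hash(password: str, salt: str) -> str:
    """Assumed 'double hashed and salted' scheme: md5(md5(password) + salt)."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def slow_hash(password: str, salt: str, iterations: int = SLOW_ITERATIONS) -> str:
    """A deliberately slow alternative: PBKDF2-HMAC-SHA256 with a tunable work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()


def leaked_rows(hashfn):
    """What the attacker holds after a full DB dump: (user, digest, salt) per account."""
    return [(user, hashfn(pw, salt), salt) for user, pw, salt in ACCOUNTS]


def unsalted_table(wordlist):
    """A precomputed table of unsalted md5(word): the 'rainbow table' shortcut."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}


def crack(rows, wordlist, hashfn):
    """Online dictionary attack. Returns (recovered passwords, hash evaluations performed).

    The salt sits beside the digest, so it hides nothing; it only forces one
    evaluation per (word, user) pair instead of one per word. The cost of each
    evaluation is set by hashfn, which is the factor the algorithm choice controls."""
    recovered, guesses = {}, 0
    for user, digest, salt in rows:
        for word in wordlist:
            guesses += 1
            if hashfn(word, salt) == digest:
                recovered[user] = word
                break
    return recovered, guesses


def salt_space(length: int, alphabet_size: int = 62) -> int:
    """Number of distinct salts, i.e. how many precomputed tables an attacker would need."""
    return alphabet_size ** length


def demo():
    fast_rows, slow_rows = leaked_rows(vb_style_hash), leaked_rows(slow_hash)
    table = unsalted_table(WORDLIST)
    return {
        # An unsalted digest is a direct table lookup; a salted one is not.
        "rainbow_hit_unsalted": table.get(hashlib.md5(b"password1").hexdigest()),
        "rainbow_hit_salted": table.get(fast_rows[0][1]),
        # Same guesses either way; only the price per guess changes.
        "fast": crack(fast_rows, WORDLIST, vb_style_hash),
        "slow": crack(slow_rows, WORDLIST, slow_hash),
        "tables_for_3_char_salt": salt_space(3),
        "tables_for_8_char_salt": salt_space(8),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both crack runs recover the same two weak passwords in the same twelve guesses; the difference is that each PBKDF2 guess costs thousands of hash compressions where the MD5 construction costs two, and the salt-space figures show why a three-character salt only multiplies precomputation work by a few hundred thousand while a long random one puts table building out of reach.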
Silver badge

Re: MD5?

"It is possible to set these things up with a lot more security - but there is a pay off between security and maintainability and hence cost and a paid for one has profits on top which tend to make it more insecure in the long run."

My experience as a sysadmin is that web "devs" simply chuck things together and, if it works, move on to something else. Security isn't even an afterthought.

This is why so many webservers end up compromised: crap code, crap attitude. As much as we lock down the OS environment around the webserver, it's completely undermined by application coders.

The only practical solution is to treat Webservers as disposable & firewall the hell out of the things - in AND outbound.

2
0
Anonymous Coward

Re: MD5?

VBulletin is all php based? I was under the impression that md5 was long out of fashion in the php world. Sounds like VBulletin need to get their act together.

2
0
Boffin

Speaking from experience

vBulletin is really, really crap at security. The password hashing algorithm is really only the tip of the iceberg. The thing is, once you get control of AdminCP, the server is essentially yours (up to the permissions of the suEXEC user). You can upload and execute files, run queries, likely even send emails if that's on the same machine as Apache. And what's protecting this treasure trove, you ask? A password prompt and nothing else. No SSL, no guessing usernames (admins are listed on the site); that one text field is literally all that stands between a hacker and complete control of your box.

Not to mention cookies, of course, which in vB sometimes don't even get marked as HttpOnly. Yes, that means a bit of XSS could compromise the entire machine. Starting to see the whole iceberg?

5
0
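The post above turns on two cookie attributes: without HttpOnly a session cookie is readable by any script an XSS injects, and without Secure it travels in the clear over the non-SSL admin login it describes. The following is an added example, not code from the article or from vBulletin: a small audit of Set-Cookie headers using Python's standard http.cookies parser, run over constructed sample headers with made-up cookie names, plus a builder for the hardened form.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie header values, not captured from any real forum install.
SAMPLE_SET_COOKIES = [
    "sessionhash=3f9c0b1e7a44; Path=/; HttpOnly",
    "rememberme=5d41402abc4b; Path=/; Max-Age=2592000",
    "userid=12; Path=/",
    "adminsession=9e107d9d372b; Path=/admincp/; Secure; HttpOnly",
]


def parse_set_cookie(header: str):
    """Parse one Set-Cookie header value into (name, Morsel)."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    return name, morsel


def missing_flags(header: str):
    """Return (cookie name, list of protective flags the header does not set)."""
    name, morsel = parse_set_cookie(header)
    missing = []
    if not morsel["httponly"]:   # readable via document.cookie, so stealable by XSS
        missing.append("HttpOnly")
    if not morsel["secure"]:     # sent over plain HTTP, so sniffable on the wire
        missing.append("Secure")
    return name, missing


def audit(headers):
    """Map each cookie that is missing a flag to the flags it lacks."""
    return {name: flags for name, flags in map(missing_flags, headers) if flags}


def visible_to_document_cookie(headers):
    """Cookie names an injected script could read: everything not marked HttpOnly."""
    return sorted(name for name, m in map(parse_set_cookie, headers) if not m["httponly"])


def hardened_set_cookie(name: str, value: str, path: str = "/") -> str:
    """Emit the header value a session cookie should carry."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["samesite"] = "Strict"   # also blunts cross-site request forgery
    return jar[name].OutputString()


if __name__ == "__main__":
    for name, flags in audit(SAMPLE_SET_COOKIES).items():
        print(f"{name}: missing {', '.join(flags)}")
    print("exposed to script:", visible_to_document_cookie(SAMPLE_SET_COOKIES))
    print("hardened:", hardened_set_cookie("sessionhash", "3f9c0b1e7a44"))
```

Run against a live site, the same checks apply to the values of each Set-Cookie response header; the sample shows that a cookie can be HttpOnly and still leak over plaintext, and that only the admin cookie in the constructed set carries both flags.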
Flame

He's still a tool.

- and I'm being polite here - for doing what he did. For pity's sake, it's not like Ubuntu are a third world despotic nation, hell bent on subjugating native tribes with WMD, is it? No, they work as volunteers to release a fairly effective FREE alternative to Windows, iOS, et al, which is used by millions (well, tens of thousands, anyhow) around the globe. And this spotty-faced git decides, on a whim, to upset the apple cart and screw them over? Doesn't bloody matter if he's not going to use the passwords. Doesn't matter much if they were salted, peppered, or covered in tomato sauce: he was wrong to do what he did. End of.

17
8
Silver badge

Re: He's still a tool.

The church and the slaughterhouse are equal targets; the principle remains the same. Once you are through the locked gates, however, what you do with the "swag" is very important.

There is no point in saying that Sputn1ck was wrong because it does not change the fact that the deed has been done. It is far more important to discuss what can be done in order to prevent further replication or how to avoid making the swag worthwhile.

3
0
PM.
Meh

Re: He's still a tool.

Firstly, Ubuntu is a commercial company that lives off selling their product and support, so they're not exactly volunteers.

Secondly some organizations choose Ubuntu over Windows for security sake.

(Like, say, Tibetan activists)

Perhaps such actions can open some eyes and provoke some thought,

because _real_ adversaries will not advertise their breach all over the Internet ...

3
3

Re: He's still a tool.

Not quite - Canonical is a commercial company, which produces Ubuntu.

However - is ubuntuforums.org actually a Canonical-owned site? Genuine question as I don't know. My impression from these articles was that it was an independent, volunteer-run site.

3
0

Re: He's still a tool.

PM -

OK, so they sell products to businesses. Big deal. Their distros are still free for personal use, last I checked (which was about five minutes ago, as it happens).

Anyhow, let's see if I have you right on the implied commentary you gave, a couple of posts above:

If I've got you right, you're saying that if you're a commercial entity, then you're fair game for abuse, hacking, and criminal activities designed to really bugger things up for you and your clients/customers, whether or not you are a small, medium, or large biz, or a mega corporation; further, it matters not a jot if you're considered ethical, morally rudderless, good, evil, or anywhere else on the planetary moral compass, if you make a profit, you're fair game. Is that correct? If not, please elaborate?

6
0
Anonymous Coward

Re: He's still a tool.

The problem here would seem to be vbulletin.. the o/s would seem to be irrelevant at this point in time.

2
0

Re: He's still a tool.

The domain is registered to Canonical Ltd., so I'm guessing they do manage the site.

0
0
Anonymous Coward

Re: He's still a tool.

"The domain is registered to Canonical Ltd"

Server in UK? [ 1 ]

That'll be Computer Misuse Act Section 3 perhaps? [ 2 ]

I wonder what kind of mood Mr Shuttleworth is in right now...

0
0

Re: He's still a tool.

"FREE alternative to Windows, iOS"

Really? I can install Ubuntu on my iPhone? How?

(No, I don't actually want to do such a thing, for various reasons, but I think you're barking up the wrong tree there. MacOS would seem to be a reasonable suggestion, but not iOS.)

1
0

Re: He's still a tool.

You can put Android on your Iphone if you value security.

0
2
PM.

Re: He's still a tool.

Richard, I would agree with you if he had hacked Debian or CentOS, a true non-profit, idealist org. And Canonical? They are in it for money, purely. Rarely do they contribute something back to the Linux community.

Suppose I saw a sleeping guard and I put a flower in the barrel of his gun. Would this be a criminal act? Perhaps. But he provides some service to the public and does it for money, so he had better get his act together.

0
0

Re: He's still a tool.

*Mutter* It's Roger, not "Richard", Fred.

Putting a flower into the muzzle (and thus down the barrel) of a rifle is unlikely to cause anything other than an amusing photo. It's hardly likely to be a criminal act. Criminally stupid, maybe, but criminally illegal? Not likely.

So, a company that makes a profit is fair game, then? Why? As to Canonical being in it purely for the money and failing to contribute back to the Linux community: um, not so. Remember, they give their distro away free for *personal use*. It may not be contributing to the community in the form of code, etc., but it's still one hell of a loss leader, as there is absolutely no guarantee that those 'customers' are likely to be IT buyers for their companies, is there?

In any case, this idiot didn't go after Canonical themselves, oh no. He went after their community forums - he went after the users, not Canonical. Try excusing that, if you can.

Again, he's still a tool. And that's being icily polite about it.

2
2
Facepalm

Re: He's still a tool.

Sorry, you're right, MacOS, not iOS. My bad. I just couldn't think what the darn thing was called, not being a fruit fanboi like some others on this august (well, robust, anyhow!) place ;-)

1
1
PM.

Re: He's still a tool.

Hi Roger,

Sorry for that name mistake.

With rest we'd have to agree to disagree ;-)

1
0

Re: He's still a tool.

Apology accepted, thank you :-)

Given that I'm one of those who's been affected by the actions of this... individual... I think you'll also understand my viewpoint on him.

And he's still a tool.

0
1
Silver badge

Ah yes, ethical hacking, .....

..showing respect for the place you are visiting. Take nothing but database snapshots, leave nothing but messages.

3
0

So this is what Dell meant when they talked about Project Sputn1k_

1
0
g e
Silver badge
Meh

Ohhh so s/he's doing us a _favour_

Well that's just dandy then.

1
1

Whether this Sputn1k_ fancies himself a whitehat or a blackhat, at the end of the day the end users' personal data will be more secure when Canonical fixes the exploits that allowed the data theft. The implied suggestion that hackers should be morally upstanding and only expose the personal data of customers of big bad governments or large corporates with deep pockets is naive and ethically warped.

0
0

Typical leftie

This is the result of the typical self-entitled, anarchist leftie mindset. Probably a regular at these forums.

0
0
Trollface

Re: Typical leftie

Really? And there was I, a transport worker, liberal-minded socialist, and firm believer in law being applied somewhere to the right of Genghis Khan, thinking that I was the only confused leftie around here ;-)

1
0