Ubuntu forums breached, 1.8m passwords pinched

Ubuntuforums.org, the Linux distribution's online community, has shut down for maintenance after a security breach. It's not a pretty one: the site's operators say “Unfortunately the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database.” The good news is that “The …

COMMENTS

This topic is closed for new posts.
  1. Destroy All Monsters Silver badge
    Trollface

    I foresee an NSA public relations drive, whereby sputnik gets doxed within 24h.

    Then the Prez can appear on the White House lawn for another bombastic speech.

    1. Anonymous Coward
      Anonymous Coward

      Another day, another Linux site bites the dust....Should have used a more secure OS....

      1. This post has been deleted by its author

        1. This post has been deleted by its author

          1. Anonymous Coward
            Anonymous Coward

            Re: @TheVogon - let me help you

            Why not write about something you know about? Let me help you:

            Oh freddled gruntbuggly/thy micturations are to me

            As plurdled gabbleblotchits on a lurgid bee.

            Groop I implore thee, my foonting turlingdromes.

            And hooptiously drangle me with crinkly bindlewurdles,

            Or I will rend thee in the gobberwarts with my blurglecruncheon, see if I don't!

            1. g e
              Pint

              @AC & chums

              I note we're still awaiting enlightenment from your vast IT experience(s) on what the replacement ultra-secure OS should be.

              Well, you've had enough time to at least get to Wikipedia...

              My money's on someone touretting 'MacOS' or 'BSD'. In which you've failed cos I said them first even though I'd use neither. So there.

              Pints for everyone bar you.

              1. Anonymous Coward
                Anonymous Coward

                Re: @AC & chums

                "I note we're still awaiting enlightenment from your vast IT experience(s) on what the replacement ultra-secure OS should be."

                BSD or Windows Server 2012 would both be a much more secure choice for an Internet facing server.

            2. Anonymous Coward
              Anonymous Coward

              Re: @TheVogon - let me help you

              Lyshus!

          2. Anonymous Coward
            Anonymous Coward

            Re: @AC:Another day, another Linux site bites the dust.

            Those are all administration failings, not security flaws.

            If you worked your way up from a callcentre into IT, and never studied computer science (at university or by yourself) then you might not see the difference, but it's there.

            Also, SEL isn't a hack.

            1. Anonymous Coward
              Anonymous Coward

              Re: @AC:Another day, another Linux site bites the dust.

              "Those are all administration failings, not security flaws."

              According to the defacement statistics, most Linux based website attacks exploit OS security flaws.

              "Also, SEL isn't a hack."

              It's a bodge then. And it still doesn't fix the broken SUDO model - which Windows uses constrained delegation for.

      2. Peter Gathercole Silver badge

        @AC 21:35

        If you can't differentiate between the OS and an application that runs on the OS (the forum software), then I suggest that you go and do some education.

        Any application that runs its own authentication mechanism, regardless of the OS it runs on, has the same degree of vulnerability.

        I have an account on that site, but it is using the lowest grade of password that I use, so any site that may share the same password is probably not going to have any serious consequences for me.

        1. Putonghua73

          Re: @AC 21:35

          QFT!

          Received an email this morning informing me about the hack. Similar to Peter, I use different passwords (and strengths) for different sites:

          1. email: unique

          2. financial institutions: mixture of shared and unique amongst different financial institutions, but strong password with different layers of login credentials

          3. forums: couple of usernames and shared password (certain forums have a different shared password)

          Needless to say, passwords used in one group are NOT used for another group, i.e. I do NOT use a password that I use for financial institutions for forums.

          However, this is a good wake-up call to delete Internet presence i.e. account info for those sites that I rarely / no longer use.

          1. Jim 59
            Childcatcher

            Re: @AC 21:35

            Thanks for sharing your password strategy with the whole internet. Good job we commentards are an honest lot.

      3. Fatman
        FAIL

        RE: Should have used a more secure OS....

        Is that YOU, Loverock Davidson????

        If so, go crawl back under your rock.

    2. andreas koch
      Black Helicopters

      @ Destroy All Monsters -

      <trolldinner>

      Just why the American president or his NSA would be even remotely concerned about a hack of an open source related website eludes me. Wouldn't Sputn1k be more likely on their payroll?

      </trolldinner>

      ;-)

      1. This post has been deleted by its author

        1. Anonymous Coward
          Anonymous Coward

          Re: @ Destroy All Monsters -

          Really, AC 2:56? The combined might of Redmond and Apple want to destroy the fearsome threat posed by Ubuntu Phone, and decide to... filch passwords from the user forum?

          What ever happened to just having some people whacked? Kids these days...

          1. Antonymous Coward
            WTF?

            Re: @ Destroy All Monsters -

            Sorry DW, didn't mean to pull the rug out from under you, just had forgotten to mention AK's NSA angle!.. a bit rude I thought considering I'm replying to him!

            Yes, really.

            Are you seriously suggesting that murder is a better approach to monopolism than a spot of remote and trivial (as you seem to consider it) FUD slinging? Haven't you any knowledge of how MS has operated throughout its history? It has phorm for exactly this sort of crap you know. Convictions.

            Or is your argument that a giant software company which has spent the last decade hurling billions of bucks into desperate bids to muscle in on the mobile sector, with no significant success, couldn't have any interest in the (F)OSS "cancer" (as its CEO calls it) entering the market?

            They've even fucked their current Windows (the family jewels) cycle in their desperate drive to shoehorn their userbase onto their cloudtastic vision of the future. Gimped it into some sort of me-too app based chimera of what iOS/Android does. Cloud based subscription services. Apps. That's how the others... the successful growing players are doing it. Subscription services are the only way MS has a consumer future. Make Windows like them. Lock mobile devices onto "Win"RT, itself locked onto the MS app store. Eureka!

            Microsoft's traditional desktop stronghold is shrinking. Mobile is eating it alive. MS appears to have bet the farm on imitating the mobile incumbents. So far this has failed but it still seems to be plan A, B and C. MS hasn't got there yet but they're certainly still trying! They've got a $billion writedown THIS QUARTER to show for it.

            MUST. GET. THE. PLEBS. ONTO. AN. MS. APP. STORE. SUBSCRIPTION. MODEL.

            So the prospect of an OPEN mobile OS without the appstore-lockin mechanism becoming established in the sector BEFORE Microsoft makes any inroads couldn't threaten MS's me-too survival plan? The "cancer" COULD well be about to "disrupt" the mobile market, making Microsoft's heir apparent obsolete before it even takes hold. Ubuntu and Mozilla have been attracting significant interest within the industry and among the public. They have OEM and carrier outreach projects which seem to be attracting more interest than MS's! No one at MS could have noticed this? No one at MS could feel their plans for the future might be threatened by this? No one at MS might want to nip the cancer in the bud, before it infects the mobile sector? Pull the other one. They'd be negligent if they didn't. So what can MS do about this very real THREAT? Buy them out? That's always worked throughout MS's history, from the origins of DOS to present... not so great with (F)OSS "cancer" though, is it: You buy to smother, they fork and invest your beeelions into their new project. Bugger. So where does that leave MS? Well, they've always had one other tactic: FUD. So this can't possibly be FUD. How "paranoid". The pixies must have done it just for the lulz. The timing is just a coincidence. No possibility of any other explanation. We can all sleep safely in Stepmond again tonight.

            Anyway, enough rambling on about the bleeding obvious. How is the suggestion that MS might be up to something underhanded even contentious these days, after 30 years of it?

            I'm not posting as AC by the way. Not that AC anyway.

      2. Antonymous Coward
        Black Helicopters

        Re: @ Destroy All Monsters -

        Interesting timing. Just as Ubuntu Phone seems (seemed?) to be starting to pick up some momentum...

        http://www.phoronix.com/scan.php?page=news_item&px=MTQxNTg

        The Forum isn't the only thing to have been taken down. The "Ubuntu Edge" countdown timer (which was to end TOMORROW) has disappeared from the ubuntu.com homepage.

        Coincidence? Course it is. There couldn't possibly be any possibility of any connection between "Sputn1k" and Redmond's (or Cupertino's) FUD dept... Could there?

        Must. Destroy. Evil. Communist. GPL. Software. Cancer.

        As for any possibility of any NSA interest... well, as we all know, the incumbents (Apple, Google & Microsoft) bend over backwards to give the NSA access to all our data. So clearly the NSA couldn't possibly have any interest at all in the possibility of some (F)OSS upstart upsetting the status quo.

        /trolldessert

    3. Alan Brown Silver badge

      Who needs the NSA? There are a lot of volunteers on the site and many of them have more than sufficient abilities to track down a script kiddy.

      An impromptu BBQ party on the miscreant's front lawn works wonders for making the point about anonymity on the Internet.

      WRT other comments: just about all forum sites have holes and virtually all the holes are in the forum software itself (wikis are particularly bad). In most cases user details get lifted without even touching the security of the underlying webserver.

  2. Steve Knox
    Happy

    MMMmmmm

    Salted hash....

    1. Anonymous Coward
      Anonymous Coward

      Re: MMMmmmm

      Corned beef, or hashish?

      Just wondering.

      MMMmmmm....

  3. Antoinette Lacroix
    Devil

    Good riddance

    Every time one does a search, even remotely related to anything Unix, the first 20 results mostly lead to totally irrelevant drivel from Ubuntu forums. Their lusers' level of noobishness and RTFM-refusal is simply unbearable. Maybe he/she couldn't stand it any longer.

    1. andreas koch
      Thumb Up

      @ Antoinette Lacroix - Re: Good riddance

      RTFM about search manipulation. Using -ubuntu might help you be less upset.

    2. Cliff

      Re: Good riddance

      If it helps, Google is ever-helpful by ranking sites you visit often more highly than those you don't, so it gets you in a loop. There is no 'first page of Google', only 'first page of Google for you'. I don't get Ubuntu forums when I search linuxy things.

    3. Anonymous Coward
      Facepalm

      Re: Good riddance

      "Their lusers' level of noobishness and RTFM-refusal is simply unbearable."

      Thank you, Mr. Lacroix, for so eloquently exemplifying the self-righteousness and arrogance that has kept me away from Linux for nigh on a dozen years.

      1. Mystic Megabyte
        Linux

        Re: Good riddance

        >>"Their lusers' level of noobishness and RTFM-refusal is simply unbearable."

        I reply to questions on the Ubuntu Forum and many people who post there are too lazy or stupid to search for answers. Also for many English is not their first language and they struggle to formulate their wishes.

        But interestingly they all seem to be sick of Windows and are trying to use an OS that is free and does not get hacked every ten seconds. (presumably mostly by the NSA!)

        I gave up using Windows when I spent more time keeping it going than using it.

        On the upside, there are many intelligent posters and I have learnt a lot from them.

        Microsoft's main problem is that nobody trusts them any more.

        >>"Thank you, Mr. Lacroix, for so eloquently exemplifying the self-righteousness and arrogance that has kept me away from Linux for nigh on a dozen years."

        You profess to be in IT and make a statement that dumb? You are either a shill or an idiot.

        Never try to learn French or German. Some of those nationals may be arrogant.

        1. Anonymous Coward
          Anonymous Coward

          Re: Good riddance

          On occasion I have to use the Ubuntu forums, and I often find it a trying experience. One of the biggest issues is the amount of "difficult" questions asked and just ignored, one of the next biggest problems is the easy ones with patronising "you're too stupid to understand" answers. How do you expect people to learn, if you tell them things like "you're too stupid to get this"?

          As for "Microsoft's main problem is that nobody trusts them any more." you did notice the bit in the article where they said that Ubuntu forums had 20k active users? That's a long way off everyone and it's another attitude that puts people off. The amount of comments which have a "windoze is shite" or the amount of commentators who feel the necessity to have "Windoze is shite" in their sig, is frankly counter productive to the community and the FOSS movement as a whole.

      2. g e
        Meh

        @David W

        I bet Lacroix hangs out in #Perl on Efnet (that's on IRC to the rest of us), cynically telling people who've already searched everywhere else to 'go RTFM you moron and stop wasting our time'.

        When after all, #perl is a last bloody resort anyway for Perl clues because of the social dysfunctionals that inhabit it exhibiting precisely that dickhead behaviour.

    4. This post has been deleted by its author

  4. Anonymous Coward
    Anonymous Coward

    Wouldn't have happened with Windows 8...

    ...not enough users.

    1. Anonymous Coward
      Anonymous Coward

      Re: Wouldn't have happened with Windows 8...

      I think you will find that Windows 8 already has a couple of orders of magnitude more users than Ubuntu....

      1. Paul 129
        Joke

        Re: Wouldn't have happened with Windows 8...

        "I think you will find that Windows 8 already has a couple of orders of magnitude more users than Ubuntu...."

        Only due to ignorance! :-P

        (Actually, I have yet to find a client that thinks Windows 8 is ok. They universally seem to hate it, not even Vista got it this bad! Maybe I need more clients!)

        1. Anonymous Coward
          Anonymous Coward

          Re: Wouldn't have happened with Windows 8...

          Ignorance of what Paul 129?

          I suggest you do need more customers and ones not influenced by your own views. Ever put them on Win 8 and helped them use it? It really does work even if you stick with a mouse all of the time.

          1. Rebajas

            Re: Wouldn't have happened with Windows 8...

            No, it doesn't.

          2. Paul 129
            Big Brother

            Re: Wouldn't have happened with Windows 8...

            I'm offended that you would think I don't take the time to look after my clients. With Windows 8 I have provided more initial support than ever before.

            Unfortunately most of my clients are, well, 'the unwashed masses', and Metro's schizophrenic nature plus M$ forcing their online services down people's throats (IMHO) are causing issues.

            One well meaning old dear had ADSL issues, so the email system prompted her for a password. She just enters all her account details again, what she thinks is right. OMG the mess from that simple little misunderstanding!

            I could list a long line of Win8-only bugs that I have encountered, but hey, every Windows version is the same, initially.

            The thing that I was commenting on was the fact that, from my experience, when Vista came in you had people complimenting it (+), people reserving their comments (=), and people being derogatory about it (-).

            With Windows 8 I've only had people reserving their comments (=) or being derogatory about it (-).

            How about you taking the time and listening to what people say?

      2. Antonymous Coward
        Paris Hilton

        Re: Wouldn't have happened with Windows 8...

        "I think you will find that Windows 8 already has a couple of orders of magnitude more users than Ubuntu...."

        "Accidentally" confusing (downgradable) landfill licences with "users" again RICHTO?

        Paris cos she probably has more users than Win8

        1. Anonymous Coward
          Anonymous Coward

          Re: Wouldn't have happened with Windows 8...

          ""Accidentally" confusing (downgradable) landfill licences with "users" again RICHTO?"

          Evidence of any significant volume of users downgrading to Windows 7? Somehow I doubt it....

  5. Jubbi
    Linux

    Time to...

    Upgrade to IIS 8.0?

  6. ecofeco Silver badge
    Facepalm

    DOH!

    Amazing.

    1. Anonymous Coward
      Anonymous Coward

      Re: DOH!

      What I find amazing is that there's been NO MENTION of EXACTLY THE SAME thing being done at fApple just a few days ago.

      Curious.

      1. Anonymous Coward
        Anonymous Coward

        Re: DOH!

        Ah, no, it has finally broken:

        http://www.theregister.co.uk/2013/07/22/apple_pulls_dev_centre_after_intrusion_attempt/

        Just "better?" incident obfuscation procedures at Apple Inc. by the sound of things.

  7. Anonymous Coward
    Anonymous Coward

    This is when we find out

    That the Ubuntu forums were powered by IIS

    1. Anonymous Coward
      Anonymous Coward

      Re: This is when we find out

      Unlikely - IIS is pretty secure these days. It is much more likely a LAMP flavour.

      1. Anonymous Coward
        Anonymous Coward

        Re: This is when we find out

        Pretty certain last time I looked into server security they were pretty much as good / bad as each other. They both had severe vulnerabilities, and the number of hacked servers was pretty much a 50/50 split. Effectively as bad as each other. Most of the vulnerabilities are injected by either poor configuration or the applications on the web server.

        Personally my home server is on Hiawatha. I'm not skilled enough to configure and keep updated a secure Apache distro, and can't be bothered to shell out for another Windows box; it's secure, easy to maintain, and it's not one of the 'big two' so a little harder to target.

        1. Anonymous Coward
          Anonymous Coward

          Re: This is when we find out

          >and it's not one of the 'big two' so a little harder to target.

          Security through obscurity :)

        2. Anonymous Coward
          Anonymous Coward

          Re: This is when we find out

          "They both had severe vulnerabilities"

          But they are an order of magnitude greater in number on the LAMP stack.

          "and the number of hacked servers was pretty much a 50/50 split."

          Nope - even adjusting for market share, you are several times more likely to get hacked on a Linux based internet facing server: http://www.zone-h.org/news/id/4737

  8. Tom 7

    Is it a Linux fault

    or just some shit coding in the DB/server pages from someone who learned their stuff in a modern university using MS software as a training tool?

    After all computing is easy isn’t it?

    Does sound pretty bad - they salt and encrypt the passwords but not the other stuff?

  9. Anonymous Coward
    Anonymous Coward

    time for a ground change?

    Seems like once a month I read on this journal about some large organisation having its user db (passwords salted or not) swiped. And I'll bet there are many more breaches besides that don't get reported.

    I'm sure they all lost their data for a wide variety of 'good' reasons and I'm sure most of them went to great lengths to protect their data. But evidently, their measures are not working.

    Sounds to me like the whole security thing needs to be re-invented from the ground up. A foolproof, fail-safe architecture. Sounds grand, I know. But I bet there are big-bucks/much-kudos to be made by anyone who comes up with it.

  10. Anonymous Coward
    Anonymous Coward

    (quietly goes off to check)

    Just reviewed my password for the Ubuntu forum and it was sufficiently bizarre, complex, weird and unrelated to anything else I've ever used that it was quite nice to see.

    Having hundreds of passwords is a bit of a drag until these sorts of things come up.

    Wonder when the first large "Single sign-in" (google/openid/yahoo etc) compromise will hit.

    I assume it already has, just not big enough to leave a media crater.

    1. Anonymous Coward
      Anonymous Coward

      Re: (quietly goes off to check)

      Frankly, given that my Yahoo password (which was not a dictionary word) was "guessed" by someone in India and I know several other people who had Yahoo accounts which apparently got compromised, I suspect that Yahoo have had a security breach.... they either haven't noticed it or won't admit to it.

    2. Anonymous Coward
      Alert

      Re: (quietly goes off to check)

      @AC 10:31 - >"Just reviewed my password for the Ubuntu forum and it was sufficiently bizarre, complex weird, unrelated to anything else I've ever used it was quite nice to see."

      Me also - and I am very upset that the hackers have now stolen my treasured Ubuntu forums password - "12345678". I fear what those evil hackers will do with my 5 posts from 2008 on trying to get Adobe Acrobat Pro working under Wine.

      Fortunately, I don't use the same password for my banking websites. I got smart with those and added the "special character" - "12345678!"

  11. Amorous Cowherder
    Facepalm

    “if you were using the same password as your Ubuntu Forums one on another service..."

    You're a bit of a prat!

  12. tttonyyy

    Post from Sputnik_ on twitlonger

    http://www.twitlonger.com/show/n_1rlft0d

    Seems he's not planning on leaking the DB.

    He also says, "most of the time there's no REAL malicious intentions". Some of the time it is malicious then? What a lovely guy.

    1. Anonymous Coward
      Anonymous Coward

      Re: Post from Sputnik_ on twitlonger

      But we do know now that it was vBulletin... so was it a bug in that or a screw up by Ubuntu?
