Skip to main content

A short diary to alert those in this community who are members of the Ubuntuforums.org website that, according to OMG! Ubuntu:

‘Every user’s local username, password, and email address [were stolen] from the Ubuntu Forums database’ Canonical say in a statement posted on the website, adding that while the ‘passwords (stolen) are not stored in plain text’ those who use the same password on other services should ‘change the password on the other service[s] ASAP.’

While data from the Forums has been compromised they stress that other services, such as Ubuntu One and Launchpad, ‘are not affected by the breach’.

Apparently the breach occurred because the system administrators apparently hadn't kept the bulletin board software up to date.  Interestingly, the software being used by the Ubuntu Forums admins was not open source.  The impact of the breach was compounded because the site administrators also failed to use a strong password protection routine - so the passwords were being stored in a relatively easy to hack fashion.

There is an anecdotal report of the email list having been released into "the wild".

So, if you're one of those one password for every website folks (and you use ubuntuforums.org, reputation.com or livingsocial.com which hacked earlier this year), change your passwords.

EMAIL TO A FRIEND X
Your Email has been sent.
You must add at least one tag to this diary before publishing it.

Add keywords that describe this diary. Separate multiple keywords with commas.
Tagging tips - Search For Tags - Browse For Tags

?

More Tagging tips:

A tag is a way to search for this diary. If someone is searching for "Barack Obama," is this a diary they'd be trying to find?

Use a person's full name, without any title. Senator Obama may become President Obama, and Michelle Obama might run for office.

If your diary covers an election or elected official, use election tags, which are generally the state abbreviation followed by the office. CA-01 is the first district House seat. CA-Sen covers both senate races. NY-GOV covers the New York governor's race.

Tags do not compound: that is, "education reform" is a completely different tag from "education". A tag like "reform" alone is probably not meaningful.

Consider if one or more of these tags fits your diary: Civil Rights, Community, Congress, Culture, Economy, Education, Elections, Energy, Environment, Health Care, International, Labor, Law, Media, Meta, National Security, Science, Transportation, or White House. If your diary is specific to a state, consider adding the state (California, Texas, etc). Keep in mind, though, that there are many wonderful and important diaries that don't fit in any of these tags. Don't worry if yours doesn't.

You can add a private note to this diary when hotlisting it:
Are you sure you want to remove this diary from your hotlist?
Are you sure you want to remove your recommendation? You can only recommend a diary once, so you will not be able to re-recommend it afterwards.
Rescue this diary, and add a note:
Are you sure you want to remove this diary from Rescue?
Choose where to republish this diary. The diary will be added to the queue for that group. Publish it from the queue to make it appear.

You must be a member of a group to use this feature.

Add a quick update to your diary without changing the diary itself:
Are you sure you want to remove this diary?
(The diary will be removed from the site and returned to your drafts for further editing.)
(The diary will be removed.)
Are you sure you want to save these changes to the published diary?

Comment Preferences

  •  Tip Jar (23+ / 0-)

    Looking through the bent backed tulips, To see how the other half lives, Looking through a glass onion - John Lennon and Paul McCartney

    by Hey338Too on Sun Jul 21, 2013 at 02:45:23 PM PDT

  •  This is why we need stronger (6+ / 0-)

    privacy laws.

  •  At one time I was guilty (6+ / 0-)

    of using the same password on multiple websites. It was just too hard to keep track otherwise. Then I discovered the free KeePass password manager.

    Now I can easily generate and track a unique password for every website.

    Here's a link to the KeePass website.

    The only trouble with retirement is...I never get a day off!

    by Mr Robert on Sun Jul 21, 2013 at 03:16:37 PM PDT

  •  Ultimately, passwords, even if strong, (8+ / 0-)

    are not going to protect privacy for much longer.

    Hackers are getting better at break through the barriers. I have a friend who is an expert in security privacy issues, and we discuss this regularly. Passwords aren't going to protect people for much longer than a few more years is what I am being told.

    There needs to be multiple authenticity strategies to protect security in this way, but also, as you said, updating software etc, which can be hard.

     I read somewhere that for every 500 lines of hacker code, security professionals must create 10,000 lines of code to keep the hackers out.

  •  These organizations should be *very* sue-able (3+ / 0-)
    Recommended by:
    Hey338Too, ferment, blueoasis

    I know that this organization is dedicate to an open source, low personal cost model, etc., etc.  But here's the thing . . .

    If you want to play on a major forum like this one, then you're required to remit personal information.  If Unbuntuforums.org sees fit to collect that sensitive information, by god they'd better see that it's kept rock solid safe.

    Either that or literally pay the price.

    Another beautiful day in Surveillance Nation.

    by thenekkidtruth on Sun Jul 21, 2013 at 04:28:54 PM PDT

  •  Protecting users. (2+ / 0-)
    Recommended by:
    wayoutinthestix, Hey338Too

    The strength of a password storage scheme fundamentally relies on the amount of computing power necessary to encode (or "hash") a password.  It became common to use the MD5 or SHA* hash functions for this, but because those are designed to run efficiently, it turns out that with specialized software and modern graphic cards billions of tries can be made against a password per second. Sadly, ubuntuforums was apparently using MD5.

    Hashing functions intended for password storage are deliberately wasteful of computing resources. The consensus seems to be to use scrypt, bcrypt, or PBKDF2. Having chosen bcrypt for my projects, part of what I like about it is that it can be easily tuned over time to require more computing power. So maybe every six months or so you increase the strength of the system and when your users log in you test their password with the old strength and, if it matches, reencode with the new strength, perhaps suggesting a password change to boot.  Some recommend scrypt over bcrypt as it makes RAM a factor in hash computation as well, though it was still a bit too new for me to be comfortable with it.

    But as a user there's just no way of knowing whether or not a server is storing passwords competently. Most don't, I would guess. Under any circumstances the best defense as a user is choosing strong passwords, using different passwords for each site, and changing them regularly. The changing them regularly part is because it becomes a matter of time once an attacker has figured out how to steal a user database, and because it seems damned near impossible for anybody to create a system where the user database does not become stolen at some point.

  •  That's the problem with software like vbullitin (2+ / 0-)
    Recommended by:
    Hey338Too, ferment

    Staying current means losing all your customizations a lot of the time.   I run an Invision based site and know the problem all too well.   In order to keep their software from looking old and dated by default, they have to push out new releases every few years that break all your custom themes and modifications.   Upgrading means having to redo you whole site.  Not upgrading means you're at a security risk.  

    It's not fair to criticize ubuntu for using commercial forum software though.  Phpbb doesn't scale to communities of that size, and requires even more mods to get functionality that comes with other software by default.

  •  Thanks for the heads-up (3+ / 0-)
    Recommended by:
    blueoasis, Hey338Too, ferment

    I'm a member of that forum and will change my password, but fortunately I use unique strong passwords, so little risk to other accounts.

    I will also push this to some other network & site admins I know.'

    Let this be a hard lesson to Canonical, if they want to avoid becoming another Ruby on Rails, they need to strengthen the backend services.

    Dan Goodin has a post up about this.

    Also, it seems the recent outages on Apple Forums were also due to an intrusion. Interesting.

    My personal VPN logs hundreds of intrusion attempts per month with less than 20 users! Most I assume to be from bots. Thank God/whomever for Kapersky Labs.

    400ppm : what about my daughter's future?

    by koNko on Mon Jul 22, 2013 at 02:52:23 AM PDT

Subscribe or Donate to support Daily Kos.

Click here for the mobile view of the site