
Ubuntuforums.org Hacked

Soulskill posted about a year ago | from the another-one-falls dept.

Security 146

satuon writes "The popular Ubuntu Forums site is now displaying a message saying there was a security breach. What is currently known: Unfortunately the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database. The passwords are not stored in plain text. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP. Ubuntu One, Launchpad and other Ubuntu/Canonical services are NOT affected by the breach."


EL OH EL (-1)

Anonymous Coward | about a year ago | (#44340287)

Nelson - Ha Ha!

Ummm... (1)

russbutton (675993) | about a year ago | (#44340303)

It's good the Ubuntu Forums has alerted us that this breach has occurred and that we need to change our passwords. It would be nice however if when they put up the announcement page, thus taking Ubuntu Forums off-line that they also give us a link to a page or other device to change our password.

I'd change my password if there were a way to do it.

Re:Ummm... (5, Funny)

interkin3tic (1469267) | about a year ago | (#44340365)

Personally, I'm trying to remember which password I used on it.

Reminds me of an old joke: a man looks glum, his friend asks what's wrong.
The man says "I got a call from some guy, he said to stop sleeping with his wife or he'd kill me."
Friend "Oh, that's too bad."
Man: "The worst part is, he didn't say who his wife was."

Re:Ummm... (0)

Anonymous Coward | about a year ago | (#44340433)

Check your browser password store.

Re:Ummm... (1)

Anonymous Coward | about a year ago | (#44340509)

Oh, yeah, here's a link. I guess it was Charlie's wife. Thanks.

Re:Ummm... (0)

JustOK (667959) | about a year ago | (#44341019)

apt get mypassword or sudo get my password

Re:Ummm... (1)

DFurno2003 (739807) | about a year ago | (#44340393)

Aren't all services down anyway? I'm sure there will be a forced password change prior to restoration.

Re:Ummm... (5, Interesting)

davetv (897037) | about a year ago | (#44340467)

I wonder when they are going to email the userbase with this announcement. I have received no email from them. Perhaps the hacker could alert the userbase as a community spirited gesture.

Re:Ummm... (0)

Anonymous Coward | about a year ago | (#44340681)

The passwords will be scrambled, and resent through email once the forums are back up.

Re:Ummm... (3, Insightful)

philip.paradis (2580427) | about a year ago | (#44341095)

Transmitting passwords in cleartext over email is an absolutely terrible practice, and is only made slightly worse by doing so when account holders may not realize anything has happened and thus may be significantly delayed in visiting their accounts to change their passwords once again.

Re:Ummm... (1)

Celene (2991449) | about a year ago | (#44341733)

*shrug* There isn't any better way to do it. If you post a link, you're screwed too; anyone can click on it to reset the password. If you don't scramble the passwords and make everyone change it on re-login, then the hackers can do that too.

Re:Ummm... (0)

Anonymous Coward | about a year ago | (#44341889)

The link can be made such that it only works once.
The email can be sent encrypted to your public key.
The password-change code can be sent to your cellphone number, with a generic URL sent to your email.

Sending plaintext passwords via email is an awful idea and there are plenty of better ways.

Not everyone has a public key or cell phone (1)

tepples (727027) | about a year ago | (#44342051)

The link can be made such that it only works once.

For the attacker before the mail even gets to the intended user.

The email can be sent encrypted to your public key.

For those people who have the discretionary income to fly to key signing parties.

The password-change code can be sent to your cellphone number

For people who already pay hundreds of dollars a month for cell phone service. A lot of households still share a POTS house phone among members because it's cheaper than a cell phone with unlimited minutes per person.

Re:Not everyone has a public key or cell phone (1)

Anonymous Coward | about a year ago | (#44342311)

Same AC.

That wasn't intended to be an exhaustive list, just a proof by contradiction that the OP was incorrect when he or she said, "there isn't any better way to do it."

I know that providing secure account-recovery options for public websites is hard. If you want to be able to do better than plaintext passwords through email, it is likely to require some additional development prior to the breach.

Sending a plaintext password through email has the following bad properties (non-exhaustive):

1. Anyone between the forum's SMTP server and your mail host may now have your password
2. You cannot detect if one of these people recorded your password
3. Depending on the system, you may not be able to detect if the interceptor has actually used your password
4. You can only invalidate the data they collected by changing your password
5. You are exposed for the interval of time from when the email is first sent until you do change your password.
6. Someone who has compromised your email account and no other account of yours can fully impersonate you in the reset protocol.

Each of the alternatives I proposed addresses at least one of these, trading off with compromises in ease of use, simplicity, or the amount of pre-work required (affecting ease of implementation post-breach). There is plenty of research in this space. Sending passwords by email is among the weakest ways to implement a lost-password protocol.
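An added example, not code from the thread or from Ubuntu Forums, of the single-use, expiring reset link argued for above: the record is deleted on first use and stops working after a validity window (assumed here to be 15 minutes), and only a hash of the token is stored server-side.

```python
import hashlib
import secrets
import time

# Constructed example, not Ubuntu Forums code: a store for password-reset links
# with two of the properties argued for in the comment above.
#   - single use: the record is removed on the first attempt to use it, valid or not
#   - bounded exposure: a link stops working after TOKEN_TTL_SECONDS
# Only sha256(token) is kept server-side, so a later dump of this table would
# not let anyone use an outstanding link; the token itself lives only in the
# e-mail that was sent.

TOKEN_TTL_SECONDS = 15 * 60   # assumption: 15-minute validity window


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokenStore:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id: str) -> str:
        """Create a fresh token for user_id. The return value is what goes into the e-mail link."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[_digest(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def consume(self, token: str):
        """Return the user_id if token is unused and unexpired, else None. Always invalidates it."""
        record = self._pending.pop(_digest(token), None)   # removed on first use, valid or not
        if record is None:
            return None
        user_id, expires_at = record
        if self._now() > expires_at:
            return None
        return user_id

    def outstanding(self) -> int:
        """Number of links that have been issued but not yet used or expired-and-touched."""
        return len(self._pending)
```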

Re:Ummm... (0)

Anonymous Coward | about a year ago | (#44342069)

The email can be sent encrypted to your public key.

Ubuntu users worldwide: "Public key?! What the hell are you talking about?! I'm going back to Windows..."

The password-change code can be sent to your cellphone number, with a generic URL sent to your email.

Do you often give your cellphone number to random websites?
BTW: Some people don't have cellphones.

You need a phone number to sign up for Facebook (1)

tepples (727027) | about a year ago | (#44342147)

BTW: Some people don't have cellphones.

Some people don't have Internet. In any case, you already need your own phone number to sign up for Facebook unless you still have access to a university e-mail address.

Re:Ummm... (1, Flamebait)

ancientt (569920) | about a year ago | (#44340741)

My first thought: "Oh crap, that's me." I use a few passwords across multiple sites, basically determining how unique and how complicated by how much I consider a breach a danger and how much I trust the site to keep the password info secure. Generally, I hate forums that build their own password systems rather than using OpenID or Google Sign In or even Facebook login, and don't trust them much. Still, I tend to trust Unix minded people to care about security.

This means I might have been silly enough to use a password I care to keep secret, so I checked. Nope. Obviously I thought they were idiots to set up their own system and used a password so bad it is obvious that I don't even care if a random guess might get it. I don't use Ubuntu but I have and sometimes I might want to comment in a forum when issues cross distributions.

I hope others learn from this.. but I don't hold out tremendous hope.

Re:Ummm... (1)

tepples (727027) | about a year ago | (#44342075)

Generally, I hate forums that build their own password systems rather than using OpenID or Google Sign In or even Facebook login

This shopping cart [philshobbyshop.com] uses OpenID and Google sign-in, but OpenID sign-in doesn't work for Yahoo! because Yahoo!'s OpenID provider uses redirects for the verification step and PHP cURL doesn't follow redirects if an open_basedir is set.

Re:Ummm... (0, Flamebait)

hairyfeet (841228) | about a year ago | (#44340759)

I'll get hate but the irony is so moist I honestly don't care...can we all LOAO now? I mean storing IN PLAIN TEXT? What good is that "vaunted Linux security" if the forums are being run by goobers that store fricking passwords in plain text! This is a PERFECT example of what I've been saying for years, it's NOT the OS, any OS can be as secure or as insecure as can be, it ALL comes down to what is sitting between keyboard and chair.

Please please PLEASE tell me at the very least the fools in charge of that site have been told to hit the bricks, yes? After all if ANY other company or place did something THAT stupid you'd be calling for their heads, right? But just the fact that you are saying "It's good the Ubuntu Forums has alerted us that this breach has occurred" makes me feel the community is using their "do as I say NOT as I do strategy" because if this were Sony or Apple or MSFT, even if the service was free, every Linux user would be screaming about how fricking pathetic storing in plain text in 2013 is and how they needed to be shown the door.

So I'll be personally interested if the screaming about bad security practices and vile towards foolish behavior will be directed toward their own, or if the community will just pretend that it's totally okay when THEY do it, just not when anybody else does it.

Re:Ummm... (1)

russbutton (675993) | about a year ago | (#44340795)

From what I read, no passwords were in plain text. The crackers that breached the forum got encrypted passwords, but chances are they've got a password cracker strong enough to break the encryption.

S**t happens. I keep my passwords in an encrypted safe on my desktop machine and when I get a chance to update my Ubuntu forums password, I will.

I've had worse stuff happen to me. I figure to save my annoyance chips for something important.

Re:Ummm... (0)

Rockoon (1252108) | about a year ago | (#44340893)

Yes, they weren't in plaintext..

However a lot of people seem to not understand that that's quite useless in and of itself.

The best case is if they were using a salted lossy hash system.

It's counter-intuitive, but throwing away part of the hashed value actually increases user security because more possible hash collisions means that the actual password the user chose is obscured in instances such as this. That's exactly how UNIX DES password systems worked in the days when /etc/passwd actually contained password information. The gist was that even if you got the contents of the file, and then found a hash collision for a particular account, you still probably didn't know the original password. You could log into that account on that machine, but that didn't likely help logging in anywhere else even if the user used the same password everywhere.

Re: Ummm... (1)

Anonymous Coward | about a year ago | (#44341087)

Throwing away part of the hash value does very little to improve security. The likelihood of two short (15 char) ASCII strings hashing to the same value even if shortened is small.

Re:Ummm... (0)

Anonymous Coward | about a year ago | (#44341241)

They got encrypted passwords? WTF, passwords should NOT BE STORED, not in plain text and not even encrypted. encryption is the wrong technology for the job, they should be hashes only.

When a server authenticates to another server (1)

tepples (727027) | about a year ago | (#44342113)

I agree with you that something reversible like encryption is not the best primitive to protect a shared secret when users are logging in to a server, such as the case in the article. But when the server is itself logging in to another server, it still needs to store a shared secret reversibly. For example, this secret might be an API key used by the payment processor to charge a credit card or a transaction ID used by the payment processor to refund a charge.

Re:Ummm... (2)

MiG82au (2594721) | about a year ago | (#44340797)

Do you know how to fucking read?
"The passwords are not stored in plain text."

Re:Ummm... (0)

Anonymous Coward | about a year ago | (#44342327)

And what does it mean in practice? Were the passwords stored in ROT13 encoded form? Or as per-user salted hashes?

Re:Ummm... (0)

Anonymous Coward | about a year ago | (#44340935)

Are you mentally challenged as well as trolling? Didn't you even read the summary?

Re:Ummm... (0)

Anonymous Coward | about a year ago | (#44341221)

Are you mentally challenged as well as trolling?

If you'd read any of the guy's other posts, you'd know the answer to that question is "yes, yes, oh God yes".

Re:Ummm... (2, Interesting)

Anonymous Coward | about a year ago | (#44341005)

Ubuntu forum sounds like the Linux Mint forum - can never change password, or much else that matters. I recall registering on Ubuntu, so I had better check on this!

BTW, I have reason to suspect that LM forum has also been hacked - at least 3 months ago. An email address that never got spam and was used to register there, is starting to collect spam....

Re:Ummm... (0)

Anonymous Coward | about a year ago | (#44341229)

It would be nice however if when they put up the announcement page, thus taking Ubuntu Forums off-line that they also give us a link to a page or other device to change our password.

You might want to try reading that again: you are strongly encouraged to change the password on the other service ASAP. i.e.: we don't know which other services you're using on the intertubes (Gmail, MSN, Yahoo! etc.), but if you use the same password *there* then you should go *there* immediately to change it.

Re:Ummm... (0)

Anonymous Coward | about a year ago | (#44341465)

It would have been best to email everyone registered on the forums. I just found out about this on slashdot. Bad form in dealing with a security breach in my opinion. Oh well, it was time to change the passwords anyway.

Re:Ummm... (2)

bonehead (6382) | about a year ago | (#44341685)

It would be nice however if when they put up the announcement page, thus taking Ubuntu Forums off-line that they also give us a link to a page or other device to change our password.

I'm not too terribly concerned about changing that password right away.

What would be nice is if when this happens, companies would tell users HOW the passwords were being stored. "Not plain text" isn't nearly enough information. Should I discover that my password there is also used on other sites, it would be nice to be able to gauge the level of urgency that is appropriate for changing the password on those other sites. Should I expect my password to be cracked in 5 minutes or 5 days? Can I do my password changing tomorrow evening? Or do I need to change my plans for the day and get on it ASAP?

No, "not plain text" is not a sufficient level of information to provide to the users.

Re:Ummm... (1)

Anonymous Coward | about a year ago | (#44342225)

If they were using vbulletin defaults the answer is md5(md5(password) . salt)

The problem I have is I don't know if I had an account on the forums or if I did, what the password was. So until they bring it back up I won't know if I need to change any other passwords.
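Added example, not vBulletin's or Ubuntu Forums' code: the vBulletin default named above, md5(md5(password) . salt), beside a deliberately slow salted KDF (PBKDF2-HMAC-SHA256 from Python's standard library), with a helper that measures how many guesses per second each scheme permits on the machine it runs on. The iteration count is an assumption.

```python
import hashlib
import hmac
import os
import time

# Constructed example, not vBulletin's or Ubuntu Forums' code.
# Two salted password-storage schemes side by side:
#   vb_hash     - the vBulletin default quoted in the thread: md5(md5(password) . salt)
#   pbkdf2_hash - a deliberately slow, iterated KDF from the standard library
# Both are salted, so both defeat rainbow tables; the difference that decides
# "5 minutes or 5 days" is how many guesses per second someone holding the
# dumped table can test, which guesses_per_second() measures.

PBKDF2_ITERATIONS = 100_000   # assumption: a plausible iteration count, tune for your hardware


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def vb_hash(password: str, salt: str) -> str:
    """vBulletin-style: md5(md5(password) . salt), returned as a 32-char hex digest."""
    return md5_hex(md5_hex(password) + salt)


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256; the iteration count is what makes guessing slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_pbkdf2_record(password: str, iterations: int = PBKDF2_ITERATIONS):
    """What a site would store: a random per-user salt, the iteration count and the derived key."""
    salt = os.urandom(16)
    return salt, iterations, pbkdf2_hash(password, salt, iterations)


def verify_vb(password: str, salt: str, stored_hex: str) -> bool:
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(vb_hash(password, salt), stored_hex)


def verify_pbkdf2(password: str, record) -> bool:
    salt, iterations, stored = record
    return hmac.compare_digest(pbkdf2_hash(password, salt, iterations), stored)


def guesses_per_second(hash_one, seconds: float = 0.25) -> float:
    """Count how many candidate passwords hash_one() can evaluate in `seconds` of wall-clock time."""
    count = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_one("candidate%d" % count)
        count += 1
    return count / seconds


def cost_ratio(iterations: int = PBKDF2_ITERATIONS) -> float:
    """How many vBulletin-style guesses fit in the time of one PBKDF2 guess on this machine."""
    fast = guesses_per_second(lambda p: vb_hash(p, "s4lt"))
    slow = guesses_per_second(lambda p: pbkdf2_hash(p, b"s4lt", iterations))
    return fast / slow


if __name__ == "__main__":
    record = new_pbkdf2_record("correct horse battery staple")
    print("pbkdf2 verify ok:", verify_pbkdf2("correct horse battery staple", record))
    print("vb verify ok:    ", verify_vb("hunter2", "s4lt", vb_hash("hunter2", "s4lt")))
    print("vBulletin-style guesses per one PBKDF2 guess: %.0f" % cost_ratio())
```

The ratio printed at the end is the factor by which a dump of a vBulletin-style table is cheaper to guess against than a PBKDF2 table with the same salts.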

That's what you get for running Ubuntu (0, Troll)

ilikenwf (1139495) | about a year ago | (#44340305)

Especially on servers... Not only is all the crap installed by default annoying, but it probably leaves a lot of nice security holes too.

Using other distros not related to Ubuntu, but based on Debian or really anything else is always a better option.

Re:That's what you get for running Ubuntu (1)

russbutton (675993) | about a year ago | (#44340325)

Feeling a little self-righteous tonight are we?

Re:That's what you get for running Ubuntu (0)

ilikenwf (1139495) | about a year ago | (#44340329)

Are you by chance Mark Shuttleworth?

Re:That's what you get for running Ubuntu (1)

russbutton (675993) | about a year ago | (#44340345)

Shuttleworth? Me? I've been called a lot of things in my life, but that's not one of them.

I wouldn't mind being him. His bank account is a *LOT* better than mine.

Re:That's what you get for running Ubuntu (0)

Anonymous Coward | about a year ago | (#44340447)

I think you can't honestly say that anymore, since you were just called that.

Re:That's what you get for running Ubuntu (1)

russbutton (675993) | about a year ago | (#44340485)

I'm still trying to figure out if I'm a chicken or an egg...

Re:That's what you get for running Ubuntu (0)

Anonymous Coward | about a year ago | (#44340399)

Carpe diem.

Re:That's what you get for running Ubuntu (-1)

Anonymous Coward | about a year ago | (#44340339)

yes and it only took about 10 years! What crappy software that forum software must have been running on and it's obvious from all the massive amounts of information on the breach that it was the OS and not the forum software which was the case. douche

Re:That's what you get for running Ubuntu (4, Informative)

akh (240886) | about a year ago | (#44340349)

Um, what? For the base server install you get no network services installed whatsoever (not even SSHd). As for size, a base install of the current server version of Ubuntu is ~64MB of disk space IIRC. That's hardly what I'd call bloated.

Re:That's what you get for running Ubuntu (0)

Anonymous Coward | about a year ago | (#44341787)

Except that like its parent operating system, Debina, *no one* euses the base install. A few people doing micro-installations on very limited hardware, perhaps, but most wind up installing basic tools like OpenSSH for remote logins, aptitude for package management (which brings in X windows), SNMP for monitoring, and in this case databases and web tools to run the forums.

Talking about a "base install" for such a system is like talking about a family home that consists of one closet, a can of beans, and an electric light bulb to cook on.

Re:That's what you get for running Ubuntu (1)

Anonymous Coward | about a year ago | (#44342173)

Except that like its parent operating system, Debina, *no one* euses the base install.

That's Debian! Deb + Ian!

... aptitude for package management (which brings in X windows)...

No, it doesn't.

Why bring in aptitude? (1)

tepples (727027) | about a year ago | (#44342277)

aptitude for package management (which brings in X windows)

Why bring in aptitude? I thought that from the command line, apt-get did the same thing.

Talking about a "base install" for such a system is like talking about [camping]

How much does OpenSSH + the basic LAMP stack add to the base install?

Re:That's what you get for running Ubuntu (4, Insightful)

NobleSavage (582615) | about a year ago | (#44340419)

I assume that the forum software was hacked. I believe they ran vBulletin which is often hacked. Nothing indicates the underlying OS was hacked.

forum software != Operating system (0)

Anonymous Coward | about a year ago | (#44340453)

holy fuck, are you retarded.. and I prefer windows.

Re:That's what you get for running Ubuntu (0)

Anonymous Coward | about a year ago | (#44340559)

It'd be really funny if they were hacked through VNC, but it is more likely just the forum software itself that is holy.

Re:That's what you get for running Ubuntu (0)

Anonymous Coward | about a year ago | (#44341239)

Not only is all the crap installed by default annoying, but it probably leaves a lot of nice security holes too.

As opposed to Windows Server which installs 27GB of totally secure pure-OS and no other bug-ridden crap.

But.... Linux is more secure than Windows! (-1)

Anonymous Coward | about a year ago | (#44340311)

I call bullshit. This is clearly a lie brought to you by Microsoft and Apple and the Government. Everyone knows that Linux can't be hacked.

/sarcasm

ts1 (-1)

Anonymous Coward | about a year ago | (#44340319)

tsop tsrif. parc ho

Should have used Windows. (1, Offtopic)

jellomizer (103300) | about a year ago | (#44340321)

I Guess these guys should have used Windows.
Bla Bla Bla...

Really, folks, the OS or how the software is licensed doesn't equate to security or quality. Treat every system that is open to the outside world as potentially vulnerable to attack and make sure your logins and passwords are completely encrypted even in your database. If you can see it, then it is vulnerable. As well, you had better be sure you use some salting in your hashing.

Re:Should have used Windows. (1)

geekamole (1966386) | about a year ago | (#44340357)

The "strongly encouraged to change the password on the other service" bit is perhaps an open admission that they didn't salt; or maybe it's an admin lacking knowledge of the salt/no-salt situation and playing it safe by warning users. Still disappointing.

Re:Should have used Windows. (1)

HJED (1304957) | about a year ago | (#44340375)

Or just being safe even if the passwords are salted, given that in the same line it also says that the passwords were not in plaintext.

Re:Should have used Windows. (1)

illaqueate (416118) | about a year ago | (#44340405)

Passwords are rarely in plain text. The issue is if it's not salted then the passwords can be discovered by looking at a precalculated table (rainbow table). So it would be useful to know whether or not it's salted.

Re:Should have used Windows. (1)

Anonymous Coward | about a year ago | (#44340531)

It isn't useful at all. For all you know the attackers could be bruteforcing your salted password hash right now, so the only sane thing to do is change the password.

Re:Should have used Windows. (3, Interesting)

Rockoon (1252108) | about a year ago | (#44340931)

Salting helps against rainbow tables, but it's irrelevant to the integrity of the password itself.

The important thing is that the hash is lossy so that even if salt+"abc613" hashes to the value in the database, there is no reason to believe that "abc613" was actually the password the user was using.. He could have been using "manbearpig", for example. This is a case where longer hash values actually help the hacker/cracker.

I don't pretend to know what the optimal size of the stored hash should be in order to protect the users' passwords, but I think it's almost certainly less than 32 bits. 32 bits is wide enough that attempting to find a hash collision at the login prompt is still silly, while also making the information gleaned from a brute force attack of the hash values almost useless.

Re:Should have used Windows. (3, Interesting)

tlhIngan (30335) | about a year ago | (#44340571)

The "strongly encouraged to change the password on the other service" bit is perhaps an open admission that they didn't salt; or maybe it's an admin lacking knowledge of the salt/no-salt situation and playing it safe by warning users. Still disappointing.

No, because cracking passwords, even salted one, is ridiculously easy. Hell, take a well salted database, a stolen password list, and a way to compute the password. You can probably find a good chunk of accounts with the basic set of passwords.

Salting just prevents the use of rainbow tables, which means cracking passwords takes a few hours instead of a few seconds. Hell, you probably could use one of those bitcoin miner ASICs to do it - cracking passwords is really just computing hashes, and the R&D in computing hashes faster and faster means hashed and salted passwords are getting easier to crack.

Ars Technica details it better.
http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/ [arstechnica.com]

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/ [arstechnica.com]

Re:Should have used Windows. (3, Informative)

Anonymous Coward | about a year ago | (#44340645)

Here you go, tlhIngan. If it's so easy, provide the password or a collision in the next 3 days.

  tlhIngan:$6$PsLtDfSP$SISVIa7tbcxdIN6StnZMF.l6Vw1/mZFIrKmNUAidG7k090l5bLUqBZF/ItMU2A0RzhHQyMnH40t67tIVl.6VB0:15907:0:99999:7:::

I'll even cheat and tell you it's a combination of upper, lower, punctuation and numbers...

Re:Should have used Windows. (0)

Anonymous Coward | about a year ago | (#44342217)

Done!

But I've got the same password on my luggage, so I won't write it here.

Re:Should have used Windows. (1)

skegg (666571) | about a year ago | (#44340859)

cracking passwords, even salted one, is ridiculously easy

Not necessarily true.

If the user has used a very common password, then it's likely.

However if it's an uncommon password that's hashed using something like bcrypt [wikipedia.org] with a decent number of rounds, then it's far from "ridiculously easy".

Re:Should have used Windows. (0)

Anonymous Coward | about a year ago | (#44340737)

I suspect the issue is that the database was compromised, which means that the hashed-passwords AND the salts were stolen.

That means they can brute-force with the correct salt to compare against the hash, and recover passwords.

Re:Should have used Windows. (1)

illaqueate (416118) | about a year ago | (#44340397)

This kind of breach is usually just bugs in the forum software or the server software they run on.

you are strongly encouraged to change the password (0)

Anonymous Coward | about a year ago | (#44340327)

AKA: we didn't use bcrypt, and just base64 encoded the passwords. Prepare to get buttraped.

Re:you are strongly encouraged to change the passw (0)

Anonymous Coward | about a year ago | (#44340757)

I don't get it. If the passwords were not in plain text, which should mean they are encrypted, you should not need to change passwords on other stupid services.

So the passwords WERE in plain text format, so crackers got passwords and email addresses in clear form that they can use.

Canonical just doesn't care about anyone's security unless you pay them.

Re:you are strongly encouraged to change the passw (1)

Rockoon (1252108) | about a year ago | (#44340939)

Neither of you seem to have any idea what the security implications are.

Re:you are strongly encouraged to change the passw (1)

Anonymous Coward | about a year ago | (#44341253)

It probably wasn't much better than that. Don't know if it's still current, but the Javascript of their login form used to do this:

<form id="navbar_loginform" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)" method="post" action="login.php?do=login">

Re:you are strongly encouraged to change the passw (0)

Anonymous Coward | about a year ago | (#44342279)

It probably wasn't much better than that. Don't know if it's still current, but the Javascript of their login form used to do this:

<form id="navbar_loginform" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)" method="post" action="login.php?do=login">

That's probably just to avoid sending the password over the wire in clear text.

If they always use that, including on the signup page, they wouldn't even have your password in the first place, only the md5hash of your login + password.

Adobe Flash mob? (0)

Anonymous Coward | about a year ago | (#44340335)

Well, I hope they insert a fucking fix for Youtube. It still doesn't work on U.

Nice. (0)

Anonymous Coward | about a year ago | (#44340385)

It looks like at some point in the past I must have actually signed up to the forums (though I barely, if ever, used them). Hopefully they have some kind of "delete inactive accounts" thing set up, because I really don't want spam on behalf of, of all things, fucking Ubuntu. But I'm guessing they don't. Could they have not just protected the e-mail addresses just a little bit fucking better? I don't care about the password, because it's generic as all hell, but I will be pissed if now I become a spam target.

Password Policy (1)

HJED (1304957) | about a year ago | (#44340387)

Does anyone remember what password policy the forums had, trying to work out which password I was using for it.

Re:Password Policy (1)

Pieroxy (222434) | about a year ago | (#44340719)

Does anyone remember what password policy the forums had, trying to work out which password I was using for it.

It's probably the one in your sig.

Forums the new lowest hanging fruit (1)

Anonymous Coward | about a year ago | (#44340423)

Forum attacks have increased in recent years and it seems to be the newest go-to vulnerability. This is not platform specific so no need to just bash Linux or even Ubuntu specifically. Really, its time for people to get serious about Forums and mailing list software where security is concerned. All of us know forum software is among the most used and abused software out there but mostly just underfunded. I invite all of you progressive thinkers out there to take this staple of development and communication to the next level because I for one would gladly pay license fees for an efficient and secure forum platform. I don't care what the excuse is 90% of the time for why it happened its always watered down to some story about someone forgetting to do something within the realm of conceivable human error- the fact is it happens too many times and I don't feel safe registering on most forums nowadays. So lets make a difference we can do this BETTER.

Re:Forums the new lowest hanging fruit (0)

Anonymous Coward | about a year ago | (#44340769)

Why bash the Linux operating system if the security hole is in the WWW server, SQL server or somewhere else?

Very rarely are security flaws exploited in operating systems; they are the most secured and checked pieces of software. Instead 99.x% of security holes have been in totally different software than operating systems.

But if you knock out operating system security, you get access to everything, as the operating system runs all other processes and threads and you get direct access to everything.

Password policy (4, Interesting)

readingaccount (2909349) | about a year ago | (#44340457)

The passwords are not stored in plain text

You'd hope so. That would be standard policy you'd assume by now (hashes are easy), but apparently it's still important to mention this given there are still way too many outfits storing plain-text passwords in their systems.

I remember reading the following advice - if you're unsure about the security of any company with whom you've got a password-secured account, just check to see if they have some kind of password recovery link on their login page. Normally these links should email you with a temporary password so you can make a new one, but if they happen to actually email you with your actual password... RUN!!!

Re:Password policy (3, Informative)

Anonymous Coward | about a year ago | (#44340667)

I remember reading the following advice - if you're unsure about the security of any company with whom you've got a password-secured account, just check to see if they have some kind of password recovery link on their login page. Normally these links should email you with a temporary password so you can make a new one, but if they happen to actually email you with your actual password... RUN!!!

Because that's a totally accurate way of judging their security. Sarcasm aside, it's possible to use hashes badly (like unsalted MD5) and it's possible to encrypt passwords so that they're secure in the database and yet still retrievable (because the vast majority of attacks involve revealing database information, not executing code or downloading files).

Guess what the best advice is? Use a different password for every site.

Re:Password policy (1)

Pieroxy (222434) | about a year ago | (#44340723)

Guess what the best advice is? Use a different password for every site.

I ran out of memory at 65536. I guess I'm just 16 bits wide.

Re:Password policy (1)

Rockoon (1252108) | about a year ago | (#44340973)

and it's possible to encrypt passwords so that they're secure in the database and yet still retrievable

No. Just no. It is not possible to ENCRYPT the passwords so that they are secure. Encryption is the WRONG TOOL for storing passwords, because with encryption it is ultimately decryptable and therefore someone can know for certain what your password is.

To be quite specific, I want there to be billions of "passwords" that hash to the same value that's in their database for my account, so that even when an attacker finds a collision he still won't know what I fucking use for a password.

Re:Password policy (0)

Anonymous Coward | about a year ago | (#44341163)

Won't all those billions of matching passwords be deemed correct if someone tries to use them to log in to your account?
If not, why not store _every_ password as the same value?

Re:Password policy (2)

Ice Station Zebra (18124) | about a year ago | (#44341435)

This is the finding-the-needle-in-a-stack-of-needles approach to password protection.

Re:Password policy (1)

readingaccount (2909349) | about a year ago | (#44341009)

Your sarcasm was misguided anyway. The point is that if your original password can be sent to you in an email, it means they must be storing the password in plain-text anyway - if they're doing that, it doesn't bode well for the rest of their security implementations.

Re:Password policy (0)

Anonymous Coward | about a year ago | (#44341423)

Really?
Saying that the absence of plain text password recovery is an indicator of good security is like saying that something not tasting that much like shit is an indicator of good cooking. Saying that the presence of plain text password recovery is an indicator of bad security is like saying that a tsunami might lead to mold problems in cellars.
You must be young and inexperienced or have little to do with computers in general... these are things that people found mentionworthy in the 1970s, and only naive individuals or those with no grasp of information security regard them as criteria in the current millennium (which are sadly quite a lot, though luckily mostly found outside of server rooms).
Anyhow, the GGP comment is just silly (the derivation of plain text recovery -> plain text storage is genius) and deserves the sarcasm it got.

captcha: imperil

Re:Password policy (0)

Anonymous Coward | about a year ago | (#44341619)

Saying that the absence of plain text password recovery is an indicator of good security is like saying that something not tasting that much like shit is an indicator of good cooking.

That's nice, but he didn't actually say that.

Saying that the presence of plain text password recovery is an indicator of bad security is like saying that a tsunami might lead to mold problems in cellars.

Doesn't matter what it's "like", it's pretty unambiguously true.

Re:Password policy (0)

Anonymous Coward | about a year ago | (#44341969)

Reread the whole comment, the point is that the sarcasm is well deserved.
The second part you quoted may be unambiguously true, but it's a piece of advice as useful as nipples on a breastplate (GRRM gratia).

captcha: accent

Re:Password policy (0)

Anonymous Coward | about a year ago | (#44340697)

They use vBulletin so it's probably just a salted md5 hash.
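The two storage schemes the thread contrasts (an unsalted MD5 hash versus a per-user salted, slow hash), as an added example in Python that is not code from the thread or from vBulletin; the user names, passwords and salt length are constructed for illustration. The duplicate check shows what an unsalted table leaks to anyone who reads the database: which users share a password.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

# Constructed sample accounts; "hunter2" is deliberately reused by two users.
USERS = {"alice": "hunter2", "bob": "correct horse", "carol": "hunter2"}


def store_unsalted_md5(password: str) -> str:
    """The weak scheme: no salt and a fast hash, so equal passwords give
    equal stored values and one precomputed table serves every user."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                        rounds: int = 100_000) -> str:
    """Per-user random salt plus a slow KDF, stored as 'salthex$digesthex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{salt.hex()}${digest.hex()}"


def verify_salted_pbkdf2(password: str, stored: str,
                         rounds: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_groups(table: Dict[str, str]) -> List[Set[str]]:
    """Groups of users whose stored values are identical. For an unsalted
    table this reveals shared passwords; with per-user salts it is empty."""
    by_value: Dict[str, Set[str]] = {}
    for user, value in table.items():
        by_value.setdefault(value, set()).add(user)
    return [users for users in by_value.values() if len(users) > 1]


def unsalted_table() -> Dict[str, str]:
    return {u: store_unsalted_md5(p) for u, p in USERS.items()}


def salted_table() -> Dict[str, str]:
    return {u: store_salted_pbkdf2(p) for u, p in USERS.items()}
```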

Re:Password policy (1)

aliquis (678370) | about a year ago | (#44341249)

RUN!!!

Does that help?

Re:Password policy (0)

Anonymous Coward | about a year ago | (#44341535)

I found it a good hint I was in the wrong spot when after I registered an account with a new service they automatically emailed me the password I selected in plain text. And to make matters worse they put their service desk on the CC for that email.

Re:Password policy (0)

Anonymous Coward | about a year ago | (#44342375)

I found it a good hint I was in the wrong spot when after I registered an account with a new service they automatically emailed me the password I selected in plain text. And to make matters worse they put their service desk on the CC for that email.

Please tell us what service so the rest of us can avoid it.

What's Frustrating (0)

Anonymous Coward | about a year ago | (#44340463)

A lot of distro forums don't provide you with the ability to delete your account. These include Linux Mint, Arch and Archbang.

do I have an account (0)

Anonymous Coward | about a year ago | (#44340617)

So how do I know if I have at some stage in the past made an account on the forum?

How should I know what password I used? (0)

Anonymous Coward | about a year ago | (#44340633)

I have an account but have no idea what the password is. I wish they would just email us our own hash.

Phew (0)

Anonymous Coward | about a year ago | (#44340671)

Well thank god I've not used the same password on anything since about 1997.

Sadly the dangers of using the same password on multiple accounts is something I had to learn the hard way back then, but I learned my lesson.

Re:Phew (1)

ls671 (1122017) | about a year ago | (#44341125)

Me too, I use:
passSlashdot
passUbuntu
passGmail
etc.

Passwords (0)

Anonymous Coward | about a year ago | (#44340709)

I can't remember which of my 3 passwords I used in that forum, so I don't know which other services I need to change my password ... Could they post the list in plain text so I could check it?

But Linux is more secure with many eyes! (-1)

Anonymous Coward | about a year ago | (#44340739)

But Linux is more secure with many eyes!

Re:But Linux is more secure with many eyes! (2, Insightful)

Anonymous Coward | about a year ago | (#44340829)

Forum passwords were stolen via the forum software. Where does Linux come into this? Do you have the faintest clue what you're talking about?

Re:But Linux is more secure with many eyes! (0)

Anonymous Coward | about a year ago | (#44340871)

But the forum was Open Source software with many eyes... ;)

Re:But Linux is more secure with many eyes! (3, Informative)

Anonymous Coward | about a year ago | (#44341237)

Wrong [wikipedia.org]

vBulletin - a crock of shit (0)

Anonymous Coward | about a year ago | (#44341827)

That's what they get for using vBulletin rather than using a FLOSS product they could audit.

How about using PHPBB3, a product which was thoroughly audited during development? Or how about adding a forum extension to Launchpad?

Thank you LastPass! (1)

reedk (43097) | about a year ago | (#44341945)

Now I *know* the gobbledygook password you generated for me is not compromising me anywhere else on the net. I have no financial interest in LastPass [lastpass.com]; just a big fan.