Ubuntu Servers Hacked
An anonymous reader noted that "Ubuntu had to shutdown 5 of 8 production servers that are sponsored by Canonical, when they started attacking other systems. Canonical blames the community, saying they were community hosted, and were poorly maintained. However, kernel upgrades couldn't be done because of poor backwards compatibility with the very hardware that Canonical had sponsored! While people point fingers at each other it is pretty clear that both sides are equally to blame, the community administrators for practicing bad security practices, such as using unencrypted FTP transfers with accounts, not properly maintaining the system. However Canonical should have been well aware of what they are hosting. The question remains, if any of the files distributed to users have been compromised. A major blow for Canonical though who are attempting to enter the business market with Ubuntu Server."
Spambuntu
You keep using that word. I do not think it means what you think it means.
This isn't the only Linux distro security breach being disclosed recently. One of Gentoo's web applications was compromised and they are investigating it:
http://bugs.gentoo.org/show_bug.cgi?id=187971
This is just a transitional feature designed to make Windows users more comfortable using Ubuntu.
Since this is a community based, open source project, I would love in the near future (after the investigation and cleanup are done) to read about how they determined that the machines were compromised, what the attackers did, and more importantly, how Ubuntu cleaned them up...
This could really help the community as a whole, and I know I would enjoy reading it..
What are we going to do tonight, Brain?
Ubuntu made a boobootu
Politics is Treachery, Religion is Brainwashing
The real test is how they react to this, and how they clean up their mess. Everyone screws up, but what separates good people from bad is how they react to problems and screw-ups.
It sounds like that part at least is still underway, with a meeting (FTA) in "#ubuntu-locoteams on Tuesday, August 14, 2007 at 2:00PM UTC". Seeing as that's yesterday, we should probably reserve judgement a day or two to see how they respond.
administrators, but:
who the hell places such exposed servers like these on the net without applying security patches and following simple rules? yeah, the freaking old hardware, compat problems, i sure understand that. but then make a fuss 'bout it. threaten to stop maintaining the hardware if the network cards aren't changed. if that REALLY is the only problem with the hardware which prevented updates, then i just don't understand how the hell this could happen. NICs, even though this would be no consumer hardware, aren't that expensive. if my employer's servers were hacked because i did not mind telling him that some crappy piece of hardware prevented me from keeping up to date with security, i would kindly be removed from my desk. period.
An update last week hosed my /boot partition. I haven't found any mention of this happening in any of the Ubuntu Forums. Anyone know if this could be related?
My blog
it amazes me that people even use the plain old ftp protocol for anything important. sftp has been around forever.
The article itself doesn't mention a lot more than the summary. What really puzzles me is this part: "and no upgrades past breezy due to problems with the network cards and later kernels."
From the Breezy Badger release notes: Linux 2.6.12.6
So how come there's a problem in getting that driver going under 2.6.22 (for example)?
Indeed!
Say what??? Are they nuts? Were they also using telnet?
So let's say that I installed a fresh copy of Feisty Fawn last night, and was doing updates from about 8pm until 11pm EST (yes it took so long, the servers were THAT slow, and this is probably why). Should I be at all worried that the system might be compromised?
The poster is highlighting an almost completely irrelevant issue: how many security flaws are accessible in the kernel remotely? It's the applications on top, either incredibly bad administration leaving a hole, unencrypted passwords flying over the network, or regular easily guessed passwords.
Yes, it's going to be inconvenient administration-wise, but it's not that difficult to upgrade the distribution and leave the kernel behind. The caveat is having to be extra secure on admitting remote users to protect against known local exploits.
Bruce
Bruce Perens.
It's all the same. You can lock up a system tighter than a dolphin's ass, but no security in the world can mitigate pebkac.
boycott slashdot February 10th - 17th check out: altSlashdot.org
had these been windows servers we would have heard cries of a flaky operating system being the problem. in this case, since they're linux servers, we hear that the fault lies on the administrators of the boxen for not hardening the systems?
1. Accuse Microsoft of making insecure products and being bloodsucking capitalist vampires.
2. Praise Linux for being secure and community-made, and hence non-profit.
3. Shift blame around when security is compromised since nobody knows who's really accountable.
4. ???
5. Global Linux hegemony.
Seriously, better late than never.
No software is perfect, no package is absolutely secure.
It's good that these servers were compromised and detected too [I hope within time].
This means either admins are not doing their job properly or the culprit packages are buggy.
Either way it is an eye opener to the community and especially Canonical.
This calls for better auditing and more effort to be put into security on Ubuntu server systems as well as packages which make their way into Ubuntu.
This may possibly mean more work for Ubuntu package maintainers and in turn a better product[not the perfect one but a better one].
-- "Genius is 1% inspiration and 99% perspiration" - TAE --
"...but the M$ campus gets hacked all the time."
Do you have evidence for this? Particularly for the "all the time" part.
It's like NT all over again. God only knows what bad things they can do with that.
Friends don't help friends install M$ junk.
Ten to one, we hear next week that some large repository of Student papers is vulnerable too.
This doesn't sound like a hack at all. If "[they] started attacking the other servers", it sounds more like a virus than a hacker. That is, if the servers were genuinely attacking the other servers. It's an exploited weakness nonetheless.
The game.
With signatures in place, and verification by default when packages are installed, you'd need more than just breaking into a server to cause serious damage.
Ubuntu seems to have something in place already, but from my look at it, doesn't seem nearly as insistent on security as it should be.
So you're saying that Ubuntu is especially open to insecurity by association?
Perhaps that's an attack vector that needs more attention. Sure, you can focus on FTP, but a system is more than the sum of its parts. How insecure is it to leave a system accessible to Windows users on any front?
What the HELL is going on here? This isn't just an 'oops', this is really, really friggen lazy! Last I checked, 3Com and Intel still have about a billion NICs out there in the great wide world. Hell, I could mail them a few myself...
No?
Linux systems are only as secure as the admins who manage them.
:)
And for bonus "hate" points, even MS servers can be secure if they are admined properly. Don't worry though, I have my flame suit on.
The price is always right if someone else is paying.
Heh heh, the malicious person doesn't even need money as a motivator. In this particular case, I don't see how anyone would profit anyway, at least monetarily.
To the making of books there is no end, so let's get started
As one of the people affected by this issue, I'd like to give some clarification on this. Firstly, the servers affected were Local Community (LoCo) Team servers, of which I maintain ubuntu-us.org. While I'm personally annoyed that the site is down (given it was on the front page of Digg last week), these servers are far from "production" servers; they host LoCo team resources and websites. I'd like to know what "compromised" software would have been downloaded by users, given that these servers did not host user repositories, and for the most part hosted news pages, blogs, and localized documentation. The issues were twofold: the servers were not upgraded past breezy, leaving them open to vulnerabilities after Breezy's EOL; LoCo team users were running an array of web applications (Drupal, Wordpress, Mediawiki, etc), but not updating their systems with new security patches. Top that with ftp logins and no ssh keys, and you have yourself a problem. Canonical is moving the installs to their facilities, retrieving the data, and building the installs (including the aforementioned web applications) from scratch, assuming that everything has been compromised. Hopefully in the next few days this will all be over.
It has nothing to do with dumbing it down for Windows users making it insecure, although I admit, this case is again a demonstration that the biggest security hole on a computer is the lump of carbon/hydrogen/oxygen located between the keyboard and the chair.
They got arrogant, cocky and lazy. They let their security slip on things a Windows user wouldn't use or care about (ex. FTP vs SFTP; from a user perspective, the difference is minimal).
Does your reality distortion field go so far as to say that Windows is causing functional breakage in Linux now? Geeze. Lemme guess, you are gonna add global warming, wars, AIDS, ebola and the common cold to the list as well, right?
Heck, fairly certain that ftp wasn't active by default on my last install of Ubuntu (I know SFTP was though).
FTP vs SFTP - maintainer arrogance/incompetence
Kernel couldn't be upgraded given the hardware supplied by Ubuntu's owning company - the company's own problems
Okay, maybe Canonical gave them hardware that was not ... or ... was ... okay, this is just difficult to conceptualize.
The NICs worked fine with version A.
The NICs did not work with version B. Where's the bug report?
Breezy - this is where they stopped.
+ 6 months - Dapper - LTS, where is the bug report?
+ 12 months - Edgy - a bug report?
+ 18 months - Feisty - a bug report?
If you just CANNOT apply a patch then you HAVE TO make sure that EVERYTHING else is locked down AND INCREASE YOUR MONITORING OF THAT SYSTEM.
It looks like the admins made too many mistakes. I can fault Canonical IF there was a bug report filed and pursued.
Everything else is the admins' fault. No matter how stable and secure a system is, and by default Ubuntu ships with no open ports, a bad admin can break it.
Well, if they _did_ get broken into all the time, then that would be pretty embarrassing. The last thing they would want to do is publicize the fact, so it only makes sense that they would cover it up and say nothing about it.
Since nobody has _ever_ said anything about frequent break-ins, it's clear that they must be happening.
Why am I the only person who can see how obvious this is?
Linux servers don't get hacked. Period.
I wonder if these are the same servers that Ubuntu users get updates from.
If they were successfully attacked by the threat level of script kiddies, then it's likely that they were compromised earlier by higher threat levels, eg. large corporations or governments. Such a crude method of spreading speaks of a zombie net, and would have been harmless to Ubuntu's users, but the bad guys from other threat models may have created backdoors, keyloggers, and other rootkits on every updater's computer.
Not that the big fish won't be able to work their way back in once Ubuntu is back up, but at least we'll have a reprieve and they'll have to use more resources.
Yes, I sleep in my tin foil nightcap.
Firstly these servers were not "Canonical Hosted" as the anonymous reader suggests. They were hosted in a DC which Canonical paid for, but the community maintained them. So Canonical system admins had very little to do with them.
My site - http://screencasts.ubuntu.com was one of them that was affected, so I was of course concerned that there might be some data loss. I only use SCP to copy files up to the site, and logon with my ssh key, so don't think that all Ubuntu community members are using FTP, weak passwords and really old software, it only takes _one_ though to naff it up for everyone else.
The Canonical system admins (on top of the work they already do) migrated the services from those servers to their own DC very quickly. My site went down on Tuesday and was back by Friday. For free hosting and oodles of bandwidth, I'm happy with that downtime - for a community site.
"...but the M$ campus gets hacked all the time." Do you have evidence for this? Particularly for the "all the time" part.
No, but if M$ can't guard their precious source code, what can they guard?
Yes, it means exactly what he thinks it means. This whole thing with calling hackers "security researchers" is just silly beyond belief. Both of these little peccadilloes in terminology are reasons that no one who really counts takes the Slashsnot crowd very seriously.
I think the answer to that is obvious:
1. Hack Ubuntu servers
2. ?
3. Profit
It sounds like a compromise based on using a flaw in an ftp daemon to exploit a kernel flaw to escalate privileges. The question I'd have is which ftp daemon were they running? FTP - even the old, unencrypted kind - IMHO can be run with tight security if you choose a daemon that can run in chroot with virtual-account privilege separation for each user. A few daemons do that, and do it well, most don't. So was this a known-problematic ftp daemon that Ubuntu's Loco servers were running, or a fresh exploit against one of the better daemons?
As for the suggestions that sftp is better, OpenSSH's version of sftp requires a shell account for each user - something good ftp daemons don't. There are shells like scponly that are pretty good at chrooting each user's shell account - but not necessarily perfect. There are a lot more administrative steps in setting that up than for an ftp account, which if not quite done right can compromise security. FTP's maturity - again with the right daemon - can be a security advantage, over all.
"with their freedom lost all virtue lose" - Milton
Sir, somewhere in the fully-indexed and data-mined future, your descendants will be publicly shamed and ridiculed because of your post.
I suppose they'll have no choice but to flee to deeper waters.
Rich And Stupid is not so bad as Working For Rich And Stupid.
Please mod this -1, I don't agree with him.
Okay, so your assertion of fact was really just an enormous assumption. Thanks for the clarification.
"Ubuntu had to shutdown 5 of 8 production servers that are sponsored by Canonical, when they started attacking other systems."
In Soviet Russia, server attack you?
Beware: In C++, your friends can see your privates!
This dumb Windows user uses sftp to connect to all of his servers. I don't know where you're trying to go with this troll...
I don't respond to AC's.
So wait, this old hardware has no PCI slots? No USB ports? Nothing that could allow one to simply NOT USE THE UNSUPPORTED NIC CARD???
I wonder if they could use some of my NE2000 NICs. They should be compatible. I'll even toss in some 50 ohm terminations.
The truth shall set you free!
Well, I heard that Ubuntu isn't very good at that either...
uhh...that's what happens when you try to make your linux distro work like windows....
Who said it was a bug? It could be as easy as someone password sniffing on a remote network saw a user log in to the Ubuntu server's FTP service. Once they had a username and password, logging onto the box and running a spam/DoS script against other servers is easy. It's not a bug, it's just an insecure method of accessing a box. Kind of like putting a huge lock on your front door, then leaving the key under the mat.
http://www.mhall119.com
I used to be an ardent Ubuntu supporter but since Dapper and the wider adoption there has been too much emphasis on making things more Windows-like and less on best practices throughout the Ubuntu community (note I said the community, not the developers). Stuff like Automatix and the general feeling that any script or line of code that is posted on the Ubuntu forums is guaranteed safe has led to lax standards. I've brought this up a couple times and any valid discussion quickly descends into a flame-fest and the mods (rightly so) lock it down.
The Ubuntu community has bent over backwards so far to prove they can include everyone that they lost sight of many of the things that make Linux a better choice for many people; time to get back to fundamentals and best practices, the sooner the better. Stop worrying about besting Windows at every silly thing (ahem, desktop transparency), stop trying to include aunt Tilly (who is never going to "switch" anyway) and remember that some things take more effort but are often worth it.
How insecure is it to leave a system accessible to Windows users on any front?
I won't give a gnu/linux account to any windows user because a minimum of 25% of them are part of a keylogging botnet. They are liable to access my machines from windoze and things go downhill from there, even if they use a better client. A system is only as strong as its weakest link.
Ubuntu itself is dangerous because it includes non free software like Adobe Flash, but this should not be of concern to business users. These dangers are orders of magnitudes smaller than those faced by windoze users, but Ubuntu needs more shelter and care than Debian itself. No gnu/linux system is in danger of being auto-rooted like a windoze machine. Business users should continue their move to gnu/linux systems like Ubuntu.
Next on Fox...
It just became obvious recently that open source publishes their breaks as they are, because they can't actually hide anything. I bet breaks in corporation servers are so frequent that it is common practice to be silent about them.
In the meantime, there is a tradeoff between having one LTS release which has a rather old kernel with old drivers and a new one, which has 18 month support but has everything up to date, including also unstable stuff of course. But in fact it doesn't even matter, because the admin is the one in charge.
So Linux is more secure than Windows? You bet. Then why do such break-ins happen? Because of lazy or hobbyist admins who have no time or maybe not enough knowledge to lock down the server to protect it from attacks. To lock down such a Windows server/workstation is much harder because of the "black box" mentality such software has. But it is also possible.
So in summary - it is the admins who are the guilty persons here. Ubuntu Dapper and Feisty are secure enough releases to keep them locked down without causing trouble for services. And ohh, be careful to which persons you give access and have a good password management system.
user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
Off and on over the past two months I would download packages and get that message. I wonder if the server compromise has anything to do with it.
Well it is only a bug in that they were still using FTP. FTP should be as dead as Telnet. SCP is far more secure and should be the only way one can upload a file to a system. FTP is fine for downloads but that is about it.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
You made a good argument, but when you use terms like "Windoze" you lose credibility.
If we don't fight for ourselves no one will.
Heh, so this is different from every day on /. how?
That is not dead which can eternal lie, And with strange aeons even death may die.
A past EOL OS, ineffective settings, and less than skilled admins. It couldn't get much worse no matter what system was being used. This is no more Ubuntu's fault than it would be Microsoft's fault if a Windows user gets hacked while surfing using an unpatched computer with the C:\ set as shared and no firewall.
The exact same thing has more likely than not happened to countless businesses all over the world when they got someone who knew just enough to be dangerous to set up their network. I know of one small business that has their office computers networked over wireless, and the guy who set it up didn't have a clue about security, so I doubt the connection is that secure.
It is difficult to get a man to understand something when his job depends on not understanding it.
Thousands of Windows machines get exploited every day, and there's barely a word said about it. 3 Linux machines are exploited, and it's "OH MY GOSH!!111". I don't know whether this is a good thing, a bad thing, or, my best guess, both.
If there's anyone I hate more than stupid people, it's intellectuals.
Indeed. I have to question the security of a software company which not only leaves its source code in public FTP, but, after others discover this mistake, ASKS THEM TO MIRROR IT!
It boggles the mind.
I've seen this hundreds of times, but never bothered with it.
You made a good argument, but when you use terms like "Windoze" you lose credibility.
People who can't see though my wording probably won't believe the argument anyway. Brainwashing is strangely dehumanizing like that. The victims lose their sense of humor as well as reason. The term "windoze" implies both of those losses and that people who continue to use it are asleep at the wheel.
You can back up your policy in the packet filter.
In iptables, look up osf and --genre.
For pf, look up osfp.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
No, it's a command as in shutdown -h now which is precisely what happened ;)
"Linux is for noobs"-The new MS fud strategy
u don't think we went to the moon? why not tell louis armstrong to his face.
"The complete lack of evidence is the surest sign that the conspiracy is working."
- Jack Handey
"Since this is a community based, open source project, I would love in the near future (after the investigation and cleanup are done) to read about how they determined that the machines were compromised, what the attackers did, and more importantly, how Ubuntu cleaned them up..."
What utter bollocks. It's pretty clear from even the limited information on the Ubuntu wiki that the root cause of the compromise was incompetent systems administrators engaging in extremely lax security practices - account based ftp access? In 2007?
Can you spell "looser"?
Please don't post that signature. I caught a couple of words as I glanced by and nearly had to be rushed to the ER.
With volunteers, they can work as long as the group is pretty well motivated. A volunteer admin can do a superior job if they feel that there is enough prestige associated with them doing things well. You do have to find the good people though, just as you would do with a paid employee.
-- Using the preview button since 2005
When someone hacked MS and got a copy of their source code it was headline news.
I am surprised no one reports how often Linux source code is taken from company servers; they must get hacked constantly compared to MS.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Well yeah, you can say it's a "bug" in the process. But that's not something a code review is going to help with, which was the AC's contention.
That isn't very logical. Everyone knows that Windows is a poor OS, and the term Windoze has been around for well over a decade, for historical reasons (Windows is sloooow) that everyone can still identify with (when Windows runs sloooow even on decent hardware, while other modern OSes work fine) :(
which is totally what she said
I've never seen a paid individual make a stupid mistake like this. The captain of the Exxon Valdez was a volunteer with the Red Cross on a humanitarian mission. The Challenger and Columbia were piloted by kids from space camp. The original Tacoma Narrows bridge was designed by volunteers with Habitat for Humanity.
On the other hand, we all know that segregation & apartheid were both ended by paid professionals. If you want something big done right, only paid professionals can do it.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Bloody wants to be with a name like that. I'd be sorely underwhelmed if I ran it and an ASCII cow just echoed my words back at me.
Yeah, NOBODY uses unencrypted FTP anymore... *sigh*
-John Mark
Hyperic Community Manager
Isn't this what makes Ubuntu, well, Ubuntu?
If it were geared toward 'more effort' it would be Debian, would it not?
True, but it has gone a little out of balance, it walked a fine line in the early days but has gone off the "ease of use" cliff lately. This is mostly a community issue and can be steered back to the right place with some leadership. You can balance an easy introduction and not try to AOL-ify Linux.
"The complete lack of evidence is the surest sign that the conspiracy is working."
- Jack Handey
LOL!
Ya know, I've probably read or owned at one time or another most of the works quoted in Bartlett's Familiar Quotations, but reading this makes me want to trade it all in for a single leather-bound edition of Deep Thoughts.
The term 'poopyhead' has been around for a lot longer than that. Does it make it any more or less mature?
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
Do you have a specific complaint, or is it just that the uncool kids are getting into the clubhouse? If you think the interface has gotten oversimplified, switch to kubuntu.
Done with slashdot, done with nerds, getting a life.
Probably not. But I have to wonder: if they were using FTP, were they also using telnet?
FTP and telnet's time has passed. They are useful for a very limited subset of users.
SCP and SSH are the LEAST that anyone should do as far as securely accessing a remote server.
There is no patch for human stupidity.
Klingon Software is not released, it escapes, inflicting terrible damage onto the enemy as it does
Since nobody has _ever_ said anything about frequent break-ins, it's clear that they must be happening.
Lol
Of course lack of evidence, doesn't mean it didn't happen either.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
I've often wondered why we have this lingering hold on FTP and Telnet. I brought up switching to SSH instead of Telnet years ago at my company, our equipment could do it, but got shot down because "it may have its own insecurities."
I'm sure it does, but hacking it is a lot less trivial than some cleartext crap. If they can hack SSH, they probably coulda hacked Telnet in half the time.
Especially when X continues to make my 3.2Ghz PC look like a 386 running Win3.1
I sure can. Can you spell "loser"?
To everyone their own server! Just kidding, but imagine that: Too old hardware so you can't upgrade? Never again with hardware virtualization. Now I know that this probably wouldn't work with very old hardware, because the performance loss would be too great, but remember this when setting up your next system. Time to get into Xen! They promise almost no performance loss with the new processors.
Fuck off spammer, nobody wants to hear about your shitty security site. Kudos for pretending your spam is some sort of hardcore throwdown.
Me, I scored 438 whatzits on the whoozometer, and none of you rhesus monkeys can beat my score!
Again, I am pointing at the community more than the developers, who have provided a great distro that has provided a much needed kick in the pants to other distros to improve their usability. Fedora is my favorite example, and my distro of choice again, since they had to face some stiff competition to stay relevant.
Ubuntu was about a clean interface with best of breed apps, solid documentation and a community that balanced ease of use with best practices. When someone wandered into the forums with a "noob" question we avoided the "RTFM newb-sauce" stuff and helped them, as well as reinforcing best practices and linking where to get better information. We didn't point them to untested scripts or recommend subverting security for ease of use, but that is a regular event these days. Shuttleworth wanted "free as in speech" software that was "free as in beer" for everyone, but now to court Windows users he considers installing binary blobs and distributing closed source software? The "Unofficial Ubuntu FAQ" used to handle this stuff very well while not polluting (or introducing possible legal issues to) the distro. I recall Shuttleworth at Debian conferences with his hat in his hand explaining how he wants to help and work with the community, but if you mention this on the Ubuntu forums you have people suggesting that they don't need Debian or the GNU tools? This is an ignorant and arrogant user base that needs to be educated, and in some instances policed.
The original intent of Ubuntu was great, it just needs to get back on course. I much prefer apt to yum, I hope this wakes up the right people and I will gladly give Ubuntu a shot again.
Lack of absence of evidence may or may not be the same as lack of evidence of absence.
not a celeron per chance?
LOL
britches???
Debian isn't geared towards 'more effort' or else tools like apt wouldn't have come out of the project. It's geared towards doing things at a high quality, which often necessitates some time and effort to get right. The grandparent's point about automatix is a valid one. Many Ubuntu devs are also Debian devs, and so they carry the emphasis on quality with them, which is why the restricted device manager is as good as it is, in contrast to automatix.
"I may not have morals, but I have standards."
http://www.gentoo.org/
Pile of stuff down at gentoo.org due to a possible command injection vulnerability in their webapp. This doesn't seem to have made any waves.
Forgive me. What I meant to say was the inverse: Ubuntu is geared towards 'less effort'. Or at a minimum they tend to make as many decisions as possible on your behalf, more so than debian seems to, from my point of view.
Better?
My stint with debian ended when I answered a question incorrectly during 'apt-get upgrade'. My fault, to be sure, but the system was hosed nonetheless. Ubuntu has yet to allow me to make the same sort of critical error. And I appreciate that.
Sounds like you need to upgrade your 4mb PCI graphics card
My blog. Good stuff (when I remember to update it). Read it.
Uh-oh, he's emphasizing the irony of this, and the irony is towards linux!!! FLAMEBAIT, TROLL, OVERRATED, quick, mod him down until someone sees it!!!
/MAJOR SARCASM
My aunt Tilly actually did switch, although only for a few weeks. Bought a mac after that.
Buzz off, adults are talking.
On my company's server, I solved the attempted SSH break-in problem by disabling password logins via SSH altogether. Only public key logins are allowed. The break-in attempts have completely stopped (or at least they are turned away so quickly that there's not even a security log message for them).
Only a few computers have my public/private key pair on them (the private key is encrypted, of course), and I keep an extra copy on a USB thumb drive in case of emergency. If someone needs access to the server, I can use one of the existing logins to install their public key so that they can login.
I highly recommend this solution to anyone who can manage it. It's much more straightforward than trying to maintain blacklists.
--Stuart
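The key-only setup Stuart describes, written out as an added example (this is not code from the post or from any Ubuntu project): a POSIX shell script that checks an sshd_config for the weak, password-accepting state, writes the hardened copy, and installs a user's public key the way the post describes (an existing login adds the newcomer's key). It assumes OpenSSH; the file paths, the sample config, the sample key and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the post): audit and harden sshd for key-only logins.
# Assumes OpenSSH. Paths, the sample config and the sample key are constructed
# for illustration; the function names are this example's own.

# Print the first value set for a keyword in an sshd_config (lower-cased).
# sshd honours the FIRST occurrence of a keyword, and a commented-out line
# such as "#PasswordAuthentication yes" sets nothing, so the default applies.
sshd_first_value() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v k="$key" 'tolower($1) == k { print tolower($2); exit }' "$2"
}

# Return 0 when the config allows only public-key authentication, 1 otherwise.
# Defaults: PasswordAuthentication yes, PubkeyAuthentication yes,
# ChallengeResponseAuthentication yes. The last one matters: with UsePAM yes,
# keyboard-interactive can still prompt for a password even after
# PasswordAuthentication is turned off, so it has to be "no" as well.
sshd_key_only() {
    cfg="$1"
    pw=$(sshd_first_value PasswordAuthentication "$cfg")
    pk=$(sshd_first_value PubkeyAuthentication "$cfg")
    cr=$(sshd_first_value ChallengeResponseAuthentication "$cfg")
    [ "${pw:-yes}" = no ] && [ "${pk:-yes}" = yes ] && [ "${cr:-yes}" = no ]
}

# Write a hardened copy of $1 to $2. The key-only directives go FIRST (first
# occurrence wins), and any later uncommented setting of the same keywords is
# dropped so the file cannot contradict itself.
harden_sshd_config() {
    src="$1"; dst="$2"
    {
        printf '%s\n' \
            'PubkeyAuthentication yes' \
            'PasswordAuthentication no' \
            'ChallengeResponseAuthentication no'
        grep -viE '^[[:space:]]*(PasswordAuthentication|PubkeyAuthentication|ChallengeResponseAuthentication)[[:space:]]' "$src" || true
    } > "$dst"
}

# Install a public key for a user whose home directory is $1 (what the post
# calls "use one of the existing logins to install their public key").
# StrictModes (the default) refuses keys in a group- or world-writable
# .ssh or authorized_keys, so the permissions are part of the job.
install_authorized_key() {
    home="$1"; pubkey="$2"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Usage: sh sshd_keyonly.sh audit [/path/to/sshd_config]
case "${1:-}" in
    audit)
        if sshd_key_only "${2:-/etc/ssh/sshd_config}"; then
            echo "key-only: password logins are refused"
        else
            echo "WEAK: password logins are still accepted"
        fi
        ;;
esac
```

Before reloading, validate the new file with `sshd -t -f /path/to/new_config`, and after the reload confirm the effective values with `sshd -T | grep -i passwordauthentication`, which reports what the daemon actually parsed rather than what the file appears to say. Keep an existing key-authenticated session open while you reload, and test from a second shell with `ssh -o PubkeyAuthentication=no user@host`, which should now fail with "Permission denied (publickey)".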
Since when is it a problem for someone to gain access to the source code for something that is open source anyway? Is there any reason for Ubuntu to worry about how well guarded the code is?
Curious about Storage and Virtualization? Check out
Just wait until _you_ get sued because something was not free/open.
Something on this magnitude was bound to happen.. The real question will be how many end users will be afflicted, and what do this mean for relationships with dell and others?
> See, this is what I'm talking about, you automatically go on defensive if anyone has any honest criticism of Ubuntu.
No, honest criticism is about actually having specifics to point at, not "zomg, they winblozified it into AOL for all the n00bs!" I suppose I am too sensitive, since I let myself be trolled. Anyway, I'm not an Ubuntu user, I'm back to using vanilla Debian, because it fit my needs better on the server end of things.
As for Automatix, I'd say the Ubuntu community at large is also quite solidly against using it.
Done with slashdot, done with nerds, getting a life.
Linking to your own comments instead of linking to TFA = Fail.
You can't take the sky from me.
You aren't too sensitive, but you did ignore the examples I gave in both posts. And up until last week the most frequent answer on the Ubuntu forums for many questions was "use Automatix". The only way you can find trolling is if you completely ignore the rest of my post and seize on a single sentence.
Poopyhead has no relevance or humour in this situation, unless perchance, someone had a bird shit on their head.. in which case it would be a little funny. Especially if their real surname was Poppyhead or something like that. So there. >_>
which is totally what she said
"Fuck off spammer, nobody wants to hear about your shitty security site." - by Anonymous Coward on Wednesday August 15, @02:47PM (#20239851)
First of all: CIS Tool is not "my shitty security site", it's a program that's been noted by SANS & COMPUTERWORLD, as legit/valid & yes, useful.
I found it INCREDIBLY useful, in helping me to secure my Windows Server 2003 SP #2 system here (above where I had it initially, around a 60.500 score, up to 76.500 iirc, later & FINALLY, to an 84.735/100 score)...
In fact, I found it SO useful?
That I did a post @ a widely travelled forums (techpowerup.com) to show Windows users HOW TO GET THE SAME SCORE & LEVEL OF SECURITY I HAVE, right here:
APK "12 step program" 4 a secure Windows NT-based OS (2000/XP/Server 2003/VISTA):
http://forums.techpowerup.com/showthread.php?s=4e8acd2823a55216081bf694304b09df&p=375355#post375355
(What's in that thread, is FAR MORE COMPREHENSIVE than you find in most articles on "how to secure windows" by FAR... & it just works & much of its based on what CIS TOOL had me do, though it helps only SO FAR, you can figure out the rest, based on that post of mine @ techpowerup.com!)
PROOF OF MY SCORE ON CIS TOOL, a multiplatform test of security (noted by SANS & COMPUTERWORLD):
http://img.techpowerup.org/070618/APK14SecurityPointsCISToolResult84735.jpg
(& I would like to see *NIX folks' results on CIS TOOL as well (it IS multiplatform & java driven - it runs on Solaris, FreeBSD, Linux of many kinds, & yes, Windows NT-based OS'))...
A fair challenge & it is one, that EVERYONE here can learn by, in fact...
"Kudos for pretending your spam is some sort of hardcore throwdown." - by Anonymous Coward on Wednesday August 15, @02:47PM (#20239851)
No pretending @ all: Just facts... ones you can SEE/VERIFY, per my last post (parent to yours I am replying to now in fact), yourself & yes, above in THIS reply to you.
As to others here who have used various evasions in taking the CIS TOOL test?
Heh, want a list of over 27-30 of them by now??
I can produce it, with relative ease (via my bookmarks/favs)... just ask!
APK
P.S.=> Yeah, "great reply" that, full of technical know-how &/or insight... not (more like an exercise in profanity)!
Ah... you're just "#31" in my list of evaders of taking the CIS Tool multiplatform test of security (by yet another *NIX user @ /.)... not unexpected @ all!... apk
is the fingerpointing. I work at a major dedicated server hosting company in tech support. We see hacked Linux boxen all day long--usually just relatively harmless PHP hacks, as opposed to actual rooting. The usual solution is to "reprovision" the server and start from scratch--as opposed to analysing the attack vector, patching it, and THEN perhaps starting from scratch.
No internet server box can ever be 100% secure. The tale is told in how the owner reacts to the hack. Fingerpointing is not helpful or encouraging. Owning up to the problem and fixing it, is.
expandfairuse.org
What a load of misinformation. Both in the article and in the comments. Reading the comments, one would think that the core Ubuntu repositories were compromised, and that Canonical tried to hide it.
This was published in the Ubuntu Weekly News before it hit slashdot and Canonical held a public meeting about it. The freakin' article links to an official Ubuntu wiki.
This had nothing to do with the Security at Canonical, or Ubuntu Server, but everything to do with the processes around Canonical sponsorship of community servers.
Full Disclosure: I work for Canonical, but know nothing about this issue, except what has been made public. I speak only for myself and do not represent the opinions of Canonical.
Rick
You're just "#31" in my list of evaders of taking the CIS Tool multiplatform test of security
OH I'M SO FUCKING PROUD! It's good to know your list of "evaders" is so easily expanded. I thought it might have been made up of real people who actually talked about how secure their boxes were but then backed down or something. Hah! I should have known it was just anyone who responded to you evar!
Or did you include the people you posted this shit at, 'cause they "evaded" you by browsing at +5 and so not reading your posts at all? If you forgot to add them, do it now! It'll make your e-penis bragging number SO MUCH MORE IMPRESSIVE, DIPSHIT.
(by yet another *NIX user @ /.)
Says who? I'm glad to see I've become another phantom enemy vanquished in your feeble little mind. It gives me a real sense of accomplishment, you know? Like if I had posted long-winded rambling bullshit about some website and gloated about how many people I've imaginary-defeated with my longwinded anonymous score:0 posts that nobody sees.
I feel so special. Please respond again and tell me how badly I lost! It's fuckin' HILARIOUS!
A LOT of crap "falls through the cracks" with those people.
Which is why I'm running openSUSE 10.2 now.
Not QUITE as much crap falls through the cracks with Novell.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Okay, so your assertion of fact was really just an enormous assumption. Thanks for the clarification.
Memory + pattern recognition = intelligence, and some assumptions are safer than others.
Given the above, it's fair to say that the chances that M$ is virus- and botnet-free on any given day are virtually nonexistent. Another way to put that is that someone on the M$ campus is hacked every day.
You can keep your denials to yourself because they contradict people's experience and common sense in an offensive way, better known as a bald-faced and insultingly stupid lie.
Friends don't help friends install M$ junk.
How old are you, sir?
Automatix in particular is a fantastic story of why I avoid forums. Automatix began life as a bash script under a different title by someone other than "arnieboy", and shared by a sticky forum thread. A marginal step up from guides telling you what commands to run to enable various things, etc. Based on a fundamental misunderstanding of copyright, licensing and the GPL, Automatix was born as a fork of this script, featuring numerous dubious personalizations that might be okay for arnieboy to accept but aren't good suggestions (such as enabling a root account). The forum admins have regularly played an active role, playing favorites amongst the various tools. Automatix at one point had its own 3rd-party project subforum, where apparently the traditional Ubuntu Code of Conduct did not apply ("his forum, his rules"). Eventually automatix was blamed for the failed upgrade of a number of users, and some people took to abusing a "popular searches" front page widget to advertise the phrase "automatix sucks", which was eventually fixed by telling the software that "automatix" was too common a word to search for, I think at the author's request.
As things stand now, Automatix has its own forum and remains mostly antagonistic towards criticism. Its functionality has been largely duplicated, though it still serves a purpose: to commit copyright infringement via w32codecs etc. Ubuntu has tools that function very similarly to Automatix' normal behavior, and in some cases improve upon it. The codec detection stuff in totem is helpful, as you don't need to know about Automatix to learn how to make things work, though it doesn't install w32codecs. And the most significant, repeated complaint has not been solved: Automatix has scheduled for themselves a single week with which to test all bugs and upgrade flaws -- they plan to release one week before gutsy is published.
A number of forum posts relating to this history have gone missing, which I disagree with. The proper thing to do in the face of misconduct is confront it and denounce it, not hide it by deletion. You might have the right to be offended by what people say, but not the right to erase history. Instead of the forums, use mailing lists and IRC when you feel like being sociable with other linux users, and launchpad's bugs and answers services if you have a problem.
I Browse at +4 Flamebait
Open Source Sysadmin
Interesting details xeno, that fills in the historical gaps I missed when I left Ubuntu in early 2006, mostly due to the board riots. I could not agree more with your assessment of the board mods, disagreeing is one thing, deleting valid portions of topics is out of line.
LOL
The fact is, 99% of those that talk of a million eyes constantly pouring over OSS code haven't looked at even one line of code (of projects they don't directly contribute to) themselves. The million eyes thing is a myth. I guarantee you that 90% of slashdotters haven't looked at linux code any more than they have windows code.
-- "I never gave these stories much credence." - HAL 9000
Only wimps use tape backup: _real_ men just upload their important stuff on ftp, and let the rest of the world mirror it ;)
-Linus Torvalds
Check out my sysadmin blog!
I would do that, too, if I weren't so afraid of others seeing how ugly my working copy is...
If there's anyone I hate more than stupid people, it's intellectuals.
They want their joke back.
Hwæt wilt oew?
You can't talk about Wikipedia's flaws on Wikipedia
wrong Armstrong....
"OH I'M SO FUCKING PROUD! It's good to know your list of "evaders" is so easily expanded" - by Anonymous Coward on Wednesday August 15, @10:18PM (#20244641)
I see you believe in strengthening your 'personal qualities', such as your mastery of eloquent speech. "Practice makes perfect"... note the profanity, yet again!
"Says who? I'm glad to see I've become another phantom enemy vanquished in your feeble little mind." - by Anonymous Coward on Wednesday August 15, @10:18PM (#20244641)
Ok, I suppose that your use of profanity every other word, indicates your mind is mighty? And, like I believe I stated in this exchange with you?? I can post the URLs of those, easily as evidence to the contrary... would you like those to examine???
I wouldn't call it "vanquishing" anyone - more of an example of *NIX folks that like to say this, here @ /.:
"(Insert *NIX variant here) is more secure or more securable than Windows"
Type stuff, running when it comes time to 'back up their bluster' & put their monies where their mouth is, & taking a multiplatform test of security that tests analogs present in both systems (such as access control to configuration &/or state keeping files) types, *NIX vs. Windows NT-based ones.
"It gives me a real sense of accomplishment, you know? Like if I had posting long-winded rambling bullshit about some website and gloated about how many people I've imaginary-defeated with my longwinded anonymous score:0 posts that nobody sees." - by Anonymous Coward on Wednesday August 15, @10:18PM (#20244641)
Nobody sees? It's funny, I have one that is ongoing here with a fellow that is easily 50++-60++ or more replies now, on this very subject... here @ /. no less.
His name's SanityInAnarchy, & I am overcoming every one of his objections in fact, as to his trying this test, & he's giving in on MOST of his "objections" already @ this point.
Only 1-2 more to go in fact... & I'll overcome them as well, as I have his others.
How can this be "imagination", if I post MANY examples anyone can check on, on that note!
Such as SanityInAnarchy's exchange with myself, + others where I had to overcome various objections folks that use *NIX here had, & still, they in those kept evading posting a result on this multiplatform test of security in CIS TOOL (which has been noted by BOTH computerworld AND SANS, as to its purpose, validity, & usage)??
Just ask - I can post those, if you like, as I stated before... I have most of all of the URL's on that note, bookmarked/fav'd here.
"I feel so special. Please respond again and tell me how badly I lost! It's fuckin' HILARIOUS!" - by Anonymous Coward on Wednesday August 15, @10:18PM (#20244641)
Well, now that you're done with your "f'ing rant" lol (you ARE done now, right?)... Well, why don't you download CIS TOOL, & see how your *NIX setup does on it?
APK
P.S.=> You MAY not like the result though, so, go easy on yourself on your *NIX rig... so you don't "blow a gasket" or something, because I strongly suspect your score on your *NIX rig will be substantially lower than mine is on the multiplatform test of security known as CIS TOOL... lol! apk
I don't see how they are to blame.
Scott
©20014 angrykeyboarder & Elmer Fudd. All Wights Wesewved
Frankly, I've never bothered paying attention to the boards, rightly recognizing them as instant newb magnets that are unfortunately a waste of my time. But the Automatix stuff prompted me to read more about this, and investigate. What I found was a string of quoted posts deleted, and plenty of bad grammar from developers telling people to take their criticism and shove it. Simply put, Automatix is software written by Poisonous People.
I Browse at +4 Flamebait
Open Source Sysadmin