Slashdot Mirror


Ubuntu Servers Hacked

An anonymous reader noted that "Ubuntu had to shut down 5 of 8 production servers that are sponsored by Canonical, when they started attacking other systems. Canonical blames the community, saying they were community hosted, and were poorly maintained. However, kernel upgrades couldn't be done because of poor backwards compatibility with the very hardware that Canonical had sponsored! While people point fingers at each other it is pretty clear that both sides are equally to blame: the community administrators for practicing bad security practices, such as using unencrypted FTP transfers with accounts, and for not properly maintaining the system. However, Canonical should have been well aware of what they are hosting. The question remains whether any of the files distributed to users have been compromised. A major blow, though, for Canonical, who are attempting to enter the business market with Ubuntu Server."

12 of 330 comments

  1. sftp by SolusSD · Score: 3, Insightful

    it amazes me that people even use the plain old ftp protocol for anything important. sftp has been around forever.

    1. Re:sftp by burner · Score: 4, Insightful

      rsync works great for many use cases when transfers really need to be resumed.

      --
      MRSH-Recording device, corned beef sandwich with kraut, seafaring bird, and the foamy top of a beverage.
  2. how ironic by Anonymous Coward · Score: 4, Insightful

    had these been windows servers we would have heard cries of a flaky operating system being the problem. in this case, since they're linux servers, we hear that the fault lies on the administrators of the boxen for not hardening the systems?

  3. Re:sorry... by ZachPruckowski · Score: 5, Insightful

    Oh, from the sounds of it, all that you say is well-warranted. They were running a version of Ubuntu from October of 2005, which was obsoleted in April of this year, and they weren't using encryption. This is security 101, and they didn't do it. This does sound a lot more like an administration problem than a software problem.

    Ultimately, I'd say that if this does wind up being an admin problem, then Ubuntu Server will not suffer. The bottom line is that a poorly administered server is a hacker target regardless of the OS.

  4. Re:Following the M$ example. Re:BWAHAHAHA... by abigor · Score: 3, Insightful

    Okay, so your assertion of fact was really just an enormous assumption. Thanks for the clarification.

  5. Re:I would like to read a report by Frosty Piss · Score: 4, Insightful

    I don't think documenting the discovery process is going to do anyone any favors.

    Isn't that part of the Linux/Microsoft Double Standard? Now, if Microsoft had had this type of issue and had been less than totally open about the cause and methods, you know as well as I do that there would be a high-pitched wailing from the Slashdot World.

    --
    If you want news from today, you have to come back tomorrow.
  6. To put this into perspective... by AndyCR · Score: 3, Insightful

    Thousands of Windows machines get exploited every day, and there's barely a word said about it. 3 Linux machines are exploited, and it's "OH MY GOSH!!111". I don't know whether this is a good thing, a bad thing, or, my best guess, both.

    --
    If there's anyone I hate more than stupid people, it's intellectuals.
  7. Re:Hacked... by Lord Ender · Score: 5, Insightful

    Language changes with time. This particular word has changed meanings (or at least got a new meaning) in the English language. You don't have to like that fact, but bitching on slashdot isn't going to change that fact.

    People in the industry are aware that "hack" used to mean "cleverly manipulate a device into doing something its designers did not intend." People also know that "wherefore" used to mean "why." In both cases, the original definitions no longer apply.

    Language changes. You'll get over it. There are more important battles to fight.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  8. How right you are! by spun · Score: 4, Insightful

    I've never seen a paid individual make a stupid mistake like this. The captain of the Exxon Valdez was a volunteer with the Red Cross on a humanitarian mission. The Challenger and Columbia were piloted by kids from space camp. The original Tacoma Narrows bridge was designed by volunteers with Habitat for Humanity.

    On the other hand, we all know that segregation & apartheid were both ended by paid professionals. If you want something big done right, only paid professionals can do it.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  9. Re:I am what I am and it is what it is. by Anonymous Coward · Score: 3, Insightful

    What you are is a paranoid narcissist who is too immature to hold a rational discussion.

    Here we are, talking about a serious security breach at a prominent Linux distributor, and all you can muster is a hissy fit because not enough people are blaming Microsoft for it.

    It's not clever. It's certainly not constructive. Worst of all, it reflects poorly on the community you claim to serve.

    You're the rhetorical equivalent of a brick-throwing protester at a WTO meeting, foolishly believing that vandalism and insulting slogans will right the injustices of the world, while earning nothing but contempt from the very people you're trying to convert to your cause. Luckily for you, the "riot police" on Slashdot are only armed with Troll and Flamebait mods.

  10. Re:I would like to read a report by mickwd · Score: 5, Insightful

    "The funniest one is still one where one of my coworkers nuked /lib on a fairly important machine unintentionally"

    "He never got a root password for an important server after that incident. In hindsight, that was a funny incident, and a valuable lesson to us all (we all became paranoid of rereading what we just typed)."

    I hope the decision to deny him root access was based on more than that one unintentional incident. It could have happened to any of you. After all, why else would it be a "valuable lesson" to you? Isn't the person who made that mistake the least likely to make it again? And you did also say you "could fill about a 100 pages on my own from stupid things I've done".

  11. Re:Turns out the whole reason for the attack was.. by bealzabobs_youruncle · Score: 3, Insightful

    See, this is what I'm talking about: you automatically go on the defensive if anyone has any honest criticism of Ubuntu. I think I stated some of my issues pretty clearly, but Ubuntu supporters now have thinner skin than Apple users in the 90s. I'm a huge fan of a simple and clean Gnome interface, but I'm against trying to bury the CLI and refusing to learn how to do things properly. I'm against mindlessly installing stuff via Automatix (especially closed source and binary blobs) without honestly understanding what you are doing and what the implications are (note several Ubuntu devs agree with this point).

    Again, I am pointing at the community more than the developers, who have provided a great distro that has provided a much needed kick in the pants to other distros to improve their usability. Fedora is my favorite example, and my distro of choice again, since they had to face some stiff competition to stay relevant.

    Ubuntu was about a clean interface with best-of-breed apps, solid documentation and a community that balanced ease of use with best practices. When someone wandered into the forums with a "noob" question we avoided the "RTFM newb-sauce" stuff and helped them, as well as reinforcing best practices and linking where to get better information. We didn't point them to untested scripts or recommend subverting security for ease of use, but that is a regular event these days. Shuttleworth wanted "free as in speech" software that was "free as in beer" for everyone, but now to court Windows users he considers installing binary blobs and distributing closed source software? The "Unofficial Ubuntu FAQ" used to handle this stuff very well while not polluting the distro (or introducing possible legal issues to it). I recall Shuttleworth at Debian conferences with his hat in his hand explaining how he wants to help and work with the community, but if you mention this on the Ubuntu forums you have people suggesting that they don't need Debian or the GNU tools? This is an ignorant and arrogant user base that needs to be educated, and in some instances policed.

    The original intent of Ubuntu was great; it just needs to get back on course. I much prefer apt to yum, so I hope this wakes up the right people, and I will gladly give Ubuntu a shot again.