Slashdot Mirror


Ubuntuforums.org Hacked

satuon writes "The popular Ubuntu Forums site is now displaying a message saying there was a security breach. What is currently known: Unfortunately the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database. The passwords are not stored in plain text. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP. Ubuntu One, Launchpad and other Ubuntu/Canonical services are NOT affected by the breach."

146 comments

  1. EL OH EL by Anonymous Coward · · Score: -1

    Nelson - Ha Ha!

  2. Ummm... by russbutton · · Score: 1

    It's good the Ubuntu Forums has alerted us that this breach has occurred and that we need to change our passwords. It would be nice however if when they put up the announcement page, thus taking Ubuntu Forums off-line that they also give us a link to a page or other device to change our password.

    I'd change my password if there were a way to do it.

    1. Re:Ummm... by interkin3tic · · Score: 5, Funny

      Personally, I'm trying to remember which password I used on it.

      Reminds me of an old joke: a man looks glum, his friend asks what's wrong.
      The man says "I got a call from some guy, he said to stop sleeping with his wife or he'd kill me."
      Friend "Oh, that's too bad."
      Man: "The worst part is, he didn't say who his wife was."

    2. Re:Ummm... by DFurno2003 · · Score: -1

      Aren't all services down anyway? I'm sure there will be a forced password change prior to restoration.

    3. Re:Ummm... by Anonymous Coward · · Score: 0

      Check your browser password store.

    4. Re:Ummm... by davetv · · Score: 5, Interesting

      I wonder when they are going to email the userbase with this announcement. I have received no email from them. Perhaps the hacker could alert the userbase as a community spirited gesture.

    5. Re:Ummm... by Anonymous Coward · · Score: 1

      Oh, yeah, here's a link. I guess it was Charlie's wife. Thanks.

    6. Re:Ummm... by Anonymous Coward · · Score: 0

      The passwords will be scrambled, and resent through email once the forums are back up.

    7. Re:Ummm... by ancientt · · Score: 1, Flamebait

      My first thought: "Oh crap, that's me." I use a few passwords across multiple sites, basically determining how unique and how complicated by how much I consider a breach a danger and how much I trust the site to keep the password info secure. Generally, I hate forums that build their own password systems rather than using OpenID or Google Sign In or even Facebook login, and don't trust them much. Still, I tend to trust Unix minded people to care about security.

      This means I might have been silly enough to use a password I care to keep secret, so I checked. Nope. Obviously I thought they were idiots to set up their own system and used a password so bad it is obvious that I don't even care if a random guess might get it. I don't use Ubuntu but I have and sometimes I might want to comment in a forum when issues cross distributions.

      I hope others learn from this.. but I don't hold out tremendous hope.

      --
      B) Eliminate all the stupid users. This is frowned upon by society.
    8. Re:Ummm... by hairyfeet · · Score: 0, Flamebait

      I'll get hate but the irony is so moist I honestly don't care...can we all LOAO now? I mean storing IN PLAIN TEXT? What good is that "vaunted Linux security" if the forums are being run by goobers that store fricking passwords in plain text! This is a PERFECT example of what I've been saying for years, it's NOT the OS, any OS can be as secure or as insecure as can be, it ALL comes down to what is sitting between keyboard and chair.

      Please please PLEASE tell me at the very least the fools in charge of that site have been told to hit the bricks, yes? After all if ANY other company or place did something THAT stupid you'd be calling for their heads, right? But just the fact that you are saying "It's good the Ubuntu Forums has alerted us that this breach has occurred" makes me feel the community is using their "do as I say NOT as I do strategy" because if this were Sony or Apple or MSFT, even if the service was free, every Linux user would be screaming about how fricking pathetic storing in plain text in 2013 is and how they needed to be shown the door.

      So I'll be personally interested if the screaming about bad security practices and vile towards foolish behavior will be directed toward their own, or if the community will just pretend that it's totally okay when THEY do it, just not when anybody else does it.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    9. Re:Ummm... by russbutton · · Score: 1

      From what I read, no passwords were in plain text. The crackers that breached the forum got encrypted passwords, but chances are they've got a password cracker strong enough to break the encryption.

      S**t happens. I keep my passwords in an encrypted safe on my desktop machine and when I get a chance to update my Ubuntu forums password, I will.

      I've had worse stuff happen to me. I figure to save my annoyance chips for something important.

    10. Re:Ummm... by MiG82au · · Score: 2

      Do you know how to fucking read?
      "The passwords are not stored in plain text."

    11. Re:Ummm... by Rockoon · · Score: 0

      Yes, they weren't in plaintext..

      However a lot of people seem to not understand that that's quite useless in and of itself.

      The best case is if they were using a salted lossy hash system.

      It's counter-intuitive, but throwing away part of the hashed value actually increases user security because more possible hash collisions means that the actual password the user chose is obscured in instances such as this. That's exactly how UNIX DES password systems worked in the days when /etc/passwd actually contained password information. The gist was that even if you got the contents of the file, and then found a hash collision for a particular account, you still probably didn't know the original password. You could log into that account on that machine, but that didn't likely help logging in anywhere else even if the user used the same password everywhere.

      --
      "His name was James Damore."
    12. Re:Ummm... by Anonymous Coward · · Score: 0

      Are you mentally challenged as well as trolling? Didn't you even read the summary?

    13. Re:Ummm... by Anonymous Coward · · Score: 2, Interesting

      Ubuntu forum sounds like the Linux Mint forum - can never change password, or much else that matters. I recall registering on Ubuntu, so I had better check on this!

      BTW, I have reason to suspect that LM forum has also been hacked - at least 3 months ago. An email address that never got spam and was used to register there, is starting to collect spam....

    14. Re:Ummm... by JustOK · · Score: 0

      apt get mypassword or sudo get my password

      --
      rewriting history since 2109
    15. Re: Ummm... by Anonymous Coward · · Score: 1

      Throwing away part of the hash value does very little to improve security. The likelihood of two short (15 char) ASCII strings hashing to the same value even if shortened is small.

    16. Re:Ummm... by philip.paradis · · Score: 3, Insightful

      Transmitting passwords in cleartext over email is an absolutely terrible practice, and is only made slightly worse by doing so when account holders may not realize anything has happened and thus may be significantly delayed in visiting their accounts to change their passwords once again.

      --
      Write failed: Broken pipe
    17. Re:Ummm... by Anonymous Coward · · Score: 0

      Are you mentally challenged as well as trolling?

      If you'd read any of the guy's other posts, you'd know the answer to that question is "yes, yes, oh God yes".

    18. Re:Ummm... by Anonymous Coward · · Score: 0

      It would be nice however if when they put up the announcement page, thus taking Ubuntu Forums off-line that they also give us a link to a page or other device to change our password.

      You might want to try reading that again: you are strongly encouraged to change the password on the other service ASAP. i.e.: we don't know which other services you're using on the intertubes (Gmail, MSN, Yahoo! etc.), but if you use the same password *there* then you should go *there* immediately to change it.

    19. Re:Ummm... by Anonymous Coward · · Score: 0

      They got encrypted passwords? WTF, passwords should NOT BE STORED, not in plain text and not even encrypted. encryption is the wrong technology for the job, they should be hashes only.

    20. Re:Ummm... by Anonymous Coward · · Score: 0

      It would have been best to email everyone registered on the forums. I just found out about this on slashdot. Bad form in dealing with a security breach in my opinion. Oh well, it was time to change the passwords anyway.

    21. Re:Ummm... by bonehead · · Score: 2

      It would be nice however if when they put up the announcement page, thus taking Ubuntu Forums off-line that they also give us a link to a page or other device to change our password.

      I'm not too terribly concerned about changing that password right away.

      What would be nice is if when this happens, companies would tell users HOW the passwords were being stored. "Not plain text" isn't nearly enough information. Should I discover that my password there is also used on other sites, it would be nice to be able to gauge the level of urgency that is appropriate for changing the password on those other sites. Should I expect my password to be cracked in 5 minutes or 5 days? Can I do my password changing tomorrow evening? Or do I need to change my plans for the day and get on it ASAP?

      No, "not plain text" is not a sufficient level of information to provide to the users.

    22. Re:Ummm... by resurrectedstar · · Score: 1

      *shrug* There isn't any better way to do it. If you post a link, you're screwed too, anyone can click on it to reset the password. If you don't scramble the passwords, and make everyone change it on re-login, then the hackers can do that too.

    23. Re:Ummm... by Anonymous Coward · · Score: 0

      The link can be made such that it only works once.
      The email can be sent encrypted to your public key.
      The password-change code can be sent to your cellphone number, with a generic url sent to your email.

      Sending plaintext passwords via email is an awful idea and there are plenty of better ways.
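The first of the three suggestions above, a reset link that only works once, is straightforward to implement. The following is an added example, not code from Ubuntu Forums or any forum software: it issues a random token, stores only a SHA-256 digest of it together with an expiry (so a leaked token table is not itself a set of working links), and removes the record on first use. The store, the 15-minute lifetime and the `forum.example` URL are assumptions made for the example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory store for this example: sha256(token) -> (user_id, expiry time).
# Only the digest of the token is kept, so reading this table does not yield usable links.
_reset_tokens: Dict[str, Tuple[str, float]] = {}

TOKEN_LIFETIME_SECONDS = 15 * 60  # hypothetical policy value for this example

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a single-use reset token for user_id and return the secret to email out."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    _reset_tokens[_digest(token)] = (user_id, now + TOKEN_LIFETIME_SECONDS)
    return token

def reset_link(token: str) -> str:
    """Build the link to email; the link carries the secret only, no username or hash."""
    return f"https://forum.example/reset?token={token}"  # placeholder host

def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Consume the token. Returns the user_id on success, None if it is unknown,
    expired, or has already been used (pop() removes it so a second click fails)."""
    now = time.time() if now is None else now
    entry = _reset_tokens.pop(_digest(token), None)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None
    return user_id

if __name__ == "__main__":
    t = issue_reset_token("alice")
    print(reset_link(t))
    print(redeem_reset_token(t))  # the user id
    print(redeem_reset_token(t))  # None: the link has been consumed
```

The expiry check happens after the record has been removed, so an expired token is also gone on its first use; the token itself never reaches the database, which is the property the comment above is asking for.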

    24. Re:Ummm... by Anonymous Coward · · Score: 0

      The email can be sent encrypted to your public key.

      Ubuntu users worldwide: "Public key?! What the hell are you talking about?! I'm going back to Windows..."

      The password-change code can be sent to your cellphone number, with a generic url sent to your email.

      Do you often give your cellphone number to random websites?
      BTW: Some people don't have cellphones.

    25. Re:Ummm... by tepples · · Score: 1

      Generally, I hate forums that build their own password systems rather than using OpenID or Google Sign In or even Facebook login

      This shopping cart uses OpenID and Google sign-in, but OpenID sign-in doesn't work for Yahoo! because Yahoo!'s OpenID provider uses redirects for the verification step and PHP cURL doesn't follow redirects if an open_basedir is set.

    26. Re:Ummm... by Anonymous Coward · · Score: 1

      If they were using vbulletin defaults the answer is md5(md5(password) . salt)

      The problem I have is I don't know if I had an account on the forums or if I did, what the password was. So until they bring it back up I won't know if I need to change any other passwords.
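The scheme named in the comment above, md5(md5(password) . salt), is cheap to compute, which is exactly what makes a stolen table of such hashes attractive to an offline guesser. The following is an added example, not vBulletin's or Ubuntu Forums' code: it implements that legacy form as the commenter describes it, alongside a salted PBKDF2-HMAC-SHA256 record, and shows the usual migration pattern, in which a legacy record is verified at login and then replaced with a modern one because the plaintext is only available at that moment. The record format `pbkdf2_sha256$iterations$salt$hash` and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Legacy scheme as described in the comment for vBulletin defaults:
# md5(md5(password) . salt), with the salt stored next to the hash.
def legacy_vb_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def verify_legacy(password: str, stored_hash: str, salt: str) -> bool:
    return hmac.compare_digest(legacy_vb_hash(password, salt), stored_hash)

# Hypothetical modern record for this example: "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>".
PBKDF2_ITERATIONS = 600_000  # assumed cost parameter; tune to your hardware budget

def modern_hash(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = secrets.token_bytes(16)  # fresh random per-user salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_modern(password: str, record: str) -> bool:
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)

def login_and_upgrade(password: str, user: dict) -> bool:
    """Authenticate against whichever record the user has. A successful login against a
    legacy record rewrites it as a modern one; the legacy hash and salt are discarded."""
    if "modern" in user:
        return verify_modern(password, user["modern"])
    if not verify_legacy(password, user["legacy_hash"], user["legacy_salt"]):
        return False
    user["modern"] = modern_hash(password)
    del user["legacy_hash"], user["legacy_salt"]
    return True

if __name__ == "__main__":
    # Constructed user row in the legacy format.
    salt = "k3Qx"
    row = {"legacy_hash": legacy_vb_hash("correct horse", salt), "legacy_salt": salt}
    print(login_and_upgrade("correct horse", row), row["modern"][:30] + "...")
```

Two points a practitioner would check: comparisons use `hmac.compare_digest` so that a mismatch does not leak where the digests diverge, and the upgrade happens only after the legacy verification succeeds, so a wrong guess never creates a modern record.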

    27. Re:Ummm... by Anonymous Coward · · Score: 0

      And what does it mean in practise? Were the passwords stored in ROT13 encoded form? Or as per user salted hashes?

    28. Re:Ummm... by lxs · · Score: 2

      I did, but they were all out of browser passwords. I did get two security questions for the price of one, which was nice.

    29. Re:Ummm... by Anonymous Coward · · Score: 1

      They got encrypted passwords?

      Or, far more likely, whoever said that wasn't being super-pedantic with terminology and actually meant hashed.

    30. Re:Ummm... by maxwell+demon · · Score: 1

      *shrug*
      There isn't any better way to do it.
      If you post a link, you're screwed too, anyone can click on it to reset the password.
      If you don't scramble the passwords, and make everyone change it on re-login, then the hackers can do that too.

      If the password to a service is sent in the clear to your email, anyone who manages to get read access to your email also gets access to that service. Even if he isn't the one who originally cracked the password of the service. That's worse than if only the original hackers can do so.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    31. Re:Ummm... by maxwell+demon · · Score: 1

      Actually, a cryptographic hash could be considered lossy encryption.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    32. Re:Ummm... by coastin · · Score: 2

      If you still don't remember your password send a password recovery request to the NSA. I understand they have great support for things we all loose track of.

      --
      I lost my sig...
    33. Re:Ummm... by smash · · Score: 1

      Presumably, they mean to change your password if you use the same one on other sites. The site itself is likely OFFLINE for forensic analysis. Install a password manager (I use both 1Password and Keepass - keepass is open source, cross platform and free, so no excuse). Make all passwords 100% random and unique. Move on.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    34. Re:Ummm... by smash · · Score: 1

      I used to do the same. However, what you are doing doesn't scale. You can't remember all the passwords, and certainly not enough to really be secure. And if you need to change one? It's a pain in the arse. So... don't try and do something impossible. Use a password manager, so you can use fully random passwords of the strongest length available on each site, and reset them without having to reprogram your brain. Keepass is free and open source.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    35. Re:Ummm... by bonehead · · Score: 1

      This is why using a password manager is a good idea. Just pick a secure one.

      Without a good password manager, it is virtually impossible to practice good password procedures. (long, non-dictionary passwords. unique passwords for every site, etc....)

      The one that I use not only has a pretty good password generator, but will also warn me about sites that I'm using the same password on, and provide me with a list of other sites where I'm using that password. So for me, the problem you're describing took about 20 seconds to pin down the answer to.

    36. Re:Ummm... by WuphonsReach · · Score: 1

      You need to segregate your passwords into a few buckets:

      - The OMG I'm screwed bucket. Things like your financial passwords, administration account and primary email account passwords. Those should be memorable, complex (mix of upper/lower/numbers at a minimum), as long as reasonably possible (at least 10-12 chars, 15-18 would be better). Don't ever reuse one of those elsewhere. If you save them to a file, use a text file where you have pasted in a GPG encryption ASCII encoded block. Never save them in plain text. Keep a copy in a sealed envelope in your safe deposit box or personal safe. Don't let the browser remember them. (In general, you can probably remember most of these with a bit of effort as there's only a small handful of passwords that fall into this category.)

      - The ones that would let someone impersonate you, in a place that matters such as a public event or in business. This includes anything that is tied to a payment method. For these, you want to go random (shell script, rolling dice, whatever) and go long (15-30 characters) with mixed-case, numbers and symbols. Every site should have a unique password, with no reuse between sites. It doesn't matter much if you use Keypass or Mozilla's password safe or GPG to store them, as long as you secure that storage with a long passphrase. I suggest keeping a backup of those passwords in a text file protected with GPG (one file per account/site).

      - The sites that just don't matter. Most forums or any website where you aren't tying a payment method to the account. Generate a random password and let the browser remember it. A password reset is only a click away and if someone does hack the site and get your password (or its hash), all they have is a long string of gibberish that isn't used anywhere else.

      (Note the common theme, don't reuse passwords.)

      --
      Wolde you bothe eate your cake, and have your cake?
    37. Re:Ummm... by Anonymous Coward · · Score: 0

      I got an email about it from them last week.

    38. Re:Ummm... by louic · · Score: 1

      No problem. Just wait until your password gets posted on pastebin.

    39. Re:Ummm... by Anonymous Coward · · Score: 0

      Ha! - the time it would take to decrypt 2 x MD5 with a salt, for 1.82 mil. users. I suspect if the perp has any malicious intent (which he says he hasn't) he would find interesting email addresses and lurk those passwords out.

    40. Re: Ummm... by Onymous+Coward · · Score: 1

      Ah, that makes sense.

      And if you had even 10 passwords that hashed the same, you'd still be able to tell the real password from the gobbledygook of the others (unless they were randomly chosen).

      And anyway, other systems that used the same hashing technique would still be vulnerable to each of the lot of colliding passwords.

  3. That's what you get for running Ubuntu by ilikenwf · · Score: 0, Troll

    Especially on servers... Not only is all the crap installed by default annoying, but it probably leaves a lot of nice security holes too.

    Using other distros not related to Ubuntu, but based on Debian or really anything else is always a better option.

    1. Re:That's what you get for running Ubuntu by russbutton · · Score: 1

      Feeling a little self-righteous tonight are we?

    2. Re:That's what you get for running Ubuntu by ilikenwf · · Score: 0

      Are you by chance Mark Shuttleworth?

    3. Re:That's what you get for running Ubuntu by Anonymous Coward · · Score: -1

      yes and it only took about 10 years! What crappy software that forum software must have been running on and it's obvious from all the massive amounts of information on the breach that it was the OS and not the forum software which was the case. douche

    4. Re:That's what you get for running Ubuntu by russbutton · · Score: 1

      Shuttleworth? Me? I've been called a lot of things in my life, but that's not one of them.

      I wouldn't mind being him. His bank account is a *LOT* better than mine.

    5. Re:That's what you get for running Ubuntu by akh · · Score: 4, Informative

      Um, what? For the base server install you get no network services installed whatsoever (not even SSHd). As for size, a base install of the current server version of Ubuntu is ~64MB of disk space IIRC. That's hardly what I'd call bloated.

      --
      Accept Eris as your Fnord and personally sate her
    6. Re:That's what you get for running Ubuntu by Anonymous Coward · · Score: 0

      Carpe diem.

    7. Re:That's what you get for running Ubuntu by NobleSavage · · Score: 4, Insightful

      I assume that the forum software was hacked. I believe they ran vBulletin which is often hacked. Nothing indicates the underlying OS was hacked.

    8. Re:That's what you get for running Ubuntu by Anonymous Coward · · Score: 0

      I think you can't honestly say that anymore, since you were just called that.

    9. Re:That's what you get for running Ubuntu by russbutton · · Score: 1

      I'm still trying to figure out if I'm a chicken or an egg...

    10. Re:That's what you get for running Ubuntu by Anonymous Coward · · Score: 0

      It'd be really funny if they were hacked through VNC, but it is more likely just the forum software itself that is holy.

    11. Re:That's what you get for running Ubuntu by Anonymous Coward · · Score: 0

      Not only is all the crap installed by default annoying, but it probably leaves a lot of nice security holes too.

      As opposed to Windows Server which installs 27GB of totally secure pure-OS and no other bug-ridden crap.

    12. Re:That's what you get for running Ubuntu by Anonymous Coward · · Score: 0

      Except that like its parent operating system, Debina, *no one* euses the base install. A few people doing micro-installations on very limited hardware, perhaps, but most wind up installing basic tools like OpenSSH for remote logins, aptitude for package management (which brings in X windows), SNMP for monitoring, and in this case databases and web tools to run the forums.

      Talking about a "base install" for such a system is like talking about a family home that consists of one closet, a can of beans, and an electric light bulb to cook on.

    13. Re:That's what you get for running Ubuntu by Anonymous Coward · · Score: 1

      Except that like its parent operating system, Debina, *no one* euses the base install.

      That's Debian! Deb + Ian!

      ... aptitude for package management (which brings in X windows)...

      No, it doesn't.

  4. But.... Linux is more secure than Windows! by Anonymous Coward · · Score: -1

    I call bullshit. This is clearly a lie brought to you by Microsoft and Apple and the Government. Everyone knows that Linux can't be hacked.

    /sarcasm

  5. ts1 by Anonymous Coward · · Score: -1

    tsop tsrif. parc ho

  6. Should have used Windows. by jellomizer · · Score: 1, Offtopic

    I Guess these guys should have used Windows.
    Bla Bla Bla...

    Really Folks the OS or how the software is licensed doesn't equate to security or quality. Treat every system that is open to the outside world as potentially vulnerable to attack and make sure your logins and passwords are completely encrypted even in your database. If you can see it then it is vulnerable. You had better be sure you use some salting in your hashing as well.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Should have used Windows. by geekamole · · Score: 1

      The "strongly encouraged to change the password on the other service" bit is perhaps an open admission that they didn't salt; or maybe it's an admin lacking knowledge of the salt/no-salt situation and playing it safe by warning users. Still disappointing.

    2. Re:Should have used Windows. by HJED · · Score: 1

      Or just being safe even if the passwords are salted, given that in the same line it also says that the passwords were not in plaintext.

      --
      null
    3. Re:Should have used Windows. by illaqueate · · Score: 1

      This kind of breach is usually just bugs in the forum software or the server software they run on.

    4. Re:Should have used Windows. by illaqueate · · Score: 1

      Passwords are rarely in plain text. The issue is if it's not salted then the passwords can be discovered by looking at a precalculated table (rainbow table). So it would be useful to know whether or not it's salted.

    5. Re:Should have used Windows. by Anonymous Coward · · Score: 1

      It isn't useful at all. For all you know the attackers could be bruteforcing your salted password hash right now, so the only sane thing to do is change the password.

    6. Re:Should have used Windows. by tlhIngan · · Score: 3, Interesting

      The "strongly encouraged to change the password on the other service" bit is perhaps an open admission that they didn't salt; or maybe it's an admin lacking knowledge of the salt/no-salt situation and playing it safe by warning users. Still disappointing.

      No, because cracking passwords, even salted ones, is ridiculously easy. Hell, take a well salted database, a stolen password list, and a way to compute the password. You can probably find a good chunk of accounts with the basic set of passwords.

      Salting just prevents the use of rainbow tables, which means cracking passwords takes a few hours instead of a few seconds. Hell, you probably could use one of those bitcoin miner ASICs to do it - cracking passwords is really just computing hashes, and the R&D in computing hashes faster and faster means hashed and salted passwords are getting easier to crack.

      Ars Technica details it better.
      http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

      http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

    7. Re:Should have used Windows. by Anonymous Coward · · Score: 3, Informative

      Here you go, tlhIngan. If it's so easy, provide the password or a collision in the next 3 days.

        tlhIngan:$6$PsLtDfSP$SISVIa7tbcxdIN6StnZMF.l6Vw1/mZFIrKmNUAidG7k090l5bLUqBZF/ItMU2A0RzhHQyMnH40t67tIVl.6VB0:15907:0:99999:7:::

      I'll even cheat and tell you it's a combination of upper, lower, punctuation and numbers...

    8. Re:Should have used Windows. by Anonymous Coward · · Score: 0

      I suspect the issue is that the database was compromised, which means that the hashed-passwords AND the salts were stolen.

      That means they can brute-force with the correct salt to compare against the hash, and recover passwords.

    9. Re:Should have used Windows. by skegg · · Score: 1

      cracking passwords, even salted one, is ridiculously easy

      Not necessarily true.

      If the user has used a very common password, then it's likely.

      However if it's an uncommon password that's hashed using something like bcrypt with a decent number of rounds, then it's far from "ridiculously easy".

    10. Re:Should have used Windows. by Rockoon · · Score: 3, Interesting

      Salting helps against rainbow tables, but its irrelevant to the integrity of the password itself.

      The important thing is that the hash is lossy so that even if salt+"abc613" hashes to the value in the database, there is no reason to believe that "abc613" was actually the password the user was using.. He could have been using "manbearpig", for example. This is a case where longer hash values actually help the hacker/cracker.

      I don't pretend to know what the optimal size of the stored hash should be in order to protect the users' passwords, but I think it's almost certainly less than 32 bits. 32 bits is wide enough that attempting to find a hash collision at the login prompt is still silly, while also making the information gleaned from a brute force attack of the hash values almost useless.

      --
      "His name was James Damore."
    11. Re:Should have used Windows. by Anonymous Coward · · Score: 0

      Done!

      But I've got the same password on my luggage, so I won't write it here.

    12. Re:Should have used Windows. by auric_dude · · Score: 1

      Butterfly Labs bit-miner kit faq would suggest that their ASIC chips can not be subverted into password cracking tools

      Can these devices be used for anything else like password cracking? A No, their function is limited to high speed encryption validation in the specific double step sha256 protocol. It's not useful for any purpose related to rainbow tables or password recovery.

      http://www.butterflylabs.com/bitforce-sc-faq/

    13. Re:Should have used Windows. by Anonymous Coward · · Score: 0

      32 bits is small enough that an offline attack with a stolen password file will succeed.

    14. Re:Should have used Windows. by Anonymous Coward · · Score: 0

      A 32 bit hash? Are you high?

      That can be cracked easily.

      I use 512 bit SHA2 with a 256 bit hashed salt and have had zero issues.

      It is also very fast even with 'slow' languages like python or ruby.

    15. Re:Should have used Windows. by Anonymous Coward · · Score: 0

      Well if they were smart enough to include some pepper(something tells me they weren't - php + ubuntu = epic moron) it might be difficult. The better question is who gives a shit? It is not like anything bad is going to happen if they do crack a few or all of the passwords.

    16. Re:Should have used Windows. by Anonymous Coward · · Score: 0

      Here is an example of a 32 bit hash: 08e80285

      A 512 bit hash: edf8c5dc32 acf23d13d 5ababfef2fc 2f7429fa142 9e74cb16e3 225e29fe7536 4a4e6124afc8a3 77199d0618b0e1 4dca40c97f7d14a dc64c714d3738b 35608a94 /. retarded parsing made me break it up

      Which is going to have fewer collisions and which will take longer to brute-force?

      Hint: not the 32 bit hash

      32 bit? lawl

    17. Re:Should have used Windows. by Anonymous Coward · · Score: 0

      yeah and how many forums online are hashing passwords with bcrypt with fifteen or twenty passes? hint: basically damn all. the ubuntuforums probably used md5 with a couple of passes. which isn't that tricky to crack even on consumer-grade equipment.

    18. Re:Should have used Windows. by Rockoon · · Score: 1

      Which is going to have fewer collisions and which will take longer to brute-force?

      Except that when someone brute forces that 512 bit hash, they know the exact password because the password wasn't anywhere near as long as the damn 64 byte hash.

      That then leads to every place that the user used the password being vulnerable. In other words, you did not do the user a favor by using the 512 bit hash. You instead fucked the user over by using a 512 bit hash because the only thing you did was slow the attacker down. You didn't do due diligence to prevent the attacker from knowing the password.

      Yes, 2^512 is a big number. Guess what? Nobody is using passwords that effectively utilize that space. In practice for the case of 8 byte passwords, the search space is only about 48 bits in size (uppercase, lowercase, numeric, a few symbols) not the 512 that you are jizzing over. A 25 GPU setup has been benchmarked at 63 billion SHA hashes per second. That's an upper limit of 4467 seconds to brute force a password.

      Hash collisions are a SECURITY FEATURE. You want that brute force to produce millions or billions of collisions, so that the user's actual password is still unknown.

      --
      "His name was James Damore."
    19. Re:Should have used Windows. by Rockoon · · Score: 1

      I use 512 bit SHA2 with a 256 bit hashed salt and have had zero issues.

      A 25 GPU setup has been benchmarked at 63 billion SHA hashes per second.

      How long are these passwords? 8 characters, with uppercase, lowercase, numeric, and a few symbols? yeah.. that search space is about 2^48 in size. it is irrelevant that you used a 256-bit hash in that regard.

      Upper bound on brute forcing an 8-character SHA hashed password is 4467 seconds. The problem is that there will be exactly 1 result after the entire 8-character brute force because you used a 256-bit hash, and that 1 result will be the exact password of the user.. making every single place that the user used the password vulnerable.

      --
      "His name was James Damore."
    20. Re:Should have used Windows. by Rockoon · · Score: 1

      32 bits is small enough that an offline attack with a stolen password file will succeed.

      Offline attacks will always succeed because the search space is smaller than you think. 8 character alphanumeric with a few symbols is about 48 bits of entropy supplied by the user. A 25 GPU setup has been clocked at 63 billion SHA hashes per second, so about a 4467 second upper limit to the time it takes to try 100% of the possibilities.

      --
      "His name was James Damore."
  7. you are strongly encouraged to change the password by Anonymous Coward · · Score: 0

    AKA: we didn't use bcrypt, and just base64 encoded the passwords. Prepare to get buttraped.

  8. Adobe Flash mob? by Anonymous Coward · · Score: 0

    Well, I hope they insert a fucking fix for Youtube. It still doesn't work on U.

  9. Nice. by Anonymous Coward · · Score: 0

    It looks like at some point in the past I must have actually signed up to the forums (though I barely, if ever, used them). Hopefully they have some kind of "delete inactive accounts" thing set up, because I really don't want spam on behalf of, of all things, fucking Ubuntu. But I'm guessing they don't. Could they have not just protected the e-mail addresses just a little bit fucking better? I don't care about the password, because it's generic as all hell, but I will be pissed if now I become a spam target.

  10. Password Policy by HJED · · Score: 1

    Does anyone remember what password policy the forums had, trying to work out which password I was using for it.

    --
    null
    1. Re:Password policy by Anonymous Coward · · Score: 3, Informative

      I remember reading the following advice - if you're unsure about the security of any company with whom you've got a password-secured account, just check to see if they have some kind of password recovery link on their login page. Normally these links should email you a temporary password so you can make a new one, but if they happen to actually email you your actual password... RUN!!!

      Because that's a totally accurate way of judging their security. Sarcasm aside, it's possible to use hashes badly (like unsalted MD5) and it's possible to encrypt passwords so that they're secure in the database and yet still retrievable (because the vast majority of attacks involve revealing database information, not executing code or downloading files).

      Guess what the best advice is? Use a different password for every site.

    2. Re:Password policy by Anonymous Coward · · Score: 0

      They use vBulletin so it's probably just a salted md5 hash.

    3. Re:Password Policy by Pieroxy · · Score: 1

      Does anyone remember what password policy the forums had, trying to work out which password I was using for it.

      It's probably the one in your sig.

    4. Re:Password policy by Pieroxy · · Score: 1

      Guess what the best advice is? Use a different password for every site.

      I ran out of memory at 65536. I guess I'm just 16 bits wide.

    5. Re:Password policy by Rockoon · · Score: 1

      and it's possible to encrypt passwords so that they're secure in the database and yet still retrievable

      No. Just no. It is not possible to ENCRYPT the passwords so that they are secure. Encryption is the WRONG TOOL for storing passwords, because with encryption it is ultimately decryptable and therefore someone can know for certain what your password is.

      To be quite specific, I want there to be billions of "passwords" that hash to the same value that's in their database for my account, so that even when an attacker finds a collision he still won't know what I fucking use for a password.

      --
      "His name was James Damore."
    6. Re:Password policy by readingaccount · · Score: 1

      Your sarcasm was misguided anyway. The point is that if your original password can be sent to you in an email, it means they must be storing the password in plain-text anyway - if they're doing that, it doesn't bode well for the rest of their security implementations.

    7. Re:Password policy by Anonymous Coward · · Score: 0

      Won't all those billions of matching passwords be deemed correct if someone tries to use them to log in to your account?
      If not, why not store _every_ password as the same value?
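      An added example, not code from the thread, Ubuntu Forums or vBulletin, that works through the two claims argued above: Rockoon's arithmetic for a ~2^48 keyspace at 63 billion hashes/s, and the objection that a login check accepts any string hashing to the stored value, so collisions are no safety margin. The vBulletin-style scheme, md5(md5(password) + salt) with the inner md5 done in the browser, is an assumption for illustration.

```python
"""Added example (not code from the thread, Ubuntu Forums or vBulletin).

Covers Rockoon's brute-force arithmetic and the reply that a hash check
accepts any preimage, so "billions of collisions" means billions of
working logins. The vBulletin-style scheme is an assumption.
"""
import hashlib
import hmac
from itertools import product


# --- Storage schemes -------------------------------------------------------

def vb_style_hash(password: str, salt: str) -> str:
    """Assumed vBulletin-like scheme: the browser submits md5(password),
    the server stores md5(client_hash + salt). Salted, but still fast."""
    client_hash = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((client_hash + salt).encode("utf-8")).hexdigest()


def verify_vb(candidate: str, salt: str, stored: str) -> bool:
    """Server-side check: constant-time compare of the recomputed hash."""
    return hmac.compare_digest(vb_style_hash(candidate, salt), stored)


def kdf_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Deliberately slow alternative: every guess costs `iterations` HMACs,
    so the 63 GH/s benchmark quoted above has to be divided by that factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


# --- Rockoon's arithmetic ---------------------------------------------------

def exhaust_seconds(charset_size: int, length: int, guesses_per_second: float,
                    cost_factor: int = 1) -> float:
    """Upper bound on the time to try every password of the given length.
    64 symbols ** 8 characters is the ~2^48 space quoted in the thread;
    cost_factor is how many fast hashes one guess costs under a slow KDF."""
    return (charset_size ** length) / guesses_per_second * cost_factor


# --- The collision objection -----------------------------------------------

def truncated_hash(password: str, salt: str, bits: int = 12) -> int:
    """Keep only the top `bits` bits of a salted MD5 so collisions are
    plentiful. This models the 'billions of colliding passwords' scenario."""
    full = hashlib.md5((password + salt).encode("utf-8")).digest()
    return int.from_bytes(full, "big") >> (128 - bits)


def verify_truncated(candidate: str, salt: str, stored: int, bits: int = 12) -> bool:
    """The login check only compares hashes, so any preimage is accepted."""
    return truncated_hash(candidate, salt, bits) == stored


def find_colliding_password(real_password: str, salt: str, bits: int = 12) -> str:
    """Return a different lowercase string with the same truncated hash.
    With 12 bits a match turns up after ~4096 tries; it is a valid login
    even though it is not the user's password."""
    target = truncated_hash(real_password, salt, bits)
    alphabet = "abcdefghijklmnopqrstuvwxyz"
    for length in range(1, 5):
        for chars in product(alphabet, repeat=length):
            cand = "".join(chars)
            if cand != real_password and truncated_hash(cand, salt, bits) == target:
                return cand
    raise RuntimeError("no collision found in the constructed search space")


if __name__ == "__main__":
    salt = "constructed-salt"          # constructed sample value
    print("fast hash, 64^8 space at 63e9/s: %.0f s" % exhaust_seconds(64, 8, 63e9))
    print("same space, 100k-iteration KDF: %.0f s" %
          exhaust_seconds(64, 8, 63e9, cost_factor=100_000))
    stored = truncated_hash("hunter2", salt)
    other = find_colliding_password("hunter2", salt)
    print("colliding login %r accepted: %s" % (other, verify_truncated(other, salt, stored)))
```

The salt stops precomputed tables, but with a fast hash the per-guess cost stays at one MD5, which is exactly why the 4467-second figure holds; only the KDF's cost factor changes the arithmetic.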

    8. Re:Password policy by aliquis · · Score: 1

      RUN!!!

      Does that help?

    9. Re:Password policy by Anonymous Coward · · Score: 0

      Really?
      Saying that the absence of plain text password recovery is an indicator of good security is like saying that something not tasting that much like shit is an indicator of good cooking. Saying that the presence of plain text password recovery is an indicator of bad security is like saying that a tsunami might lead to mold problems in cellars.
      You must be young and inexperienced or have little to do with computers in general... these are things that people found mentionworthy in the 1970s, and only naive individuals or those with no grasp of information security regard them as criteria in the current millennium (which are sadly quite a lot, though luckily mostly found outside of server rooms).
      Anyhow, the GGP comment is just silly (the derivation of plain text recovery -> plain text storage is genius) and deserves the sarcasm it got.

      captcha: imperil

    10. Re:Password policy by Ice+Station+Zebra · · Score: 2

      This is the finding the needle in a stack of needles approach to password protection.

    11. Re:Password policy by Anonymous Coward · · Score: 0

      I found it a good hint I was in the wrong spot when after I registered an account with a new service they automatically emailed me the password I selected in plain text. And to make matters worse they put their service desk on the CC for that email.

    12. Re:Password policy by Anonymous Coward · · Score: 0

      Saying that the absence of plain text password recovery is an indicator of good security is like saying that something not tasting that much like shit is an indicator of good cooking.

      That's nice, but he didn't actually say that.

      Saying that the presence of plain text password recovery is an indicator of bad security is like saying that a tsunami might lead to mold problems in cellars.

      Doesn't matter what it's "like", it's pretty unambiguously true.

    13. Re:Password policy by Anonymous Coward · · Score: 0

      Reread the whole comment, the point is that the sarcasm is well deserved.
      The second part you quoted may be unambiguously true, but it's a piece of advice as useful as nipples on a breastplate (GRRM gratia).

      captcha: accent

    14. Re:Password policy by Anonymous Coward · · Score: 0

      I found it a good hint I was in the wrong spot when after I registered an account with a new service they automatically emailed me the password I selected in plain text. And to make matters worse they put their service desk on the CC for that email.

      Please tell us what service so the rest of us can avoid it.

    15. Re:Password policy by Anonymous Coward · · Score: 0

      The second part you quoted may be unambiguously true, but it's a piece of advice as useful as nipples on a breastplate (GRRM gratia).

      So if someone says something that you already know, you break out the "you must be young and inexperienced" rage?

    16. Re:Password policy by readingaccount · · Score: 1

      Don't worry about it. He accused me of being young and naive about computers (which is interesting, since I code on FPGAs for a living), as if he's some amazing gift to the computing world.

      I fucking hate people who talk down strangers like this.

  11. Forums the new lowest hanging fruit by Anonymous Coward · · Score: 1

    Forum attacks have increased in recent years and it seems to be the newest go-to vulnerability. This is not platform specific, so no need to just bash Linux or even Ubuntu specifically. Really, it's time for people to get serious about forums and mailing list software where security is concerned. All of us know forum software is among the most used and abused software out there, but mostly just underfunded. I invite all of you progressive thinkers out there to take this staple of development and communication to the next level, because I for one would gladly pay license fees for an efficient and secure forum platform. I don't care what the excuse is; 90% of the time the story of why it happened is watered down to someone forgetting to do something within the realm of conceivable human error. The fact is it happens too many times and I don't feel safe registering on most forums nowadays. So let's make a difference; we can do this BETTER.

    1. Re:Forums the new lowest hanging fruit by Anonymous Coward · · Score: 0

      Why bash the Linux operating system if the security hole is in the WWW server, SQL server or somewhere else?

      Very rarely are security flaws exploited in operating systems; they are the most secured and checked pieces of software. Instead, 99.x% of security holes have been in totally different software than operating systems.

      But if you knock out operating system security, you get access to everything, as the operating system runs all other processes and threads and you get direct access to everything.

  12. forum software != Operating system by Anonymous Coward · · Score: 0

    holy fuck, are you retarded.. and I prefer windows.

  13. Password policy by readingaccount · · Score: 4, Interesting

    The passwords are not stored in plain text

    You'd hope so. That would be standard policy you'd assume by now (hashes are easy), but apparently it's still important to mention this given there are still way too many outfits storing plain-text passwords in their systems.

    I remember reading the following advice - if you're unsure about the security of any company with whom you've got a password-secured account, just check to see if they have some kind of password recovery link on their login page. Normally these links should email you a temporary password so you can make a new one, but if they happen to actually email you your actual password... RUN!!!

  14. What's Frustrating by Anonymous Coward · · Score: 0

    A lot of distro forums don't provide you with the ability to delete your account. These include Linux Mint, Arch and Archbang.

  15. do I have an account by Anonymous Coward · · Score: 0

    So how do I know if I have at some stage in the past made an account on the forum?

  16. How should I know what password I used? by Anonymous Coward · · Score: 0

    I have an account but have no idea what the password is. I wish they would just email us our own hash.

  17. Phew by Anonymous Coward · · Score: 0

    Well thank god I've not used the same password on anything since about 1997.

    Sadly the dangers of using the same password on multiple accounts is something I had to learn the hard way back then, but I learned my lesson.

    1. Re:Phew by ls671 · · Score: 1

      Me too I use:
      passSlashdot
      passUbuntu
      passGmail
      etc.

      --
      Everything I write is lies, read between the lines.
    2. Re:Phew by Anonymous Coward · · Score: 0

      These days that's one of the first things people try.

      The first thing if the password they get ends in the site you're on.

  18. Passwords by Anonymous Coward · · Score: 0

    I can't remember which of my 3 passwords I used in that forum, so I don't know which other services I need to change my password ... Could they post the list in plain text so I could check it?

  19. But Linux is more secure with many eyes! by Anonymous Coward · · Score: -1

    But Linux is more secure with many eyes!

    1. Re:But Linux is more secure with many eyes! by Anonymous Coward · · Score: 2, Insightful

      Forum passwords were stolen via the forum software. Where does Linux come into this? Do you have the faintest clue what you're talking about?

    2. Re:But Linux is more secure with many eyes! by Anonymous Coward · · Score: 0

      But the forum was Open Source software with many eyes,,, ;)

    3. Re:But Linux is more secure with many eyes! by Anonymous Coward · · Score: 3, Informative
  20. Re:you are strongly encouraged to change the passw by Anonymous Coward · · Score: 0

    I don't get it. If passwords were not in plain text, which should mean they are encrypted, you should not have needed to change passwords in other stupid services.

    So the passwords WERE in plain text format, so crackers got passwords and email addresses in clear form that they can use.

    Canonical just doesn't care about anyone's security unless you pay them.

  21. Re:you are strongly encouraged to change the passw by Rockoon · · Score: 1

    Neither of you seem to have any idea what the security implications are.

    --
    "His name was James Damore."
  22. Re:you are strongly encouraged to change the passw by Anonymous Coward · · Score: 1

    It probably wasn't much better than that. Don't know if it's still current, but the Javascript of their login form used to do this:

    <form id="navbar_loginform" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)" method="post" action="login.php?do=login">

  23. vBulletin - a crock of shit by Anonymous Coward · · Score: 0

    That's what they get for using vBulletin rather than using a FLOSS product they could audit.

    How about using PHPBB3, a product which was thoroughly audited during development? Or how about adding a forum extension to Launchpad?

  24. Thank you LastPass! by reedk · · Score: 0

    Now I *know* the gobbledygook password you generated for me is not compromising me anywhere else on the net. I have no financial interest in LastPass; just a big fan.

  25. Not everyone has a public key or cell phone by tepples · · Score: 1

    The link can be made such that it only works once.

    For the attacker before the mail even gets to the intended user.

    The email can be sent encrypted to your public key.

    For those people who have the discretionary income to fly to key signing parties.

    The password-change code can be sent to your cellphone number

    For people who already pay hundreds of dollars a month for cell phone service. A lot of households still share a POTS house phone among members because it's cheaper than a cell phone with unlimited minutes per person.

    1. Re:Not everyone has a public key or cell phone by Anonymous Coward · · Score: 1

      Same AC.

      That wasn't intended to be an exhaustive list, just a proof by contradiction that the OP was incorrect when he or she said, "there isn't any better way to do it."

      I know that providing secure account-recovery options for public websites is hard. If you want to be able to do better than plaintext passwords through email, though, it is likely to require some additional development prior to the breach.

      Sending a plaintext password through email has the following bad properties (non-exhaustive):

      1. Anyone between the forum's SMTP server and your mail host may now have your password
      2. You cannot detect if one of these people recorded your password
      3. Depending on the system, you may not be able to detect if the interceptor has actually used your password
      4. You can only invalidate the data they collected by changing your password
      5. You are exposed for the interval of time from when the email is first sent until you do change your password.
      6. Someone who has compromised your email account and no other account of yours can fully impersonate you in the reset protocol.

      Each of the alternatives I proposed addresses at least one of these, trading off with compromises in ease of use, simplicity, or the amount of pre-work required (affecting ease of implementation post-breach). There is plenty of research in this space. Sending passwords by email is among the weakest ways to implement a lost-password protocol.
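      An added example, not the forum's or vBulletin's code, of the one-time-link alternative the comment above argues for: a lost-password flow built around a random, single-use, time-limited reset token of which the server keeps only a hash, annotated against the numbered properties in the list. The class, the in-memory store, the injectable clock and the 15-minute lifetime are assumptions for illustration.

```python
"""Added example (not code from the thread or from vBulletin): a reset-link
flow in which the emailed token is random, hashed at rest, single-use and
short-lived. Class names, the store and the lifetime are assumptions.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime; bounds property 5's exposure window


class ResetTokenStore:
    """Maps sha256(token) -> (user_id, expiry). Keeping only the hash means a
    copied database holds nothing that can be pasted into the reset URL; the
    raw token exists only in the email that was sent (properties 1 and 2 are
    narrowed to the mail path, and the token is never the password itself)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create the token that goes into the emailed link. Any earlier
        token for the same user is dropped, so only the newest link works."""
        self._pending = {k: v for k, v in self._pending.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the user id if the token is valid, else None. pop() makes it
        single-use (property 4: nothing lasting to invalidate), and the expiry
        check caps how long an intercepted link stays useful (property 5).
        Property 6, an attacker who owns the mailbox, is not addressed by any
        email-only scheme; that is what a second channel is for."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id


def reset_password(store: ResetTokenStore, token: str, new_password: str,
                   password_db: dict) -> bool:
    """Complete the flow: redeem the token, then store a salted PBKDF2 hash
    of the new password (never the password itself, never a bare fast hash)."""
    user_id = store.redeem(token)
    if user_id is None:
        return False
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode("utf-8"), salt, 100_000)
    password_db[user_id] = (salt, digest)
    return True


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue("alice")          # this value goes into the emailed link
    users = {}
    print("first use accepted:", reset_password(store, link_token, "new-pass", users))
    print("second use accepted:", reset_password(store, link_token, "new-pass", users))
```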

    2. Re:Not everyone has a public key or cell phone by Anonymous Coward · · Score: 0

      startssl.com Free key signing.

    3. Re:Not everyone has a public key or cell phone by smash · · Score: 1

      Most of the general public don't understand any of the other options. The idea of a password reset link via email is that you use this password TEMPORARILY to get access to the account only. So. Click password reset link, keep email program open, wait for email, log in and reset password. If someone is that sophisticated that they can sniff my email on the way through, recognise a forum login and log into it before I do whilst I'm sitting here waiting for the reset email, they can have it.

      Banks? Yes, this isn't good enough.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  26. When a server authenticates to another server by tepples · · Score: 1

    I agree with you that something reversible like encryption is not the best primitive to protect a shared secret when users are logging in to a server, such as the case in the article. But when the server is itself logging in to another server, it still needs to store a shared secret reversibly. For example, this secret might be an API key used by the payment processor to charge a credit card or a transaction ID used by the payment processor to refund a charge.

  27. You need a phone number to sign up for Facebook by tepples · · Score: 1

    BTW: Some people don't have cellphones.

    Some people don't have Internet. In any case, you already need your own phone number to sign up for Facebook unless you still have access to a university e-mail address.

    1. Re:You need a phone number to sign up for Facebook by Anonymous Coward · · Score: 0

      BTW: Some people don't have cellphones.

      Some people don't have Internet.

      People who don't have Internet rarely sign up on random websites, so I fail to see your point.

      In any case, you already need your own phone number to sign up for Facebook unless you still have access to a university e-mail address.

      I don't really care what you need to sign up on Facebook. We're talking about ubuntuforums.org.

    2. Re:You need a phone number to sign up for Facebook by tepples · · Score: 1
      Trying to explain my points a bit more explicitly:

      People who don't have Internet rarely sign up on random websites, so I fail to see your point.

      Some might claim that people with home Internet are more likely to have a cell phone.

      I don't really care what you need to sign up on Facebook. We're talking about ubuntuforums.org.

      One of the possibilities was that ubuntuforums.org might either A. adopt similar auth to Facebook or B. just rely on Facebook login.

    3. Re:You need a phone number to sign up for Facebook by Anonymous Coward · · Score: 0

      False.

      Well, unless they changed that in the last fourteen months or so. When I finally signed up for that stupid site, it pestered me to give them a cellphone number, but I never did. Just an email address.

    4. Re:You need a phone number to sign up for Facebook by Anonymous Coward · · Score: 0

      Trying to explain my points a bit more explicitly:

      People who don't have Internet rarely sign up on random websites, so I fail to see your point.

      Some might claim that people with home Internet are more likely to have a cell phone.

      "More likely" != "everyone".
      And just because I got a cellphone doesn't mean I want to give my number to a random website. Why would I? So hackers can get my phone number too? Isn't it enough that they get my email address? Do they also want my day of birth, my snailmail address and my blood type?

      I don't really care what you need to sign up on Facebook. We're talking about ubuntuforums.org.

      One of the possibilities was that ubuntuforums.org might either A. adopt similar auth to Facebook or B. just rely on Facebook login.

      They are of course welcome to do so. If they do, a lot of people won't sign up.

      But then again, it's an Ubuntu forum, so we probably wouldn't sign up anyway.

    5. Re:You need a phone number to sign up for Facebook by smash · · Score: 1

      Unless they changed it in the last couple of years, no you don't. I (still) don't have my number in Facebook.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  28. Why bring in aptitude? by tepples · · Score: 1

    aptitude for package management (which brings in X windows)

    Why bring in aptitude? I thought that from the command line, apt-get did the same thing.

    Talking about a "base install" for such a system is like talking about [camping]

    How much does OpenSSH + the basic LAMP stack add to the base install?

  29. Re:you are strongly encouraged to change the passw by Anonymous Coward · · Score: 0

    It probably wasn't much better than that. Don't know if it's still current, but the Javascript of their login form used to do this:

    <form id="navbar_loginform" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)" method="post" action="login.php?do=login">

    That's probably just to avoid sending the password over the wire in clear text.

    If they always use that, including on the signup page, they wouldn't even have your password in the first place, only the md5hash of your login + password.

  30. That's what you get... by Anonymous Coward · · Score: 0

    Should have used NetBSD.

    1. Re:That's what you get... by king+neckbeard · · Score: 1

      Most likely, it was a vulnerability in something higher up in the system, PHP or the forum software they were using. This would have happened regardless of OS if they didn't engage in the practice of updating their software every time there is a known vulnerability.

      --
      This is my signature. There are many like it, but this one is mine.
  31. 4 years?! In the future?! by Stalks · · Score: 0
    From http://ubuntuforums.org/announce.html...

    2013-07-20 2011UTC: Reports of defacement
    2013-07-20 2015UTC: Site taken down, this splash page put in place while investigation continues.

    It took 4 years after they were notified until they took the site down, in the future.

    1. Re:4 years?! In the future?! by Anonymous Coward · · Score: 0

      It took 4 years

      What a brainfart. It took them 4 minutes.

    2. Re:4 years?! In the future?! by smash · · Score: 1

      2011-2015 = 8:11pm to 8:15pm.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    3. Re:4 years?! In the future?! by Stalks · · Score: 1

      The hate is amusing. It was a JOKE.

  32. Note your post's downmodded immediately? by Anonymous Coward · · Score: -1

    Little asshole "Penguins" around here SCREAM how "the fix is in" on everything in the world (and, they're right on that much - it is, sadly: Bent statistics, sockpuppet supporters fake reviews & all) but, when you SPEAK TRUTH ABOUT THEIR SHIT? They do the EXACT SAME as those they bitch about: "Quick - cover up that truth that makes us look the bullshit artist 'FUD' spreaders WE HAVE BEEN FOR MORE THAN A DECADE ON SLASHDOT!" and the downmod of YOUR POST, proves it. They're hypocritical little pots calling a kettle black that will do ANYTHING to further their own agenda (hoping their OS of choice gets more market share & thus more job possibles for them) and no better than the bodies they themselves bitch about.

  33. What? Must be new practice, if true by Anonymous Coward · · Score: 0

    I don't really use facebook. Signed up about a year ago, to see what it was, but never put any private information there. No photos, no friends, no anything. I didn't use my real name, but something close. My real name is extremely rare - only 1 other person in the world has it and we're related somehow. His middle initial is different.

    Anyway, facebook doesn't have my real name, any phone number, the email address I gave them is used for nothing - except facebook to have ... it redirects twice to get to an emailbox that I actually see.

    When did facebook start requiring a phone number?
    Just curious. These days I only have a SIP account for phoning out to normal numbers. No POTS phone, no cell phone.

    I'm still confused that people are soooo hard up for dates as to use facebook/twitter/whatever at all. See a pretty girl, walk over and ask her out - she says yes or no. Simple.

  34. Dumbasses by Anonymous Coward · · Score: 0

    That is what they get from using PHP running on a shitty Debian (which itself is shitty) derivative.

    Piling shit on top of shit and then shitting on that pile usually results in a nasty mess.

    Grats, you earned it

  35. Uh - NEVER give out a phone number by Anonymous Coward · · Score: 0

    Never. I've never given my cell number out.
    I've never given my home number out.

    I give out a g-voice number with which I can filter incoming crap. The google-voice account isn't connected to any accounts that I use for anything else. Definitely NOT used for gmail.

  36. blunder by Anonymous Coward · · Score: 0

    I was notified by email early today. I use LastPass to generate new passwords so I'm probably unaffected, but there must be plenty of red faces over at Ubuntu Forums.

  37. Radical technology, indeed. Paper.. by doccus · · Score: 1

    Wow. Has *everybody* forgotten about plain old paper? I got sick of forgetting passwords, so wrote (printed, actually) them down on paper. I have a highly encrypted file where I store the digital master for reprinting or updates to the list. The only inconvenient bit about it is that I can't copy and paste from a paper list, and copy/paste is a secure way to enter a password.. it makes keyloggers useless. Don't lose the paper, or forget the master password for the digital backup, though. I did once ;-(

  38. with micro$oft riding into the sunset, by Anonymous Coward · · Score: 0

    what is left for a hacker?

  39. Important information from Ubuntuforums.org by Anonymous Coward · · Score: 0

    Just got an email from them:

    ---------- Forwarded message ----------
    From: Ubuntu forums
    Date: 23 July 2013 23:02
    Subject: Important information from Ubuntuforums.org
    To:
    Hello,

    You are receiving this message because you have an account registered with this address on ubuntuforums.org.

    The Ubuntu forums software was compromised by an external attacker. As a result, the attacker has gained access to read your username, email address and an encrypted copy of your password from the forum database.

    If you have used this password and email address to authenticate at any other website, you are urged to reset the password on those accounts immediately as the attacker may be able to use the compromised personal information to access these other accounts. It is important to have a distinct password for different accounts.

    The ubuntuforums.org website is currently offline and we are working to restore this service. Please take the time to change your ubuntuforums.org account password when service is restored.

    We apologize for any inconvenience to the Ubuntu community, thank you for your understanding.

    The Canonical Sysadmins.