Slashdot Mirror


Ubuntuforums.org Hacked

satuon writes "The popular Ubuntu Forums site is now displaying a message saying there was a security breach. What is currently known: Unfortunately the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database. The passwords are not stored in plain text. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP. Ubuntu One, Launchpad and other Ubuntu/Canonical services are NOT affected by the breach."


  1. Ummm... by russbutton · · Score: 1

    It's good the Ubuntu Forums has alerted us that this breach has occurred and that we need to change our passwords. It would be nice however if when they put up the announcement page, thus taking Ubuntu Forums off-line that they also give us a link to a page or other device to change our password.

    I'd change my password if there were a way to do it.

    1. Re:Ummm... by interkin3tic · · Score: 5, Funny

      Personally, I'm trying to remember which password I used on it.

      Reminds me of an old joke: a man looks glum, his friend asks what's wrong.
      The man says "I got a call from some guy, he said to stop sleeping with his wife or he'd kill me."
      Friend "Oh, that's too bad."
      Man: "The worst part is, he didn't say who his wife was."

    2. Re:Ummm... by davetv · · Score: 5, Interesting

      I wonder when they are going to email the userbase with this announcement. I have received no email from them. Perhaps the hacker could alert the userbase as a community spirited gesture.

    3. Re:Ummm... by Anonymous Coward · · Score: 1

      Oh, yeah, here's a link. I guess it was Charlie's wife. Thanks.

    4. Re:Ummm... by ancientt · · Score: 1, Flamebait

      My first thought: "Oh crap, that's me." I use a few passwords across multiple sites, basically determining how unique and how complicated by how much I consider a breach a danger and how much I trust the site to keep the password info secure. Generally, I hate forums that build their own password systems rather than using OpenID or Google Sign In or even Facebook login, and don't trust them much. Still, I tend to trust Unix minded people to care about security.

      This means I might have been silly enough to use a password I care to keep secret, so I checked. Nope. Obviously I thought they were idiots to set up their own system and used a password so bad it is obvious that I don't even care if a random guess might get it. I don't use Ubuntu but I have and sometimes I might want to comment in a forum when issues cross distributions.

      I hope others learn from this.. but I don't hold out tremendous hope.

      --
      B) Eliminate all the stupid users. This is frowned upon by society.
    5. Re:Ummm... by russbutton · · Score: 1

      From what I read, no passwords were in plain text. The crackers that breached the forum got encrypted passwords, but chances are they've got a password cracker strong enough to break the encryption.

      S**t happens. I keep my passwords in an encrypted safe on my desktop machine and when I get a chance to update my Ubuntu forums password, I will.

      I've had worse stuff happen to me. I figure to save my annoyance chips for something important.

    6. Re:Ummm... by MiG82au · · Score: 2

      Do you know how to fucking read?
      "The passwords are not stored in plain text."

    7. Re:Ummm... by Anonymous Coward · · Score: 2, Interesting

      Ubuntu forum sounds like the Linux Mint forum - can never change password, or much else that matters. I recall registering on Ubuntu, so I had better check on this!

      BTW, I have reason to suspect that LM forum has also been hacked - at least 3 months ago. An email address that never got spam and was used to register there, is starting to collect spam....

    8. Re: Ummm... by Anonymous Coward · · Score: 1

      Throwing away part of the hash value does very little to improve security. The likelihood of two short (15 char) ASCII strings hashing to the same value even if shortened is small.

    9. Re:Ummm... by philip.paradis · · Score: 3, Insightful

      Transmitting passwords in cleartext over email is an absolutely terrible practice, and is only made slightly worse by doing so when account holders may not realize anything has happened and thus may be significantly delayed in visiting their accounts to change their passwords once again.

      --
      Write failed: Broken pipe
    10. Re:Ummm... by bonehead · · Score: 2

      It would be nice however if when they put up the announcement page, thus taking Ubuntu Forums off-line that they also give us a link to a page or other device to change our password.

      I'm not too terribly concerned about changing that password right away.

      What would be nice is if when this happens, companies would tell users HOW the passwords were being stored. "Not plain text" isn't nearly enough information. Should I discover that my password there is also used on other sites, it would be nice to be able to gauge the level of urgency that is appropriate for changing the password on those other sites. Should I expect my password to be cracked in 5 minutes or 5 days? Can I do my password changing tomorrow evening? Or do I need to change my plans for the day and get on it ASAP?

      No, "not plain text" is not a sufficient level of information to provide to the users.

    11. Re:Ummm... by resurrectedstar · · Score: 1

      *shrug* There isn't any better way to do it. If you post a link, you're screwed too, anyone can click on it to reset the password. If you don't scramble the passwords, and make everyone change it on re-login, then the hackers can do that too.

    12. Re:Ummm... by tepples · · Score: 1

      Generally, I hate forums that build their own password systems rather than using OpenID or Google Sign In or even Facebook login

      This shopping cart uses OpenID and Google sign-in, but OpenID sign-in doesn't work for Yahoo! because Yahoo!'s OpenID provider uses redirects for the verification step and PHP cURL doesn't follow redirects if an open_basedir is set.

    13. Re:Ummm... by Anonymous Coward · · Score: 1

      If they were using vbulletin defaults the answer is md5(md5(password) . salt)

      The problem I have is I don't know if I had an account on the forums or if I did, what the password was. So until they bring it back up I won't know if I need to change any other passwords.
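
The scheme named in the comment above, next to a memory-hard replacement, as an added example that is not part of the thread and not the forum software's own code. It takes the formula `md5(md5(password) . salt)` exactly as the commenter wrote it; the record layout, scheme labels, scrypt parameters and the wrap-then-rehash migration are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters are an assumption for this example (about 16 MiB per guess).
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)


def legacy_vb_hash(password: str, salt: str) -> str:
    """md5(md5(password) . salt) as written in the comment; PHP's md5() returns hex text."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def slow_hash(secret: str, kdf_salt: bytes) -> str:
    """Memory-hard digest of `secret`; each guess costs far more than two MD5 calls."""
    return hashlib.scrypt(secret.encode("utf-8"), salt=kdf_salt, **SCRYPT).hex()


def wrap_legacy(record: dict) -> dict:
    """Offline upgrade of a stored legacy row: scrypt over the old digest.

    No password is needed, so every row can be hardened right away.
    """
    kdf_salt = os.urandom(16)
    return {
        "scheme": "scrypt-over-md5",
        "legacy_salt": record["salt"],
        "kdf_salt": kdf_salt.hex(),
        "hash": slow_hash(record["hash"], kdf_salt),
    }


def new_record(password: str) -> dict:
    """Final form: scrypt directly over the password with a fresh random salt."""
    kdf_salt = os.urandom(16)
    return {"scheme": "scrypt", "kdf_salt": kdf_salt.hex(),
            "hash": slow_hash(password, kdf_salt)}


def verify(password: str, record: dict):
    """Return (ok, replacement). `replacement` is a pure-scrypt row to store
    after a successful login against an older scheme, otherwise None."""
    scheme = record["scheme"]
    if scheme == "md5-md5-salt":
        candidate = legacy_vb_hash(password, record["salt"])
    elif scheme == "scrypt-over-md5":
        inner = legacy_vb_hash(password, record["legacy_salt"])
        candidate = slow_hash(inner, bytes.fromhex(record["kdf_salt"]))
    elif scheme == "scrypt":
        candidate = slow_hash(password, bytes.fromhex(record["kdf_salt"]))
    else:
        raise ValueError(f"unknown scheme: {scheme}")
    ok = hmac.compare_digest(candidate, record["hash"])  # constant-time comparison
    replacement = new_record(password) if ok and scheme != "scrypt" else None
    return ok, replacement


if __name__ == "__main__":
    # Constructed sample row; the salt and password are made up for the demo.
    old = {"scheme": "md5-md5-salt", "salt": "x7!",
           "hash": legacy_vb_hash("correct horse", "x7!")}
    wrapped = wrap_legacy(old)                  # done for all rows, no login needed
    ok, upgraded = verify("correct horse", wrapped)
    print(ok, upgraded["scheme"])               # row is rewritten after first login
    print(verify("wrong guess", upgraded))
```
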

    14. Re:Ummm... by lxs · · Score: 2

      I did, but they were all out of browser passwords. I did get two security questions for the price of one, which was nice.

    15. Re:Ummm... by Anonymous Coward · · Score: 1

      They got encrypted passwords?

      Or, far more likely, whoever said that wasn't being super-pedantic with terminology and actually meant hashed.

    16. Re:Ummm... by maxwell+demon · · Score: 1

      *shrug*
      There isn't any better way to do it.
      If you post a link, you're screwed too, anyone can click on it to reset the password.
      If you don't scramble the passwords, and make everyone change it on re-login, then the hackers can do that too.

      If the password to a service is sent in the clear to your email, anyone who manages to get read access to your email also gets access to that service. Even if he isn't the one who originally cracked the password of the service. That's worse than if only the original hackers can do so.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    17. Re:Ummm... by maxwell+demon · · Score: 1

      Actually, a cryptographic hash could be considered lossy encryption.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    18. Re:Ummm... by coastin · · Score: 2

      If you still don't remember your password send a password recovery request to the NSA. I understand they have great support for things we all lose track of.

      --
      I lost my sig...
    19. Re:Ummm... by smash · · Score: 1

      Presumably, they mean to change your password if you use the same one on other sites. The site itself is likely OFFLINE for forensic analysis. Install a password manager (I use both 1Password and KeePass - KeePass is open source, cross platform and free, so no excuse). Make all passwords 100% random and unique. Move on.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    20. Re:Ummm... by smash · · Score: 1

      I used to do the same. However, what you are doing doesn't scale. You can't remember all the passwords, and certainly not enough to really be secure. And if you need to change one? It's a pain in the arse. So... don't try and do something impossible. Use a password manager, so you can use fully random passwords of the strongest length available on each site, and reset them without having to reprogram your brain. KeePass is free and open source.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    21. Re:Ummm... by bonehead · · Score: 1

      This is why using a password manager is a good idea. Just pick a secure one.

      Without a good password manager, it is virtually impossible to practice good password procedures. (long, non-dictionary passwords. unique passwords for every site, etc....)

      The one that I use not only has a pretty good password generator, but will also warn me about sites that I'm using the same password on, and provide me with a list of other sites where I'm using that password. So for me, the problem you're describing took about 20 seconds to pin down the answer to.

    22. Re:Ummm... by WuphonsReach · · Score: 1

      You need to segregate your passwords into a few buckets:

      - The OMG I'm screwed bucket. Things like your financial passwords, administration account and primary email account passwords. Those should be memorable, complex (mix of upper/lower/numbers at a minimum), as long as reasonably possible (at least 10-12 chars, 15-18 would be better). Don't ever reuse one of those elsewhere. If you save them to a file, use a text file where you have pasted in a GPG encryption ASCII encoded block. Never save them in plain text. Keep a copy in a sealed envelope in your safe deposit box or personal safe. Don't let the browser remember them. (In general, you can probably remember most of these with a bit of effort as there's only a small handful of passwords that fall into this category.)

      - The ones that would let someone impersonate you, in a place that matters such as a public event or in business. This includes anything that is tied to a payment method. For these, you want to go random (shell script, rolling dice, whatever) and go long (15-30 characters) with mixed-case, numbers and symbols. Every site should have a unique password, with no reuse between sites. It doesn't matter much if you use KeePass or Mozilla's password safe or GPG to store them, as long as you secure that storage with a long passphrase. I suggest keeping a backup of those passwords in a text file protected with GPG (one file per account/site).

      - The sites that just don't matter. Most forums or any website where you aren't tying a payment method to the account. Generate a random password and let the browser remember it. A password reset is only a click away and if someone does hack the site and get your password (or its hash), all they have is a long string of gibberish that isn't used anywhere else.

      (Note the common theme, don't reuse passwords.)

      --
      Wolde you bothe eate your cake, and have your cake?
    23. Re:Ummm... by louic · · Score: 1

      No problem. Just wait until your password gets posted on pastebin.

    24. Re: Ummm... by Onymous+Coward · · Score: 1

      Ah, that makes sense.

      And if you had even 10 passwords that hashed the same, you'd still be able to tell the real password from the gobbledygook of the others (unless they were randomly chosen).

      And anyway, other systems that used the same hashing technique would still be vulnerable to each of the lot of colliding passwords.

  2. Should have used Windows. by jellomizer · · Score: 1, Offtopic

    I guess these guys should have used Windows.
    Bla Bla Bla...

    Really, folks, the OS or how the software is licensed doesn't equate to security or quality. Treat every system that is open to the outside world as potentially vulnerable to attack and make sure your logins and passwords are completely encrypted even in your database. If you can see then it is vulnerable. As well, you better be sure you use some salting in your hashing as well.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Should have used Windows. by geekamole · · Score: 1

      The "strongly encouraged to change the password on the other service" bit is perhaps an open admission that they didn't salt; or maybe it's an admin lacking knowledge of the salt/no-salt situation and playing it safe by warning users. Still disappointing.

    2. Re:Should have used Windows. by HJED · · Score: 1

      Or just being safe even if the passwords are salted, given that in the same line it also says that the passwords were not in plaintext.

      --
      null
    3. Re:Should have used Windows. by illaqueate · · Score: 1

      This kind of breach is usually just bugs in the forum software or the server software they run on.

    4. Re:Should have used Windows. by illaqueate · · Score: 1

      Passwords are rarely in plain text. The issue is if it's not salted then the passwords can be discovered by looking at a precalculated table (rainbow table). So it would be useful to know whether or not it's salted.

    5. Re:Should have used Windows. by Anonymous Coward · · Score: 1

      It isn't useful at all. For all you know the attackers could be bruteforcing your salted password hash right now, so the only sane thing to do is change the password.

    6. Re:Should have used Windows. by tlhIngan · · Score: 3, Interesting

      The "strongly encouraged to change the password on the other service" bit is perhaps an open admission that they didn't salt; or maybe it's an admin lacking knowledge of the salt/no-salt situation and playing it safe by warning users. Still disappointing.

      No, because cracking passwords, even salted ones, is ridiculously easy. Hell, take a well salted database, a stolen password list, and a way to compute the password. You can probably find a good chunk of accounts with the basic set of passwords.

      Salting just prevents the use of rainbow tables, which means cracking passwords takes a few hours instead of a few seconds. Hell, you probably could use one of those bitcoin miner ASICs to do it - cracking passwords is really just computing hashes, and the R&D in computing hashes faster and faster means hashed and salted passwords are getting easier to crack.

      Ars Technica details it better.
      http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

      http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

    7. Re:Should have used Windows. by Anonymous Coward · · Score: 3, Informative

      Here you go, tlhIngan. If it's so easy, provide the password or a collision in the next 3 days.

        tlhIngan:$6$PsLtDfSP$SISVIa7tbcxdIN6StnZMF.l6Vw1/mZFIrKmNUAidG7k090l5bLUqBZF/ItMU2A0RzhHQyMnH40t67tIVl.6VB0:15907:0:99999:7:::

      I'll even cheat and tell you it's a combination of upper, lower, punctuation and numbers...
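
How to read the entry posted above, as an added example that is not part of the thread: a small parser for a shadow-file line and its crypt(3) modular hash string, of the kind a defender would run to audit which schemes a password file uses. The first sample is the line from the comment; the other samples are constructed, and the function names and the `legacy` flag are choices made for this example.

```python
from datetime import date, timedelta

# crypt(3) prefix -> (scheme, default rounds, treated as legacy in this example)
SCHEMES = {
    "1": ("md5crypt", 1000, True),        # fixed 1000 MD5 iterations
    "5": ("sha256crypt", 5000, False),    # 5000 unless "rounds=N" is given
    "6": ("sha512crypt", 5000, False),    # 5000 unless "rounds=N" is given
    "2a": ("bcrypt", None, False),        # rounds = 2 ** cost
    "2b": ("bcrypt", None, False),
    "2y": ("bcrypt", None, False),
}

# The entry quoted in the comment above.
PAGE_LINE = ("tlhIngan:$6$PsLtDfSP$SISVIa7tbcxdIN6StnZMF.l6Vw1/mZFIrKmNUAidG7k090l5"
             "bLUqBZF/ItMU2A0RzhHQyMnH40t67tIVl.6VB0:15907:0:99999:7:::")


def parse_crypt(value: str) -> dict:
    """Describe one password field: scheme, salt, iteration count, digest length."""
    if value == "":
        return {"scheme": "empty", "salt": None, "rounds": None, "legacy": True}
    if value[0] in "!*":
        return {"scheme": "locked", "salt": None, "rounds": None, "legacy": False}
    if not value.startswith("$"):
        # Traditional DES crypt: 2-character salt, 25 DES iterations, 13 chars total.
        return {"scheme": "descrypt", "salt": value[:2], "rounds": 25,
                "digest_chars": len(value) - 2, "legacy": True}
    parts = value.split("$")[1:]
    if parts[0] not in SCHEMES:
        return {"scheme": f"unknown({parts[0]})", "salt": None, "rounds": None,
                "legacy": False}
    name, rounds, legacy = SCHEMES[parts[0]]
    try:
        if name == "bcrypt":
            # $2b$<cost>$<22-char salt><31-char digest>
            rounds = 2 ** int(parts[1])
            salt, digest = parts[2][:22], parts[2][22:]
        else:
            rest = parts[1:]
            if name != "md5crypt" and rest[0].startswith("rounds="):
                rounds = int(rest[0][len("rounds="):])
                rest = rest[1:]
            salt, digest = rest[0], rest[1]
    except (IndexError, ValueError) as exc:
        raise ValueError(f"malformed {name} string") from exc
    return {"scheme": name, "salt": salt, "rounds": rounds,
            "digest_chars": len(digest), "legacy": legacy}


def parse_shadow_line(line: str) -> dict:
    """Split name:hash:lastchg:min:max:warn:inactive:expire:reserved."""
    fields = line.strip().split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields")
    info = {"user": fields[0]}
    info.update(parse_crypt(fields[1]))
    # Third field counts days since 1970-01-01.
    info["last_change"] = (date(1970, 1, 1) + timedelta(days=int(fields[2]))
                           if fields[2] else None)
    return info


if __name__ == "__main__":
    constructed = [
        "olduser:abJnggxhB/yWI:15000:0:99999:7:::",           # constructed DES-style
        "svc:$2b$12$" + "a" * 53 + ":15907:0:99999:7:::",     # constructed bcrypt shape
    ]
    for line in [PAGE_LINE] + constructed:
        print(parse_shadow_line(line))
```
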

    8. Re:Should have used Windows. by skegg · · Score: 1

      cracking passwords, even salted ones, is ridiculously easy

      Not necessarily true.

      If the user has used a very common password, then it's likely.

      However if it's an uncommon password that's hashed using something like bcrypt with a decent number of rounds, then it's far from "ridiculously easy".

    9. Re:Should have used Windows. by Rockoon · · Score: 3, Interesting

      Salting helps against rainbow tables, but it's irrelevant to the integrity of the password itself.

      The important thing is that the hash is lossy so that even if salt+"abc613" hashes to the value in the database, that there is no reason to believe that "abc613" was actually the password the user was using.. He could have been using "manbearpig", for example. This is a case where longer hash values actually help the hacker/cracker.

      I don't pretend to know what the optimal size of the stored hash should be in order to protect the users' passwords, but I think it's almost certainly less than 32 bits. 32-bits is wide enough that attempting to find a hash collision at the login prompt is still silly, while also making the information gleaned from a brute force attack of the hash values almost useless.

      --
      "His name was James Damore."
    10. Re:Should have used Windows. by auric_dude · · Score: 1
      Butterfly Labs bit-miner kit faq would suggest that their ASIC chips can not be subverted into password cracking tools

      Q: Can these devices be used for anything else like password cracking? A: No, their function is limited to high speed encryption validation in the specific double step sha256 protocol. It's not useful for any purpose related to rainbow tables or password recovery.

      http://www.butterflylabs.com/bitforce-sc-faq/

    11. Re:Should have used Windows. by Rockoon · · Score: 1

      Which is going to have fewer collisions and which will take longer to brute-force?

      Except that when someone brute forces that 512 bit hash, then they know the exact password because the password wasn't anywhere near as long as the damn 64 byte hash.

      That then leads to every place that the user used the password being vulnerable. In other words, you did not do the user a favor by using the 512 bit hash. You instead fucked the user over by using a 512 bit hash because the only thing you did was slow the attacker down. You didn't do due diligence to prevent the attacker from knowing the password.

      Yes, 2^512 is a big number. Guess what? Nobody is using passwords that effectively utilize that space. In practice for the case of 8 byte passwords, the search space is only about 48 bits in size (uppercase, lowercase, numeric, a few symbols) not the 512 that you are jizzing over. A 25 GPU setup has been benchmarked at 63 billion SHA hashes per second. That's an upper limit of 4467 seconds to brute force a password.

      Hash collisions are a SECURITY FEATURE. You want that brute force to produce millions or billions of collisions, so that the user's actual password is still unknown.

      --
      "His name was James Damore."
    12. Re:Should have used Windows. by Rockoon · · Score: 1

      I use 512 bit SHA2 with a 256 bit hashed salt and have had zero issues.

      A 25 GPU setup has been benchmarked at 63 billion SHA hashes per second.

      How long are these passwords? 8 characters, with uppercase, lowercase, numeric, and a few symbols? Yeah.. that search space is about 2^48 in size. It is irrelevant that you used a 256-bit hash in that regard.

      Upper bound on brute forcing an 8-character SHA hashed password is 4467 seconds. The problem is that there will be exactly 1 result after the entire 8-character brute force because you used a 256-bit hash, and that 1 result will be the exact password of the user.. making every single place that the user used the password vulnerable.

      --
      "His name was James Damore."
    13. Re:Should have used Windows. by Rockoon · · Score: 1

      32 bits is small enough that an offline attack with a stolen password file will succeed.

      Offline attacks will always succeed because the search space is smaller than you think. 8 character alphanumeric with a few symbols is about 48 bits of entropy supplied by the user. A 25 GPU setup has been clocked at 63 billion SHA hashes per second, so about a 4467 second upper limit to the time it takes to try 100% of the possibilities.

      --
      "His name was James Damore."
  3. Re:That's what you get for running Ubuntu by russbutton · · Score: 1

    Feeling a little self-righteous tonight are we?

  4. Re:That's what you get for running Ubuntu by russbutton · · Score: 1

    Shuttleworth? Me? I've been called a lot of things in my life, but that's not one of them.

    I wouldn't mind being him. His bank account is a *LOT* better than mine.

  5. Re:That's what you get for running Ubuntu by akh · · Score: 4, Informative

    Um, what? For the base server install you get no network services installed whatsoever (not even SSHd). As for size, a base install of the current server version of Ubuntu is ~64MB of disk space IIRC. That's hardly what I'd call bloated.

    --
    Accept Eris as your Fnord and personally sate her
  6. Password Policy by HJED · · Score: 1

    Does anyone remember what password policy the forums had, trying to work out which password I was using for it.

    --
    null
    1. Re:Password policy by Anonymous Coward · · Score: 3, Informative

      I remember reading the following advice - if you're unsure about the security of any company with whom you've got a password-secured account with, just check to see if they have some kind of password recovery link on their login page. Normally these links should email you with a temporary password so you can make a new one, but if they happen to actually email you with your actual password... RUN!!!

      Because that's a totally accurate way of judging their security. Sarcasm aside, it's possible to use hashes badly (like unsalted MD5) and it's possible to encrypt passwords so that they're secure in the database and yet still retrievable (because the vast majority of attacks involve revealing database information, not executing code or downloading files).

      Guess what the best advice is? Use a different password for every site.

    2. Re:Password Policy by Pieroxy · · Score: 1

      Does anyone remember what password policy the forums had, trying to work out which password I was using for it.

      It's probably the one in your sig.

    3. Re:Password policy by Pieroxy · · Score: 1

      Guess what the best advice is? Use a different password for every site.

      I ran out of memory at 65536. I guess I'm just 16 bits wide.

    4. Re:Password policy by Rockoon · · Score: 1

      and it's possible to encrypt passwords so that they're secure in the database and yet still retrievable

      No. Just no. It is not possible to ENCRYPT the passwords so that they are secure. Encryption is the WRONG TOOL for storing passwords, because with encryption then is ultimately unencryptable and therefore someone can know for certain what your password is.

      To be quite specific, I want there to be billions of "passwords" that hash to the same value that's in their database for my account, so that even when an attacker finds a collision he still won't know what I fucking use for a password.

      --
      "His name was James Damore."
    5. Re:Password policy by readingaccount · · Score: 1

      Your sarcasm was misguided anyway. The point is that if your original password can be sent to you in an email, it means they must be storing the password in plain-text anyway - if they're doing that, it doesn't bode well for the rest of their security implementations.

    6. Re:Password policy by aliquis · · Score: 1

      RUN!!!

      Does that help?

    7. Re:Password policy by Ice+Station+Zebra · · Score: 2

      This is the finding the needle in a stack of needles approach to password protection.

    8. Re:Password policy by readingaccount · · Score: 1

      Don't worry about it. He accused me of being young and naive about computers (which is interesting, since I code on FPGAs for a living), as if he's some amazing gift to the computing world.

      I fucking hate people who talk down strangers like this.

  7. Re:That's what you get for running Ubuntu by NobleSavage · · Score: 4, Insightful

    I assume that the forum software was hacked. I believe they ran vBulletin which is often hacked. Nothing indicates the underlying OS was hacked.

  8. Forums the new lowest hanging fruit by Anonymous Coward · · Score: 1

    Forum attacks have increased in recent years and it seems to be the newest go-to vulnerability. This is not platform specific so no need to just bash Linux or even Ubuntu specifically. Really, it's time for people to get serious about Forums and mailing list software where security is concerned. All of us know forum software is among the most used and abused software out there but mostly just underfunded. I invite all of you progressive thinkers out there to take this staple of development and communication to the next level because I for one would gladly pay license fees for an efficient and secure forum platform. I don't care what the excuse is 90% of the time for why it happened, it's always watered down to some story about someone forgetting to do something within the realm of conceivable human error- the fact is it happens too many times and I don't feel safe registering on most forums nowadays. So let's make a difference, we can do this BETTER.

  9. Password policy by readingaccount · · Score: 4, Interesting

    The passwords are not stored in plain text

    You'd hope so. That would be standard policy you'd assume by now (hashes are easy), but apparently it's still important to mention this given there are still way too many outfits storing plain-text passwords in their systems.

    I remember reading the following advice - if you're unsure about the security of any company with whom you've got a password-secured account with, just check to see if they have some kind of password recovery link on their login page. Normally these links should email you with a temporary password so you can make a new one, but if they happen to actually email you with your actual password... RUN!!!

  10. Re:That's what you get for running Ubuntu by russbutton · · Score: 1

    I'm still trying to figure out if I'm a chicken or an egg...

  11. Re:But Linux is more secure with many eyes! by Anonymous Coward · · Score: 2, Insightful

    Forum passwords were stolen via the forum software. Where does Linux come into this? Do you have the faintest clue what you're talking about?

  12. Re:you are strongly encouraged to change the passw by Rockoon · · Score: 1

    Neither of you seem to have any idea what the security implications are.

    --
    "His name was James Damore."
  13. Re:Phew by ls671 · · Score: 1

    Me too I use:
    passSlashdot
    passUbuntu
    passGmail
    etc.

    --
    Everything I write is lies, read between the lines.
  14. Re:But Linux is more secure with many eyes! by Anonymous Coward · · Score: 3, Informative
  15. Re:you are strongly encouraged to change the passw by Anonymous Coward · · Score: 1

    It probably wasn't much better than that. Don't know if it's still current, but the Javascript of their login form used to do this:

    <form id="navbar_loginform" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)" method="post" action="login.php?do=login">

  16. Not everyone has a public key or cell phone by tepples · · Score: 1

    The link can be made such that it only works once.

    For the attacker before the mail even gets to the intended user.

    The email can be sent encrypted to your public key.

    For those people who have the discretionary income to fly to key signing parties.

    The password-change code can be sent to your cellphone number

    For people who already pay hundreds of dollars a month for cell phone service. A lot of households still share a POTS house phone among members because it's cheaper than a cell phone with unlimited minutes per person.

    1. Re:Not everyone has a public key or cell phone by Anonymous Coward · · Score: 1

      Same AC.

      That wasn't intended to be an exhaustive list, just a proof by contradiction that the OP was incorrect when he or she said, "there isnt any better way to do it."

      I know that providing secure account-recovery options for public websites is hard. If you want to be able to do better than plaintext passwords through email, it is likely to require some additional development prior to the breach.

      Sending a plaintext password through email has the following bad properties (non-exhaustive):

      1. Anyone between the forum's SMTP server and your mail host may now have your password
      2. You cannot detect if one of these people recorded your password
      3. Depending on the system, you may not be able to detect if the interceptor has actually used your password
      4. You can only invalidate the data they collected by changing your password
      5. You are exposed for the interval of time from when the email is first sent until you do change your password.
      6. Someone who has compromised your email account and no other account of yours can fully impersonate you in the reset protocol.

      Each of the alternatives I proposed addresses at least one of these, trading off with compromises in ease of use, simplicity, or the amount of pre-work required (affecting ease of implementation post-breach). There is plenty of research in this space. Sending passwords by email is among the weakest ways to implement a lost-password protocol.

    2. Re:Not everyone has a public key or cell phone by smash · · Score: 1

      Most of the general public don't understand any of the other options. The idea of a password reset link via email is that you use this password TEMPORARILY to get access to the account only. So. Click password reset link, keep email program open, wait for email, log in and reset password. If someone is that sophisticated that they can sniff my email on the way through, recognise a forum login and log into it before I do whilst I'm sitting here waiting for the reset email, they can have it.

      Banks? Yes, this isn't good enough.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  17. When a server authenticates to another server by tepples · · Score: 1

    I agree with you that something reversible like encryption is not the best primitive to protect a shared secret when users are logging in to a server, such as the case in the article. But when the server is itself logging in to another server, it still needs to store a shared secret reversibly. For example, this secret might be an API key used by the payment processor to charge a credit card or a transaction ID used by the payment processor to refund a charge.

  18. You need a phone number to sign up for Facebook by tepples · · Score: 1

    BTW: Some people don't have cellphones.

    Some people don't have Internet. In any case, you already need your own phone number to sign up for Facebook unless you still have access to a university e-mail address.

    1. Re:You need a phone number to sign up for Facebook by tepples · · Score: 1
      Trying to explain my points a bit more explicitly:

      People who don't have Internet rarely sign up on random websites, so I fail to see your point.

      Some might claim that people with home Internet are more likely to have a cell phone.

      I don't really care what you need to sign up on Facebook. We're talking about ubuntuforums.org.

      One of the possibilities was that ubuntuforums.org might either A. adopt similar auth to Facebook or B. just rely on Facebook login.

    2. Re:You need a phone number to sign up for Facebook by smash · · Score: 1

      Unless they changed it in the last couple of years, no you don't. I (still) don't have my number in Facebook.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  19. Re:That's what you get for running Ubuntu by Anonymous Coward · · Score: 1

    Except that like its parent operating system, Debina, *no one* euses the base install.

    That's Debian! Deb + Ian!

    ... aptitude for package management (which brings in X windows)...

    No, it doesn't.

  20. Why bring in aptitude? by tepples · · Score: 1

    aptitude for package management (which brings in X windows)

    Why bring in aptitude? I thought that from the command line, apt-get did the same thing.

    Talking about a "base install" for such a system is like talking about [camping]

    How much does OpenSSH + the basic LAMP stack add to the base install?

  21. Re:That's what you get... by king+neckbeard · · Score: 1

    Most likely, it was a vulnerability in something higher up in the system, PHP or the forum software they were using. This would have happened regardless of OS if they didn't engage in the practice of updating their software every time there is a known vulnerability.

    --
    This is my signature. There are many like it, but this one is mine.
  22. Re:4 years?! In the future?! by smash · · Score: 1

    2011-2015 = 8:11pm to 8:15pm.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  23. Re:4 years?! In the future?! by Stalks · · Score: 1

    The hate is amusing. It was a JOKE.

  24. Radical technology, indeed. Paper.. by doccus · · Score: 1

    Wow. Has *everybody* forgotten about plain old paper? I got sick of forgetting passwords, so wrote (printed, actually) them down on paper. I have a highly encrypted file where I store the digital master for reprinting or updates to the list. The only inconvenient bit about it is that I can't copy and paste from a paper list, and copy/paste is a secure way to enter a password.. it makes keyloggers useless. Don't lose the paper, or forget the master password for the digital backup, though. I did once ;-(