Speak of the devil… Ubuntu forums hacked

I had only done a blog on Linux yesterday, and there is already some more news of obvious incompetence in the Linux world. The forums of Ubuntu, the most popular Linux distribution, have been hacked. Currently there is an announcement with the following message:

Ubuntu Forums is down for maintenance

There has been a security breach on the Ubuntu Forums. The Canonical IS team is working hard as we speak to restore normal operations. This page will be updated regularly with progress reports.

What we know

  • Unfortunately the attackers have gotten every user’s local username, password, and email address from the Ubuntu Forums database.
  • The passwords are not stored in plain text. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP.
  • Ubuntu One, Launchpad and other Ubuntu/Canonical services are NOT affected by the breach.

Progress report

  • 2013-07-20 2011UTC: Reports of defacement

  • 2013-07-20 2015UTC: Site taken down, this splash page put in place while investigation continues.

The site was also defaced with the following page, by someone calling himself @Sputn1k_:

UbuntuForumsHacked

Apparently the hacker was able to exploit an older version of Vbulletin. If the largest distributor of linux is not even capable of keeping up with security patches for their own forum, that is a bad sign. Perhaps they just thought they were secure, because they were running linux? I thought that myth was already busted. Oh well…MythBusted

Advertisements
This entry was posted in Software news and tagged , , , , , , , , , , , . Bookmark the permalink.

14 Responses to Speak of the devil… Ubuntu forums hacked

  1. sam says:

    i’m a linux user and still happy that ubuntu forums are taken down

  2. Veda says:

    Ubuntu is not the best linux distro that really depends on what your planning to do with it.
    For general usage by someone with minimal interrest in OS or their guts I’d advice Mint.

  3. MacOS9 says:

    @Veda, I agree. For people who just want to get work done on a computer and don’t care much for the internals of the system, or hate using the terminal, best stick with the OS that came installed on the ‘pjuter, meaning Windows or OS X, or – if you really must – give the Ubuntu-based Mint a whirl (the long-term-support version….not the ones that change every six months). Best also stay away from the Debian-based Mint too since odd things sometimes happen with the rolling updates (I wont be bothering with that one or any rolling distros any time soon). In short: Windows, OS X, or Mint LTS with backports enabled. And maybe one day PC-BSD will become fast, slim, and usable…ah, one can always wish.

  4. rafraîchissant says:

    [OFF-TOPIC] Scali, what you say about the accusations that are made against BSD on blog “BSD, the truth?
    The charges he makes against BSD are true or are thing of GNU fanboy ?

    • Scali says:

      It’s just fanboy rantings… BSD was around long before GNU was. You can easily find the proper info about most things in newsgroup archives etc.

      • rafraîchissant says:

        Scali, the blog “BSD, the truth” made ​​me very confused because contains claims that does meaning.
        For example, it says that “developers are often abused by top OpenBSD officials close to de Raadt or even worse, by de Raadt himself”, reference:http://aboutthebsds.wordpress.com/2013/01/25/20/.

        One of the reasons of expulsion of Theo de Raadt of NetBSD was the abuse against users and developers of NetBSD.

        The same blog also says that “BSD projects by contrast grow much slow or are stagnant”.

        Charles Hannum (one of the founders of NetBSD) tells us that ‘The NetBSD Project has stagnated to the point of irrelevance. reference:http://mail-index.netbsd.org/netbsd-users/2006/08/30/0016.html

        Correct me where I’m wrong, please.

      • Scali says:

        Ah, you are showing your true colours.
        I was referring to some of the things they posted about how BSD allegedly stole code from GNU (when it can be easily verified that the BSD project has been around longer, and their various examples were around in the BSD codebase before GNU).

        The things you are posting may be true, but that doesn’t make everything on that blog true. Theo de Raadt… I said myself that he stole The Owl’s no-execute code. Then again, I’m a FreeBSD user, and don’t really care about NetBSD or OpenBSD. It’s funny how GNU/linux fanboys think of all the BSDs as the same OS, as if they are just distributions. Shows how little they understand about the BSD world they try to criticize.

        Anyway, this blog is not for such discussions, so unless you have something technical and/or to contribute, I suggest we stop here.

      • rafraîchissant says:

        Scali, the videos that the blog “BSD, the Truth” shows against BSD are false information? For example:
        The supposed video that shows that BSD is insecure. reference: http://aboutthebsds.wordpress.com/2014/01/03/more-demonstrations-which-show-that-bsd-is-insecure/
        The supposed video that shows that NetBSD is insecure and flawed. reference:http://aboutthebsds.wordpress.com/2013/05/14/netbsd-proven-insecure-and-flawed/

      • Scali says:

        Stop bothering me. Do soms research and make up your own mind.

  5. rafraîchissant says:

    “Scali wrote:
    But well, if even the main linux kernel developer is like that, things look bleak, very bleak. ”

    I agree with this statement.
    Linus Torvalds said something that according to Andrew Tanenbaum, Linus did not know that he doesn’t know what he’s talking about. reference:http://linuxfr.org/nodes/88229/comments/1291183

    Scali, please post an post about BSD and says what are the false claims that the site BSD the truth says against BSD to prevent more people from getting confused as I was confused.

    • Scali says:

      Sadly John Carmack does it too. He talks about Direct3D as if he knows anything about it. But the things he says sound like he has not kept up with D3D at least since version 9.
      Apparently he just buys a lot of AMD’s claims about Mantle, and counters with OpenGL extensions, even though a lot of things have already been implemented in D3D10 (such as performing validation at initialization stage, not at runtime… or various changes to the API to reduce the number of calls required for specific operations, eg by memory-mapping constant buffers and such).

  6. rafraîchissant says:

    What security tool that Ubuntu Forums should have used
    to not be hacked?

    • Scali says:

      There is no way to ensure that you can’t be hacked. However, they could have avoided this particular hack by simply keeping their Vbulletin forum software up-to-date.

      • rafraîchissant says:

        Scali wrote:
        “I had only done a blog on Linux yesterday, and there is already some more news of obvious incompetence in the Linux world.”

        Who is has competence?
        Debian, Slackware, etc

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s