Ubuntu Forums - FYI

Patrick Asselman iceblink at seti.nl
Mon Jul 22 09:47:06 UTC 2013


On 2013-07-21 19:13, Istimsak Abdulbasir wrote:
> On Jul 21, 2013 10:28 AM, "Basil Chupin" <blchupin at iinet.net.au> 
> wrote:
>> On 21/07/13 23:32, compdoc wrote:
>>
>>>> Doesn't really answer the question: what system is this vBulletin 
>>>> being
>>> run on? Windows?
>>>
>>> I doubt a community that loves linux would run their systems on 
>>> windows.
>>
>> What I am surprised about is that I would have expected an avalanche 
>> of posts stating that vBulletin is being run on a server using Linux 
>> but so far no one has come up with such an assurance which indicates 
>> to me that Windows is involved.
>>
>> What is that (?)annual competition for hackers where the first prize 
>> offered is the latest model of a well known brand of laptop and where, 
>> at all such competitions, the first system to be hacked is Windows 
>> (the last time it took someone less than 2 minutes to hack it) 
>> followed by Apple, which took just a bit longer, and Linux has yet 
>> to be hacked?
>>
>> BC
>
> Nothing is unhackable. It does not matter what system you use, Linux,
> Windows or MacOS. All it takes is time and determination. Linux is by
> far the best system to use for security implementation. It has many
> options. The well known one is requiring root privilege for system
> configuration. That is if the user knows what they are doing.
>
> In the case of the Ubuntu forums, vBulletin was the victim and it was
> said that this software was outdated. Why Canonical did not recognize
> this is a big question. Even on a secure system, if the user or admin
> doesn't take all the necessary steps to ensure strong security, then
> anything can be hacked. This is not a reason. Remember, the system
> offers the option of security. It is the user that needs to know how to
> use it.
>

I agree with the statement that nothing is unhackable. But I doubt 
Linux is the best system to use for secure implementations. It all 
depends on what you are trying to achieve with the system. There are far 
more secure systems than Linux, but most of them don't run a web server 
on the internet ;-)

The cause is indeed said to be due to vBulletin forum software that had 
not received the latest security patches. ref: 
http://www.omgubuntu.co.uk/2013/07/ubuntu-forum-hacked-users-advised-to-change-passwords 
This does not necessarily mean that the Ubuntu team was lax; security 
patches are released all the time. It may just mean this hacker 
exploited faster than they patched.

The hacker goes by the nickname of "Sputn1k_". His(?) Twitter account 
was taken offline, but he has twittered "You can stop worrying about 
your passwords. Yes, they were encrypted. Encrypted with the default 
vBulletin hashing algorithm (md5(md5($pass).$salt). Whilst it may not be 
the strongest, when you're dealing with 1.8m users it would take a very 
long time to get anywhere with the hashes. You don't have to worry about 
a DB leak. That isn't how I like to do things." Of course if you are 
clever you don't trust what this person says and take your own 
precautions regardless ;) Google cache may still work as reference: 
http://webcache.googleusercontent.com/search?q=cache:Tv6iViVq598J:https://twitter.com/Sputn1k_+&cd=1&hl=en&ct=clnk&gl=us&client=firefox-a

Why do hackers do this? I can think of a few reasons. If you are lucky 
they do it to show that a site needs better security, and that is all. 
More realistically they do it to harvest active email addresses that 
they can sell to spammers. Sometimes hackers want to get attention and 
put up some political statement on a much-visited site. Some hackers may 
want to get into a system and place a backdoor entrance so they can come 
back later and maybe modify some source code (but those are not likely 
to deface a page like this). Worst case, they will analyse the obtained 
data in detail, try to decode passwords, and try and make the most of 
it.

@BC: you really need to read up on system security, considering the 
naive statements you are making!

Best regards,
Patrick Asselman
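An added example, not code from this thread or from vBulletin: the legacy scheme the quoted tweet names, md5(md5($pass).$salt), implemented in Python beside a constant-time verifier and a hypothetical upgrade-on-login routine that re-hashes with PBKDF2-HMAC-SHA256. The slow KDF, its round count and the new record layout are assumptions for illustration, not what vBulletin or Canonical actually did.

```python
import hashlib
import hmac
import os

# Assumed parameters for the hardened scheme (not vBulletin's).
PBKDF2_ROUNDS = 200_000
SALT_BYTES = 16


def vb_legacy_hash(password: str, salt: str) -> str:
    """Legacy scheme quoted in the thread: md5(md5($pass).$salt).
    Both MD5 calls are fast, so the salt only defeats precomputed
    tables; it adds no per-guess cost for an attacker with the DB."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def verify_legacy(password: str, salt: str, stored: str) -> bool:
    # Constant-time compare so verification does not leak hash prefixes.
    return hmac.compare_digest(vb_legacy_hash(password, salt), stored)


def pbkdf2_hash(password: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """Deliberately slow replacement: each guess now costs `rounds` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def verify_pbkdf2(password: str, record: dict) -> bool:
    salt = bytes.fromhex(record["salt"])
    got = pbkdf2_hash(password, salt, record["rounds"])
    return hmac.compare_digest(got, bytes.fromhex(record["hash"]))


def upgrade_on_login(password: str, legacy_salt: str, legacy_stored: str):
    """Transparent migration: check the old hash at login; if it matches,
    return a new record under the slow KDF so the old one can be dropped.
    Returns None when the password does not match (no upgrade)."""
    if not verify_legacy(password, legacy_salt, legacy_stored):
        return None
    salt = os.urandom(SALT_BYTES)
    return {
        "alg": "pbkdf2-sha256",
        "rounds": PBKDF2_ROUNDS,
        "salt": salt.hex(),
        "hash": pbkdf2_hash(password, salt).hex(),
    }


if __name__ == "__main__":
    # Constructed sample credentials, not data from the breach.
    legacy = vb_legacy_hash("correct horse", "Zx9q")
    print(upgrade_on_login("correct horse", "Zx9q", legacy))
```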
