Ubuntu Forums - FYI

Basil Chupin blchupin at iinet.net.au
Tue Jul 23 15:11:58 UTC 2013


On 22/07/13 19:47, Patrick Asselman wrote:
> On 2013-07-21 19:13, Istimsak Abdulbasir wrote:
>> On Jul 21, 2013 10:28 AM, "Basil Chupin" <blchupin at iinet.net.au> wrote:
>>> On 21/07/13 23:32, compdoc wrote:
>>>
>>>>> Doesn't really answer the question: what system is this vBulletin
>>>>> being run on? Windows?
>>>>
>>>> I doubt a community that loves Linux would run their systems on 
>>>> Windows.
>>>
>>> What I am surprised about is that I would have expected an avalanche 
>>> of posts stating that vBulletin is being run on a server using Linux 
>>> but so far no one has come up with such an assurance which indicates 
>>> to me that Windows is involved.
>>>
>>> What is that (?)annual competition for hackers where the first prize 
>>> offered is the latest model of a well known brand of laptop and 
>>> where, at all such competitions, the first system to be hacked is 
>>> Windows (the last time it took someone less than 2 minutes to hack 
>>> it) followed by Apple, which took just a bit longer, and Linux has 
>>> yet to be hacked?
>>>
>>> BC
>>
>> Nothing is unhackable. It does not matter what system you use, Linux,
>> Windows or MacOS. All it takes is time and determination. Linux is by
>> far the best system to use for security implementation. It has many
>> options. The well-known one is requiring root privilege for system
>> configuration. That is if the user knows what they are doing.
>>
>> In the case of the Ubuntu forums, vBulletin was the victim and it was
>> said that this software was outdated. Why Canonical did not recognize
>> this is a big question. Even on a secure system, if the user or admin
>> doesn't take all the necessary steps to ensure strong security, then
>> anything can be hacked. This is not a reason. Remember, the system
>> offers the option of security. It is the user that needs to know how to
>> use it.
>>
>
> I agree with the statement that nothing is unhackable. But I doubt 
> Linux is the best system to use for secure implementations. It all 
> depends on what you are trying to achieve with the system. There are 
> far more secure systems than Linux, but most of them don't run a web 
> server on the internet ;-)
>
> The cause is indeed said to be due to vBulletin forum software that 
> had not received the latest security patches. ref: 
> http://www.omgubuntu.co.uk/2013/07/ubuntu-forum-hacked-users-advised-to-change-passwords 
> This does not necessarily mean that the Ubuntu team was lax; security 
> patches are released all the time. It may just mean this hacker 
> exploited faster than they patched.
>
> The hacker goes by the nickname of "Sputn1k_". His(?) Twitter account 
> was taken offline, but he has twittered "You can stop worrying about 
> your passwords. Yes, they were encrypted. Encrypted with the default 
> vBulletin hashing algorithm (md5(md5($pass).$salt). Whilst it may not 
> be the strongest, when you're dealing with 1.8m users it would take a 
> very long time to get anywhere with the hashes. You don't have to 
> worry about a DB leak. That isn't how I like to do things." Of course 
> if you are clever you don't trust what this person says and take your 
> own precautions regardless ;) Google cache may still work as 
> reference: 
> http://webcache.googleusercontent.com/search?q=cache:Tv6iViVq598J:https://twitter.com/Sputn1k_+&cd=1&hl=en&ct=clnk&gl=us&client=firefox-a
>
> Why do hackers do this? I can think of a few reasons. If you are lucky 
> they do it to show that a site needs better security, and that is all. 
> More realistically they do it to harvest active email addresses that 
> they can sell to spammers. Sometimes hackers want to get attention and 
> put up some political statement on a much-visited site. Some hackers 
> may want to get into a system and place a backdoor entrance so they 
> can come back later and maybe modify some source code (but those are 
> not likely to deface a page like this). Worst case, they will analyse 
> the obtained data in detail, try to decode passwords, and try and make 
> the most of it.
>
> @BC: you really need to read up on system security, considering the 
> naive statements you are making!

Don't be a smartarse.

BC

-- 
Using openSUSE 12.3, KDE 4.11.0 & kernel 3.10.1-3 on a system with-
AMD FX 8-core 3.6/4.2GHz processor
16GB PC14900/1866MHz Quad Channel Corsair "Vengeance" RAM
Gigabyte AMD3+ m/board; Gigabyte nVidia GTX550Ti 1GB DDR5 GPU
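
The scheme named in the quoted tweet, md5(md5($pass).$salt), as an added example that is not part of the original thread and is not vBulletin's own code: it computes the legacy hash and wraps already-stored hashes in PBKDF2, so a user table can be hardened without knowing any plaintext password. The function names, the iteration count and the sample password and salt are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for this example; tune it for your own hardware.
PBKDF2_ITERATIONS = 200_000


def legacy_hash(password: str, salt: str) -> str:
    """md5(md5($pass).$salt) with PHP semantics: the inner digest is lowercase hex."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def wrap_legacy(stored_md5: str, kdf_salt: Optional[bytes] = None) -> dict:
    """Harden an existing row without the plaintext: run PBKDF2 over the old hash."""
    kdf_salt = kdf_salt or os.urandom(16)
    derived = hashlib.pbkdf2_hmac(
        "sha256", stored_md5.encode("ascii"), kdf_salt, PBKDF2_ITERATIONS
    )
    return {"scheme": "pbkdf2-over-md5", "kdf_salt": kdf_salt, "hash": derived}


def verify(password: str, legacy_salt: str, record: dict) -> bool:
    """Recompute the legacy hash for a login attempt, wrap it, compare in constant time."""
    candidate = wrap_legacy(legacy_hash(password, legacy_salt), record["kdf_salt"])
    return hmac.compare_digest(candidate["hash"], record["hash"])


if __name__ == "__main__":
    # Constructed sample row: the password and salt are made up for this example.
    old_row = {"salt": "x9$", "password": legacy_hash("correct horse", "x9$")}

    # One-off migration step: replace the fast MD5 value with the wrapped one.
    new_row = wrap_legacy(old_row["password"])

    print("right password accepted:", verify("correct horse", old_row["salt"], new_row))
    print("wrong password accepted:", verify("battery staple", old_row["salt"], new_row))
```

Each guess against a wrapped row costs the full PBKDF2 iteration count instead of two MD5 calls; the legacy salt has to stay in the row because login still recomputes the inner hash.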






More information about the ubuntu-users mailing list