Ubuntu forums hacked; 1.82M logins, email addresses stolen

“Canonical, the company behind the Ubuntu operating system, has suffered a massive data breach on its forums. All usernames, passwords, and email addresses were stolen.”

see Ubuntu forums hacked; 1.82M logins, email addresses stolen.

That’s a bit embarrassing, I’m sure. Apparently they use a non-free PHP script, vBulletin, which had a similar problem three years ago. I hope Canonical did not fail to patch it.

In any event, one wonders why Canonical chose to use non-free PHP code instead of phpBB or Wikimedia or some other Free Software. Surely code they could run, examine, modify and distribute would be more robust. vBulletin’s licence does permit running, examination, and modification but not distribution. Presumably the FLOSS code bases would have a lot more eyes on them, finding vulnerabilities and fixing them.

From Canonical:
“Unfortunately the attackers have gotten every user’s local username, password, and email address from the Ubuntu Forums database.
The passwords are not stored in plain text, they are stored as salted hashes. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP.
Ubuntu One, Launchpad and other Ubuntu/Canonical services are NOT affected by the breach.
Progress report
2013-07-20 2011UTC: Reports of defacement
2013-07-20 2015UTC: Site taken down, this splash page put in place while investigation continues.”

One interesting bit in all this: if they have 1.8 million people posting on the forums, they must have an order of magnitude or more users actually reading the forums. Canonical is reaching a lot of people and should put a bit more effort into providing security. Black-hat hackers are like sharks in the water when a site is popular.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.

19 Responses to Ubuntu forums hacked; 1.82M logins, email addresses stolen

  1. bw says:

    as if there were a difference…

    You can google around for things like this:

    http://www.ericsink.com/No_Programmers.html

    that talk around the subject, but the distinction that I have comes from the practices of the company that I worked at and is a Fortune 500 software company (not Microsoft).

    There the term “programmer” is used for utility code writers who usually have some sort of 2 year associate degree in IT. If a problem is stated in enough detail along with a solution, they are effective in creating a module that takes problem parameters and produces a valid solution.

    Developers are a much higher paid category and come with bachelor and advanced degrees and/or some expertise in science and engineering fields pertinent to the software being developed. For example a development team responsible for an anesthesiology history tracking product that I worked on had code writers but also a couple of surgical nurses and an anesthesiologist who provided the product vision and interacted with the code builders. The general engineering background of the code developers had to encompass some degree of understanding of the chemistry, physics, and math that went into the product AI and presentation. Not a job for the lightly educated.

  2. bw says:

    I stated that ‘certificates’ and ‘resumes’ are worthless. Never said that education is worthless or not worth paying for, in fact, I have a high disdain for people that fail to continue their education, even after college

    Weren’t you the one who posted: “Schools and bw, want you to believe that you need more education because they want your money. … Why should someone drop tens of thousands of dollars on a piece of paper, when they could be out working”

    For that matter certificates and resumes are the way that one conveys proof that the education has been obtained. I think you need to go back to school and get an education.

  3. Ted says:

    “As a Microsoft troll your words are worthless bw. ”

    Change the record, will you? Why not try actually proving him wrong or debating with him instead of just denouncing all he says as worthless?

    At least he adds something to the thread that makes it worth reading. You, on the other hand, add only noise.

  4. ram wrote, “it was only salted hashes that were compromised”.

    That’s not much comfort. With the e-mail addresses, ones interesting to the intruder will fall within days to various cracking algorithms: password sieves, brute-force, and Moore’s Law. Even if the user changes passwords, any pattern identified may render the new password weak once the old one is cracked.

  5. ram says:

    At least it was only salted hashes that were compromised. Not really that much of an issue.

  6. bw wrote, “Putzing around for 10000 hours can maybe make you a programmer, but not a developer” as if there were a difference…

  7. dougman says:

    Golf, bridge player and M$ troll:

    Do not put words in my mouth, or try to misquote me, it simply will not work.

    In review of the past blog entry, located at : http://mrpogson.com/2013/07/11/floss-will-be-the-default-software-for-higher-education-in-france

    I stated that ‘certificates’ and ‘resumes’ are worthless. Never said that education is worthless or not worth paying for, in fact, I have a high disdain for people that fail to continue their education, even after college.

    Oh, and sorry to piss in your M$ cornflakes BW, but since this blog posting is about Ubuntu: Canonical is crowdsourcing the Ubuntu Edge phone. Simply, one walks up and drops the phone in a dock and away you go on the web. Once you’re ready to leave for the day, you remove the phone from the dock and it reverts to Android.

    No desktop, No laptop and I suspect once this takes off, Google and other OEMs will follow. BYE BYE M$.

    http://www.indiegogo.com/projects/ubuntu-edge

    Decent video showing the docking/undocking: http://www.youtube.com/watch?v=wzc0uMXGFBY

  8. matchrocket says:

    “Go to a state school if you cannot afford better.”
    As a Microsoft troll your words are worthless bw. As a bigot they are poison.

  9. bw says:

    BW, the M$ apologist, thinks we are idiots

    You are the one going around saying that education is not worth paying for. I think that makes you a self-proclaimed idiot and you can hardly fault anyone for agreeing with you.

    that right there speaks volumes

    It sure does. Volumes about your lack of understanding of real software development, that is.

    Putzing around for 10000 hours can maybe make you a programmer, but not a developer. Go to a good school and get an engineering degree first. Go to a state school if you cannot afford better. Then spend a while doing something actually useful. Then come back and offer an opinion about what it takes to become a developer.

  10. dougman says:

    I will also add that NT kernel development is running at a slower pace than Linux development.

    The below link explains it all, worth a read.

    https://news.ycombinator.com/item?id=5689391

  11. dougman says:

    BW, the M$ apologist, thinks we are idiots and would rather disregard or overlook past, present and future M$ failures.

    The main thrust or gist of what I posted is simply this. Motivational drive via monetary reward is not salient to producing software. By pointing this out and then looking at Linux growth, one can see the writing on the wall.

    Anyone can start developing and contributing to FLOSS, and I mean anyone. If you want to be a software developer, plan on 10000+ hrs to become an outlier or virtuoso; this equates to ~3.5 years, 8 hours a day non-stop.

    Software development is undergoing a major change away from a fully closed software process towards a process that incorporates open source software in products and services.

    On average, iOS developers get $5,200 per month from their apps, Android developers get $4,700, and Windows Phone developers get $3,600. So this leaves iOS and Android, but starting with iOS costs money, so only Android is available.

    I had my first Android app, just two hours after I wondered how hard it would be to develop for Android AND at no cost to me, that right there speaks volumes.

  12. bw says:

    Wikipedia scaled. Encarta did not

    You read too much into this. Encarta was a product that was offered for a time and sold a lot of copies and made a lot of money for Microsoft. Eventually, it became passé and vanished from view. Time marches on and new products replace the old. Take Xbox for example.

    PCs are being supplanted in some instances by phones and tablets. That is just the nature of things. You cannot attribute that to Linux, it is a phenomenon unto itself.

    Maybe Microsoft will disappear someday entirely, maybe it will morph into something else. Microsoft today is vastly different from the Microsoft that sold PC-DOS to IBM in 1981. It is thousands of times larger and covers a vast array of products, most of which are market leaders.

    Microsoft’s founders and managers and developers from the PC DOS days are incredibly wealthy and set for life. Maybe they rue the changes that have happened over the years, maybe not, but whatever they do, they do in physical comfort due to their success.

    Ballmer may have to someday just close the office, have a beer with his pals, and just say “*** it all” and board his yacht and set out for the Hawaiians to soothe his soul. Or maybe they will have another record year next year. I don’t know for sure.

  13. dougman wrote of Encarta and Wikipedia. Encarta antedated Wikipedia by ages. At its prime, “In 2008, the complete English version, Encarta Premium, consisted of more than 62,000 articles, numerous photos and illustrations, music clips, videos, interactive contents, timelines, maps & atlas and homework tools.”

    By comparison, Wikipedia has 4.28 million content pages and counting. I know in 2005 the content was able to fit on a few CDs. I made local copies for schools. Now it takes a server farm to hold it all, and a download of the XML is 42 GB uncompressed. Then there are all those images…

    Wikipedia scaled. Encarta did not. M$ was the bottleneck. FLOSS scales. Non-free software often does not, because the gatekeeper trying to rake off profits for everything throws water on the fire of human creativity.

  14. dougman says:

    Off subject, but relevant nonetheless.

    Wikipedia has been a collaborative effort with thousands of contributors providing useful information for free, while Encarta was formed for a profit venture by the world’s dominant (at least at the time) software company. Wikipedia succeeded due to these efforts and Encarta went out of business.

    When M$ built Encarta no one would have thought that Wikipedia would beat them out, not even the economists. This is where Linux will prevail in the long term. In time, I can see M$ building an Office Suite and Windows OS on top of a Linux distribution, the same thing done with Android and ChromeOS.

    Replace ‘Encarta’ with ‘Microsoft’ and ‘Wikipedia’ with ‘Linux’, then you will see where this ends up.

    Daniel Pink stated in his book “Drive” what truly motivates people, and it’s not bribes, kickbacks, bonuses, commissions or even money. Imagine the horror! Anyway, it’s a good read. 🙂

    http://www.youtube.com/watch?v=u6XAPnuFjJc

  15. Excellent links, dougman.

    Quoting TFA: “Now that people have a choice of devices, it turns out that a full-blown personal computer is often not the most cost-effective, convenient, or simplest way to do what a user wants to do.”

    Precisely written. Even M$ knew that was coming when they worried about P3’s not needing upgrading for ages back in the 1990s. M$ just could not adapt. They tried to react but they suffered from their own inertia. FLOSS is agile and light by comparison.

    Here’s another from Slate: “Microsoft couldn’t imagine being bested by upstart punks”. M$ was bested by Google’s search, Google’s Android/Linux, Linux, of course, tons of FLOSS applications and millions of developers.

  16. dougman wrote, “if there are 1.82M actively engaged users, then 1.82M users divided by 20% is 9.1M readers.”

    That’s a law to compare productivity. The productivity of a reader is near zero in regards to a forum. On my blog there are more than ten readers for every commentator.

    Some stats: Since the beginning this blog has had 16 views per comment made but the past week 90% of visitors commented. Most of those comments were filtered out as spam. The valid comments were about 2% of visitors.

    So, I would estimate that Canonical has more than 20 million users judging by the activity on the forums. Another factor is that some of the accounts may be old/stagnant and many may be from system administrators representing hundreds/thousands of users. I do know that Ubuntu GNU/Linux is used by a lot of folks who may never visit the forums because most people are not computer-geeks and Ubuntu GNU/Linux is sold on retail shelves and used in schools, governments and businesses.

  17. bw says:

    Using Pogson’s 1.5 billion PC users worldwide, that’s a little over a half percent, which matches pretty well with internet stats regarding Linux. Ubuntu is far and away the most popular distribution in those stats.

  18. dougman says:

    Using Pareto’s 80/20 Law, if there are 1.82M actively engaged users, then 1.82M users divided by 20% is 9.1M readers.
