Gun-wielding penguin takes over Ubuntu Forums, waves AK-47 at Linux users everywhere

Mark Shuttleworth is famous for two things: for being the first African in space, and for founding Canonical, the company behind Ubuntu Linux.

→ I know it’t not really Ubuntu Linux. It’s Ubuntu, a computing platform based on GNU/Linux and including lots more besides. But we shall call it “Ubuntu Linux” as a sort of handy abbreviation.

Ubuntu was arguably the first Linux distro to attract the attention of ungeeks, to provide an installer that tended to “just work” without any jargon, and to gain a foothold of any sort amongst the type of user that would otherwise perfectly happily have paid for Windows or OS X.

As a result, it spawned a range of online forums dedicated to supporting and nurturing its large fan base, handily collated into the Ubuntu Forums portal.

Ubuntu Forums is bankrolled by Canonical, and should look something like this:

Over the weekend, however, it looked like this:

(That’s supposed to be Tux, the penguin mascot of Linux, waving an AK-like assault weapon in his flippers.)

By now, the day after the attack, there’s just a breach alert holding page put up by Canonical:

It’s hard to imagine what the hackers hoped to achieve by taking out a bunch of free forums for a free distro of a free operating system.

Some commenters in the Twittersphere can’t find rhyme or reason either, and have let rip with opprobrious tweets to make their displeasure known:

Of course, one perfectly likely explanation for the hack is clear from Canonical’s mea culpa letter: for the personally identifiable information (PII) that it yielded.

Unfortunately the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database.

With close to 2 million signed-up members, that could mean a lot more spam for a lot of people.

And for those who have chosen poor passwords, the stolen password database could mean worse than that.

Canonical stated that:

The passwords are not stored in plain text, they are stored as salted hashes.

It might have been handy if Canonical had said what sort of salting-and-hashing was used, to give some idea of how quickly an attacker could try a dictionary of passwords against the stolen data.

On the other hand, if you change your password as soon as the Forums come back on line (and it’s likely Canonical will force everybody to do so anyway, for safety’s sake), and you haven’t used the same password anywhere else, you ought to be OK.

Here’s our advice:

  • When you choose a password, don’t pick anything obvious. Attackers put the most likely passwords at the top of their dictionary lists, so the tougher your password, the later it will fall, if at all.
  • Don’t use the same password on multiple sites. Doing so means that your login details on the most important site are at risk from an attack on the least secure one.
  • If you store password databases, use a strong salt-and-hash system (e.g. bcrypt, scrypt or PBKDF2) that makes it much harder and slower for attackers to go through their password dictionary, but not so slow that it’s impracticable to verify individual passwords when your users login.