Mark Shuttleworth is famous for two things: for being the first African in space, and for founding Canonical, the company behind Ubuntu Linux.
→ I know it’s not really Ubuntu Linux. It’s Ubuntu, a computing platform based on GNU/Linux and including lots more besides. But we shall call it “Ubuntu Linux” as a sort of handy abbreviation.
Ubuntu was arguably the first Linux distro to attract the attention of ungeeks, to provide an installer that tended to “just work” without any jargon, and to gain a foothold of any sort amongst the type of user that would otherwise perfectly happily have paid for Windows or OS X.
As a result, it spawned a range of online forums dedicated to supporting and nurturing its large fan base, handily collated into the Ubuntu Forums portal.
Ubuntu Forums is bankrolled by Canonical, and should look something like this:
Over the weekend, however, it looked like this:
(That’s supposed to be Tux, the penguin mascot of Linux, waving an AK-like assault weapon in his flippers.)
By now, the day after the attack, there’s just a breach alert holding page put up by Canonical:
It’s hard to imagine what the hackers hoped to achieve by taking out a bunch of free forums for a free distro of a free operating system.
Some commenters in the Twittersphere can’t find rhyme or reason either, and have let rip with opprobrious tweets to make their displeasure known:
Of course, one perfectly likely explanation for the hack is clear from Canonical’s mea culpa letter: for the personally identifiable information (PII) that it yielded.
Unfortunately the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database.
With close to 2 million signed-up members, that could mean a lot more spam for a lot of people.
And for those who have chosen poor passwords, the stolen password database could mean worse than that.
Canonical stated that:
The passwords are not stored in plain text, they are stored as salted hashes.
It might have been handy if Canonical had said what sort of salting-and-hashing was used, to give some idea of how quickly an attacker could try a dictionary of passwords against the stolen data.
On the other hand, if you change your password as soon as the Forums come back on line (and it’s likely Canonical will force everybody to do so anyway, for safety’s sake), and you haven’t used the same password anywhere else, you ought to be OK.
Here’s our advice:
- When you choose a password, don’t pick anything obvious. Attackers put the most likely passwords at the top of their dictionary lists, so the tougher your password, the later it will fall, if at all.
- Don’t use the same password on multiple sites. Doing so means that your login details on the most important site are at risk from an attack on the least secure one.
- If you store password databases, use a strong salt-and-hash system (e.g. bcrypt, scrypt or PBKDF2) that makes it much harder and slower for attackers to go through their password dictionary, but not so slow that it’s impracticable to verify individual passwords when your users login.
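To make the third point concrete, here is an added example (not code from the article or from Canonical) of the kind of salt-and-hash scheme the advice describes, using PBKDF2-HMAC-SHA256 from Python's standard library. The iteration count, the record format and the calibration target are assumptions chosen for illustration; the idea is that a per-user random salt plus a tunable work factor makes bulk dictionary guessing expensive while a single login check stays cheap, and that stored records carry their own work factor so they can be upgraded when the policy is raised.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed policy values for illustration: tune ITERATIONS so that one
# verification costs tens of milliseconds on your own login servers.
ITERATIONS = 100_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn per password, so two users with the same
    password get different records and a precomputed table is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and work factor stored in the record."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported record format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk.hex(), hash_hex)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored record is weaker than the current policy.

    Call this right after a successful login: the plaintext is in hand at
    that moment, so the record can be replaced with a stronger one.
    """
    return int(record.split("$")[1]) < iterations


def calibrate_iterations(target_seconds: float = 0.05, start: int = 1000) -> int:
    """Double the iteration count until one hash takes at least target_seconds.

    This is how the work factor is chosen: slow enough to hurt an attacker
    working through a dictionary, fast enough for interactive logins.
    """
    iterations = start
    salt = os.urandom(SALT_BYTES)
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration", salt, iterations)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2


if __name__ == "__main__":
    # Constructed sample: a record written under an older, weaker policy.
    old_record = hash_password("correct horse battery staple", iterations=10_000)
    assert verify_password("correct horse battery staple", old_record)
    assert not verify_password("Correct horse battery staple", old_record)
    if needs_rehash(old_record):
        new_record = hash_password("correct horse battery staple")
        print("upgraded:", new_record.split("$")[1], "iterations")
    print("suggested iterations on this machine:", calibrate_iterations())
```

The record format keeps the algorithm name and iteration count alongside the salt and hash, which is what lets a site say precisely what it stored if it is ever breached, and what lets it raise the work factor over time without a flag day.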
Wow! Kind of surprised Canonical not doing that already! (I know – how many times do you have to tell people?)
I quit using it personally when they switched from Gnome desktop to that other "thing" for a desktop and using Mint distro now. Hmm. Maybe I should check and make sure what Mint are doing… Every time you assume someone is smarter than that – they're not!
You can still get the new Gnome desktop and drop unity all together.
The guy who did this said in a Twitter post (account now gone) that the passwords were hashed “with the default vBulletin hashing algorithm (md5(md5($pass).$salt))”
It looks like the same guy who took down the yogscast site a couple weeks ago.
Canonical did piss a lot of its long-term users off when it put spyware in by default.
Some people have commented "why attack a free open source project" – the opposite to that could be "why did Canonical turn on its users."
"It's hard to imagine what the hackers hoped to achieve"
No it's not. The dude stole 1.8 million passwords, with their associated names and email addresses. Chances are, a not-insignificant number of those users use that password for other services, likely their email. Once they have control of the email, you can use the 'forgot my password' at other websites (like, I dunno…online banking) to get a reset link sent to the email address.
It's a pretty standard tactic.
Just pointing out that the AK wielding Penguin originally belonged to the music producer, Ephixa.
Shh, we troll erryone.