Ubuntu Linux users can relax.
Maybe.
Someone claiming to be behind the weekend’s Ubuntu Forums gun-toting-penguin takeover means no harm, s/he said in a TwitLonger post.
The person, going by the name of “Sputn1k_”, says to stop fretting about the password cracking, already, though s/he is enjoying the “rage tweets”.
The encryption used to secure the filched local usernames, passwords, and email addresses of 1.8 million users might not be top-notch, but it’s good enough to slow the cracking enough to make it tedious, Sputn1k_ says.
Besides, Sputn1k_ muses, s/he just doesn’t swing that way.
At least, one hopes, Sputn1k_ doesn’t swing that way when sticking a fork into a bunch of online forums, filled with data from volunteers who lend their time and effort to contribute to people’s use of a free operating system (which severs the chains that would otherwise bind consumers to Microsoft and Apple, of course).
The philosophy of Sputn1k_ on the matter:
"You can stop worrying about your passwords. Yes, they were encrypted. Encrypted with the default vBulletin hashing algorithm (md5(md5($pass).$salt)). Whilst it may not be the strongest, when you're dealing with 1.8m users it would take a very long time to get anywhere with the hashes. You don't have to worry about a DB leak. That isn't how I like to do things."
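The scheme named in that quote, md5(md5($pass).$salt), is a salted but fast hash, and the usual remedy on the defending side is to re-hash each password with a slow key-derivation function the next time its owner logs in. The Python below is an added example, not vBulletin's or the Ubuntu Forums' code; the record layout, the `make_legacy_record` and `login` helpers, and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def legacy_vb_hash(password: str, salt: str) -> str:
    """md5(md5($pass).$salt): hex MD5 of the password, salt appended, MD5 again."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: bytes) -> str:
    """Replacement scheme: PBKDF2-HMAC-SHA256 with a per-user random salt."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS)
    return raw.hex()


def make_legacy_record(password: str, salt: str) -> dict:
    """Build a constructed user record as the old scheme would have stored it."""
    return {"scheme": "vb-md5", "salt": salt,
            "hash": legacy_vb_hash(password, salt)}


def login(record: dict, password: str) -> bool:
    """Check a login; on success, upgrade a legacy record in place."""
    if record["scheme"] == "vb-md5":
        expected = legacy_vb_hash(password, record["salt"])
        if not hmac.compare_digest(expected, record["hash"]):
            return False  # wrong password: leave the record untouched
        # Correct password is in hand only now, so re-hash it with the slow KDF.
        new_salt = os.urandom(16)
        record.update(scheme="pbkdf2-sha256", salt=new_salt.hex(),
                      hash=slow_hash(password, new_salt))
        return True
    expected = slow_hash(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(expected, record["hash"])


if __name__ == "__main__":
    user = make_legacy_record("correct horse battery staple", "x9Q")  # constructed
    print(login(user, "guess"), user["scheme"])
    print(login(user, "correct horse battery staple"), user["scheme"])
```

Accounts that never log in again keep the fast hash, which is why a forced password reset normally accompanies a migration like this after a breach.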
If you hadn’t heard of the Ubuntu Forums takeover, it goes like this:
Ubuntu is an operating system based on the Linux kernel.
It gives non-technical people the freedom to run their PCs on something other than Apple’s Mac OS or Windows.
Ubuntu’s rated to be the most popular Linux distro of them all, according to various surveys, such as DistroWatch (here’s a writeup from 2012).
Over the weekend, the typical Forum page was replaced by an image of the Linux penguin mascot doctored to have an assault weapon clutched in its flippers. The image was branded with Sputn1k_’s handle.
As of Tuesday, the site was still down as people were working to reinstall the forums, according to the information systems team.
This is not, evidently, his/her first time at messing with websites. But Sputn1k_ has no “REAL malicious” intent, s/he says:
"If I do get into a website, most of the time there's no REAL malicious intentions. Grab the database, leave a message. That's it. I don't like to over-do things."
Not terribly malicious. Just, evidently, sort of.
At least most of the time.
Gee, does that make you feel better?
I hope not.
I hope you take Paul Ducklin’s advice and change your password.
Make sure it’s strong. If you’re one of the non-techies who use Ubuntu’s distribution because, well, you’re non-techie, that might not be the easiest admonition to follow.
Do what other non-techies (and even techies!) do, then: use a password manager.
It will cook up convoluted passwords, but better still, you don’t have to remember them, or write them down, or brand them into your pet’s backside, as you can set it up to fill in passwords more or less automatically.
Win-win, yes?
Regarding Sputn1k_’s claim that this fiddling has no “real” malicious intent, I would suggest that poking at a site to discover vulnerabilities can be socially redemptive, if you aren’t a jerk about it.
That includes responsible disclosure. It does not include skewering things and thus making support staff sweat bullets.
Join the open-source community. That’s one socially acceptable utilization of hacking skills.
Fie on all else, including smarmy intentions. A pox upon your hackery.
Oh, and if this posting on TwitLonger is by yet another jokester and not the one who took over the Forums…?
Double fie for making me waste my time to write this and for wasting readers’ time to read it.
Images of penguin and password courtesy of Shutterstock.
"Double fie for making me waste my time to write this and for wasting readers' time to read it."
🙁
This cracker must run Windows; who would exploit a Linux community forum? Good or bad intent, this is bad form. Script kiddie alert!
"who would exploit a Linux community forum?"
Oh, I don't know, someone who was bored and noticed that the security was not up to par? There are plenty of hackers that are more than happy to hack the Linux community. In a way it is good. If no one ever poked the Linux people then they get too comfortable. You know, like the Mac users. Both Mac and Linux people like to have this holier than thou attitude thinking they are invincible.
Having said that, I use Windows, Linux and Mac computers. So no, I'm not just some Windows fan boy.
Don't paint all Mac users the same. We're not. Besides, you said you yourself are a Mac user.
Yeah, I can be a bit hard on Mac users. It is the result of working with a couple of guys who are best described as "Mac cultists". You know the type, they believe Macs are perfect, must always have the newest iGadget as soon as it is out, even have the Apple logos plastered on their cars……
Macs are good machines and have their place. I just get really annoyed with the Apple fans who seem to think Apple products float down from heaven. They are not really better than PCs, they are just different. Some things Macs are better at, other things PCs handle better.
Outside of trying to understand the mind of the hacker, if you feel the need to unencrypt something, why not try bitcoin, maybe the time factor is the problem. I'm sure lots of people have hacked sites and some have even told the admin to improve security however. I always felt that hackers served the purpose of improving security, but sometimes it seems that the internet will never be secure.