Ubuntu Linux users can relax.
The person, going by the name of “Sputn1k_”, says to stop fretting about the password cracking, already, though s/he is enjoying the “rage tweets”.
The encryption used to secure the 1.8 million filched users’ local usernames, passwords, and email addresses might not be top-notch, but it’s good enough to make cracking slow enough to be tedious, Sputn1k_ says.
Besides, Sputn1k_ muses, s/he just doesn’t swing that way.
At least, one hopes, Sputn1k_ doesn’t swing that way when sticking a fork into a bunch of online forums, filled with data from volunteers who lend their time and effort to contribute to people’s use of a free operating system (which severs the chains that would otherwise bind consumers to Microsoft and Apple, of course).
The philosophy of Sputn1k_ on the matter:
"You can stop worrying about your passwords. Yes, they were encrypted. Encrypted with the default vBulletin hashing algorithm (md5(md5($pass).$salt). Whilst it may not be the strongest, when you're dealing with 1.8m users it would take a very long time to get anywhere with the hashes. You don't have to worry about a DB leak. That isn't how I like to do things."
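To make the quoted claim concrete from a defender's side, here is an added example (not code from the original article, vBulletin, or the person quoted) that reproduces the md5(md5($pass).$salt) scheme named in the quote, checks a login against it, and measures how little CPU one password guess costs compared with a purpose-built password KDF (PBKDF2-HMAC-SHA256, a choice made for this example). The sample password and salt are constructed values, not data from the breach. The per-user salt is what makes the job "tedious": a table precomputed for one user is useless for another. But MD5 itself is fast, which is why the advice to change your password still stands.

```python
import hashlib
import secrets
import time

# Constructed sample values for illustration only; not data from the breach.
SAMPLE_PASSWORD = "correct horse"
SAMPLE_SALT = "k3Yq8"  # vBulletin stored a short random salt per user


def vbulletin_hash(password: str, salt: str) -> str:
    """Reproduce the legacy vBulletin scheme quoted on the page:
    md5(md5($pass).$salt), where PHP's md5() returns lowercase hex."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def vbulletin_verify(password: str, salt: str, stored: str) -> bool:
    """What a login check does: recompute and compare in constant time."""
    return secrets.compare_digest(vbulletin_hash(password, salt), stored)


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """A purpose-built password KDF for contrast: same idea (salt + hash) but
    with a tunable work factor, so every guess costs real CPU time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def cost_ratio(iterations: int = 100_000, samples: int = 2000) -> float:
    """Seconds per guess for PBKDF2 divided by seconds per guess for the
    vBulletin scheme. Absolute timings depend on the machine; the order of
    magnitude is the point."""
    t0 = time.perf_counter()
    for _ in range(samples):
        vbulletin_hash(SAMPLE_PASSWORD, SAMPLE_SALT)
    vb_per_guess = (time.perf_counter() - t0) / samples

    salt = secrets.token_bytes(16)  # a real system stores this alongside the hash
    t0 = time.perf_counter()
    pbkdf2_hash(SAMPLE_PASSWORD, salt, iterations)
    kdf_per_guess = time.perf_counter() - t0
    return kdf_per_guess / vb_per_guess


if __name__ == "__main__":
    stored = vbulletin_hash(SAMPLE_PASSWORD, SAMPLE_SALT)
    print("stored hash:", stored)
    print("login ok:", vbulletin_verify(SAMPLE_PASSWORD, SAMPLE_SALT, stored))
    print("wrong password:", vbulletin_verify("wrong", SAMPLE_SALT, stored))
    # Same password, different salt -> different hash. This is the property that
    # forces each user's hash to be attacked on its own; it is not a slow hash.
    print("salt changes hash:", vbulletin_hash(SAMPLE_PASSWORD, "other") != stored)
    print(f"PBKDF2 costs roughly {cost_ratio():.0f}x more per guess than md5(md5(p).s)")
```

Running it shows the verify path behaving as a forum login would, and a cost ratio in the thousands or more: the salt buys per-user separation, the KDF's work factor buys time, and the legacy scheme only has the first of those.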
If you hadn’t heard of the Ubuntu Forums takeover, it goes like this:
Ubuntu is an operating system based on the Linux kernel.
It gives non-technical people the freedom to run their PCs on something other than Apple’s Mac OS or Windows.
Ubuntu’s rated to be the most popular Linux distro of them all, according to various surveys, such as DistroWatch (here’s a writeup from 2012).
Over the weekend, the typical Forum page was replaced by an image of the Linux penguin mascot doctored to have an assault weapon clutched in its flippers. The image was branded with Sputn1k_’s handle.
As of Tuesday, the site was still down as people were working to reinstall the forums, according to the information systems team.
This is not, evidently, his/her first time at messing with websites. But Sputn1k_ has no “REAL malicious” intent, s/he says:
"If I do get into a website, most of the time there's no REAL malicious intentions. Grab the database, leave a message. That's it. I don't like to over-do things."
Not terribly malicious. Just, evidently, sort of.
At least most of the time.
Gee, does that make you feel better?
I hope not.
I hope you take Paul Ducklin’s advice and change your password.
Make sure it’s strong. If you’re one of the non-techies who use Ubuntu’s distribution because, well, you’re non-techie, that might not be the easiest admonition to follow.
Do what other non-techies (and even techies!) do, then: use a password manager.
It will cook up convoluted passwords, but better still, you don’t have to remember them, or write them down, or brand them into your pet’s backside, as you can set it up to fill in passwords more or less automatically.
Regarding Sputn1k_’s claim that this fiddling has no “real” malicious intent, I would suggest that poking at a site to discover vulnerabilities can be socially redemptive, if you aren’t a jerk about it.
That includes responsible disclosure. It does not include skewering things and thus making support staff sweat bullets.
Join the open-source community. That’s one socially acceptable utilization of hacking skills.
Fie on all else, including smarmy intentions. A pox upon your hackery.
Oh, and if this posting on TwitLonger is by yet another jokester and not the one who took over the Forums…?
Double fie for making me waste my time to write this and for wasting readers’ time to read it.