Ubuntu Servers Hacked
An anonymous reader noted that "Ubuntu had to shut down 5 of 8 production servers that are sponsored by Canonical when they started attacking other systems. Canonical blames the community, saying they were community hosted and were poorly maintained. However, kernel upgrades couldn't be done because of poor backwards compatibility with the very hardware that Canonical had sponsored! While people point fingers at each other, it is pretty clear that both sides are equally to blame: the community administrators for practicing bad security practices, such as using unencrypted FTP transfers with accounts, and not properly maintaining the system. However, Canonical should have been well aware of what they are hosting. The question remains whether any of the files distributed to users have been compromised. A major blow for Canonical, though, who are attempting to enter the business market with Ubuntu Server."
sorry... (Score:2, Insightful)
Who the hell places such exposed servers like these on the net without applying security patches and following simple rules? Yeah, the freaking old hardware, compatibility problems, I sure understand that. But then make a fuss 'bout it. Threaten to stop maintaining the hardware if the network cards aren't changed. If that REALLY is the only problem with the hardware which prevented updates, then I just don't understand how the hell this could happen. NICs, even though this would be no consumer hardware, aren't that expensive. If my employer's servers were hacked because I did not mind telling him that some crappy piece of hardware prevented me from keeping up to date with security, I would kindly be removed from my desk. Period.
sftp (Score:4, Insightful)
how ironic (Score:4, Insightful)
Re:sorry... (Score:5, Insightful)
Ultimately, I'd say that if this does wind up being an admin problem, then Ubuntu Server will not suffer. The bottom line is that a poorly administered server is a hacker target regardless of the OS.
Re:Following the M$ example. Re:BWAHAHAHA... (Score:2, Insightful)
They got arrogant, cocky and lazy. They let their security slip on things a Windows user wouldn't use or care about (ex. FTP vs SFTP; from a user perspective, the difference is minimal).
Does your reality distortion field go so far as to say that Windows is causing functional breakage in Linux now? Geeze. Lemme guess, you are gonna add global warming, wars, AIDS, ebola and the common cold to the list as well, right?
Heck, fairly certain that ftp wasn't active by default on my last install of Ubuntu (I know SFTP was though).
FTP vs SFTP - maintainer arrogance/incompetence
Kernel couldn't be upgraded given the hardware supplied by Ubuntu's owning company - the company's own problems
Re:Following the M$ example. Re:BWAHAHAHA... (Score:4, Insightful)
Re:I would like to read a report (Score:5, Insightful)
Isn't that part of the Linux/Microsoft Double Standard? Now, if Microsoft had this type of issue and had been less than totally open about the cause and methods, you know as well as I do that there would be a high-pitched wailing from the Slashdot World.
Re:New NIC, Anyone? (Score:2, Insightful)
Re:how ironic (Score:2, Insightful)
Re:Windoze access should be read only / password f (Score:1, Insightful)
Re:sftp (Score:5, Insightful)
To put this into perspective... (Score:3, Insightful)
Re:Idiot (Score:2, Insightful)
I don't think you know what he thinks it really means. I think he wants to use hacking as a generic term for doing stuff, as in "I hacked together a working PC from all the junk in my basement" or "I hacked that new feature into my existing code." And so the poster, and many people who like using the word hacker for themselves but don't want others to immediately associate them with criminal hackers, tried to coin a new term for those people: "crackers". And while that term never caught on, people who want you to call criminal hackers crackers will always make an issue of calling them hackers, in the hope that one day they might call themselves hackers without any of the negative connotations.
Interestingly enough, many people who take that position try to defend their strictly non-criminal use of the word by citing the famous MIT non-computer hacks. The irony of this, of course, is that many of those involved minor criminal activity like breaking and entering.
Prevent Windoze at the packet filter (Score:3, Insightful)
You can back up your policy in the packet filter.
In iptables, look up osf and --genre.
For pf, look up osfp.
Re:Hacked... (Score:5, Insightful)
People in the industry are aware that "hack" used to mean "cleverly manipulate a device into doing something its designers did not intend." People also know that "wherefore" used to mean "why." In both cases, the original definitions no longer apply.
Language changes. You'll get over it. There are more important battles to fight.
How right you are! (Score:5, Insightful)
On the other hand, we all know that segregation & apartheid were both ended by paid professionals. If you want something big done right, only paid professionals can do it.
Re:I am what I am and it is what it is. (Score:3, Insightful)
Here we are, talking about a serious security breach at a prominent Linux distributor, and all you can muster is a hissy fit because not enough people are blaming Microsoft for it.
It's not clever. It's certainly not constructive. Worst of all, it reflects poorly on the community you claim to serve.
You're the rhetorical equivalent of a brick-throwing protester at a WTO meeting, foolishly believing that vandalism and insulting slogans will right the injustices of the world, while earning nothing but contempt from the very people you're trying to convert to your cause. Luckily for you, the "riot police" on Slashdot are only armed with Troll and Flamebait mods.
Re:I would like to read a report (Score:3, Insightful)
Some people care about these details and some don't. The parent apparently thinks there's nothing to learn. I disagree. There might be something really interesting in this case. But even if it's just a comedy of errors or highlights issues we've known about for years, there is still value. It serves as a reminder for why we take the additional effort to do things "right."
And so... typical to Slashdot and other public forums... I voice disagreement with the parent poster. It seems we don't have a single voice on the issue. Sorry if that disrupts your concept of Slashdot.
Re:I would like to read a report (Score:5, Insightful)
"He never got a root password for an important server after that incident. In hindsight, that was a funny incident, and a valuable lesson to us all (we all became paranoid of rereading what we just typed)."
I hope the decision to deny him root access was based on more than that one unintentional incident. It could have happened to any of you. After all, why else would it be a "valuable lesson" to you? Isn't the person who made that mistake the least likely to make it again? And you did also say you "could fill about a 100 pages on my own from stupid things I've done".
Re:I would like to read a report (Score:3, Insightful)
You mean the high-pitched wailing from the Slashdot World actually stops at some point?
Re:Hacked... (Score:3, Insightful)
Re:Hacked... (Score:1, Insightful)
Re:Idiot (Score:2, Insightful)
An individual or a group can try to make a term mean one thing or another thing, however until popular support for that definition is accepted it's still just wishful thinking.
As long as I can recall, in the world of computers and mainstream media, a "hacker" is a person attempting to circumvent security measures for nefarious purposes (i.e. a Black Hat). Does this mean that you can't tilt at windmills? No. Just keep in mind that you may never win that battle. Can't hurt for trying, though, right? I mean, it's not like anyone is being arrested for being a "hacker" or anything. Oh...wait...
Re:Turns out the whole reason for the attack was.. (Score:3, Insightful)
Again, I am pointing at the community more than the developers, who have provided a great distro that has provided a much needed kick in the pants to other distros to improve their usability. Fedora is my favorite example, and my distro of choice again, since they had to face some stiff competition to stay relevant.
Ubuntu was about a clean interface with best-of-breed apps, solid documentation and a community that balanced ease of use with best practices. When someone wandered into the forums with a "noob" question we avoided the "RTFM newb-sauce" stuff and helped them, as well as reinforcing best practices and linking where to get better information. We didn't point them to untested scripts or recommend subverting security for ease of use, but that is a regular event these days. Shuttleworth wanted "free as in speech" software that was "free as in beer" for everyone, but now to court Windows users he considers installing binary blobs and distributing closed source software? The "Unofficial Ubuntu FAQ" used to handle this stuff very well while not polluting (or introducing possible legal issues into) the distro. I recall Shuttleworth at Debian conferences with his hat in his hand explaining how he wants to help and work with the community, but if you mention this on the Ubuntu forums you have people suggesting that they don't need Debian or the GNU tools? This is an ignorant and arrogant user base that needs to be educated, and in some instances policed.
The original intent of Ubuntu was great; it just needs to get back on course. I much prefer apt to yum, and I hope this wakes up the right people. I will gladly give Ubuntu a shot again.
Re:BWAHAHAHA... (Score:2, Insightful)