

Notice of security breach on Ubuntu Forums site - denzil_correa
http://blog.canonical.com/2013/07/21/notice-of-security-breach-on-ubuntu-forums-site/?utm_source=ubunteu&utm_medium=url_shortner&utm_term=breach-notificiation&utm_campaign=shortner

======
ams6110
I have a slight style critique of this announcement, and other consumer-
oriented messages from tech companies: drop the word "user."

"User" sounds nerdy and impersonal. Consider addressing the affected person
directly, using "you" or "your." It is at the same time friendlier and more
attention-getting. I would have written:

We take information security and _your_ privacy very seriously, and apologise
for the breach and ensuing inconvenience.

At this time,

We have confirmed the attackers were able to access _your_ email addresses and
hashed passwords on the Forums site. While the passwords were not stored in
plain text, good practice dictates that _you_ should assume the passwords have
been accessed and change them. If _you_ used the same password on other
services _you_ should immediately change that password.

...etc.

------
dobbsbob
Annoying how Ubuntu gives zero details. Does Ubuntu use bcrypt on their
forums? Are they using Ubuntu server to host the forums and if so should all
other Ubuntu server admins be notified how security was breached?

------
nawitus
I wonder what hash function they used.

~~~
harrytuttle
It was vBulletin and PHP so the hash function is as follows:

$hash = md5(md5($password) . $salt);

These guys think it is incredibly fun to crack vBulletin passwords as well:

[http://forum.md5decrypter.co.uk/default.aspx](http://forum.md5decrypter.co.uk/default.aspx)
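
As an added example (not code from the original thread, from vBulletin, or from Canonical), the scheme harrytuttle describes is written out below in Python and run as an offline dictionary attack against a constructed leak, beside a slow salted KDF of the kind dobbsbob's bcrypt question points at. The account names, passwords, 3-character salts, wordlist and PBKDF2 iteration count are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os


def md5_hex(data: str) -> str:
    """Lowercase hex MD5 of a UTF-8 string, as PHP's md5() returns."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def vbulletin_hash(password: str, salt: str) -> str:
    """The scheme described in the thread: md5(md5($password) . $salt).

    Both MD5 calls are unkeyed and cost nanoseconds, so the only work an
    attacker must do per guess is two MD5 invocations.
    """
    return md5_hex(md5_hex(password) + salt)


# Constructed sample rows standing in for a leaked forum users table.
# Users, passwords and 3-character salts are hypothetical, not breach data.
SAMPLE_ACCOUNTS = [
    ("alice", "hunter2", "aB3"),
    ("bob", "correcthorse", "x9Q"),
    ("carol", "Tr0ub4dor&3", "Kf7"),
]


def make_leaked_rows():
    """Build the (user, salt, hash) rows an attacker gets from a database dump."""
    return [
        {"user": user, "salt": salt, "hash": vbulletin_hash(pw, salt)}
        for user, pw, salt in SAMPLE_ACCOUNTS
    ]


# Constructed wordlist. A real one is millions of entries plus mangling rules.
WORDLIST = ["password", "123456", "hunter2", "letmein", "correcthorse", "qwerty"]


def crack_rows(rows, wordlist):
    """Offline dictionary attack against leaked (salt, hash) pairs.

    The salt sits in the same table as the hash, so it does not slow the
    attacker down; it only stops one precomputed table from covering every
    user at once. Returns {user: recovered_password} for each hit.
    """
    recovered = {}
    for row in rows:
        for guess in wordlist:
            if vbulletin_hash(guess, row["salt"]) == row["hash"]:
                recovered[row["user"]] = guess
                break
    return recovered


# Hardened form: a deliberately slow, salted KDF from the standard library.
# 600_000 iterations is an assumed figure; tune it so one verification takes
# on the order of 100 ms on the serving hardware.
DEFAULT_ITERATIONS = 600_000


def make_pbkdf2_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Store a password as 'pbkdf2_sha256$<iters>$<salt hex>$<dk hex>'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2_record(password: str, record: str) -> bool:
    """Recompute the derived key and compare it in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    rows = make_leaked_rows()
    print("recovered from double-MD5 rows:", crack_rows(rows, WORDLIST))
    record = make_pbkdf2_record("hunter2")
    print("pbkdf2 verify correct password:", verify_pbkdf2_record("hunter2", record))
    print("pbkdf2 verify wrong password:  ", verify_pbkdf2_record("hunter3", record))
```

Running it recovers alice's and bob's passwords immediately; carol's survives only because it is not in the wordlist, which is the case for unique, high-entropy passwords and the reason a password manager helps after a dump like this. The salt defeats a single shared rainbow table but nothing else, since each guess still costs two MD5 calls; the PBKDF2 record makes every guess cost hundreds of thousands of HMAC calls instead, and the salt and iteration count travel inside the record so the parameters can be raised later without a schema change.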

------
egwor
Why aren't all these web sites using OpenID or some derivation thereof? It
seems time to move away from sites trying to do security (specifically login
credentials) themselves. As we've seen, numerous professional web sites have
been hacked and we have to go and change password(s).

What's stopping it? Are we developers too proud to admit that there is
something that we can't do 100% perfectly and it is best left to someone else?

~~~
jiggy2011
Have everything tied to my gmail account? No thanks.

~~~
egwor
That's not really what I meant. A number of places support OpenID; we use that
for logging in and password management. If something goes wrong we change the
password in one place. Gmail is just one provider, as is Facebook. I'm sure
that there are more.

As for your Gmail account comment: since most people point their emails to
Gmail anyway, everything is tied to their Gmail account already (e.g. password
resets).

~~~
jiggy2011
Whenever I sign into something with OpenID it signs me into all Google
services on that account; that's a pain in the ass as I have multiple Google
accounts for different things.

If it's separate then at least I can rebind that account to another email
address if I choose, such as one I host myself, for example. Otherwise if my
Google account gets closed for whatever reason then I lose all of these other
accounts.

You can of course use a different provider, but you're looking at either using
some other internet giant or hosting your own OpenID crap, which I'd rather
have to do.

~~~
jeena
You can always host your own OpenID solution.

------
harrytuttle
Well this is the motivation I needed to sort out my lazy password handling.

I've just gone through everything and changed to unique passwords stored in
KeePassX.

