
Community Hosted Servers Compromised (Ubuntu)
ubuntu.com

Posted on 08/15/2007 8:55:12 AM PDT by N3WBI3

Community Hosted Servers Compromised

This last week, 5 of the 8 servers that are loco hosted but Canonical sponsored had to be shut down due to reports that they were actively attacking other machines. These servers were found to have a variety of problems including, but not limited to, missing security patches, FTP (not sftp, without SSL) being used to access the machines, and no upgrades past breezy due to problems with the network cards and later kernels. Loco teams will be given a choice to: a. migrate to the Canonical data center, or b. stay on the hosted/outsourced servers. Each option has its good and bad points. Jono Bacon has therefore called for a meeting to discuss these issues. The meeting will be in IRC #ubuntu-locoteams on Tuesday, August 14, 2007 at 2:00PM UTC.


TOPICS: Computers/Internet
KEYWORDS: opensource; powned; ubuntu

1 posted on 08/15/2007 8:55:17 AM PDT by N3WBI3

To: N3WBI3; ShadowAce; Tribune7; frogjerk; Salo; LTCJ; Calvinist_Dark_Lord; amigatec; Fractal Trader; ..

OSS PING


2 posted on 08/15/2007 8:55:31 AM PDT by N3WBI3 (Light travels faster than sound. This is why some people appear bright until you hear them speak....)

To: N3WBI3

Exactly how are companies supposed to have confidence in Ubuntu when they can let a completely preventable, totally dumb screw-up like this happen?


3 posted on 08/15/2007 9:54:35 AM PDT by antiRepublicrat

To: antiRepublicrat

Yup, this is awful press, especially as it was completely preventable! (1) Make sure you get compatible hardware and (2) *never* use unencrypted network services.


4 posted on 08/15/2007 10:01:01 AM PDT by N3WBI3 (Light travels faster than sound. This is why some people appear bright until you hear them speak....)

To: antiRepublicrat; N3WBI3
Well, it's hardly fair to blame the distribution when it seems to have been mismanaged. Even the best security is still subject to (the failure of) the human element.

Not that I'm trying to make excuses, but this sort of press release could just as easily have had Microsoft, Apple, whatever, as the target.

5 posted on 08/15/2007 10:41:33 AM PDT by Brujo (Quod volunt, credunt.)

To: N3WBI3

The only valid purpose of FTP is for anonymous file access. Similarly, the only valid purpose of telnet is as a network testing tool (i.e., telnet host1.whatver.com 443). Anyone still using FTP with user/pass authentication needs to be dragged out behind a building and beaten with a lead pipe.


6 posted on 08/15/2007 10:48:40 AM PDT by zeugma (If I eat right, don't smoke and exercise, I might live long enough to see the last Baby Boomer die.)

To: Brujo

Not fair, but it will result in bad press..


7 posted on 08/15/2007 10:51:00 AM PDT by N3WBI3 (Light travels faster than sound. This is why some people appear bright until you hear them speak....)

To: N3WBI3

I just started running ubuntu at home. I think I’ll stick with it over WinXP and its never-ending stream of updates.


8 posted on 08/15/2007 10:55:11 AM PDT by lwd (Fear and Loathing in Liberal Land: Hunter-Thompson 2008)

To: lwd
I think I’ll stick with it over WinXP and its never-ending stream of updates.

Recent fresh install of Windows XP SP2. First Windows update, 89 updates at about 180 MB, not including new versions of the updater. Second update, IIRC around a dozen more, third update a few more. Funny, first time around it installs .NET 1.1, next time the SP for 1.1, next time an update to that SP.

Something's wrong here.

9 posted on 08/15/2007 11:55:50 AM PDT by antiRepublicrat

To: lwd

“I just started running ubuntu at home. I think I’ll stick with it over WinXP and its never-ending stream of updates.”

Umm, Linux and the assorted software packages also have a “never-ending stream of updates”, or at least they do if you’re maintaining proper security. Though I’ve belonged to a LUG for almost 10 years, I can’t foresee that I’ll ever use Linux as a primary desktop again. It was fun back when 95/98 was the target to beat, and ‘nix desktops still looked very distinctive (hello, OpenStep!), and running a Linux desktop was, well, fun. Those days are gone. Sorry, but OS X just beats the hell out of it now. I get all of the goodies underneath (including the BASH shell), with the best user experience in computing on top. Xcode just owns any other GCC front end. Love Linux for servers (longtime Debian guy on servers), but as far as I’m concerned, desktop Linux has been one big mismanaged pile of shiite. GNOME and KDE are still nothing but knockoffs of Windows, which was a knockoff of the Mac. And the militancy of the GPL3 people doesn’t sit well with me anymore. The older I get, the more attractive BSD is starting to look as a server system.


10 posted on 08/15/2007 2:25:22 PM PDT by DesScorp

To: zeugma

Okay..... I admit that I subscribe to this tech list so I can “learn”. I hardly ever post except to ask a question, so with that said, understand I am not challenging what you are saying, just wanting info to learn and understand....

My question is: I hear you saying using FTP is bad. Please explain why so I can learn.


11 posted on 08/18/2007 2:56:22 AM PDT by Apple Pan Dowdy (... as American as Apple Pie)

To: Apple Pan Dowdy
Okay..... I admit that I subscribe to this tech list so I can “learn”. I hardly ever post except to ask a question, so with that said, understand I am not challenging what you are saying, just wanting info to learn and understand....

No problem at all. It is easy for nerds like myself to forget that other folks don't have to deal with the stuff that I do, which leads me to be lazy sometimes when I talk about something.

My question is: I hear you saying using FTP is bad. Please explain why so I can learn.

The bottom line problem with FTP is really simple. The passwords are sent "in the clear", meaning that anyone who is running software that can "listen" to the chatter on an ethernet link (I use such software often for troubleshooting network issues) can see your username, your password, and the site you are connecting to. This is not a good thing. Way back in the early days of the net, when things were much more civil and trusting, it wasn't such a big issue. These days, there are baddies everywhere so we have to guard against them. Rather than using FTP, there are some alternative programs that you can use that actually encrypt the link between the two computers, even when passing the username/password, so someone who might be trying to 'listen in' wouldn't be able to see anything they could use. SCP is the program most often used for this kind of file transfer, though there are others.

Now, I'm not saying that FTP is completely useless, because it isn't. For anonymous file downloads, it rocks because the protocol is fairly efficient, and you can be pretty certain that everyone has some form of FTP on their computer. Many moons ago, you'd use programs like kermit, x-modem, z-modem and others, but they've generally fallen out of favor, though I have seen kermit used even today in very specialized circumstances. Your browser uses anonymous FTP file downloads for some types of file downloads. What happens is that the username used with this type of access will be either "anonymous" or "ftp", with the password as either your email address, or some other random string. The key here is that you're not really authenticating someone with the username/password, which is why it doesn't matter if someone can read it because it wasn't encrypted.

I'm hoping my explanation is clearer this time :-) Anytime you have a question feel free to ask. If I don't know the answer I'll make up something good instead!

12 posted on 08/18/2007 2:42:13 PM PDT by zeugma (If I eat right, don't smoke and exercise, I might live long enough to see the last Baby Boomer die.)

To: zeugma
The bottom line problem with FTP is really simple. The passwords are sent "in the clear", meaning that anyone who is running software that can "listen" to the chatter on an ethernet link, (I use such software often for troubleshooting network issues), can see both your username, password and the site you are connecting to.

Do you have any idea why, so far as I've been able to tell, there's been no effort at creating a standard for halfway-secure web password authentication short of using https://?

To be sure, real https:// is more secure than something like the somewhat ad-hoc proposal here, but what I'm describing here would still be much better than nothing.

To start with, a user who's creating an account on a system must start with some sort of password. This requirement could be handled by having the system randomly generate a default password and email it to the user. The email could be intercepted, but since email gets routed separately from http traffic, there is still some level of security there.

The next step would be to allow the user to log in. For this step, the server would send a small random data payload to the client. The client would encrypt the payload using an MD5 of the operator's password concatenated with some identifier appropriate to the service, and send it back. The server could then verify it for correctness.

The final step would be to allow the user to change his passcode. In this case, the server would perform a password validation as before, but the client's data packet would also include the MD5 of his new passcode (with service identifier concatenated), encrypted using the MD5 of the old passcode.

The net effect would be that somebody who intercepted the "welcome" email and every other password-change request would be able to impersonate the user. An attacker who didn't get every password-change request would be unable to decipher any after the one he missed.

The level of security added by doing something like this wouldn't be sufficient for things like banking, but would be good for sites like FR which presently send passwords in the clear.

13 posted on 02/15/2008 4:38:58 PM PST by supercat
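The three-step scheme supercat sketches above, as an added worked exchange that is not part of the thread: the server-side verifier and the client computations for account creation, challenge-response login, and password change. The service identifier, the user name and passwords, and the choice of a keyed MD5 digest and an XOR pad as the "encryption" are assumptions of this illustration.

```python
import hashlib
import hmac
import os

SERVICE_ID = "example-forum"  # constructed per-site identifier for this example
def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def derive_key(password: str) -> bytes:
    # The post's "MD5 of the operator's password concatenated with a service identifier".
    return md5(password.encode() + SERVICE_ID.encode())

def login_response(key: bytes, challenge: bytes) -> bytes:
    # Assumption: "encrypt the payload" is realised as a keyed digest of the random challenge.
    return md5(key + challenge)

def wrap_new_key(old_key: bytes, challenge: bytes, new_key: bytes) -> bytes:
    # Assumption: XOR with a 16-byte pad from the old key and the current challenge; XOR unwraps too.
    pad = md5(old_key + challenge)
    return bytes(x ^ y for x, y in zip(new_key, pad))

class Server:
    def __init__(self):
        self.keys = {}  # username -> derived key; the server never stores the password itself
    def create_account(self, user: str, initial_password: str) -> None:
        self.keys[user] = derive_key(initial_password)  # password is emailed out of band
    def new_challenge(self) -> bytes:
        return os.urandom(16)
    def verify_login(self, user: str, challenge: bytes, response: bytes) -> bool:
        return hmac.compare_digest(login_response(self.keys[user], challenge), response)
    def change_password(self, user: str, challenge: bytes, response: bytes, wrapped: bytes) -> bool:
        if not self.verify_login(user, challenge, response):
            return False
        self.keys[user] = wrap_new_key(self.keys[user], challenge, wrapped)
        return True

def client_change(old_pw: str, new_pw: str, challenge: bytes):
    old_key = derive_key(old_pw)
    return login_response(old_key, challenge), wrap_new_key(old_key, challenge, derive_key(new_pw))

def run_exchange():
    # Account creation, login, password change, then logins with the new and the old password.
    server, user = Server(), "alice"
    server.create_account(user, "welcome-123")
    c1, c2, c3 = (server.new_challenge() for _ in range(3))
    ok_login = server.verify_login(user, c1, login_response(derive_key("welcome-123"), c1))
    ok_change = server.change_password(user, c2, *client_change("welcome-123", "new-pass", c2))
    ok_new = server.verify_login(user, c3, login_response(derive_key("new-pass"), c3))
    ok_old = server.verify_login(user, c3, login_response(derive_key("welcome-123"), c3))
    return ok_login, ok_change, ok_new, ok_old
```

The code makes the protocol concrete, not recommendable: an eavesdropper who holds the emailed starting password and every challenge and wrapped key can follow each change, which is exactly the limitation the post itself states.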

To: zeugma
Similarly, the only valid purpose of telnet is as a network testing tool. (i.e., telnet host1.whatver.com 443)

It's also perfectly fine as an entertainment tool, for telnet services that don't need a higher level of security than a typical username/password website like FR.

14 posted on 02/15/2008 4:40:24 PM PST by supercat
