Announcement

Collapse
No announcement yet.

Ubuntu Forums Get Breached, 2 Million Users/Emails/IPs

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • nomadewolf
    replied
    Originally posted by Amarildo View Post

    You've been wondering all alone, I presume, Mr "Nomad".
    I see what you did there.
    I guess no one cares about great philosophical questions anymore...

    Leave a comment:


  • Amarildo
    replied
    Originally posted by rockworldmi View Post
    Time to use OpenBSD...
    OpenBSD's core is VERY secure. However, IRC they don't do code review on 3rd-party packages e.g. the KDE stuff.

    Leave a comment:


  • DrYak
    replied
    Originally posted by Dick Palmer View Post

    Doesn't strike me as that bad... "No passwords were compromised" so presumably they had appropriately salted/hashed and/or segregated authentication in place...
    With modern hardware (very fast GPU or dedicated FPGA) and modern approach (using patterns and probabilty in addition to classical dictionnaries and mods to brute force, instead of stupidly using sequencial combinations like 'AAAAA' 'AAAAB', 'AAAAC'...)
    even salted/hashed passwords aren't really a challenge.

    The only real valid challenge :
    - using a proper KDF (key derivation function) like PBKDF-2, or even better like Scrypt and Argon2, instead of simply hashing with SHA-1 like everyone else is doing.
    (SHA-1 / SHA-2 / SHA-3 : are designed to run as fast as possible with as least resource as possible so they can be used on hardware like even smart-cards)
    (KDF are designed to be intentionally slow - PBKDF-2 use a variable number of rounds - and intentionally resource-hungry - Scrypt and Argon2 have a second parameters selecting a variable buffer of RAM making them inappropriate for cheap GPU/FPGA acceleration)


    So either :
    - the passwords are protected with Scrypt or Argon2
    (and better: the passwords are appropriately segregated on a different place)

    - or they are completely underestimating modern cracking possibility.

    Leave a comment:


  • FuturePilot
    replied
    Originally posted by Up123 View Post

    Definitely not.

    They should really consider outsourcing their forums.
    It started out as a completely independent entity. Then Canonical eventually took it over.

    Leave a comment:


  • ssokolow
    replied
    Originally posted by boxie View Post

    I was thinking more about having a whole bunch of different domains and having the password manager fetch a new random email address on a random sub domain of a random domain and having that simply forward onto your primary account.

    if you are going to have all your eggs in one basket (password manager) you may as well go whole hog!
    That'd require paying for multiple domains for what may be overkill. I'd rather stay with a single top-level domain and make time for my planned milter script which will allow me to make multiple e-mail addresses fully transparent by maintaining an SQL table of valid From<->To mappings, modifying outgoing From addresses and incoming To addresses, and validaing the Fro, addresses on incoming mail after To has passed SPF checks.

    Leave a comment:


  • rockworldmi
    replied
    And why not use decentralised forum or like retroshare? It's better hack proof..

    Leave a comment:


  • rockworldmi
    replied
    Time to use OpenBSD...

    Leave a comment:


  • Alcoholic_Nate
    replied
    Originally posted by boxie View Post

    I was thinking more about having a whole bunch of different domains and having the password manager fetch a new random email address on a random sub domain of a random domain and having that simply forward onto your primary account.

    if you are going to have all your eggs in one basket (password manager) you may as well go whole hog!
    I have my own domain. I outsource my email to Tuffmail, https://www.tuffmail.com/ Tuffmail gives me a single box with a certain amount of storage. I can create as many email addresses as I want and they all go into that box. If I start getting spam I just check the headers and see which addresses got compromised. If an address gets spammy I can delete it and make a new one. Tuffmail truly has one of the most amazing spam control features ever. I have never got a spam on my real address. My Ubuntu Forum email address is [email protected] Who cares if it gets into the hands of the hackers. It's fake and not monitored.

    Leave a comment:


  • boxie
    replied
    Originally posted by ssokolow View Post

    That's actually what I've been doing for a while now... though it began more as an anti-spam measure. (I give each site an e-mail alias which can be revoked like an API key if it leaks and, because they're all unique, I can tell exactly who got compromised.)
    I was thinking more about having a whole bunch of different domains and having the password manager fetch a new random email address on a random sub domain of a random domain and having that simply forward onto your primary account.

    if you are going to have all your eggs in one basket (password manager) you may as well go whole hog!

    Leave a comment:


  • linuxforall
    replied
    Originally posted by Scellow View Post
    That's what happens when you only distribute outdated package, and release LTS OS

    Ubuntu it's time to change
    In that case Red Hat, Debian and CentOS users who run even older packages are doomed.

    Leave a comment:

Working...
X