The servers had "started attacking other systems," according to an Ubuntu newsletter. The issue first came to light on Saturday, when Ubuntu users voiced concern over a problem with local community (loco) hosted servers.
London-based Canonical moved quickly to minimize the issue and reassure users that the operating system is secure.
"This is not a problem with our production servers," Gerry Carr, marketing manager of Canonical, told ZDNet UK, sister site of CNET News.com. The issue was with "loco servers that we pay for but that do not sit in our data center." As a result, the security in Canonical's data center was "in no way compromised by these attacks," Carr said.
While the company "held its hand up" in regard to the problem, it completely rejected any implication that user security had been compromised, Carr said.
"Any (implication), and there has been some, that this episode has, or had, any bearing on our enterprise readiness or the Ubuntu downloads is so completely wide of the mark as to miss the point entirely," he said. "It has nothing to do with downloaded copies of Ubuntu; it is separate servers on a separate network in a separate location."
But the company did accept that the servers had been poorly managed. The problem arose because the responsibility for security lay "between Canonical and the community," Carr said.
"Most of the time," this was just as it should be, Carr said, but "server management is maybe not one of those times."
The issue is one for the community to decide, he said. "Either the loco servers come into our data center and are subject to our standard, rigorous security and management, or they sit completely outside of it and are run by the community."
The issue is outlined in detail in an e-mail from Ubuntu's community manager, Jono Bacon.
Colin Barker of ZDNet UK reported from London.





Run your password in plain text across the public internet, and don't do any security patches for months and see what happens, with ANY OS.
Make a real slam if you are going to slam, like maybe that they trusted people who don't know what they are doing to run the servers.
Wait, never mind...
I dual boot Windows XP home and Ubuntu.
Linux kicks Windows' butt all over the yard.
I came to that conclusion myself. Thank you.
The OS doesn't matter when the admin/owner isn't doing their job.
Let that be a lesson not to use ftp or telnet on a public network or you'll likely get hacked. Those tools should be banned.
I think we should sit back and watch 'em squeal in ignorance for awhile...
...(hands over bag) popcorn?
/P
Can you be any more stupid sending someone's username and password in an unsecure email?
Is that Ubuntu's fault? Well, not the fault of the OS, that's for sure. The server has to be kept updated to be secure. The irony is that it was Ubuntu's own server being colo'd at another facility. I would have thought they would know better, but it shows anyone can slip up now and then.
I do not blame the OS nor anyone else who uses it. I do blame the managers of the servers affected for not being responsible in keeping their systems up to date.
This can happen to any OS, be that OSX, Linux, BSD, Windows, or even.... OS2/Warp. Anything that is allowed to run without maintenance will eventually die on you. It's the same way with cars. Don't change the oil and you might have a breakdown sometime in the future.
The real title should have been, "Server compromised due to inadequate maintenance." That doesn't sound as exciting though. Make it sound like it's the fault of the OS and you'll get the religious zealots out in force here to say how this is all Microsoft/Apple/Linux's fault.
It isn't, but there are some people here who will try to spin it every way possible except towards the truth.
- Linux is not hacked, but applications running are.
- by random753 October 10, 2007 8:42 PM PDT
- Because Linux is stable it is a nice target for adware pushers. Linux itself is more secure because it is less common but any application running on the machine can potentially be an open door. Most users are not aware if their machine is being used to send junk e-mails to other people.