August 16, 2007 11:07 AM PDT

Canonical dismisses Ubuntu security concerns

Concerns over the security of the Ubuntu Linux distribution arose this week, when five out of eight community-run servers sponsored by Canonical had to shut down.

The servers had "started attacking other systems," according to an Ubuntu newsletter. The issue first came to light on Saturday, when Ubuntu users voiced concern over a problem with local community (loco) hosted servers.

London-based Canonical moved quickly to minimize the issue and reassure users that the operating system is secure.

"This is not a problem with our production servers," Gerry Carr, marketing manager of Canonical, told ZDNet UK, sister site of CNET News.com. The issue was with "loco servers that we pay for but that do not sit in our data center." As a result, the security in Canonical's data center was "in no way compromised by these attacks," Carr said.

While the company "held its hand up" in regard to the problem, it completely rejected any implication that user security had been compromised, Carr said.

"Any (implication), and there has been some, that this episode has, or had, any bearing on our enterprise readiness or the Ubuntu downloads is so completely wide of the mark as to miss the point entirely," he said. "It has nothing to do with downloaded copies of Ubuntu; it is separate servers on a separate network in a separate location."

But the company did accept that the servers had been poorly managed. The problem arose because the responsibility for security lay "between Canonical and the community," Carr said.

"Most of the time," this was just as it should be, Carr said, but "server management is maybe not one of those times."

The issue is one for the community to decide, he said. "Either the loco servers come into our data center and are subject to our standard, rigorous security and management, or they sit completely outside of it and are run by the community."

The issue is outlined in detail in an e-mail from Ubuntu's community manager, Jono Bacon.

Colin Barker of ZDNet UK reported from London.

See more CNET content tagged:
Ubuntu, data center, community, server, security

15 comments

Join the conversation!
Add your comment
Yeah, right! Oh Linux is so more secure, LOL!!
Sounds like FOSS spin to me. What a joke.
Posted by WJeansonne (480 comments )
Reply Link Flag
How much?
Were you paid to make that comment? It smells like astroturf.

Run your password in plain text across the public internet, and don't do any security patches fro months and see what happens, with ANY OS.

Make a real slam if you are going to slam, like maybe that they trusted people who don't know what they are doing to run the servers.
Posted by amadensor (248 comments )
Link Flag
managment maes an OS secure
I thought that was only for lowly Windows admins to worry about. Security was breached because of poor managment (at least that's how I read this story). Every OS has to be managed.
Posted by tgrenier (256 comments )
Reply Link Flag
I thought Linux can't be hacked!!!!
fall down laughing..
Posted by FutureGuy (742 comments )
Reply Link Flag
Brilliant comment!
I expect you've tried it for yourself and come to your own conclusions based on facts?
Wait, nevermind...

I dual boot Windows XP home and Ubuntu.
Linux kicks windows butt all over the yard.
I came to that conclusion myself. Thank you.
Posted by ethana2 (348 comments )
Link Flag
Anything can be hacked
If you're running a server that is out of date and not maintained properly, it just makes it that much more easy for it to be compromised.

The OS doesn't matter when the admin/owner isn't doing their job.
Posted by Vegaman_Dan (6683 comments )
Link Flag
Hard to protect against stupid choices
Any operating system that uses ftp with usernames with no ssl or anything is likely going to be hacked since usernames and passwords are sent out in clear text. You may as well be telling everyone "Hey here is my username and password come on and hack me". That was the problem if you look on the Canonical/ ubuntu site you'll find the systems were using ftp rather than ssh like they should have been. Also they weren't getting security updates either because something wasn't working properly.

Let that be a lesson not to use ftp or telnet on a public network or you'll likely get hacked. Those tools should be banned.
Posted by gardion07 (1 comment )
Reply Link Flag
True that...
...but you know the really funny part of this story? It's all the MSFT astroturfers scrambing to post something like "ZOMG y00 gotZ h@x0rd!" when in reality they couldn't even be arsed to read the article.

I think we should sit back and watch 'em squeal in ignorance for awhile...

...(hands over bag) popcorn?

/P
Posted by Penguinisto (5042 comments )
Link Flag
Both Sprint and ICall sent my username + passoword in and email
What is a matter with these companies?

Can you be any more stupid sending someones username and password in an unsecure email?
Posted by SiXiam (69 comments )
Link Flag
OS doesn't matter if the owner doesn't maintain it
In the case we have here, the company responsible for the servers admitted to doing a very poor job of maintenance, running an unpatched older version of Ubuntu that then got hacked.

Is that Ubuntu's fault? Well, not the fault of the OS, that's for sure. The server has to be kept updated to be secure. The irony is that it was Ubuntu's own server being colo'd at another facility. I would have thought they would know better, but it shows anyone can slip up now and then.

I do not blame the OS nor anyone else who uses it. I do blame the managers of the servers affected for not being responsible in keeping their systems up to date.

This can happen to any OS, be that OSX, Linux, BSD, Windows, or even.... OS2/Warp. Anything that is allowed to run without maintenance will eventually die on you. It's the same way with cars. Don't change the oil and you might have a breakdown sometime in the future.

The real title should have been, "Server compromised due to inadequate maintenance." That doesn't sound as exciting though. Make it sound like it's the fault of the OS and you'll get the religious zealots out in force here to say how this is all Microsoft/Apple/Linux's fault.

It isn't, but there are some people here who will try to spin it every way possible except towards the truth.
Posted by Vegaman_Dan (6683 comments )
Reply Link Flag
The real story
Obviously, this isn't an issue with Ubuntu. It could happen with any OS. The real story is that if it had been Windows, the usual subjects would have immediately chimed in with how insecure windows is, blah blah blah. You know who you are querty, penguinista, decider. If it were windows, no way in the world you would have said it was a simple administration issue. That's what the windows fanboys are laughing about. Because the facts are, all systems must be managed.
Posted by gp2792 (176 comments )
Link Flag
Linux is not hacked, but aplications running are.
Because Linux is stable it is a nice target for addware pushers. Linux itself is more secure because it is less common but any application running on the machine can potentially be an open door. Most users are not aware if their machine is being used to send junk E mails to other people.
Posted by random753 (17 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.