Concerns over the security of the Ubuntu Linux distribution arose this week, when five out of eight community-run servers sponsored by Canonical had to shut down.
The servers had "started attacking other systems," according to an Ubuntu newsletter. The issue first came to light on Saturday, when Ubuntu users voiced concern over a problem with local community (loco) hosted servers.
London-based Canonical moved quickly to minimize the issue and reassure users that the operating system is secure.
"This is not a problem with our production servers," Gerry Carr, marketing manager of Canonical, told ZDNet UK, sister site of CNET News.com. The issue was with "loco servers that we pay for but that do not sit in our data center." As a result, the security in Canonical's data center was "in no way compromised by these attacks," Carr said.
While the company "held its hand up" in regard to the problem, it completely rejected any implication that user security had been compromised, Carr said.
"Any (implication), and there has been some, that this episode has, or had, any bearing on our enterprise readiness or the Ubuntu downloads is so completely wide of the mark as to miss the point entirely," he said. "It has nothing to do with downloaded copies of Ubuntu; it is separate servers on a separate network in a separate location."
But the company did accept that the servers had been poorly managed. The problem arose because the responsibility for security lay "between Canonical and the community," Carr said.
"Most of the time," this was just as it should be, Carr said, but "server management is maybe not one of those times."
The issue is one for the community to decide, he said. "Either the loco servers come into our data center and are subject to our standard, rigorous security and management, or they sit completely outside of it and are run by the community."
I thought that was only for lowly Windows admins to worry about. Security was breached because of poor management (at least that's how I read this story). Every OS has to be managed.
Any operating system that uses ftp with usernames with no ssl or anything is likely going to be hacked, since usernames and passwords are sent out in clear text. You may as well be telling everyone, "Hey, here is my username and password, come on and hack me." That was the problem: if you look on the Canonical/Ubuntu site, you'll find the systems were using ftp rather than ssh like they should have been. Also, they weren't getting security updates either, because something wasn't working properly.
Let that be a lesson not to use ftp or telnet on a public network or you'll likely get hacked. Those tools should be banned.
...but you know the really funny part of this story? It's all the MSFT astroturfers scrambling to post something like "ZOMG y00 gotZ h@x0rd!" when in reality they couldn't even be arsed to read the article.
I think we should sit back and watch 'em squeal in ignorance for awhile...
OS doesn't matter if the owner doesn't maintain it
In the case we have here, the company responsible for the servers admitted to doing a very poor job of maintenance, running an unpatched older version of Ubuntu that then got hacked.
Is that Ubuntu's fault? Well, not the fault of the OS, that's for sure. The server has to be kept updated to be secure. The irony is that it was Ubuntu's own server being colo'd at another facility. I would have thought they would know better, but it shows anyone can slip up now and then.
I do not blame the OS nor anyone else who uses it. I do blame the managers of the servers affected for not being responsible in keeping their systems up to date.
This can happen to any OS, be that OSX, Linux, BSD, Windows, or even.... OS2/Warp. Anything that is allowed to run without maintenance will eventually die on you. It's the same way with cars. Don't change the oil and you might have a breakdown sometime in the future.
The real title should have been, "Server compromised due to inadequate maintenance." That doesn't sound as exciting though. Make it sound like it's the fault of the OS and you'll get the religious zealots out in force here to say how this is all Microsoft/Apple/Linux's fault.
It isn't, but there are some people here who will try to spin it every way possible except towards the truth.
Obviously, this isn't an issue with Ubuntu. It could happen with any OS. The real story is that if it had been Windows, the usual subjects would have immediately chimed in with how insecure Windows is, blah blah blah. You know who you are, querty, penguinista, decider. If it were Windows, no way in the world you would have said it was a simple administration issue. That's what the Windows fanboys are laughing about. Because the facts are, all systems must be managed.
Because Linux is stable, it is a nice target for adware pushers. Linux itself is more secure because it is less common, but any application running on the machine can potentially be an open door. Most users are not aware if their machine is being used to send junk emails to other people.
Run your password in plain text across the public internet, and don't do any security patches for months, and see what happens, with ANY OS.
Make a real slam if you are going to slam, like maybe that they trusted people who don't know what they are doing to run the servers.
Wait, nevermind...
I dual boot Windows XP home and Ubuntu.
Linux kicks windows butt all over the yard.
I came to that conclusion myself. Thank you.
The OS doesn't matter when the admin/owner isn't doing their job.
Let that be a lesson not to use ftp or telnet on a public network or you'll likely get hacked. Those tools should be banned.
I think we should sit back and watch 'em squeal in ignorance for awhile...
...(hands over bag) popcorn?
Can you be any more stupid, sending someone's username and password in an unsecure email?