Thread: Lessons from the Ubuntu Forums breach

  1. #1
    (?<!re)tired Mario F.'s Avatar
    Join Date
    May 2006
    Location
    Ireland
    Posts
    8,446

    Lessons from the Ubuntu Forums breach

    Ubuntu Forums Hacked, 2 Million Users' Details Stolen - OMG! Ubuntu!

    1.
    vBulletin is the Wordpress of web forums.

    2.
    Dear fellow cBoarders, if you are involved in large projects that offer a plugin API and you mean to support large databases of user personal information, please, just please, do not introduce regressions into your plugin API with almost every single version you release. You are putting an extra burden on your plugin developers, who may not have the time to fix or even check their code every time you do an update, but you are also forcing your plugin developers to constantly maintain their code and with that increase the opportunity for new bugs to emerge.

    3.
    Dear fellow cBoarders, in addition to the above, if you are involved in these types of projects, also consider that hashed and salted passwords are a mundane feature these days that is both easy to implement and expected. In other words, thank you for it, but we don't consider you special. Personal identifiable information must be hashed and salted too. When putting up the scenario that your server application is eventually going to be breached, you should be fully aware that the hacker should not get access to such identifiable information as IP addresses and email accounts, especially when linked to each other. Not only are you contributing to the continued existence and growth of the spam business, but you are also risking the security of individuals living in authoritarian regimes who can now be more easily linked to their online persona.

    4.
    Dear fellow cBoarders, if you are instead running third-party servers, serving millions of users, know that you will be breached. Not if, but when. So, do everyone a favor and reduce the "when" window by at least keeping an eye on any security advisory notes. Because there is nothing that will look worse on you than being breached because of a KNOWN security vulnerability in a plugin that you didn't disable or patch yourself. And one day -- I hope sooner rather than later -- people will start taking these businesses to court. Put up your roadshow on the backs of third-party software all you want, but act responsibly. Don't put all the damage of your irresponsible service management on your users. They will eventually fight back. This is becoming tiring.

    5.
    At this rate, haveibeenpwned.com will soon list every single email address in the world.
    Last edited by Mario F.; 07-19-2016 at 07:24 PM.
    Originally Posted by brewbuck:
    Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.

  2. #2
    C++ Witch laserlight's Avatar
    Join Date
    Oct 2003
    Location
    Singapore
    Posts
    28,412
    Quote Originally Posted by Mario F.
    Personal identifiable information must be hashed and salted too. When putting up the scenario that your server application is eventually going to be breached, you should be fully aware that the hacker should not get access to such identifiable information as IP addresses and email accounts, especially when linked to each other.
    I don't see how that is going to work, unless the personal identifiable information is say, the answer to one of those "secret questions" used in password recovery, though I have my doubts about the benefits of that password recovery approach in the first place. I guess for more general personal identifiable information, encryption could be used with the key stored separately to make life a bit harder for an attacker, but a server level breach or some kinds of code injection coupled with SQL injection could defeat that.
    Quote Originally Posted by Bjarne Stroustrup (2000-10-14)
    I get maybe two dozen requests for help with some sort of programming or design problem every day. Most have more sense than to send me hundreds of lines of code. If they do, I ask them to find the smallest example that exhibits the problem and send me that. Mostly, they then find the error themselves. "Finding the smallest program that demonstrates the error" is a powerful debugging tool.
    Look up a C++ Reference and learn How To Ask Questions The Smart Way

  3. #3
    Master Apprentice phantomotap's Avatar
    Join Date
    Jan 2008
    Posts
    5,108
    Quote Originally Posted by laserlight
    I don't see how that is going to work, unless the personal identifiable information is say, the answer to one of those "secret questions" used in password recovery, though I have my doubts about the benefits of that password recovery approach in the first place.
    O_o

    Username: You can separate the concepts of identifier and credentials. The identifier can be the "Display Name" or similar which can be used for any operations not directly related to credentials. The username can be hashed with fuzzy logic against a common salt to find a set of salts specific to each identifier thus increasing the work necessary to discover the relationship between identifier, username, and password.

    Mail/Telephone: If you don't need to send periodic messages, you can just store a hash of the associated mail/telephone which only adds an extra field to a recovery form. If you do need to send periodic messages, you can use a separate translation system or systems to forward messages to the user requiring attacks across multiple services to actually discover any association between identifier and mail/telephone.

    Name/Address: Don't. If "Don't." truly isn't an option, you are pretty screwed. You probably need the actual name and address if you are doing commerce or something where "Don't." is not viable. You could, as you say, use encryption/decryption with stored keys. I just don't see the layer as meaningful if you can't offload the knowledge to a different service.

    Soma
    “Salem Was Wrong!” -- Pedant Necromancer
    “Four isn't random!” -- Gibbering Mouther
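An added illustration of the "store only a hash of the mail address" idea from the post above and of laserlight's point that a separately stored key is what makes the layer meaningful (example code written for this thread, not from any poster or project). It assumes a hypothetical `AccountStore` and a server-side secret ("pepper") that is kept outside the database; the keyed hash is what stops a dump from being matched against a list of known addresses, which a plain unkeyed hash of an email would not prevent.

```python
import hashlib
import hmac
import secrets

def normalize_email(addr: str) -> str:
    """Canonicalise so 'Alice@Example.com ' and 'alice@example.com' match."""
    return addr.strip().lower()

def email_token(addr: str, pepper: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the normalised address. The key lives outside
    the database, so a dump alone cannot be matched against a list of known
    addresses the way a plain, unkeyed SHA-256 of the address could be."""
    return hmac.new(pepper, normalize_email(addr).encode(), hashlib.sha256).hexdigest()

class AccountStore:
    """Hypothetical store: rows hold display name, email token, salt and password hash only."""

    def __init__(self, pepper: bytes):
        self.pepper = pepper      # assumption: loaded from a KMS/secret store in practice
        self.rows = {}            # email token -> record (no plaintext address anywhere)

    def register(self, display_name: str, email: str, password: str) -> str:
        tok = email_token(email, self.pepper)
        if tok in self.rows:
            raise ValueError("address already registered")
        salt = secrets.token_bytes(16)   # per-user salt for the password hash
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self.rows[tok] = {"display_name": display_name, "salt": salt, "pw_hash": pw_hash}
        return tok

    def verify_password(self, email: str, password: str) -> bool:
        rec = self.rows.get(email_token(email, self.pepper))
        if rec is None:
            return False
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 200_000)
        return hmac.compare_digest(cand, rec["pw_hash"])

    def recovery_lookup(self, email: str):
        """Recovery form: the user types the address, we recompute the token and
        find the row. Returns the display name, or None if unknown."""
        rec = self.rows.get(email_token(email, self.pepper))
        return rec["display_name"] if rec else None

    def dump_contains(self, needle: str) -> bool:
        """Defender's check on the stored data: does the raw address (or any
        string) appear anywhere in what a database dump would expose?"""
        return any(needle.lower() in repr(rec).lower() or needle.lower() in tok
                   for tok, rec in self.rows.items())
```

The trade-off the post describes still holds: this only works when the site does not need to send periodic mail, since the stored token cannot be turned back into an address.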

  4. #4
    Guest
    Guest
    I've been a long time member on that forum too, and it certainly made me think. It revitalized my plans to slowly migrate away from my dependence on one single email account, no matter how safe two-factor auth might make it. Virtually everything I do online, such as other website/forum accounts, YouTube, all my contacts, product purchases, cloud backups, is tied to my GMail account. The thought of somehow losing it – whether it be through a hack, glitch or terms-of-service violation on my part – is rather concerning.

  5. #5
    Registered User MutantJohn's Avatar
    Join Date
    Feb 2013
    Posts
    2,665
    Well, looks like a couple of my accounts have been pwned in the past... I guess it's time to update my passwords on my critical sites (i.e. my bank XD).

  6. #6
    C++まいる!Cをこわせ!
    Join Date
    Oct 2007
    Location
    Inside my computer
    Posts
    24,654
    Use a password manager and keep that master password safe on e.g. a yubikey.
    Quote Originally Posted by Adak View Post
    io.h certainly IS included in some modern compilers. It is no longer part of the standard for C, but it is nevertheless, included in the very latest Pelles C versions.
    Quote Originally Posted by Salem View Post
    You mean it's included as a crutch to help ancient programmers limp along without them having to relearn too much.

    Outside of your DOS world, your header file is meaningless.

