Ubuntu forums hacked

65 points by reinhardt almost 12 years ago

9 comments

GuiA almost 12 years ago
> The passwords are not stored in plain text. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP.

Translation: the passwords were stored using dumb MD5/SHA1. Seriously, it's 2013, why can't 99% of the web get their act together when it comes to password hashing?
spindritf almost 12 years ago
It's an opportunity to finally kill it off and stop polluting google results.
elchief almost 12 years ago
This is how much effort it takes to have a BCrypt (strong, slow, salted hash) database user system in Spring (not that they used Spring):

    <http auto-config='true'>
        <intercept-url pattern="/**" access="ROLE_USER" />
    </http>

    <!-- BCrypt encoder bean, referenced by the authentication provider below -->
    <beans:bean class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" id="passwordEncoder" />

    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service data-source-ref="dataSource" />
            <password-encoder ref="passwordEncoder" />
        </authentication-provider>
    </authentication-manager>

StackExchange's AskUbuntu.com is pretty good, as you can use OpenId, and if someone (illegally) hacks Google we are all fucked anyway.
nnwa almost 12 years ago
That'd be the admin panel on their vbulletin installation which has been publicly facing for more than a year.
wldlyinaccurate almost 12 years ago
vBulletin is (and always has been) terribly insecure. Only way to beef up security is to lock down admin panels, e.g. IP-restrict them.
amccloud almost 12 years ago
So far they are handling this better than Apple.
keithpeter almost 12 years ago
ubuntuforums.org timing out as of now but are we sure this is a malicious attack and not simply downtime?

If it is an attack, it just means a time bandit for the admins I suppose...
orblivion almost 12 years ago
So are they going to email their user base to warn them to change their passwords? I thought I had an account at some point and I didn't get an email.
lvs almost 12 years ago
aren't ubuntu forums based on http://moinmo.in?