
Quoting Andrew McGlashan (andrew.mcglashan@affinityvision.com.au):
Ubuntu forums is back, you now need to use Ubuntu's SSO [single sign-on] service..... let's hope that is safe ;)
Ubuntu SSO is merely an OpenID scheme.

Canonical, Ltd. have given some details (on http://blog.canonical.com/2013/07/30/ubuntu-forums-are-back-up-and-a-post-mo...) about the break-in, but not said a lot. They say that the intruder, through unspecified (possibly unknown) means, gained possession of UbuntuForums moderator credentials, and then leveraged those credentials to make modifications to the vBulletin software used to run the site. Most of this is not very surprising... because it's vBulletin, an almost canonical (sorry!) example of a poorly written PHP Web application with an abysmal security history and no real prospects for a better one.

They say they've done a few things I certainly would have also done, and wonder why they hadn't done them ages ago:

1. Applied an AppArmor profile to vBulletin.
2. Restricted the ability to post raw HTML.
3. Cut off most non-local ways to add new vBulletin 'hooks'.
4. Enabled aging out of inactive privileged accounts.
5. Finally gotten around to trying to lock down PHP itself.
6. Required HTTPS for privileged account access.

I can't see that the switch to OpenID-based auth ('Ubuntu SSO') improves site security. Seems more likely that this is just an attempt to consolidate services with their proprietary-software-based online 'stores' (Canonical Store, Ubuntu One, Ubuntu One Music Store, and so on) and drive traffic to them.

What they have _not_ done is ditch an abysmal PHP-developed application that was and is their fundamental problem. (I do sympathise. Having to do a forced migration would be very painful.)
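The "lock down PHP itself" item in the post-mortem list above is the one a sysadmin can check mechanically. The script below is an added example written for this page; it is not from the original mail, from Canonical, or from the vBulletin project, and it does not know what Canonical actually changed. It audits a php.ini-style file for the directives usually tightened in such a lockdown (remote file inclusion switches, error display, open_basedir, and the process-spawning functions in disable_functions). The directive set, the expected values and the two sample ini files are assumptions chosen for illustration; the sample files are constructed inline so the audit runs offline.

```shell
#!/bin/sh
# Added example: audit a php.ini for a basic "lock down PHP" baseline.
# The baseline below is an assumption for illustration, not Canonical's
# actual configuration and not vBulletin's documented requirements.

# Effective value of one directive: last uncommented assignment wins, as PHP
# resolves it within a single ini file. Prints nothing if the directive is
# unset. Handles optional double quotes and trailing ";" comments.
ini_get() {
    # $1 = directive name, $2 = ini file
    sed -n -E "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"?([^\";]*)\"?[[:space:]]*(;.*)?\$/\1/p" "$2" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Normalise the spellings PHP accepts for booleans (On/Off, 1/0, true/false,
# yes/no) to 1 or 0 so comparisons below are uniform. Unset counts as Off.
ini_bool() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        1|on|true|yes) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Audit one file. Prints one line per finding and returns the number of
# findings, so 0 means the file meets this (assumed) baseline.
audit_php_ini() {
    ini_file="$1"; findings=0
    # Directives that should be Off on a hardened web host.
    for d in allow_url_include allow_url_fopen expose_php display_errors enable_dl; do
        if [ "$(ini_bool "$(ini_get "$d" "$ini_file")")" = 1 ]; then
            echo "WEAK: $d is enabled"; findings=$((findings+1))
        fi
    done
    # open_basedir limits which paths PHP may open; unset means no limit.
    if [ -z "$(ini_get open_basedir "$ini_file")" ]; then
        echo "WEAK: open_basedir is not set (PHP may read any file the web user can)"
        findings=$((findings+1))
    fi
    # Process-spawning functions a forum application has no business calling.
    disabled="$(ini_get disable_functions "$ini_file" | tr -d ' ')"
    for fn in exec shell_exec system passthru proc_open popen; do
        case ",$disabled," in
            *",$fn,"*) ;;
            *) echo "WEAK: $fn is not in disable_functions"; findings=$((findings+1)) ;;
        esac
    done
    return $findings
}

# Constructed sample files (not real server config) so the audit runs offline.
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/weak.ini" <<'EOF'
; constructed example: permissive settings as shipped by many old packages
allow_url_fopen = On
allow_url_include = On
expose_php = On
display_errors = On
enable_dl = On
disable_functions =
EOF
cat > "$SAMPLE_DIR/hardened.ini" <<'EOF'
; constructed example: the same directives after the assumed lockdown
allow_url_fopen = Off
allow_url_include = Off
expose_php = Off
display_errors = Off   ; log to file instead
enable_dl = Off
open_basedir = "/var/www/vbulletin:/tmp"
disable_functions = exec, shell_exec, system, passthru, proc_open, popen
EOF

echo "--- weak.ini ---";     audit_php_ini "$SAMPLE_DIR/weak.ini"     || echo "findings: $?"
echo "--- hardened.ini ---"; audit_php_ini "$SAMPLE_DIR/hardened.ini" && echo "findings: 0"
```

The script reads a file rather than asking the running interpreter, so it can be run against a candidate php.ini before deploying it; to check what a live server actually resolved (php.ini plus conf.d overrides), feed it the output of `php -i` or `php --ini` instead, which this example does not do. The baseline is deliberately minimal: it says nothing about the AppArmor profile, HTTPS for privileged accounts, or the account-aging policy from the same list.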