Re: [MLUG] Ubuntu forums -- hacked....

Ubuntu forums is back, you now need to use Ubuntu's SSO [single sign on] service..... let's hope that is safe ;) Cheers A.

Quoting Andrew McGlashan (andrew.mcglashan@affinityvision.com.au):
Ubuntu forums is back, you now need to use Ubuntu's SSO [single sign on] service..... let's hope that is safe ;)
Ubuntu SSO is merely an OpenID scheme.

Canonical, Ltd. have given some details (on http://blog.canonical.com/2013/07/30/ubuntu-forums-are-back-up-and-a-post-mo...) about the break-in, but not said a lot. They say that the intruder through unspecified (possibly unknown) means gained possession of UbuntuForums moderator credentials, and then leveraged those credentials to make modifications to the vBulletin software used to run the site.

Most of this is not very surprising... because it's vBulletin, an almost canonical (sorry!) example of a poorly written PHP Web application with an abysmal security history and no real prospects for a better one.

They say they've done a few things I certainly would have also done and wonder why they hadn't done ages ago:

1. Applied an AppArmor profile to vBulletin.
2. Restricted the ability to post raw HTML.
3. Cut off most non-local ways to add new vBulletin 'hooks'.
4. Enabled aging out of inactive privileged accounts.
5. Finally gotten around to trying to lock down PHP itself.
6. Requiring HTTPS for privileged account access.

I can't see that the switch to OpenID-based auth ('Ubuntu SSO') improves site security. Seems more likely that this is just an attempt to consolidate services with their proprietary-software-based online 'stores' (Canonical Store, Ubuntu One, Ubuntu One Music Store, and so on) and drive traffic to them.

What they have _not_ done is ditch an abysmal PHP developed application that was and is their fundamental problem. (I do sympathise. Having to do a forced migration would be very painful.)

On 2/08/2013 3:35 PM, Rick Moen wrote:
Quoting Andrew McGlashan (andrew.mcglashan@affinityvision.com.au):
Ubuntu forums is back, you now need to use Ubuntu's SSO [single sign on] service..... let's hope that is safe ;)
Ubuntu SSO is merely an OpenID scheme.
Yes, not a fan of OpenID ... I much prefer to have a specific login to each and every service I use and not have any /generic/ use login, such as SSO when it is possible. With OpenID, you also need to have "referrer" header enabled, but 3rd party cookies can remain off. I normally have referrer headers turned off, along with other privacy measures.
I can't see that the switch to OpenID-based auth ('Ubuntu SSO') improves site security. Seems more likely that this is just an attempt to consolidate services with their proprietary-software-based online 'stores' (Canonical Store, Ubuntu One, Ubuntu One Music Store, and so on) and drive traffic to them.
What they have _not_ done is ditch an abysmal PHP developed application that was and is their fundamental problem. (I do sympathise. Having to do a forced migration would be very painful.)
Thanks Rick for your excellent analysis, I fully agree with you. Can you also post your email to MLUG? I can re-post it there if you want. This post is cross-posted to both lists....

Kind Regards
AndrewM

Andrew McGlashan writes:
With OpenID, you also need to have "referrer" header enabled, but 3rd party cookies can remain off. I normally have referrer headers turned off, along with other privacy measures.
Does it break with polipo's "censorReferer=maybe" option (send a referer iff its hostname matches the requested page)? The idea is to not break sites that need Referer, but still make life (slightly) harder for google and friends.
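As an added illustration of the rule Trent describes (this is my own model of a "send Referer iff its hostname matches the requested host" filter, not polipo's source code), the block below runs a constructed redirect-based login flow between a relying party and an identity provider through the three possible settings. The hostnames, paths and token value are placeholders, not Ubuntu's. It shows which hops of such a flow lose their Referer under each mode, which is where any server-side Referer check would break; it does not settle whether OpenID itself needs the header, which is Andrew's claim rather than something this code can test.

```python
"""Same-host-only Referer filtering, modelled on the censorReferer=maybe rule
described in the thread.  Constructed example, not polipo's source code."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def censor_referer(request_url: str, referer: Optional[str], mode: str) -> Optional[str]:
    """Return the Referer value a filtering proxy would forward, or None if it strips it.

    mode 'false': pass Referer through untouched
    mode 'true':  always strip Referer
    mode 'maybe': forward Referer only when its hostname equals the request's hostname
    """
    if referer is None or mode == "false":
        return referer
    if mode == "true":
        return None
    if mode == "maybe":
        ref_host = urlsplit(referer).hostname
        req_host = urlsplit(request_url).hostname
        return referer if ref_host is not None and ref_host == req_host else None
    raise ValueError(f"unknown censorReferer mode: {mode!r}")


# Constructed redirect-based login flow between a relying party and an
# identity provider.  Hostnames, paths and the token are placeholders.
# Each entry is (URL the browser requests, Referer the browser would attach).
LOGIN_FLOW: List[Tuple[str, str]] = [
    ("https://forums.example/login", "https://forums.example/"),
    ("https://sso.example/authorize?rp=forums.example", "https://forums.example/login"),
    ("https://sso.example/consent", "https://sso.example/authorize?rp=forums.example"),
    ("https://forums.example/openid/return?token=placeholder", "https://sso.example/consent"),
]


def trace_flow(mode: str) -> List[Tuple[str, Optional[str]]]:
    """Run every hop of LOGIN_FLOW through the filter; None means Referer was stripped."""
    return [(url, censor_referer(url, ref, mode)) for url, ref in LOGIN_FLOW]


def stripped_hops(mode: str) -> List[str]:
    """URLs of the hops that reach the server without a Referer under `mode`."""
    return [url for url, ref in trace_flow(mode) if ref is None]


if __name__ == "__main__":
    for mode in ("false", "maybe", "true"):
        print(f"censorReferer={mode}:")
        for url, ref in trace_flow(mode):
            print(f"  {url:60s} Referer: {ref if ref is not None else '(stripped)'}")
```

Under "maybe" exactly the two cross-site hops (browser to the provider, and the provider's return to the forums) arrive without a Referer, while same-site navigation keeps it; that is the trade-off between breaking Referer-dependent sites and limiting what third parties learn. The browser-side equivalent of this rule today is the `Referrer-Policy: same-origin` header (or the corresponding per-browser preference), which needs no proxy at all.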

On 2/08/2013 11:22 PM, Trent W. Buck wrote:
Andrew McGlashan writes:
With OpenID, you also need to have "referrer" header enabled, but 3rd party cookies can remain off. I normally have referrer headers turned off, along with other privacy measures.
Does it break with polipo's "censorReferer=maybe" option (send a referer iff its hostname matches the requested page)?
Let me know..... I use this: https://addons.mozilla.org/en-US/firefox/addon/change-referer-button/ This one gives me an immediate visual as to its status so that I can immediately see if I've left it on.

Kind Regards
AndrewM

Quoting Andrew McGlashan (andrew.mcglashan@affinityvision.com.au):
Let me know.....
I use this: https://addons.mozilla.org/en-US/firefox/addon/change-referer-button/
This one gives me an immediate visual as to its status so that I can immediately see if I've left it on.
Nice. My 'take back the Web' toolkit for Firefox/Iceweasel will probably add the above. It presently includes:

NoScript (essential, keystone tool -- and it pays to tweak its Preferences)
RequestPolicy
AdBlock Plus
BeefTaco
CertificateWatch
OptimizeGoogle
User Agent Switcher
HTTPS-Everywhere

Noted without comment: http://www.wired.com/threatlevel/2013/08/pressure-cooker/

(Remember, if the kindly gentlemen of the constabulary ask you why you like privacy, the canonical rejoinder before referring them to your attorney is to ask if any of their windows at home have drapes, and why.)

-- 
Cheers,                    EMACS May Alienate Clients and Supporters
Rick Moen
rick@linuxmafia.com
McQ! (4x80)

On 3/08/2013 8:58 AM, Rick Moen wrote:
Quoting Andrew McGlashan (andrew.mcglashan@affinityvision.com.au):
Let me know.....
I use this: https://addons.mozilla.org/en-US/firefox/addon/change-referer-button/
This one gives me an immediate visual as to its status so that I can immediately see if I've left it on.
Nice.
My 'take back the Web' toolkit for Firefox/Iceweasel will probably add the above. It presently includes:
NoScript (essential, keystone tool -- and it pays to tweak its Preferences)
Check
RequestPolicy
Check
AdBlock Plus
AdBlock Edge (doesn't have /acceptable/ adverts, which ABP has)
BeefTaco
CertificateWatch
Looks interesting.
OptimizeGoogle
????
User Agent Switcher
Not for me.... ;)
HTTPS-Everywhere
Check.
Noted without comment: http://www.wired.com/threatlevel/2013/08/pressure-cooker/
(Remember, if the kindly gentlemen of the constabulary ask you why you like privacy, the canonical rejoinder before referring them to your attorney is to ask if any of their windows at home have drapes, and why.)
Check.

Cheers
AndrewM

Quoting Andrew McGlashan (andrew.mcglashan@affinityvision.com.au):
AdBlock Edge (doesn't have /acceptable/ adverts, which ABP has)
Interesting. I was behind on the news. Thanks.
BeefTaco
As you are perhaps already aware, these are not the same thing in a couple of respects. First, Disconnect is a fairly complex piece of software, installed as a browser extension, that aims to intercept tracking requests and selectively ignore them with per-site whitelisting and blacklisting controls. BeefTaco, by contrast, is purely and simply a set of preemptive HTTP cookies (with effectively infinite expire times) one loads to prevent known tracking cookies from being deposited. Second, Disconnect is (in part) proprietary software.
CertificateWatch
Looks interesting.
I am not entirely convinced it does The Right Thing, or even how best to consistently use the information it provides, but it seems like a useful tweak: Again, like BeefTaco, it has the benefit of being a simple concept implemented in open source: It pops up to inform you that an SSL cert or attestation has changed. That's it. That's all it does. It's up to you to decide whether the change is worrisome or not -- but at least you know and are not gliding along in blissful ignorance, not knowing that (say) Reputable Ltd. attested to a cert yesterday, and that it's been replaced today by a different cert signed by some obscure certificate authority owned by Ukrainian mobsters. In other words, it's a first step in getting away from the 'Somebody your browser designer once considered reputable signed this cert, so that's all you deserve to know' model of HTTPS.
OptimizeGoogle
????
Seems to have been orphaned. Discussed here: http://forums.mozillazine.org/viewtopic.php?f=19&t=2263049
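The "simple concept" Rick describes for CertificateWatch is trust-on-first-use over certificate fingerprints: remember what a host presented, and report when a later connection shows something else. The block below is an added example of that idea written for this thread; it is not the add-on's code. It hashes the DER-encoded certificate, keeps a per-host record, and, like the add-on, only reports rather than blocking, leaving the decision to the user. The issuer string is assumed to have been parsed elsewhere (the watcher does not decode ASN.1), and the "certificate" byte strings are constructed stand-ins, where a real caller would pass the bytes from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
"""Trust-on-first-use certificate watcher in the spirit of the CertificateWatch
add-on discussed above.  Constructed example, not the add-on's source code."""
import hashlib
import json
from typing import Dict


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, colon-separated as browsers display it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class CertWatcher:
    """Per-host record of the last certificate seen.

    observe() only reports; as with CertificateWatch, whether a change is
    worrying is left to the user.  `issuer` is the issuer DN as parsed by
    the caller; this class does not parse ASN.1 itself."""

    def __init__(self) -> None:
        self.seen: Dict[str, Dict[str, str]] = {}

    def observe(self, host: str, der: bytes, issuer: str) -> Dict[str, object]:
        fp = fingerprint(der)
        prev = self.seen.get(host)
        if prev is None:
            self.seen[host] = {"fingerprint": fp, "issuer": issuer}
            return {"status": "new", "host": host, "fingerprint": fp, "issuer": issuer}
        if prev["fingerprint"] == fp:
            return {"status": "unchanged", "host": host, "fingerprint": fp, "issuer": issuer}
        report = {
            "status": "changed",
            "host": host,
            "old_fingerprint": prev["fingerprint"],
            "new_fingerprint": fp,
            "old_issuer": prev["issuer"],
            "new_issuer": issuer,
            # A renewal by the same CA is routine; a different issuer deserves a closer look.
            "issuer_changed": prev["issuer"] != issuer,
        }
        self.seen[host] = {"fingerprint": fp, "issuer": issuer}
        return report

    def save(self, path: str) -> None:
        """Persist the per-host records so the watcher survives a restart."""
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(self.seen, fh, indent=2, sort_keys=True)

    def load(self, path: str) -> None:
        with open(path, encoding="utf-8") as fh:
            self.seen = json.load(fh)


# Constructed stand-ins for DER certificate bytes (not real certificates).
CERT_A = b"constructed-der-bytes-cert-A"
CERT_A_RENEWED = b"constructed-der-bytes-cert-A-renewed"
CERT_B = b"constructed-der-bytes-cert-B"


def demo() -> list:
    """Three visits to one placeholder host: first sight, a same-CA renewal, then a new issuer."""
    w = CertWatcher()
    return [
        w.observe("forums.example", CERT_A, "CN=Reputable CA"),
        w.observe("forums.example", CERT_A_RENEWED, "CN=Reputable CA"),
        w.observe("forums.example", CERT_B, "CN=Obscure CA"),
    ]


if __name__ == "__main__":
    for report in demo():
        print(json.dumps(report, indent=2))
```

The second observation reports a change with `issuer_changed` false (the same CA re-issued), the third a change with it true; that second case is the "Reputable Ltd. yesterday, obscure CA today" situation, which the CA-only trust model would silently accept.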

My 'take back the Web' toolkit for Firefox/Iceweasel will probably add the above. It presently includes:
NoScript (essential, keystone tool -- and it pays to tweak its Preferences) ... HTTPS-Everywhere
Isn't HTTPS-Everywhere derived from NoScript's functionality anyway? https://www.eff.org/https-everywhere (See related projects) http://noscript.net/faq#STS

Quoting Anthony Hogan (anthony-luv@hogan.id.au):
Isn't HTTPS-Everywhere derived from NoScript's functionality anyway?
https://www.eff.org/https-everywhere (See related projects) http://noscript.net/faq#STS
No, it's not. I'm very fond of NoScript, but its STS functions cannot accomplish the bulk of what HTTPS Everywhere's rulesets do.

Andrew McGlashan writes:
On 2/08/2013 11:22 PM, Trent W. Buck wrote:
Andrew McGlashan writes:
With OpenID, you also need to have "referrer" header enabled, but 3rd party cookies can remain off. I normally have referrer headers turned off, along with other privacy measures.
Does it break with polipo's "censorReferer=maybe" option (send a referer iff its hostname matches the requested page)?
Let me know.....
Unlikely, since I avoid sites that require login. What I've read of OAuth and OpenID didn't inspire me with confidence, either. It seems to me the obvious way to get that functionality is to Kerberize web browsers and web apps. OTOH, SPNEGO also made me go "ew!" Also I stopped using polipo a couple of years ago, because it was crashing too much and breaking too many sites. (For example, Wikipedia now returns no content if your query contains no User-Agent at all.)

Quoting Trent W. Buck (twb@cyber.com.au):
Also I stopped using polipo a couple of years ago, because it was crashing too much and breaking too many sites. (For example, Wikipedia now returns no content if your query contains no User-Agent at all.)
My preferred value for User-Agent remains 'W3C standards are important. Stop f---ing obsessing over user-agent already.'

See: 'User Agent' on http://linuxmafia.com/kb/Web

-- 
Cheers,                    If you're going to play the game properly,
Rick Moen                  you'd better know every rule.
rick@linuxmafia.com        -- Sen. Barbara Jordan (D-Texas)
McQ! (4x80)

Rick Moen <rick@linuxmafia.com> writes:
Quoting Trent W. Buck (twb@cyber.com.au):
Also I stopped using polipo a couple of years ago, because it was crashing too much and breaking too many sites. (For example, Wikipedia now returns no content if your query contains no User-Agent at all.)
My preferred value for User-Agent remains 'W3C standards are important. Stop f---ing obsessing over user-agent already.'
See: 'User Agent' on http://linuxmafia.com/kb/Web
Yes, that's exactly what I do now (sans elision).

http://www.cyber.com.au/~twb/.curlrc
http://www.cyber.com.au/~twb/.wgetrc
http://www.cyber.com.au/~twb/.w3m/config
http://www.cyber.com.au/~twb/.config/midori/config

Occasionally that causes problems, too -- I noticed that Atlassian Crucible completely fails to work in midori, where I set that... but it works fine in GtkLauncher, the test browser that ships with the webkitgtk library that midori is using. It occurred to me (after it was too late to confirm) the most likely case was Crucible sending different content depending on U-A.

Quoting Andrew McGlashan (andrew.mcglashan@affinityvision.com.au):
Can you also post your email to MLUG? I can re-post it there if you want. This post is cross-posted to both lists....
You are very welcome to repost it there, Andrew. (I am not subscribed to that list. You'd perhaps be astonished at some to which I'm a member, but that's not among them. ;-> )