To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/security/0,39024655,39168181,00.htm

Ubuntu security concerns sparked
Rogue servers go on the attack...

By Colin Barker

Published: Friday 17 August 2007

Concerns over the security of the Ubuntu Linux distribution arose when five out of eight community-run servers sponsored by Canonical had to shut down.

The servers had "started attacking other systems", according to an Ubuntu newsletter. The issue first came to light at the weekend, when Ubuntu users voiced concern over a problem with local community (loco) hosted servers.

Canonical moved quickly to minimise the issue and reassure users that the operating system is secure.

Gerry Carr, marketing manager of Canonical, said: "This is not a problem with our production servers." The issue was with "loco servers that we pay for but that do not sit in our data centre", he said. As a result, the security in Canonical's data centre was "in no way compromised by these attacks".

While the company "held its hand up" in regard to the problem, it completely rejects any implication that user security was compromised, Carr said.

He said: "Any [implication], and there has been some, that this episode has, or had, any bearing on our enterprise readiness or the Ubuntu downloads is so completely wide of the mark as to miss the point entirely. It has nothing to do with downloaded copies of Ubuntu; it is separate servers on a separate network in a separate location."

But the company did accept that the servers had been poorly managed. The problem arose because the responsibility for security lay "between Canonical and the community", Carr said.

Most of the time this was just as it should be, Carr said, but "server management is maybe not one of those times".

The issue is one for the community to decide, he added: "Either the loco servers come into our data centre and are subject to our standard, rigorous security and management, or they sit completely outside of it and are run by the community."

Colin Barker writes for ZDNet UK