
Thread: SSO login general chat thread

  1. #1
    Join Date
    Jun 2006
    Location
    UK
    Beans
    Hidden!
    Distro
    Ubuntu 14.04 Trusty Tahr

    SSO login general chat thread

    I've moved all the chat and other stuff from the SSO login sticky to here. This thread is for general discussion about SSO login. Please confine any posts to the sticky to suggestions for amendments/additions to the first post there.

    If you have inadvertently created a duplicate account, or need an admin to deal with a problem with your account related to SSO login, please post in the Resolution Centre, giving the username of your old account.
    Last edited by coffeecat; August 3rd, 2013 at 11:53 AM.

    Please do not PM me about your forum account unless you have been asked to. The correct place to contact an admin about your account is here.

  2. #2
    Join Date
    Jul 2013
    Beans
    0

    Re: Login now by means of Ubuntu One SSO only

    Okay, I'm not trying to be too critical here, but this seems like a step in the wrong direction security-wise. Your forum software got hacked. It happens, and as someone that runs a forum as well, I've had it happen to me before, though on a much smaller scale. The immediate reaction is to try to increase security through any means necessary, and that's the right step; however, tying together our forum logins with our Ubuntu One accounts seems like it has the potential to link together potentially insecure forum software with an account that for many people contains a lot more sensitive information than they would ever have with just a standard forums account.

    Ubuntu One, unless I'm mistaken, potentially has credit card info, private cloud storage files, and a record of purchases that people have made as well. I've personally not used it for any of these things, but I'm sure there are quite a few people who have. If I did have that kind of info stored in there, I'd be gravely concerned about it being linked with a forum that was just compromised, no matter what level of new security was just added to it. That's just me though...

  3. #3
    Join Date
    Jul 2013
    Beans
    0

    Re: Login now by means of Ubuntu One SSO only

    Hmm. Just one extra note here: 'BLFLpb3' is very definitely not a nickname I chose anywhere for my account. I'm not sure if that's some kind of randomly generated name that it gave me to protect my identity, or if it's a bug with your login system. In either case, I apparently can't edit it at all because my account is too new.

    The migration process you have set up for people seems very unintuitive here. Hopefully this doesn't come across as me having too much of an ego here, but I'm pretty certain that if I'm struggling to wade through all this, there's quite a number of other users who are too.

  4. #4
    Join Date
    May 2012
    Beans
    277

    Re: Login now by means of Ubuntu One SSO only

    Actually the move to Ubuntu SSO is actually a good move. Unlike vBulletin, the culprit of the issues that made the forums go down, Ubuntu One and its SSO services are their own thing, separate from most other components.
    Sure, it's extra steps now, but it's not that big of a deal.

  5. #5
    Join Date
    Apr 2008
    Location
    LOCATION=/dev/random
    Beans
    5,767
    Distro
    Ubuntu Development Release

    Re: Login now by means of Ubuntu One SSO only

    Quote Originally Posted by MadmanRB
    Actually the move to Ubuntu SSO is actually a good move. Unlike vBulletin, the culprit of the issues that made the forums go down, Ubuntu One and its SSO services are their own thing, separate from most other components.
    Sure, it's extra steps now, but it's not that big of a deal.
    +1

    By switching to using SSO with Ubuntu One the potential for damage is decreased.

    If the forums are ever hacked again then there is now no password information stored on the forums server at all, not even in hashed form.
    Cheesemill

  6. #6
    Join Date
    Nov 2009
    Location
    Dominican Republic
    Beans
    24
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Login now by means of Ubuntu One SSO only

    Quote Originally Posted by MadmanRB
    Actually the move to Ubuntu SSO is actually a good move. Unlike vBulletin, the culprit of the issues that made the forums go down, Ubuntu One and its SSO services are their own thing, separate from most other components.
    Sure, it's extra steps now, but it's not that big of a deal.
    Very good move. SSO is more secure. And the accounts will be linked.

  7. #7
    Join Date
    Jul 2013
    Beans
    0

    Re: Login now by means of Ubuntu One SSO only

    Quote Originally Posted by MadmanRB
    Actually the move to Ubuntu SSO is actually a good move. Unlike vBulletin, the culprit of the issues that made the forums go down, Ubuntu One and its SSO services are their own thing, separate from most other components.
    Sure, it's extra steps now, but it's not that big of a deal.
    The problem is that by using it at all here, there's some kind of cross-authentication being used between the forums and an Ubuntu One account. I'm sure that they kept security in mind when designing the system that allows the two to talk to each other, but there's always that remote possibility that an insecurity on the forums could result in tokens being grabbed that let attackers backpedal into the Ubuntu One account of a user through something like a cross-site scripting attack.

    Even if the new system is designed 100% correctly to prevent this though, it still just doesn't give me a warm fuzzy feeling having the two linked together.

    Maybe I'm just paranoid though.

  8. #8
    Join Date
    May 2010
    Location
    South Gloucestershire, UK
    Beans
    1,749
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Login now by means of Ubuntu One SSO only

    Quote Originally Posted by j2bv16
    Very good move. SSO is more secure. And the accounts will be linked.
    Agreed.

    And despite the problems that some users seem to be having, what we have been told to do when logging in for the first time does work. I've reset my Ubuntu One email address back to what it was previously, logged out of the forums and logged back in again and all is well.

  9. #9
    Join Date
    Jun 2006
    Location
    UK
    Beans
    Hidden!
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Login now by means of Ubuntu One SSO only

    @BLFLpb3, it's possible that the reason the system chose an apparently random string for your username is that you did not fill in the username field in the Ubuntu One SSO account - only the real name field. I've taken this up with Canonical sysadmins to find a workaround. In the meantime, PM me with 3 alternative choices for your forum username and I can change your account details accordingly.

    Please also confirm whether or not this assumption is correct - that your SSO username is a blank field. We need this to be sure we're on the right track.

    Please do not PM me about your forum account unless you have been asked to. The correct place to contact an admin about your account is here.

  10. #10
    hLtbPDh is offline Ubuntu Green Coffee Beans
    Join Date
    Jul 2013
    Beans
    0

    Re: Login now by means of Ubuntu One SSO only

    After years of interaction with other members on this forum, we get to know each other by our usernames. Now that we don't have access to them, we have no idea who we are talking to, or who is replying to us. We can't find each other on these forums any more. We may still recognize the moderators, but how will they know us? There were relationships built here on this forum that have now been erased by some arbitrary policy somebody came up with in a state of panic. That policy may have been a good idea, but maybe the implementation process could have been thought through and checked out a little more thoroughly.

    Creating an Ubuntu One account with the same email address was no guarantee that the accounts would be associated. Someone should have looked into that more carefully. Also, the usernames didn't come out as expected either. The username hLtbPDh is in no way a variation of Luxx, Luxx1, Luxx2. I'm seeing more of these weird names on the forums and wonder how many people are feeling as lost as I do in a place that was once a kind of "home" where we felt like part of a family. This is really a mess.

    Considering the urgency of fixing the breach, I hope someone is also working on a way to remedy the damage caused by the fix. It is no less severe than the original breach, and may actually be worse.
