
SourceForge applies global password reset after hack attack

Open-source code repository SourceForge has advised users to change their passwords following a concerted hacking attack. The attack, launched last Wednesday, targeted developer infrastructure and involved the compromise of SourceForge.net servers. SourceForge detected the attack and quickly disabled CVS, ishell, file uploads, …

COMMENTS

This topic is closed for new posts.
Thumb Up

Better safe than sorry

No cover up. Everyone involved was contacted, intrusion was detected early and appropriate measures were taken in a timely fashion. Password reset was painless. Job well done I would say.

8
0

This post has been deleted by a moderator

Title

And there I sat over the weekend wondering who in the world would try to hack an open source website and for which reason...

So far I'm coming up empty...

0
0

@Guus Leeuw:

To incorporate some malicious code in projects hosted there.

Just like their SSHD was modded, so could be any of the projects hosted there if they had compromised SF accounts.

1
0
Silver badge

'Sobvious

The Rabid Right on both sides of the pond have blamed Open Source for the existence of Wikileaks. They have said that pretty much anything 'open' must be a danger as it isn't controllable directly either by huge multinationals or by governments. It isn't under the control of such outfits as NewsCorp and anything Fox so becomes and remains an enemy of the state.

Also that the script kiddies who have been causing a little bit of hassle are getting their tools for nothing.

T.P.T.B. need to know who is in charge, who is responsible, who they can blame, who they can pillory and belittle, who they can frame for these attacks against 'common decency and democracy'.

They still haven't bloody got it, have they?

1
0

spam?

One easy reason would be to have a few extra spamming servers - I remember some article saying that a compromised Linux server is a very reliable master for a spambot net :-) the irony...

0
0
Unhappy

The web form to ask for reset is broken

I understand the rationale, but the reset process is a little broken.

I can't reset my password as it seems to be linked to the email address from my previous employer. I do not have access to this mailbox as they saw fit to close our office and make us all redundant in August 2009.

Unfortunately the form that deals with this kind of problem seems to be broken and keeps validating the email address field that it has hidden instead of the boxes to give relevant info to assist you. i.e. if you fill in the email before choosing the option to recover your account, it sends a password reset to that email address anyway, if you don't fill it in, it complains that you haven't done so :-(

I've emailed them, so hopefully it's something that they can fix easily as I'm sure I won't be the only person in this situation.

0
1
FAIL

wrong e-mail

errr, if it's linked to the wrong account then, err, PEBKAC?

0
1
WTF?

Problem is with a broken feature of the form

As I said, the form is broken. The I'm referring to is supposed to be for those who can't remember what email address they used. The field it validates is one that gets hidden and /should/ be empty. If it is empty, then sending the reset details fails.

I freely admit that I should have updated my email address before this happened, but that doesn't change the issue of the very functionality designed for idiots such as myself being broken.

0
0
Gold badge

@Craig Chambers

There was I getting a tad pissed off with the intermittent drizzle of "please ensure your details are up to date" requests that turn up in my inbox.

I shall be more tolerant of people reminding me of the bleedin' obvious in the light of that.

1
0

@TeeCee

Yup, my bad. Obviously I didn't receive any emails reminding me to keep up to date, but it's an oversight on my part anyway.

0
0
Pirate

Linux Is Ready To Duke It Out

+ AppArmor

+ SE Linux

+ iptables

+ SQUID (http and more) Proxy

+ lots of Secure Programming Languages

All the dire predictions of security experts now quickly come to fruition.

0
0
Bronze badge

Not enforcing a shiny new one

"So, as a proactive measure we've invalidated your SourceForge.net account password. To access the site again, you'll need to go through the email recovery process and choose a shiny new password."

It's not enforcing a shiny new password though, I just successfully set my old one again, which should be prevented if a compromise is suspected.

0
0
Stop

@druck: So ?

You are incapable of inventing a new one ? Go to Windows please. Don't touch this commie Open-Source evil thing. It will require you to use your brain, ya know.

0
1