Open-source code repository SourceForge has advised users to change their passwords following a concerted hacking attack. The attack, launched last Wednesday, targeted developer infrastructure and involved the compromise of SourceForge.net servers. SourceForge detected the attack and quickly disabled CVS, ishell, file uploads, …
Better safe than sorry
No cover up. Everyone involved was contacted, intrusion was detected early and appropriate measures were taken in a timely fashion. Password reset was painless. Job well done I would say.
And there I sat over the weekend wondering who in the world would try to hack an open source website and for which reason...
So far I'm coming up empty...
To incorporate some malicious code in projects hosted there.
Just like their SSHD was modded, so could be any of the projects hosted there if they had compromised SF accounts.
The Rabid Right on both sides of the pond have blamed Open Source for the existence of Wikileaks. They have said that pretty much anything 'open' must be a danger as it isn't controllable directly either by huge multinationals or by governments. It isn't under the control of such outfits as NewsCorp and anything Fox so becomes and remains an enemy of the state.
Also that the script kiddies who have been causing a little bit of hassle are getting their tools for nothing.
T.P.T.B. need to know who is in charge, who is responsible, who they can blame, who they can pillory and belittle, who they can frame for these attacks against 'common decency and democracy'.
They still haven't bloody got it, have they?
One easy reason would be to have a few extra spamming servers - I remember some article saying that a compromised Linux server is a very reliable master for a spambot net :-) the irony...
The web form to ask for reset is broken
I understand the rationale, but the reset process is a little broken.
I can't reset my password as it seems to be linked to the email address from my previous employer. I do not have access to this mailbox as they saw fit to close our office and make us all redundant in August 2009.
Unfortunately the form that deals with this kind of problem seems to be broken and keeps validating the email address field that it has hidden instead of the boxes to give relevant info to assist you. i.e. if you fill in the email before choosing the option to recover your account, it sends a password reset to that email address anyway, if you don't fill it in, it complains that you haven't done so :-(
I've emailed them, so hopefully it's something that they can fix easily as I'm sure I won't be the only person in this situation.
errr, if it's linked to the wrong account then, err, PEBKAC?
Problem is with a broken feature of the form
As I said, the form is broken. The I'm referring to is supposed to be for those who can't remember what email address they used. The field it validates is one that gets hidden and /should/ be empty. If it is empty, then sending the reset details fails.
I freely admit that I should have updated my email address before this happened, but that doesn't change the issue of the very functionality designed for idiots such as myself being broken.
There was I getting a tad pissed off with the intermittent drizzle of "please ensure your details are up to date" requests that turn up in my inbox.
I shall be more tolerant of people reminding me of the bleedin' obvious in the light of that.
Yup, my bad. Obviously I didn't receive any emails reminding me to keep up to date, but it's an oversight on my part anyway.
Linux Is Ready To Duke It Out
+ SE Linux
+ SQUID (http and more) Proxy
+ lots of Secure Programming Languages
All the dire predictions of security experts now quickly come to fruition.
Not enforcing a shiny new one
"So, as a proactive measure we've invalidated your SourceForge.net account password. To access the site again, you'll need to go through the email recovery process and choose a shiny new password."
It's not enforcing a shiny new password though, I just successfully set my old one again, which should be prevented if a compromise is suspected.
@druck: So?
You are incapable of inventing a new one? Go to Windows please. Don't touch this commie Open-Source evil thing. It will require you to use your brain, ya know.