Feeds

back to article '1337 hacker' scrawls all over careless coders' SourceForge sites

Someone claiming to be a "1337 hacker" has defaced programming projects hosted by SourceForge.net Web pages for the network utility Angry IP Scanner and other open-source software hosted by the online coding vault were altered by the infiltrator. The individual responsible claimed the websites were "hacked" using a "backdoor", …

COMMENTS

This topic is closed for new posts.

Cue smart alec responses ...

... about how it would never have happened to some competent person like the commentard. Fact is it can happen to anyone and we often see people complain about lost data being the fault of the system, because the data owner is so 1337 they'd never be hacked or phished ... oh wait a minute.

9
0
Anonymous Coward

This is what happens when you use Linux.

5
14
Anonymous Coward

...this is what happens when you use Linux ....

and do not know what you are doing or basic Linux/UNIX shell.

6
1
Stop

Re: ...this is what happens when you use [insert operating system here] ....

and do not know what you are doing

3
0
Anonymous Coward

Re: ...this is what happens when you use Linux ....

Whereas on Windows it sets secure permissions by default....And lets you change PROPER ACLs via a nice GUI.

You can't even get proper ACLs on Linux without running an 'experimental' filesystem in NFS 4.1....

1
2

Leet or not...

How sad are you when your contribution to society is sabotaging other people's work. Losers.

7
5
Silver badge

Re: Leet or not...

Sabotage?

I think the message was that there had been no sabotage - just a warning to others that they ensure to keep their flies zipped up.

5
2
Silver badge

Re: Leet or not...

Some louts jumped over your back fence and defaced your property.

You'd thank them for pointing out your security is not up to scratch?

While it probably isn't sabotage (since so functional damage was done), it is surely vandalism.

2
0

Re: Leet or not...

Yes, vandalism would've been a much better description. My bad.

0
0

Re: Leet or not...

I think it's more equivalent to a couple of chavs walking through your open back gate and sticking a post-it to your door advising you to invest in a lock.

0
0
FAIL

Re: Leet or not...

Well better that he put a nice message there instead of people with less morals that would add some malicious backdoor to a trusted program on the site that would have infected a pile of people who would give the program permissions to install it if asked for it.

0
0
Bronze badge

Not hacking...

As per title, this can hardly be considered hacking.

It's like saying you hacked into someone's PC, using the username and password they kept on a post note hidden in their desk drawer.

2
3
Silver badge

@Phil

Why wouldn't it be?

If you always keep the keys to your house under the floormat and someone found and used those to enter your house without your permission, most likely to steal things? It might be a dumb mistake on your end that this happened in the first place but in the end its still described as someone breaking into your house.

0
0
Bronze badge

Re: @Phil

It wouldn't be for the same reason that someone picking up the spare key from under your mat and letting themselves in wouldn't be 'Breaking and Entering' since there is no 'breaking' involved.

To qualify as hacking requires some level of technical work to defeat,bypass,override or otherwise circumvent security measures. Reading an unsecured file, then typing in the plain text username and password found within it, hardly qualifies as any of those I would say.

Not saying it's morally or legally right, anymore than someone letting themselves into your house with the poorly hidden spare key is.

But calling the perpetrator a hacker is like calling the person who used your key "a highly intelligent and elusive cat burgler".

2
1
Silver badge

Re: Snooping not Hacking

I would argue that this is not hacking, there were no locks picked and no doors were forced.

Giving the world "read" permission is not the same as denying the world permission.

Technically I would call it an open invitation to snooping and they got "snooped".

0
0

Re: Not hacking...

Its a bit like walking down the street and trying every car door until you find an open one, then pissing on the seats and leaving a not saying thank me for just pissing and not talking a dump.

5
1
Bronze badge

Re: Not hacking...

Not really John.

If you don't do the pissing, and just leave a note saying "thank me for not stealing your radio/car" you're part way there.

But to make your comparison even more accurate, the car would also have to be locked, but with the key on the floor next to it.

2
0
Silver badge

Re: defeat,bypass,override or otherwise circumvent security measures.

and yet, for all of the ingenuity that may be involved in some clever hack, it essentially boils down to a way to find that key that was hidden under a rock. So I'd say this is the very distillation of hacking, and all the more humiliating for its simplicity. For it to have been truly "not hacking" the site would need to have been configured with anonymous login enabled. (Don't laugh, I once worked somewhere that a Sr. Level Technical manager saw no issues with that. On an world + dog accessible IP address no less.)

0
0
Pirate

Re: @Phil

"It might be a dumb mistake on your end that this happened in the first place but in the end its still described as someone breaking into your house."

I don't believe it's breaking and entering. Maybe unlawful entry followed by burglary of a domicile.

That's just my uneducated opinion though.

0
0
Anonymous Coward

facepalm!!

"...each affected project had files that could be accessed by anyone on the web (rw-r--r-- in Unix parlance) and that these documents contained usernames and passwords for editing the project."

This is incredible, really.

How does the saying goes again, about the security benefits of having many eyes looking at the source code?

Well that doesn't work out so well if every pair of eyes is looking the wrong way

3
2
Gav
Holmes

Re: facepalm!!

So... having all these sites tagged and easy to locate through google, SourceForge has now told everyone how to access them. They don't say they fixed the file permissions, so until the owners of the sites do anything they are effectively wide-open to anyone.

Perhaps not a good idea. Hmm?

0
2
Silver badge

Re: facepalm!!

"How does the saying goes again, about the security benefits of having many eyes looking at the source code?

...except that this wasn't the source code, but some admin stuff that should not have been publicly available.

2
0
Anonymous Coward

not just the developers fault

Sourceforge need to take some blame for this as well. The files are held on their site, they should have some responsibility for the security of the site (and files on it). They should be flagging files with incorrect permissions or at least world readable or setuid if for no other reason than to check the integrity of their site.

I agree if the owners of the files are lax and endanger their own files safety thats their problem but if it could have a knock on effect to your site, why risk it by just letting it happen without knowing about it? Too many files being hosted on the site as a reason not to do this is not really a valid response from the admins.

1
4

Umask is your friend.

1
0
Bronze badge
Mushroom

And RSI is the likely result...

0
0
Bronze badge
Linux

re: Umask is your friend.

Just running "find . -perm /007" occasionally to see what files you have kicking around that have any sort of "world" permissions isn't an onerous task. Presumably that's going to be popular with SourceForge admins this week.

0
0
Anonymous Coward

umask

Use it, that is all.

0
0

Cloud?

Another issue with the cloud? Easy to find and exploit bugs for multiple sites without going outside an IP block. Check.

0
1
This topic is closed for new posts.