'1337 hacker' scrawls all over careless coders' SourceForge sites Someone claiming to be a "1337 hacker" has defaced programming projects hosted by SourceForge.net Web pages for the network utility Angry IP Scanner and other open-source software hosted by the online coding vault were altered by the infiltrator. The individual responsible claimed the websites were "hacked" using a "backdoor …
... about how it would never have happened to some competent person like the commentard. Fact is it can happen to anyone and we often see people complain about lost data being the fault of the system, because the data owner is so 1337 they'd never be hacked or phished ... oh wait a minute.
Why wouldn't it be?
If you always keep the keys to your house under the floormat and someone found and used those to enter your house without your permission, most likely to steal things? It might be a dumb mistake on your end that this happened in the first place but in the end its still described as someone breaking into your house.
It wouldn't be for the same reason that someone picking up the spare key from under your mat and letting themselves in wouldn't be 'Breaking and Entering' since there is no 'breaking' involved.
To qualify as hacking requires some level of technical work to defeat,bypass,override or otherwise circumvent security measures. Reading an unsecured file, then typing in the plain text username and password found within it, hardly qualifies as any of those I would say.
Not saying it's morally or legally right, anymore than someone letting themselves into your house with the poorly hidden spare key is.
But calling the perpetrator a hacker is like calling the person who used your key "a highly intelligent and elusive cat burgler".
and yet, for all of the ingenuity that may be involved in some clever hack, it essentially boils down to a way to find that key that was hidden under a rock. So I'd say this is the very distillation of hacking, and all the more humiliating for its simplicity. For it to have been truly "not hacking" the site would need to have been configured with anonymous login enabled. (Don't laugh, I once worked somewhere that a Sr. Level Technical manager saw no issues with that. On an world + dog accessible IP address no less.)
"It might be a dumb mistake on your end that this happened in the first place but in the end its still described as someone breaking into your house."
I don't believe it's breaking and entering. Maybe unlawful entry followed by burglary of a domicile.
That's just my uneducated opinion though.
"...each affected project had files that could be accessed by anyone on the web (rw-r--r-- in Unix parlance) and that these documents contained usernames and passwords for editing the project."
This is incredible, really.
How does the saying goes again, about the security benefits of having many eyes looking at the source code?
Well that doesn't work out so well if every pair of eyes is looking the wrong way
So... having all these sites tagged and easy to locate through google, SourceForge has now told everyone how to access them. They don't say they fixed the file permissions, so until the owners of the sites do anything they are effectively wide-open to anyone.
Perhaps not a good idea. Hmm?
Sourceforge need to take some blame for this as well. The files are held on their site, they should have some responsibility for the security of the site (and files on it). They should be flagging files with incorrect permissions or at least world readable or setuid if for no other reason than to check the integrity of their site.
I agree if the owners of the files are lax and endanger their own files safety thats their problem but if it could have a knock on effect to your site, why risk it by just letting it happen without knowing about it? Too many files being hosted on the site as a reason not to do this is not really a valid response from the admins.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
