SourceForge applies global password reset after hack attack

Open-source code repository SourceForge has advised users to change their passwords following a concerted hacking attack. The attack, launched last Wednesday, targeted developer infrastructure and involved the compromise of SourceForge.net servers. SourceForge detected the attack and quickly disabled CVS, ishell, file uploads …

COMMENTS

This topic is closed for new posts.
  1. Syren Baran
    Thumb Up

    Better safe than sorry

    No cover up. Everyone involved was contacted, intrusion was detected early and appropriate measures were taken in a timely fashion. Password reset was painless. Job well done I would say.

  2. Guus Leeuw

    Title

    And there I sat over the weekend wondering who in the world would try to hack an open source website and for which reason...

    So far I'm coming up empty...

    1. Elmer Phud

      'Sobvious

      The Rabid Right on both sides of the pond have blamed Open Source for the existence of Wikileaks. They have said that pretty much anything 'open' must be a danger as it isn't controllable directly either by huge multinationals or by governments. It isn't under the control of such outfits as NewsCorp and anything Fox so becomes and remains an enemy of the state.

      Also that the script kiddies who have been causing a little bit of hassle are getting their tools for nothing.

      T.P.T.B. need to know who is in charge, who is responsible, who they can blame, who they can pillory and belittle, who they can frame for these attacks against 'common decency and democracy'.

      They still haven't bloody got it, have they?

    2. anger

      @Guus Leeuw:

      To incorporate some malicious code in projects hosted there.

      Just like their SSHD was modded, so could be any of the projects hosted there if they had compromised SF accounts.

    3. Ignazio

      spam?

      One easy reason would be to have a few extra spamming servers - I remember some article saying that a compromised Linux server is a very reliable master for a spambot net :-) the irony...

  3. Craig Chambers
    Unhappy

    The web form to ask for reset is broken

    I understand the rationale, but the reset process is a little broken.

    I can't reset my password as it seems to be linked to the email address from my previous employer. I do not have access to this mailbox as they saw fit to close our office and make us all redundant in August 2009.

    Unfortunately the form that deals with this kind of problem seems to be broken and keeps validating the email address field that it has hidden instead of the boxes to give relevant info to assist you. i.e. if you fill in the email before choosing the option to recover your account, it sends a password reset to that email address anyway, if you don't fill it in, it complains that you haven't done so :-(

    I've emailed them, so hopefully it's something that they can fix easily as I'm sure I won't be the only person in this situation.

    1. THUFIR HAWAT
      FAIL

      wrong e-mail

      errr, if it's linked to the wrong account then, err, PEBKAC?

      1. Craig Chambers
        WTF?

        Problem is with a broken feature of the form

        As I said, the form is broken. The I'm referring to is supposed to be for those who can't remember what email address they used. The field it validates is one that gets hidden and /should/ be empty. If it is empty, then sending the reset details fails.

        I freely admit that I should have updated my email address before this happened, but that doesn't change the issue of the very functionality designed for idiots such as myself being broken.

  4. TeeCee Gold badge

    @Craig Chambers

    There was I getting a tad pissed off with the intermittent drizzle of "please ensure your details are up to date" requests that turn up in my inbox.

    I shall be more tolerant of people reminding me of the bleedin' obvious in the light of that.

    1. Craig Chambers

      @TeeCee

      Yup, my bad. Obviously I didn't receive any emails reminding me to keep up to date, but it's an oversight on my part anyway.

  5. Ubuntu Is a Better Slide Rule
    Pirate

    Linux Is Ready To Duke It Out

    + AppArmor

    + SE Linux

    + iptables

    + SQUID (http and more) Proxy

    + lots of Secure Programming Languages

    All the dire predictions of security experts now quickly come to fruition.

  6. druck Silver badge

    Not enforcing a shiny new one

    "So, as a proactive measure we've invalidated your SourceForge.net account password. To access the site again, you'll need to go through the email recovery process and choose a shiny new password."

    It's not enforcing a shiny new password though, I just successfully set my old one again, which should be prevented if a compromise is suspected.

  7. Ubuntu Is a Better Slide Rule
    Stop

    @druck: So ?

    You are incapable of inventing a new one ? Go to Windows please. Don't touch this commie Open-Source evil thing. It will require you to use your brain, ya know.
