back to article SourceForge applies global password reset after hack attack

Open-source code repository SourceForge has advised users to change their passwords following a concerted hacking attack. The attack, launched last Wednesday, targeted developer infrastructure and involved the compromise of SourceForge.net servers. SourceForge detected the attack and quickly disabled CVS, ishell, file uploads …

COMMENTS

This topic is closed for new posts.
  1. Syren Baran
    Thumb Up

    Better safe than sorry

    No cover up. Everyone involved was contacted, intrusion was detected early and appropriate measures were taken in a timely fashion. Password reset was painless. Job well done i would say.

  2. This post has been deleted by a moderator

  3. Guus Leeuw

    Title

    And there I sat over the weekend wondering who in the world would try to hack an open source website and for which reason...

    So far I'm coming up empty...

    1. Elmer Phud

      'Sobvious

      The Rabid Right on both sides of the pond have blamed Open Source for the existance of Wikileaks. They have said that pretty much anything 'open' must be a danger as it isn't controllable directly either by huge multinationals or by governments. It isn't under the control of such outfits as NewsCorp and anything Fox so becomes and remains an enemy of the state.

      Also that the script kiddes who have been causing a little bit of hassle are getting thier tools for nothing.

      T.P.T.B. need to know who is in charge, who is repsonsible, who they can blame, who they can pillory and belittle, who they can frame for these attacks against 'common decency and democracy'.

      They still haven't bloody got it, have they?

    2. anger

      @Guus Leeuw:

      To incorporate some malicious code in projects hosted there.

      Just like their SSHD was modded, so could be any of the projects hosted there if they had compromised SF accounts.

    3. Ignazio

      spam?

      One easy reason would be to have a few extra spamming servers - I remember some article saying that a compromised linux server is a very reliable master for a spambot net :-) the irony...

  4. Craig Chambers
    Unhappy

    The web form to ask for reset is broken

    I understand the rationale, but the reset process is a little broken.

    I can't reset my password as it seems to be linked to the email address from my previous employer. I do not have access to this mailbox as they saw fit to close our office and make us all redundant in August 2009.

    Unfortunately the form that deals with this kind of problem seems to be broken and keeps validating the email address field that it has hidden instead of the boxes to give relevant info to assist you. i.e. if you fill in the email before choosing the option to recover your account, it sends a password reset to that email address anyway, if you don't fill it in, it complains that you haven't done so :-(

    I've emailed them, so hopefully it's something that they can fix easily as I'm sure I won't be the only person in this situation.

    1. THUFIR HAWAT
      FAIL

      wrong e-mail

      errr, if it's linked to the wrong account then, err, PEBKAC?

      1. Craig Chambers
        WTF?

        Problem is with a broken feature of the form

        As I said, the form is broken. The I'm referring to is supposed to be for those who can't remember what email address they used. The field it validates is one that gets hidden and /should/ be empty. If it is empty, then sending the reset details fails.

        I freely admit that I should have updated my email address before this happened, but that doesn't change the issue of the very functionality designed for idiots such as myself being broken.

  5. TeeCee Gold badge

    @Craig Chambers

    There was I getting a tad pissed off with the intermittant drizzle of "please ensure your details are up to date" requests that turn up in my inbox.

    I shall be more tolerant of people reminding me of the bleedin' obvious in the light of that.

    1. Craig Chambers

      @TeeCee

      Yup, my bad. Obviously I didn't receive any emails reminding me to keep up to date, but it's an oversight on my part anyway.

  6. Ubuntu Is a Better Slide Rule
    Pirate

    Linux Is Ready To Duke It Out

    + AppArmor

    + SE Linux

    + iptables

    + SQUID (http and more) Proxy

    + lots of Secure Programming Languages

    All the dire predictions of security experts now quickly come to fruition.

  7. druck Silver badge

    Not enforcing a shiny new one

    "So, as a proactive measure we've invalidated your SourceForge.net account password. To access the site again, you'll need to go through the email recovery process and choose a shiny new password."

    It's not enforcing a shiny new password though, I just successfully set my old one again, which should be prevented if a compromise is suspected.

  8. Ubuntu Is a Better Slide Rule
    Stop

    @druck: So ?

    You are incapable of inventing a new one ? Go to Windows please. Don't touch this commie Open-Source evil thing. It will require you to use your brain, ya know.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019