
BerliOS compromised

The BerliOS repository site has been compromised; indeed, it appears it has been compromised since 2005. What little information is available can be found from this (German) Heise article (Google translation) and a screen shot from the defaced site. According to the BerliOS system admin (a certain Jörg Schilling), no data has been tampered with, but those who have worked with or gotten code from BerliOS might want to be careful regardless.

Update: the Heise article is now available in English.



BerliOS compromised

Posted Jan 13, 2010 16:25 UTC (Wed) by drag (guest, #31333) [Link] (1 responses)

Sucks for people that depend on BerliOS. Although it looks like the defacers
had a point.

Also it points out another good reason why people should use a distributed
version control system like git.

BerliOS compromised

Posted Jan 13, 2010 17:25 UTC (Wed) by smurf (subscriber, #17840) [Link]

Not only distributed, but also integrity-checked. SVN is neither.
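As an added illustration of the "integrity-checked" point (example code, not from the article or any commenter): git names every object by the SHA-1 of "<type> <size>\0<content>", so a client that already trusts a commit or tree id (from a signed tag or an earlier clone) can tell when a compromised host hands back altered content. The sample objects and the tampered fetch below are constructed.

```python
# Added example: git-style content addressing and the tamper check it enables.
import hashlib


def git_object_id(obj_type: str, content: bytes) -> str:
    """Return the 40-hex git object id: SHA-1 over '<type> <size>\\0<content>'."""
    header = f"{obj_type} {len(content)}\0".encode()
    return hashlib.sha1(header + content).hexdigest()


def tree_id(entries) -> str:
    """Hash a tree from (mode, name, hex_oid) entries; git stores them sorted by name."""
    body = b"".join(
        f"{mode} {name}\0".encode() + bytes.fromhex(oid)
        for mode, name, oid in sorted(entries, key=lambda e: e[1])
    )
    return git_object_id("tree", body)


def verify_objects(received: dict) -> list:
    """received maps a claimed id -> (type, content) as sent by a server.
    Returns the claimed ids whose content does not hash to that id; this is
    the check git applies when it stores objects it has fetched."""
    return [
        oid for oid, (obj_type, content) in received.items()
        if git_object_id(obj_type, content) != oid
    ]


# Constructed sample repository state the client trusts from an earlier clone.
README_ID = git_object_id("blob", b"hello\n")
EMPTY_ID = git_object_id("blob", b"")
TRUSTED_TREE = tree_id([("100644", "README", README_ID), ("100644", "NOTES", EMPTY_ID)])


def demo_tampered_fetch() -> list:
    """Constructed fetch from a compromised host: README was modified on the
    server but is still advertised under its original id."""
    received = {
        README_ID: ("blob", b"hello\nline appended on the server\n"),
        EMPTY_ID: ("blob", b""),
    }
    return verify_objects(received)
```

The check only helps when the client already holds a trusted id to compare against; a server that rewrites history and recomputes every hash consistently is caught only by signed tags or by comparing against an independent copy.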

Poor Jörg

Posted Jan 13, 2010 17:01 UTC (Wed) by xav (guest, #18536) [Link] (3 responses)

Poor Jörg.
I wonder if his immense ego will withstand the shame?

Poor Jörg

Posted Jan 13, 2010 17:08 UTC (Wed) by clugstj (subscriber, #4020) [Link] (2 responses)

I'm not sure his ego could be harmed.

Well he seems sure it's OK, he's not even telling the users...

Posted Jan 13, 2010 17:46 UTC (Wed) by alex (subscriber, #1355) [Link] (1 responses)

From the (translated article): "So far it but I can discover no traces of
intrusion to the changed data. "I therefore see no reason at present to a
warning," said Jörg Schilling,"

Well he seems sure it's OK, he's not even telling the users...

Posted Jan 13, 2010 19:12 UTC (Wed) by kirkengaard (guest, #15022) [Link]

<sarcasm> Everyone knows only maliciously exploited security flaws require warnings ... or policy/practice changes. This is apparently not one; it must be a feature. </sarcasm>

BerliOS compromised

Posted Jan 13, 2010 18:00 UTC (Wed) by joey (guest, #328) [Link] (2 responses)

For anyone who wants to fully appreciate the screenshot:

http://mako.cc/copyrighteous/20070919-00

BerliOS compromised

Posted Jan 13, 2010 18:13 UTC (Wed) by jordi (guest, #14325) [Link]

Ah, no wonder that image was ringing a bell...

BerliOS compromised

Posted Jan 14, 2010 13:31 UTC (Thu) by jond (subscriber, #37669) [Link]

Yes, that gave me a chuckle :)

BerliOS compromised

Posted Jan 13, 2010 19:55 UTC (Wed) by proski (subscriber, #104) [Link] (7 responses)

sheep.berlios.de runs a five years old kernel:

Linux sheep 2.4.21-303-smp4G #1 SMP Tue Dec 6 12:33:10 UTC 2005 i686 i686 i386 GNU/Linux

BerliOS compromised

Posted Jan 13, 2010 20:09 UTC (Wed) by amacater (subscriber, #790) [Link] (6 responses)

Five year old kernel - that presumably supports SCSI properly and is
therefore able to render proper support to cdrecord.

Joerg has a down on Linux distributions: this sort of thing is _PRECISELY_
why Linux distributions provide security updates and suggest that you apply
them. Something with a security team, an openness on bugs and a commitment
to long term support, meeting the needs of users and Free software _and_
multi-platform? I really suggest Joerg re-assess Debian :)

BerliOS compromised

Posted Jan 13, 2010 22:21 UTC (Wed) by nix (subscriber, #2304) [Link] (3 responses)

Why isn't he running OpenSolaris, anyway? :)

BerliOS compromised

Posted Jan 13, 2010 23:19 UTC (Wed) by sb (subscriber, #191) [Link] (2 responses)

The BerliOS web server does run some version of Solaris, maybe it was a cdrecord development box at some point :-)

To give some credit where it is due, BerliOS has provided our project with very good service over the last two years, with less downtime than projects hosted by a certain large and well-known "competitor" seemed to suffer, and with none of the commercial annoyances. And it had git and hg support much sooner too.

BerliOS compromised

Posted Jan 13, 2010 23:58 UTC (Wed) by JoeF (guest, #4486) [Link] (1 responses)

And it had git and hg support much sooner too.

From a comment by Joerg in the article's comment section, it seems that he doesn't quite like git, though:
http://www.heise.de/security/news/foren/S-Re-hmmpf-immer-positiv-sehen/forum-172426/msg-17925786/read/

BerliOS compromised

Posted Jan 14, 2010 10:47 UTC (Thu) by sb (subscriber, #191) [Link]

Well, Jörg is certainly entitled to his opinion, whatever it is that he's talking about. But it looks like he needs to read this part of the git manual and maybe also this thread.

FWIW, and from looking at the support and feature request tickets, I don't think that he's particularly involved with the day to day maintenance of BerliOS.

What I would really like to see from BerliOS is a slightly faster git server and an additional download mirror or three. I'm sure there are universities etc. that would be happy to do the mirroring, maybe some SunSITEs? :-) And Trac support would be nice too. Otherwise, we've been pretty happy.

BerliOS compromised

Posted Jan 14, 2010 1:06 UTC (Thu) by pabs (subscriber, #43278) [Link] (1 responses)

Please no. The last thing Debian needs is any more contact or connection with this guy.

BerliOS compromised

Posted Jan 14, 2010 1:58 UTC (Thu) by nix (subscriber, #2304) [Link]

Hasn't he been banned from bugs.debian.org or something? (Or was he just
asked to go away and stop spamming it? I know *someone* was banned from
b.d.o but I can't remember if it was Joerg.)

BerliOS compromised

Posted Jan 14, 2010 1:31 UTC (Thu) by ikm (guest, #493) [Link]

So that's why I couldn't login to shell.berlios.de today! Though git.berlios.de still let me in, and /home/groups is available there as well.

It's understandable they got pwned, their security always felt a bit lax. But it has always been a very nice and warm place. Partially it is exactly because of their security approach -- they don't cut the oxygen for all projects if there's one misbehaving. Say what you want about Jorg, but Berlios is done right.

BerliOS compromised

Posted Jan 14, 2010 12:39 UTC (Thu) by dw (subscriber, #12017) [Link]

As a Berlios user (in the developer sense), I can appreciate the sentiment of this defacement. Berlios has been flaky since at least 2004, and the only time I had reason to use it recently (about 3 weeks ago), their download server was down for several hours.


Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds