
Sourceforge Attack: Full Report

Sourceforge.net briefly reported an attack on its infrastructure on Thursday January 27 that resulted in some services (CVS, interactive ssh shells, and others) being suspended. More details were released on January 29, which show that the attack exploited a privilege escalation to root in one of the Sourceforge services. "It's better to be safe than sorry, so we've decided to perform a comprehensive validation of project data from file releases, to SCM commits. We will compare data [against] pre-attack backups, and will identify changed and added. We will review that data, and will also refer anything suspicious to individual project teams for further assessment as needed. [...] The validation work is a precaution, because while we don't have evidence of any data tampering, we'd much prefer to burn a bunch of CPU cycles verifying everything than to discover later that some extra special trickery led to some undetected badness."


Sourceforge Attack: Full Report

Posted Jan 31, 2011 17:33 UTC (Mon) by b7j0c (guest, #27559)

if only they had disabled the idiotic download redirect

Sourceforge Attack: Full Report

Posted Jan 31, 2011 23:26 UTC (Mon) by rbrito (guest, #66188) (1 response)

From the blog post, they have conjectured about removing CVS access and offering SVN for those that still want a centralized VCS.

Some of the responses on that blog post seem to indicate a strong resistance to move from CVS (probably the Windows people use tools to interact with their CVS repositories?).

The consistency point is yet another one where git helps the users a lot, for you'd just have to compare a few sha1 hashes and you'd be done to check if there was any corruption in that repository.

The users themselves would also quickly notice if something strange happened in this regard, when trying to use their repositories (fork, pull, push, merge etc.).

I don't know if sourceforge allows something like github's forking a repository and keeping a personal copy, or if they only allow repositories attached to projects...

BTW, for those that are familiar, are other DVCSes the same way as git, with hashes and so on?
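As an added illustration of the hash-comparison point made above (this is not code from the commenter, from Sourceforge, or from git itself): a small Python script that names commits with git's real object-id scheme and checks a live history against the tip recorded in a pre-attack backup. The commit messages and author lines are constructed sample data; an in-place edit is caught because the object no longer hashes to its name, and a consistently rewritten history is caught because its tip differs from the backup's.

```python
from __future__ import annotations
import hashlib

def git_object_id(obj_type: str, content: bytes) -> str:
    # Git's real object id: SHA-1 over "<type> <size>\0<content>".
    return hashlib.sha1(f"{obj_type} {len(content)}\0".encode() + content).hexdigest()

EMPTY_TREE = git_object_id("tree", b"")  # git's well-known empty-tree id

def commit_body(tree: str, parent: str | None, message: str) -> bytes:
    # Constructed commit object; the author/committer lines are sample data.
    lines = [f"tree {tree}"] + ([f"parent {parent}"] if parent else [])
    lines += ["author Dev <dev@example.invalid> 1296000000 +0000",
              "committer Dev <dev@example.invalid> 1296000000 +0000", "", message, ""]
    return "\n".join(lines).encode()

def build_history(messages: list[str]) -> tuple[dict[str, bytes], str]:
    # Linear history; each commit names its parent's id, so the tip id
    # depends on every byte of every earlier commit.
    objects, parent = {}, None
    for msg in messages:
        body = commit_body(EMPTY_TREE, parent, msg)
        parent = git_object_id("commit", body)
        objects[parent] = body
    return objects, parent

def parent_of(body: bytes) -> str | None:
    for line in body.decode().split("\n"):
        if line.startswith("parent "):
            return line[7:]
    return None

def verify_history(objects: dict[str, bytes], tip: str, trusted_tip: str) -> list[str]:
    # Walk tip -> root. An in-place edit shows up as an object whose content
    # no longer hashes to its name; a rewritten chain shows up as a tip that
    # differs from the pre-attack backup's tip.
    problems = []
    if tip != trusted_tip:
        problems.append(f"tip mismatch: live {tip[:7]} != backup {trusted_tip[:7]}")
    cur = tip
    while cur is not None:
        body = objects.get(cur)
        if body is None:
            problems.append(f"missing object {cur[:7]}")
            break
        if git_object_id("commit", body) != cur:
            problems.append(f"corrupt object {cur[:7]}")
        cur = parent_of(body)
    return problems
```

On a real repository the same two checks are `git fsck --full` (every object hashes to its name) and comparing `git rev-parse` of each ref against the backup.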

Sourceforge Attack: Full Report

Posted Feb 1, 2011 12:02 UTC (Tue) by dpotapov (guest, #46495)

> are other DVCSes the same way as git, with hashes and so on?

Mercurial uses SHA1 hashes in the same way as git, and both of them borrowed this idea from Monotone. Bazaar also uses SHA1 for integrity checking, but it relies on UUIDs to identify revisions. If you signed your revisions in Bazaar (with gpg), they cannot be forged, but I don't know Bazaar well enough to tell what happens with non-signed revisions.


Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds