Better safe than sorry
No cover up. Everyone involved was contacted, intrusion was detected early and appropriate measures were taken in a timely fashion. Password reset was painless. Job well done I would say.
Open-source code repository SourceForge has advised users to change their passwords following a concerted hacking attack. The attack, launched last Wednesday, targeted developer infrastructure and involved the compromise of SourceForge.net servers. SourceForge detected the attack and quickly disabled CVS, ishell, file uploads …
The Rabid Right on both sides of the pond have blamed Open Source for the existence of Wikileaks. They have said that pretty much anything 'open' must be a danger as it isn't controllable directly either by huge multinationals or by governments. It isn't under the control of such outfits as NewsCorp and anything Fox so becomes and remains an enemy of the state.
Also that the script kiddies who have been causing a little bit of hassle are getting their tools for nothing.
T.P.T.B. need to know who is in charge, who is responsible, who they can blame, who they can pillory and belittle, who they can frame for these attacks against 'common decency and democracy'.
They still haven't bloody got it, have they?
I understand the rationale, but the reset process is a little broken.
I can't reset my password as it seems to be linked to the email address from my previous employer. I do not have access to this mailbox as they saw fit to close our office and make us all redundant in August 2009.
Unfortunately the form that deals with this kind of problem seems to be broken and keeps validating the email address field that it has hidden instead of the boxes to give relevant info to assist you. i.e. if you fill in the email before choosing the option to recover your account, it sends a password reset to that email address anyway, if you don't fill it in, it complains that you haven't done so :-(
I've emailed them, so hopefully it's something that they can fix easily as I'm sure I won't be the only person in this situation.
As I said, the form is broken. The I'm referring to is supposed to be for those who can't remember what email address they used. The field it validates is one that gets hidden and /should/ be empty. If it is empty, then sending the reset details fails.
I freely admit that I should have updated my email address before this happened, but that doesn't change the issue of the very functionality designed for idiots such as myself being broken.
"So, as a proactive measure we've invalidated your SourceForge.net account password. To access the site again, you'll need to go through the email recovery process and choose a shiny new password."
It's not enforcing a shiny new password though, I just successfully set my old one again, which should be prevented if a compromise is suspected.
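The check the last comment asks for, as an added example that is not part of the thread or SourceForge's code: when a password is invalidated, the old hash is retired rather than deleted, so the reset step can still refuse it. The `Account` class, its field names and the PBKDF2 iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch


def hash_password(password, salt=None):
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time check of a candidate password against a stored hash."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class Account:
    """Hypothetical account record; field names are assumptions."""

    def __init__(self, password):
        self.current = hash_password(password)  # hash accepted at login
        self.retired = []                       # hashes that may never be set again

    def invalidate(self):
        # Forced reset: login stops working, but the old hash is retained
        # so the reset form can still recognise the old password.
        if self.current is not None:
            self.retired.append(self.current)
            self.current = None

    def login(self, password):
        return self.current is not None and matches(password, *self.current)

    def reset(self, new_password):
        # Refuse any password whose hash was retired by an invalidation.
        if any(matches(new_password, s, d) for s, d in self.retired):
            return False
        self.current = hash_password(new_password)
        return True


def demo():
    acct = Account("correct horse")            # constructed sample password
    acct.invalidate()
    return (acct.login("correct horse"),       # invalidated password at login
            acct.reset("correct horse"),       # old password offered at reset
            acct.reset("battery staple 42"),   # genuinely new password
            acct.login("battery staple 42"))   # login with the new password
```

Because each hash has its own salt, the reuse check has to re-derive the candidate against every retired entry; comparing stored digests directly would never match.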