BerliOS Hosting Site Hacked

by Ostatic Staff - Jan. 13, 2010

The BerliOS open source software portal was compromised and recently had its home page defaced, but no disclosure has been made on the site.

Rather than seeing the news from BerliOS, users have had to find out through LWN and Heise. There's no information on the attack at all on the developer services page and there seems to be no information on the front page either since the defaced page was removed.

According to the defaced home page, the site has been compromised since 2005. The attackers that defaced the site aren't the same as the attackers who compromised the site initially. The attackers claimed to have access to the Subversion (SVN) host and download/FTP host on BerliOS.

BerliOS site admin Jörg Schilling, known primarily for his cdrtools packages, has reportedly said he sees no reason to issue a warning or more information about the attack because he hasn't found evidence of tampering with any of the software distributed on BerliOS. That may be so. Nevertheless, users should be made aware of a compromise and the scope of damage even if there is no obvious tampering.
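"No evidence of tampering" is only meaningful if someone actually compared what the download host now serves against a record made before the compromise window. The following is an added example, not code from the article or from BerliOS: it checks a release directory against a `sha256sum`-style manifest kept out of band (a signed copy held off the mirror, or the hashes published in release announcements) and reports each file as intact, modified, missing, or not in the manifest at all. The file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 and return its lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'sha256sum'-style lines ('<hex>  <relative/path>') into a dict."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        expected[name.strip()] = digest.lower()
    return expected


def verify_tree(root, expected):
    """Compare every file under root with the manifest.

    Returns {relative_path: 'ok' | 'modified' | 'missing' | 'unexpected'}.
    'unexpected' files matter too: a compromised host can add artifacts
    that no manifest ever covered.
    """
    results = {}
    present = set()
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            present.add(rel)
            if rel not in expected:
                results[rel] = "unexpected"
            elif sha256_file(full) == expected[rel]:
                results[rel] = "ok"
            else:
                results[rel] = "modified"
    for name in expected:
        if name not in present:
            results[name] = "missing"
    return results


def demo():
    """Constructed scenario: a manifest recorded for a small release tree,
    then three changes made on the mirror after the manifest was taken."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "pkg-1.0.tar.gz": b"original tarball bytes",      # constructed
            "pkg-1.0.tar.gz.asc": b"constructed signature placeholder",
            "README": b"release notes",
        }
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        # The out-of-band record, taken while the tree was known good.
        manifest = "\n".join(
            f"{sha256_file(os.path.join(root, n))}  {n}" for n in files
        )
        # Changes that appear on the mirror afterwards.
        with open(os.path.join(root, "pkg-1.0.tar.gz"), "wb") as f:
            f.write(b"original tarball bytes plus altered content")
        with open(os.path.join(root, "extra.bin"), "wb") as f:
            f.write(b"file that no manifest ever listed")
        os.remove(os.path.join(root, "README"))
        return verify_tree(root, parse_manifest(manifest))


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:10s} {name}")
```

The manifest has to come from somewhere the attacker could not reach; a checksum file sitting beside the tarballs on the same compromised host proves nothing, which is why the example treats it as an external input rather than reading it from the tree it verifies.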

This is not the first time a FLOSS hosting site has been hacked, and probably won't be the last. High-profile public sites are going to be attacked, and occasionally those attacks will succeed. The hosting parties should do everything possible to prevent this, but also should be willing to provide a full disclosure of how the attack was accomplished and what will be done to remedy the problem.

BerliOS (short for Berlin Open Source) hosts hundreds of FLOSS projects. It's a very important resource for the FLOSS community, and we hope that BerliOS will provide details of the attack soon.

Joe 'Zonker' Brockmeier is a longtime FLOSS advocate, and currently works for Novell as the community manager for openSUSE. Prior to joining Novell, Brockmeier worked as a technology journalist covering the open source beat for a number of publications, including Linux Magazine, Linux Weekly News, Linux.com, UnixReview.com, IBM developerWorks, and many others.