Suspending him only shows that if a vulnerability exists (and they always do) in the future people won't go about it so openly because what they'll get for their troubles will be an account suspension. The guy could have done real harm if he kept silent and used it maliciously, chose not to, and got suspended. Github should pay him for finding the vulnerability instead!
Actually now that they've suspended him, I kind of wish he did some real damage. The whole 'get hung for a lamb' saying.
That is why I don't really believe in 'white hat hacker' label. Organizations, when humiliated by their vulnerability, strike back and treat the white hacker as a criminal. Or I guess since he actually modified a file or two instead of just publicly commenting about the theoretical vulnerability, he is now a gray hat hacker ... ? But if he just blogged about the vulnerability without proving it, he wouldn't have been taken seriously and less people would have believed him (did you know about this guy before this happened? I didn't).
That is why I think, as an individual, if you hack, always be a black hat hacker. Organizations do not have mercy and will not treat you with respect if you just break in to point out a problem to try to help them. So might as well do some real damage, hide and/or profit from it, by selling it on a black market.
(Note, not saying that I condone, or personally agree with such activities, just proposing a better course of actions for those who do).
> That is why I don't really believe in 'white hat hacker' label. Organizations, when humiliated by their vulnerability, strike back and treat the white hacker as a criminal.
Supposedly, a white hat hacker is someone hired (or at least, legally authorized) by the company itself to test their security by trying to break in.
I thought it was more of a moral label than anything else. One who finds vulnerabilities but doesn't exploit them or doesn't do it with a malicious purpose vs. the ones that do it with malice. Of course you can't read someone's mind, but you can see the actions and go from there. It looks extremely unlikely that this is a case of hacking for profit or to cause harm.
When you hack something, even with good intents, you always end up exposing yourself to some form of retorsion.
You can point your fingers to vulnerabilities every day full time just to make the web a better place and many will thank you for this but many more will just threaten you or file a complaint.
How does anyone know he hasn't placed a thousand backdoors elsewhere on GH? This could have been just the harmless shot across the bow. The real vulns being traded in the online underground market now (or in the near future)?
Seeing the comments he made days prior to this and also knowing what an appalling security vulnerability attr_accessible is I'm very pleased he did this. The issue needs to be addressed and for some reason everyone's been sweeping it under the carpet.
The guy was clear and reasonable in the earlier bugs and suggestions he posted and then simply escalated them (with no harm done) to illustrate the issue.
Frankly this is a whole lot less worrying than firesheep and way more easily addressable.
It is possible but why would he disclose it then if he was trading it on the black market? He kind of would have shot himself in the foot then since the vulnerability would be fixed and the price of it would go down to 0.
Actually, that was my original point. If he is already treated as a criminal and a hacker, might as well profit from it. Instead of trying to disclose it publicly and get treated as a criminal, might as well sell it on the black market, don't tell anyone about it and at least profit from all this work.
Agreed. He used an account trivially tied to himself, and posted publicly with his full name and picture on his blog explaining what he did, after having complained about the existence of this problem in public in the past (though apparently not specifically about Github).
He might have been stupid to do this, and a bit childish in his approach, but he did not go about it in a way that's reasonably interpreted as malice.
As a Github user, it angers me that they've responded in this way.
I think another issue is that as much as we adults want every white hat hacker to discreetly file a vulnerability report to a designated email address, teenagers just won't ever do this! That is just the way things are. When you are young, you want to brag about things publicly without really thinking about your actions. I also think a vast majority of teenage pen testers have illusions that their exploits will lead to job offers.
In my opinion: an appropriate response is that, once a talented teenager pen tester is identified, to pay some attention to him/her and guide their abilities. Maybe you can create a private bounty program for them and provide some rules to abide by or even teach them how to do things correctly in an adult world.
Suspending their account immediately might actually be a good initial slap on the wrist for a teenager. Going forward, I would reinstate their account after some guidance has been provided. Especially for someone who is such a fan of GH.
I think that Western countries have a culture of villainizing teenagers who have some technical ability in pen testing. This needs to change in a way that those talents are guided in a more positive direction. Rather than tasking FBI to send teenagers to jail, why not put these talents to work disrupting China's extensive cyber offensive? Maybe this is why China is kicking our collective butts in cyber security.
Yeah I expected this as many github-ers are also HNers and it looks like this PR battle is not theirs to win this time (there is some backlash happening). This is good, they listen to developers and I think that is a good decision. As ultimately developers are their customers (either independent ones or the ones working for large companies).
Well, this is not exactly what I expected to find in the ToS:
> GitHub, in its sole discretion, has the right to suspend or terminate your account and refuse any and all current or future use of the Service, or any other GitHub service, for any reason at any time. Such termination of the Service will result in the deactivation or deletion of your Account or your access to your Account, and the forfeiture and relinquishment of all Content in your Account. GitHub reserves the right to refuse service to anyone for any reason at any time
That means my company's code can be wiped out by GH at any time, for any reason. Please don't hurt me :(
> Verbal, physical, written or other abuse (including threats of abuse or retribution) of any GitHub customer, employee, member, or officer will result in immediate account termination.
What if a GitHub employee cuts me in traffic and I shout f--- you!? My account could be lawfully terminated if the guy finds my twitter handle.
God, I hate law. I'm sure github folks have good intentions and operate on good will, but reading this stuff gives me shivers.
> Verbal, physical, written or other abuse (including threats of abuse or retribution) of any GitHub customer, employee, member, or officer will result in immediate account termination.
That's not the alternative to law, that's an alternative to humanity's current state itself.
The alternative to law is "I've got a bigger stick, you shut your face or I do it for you", where "stick" is not a metaphor for lawyers on retainer but an actual stick.
That's an oversimplification. We have a big virtual stick, which we use to make some guys register what we want on paper and give other guys real big sticks so that they will tell us to do what we actually wanted. At least, that's how it's supposed to work, I guess. (And it's also an oversimplification.)
"give other guys real big sticks so that they will tell us to do what we actually wanted"
I think you mean so that they will tell other people to do what we wanted. Also, that doesn't change the fact that those with lesser power will be in a worse position to enact change. They will usually be on the losing end of "the stick".
> they will tell other people to do what we wanted
No, actually I meant us, but more as a whole. We all vote for laws that are mostly applicable to ourselves (except foreign policy). This is, of course, in theory.
I agree, though, that it's harder to enforce change if you don't have any perceivable stick. People in power can control elections, after all, and there's not enough transparency about what happens ‘at the top’.
No, with laws you can appeal them. You can argue with words (not fists). Decisions are made by neutral third parties. There are rules about what evidence is allowed to be used against you, both that the evidence has to be true and has to be obtained in a proper manner.
So the only difference is that there's some inane talking performed by some of the most highly paid people in society who argue not on morality but on stupid technicalities as a prelude to sticks being taken out and my fellow men and women being beaten.
Rationalisation is truly the root of all evil and you're falling for it. If violence is not OK then the context shouldn't dictate exemptions. Most members of society call it arrest when a police officer forcefully restrains someone and locks them in a cage. Some of us call a spade a spade and use the proper word for it, which is kidnapping. It's easy to side with the biggest gang in the land, everyone else does it, right?
These arguments are in the same vein as those used by the British to justify colonialism, which is that they built roads, rail and developed the economies of those countries. While true, it doesn't change the fact that a line was overstepped and the action was oppressive at its core. The effects of such actions ripple through the generations. And so it is with our legal system.
To protect (the rich from the poor) and serve (those with money).
Any legal system has flaws. But not having a legal system makes it an anarchy, and I would argue that that causes far more violence. The hope behind law is that it will not be violated. The theoretical underpinning of law that I support makes the point that law should reduce total violence.
If you say that violence is not OK, and context shouldn't dictate exemptions, can I believe that you think violence in self defense is wrong? If that is not your position, legal punishments seem to be that abstracted with respect to time, location, and direct facts.
Didn't have time to respond to the central points in your reply last time.
If you look at the statistics for the re-offending rate post-incarceration, you will find them to be alarmingly high. We have a system which is designed to reduce crime but does not do its job properly.
An anarchy does not imply chaos, merely a lack of hierarchy (the word's roots are "an" - not and "arkhē" - power, authority). The main argument for Anarchism is that power corrupts, so this system aims to rid a society of corruption by making it impossible to corrupt anyone by keeping everyone on the same level. It's mind boggling that the one political system which preaches absolute equality is often labeled as the most dangerous one, whereas a system which preaches greed and individuality at the cost of everyone else's welfare is "the best system we have".
Looking at the root causes of violence, theft of property and other oppressive actions, they appear to be caused by the inherent inequality of our socioeconomic system. For example, people with dopamine deficiencies tend towards delinquent behavior (e.g. stealing), dopamine deficiencies are caused by excessive drug use and drug use is caused by an inability to cope with one's environment. I would argue that all criminal issues are health issues at their core and that the legal system we currently have treats the effects and not the causes.
I think that a better system would only use violence as a last resort during a situation and never retroactively (e.g. stop a man from killing another man but don't use violence after the situation is defused, including arresting the person). When considering the point that these criminals are behaving in a violent way because they feel threatened and that the police officers are behaving in a violent way because they also feel threatened, it becomes hard to label either of them as good or bad. They're just reacting to their environment but they are, nonetheless, essentially in the same state and performing the same actions. They are, however, both ignorant of the true effects of their actions.
In other words, dig into the causes of crime and try to empathize with the criminals and you'll find that they aren't much different to everyone else, except in the way they have been treated.
Of course, there are edge cases where people are violent due to genetic defects and so are not treatable. I think that the only way to handle these cases is to legitimize their feelings and give them a way to vent without hurting anyone. Give them jobs as butchers or hunters or something.
Either way, driving mental health issues out of the mainstream and marginalizing these people makes it far harder to treat them properly and solve the problem. It's the same issue as with drug prohibition - some countries are finally starting to see drug use as a health, not criminal, issue and they are seeing huge benefits from this (e.g. Portugal). The next logical step is to start approaching other criminal issues in the same way.
> The law usually serves whomever has more money and power.
Not necessarily. Of course, when you need more money and power, that's why groups like the EFF exist. To fight for you.
> In the end, the masses are still powerless.
SOPA passed then, right? Please. This attitude of yours does more harm. Those with the "money and power" would love for you to think this way. Defeatism helps more than money.
As it stands, the law gives us amazing power.
That being said, GitHub has every right to dictate the conditions of their use. You, as a user, have a right to not use their service if you disagree. In fact, this allows competitors to provide their services to you (and there are competitors to GitHub).
That's certainly true for the code, but Github is more than just that. Think of the commit-comments, issues, pull requests, private messages and wiki pages. I guess you could create backups of most of these things with the API, but who does that?
I do. Well, not private messages, but the rest of it (including all the forks). Checked into branches of the git repository so any clone has all the data.
You still have it and all of its history on your own machine. Git is distributed, a central web-based repository like GitHub is useful but not needed. At all.
Remember when Zed Shaw took down GitHub for purely personal reasons, disturbing service for millions? I don't remember him getting suspended, his account is live and well at http://github.com/zedshaw
Did Zed do that on purpose, though? He was continuously added to a troll repo with no way to block the guy, so he spammed his repo with commits and fake branch merges, but I don't think he crashed GitHub on purpose.
Were his other actions (impersonating another user, compromising other accounts) also to demonstrate vulnerabilities or just unnecessary semi-malicious actions on his part?
They were not malicious but, imho, they crossed the line. It's not too difficult to justify something simple like opening a closed issue but once he did things that interfered with other people's accounts that's the point at which I feel no sympathy for him being suspended.
Downvoted for pointing out what the OP conveniently ignores? Or downvoted for daring to even appear to go against the hivemind?
Edit: I guess that answers that question. As pointed out in other threads the response to this has shown that HN is no different to other sites and not in a good way. I wasn't even being critical in my original comment but the very suggestion of dissent against the mainstream response is deemed non-conforming enough to warrant anonymous downvoting. That 'hivemind' mentality is the reason I left Reddit. At least others have pointed out this more eloquently than I in relation to this incident.
If you actually read my comments you would see I say the exact opposite - that it's easy to justify opening the issue. My original comment just highlighted the fact the parent conveniently left out details, simplifying the narrative intentionally in my opinion.
He didn't hack into any others' accounts, he simply (mis)used the service from his own. Suspending him is useless for security as he could set up another account in minutes.
I think the accounts mean organisations. For instance, he exploited this vulnerability to add his public key to the authorised rails user keys. He probably did this to two other "accounts". His exploit wasn't logging in or impersonating any other accounts AFAIK.
If I was in their shoes, I would have made the same call: he hacked into users' accounts and threatened to do more damage, quick, bust out the bargepole
I would be very concerned about this backfiring, but, I would hack Rails a little to report when anybody attempts to use this glitch and wire that into Hubot(TM), so if he does attempt to use this same hole again, the devs are warned instantly
There was a post about doing the pragmatic thing versus the right thing on HN a little while ago. I can't think of a better scenario to illustrate that than this.
By pushing him out you create moral hazard for future users who discover vulnerabilities. You also, in the near term, risk pissing off the guy who found the vulnerability which could result in very real blowback.
I'm basing this on the assumption that he didn't do anything malicious, i.e. outside his own account. If he did then his near-term risk profile changes dramatically and the move would have been rational.
Funny, I thought you were going to argue that the other way. That the "right" thing to do is start a dialogue with him, but the pragmatic thing is to ban his account at least until you sort things out on your end. Guess that just shows how tricky these issues are.
Given a hacker who found a vulnerability, exploited it within his account, and publicised it we can conclude that (1) he is smart (or lucky), (2) he does not pose an immediate malicious threat, and (3) he has the potential to become a serious problem.
Engaging with him carries the benefit of understanding the vulnerability while opening a dialogue that mitigates the hacker mutating into a serious problem. It carries the cost of not being able to claim, as GH did, that it pro-actively identified the vulnerability and thus looking weak. It carries the risk of giving the hacker time to rummage through more of the system.
Suspending him carries the benefit of being able to look strong while mitigating the risk of the hacker causing further damage. It carries the cost of losing a lot of emotional leeway and thus future conversational runway with the hacker. It thus increases the risk of him turning into a serious problem in the shadows. There is also the risk that future users who happen upon vulnerabilities will think twice about publishing their finding under their real name.
Given, as many here have pointed out, that he can create a new account and be equally damaging (the risk is a property of him, not his account), the suspension offers no tangible long-run benefit above that of managing perceptions. I don't know how sensitive GH's user base is to the perception of security.
The unknown here is whether GH has evidence that he acted maliciously, i.e. modified repos in accounts whose owners didn't give him permission to modify.
Suspending his account doesn't make any sense. He could easily sign up with another email account. Set up a new set of keys on another computer and he's back at it. GH should be working with him instead... he obviously knows what he's doing.
That is why this just seems like petty bureaucratic revenge. It looks good for PR purposes and placates other users ("look we got rid of the problem, the hacker has been eliminated").
I think it is more likely they need to verify that he only did what is currently known about and nothing else (such as if he had granted himself access to some private repos, for instance). Much safer to suspend/terminate his account first just in case. They are likely combing access logs, etc. Maybe they will reinstate it later after a review. Who knows other than Github.
It could also be to reduce legal culpability. If they left his account enabled and he had granted himself access, and later did more damage, they might be liable for negligence? Not sure. IANAL, etc.
His account has been reinstated, Github has patched their service, and the Rails team has committed a patch with new defaults. All in less than eight hours. Let's move on.
Think this was meant as a short term move. They got a patch out in an hour. Suspending his account at least stopped him for 5 minutes while they were working on it and prevented further immediate harm. Sure, anything over an hour it wouldn't stop him, but it sent a signal.
Can't say it is a douche move from GH since they are protecting their users' best interests. The facts are: Egor has a way to cause damage to GH. I don't think GH would sit there wondering whether he would do the ethical thing.
_If_ something had happened then the reaction would have been totally different. "Why didn't GH ban him when they could have before the damage was done?"
To be clear: we all had (past tense, as I'm assuming GitHub effectively fixed it) that "way to cause damage to GH"; it isn't a bug that Egor was hoarding, or that only he was in a position to exploit. You can argue all you want that he deserved to have his account banned (I might even agree with you, although I haven't come to a conclusion on that yet), but to claim that it was some kind of required protection that people would legitimately be able to complain about had they not done it is silly: he can still do the damage from a new account, and someone else can do that damage even if he didn't want to.
I'm sorry but I have to defend Egor here. Here's how you actually report a vulnerability, demonstrated by dfranke here on HN -> http://news.ycombinator.com/item?id=639976
What Egor did was to violate sensible disclosure rules. He should have contacted GitHub in private, created a test repo and demonstrated his exploit there, rather than impersonate users and compromise multiple accounts.
If I was in Github's shoes and I was trying to figure out what damage was done, the first step would be to suspend the account doing the damage to make sure no further surprises were headed my way.
What I would like to know is if this is permanent or just till github completes their security audit. It doesn't seem like homakov intended or caused any real harm, although it was a bit immature to draw attention to the vulnerability that way.
I think from a PR point of view with respect to the rest of the developer community you might have lost this one. You didn't eliminate the threat posed by him as an individual because he can create a new account.
(Note: as far as your enterprise or big-corp clients, you probably did the right thing, because that is what they would have done and that is what they expected. So if they are the clients who put bread on your table, then you have acted correctly)
What I think you could have done better (and I speak as a developer not a corporate client): issue a public note saying something to the effect of "Thanks for finding this out, maybe you'd like to interview with us. But please, everyone, do not do it this way, this is against TOS and most likely illegal. Here is the email where to report these things and we will make sure to give you full credit after we fix the problem".
A lot of the fire could have been cooled with the suspension notice being accompanied with (ideally preceded by) a personal note to Egor. The absence of that is what makes this seem more like a GoDaddy firing-from-the-hip move than a rationally thought out one.
The hacker reported the vulnerability responsibly but was ignored. Now you've suspended his account even though he did no harm. It looks from the outside like you suspended his account because he embarrassed you and doesn't have the public clout of someone like Zed Shaw, who also demonstrated a vulnerability (and, unlike this case, caused some downtime) yet faced no similar reprisal.
He didn't delete or break anything, yet got the issue raised and fixed near-instantly. That strikes me as responsible. Stop parroting buzzwords - nobody likes a pedant.
To be honest, rather than taking it out on an 18-year-old messing around for bragging rights, you really should have ripped a new one into the Rails people. They knew of this problem (two bug reports were filed and closed) and completely dropped the ball. Now, this kid was noisy but harmless, and he did report the bug; someone else might have found the same hole (or read the same bugs) and exploited it silently for weeks.
This was really the worst option: you've taught a kid to keep his mouth shut next time he finds a hole. It will be much safer for him to sell it on the black market for a quick buck.
I'm no Rails expert, but I tend to like the OpenBSD philosophy: if you ship with default options that are known to be insecure, you have a security bug.
I know security is always a trade-off, but when your largest and most famous testimonials, with all their mad skillz and street cred, still manage to get it so spectacularly wrong, it's clear that the core engine is as guilty as any other component.
That's what PHP programmers were saying for years regarding magic_quotes (which didn't actually make things less secure). That this is apparently the default behaviour of Rails... yeah, it's a security issue.
I see why you'd want to suspend his account while you are fixing the hole. And I can see that it sucks that you got caught in the crossfire. And that reporting the bug quietly instead of announcing it to the whole world would cause much less headache.
OTOH after reading the rails bug report I think that homakov's only option was to make a high profile demonstration and basically shame the Rails devs into fixing it. I realize that it's incredibly shitty for you, but I'm afraid they'd just write it off if he kept it quiet.
In case you didn't see his bio, he's 18 years old. I'm not a fan of what he did, but frankly, his behavior is probably better than mine would've been at that age + circumstance.
He clearly violated their Terms Of Service. If you like and enjoy a service, exploiting it to prove a point is not the way to do it. It takes no time to spot the clause about exploiting the service.
Legally, it wouldn't be good to have a TOS and then not enforce it. You never know how that could bite you later on if you get dragged into a dispute.
All this "they should give it back when they're done" is pointless. You can't reward stupid behavior.