
GitHub Hacked

samzenpus posted more than 2 years ago | from the crack-in-the-wall dept.

Security 202

MrSeb writes "Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. GitHub uses the Ruby on Rails application framework, and Rails has been weak to what's known as a mass-assignment vulnerability for years. Basically, Homakov exploited this vulnerability to add his public key to the Rails project on GitHub, which then meant that GitHub identified him as an administrator of the project. From here, he could effectively do anything, including deleting the entire project from the web; instead, he posted a fairly comical commit. GitHub summarily suspended Homakov, fixed the hole, and, after 'reviewing his activity,' he has been reinstated. Homakov could've gained administrative access to the master branch of any project on GitHub and deleted the history, committed junk, or closed or opened tracker tickets."


202 comments


That's what you get (5, Funny)

For a Free Internet (1594621) | more than 2 years ago | (#39247191)

That's what you get when you allow Italians like this guy on America's internet. Don't say I didn't warn you.

The remedy is that we all need to be more proactive about patronizing Wisconsin cheese and California wine.

Re:That's what you get (5, Funny)

dunkelfalke (91624) | more than 2 years ago | (#39247453)

Dude, it is far worse than you imagine. The guy is obviously Russian. The Russians are coming!

Re:That's what you get (0)

Anonymous Coward | more than 2 years ago | (#39247489)

Whoosh.

Re:That's what you get (0)

Anonymous Coward | more than 2 years ago | (#39247533)

Yea, uhhh, same to you.

No, that's what you get for using a dying language (5, Funny)

Barbara, not Barbie (721478) | more than 2 years ago | (#39247985)

... among other things.

Ruby on Rails - the perfect blend of poor performance (Ruby) and gaping holes (Rails).

What no Guantanamo Bay for him? (5, Insightful)

stillpixel (1575443) | more than 2 years ago | (#39247193)

Oh wait.. this is an open source community that understood what his intentions were and didn't have a knee-jerk reaction. What? I guess intelligence trumps mass panic and ignorance.

Re:What no Guantanamo Bay for him? (5, Insightful)

vlm (69642) | more than 2 years ago | (#39247331)

Oh wait.. this is an open source community that understood what his intentions were and didn't have a knee-jerk reaction.
What? I guess intelligence trumps mass panic and ignorance.

You have to realize this isn't some random dude, but a guy "well known" as having an octocat tattoo on his arm...

http://homakov.blogspot.com/2011/07/octocat-tattoo.html [blogspot.com]

Re:What no Guantanamo Bay for him? (5, Interesting)

timeOday (582209) | more than 2 years ago | (#39247427)

The real question is whether other more nefarious individuals preceded him undetected.

Re:What no Guantanamo Bay for him? (0)

Anonymous Coward | more than 2 years ago | (#39247577)

TBH I'm sure they have. This vulnerability has floated around closed circles for a long time...

Re:What no Guantanamo Bay for him? (1)

Anonymous Coward | more than 2 years ago | (#39247469)

So an octocat tattoo will protect people from being detained without trial in Guantanamo Bay?

Re:What no Guantanamo Bay for him? (1)

vlm (69642) | more than 2 years ago | (#39247615)

For those who don't get the "joke", he's about as close to being an insider as an outsider can be.
It would be kind of like Alan Cox posting a git commit in the 3.0 series using Linus's account for April Fools' Day. Although that's technically wrong, no one's going to freak out, or at least his odds of waterboarding are no greater than any other random innocent civilian: in other words too high in an absolute sense, but in a relative sense pretty low odds... Actually, putting this in writing probably ruins the chances of Alan and Linus doing this as an April Fools' joke...

Re:What no Guantanamo Bay for him? (1)

Anonymous Coward | more than 2 years ago | (#39247785)

Such is the power of the Octocat.

Re:What no Guantanamo Bay for him? (1)

pinfall (2430412) | more than 2 years ago | (#39247413)

Oh wait.. this is an open source community that understood what his intentions were and didn't have a knee-jerk reaction. What? I guess intelligence trumps mass panic and ignorance.

Incorrect assumption. Although there is a passive, appreciative community behind such an effort, you will see a joint effort by Italian, European and American authorities to eliminate this violation. Start with international wire fraud, malicious intent to harm, and move down the list to SOPA-like atrocities such as violating the terms of a website and you've got life in prison. Give them 5 more years of legislation and we'll have Texas-style hangings for these incredibly threatening comical hackers.

I heard a joke once: Man goes to doctor. Says he's depressed. Says life is harsh and cruel. Says he feels all alone in a threatening world. Doctor says,"Treatment is simple. The great clown Pagliacci is in town tonight. Go see him. That should pick you up." Man bursts into tears. Says,"But doctor... I am Pagliacci." Good joke. Everybody laugh. Roll on snare drum. Curtains.

Re:What no Guantanamo Bay for him? (0)

Anonymous Coward | more than 2 years ago | (#39247921)

Hey don't be so sure, there is likely a SWAT team outside his house in a few minutes.
Hell, anti-terror squad. He could be hacking with WMDs for all we know! THE HORROR!

GitHub hacked (0, Funny)

Anonymous Coward | more than 2 years ago | (#39247223)

So, somebody hacked into a computer system to gain access to open source software. Brilliant.

Re:GitHub hacked (5, Informative)

larry bagina (561269) | more than 2 years ago | (#39247367)

github paid accounts can have private repositories.

Re:GitHub hacked (2)

Electricity Likes Me (1098643) | more than 2 years ago | (#39247999)

Indeed, I know a few people who are working on some commercial software with one. This is kind of a big deal (although the risk that someone made subtle alterations to say, the Linux kernel, is also a very big deal).

Re:GitHub hacked (0)

Anonymous Coward | more than 2 years ago | (#39248195)

although the risk that someone made subtle alterations to say, the Linux kernel, is also a very big deal.

And would be spotted by GIT right on the first integrity check ...

Re:GitHub hacked (4, Informative)

rioki (1328185) | more than 2 years ago | (#39248493)

Actually not, if it is a legit commit as Linus... That is the extent he can fake any account...

Re:GitHub hacked (2)

jeffmeden (135043) | more than 2 years ago | (#39247493)

So, somebody hacked into a computer system to gain access to open source software. Brilliant.

If you can't imagine a way that unfettered access to *alter* an exceptionally popular piece of software, virtually undetected, would be useful to someone with unscrupulous intent, then good for you for being so pure of heart. However, in the rest of the world, access like that can be absolutely devastating.

Re:GitHub hacked (3, Interesting)

vlm (69642) | more than 2 years ago | (#39247845)

If you can't imagine a way that unfettered access to *alter* an exceptionally popular piece of software, virtually undetected

I can't imagine a way to do that with git. Sorry, it's just pretty hard to do, especially "virtually undetected". git just doesn't work that way. Probably a hell of a lot easier and more likely to succeed and frankly cheaper to get commit rights "the right way" and then sneak in 100 perfectly legit real world commits and just one with an intentional bug or issue or whatever. Now, if by "... alter ... popular ... software.." you mean something like modify the github site and user provided data itself to point to some images on some .ru domain that include yet another drive-by MSIE exploit, sure, that could probably have been done. But the git hosted projects are basically safe, assuming anyone is actually using them.

Which brings up an interesting attack vector, if you find generic abandoned mp3 player number 2352 on sf or github and "take it over" by whatever means, then you could put weird stuff into it without anyone noticing since no one git pulls it. This could be a problem.

Re:GitHub hacked (1)

gmuslera (3436) | more than 2 years ago | (#39247507)

Looked more like that showed a vulnerability on it.

The real danger is the ones that could have been exploiting it and didn't announce it... and then modified some obscure core component in a not very monitored repository to introduce a trojan or backdoor into some widely deployed open source software based on it (i.e. not sure if that problem would make it possible to mask a commit as one from a trusted and active developer).

Re:GitHub hacked (1)

cavreader (1903280) | more than 2 years ago | (#39247723)

The real danger was the people who knew of the vulnerability for quite a while and did nothing to fix it.

Nice hacker (1)

fluffythedestroyer (2586259) | more than 2 years ago | (#39247225)

Well, this is an ironic situation. Good thing he had good intentions lol. I find it funny that this guy hacked github and they fixed it. But seriously, shouldn't people hire hackers like him to make projects move faster? I sincerely believe that if they "work" together, projects would move faster for sure lol.

Re:Nice hacker (5, Informative)

vlm (69642) | more than 2 years ago | (#39247405)

I find it funny that since this guy hacked github

See, that's the problem. He didn't hack github. There is a wide open door in scaffolded rails apps. I am somewhat involved in rails development and even I know this, but "most people don't care". The problem in as few words as possible is a lack of input sanitization and/or is more or less the equivalent of allowing SQL injection. Makes for easy scaffolding and rollout. All you need to do is tell rails which attributes people should and should not be able to F with, which is trivially easy and impossible to default without turning rails into a fully cognitive AI system smarter than the programmers who refuse to declare which attributes are sensitive and which are not....

The phrases you don't know to google for are "mass assignment protection" and attr_accessible and attr_protected

http://enlightsolutions.com/articles/whats-new-in-edge-scoped-mass-assignment-in-rails-3-1 [enlightsolutions.com]

Re:Nice hacker (0)

Anonymous Coward | more than 2 years ago | (#39247743)

Mod parent up.

Re:Nice hacker (5, Insightful)

NonUniqueNickname (1459477) | more than 2 years ago | (#39248055)

This is NOTHING like lack of sanitizing or SQL injection.

Suppose your object has fields "name" and "is_special", and the web form only exposed "name" because "is_special" isn't supposed to be changed by regular users. The hacker who knows "is_special" exists, adds an "is_special" field to the web form on his browser and submits it. The developer probably uses "update_attributes" to process the form, and with default Rails settings it will commit the new "is_special" value to the database (properly sanitized, of course).

To prevent this, the developer may switch the settings to white-list, and provide a list of safe attributes for mass-assignment (update_attributes being one of the mass-assignment methods). Some people believe white-list mode should be the default settings. The hacker, probably being one of these people, found a great way to make his point that even seasoned Rails developers could use a push towards using white-lists.
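The hole vlm and NonUniqueNickname describe above, as an added example that is not Rails' own source or GitHub's code: a stand-alone Ruby stand-in for an ActiveRecord model whose update_attributes mirrors Rails 3.x mass-assignment semantics (no whitelist by default; attr_accessible to declare one; the default sanitizer silently drops protected attributes, while config.active_record.mass_assignment_sanitizer = :strict raises). The model name, the fields title, key and user_id, and the attacker tampering with user_id are assumptions for illustration; the page does not say which GitHub field Homakov changed, only that the result was his key being attached to a project he did not own.

```ruby
# Added example (not Rails code): a minimal stand-in for an ActiveRecord
# model that mimics Rails 3.x mass-assignment semantics, so the hole and
# the attr_accessible fix can be run side by side without Rails.
class MassAssignmentError < StandardError; end

class Model
  class << self
    # Whitelist, like Rails' attr_accessible. nil means "no whitelist":
    # every column is mass-assignable, which was the Rails 3.x default.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    def accessible
      @accessible
    end

    # :drop mimics the default sanitizer (silently ignore the attribute);
    # :strict mimics config.active_record.mass_assignment_sanitizer = :strict.
    attr_writer :sanitizer

    def sanitizer
      @sanitizer || :drop
    end
  end

  attr_reader :attributes

  def initialize(attributes = {})
    @attributes = attributes.transform_keys(&:to_s)
  end

  # The mass-assignment entry point, like update_attributes(params[:key]).
  def update_attributes(params)
    params.transform_keys(&:to_s).each do |name, value|
      if assignable?(name)
        @attributes[name] = value
      elsif self.class.sanitizer == :strict
        raise MassAssignmentError, "Can't mass-assign protected attribute: #{name}"
      end
      # :drop mode falls through and ignores the attribute
    end
    self
  end

  private

  def assignable?(name)
    allowed = self.class.accessible
    allowed.nil? || allowed.include?(name)
  end
end

# Hypothetical key-upload model with no attr_accessible declaration:
# whatever the browser sends is written to the record.
class UnprotectedKey < Model; end

# Same model with a whitelist of the fields the form is meant to set.
class ProtectedKey < Model
  attr_accessible :title, :key
end

# Constructed request body: the form only has title and key, but the
# attacker adds a user_id field in the browser (hypothetical field name).
TAMPERED_PARAMS = {
  "title"   => "my laptop",
  "key"     => "ssh-rsa AAAAB3Nza...",
  "user_id" => 1,        # some other user's id
}.freeze

CURRENT_USER_ID = 42

# The controller would create the record for the logged-in user and then
# mass-assign the form data on top. Returns who ends up owning the key.
def owner_after_update(model_class, params = TAMPERED_PARAMS)
  record = model_class.new("user_id" => CURRENT_USER_ID)
  record.update_attributes(params).attributes["user_id"]
end

# In strict mode the request fails loudly instead of silently dropping
# the forbidden attribute.
def strict_mode_rejects?(params = TAMPERED_PARAMS)
  ProtectedKey.sanitizer = :strict
  ProtectedKey.new("user_id" => CURRENT_USER_ID).update_attributes(params)
  false
rescue MassAssignmentError
  true
ensure
  ProtectedKey.sanitizer = :drop
end

if __FILE__ == $PROGRAM_NAME
  puts "unprotected owner: #{owner_after_update(UnprotectedKey)}"  # attacker's choice
  puts "protected owner:   #{owner_after_update(ProtectedKey)}"    # still 42
  puts "strict rejects:    #{strict_mode_rejects?}"
end
```

The whitelist is the real fix; the sanitizer mode only decides whether a tampered request is dropped quietly or surfaces as an error you can log and alert on. In a real app the ownership field should never come from the form at all: set it from the session on the server side, as the constructor above does, and keep it out of attr_accessible.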

gnu gift does that (-1)

Anonymous Coward | more than 2 years ago | (#39247239)

Its been around for years

http://www.gnu.org/software/gift/

Re:gnu gift does that (0)

Anonymous Coward | more than 2 years ago | (#39247571)

duuuuude, wrong thread

Yet another reason... (0, Troll)

Anonymous Coward | more than 2 years ago | (#39247241)

...to never use Ruby on Rails or trust any developer who uses it. Such a horrid framework backed by the most elitist pricks I've ever seen. I'm glad they got hacked. The more negative press they get the better. Kick those faux devs out on to the street.

To those Mac fanboys out there who think they are "developers". Grow up, use a real OS, and use a real goddamn language and framework.

Also, GitHub sucks. This should be obvious by their choice of framework to run their site.

Linux security or trust (0, Insightful)

Anonymous Coward | more than 2 years ago | (#39247243)

This lowers the trust of the Linux source a notch. Who can really go over every line of code in the source to make sure someone hasn't already snuck in something malicious years ago?

Although the advantage of open source is that more eyes can go over it.

Re:Linux security or trust (0)

Andy Dodd (701) | more than 2 years ago | (#39247477)

What does this have to do with Linux? The vulnerability was in Rails - and I must say, the attitude of the Rails developers of "We don't have to make the defaults restrictive - let the user secure their app" is a poor one.

Oh, the linked commit is not the only funny one - after this guy's initial report was blown off by the Rails team - https://github.com/rails/rails/issues/5239 [github.com]

Re:Linux security or trust (0)

Anonymous Coward | more than 2 years ago | (#39247835)

What does this have to do with Linux?

2nd line of the summary:

to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others.

Re:Linux security or trust (5, Informative)

TheRaven64 (641858) | more than 2 years ago | (#39247957)

That's idiocy on the part of the submitter. Linux is mirrored on github, and it was the authoritative repository for a while after kernel.org was hacked, but now it is not the authoritative repository and patches from there will not be pulled into the official tree unchecked.

Re:Linux security or trust (0, Redundant)

Anonymous Coward | more than 2 years ago | (#39247645)

Nice FUD you got there. Be a shame if anything were to happen to it...

Every patch added to the Linux kernel is (and always has been) reviewed, scrutinized, tested, and prodded by some of the best system programmers in the world. And there's an informal web of trust in place as well. Joe Random Hacker can't just pop up one day and toss a patch over the fence and get it accepted into the mainline kernel. Linus does not accept code from a developer who doesn't have some kind of track record in the community. (Or one who isn't sponsored/mentored by the same.) It's not foolproof (we still have occasional bugs and security vulnerabilities), but it has worked quite effectively for 20 years.

Also, github is not where the main kernel development happens.

Finally, since it's impossible to add something to a git repository without it appearing in the logs (regardless of the github website's security flaws), it would be trivial to simply revert a questionable patch.

Re:Linux security or trust (4, Informative)

Anonymous Coward | more than 2 years ago | (#39247687)

That is rather easy to answer. Git is a distributed version control system such that you can't make changes without it being noticed by the real authors. See ... http://git-scm.com/about ... for a better explanation. To get something malicious into the code you will need to get into the primary lieutenants source trees.

Re:Linux security or trust (4, Informative)

Kjella (173770) | more than 2 years ago | (#39247703)

The master branch isn't on github, if there was any tampering a trivial check against Linus' master branch would see if there'd been any extra git commits. Nobody has to go through more than that. By the way, it's also impossible to insert an "old" commit in git because you'd have to reapply every subsequent patch and all the ids would change. But I guess that you're scaremongering and the mods are either clueless or feeding the troll.

Re:Linux security or trust (4, Funny)

pankkake (877909) | more than 2 years ago | (#39247907)

Thankfully, no serious projects are hosted on GitHub.

Re:Linux security or trust (4, Informative)

autocracy (192714) | more than 2 years ago | (#39248135)

This was brought up when kernel.org was compromised last year. The decentralized nature of git makes that really hard to sneak by, especially if you use the kind of process controls that the Linux kernel uses. Legitimate commits go through maintainers, and maintainers will definitely flip if they see code pulls into their repository that they didn't commit. Some deeper discussion about how you can't just sneak things into the past history is here: http://security.stackexchange.com/a/6771/836 [stackexchange.com]

Re:Linux? Since when? (2)

miknix (1047580) | more than 2 years ago | (#39248271)

"Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others.

Linux??? Can we mod summary as troll? Linux has its origin repository in kernel.org and is distributed over cloned repositories all over the world including my laptop. One can't simply inject a commit into one of those repositories (such as github) and expect it to automatically propagate into kernel.org.

Furthermore, even if you manage to inject a commit into some random project at Github, high are the chances that it would be detected by another developer. Who commits to a repository without reading the commit history?
Now, this Rails vulnerability is rather serious and deserves attention but this article is just plain FUD against github. Congratulations!

Re:Linux security or trust (1)

MightyYar (622222) | more than 2 years ago | (#39248389)

Who can really go over every line of code in the source to make sure someone hasn't already snuck in something malicious years ago?

Your local repository of git?

Strategic software (5, Insightful)

aglider (2435074) | more than 2 years ago | (#39247247)

I think it's time to think about repository for strategic software, like Linux, GCC and so on.
Such a hacking can compromise a large part of the internet. Because someone can introduce backdoors, the nasty ones I mean, so deep to evade any check.

Re:Strategic software (3, Insightful)

cr_nucleus (518205) | more than 2 years ago | (#39247605)

Such a hacking can compromise a large part of the internet. Because someone can introduce backdoors, the nasty ones I mean, so deep to evade any check.

Well, as far as git goes, you can't make changes undetected because all commits are signed and all clones of a repository have the whole history log.

Re:Strategic software (3, Interesting)

FunkyELF (609131) | more than 2 years ago | (#39247629)

I think the use of Git makes it pretty safe to begin with.
If someone gained access to do commits to what people consider as the "master" repo, any tampering would have to be done at the head because of all the hashes.
Hopefully the maintainer would realize this the next time they go to push to it Git would tell them that the remote is ahead of them by X commits.
In the case of Linux, I think Linus is the only one who pushes to the master branch, so he would notice.

No way (1)

Anonymous Coward | more than 2 years ago | (#39247715)

Not with git.

Git is designed from the start to make any such messing with the source code instantly evident. That's because every developer has a full copy of the source code _and_ history, cryptographically signed. So if anybody changed a comma in any file it will be _immediately_ evident. Much more than a red cloud around you in a public pool. It also makes losing the history of the code virtually impossible (I mean git, not the red stuff around you).
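The property the comments above lean on (Kjella's "a trivial check against Linus' master branch", FunkyELF's "because of all the hashes", and the "No way" reply), as an added example that is not git's own code: a toy Ruby model of git's commit graph in which, as in git, a commit id is the SHA-1 over the tree id, the parent id, the author line and the message, so one id transitively covers the whole history behind it. It shows the check Kjella describes (which commits does a mirror carry that the authoritative tree does not), why an old commit cannot be quietly altered, and the caveat rioki raises earlier in the thread: a commit appended at the head with a forged author line hashes perfectly well, because commit ids are hashes, not signatures. Authorship needs an out-of-band comparison against the authoritative tip, or GPG-signed tags or commits. The authors, messages and trees are constructed; the real git object format also carries committer lines and timestamps, which this toy omits.

```ruby
require "digest"

# Added example (not git's code): a toy model of git's commit graph. As in
# git, a commit id is the SHA-1 of the object content, which includes the
# parent id, so an id transitively covers the entire history behind it.
Commit = Struct.new(:id, :parent_id, :author, :message, :tree)

def commit_id(parent_id, author, message, tree)
  body = "tree #{tree}\nparent #{parent_id || 'none'}\nauthor #{author}\n\n#{message}"
  Digest::SHA1.hexdigest("commit #{body.bytesize}\0#{body}")  # git-style object header
end

def make_commit(parent, author, message, tree)
  pid = parent && parent.id
  Commit.new(commit_id(pid, author, message, tree), pid, author, message, tree)
end

# Build a linear history, oldest first, from [author, message, tree_contents].
def make_history(entries)
  history = []
  entries.each do |author, message, tree_contents|
    tree = Digest::SHA1.hexdigest(tree_contents)  # stand-in for the tree object id
    history << make_commit(history.last, author, message, tree)
  end
  history
end

# Constructed history standing in for the authoritative (kernel.org) tree.
AUTHORITATIVE = make_history([
  ["Linus Torvalds", "Linux 3.3-rc1", "v3.3-rc1 sources"],
  ["A. Maintainer", "net: fix checksum handling", "rc1 + net fix"],
  ["Linus Torvalds", "Merge branch 'net'", "rc1 + net fix, merged"],
]).freeze

# Re-derive every id from its content and parent, like git fsck. Detects
# objects edited in place; says nothing about who made the commits.
def chain_valid?(history)
  history.each_with_index.all? do |c, i|
    expected_parent = i.zero? ? nil : history[i - 1].id
    c.parent_id == expected_parent &&
      c.id == commit_id(c.parent_id, c.author, c.message, c.tree)
  end
end

# The check Kjella describes: commits the mirror has that the authoritative
# repository lacks (what `git rev-list authoritative/master..mirror/master`
# would list). Empty means the mirror carries nothing extra.
def extra_commits(authoritative, mirror)
  known = authoritative.map(&:id)
  mirror.reject { |c| known.include?(c.id) }
end

# Attack 1: alter an old commit. Every commit from that point on has to be
# re-hashed, so all later ids change and the mirror diverges visibly.
def rewrite_past(history, index, new_message)
  rebuilt = history[0...index]
  history[index..-1].each_with_index do |c, i|
    rebuilt << make_commit(rebuilt.last, c.author, i.zero? ? new_message : c.message, c.tree)
  end
  rebuilt
end

# Attack 2: append a commit at the head with a forged author line. The
# chain is valid, so hashes alone do not prove authorship; only comparing
# against the authoritative tip (or a signed tag) exposes it.
def append_forged(history, author, message, tree_contents)
  history + [make_commit(history.last, author, message, Digest::SHA1.hexdigest(tree_contents))]
end

# Attack 3: edit an object in place without re-hashing. The id no longer
# matches the content, so an integrity check fails immediately.
def edit_in_place(history, index, new_message)
  copy = history.map(&:dup)
  copy[index].message = new_message
  copy
end

if __FILE__ == $PROGRAM_NAME
  rewritten = rewrite_past(AUTHORITATIVE, 1, "net: fix checksum handling (plus an off-by-one)")
  forged    = append_forged(AUTHORITATIVE, "Linus Torvalds", "Merge branch 'fixes'", "rc1 + backdoor")
  puts "rewritten past: #{extra_commits(AUTHORITATIVE, rewritten).size} ids differ, chain valid=#{chain_valid?(rewritten)}"
  puts "forged head:    #{extra_commits(AUTHORITATIVE, forged).size} extra commit, chain valid=#{chain_valid?(forged)}"
  puts "edited in place: chain valid=#{chain_valid?(edit_in_place(AUTHORITATIVE, 1, 'innocent'))}"
end
```

The practical reading: a maintainer who compares a mirror's tip against the tree they actually pushed (or who sees "remote is ahead by N commits" on their next push, as FunkyELF notes) catches both the rewritten past and the forged head, but only because they hold an independent copy to compare against. Hashes alone only catch the third case.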

Hacked vs Cracked (-1, Troll)

qrwe (625937) | more than 2 years ago | (#39247255)

Please respect this, once and for all, when posting stuff like this: "Hacking" is NOT "Cracking"! http://www.geek.com/forums/topic/hacking-and-cracking [geek.com]

Re:Hacked vs Cracked (-1)

Anonymous Coward | more than 2 years ago | (#39247293)

I refuse! He was hacking, hacking, hacking!
 
Seriously guy? Let it go. No one who cares knows and no one who knows cares.

Re:Hacked vs Cracked (0)

Anonymous Coward | more than 2 years ago | (#39247549)

I care.

I host projects on github. I'm glad someone like him figured it out in a decent way instead of some scumbag criminal.

Re:Hacked vs Cracked (0)

Anonymous Coward | more than 2 years ago | (#39247377)

The word means what it means now. Sorry. Hacking and cracking are the same thing now. The word's meaning has changed. You can thank 30 years of Hollywood movies and 24 hour news for that.

The 'maker' community really shows more what 'hacker' used to mean. You can still use 'that is a cool hack'. But hack, that even has changed to mean 'quick and dirty will probably break at some point'. If one of my co-workers say to me 'i hacked this together' it is usually followed quickly by 'it will probably break'.

You are going to have to let it go, or change Hollywood's mindset and all the news networks' mindset in using the 'proper' word (good luck with that).

Re:Hacked vs Cracked (1)

schnikies79 (788746) | more than 2 years ago | (#39247397)

Words change. Either move on with everyone else or be left behind.

Your choice.

Re:Hacked vs Cracked (0)

Anonymous Coward | more than 2 years ago | (#39247543)

I choose left behind.

Re:Hacked vs Cracked (0)

Anonymous Coward | more than 2 years ago | (#39247705)

Dafenatily.

Re:Hacked vs Cracked (2)

nigelegin (2012434) | more than 2 years ago | (#39247415)

In this situation, the term hacking is the correct usage of the term. As per your posted link,

"Hackers will sometimes do questionable legal things, such as breaking into systems, but they generally will not cause harm once they break in."

Homakov only made superficial changes to allow him to commit a snide remark to illustrate and publicize the inherent weakness in a cloud storage system used by many independent developers and commercial entities.

In almost any other situation I would side with you on the horrible misuse/overuse of the term "hacking".

Re:Hacked vs Cracked (1)

vlm (69642) | more than 2 years ago | (#39247491)

the inherent weakness in a cloud storage system

You may want to look at what he actually did. The problem is people who don't understand "mass assignment protection" dumping rails apps on the internet with CRUD functionality and "sensitive" portions of the data.

There's an inherent conflict between just being able to scaffold something up "instantly" and keeping certain attributes locked away from the average users, and this inherent conflict has never been decisively resolved. Any time you have a tool that makes it easy to CRUD, you're going to end up with people going too far and not protecting anything. Going crazy and locking it down is just going to make the 99% of users who don't need it fork, and the 1% who do need it only putting in enough effort to re-open it.

Re:Hacked vs Cracked (1)

Anrego (830717) | more than 2 years ago | (#39247769)

At this point this is practically a troll.

The battle is over and we lost. Insisting on differentiating between hacking and cracking is just silly now. The word never caught on and never will.

Re:Hacked vs Cracked (1)

qrwe (625937) | more than 2 years ago | (#39247847)

It is not troll. A spade is always a spade, whatever else you may want to call it.

AH, STUPID MOTHERTRUCKERS !! (-1)

Anonymous Coward | more than 2 years ago | (#39247299)

I mean, stupid motherfuckers !! It's idiots like them that that gets idiots like YOU get OWNED !!

distributed (5, Insightful)

StripedCow (776465) | more than 2 years ago | (#39247307)

Fortunately, git is a distributed version control system, meaning that, usually, there is a copy of the sources and history information elsewhere.

Re:distributed (0)

Anonymous Coward | more than 2 years ago | (#39247579)

Extra, it has SHA-1 hash, so the intrusion is easily detectable.

Re:distributed (0)

MadKeithV (102058) | more than 2 years ago | (#39247807)

Fortunately, git is a distributed version control system, meaning that, usually, there is a copy of the sources and history information elsewhere.

The truly malicious might blatantly compromise the main repository, and "helpfully" provide poisoned recovery source from multiple already-compromised external sources.

Re:distributed (0)

Anonymous Coward | more than 2 years ago | (#39248515)

you don't have any idea how GIT works, do you ? or maybe you are FUDding ?

two words: distributed [wikipedia.org] and Cryptographic authentication of history [git-scm.com]

Re:distributed (2)

MadKeithV (102058) | more than 2 years ago | (#39248665)

you don't have any idea how GIT works, do you ? or maybe you are FUDding ?

two words: distributed [wikipedia.org] and Cryptographic authentication of history [git-scm.com]

No, I have no idea how the cryptographic details of GIT work - I was responding to the information in the post above mine with a hypothetical evil genius scenario in my limited understanding of DVCS (i.e. copies of stuff in multiple places). I am happy to read that it seems the developers of GIT are smarter than those that developed Sourcesafe. Which isn't a herculean feat.

I felt a great disturbance in the Force (5, Funny)

Anonymous Coward | more than 2 years ago | (#39247311)

...as if millions of voices suddenly cried out from coffee shops in terror and were suddenly pwned. I fear something terrible, and totally predictable, has happened.

Just wait a few years, Ruby on fails will strike back!

Yeah, Ruby sucks (0)

Anonymous Coward | more than 2 years ago | (#39247315)

In a related story, the sun rose in the east today.

Gosh, Github.com runs Linux: Isn't it 'secure'? (-1)

Anonymous Coward | more than 2 years ago | (#39247333)

Apparently not, and despite all the years of bullshit on /. that Linux = Secure, is just that - complete bullshit, & this is just another example thereof.

http://uptime.netcraft.com/up/graph?site=github.com [netcraft.com]

Complete bullshit, to further the agendas of the desperate (who have only 1.19% of marketshare on PC Server & Desktops vs. Windows' 95% or better)...

ANDROID on smartphones does the rest (and it IS a Linux) and there's NO QUESTION it's being "shredded" on the security front too (and yet /.'er propaganda for DECADES NOW says Linux = Secure? LMAO, bullshit!).

Truth on /. get moddowns in effete retaliation? (-1)

Anonymous Coward | more than 2 years ago | (#39247425)

That's the "best you've got" vs. truths here -> http://it.slashdot.org/comments.pl?sid=2707867&cid=39247333 [slashdot.org]

Re:Gosh, Github.com runs Linux: Isn't it 'secure'? (0)

Gaygirlie (1657131) | more than 2 years ago | (#39247463)

Whoa, whoa, someone really goes on a tangent there! You're saying that if there's for example a security vulnerability in e.g. Spotify I can just go around saying it just proves how insecure whole Windows is?

No, this isn't a security vulnerability in Linux, this was a vulnerability in Github's Ruby on Rails installation, nothing more. Ruby on Rails is usable on multiple platforms, too, so this would have been just as big a security issue if they ran it on Windows.

Geesh, you ACs and your ignorant comments..

Cut your bullshit please (-1)

Anonymous Coward | more than 2 years ago | (#39247755)

Github.com runs Linux, and everyone here says Linux = Secure. How come they were broken into then? Don't they KNOW how to write secure code and secure the OS?? Apparently not.

(The funniest part is you're making EXCUSES, nothing more)

Especially after all those years-to-decade here of "Linux is Secure" b.s., that this breakin (amongst others such as this too with the Linux sourcecode repository @ KERNEL.ORG being broken into also in the not too distant past -> http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/ [theregister.co.uk] ) exemplifies as pure bullshit.

"Geesh, you ACs and your ignorant comments.." - by Gaygirlie (1657131) on Monday March 05, @09:52AM (#39247463) Homepage

Geesh, you Penguins and your ignorance of how to secure an Operating System and/or server OR how to write secure code... ANDROID only proves MORE OF THE SAME, period.

Re:Gosh, Github.com runs Linux: Isn't it 'secure'? (0)

Anonymous Coward | more than 2 years ago | (#39248709)

Peter, APK, my love,

You forgot to sign your incoherent rant, that's unusual, especially as per you vs. your mad yourself

Your Precious

it could have been worse (0)

NynexNinja (379583) | more than 2 years ago | (#39247337)

he could have added a one character integer overflow to net/ipv4/tcp_input.c

The response of 99.9% of humanity: (2, Insightful)

tpstigers (1075021) | more than 2 years ago | (#39247341)

What's GitHub?

Re:The response of 99.9% of humanity: (5, Insightful)

Lunaritian (2018246) | more than 2 years ago | (#39247371)

This is Slashdot, the 99.9% doesn't come here

Re:The response of 99.9% of humanity: (5, Funny)

project5117 (2550152) | more than 2 years ago | (#39247445)

This is Slashdot, the 99.9% doesn't come here

Slashdot, home of the 0.1%.

Re:The response of 99.9% of humanity: (1)

vlm (69642) | more than 2 years ago | (#39247529)

This is Slashdot, the 99.9% doesn't come here

Getting close, UID 2018246, I see that 1e9*0.001 = 6000000 so apparently you show we're more than 1/3 of the way there... What is the largest /. UID and how does it compare to six million? I donno how to account for astroturfing and spam and gnaa accounts, on the other hand lots of people read and few open accounts to write, so we're probably breaking into the 99.9% range.

Re:The response of 99.9% of humanity: (1)

gnapster (1401889) | more than 2 years ago | (#39247947)

Plus, the number is probably slightly inflated by slashdot users who periodically create new accounts just to check and see the current count.

Also, Don't forget the 0.0001 * $WORLD_POPULATION accounts that are owned by Michael Kristopeit.

Re:The response of 99.9% of humanity: (0)

Anonymous Coward | more than 2 years ago | (#39248153)

And don't forget the zillions of neglected ACs!

I feel like Zoidberg around here sometimes.

Re:The response of 99.9% of humanity: (1)

specific (963862) | more than 2 years ago | (#39247555)

You must be new here.

Re:The response of 99.9% of humanity: (0)

Anonymous Coward | more than 2 years ago | (#39247373)

Why do you read slashdot?

The response of 99.9% of Web Developers (1)

tommeke100 (755660) | more than 2 years ago | (#39247565)

Matt Damon

Real Hacker (5, Insightful)

stanlyb (1839382) | more than 2 years ago | (#39247355)

This guy is very good example of what the real hacker is, and what they should be. Kudos man.

Re:Real Hacker (-1)

Anonymous Coward | more than 2 years ago | (#39247535)

This guy is very good example of what the real hacker is, and what they should be. Kudos man.

No. Just no. I believe the way this is supposed to work (depending on whether it is the site config that is bad (a) or the source that needs fixing (b)) is:
a. Notify the site that a problem with security exists and show them how it could be exploited. Not do something childish and make "comical commits".
b. If you know how, create a patch to fix the problem and submit it for review. If you don't know how to fix it, notify the project of the problem and how it can be exploited.

Just because it is open source is no reason to go about it in a childish manner.

Re:Real Hacker (5, Informative)

Anonymous Coward | more than 2 years ago | (#39247789)

Yes. Just yes.

He did a. They ignored him.

He did b, too. He filed a ticket. The ticket got closed, just like that.

He could've just done nothing and waited for someone to mess up Github. Instead he shouted louder.

More props to this guy.

And btw his Octocat tattoo is henna (meaning fake, not a real tattoo), to all you attention-deficit idiots.

Re:Real Hacker (0, Flamebait)

Anonymous Coward | more than 2 years ago | (#39248501)

And btw his Octocat tattoo is henna (meaning fake, not a real tattoo), to all you attention-deficit idiots.

On behalf of all the attention-deficit idiots, I would like to thank you for the pedantic douchebag side of the story. It really adds to the conversation.

Re:Real Hacker (0)

Anonymous Coward | more than 2 years ago | (#39247795)

Wow, you really have no idea how this works do you?

a. Notify the site that a problem with security exists and show them how it could be exploited. Not do something childish and make "comical commits".

Until you can prove that the server side application IS vulnerable to your attack, you have no proof.
If you called General Motors this morning, and told them that you "knew of a possible attack vector" for their brand new webapp, they'd hang up the phone on you.
Commit a comical change to the app at the highest level you have access to, and leave a calling card: you'll get a call back from their department head in a few hours.

b. If you know how, create a patch to fix the problem and submit it for review. If you don't know how to fix it, notify the project of the problem and how it can be exploited.

Just because you know how to exploit a vulnerability, does not require you to "be the good person" to fix it. All you should do as someone concerned about the security of someone else is let them know how you did it.
If they can't solve the issue and would LIKE you to assist them in fixing it; they'll ask.

This is all just common sense. If I walked up to you on the street and took your picture, I expect you wouldn't want me trying to tell you "how to prevent this happening in the future" and "I think you have a problem with people taking pictures of you"

Re:Real Hacker (0)

Anonymous Coward | more than 2 years ago | (#39247861)

He did that and, being rails devs, they blew him off...

https://github.com/rails/rails/issues/5228 [github.com]

Just because it is open source is no reason to go about it in a childish manner.

When dealing with children..

All kidding aside, I think this was just the right amount of childish for the situation. I loved it!

Re:Real Hacker (5, Informative)

Anrego (830717) | more than 2 years ago | (#39247925)

Except he did both a and b, and they basically told him to go pound sand.

c. Demonstrate the vulnerability in a somewhat childish yet harmless and hilarious manner. Give everyone a good laugh, raise more awareness of the issue, and give the rails yet more security related black eyes!

Seems reasonable enough to me!

Lucky it was a white hat (1)

GameboyRMH (1153867) | more than 2 years ago | (#39247441)

That could've gone a lot worse...and to think many stupid countries are trying to make such benevolent activities illegal.

Surprise (0)

Anonymous Coward | more than 2 years ago | (#39247451)

These days the only way to get some guys to fix their code is to pwn it.

rails people (0)

Anonymous Coward | more than 2 years ago | (#39247501)

https://github.com/rails/rails/issues/5228
is a very sad thing to read. Basically, he reported this really awful default behavior days ago, and got brushed off by rails maintainers.

The devs were notified and ignored it (5, Interesting)

dnwq (910646) | more than 2 years ago | (#39247545)

The best thing is this comment by a developer closing Homakov's original bug report [github.com], two days before Homakov hacked in:

fxn commented 3 days ago

There was a proposal about changing that flag in #4062 and the consensus is the pros of the default configuration outweigh the pros of the alternative.

Thanks!

Apparently GitHub's own admin isn't "pro" enough...

Re:The devs were notified and ignored it (2)

MadKeithV (102058) | more than 2 years ago | (#39247775)

Apparently GitHub's own admin isn't "pro" enough...

I tried reading that thread but the language is convoluted and I know next-to-nothing about rails - am I reading it right - the devs were essentially saying "pro users know how to secure their installs!" and then got pwned themselves with the exact hack that Homakov had reported?

Re:The devs were notified and ignored it (4, Interesting)

dnwq (910646) | more than 2 years ago | (#39248031)

Not precisely right: the devs were saying "good users know how to secure their installs" and then Homakov demonstrated just how untrue this was by breaking into what is probably the world's most important and professionally-run Ruby on Rails server, i.e., GitHub. That Rails itself is hosted on GitHub just makes it funnier.

I LOL'ed. (0)

Anonymous Coward | more than 2 years ago | (#39247573)

"To use the find_mass_assignment plugin, simply install it from GitHub as follows:"

lol.

I'll just put this here (1)

eternaldoctorwho (2563923) | more than 2 years ago | (#39247625)

Aliens. [memegenerator.net]

Well *All* the code is fine. (1)

Anonymous Coward | more than 2 years ago | (#39247635)

Fortunately, GIT itself, which is a replicated central code revision system, isn't vulnerable to single point repository attack. Thus, he could've injected something, but *any* of the developers would've noticed when they tried to sync local and remote repos. (In fact, this is probably how his commit was discovered.)

So, for all you worry-warts complaining about possible code injections into src, there shouldn't be anything to worry about.

WTF were they smoking? (5, Insightful)

miketheanimal (914328) | more than 2 years ago | (#39247989)

OK, the blog is slashdot'd at the moment, but let's see if I have this right. Basically, you take an active record and just copy values from the POST data into it and then save it ... and this is the default behaviour? Do I have that right because, if so .... .... dear god, what were the ruby-on-rails people smoking when they thought that was a clever idea, it puts ROR on a level with PHP and its magic global variables. Not only that, but what were the github people smoking, the same? Using an insane facility is doubly insane. Methinks a lot of people need to go and read some web design stuff and realise that active records (or models - django users take note) are not synonymous with the "Model" (business logic) in MVC.
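The comment above describes the mechanism exactly: the request body is copied column-for-column into the record. The following is an added example, not code from this thread, from Rails or from GitHub, written in plain Ruby so it runs without Rails installed. It models the vulnerable default beside the attribute whitelist that Rails offers (the `attr_accessible` declaration per model, and the global `whitelist_attributes` setting the developers in the linked issue were discussing, which makes a model with no declared whitelist fail closed). The class, attribute and parameter names, and the tampered request body, are constructed for illustration.

```ruby
# Added example (not code from the thread, from Rails or from GitHub): a
# plain-Ruby model of ActiveRecord-style mass assignment, showing why copying
# the whole params hash into a row is dangerous and how a whitelist contains it.
# Names below are constructed for illustration.

# Minimal stand-in for a database row: a hash of column name => value.
class Record
  attr_reader :attributes

  def initialize(attributes = {})
    @attributes = attributes.transform_keys(&:to_s)
  end
end

# The vulnerable default: every key in the request body is written to the row,
# so any column whose name the client guesses becomes client-controlled.
def unsafe_mass_assign(record, params)
  params.each { |k, v| record.attributes[k.to_s] = v }
  record
end

# The hardened form: only attributes the model declares as accessible are set.
# Returns the rejected keys so the caller can log or alert on them; a request
# carrying unexpected columns is a tampering signal worth recording.
def safe_mass_assign(record, params, accessible)
  accessible = accessible.map(&:to_s)
  rejected = []
  params.each do |k, v|
    key = k.to_s
    if accessible.include?(key)
      record.attributes[key] = v
    else
      rejected << key
    end
  end
  rejected
end

# Emulates a global "whitelist by default" policy: a model that declares no
# accessible attributes accepts nothing via mass assignment, so a forgotten
# declaration fails closed instead of open. Returns the rejected keys.
def assign_with_policy(record, params, accessible: nil, whitelist_by_default: true)
  return safe_mass_assign(record, params, accessible) unless accessible.nil?
  return safe_mass_assign(record, params, []) if whitelist_by_default
  unsafe_mass_assign(record, params)
  []
end

# Constructed request body for a "public key" form: the two fields the form
# actually shows, plus a column that must only ever be set server side.
TAMPERED_PARAMS = {
  "title"   => "laptop",
  "key"     => "ssh-rsa AAAAB3...constructed-sample...",
  "user_id" => 42,
}.freeze

# Runs both variants against the same tampered request and reports who ends
# up owning the key row in each case.
def demo
  vulnerable = unsafe_mass_assign(Record.new("user_id" => 7), TAMPERED_PARAMS)
  hardened = Record.new("user_id" => 7)
  rejected = safe_mass_assign(hardened, TAMPERED_PARAMS, %w[title key])
  {
    vulnerable_owner: vulnerable.attributes["user_id"], # 42: client overwrote it
    hardened_owner: hardened.attributes["user_id"],     # 7: server value kept
    rejected: rejected,                                 # ["user_id"]
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point the thread is arguing over is the `assign_with_policy` default: with the whitelist on by default, a model nobody remembered to protect silently drops every field (visible as `rejected`), which is an annoyance at development time; with it off, the same forgotten model hands every column to the client, which is the GitHub outcome.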

lol @ Ruby security (0)

Anonymous Coward | more than 2 years ago | (#39248139)

But Ruby is just so much more...PRODUCTIVE! Once again we learn the error of trusting Ruby scripters with the security of our systems.
