Sunday, March 4, 2012

46 comments:

  1. Thanks, Homakov. You helped make GitHub better.

  2. Seriously mate, you should be happy they haven't sent the FBI after you.

    Next time, don't be a dick.

  3. You should have used another account ...

  4. What did you do?
    Your account is still up...

  5. FBI really? He lives in Russia

  6. Yes, FBI, really.

    http://nymag.com/daily/intel/2012/01/megaupload-shut-down-by-fbi.html

  7. Appreciate your work. You did not exploit it for malicious purposes, you deserve the notoriety, and GitHub itself should realise that this benefits them as well. As long as it's not done with malicious intent, how an exploit is made apparent is immaterial.

  8. Yeah I would have suspended your account too. You didn't report this to them, you acted like a jerk in order to further support an argument you were having with an unrelated team.

  9. As if the FBI would be interested in such a trifling case. Given the non-malicious way Egor pointed out security vulnerabilities in a way that would get them fixed, fast, he earns some recognition.

  10. Fuck Github if they suspend your account. You're the guy who gave those "rockstar devs" a life lesson.

  11. Well, I feel that you're somewhat right and somewhat wrong.
    You need to understand that every product/service/open source project has its own way of how it should work.

    By the way, why don't you create your own GitHub? A rival of GitHub. I'm sure people who agree with you would definitely support your product. Just my 2 cents.

  12. Bah, you guys are so overprotective. What? Someone pointed out the Emperor has no clothes? The sheer gall!

    Get a grip on yourselves, you whiny assholes.

    Spasibo, Egor!

    A

  13. It's fine if you aren't an English speaker, but if that's the case, then don't say "English: Fluent in both written and verbal skills" when you're clearly not.

  14. That's just not the ethical way to report security issues, AndreiW. Unless you're intent on taking a company down, you report your issues to the company privately first, and when it is either resolved or a sufficient amount of time has passed you post what you found. To do otherwise is completely unethical and a bit of a dick move, especially if you 'love' the target.

  15. Alyosha Vasilieva, March 4, 2012 at 3:22 PM

    Megaupload was operating in US, run from a country with very similar copyright laws to US.

  16. Everyone blaming him not reporting it: https://github.com/rails/rails/issues/5228 he did. And he was called a troll. Github admins/whoever are responsible are dicks here, not the guy who found the flaw.

  17. Alyosha Vasilieva, March 4, 2012 at 3:28 PM

    @"That's just not the ethical way to report security issues, AndreiW."

    Fuсk your ethics

  18. He reported it in a public medium with details before privately reporting it to github themselves. That's the issue.

  19. He did not report it in a public medium first. This bug (https://github.com/rails/rails/issues/5228) was filed and closed after they ignored him. This public demonstration was AFTER he attempted to privately address the issue.

    The fact that people are even bringing the FBI into this is sickening. I will not stand for my country acting like a goddamned bully, so anyone threatening him about being a dick needs to shut the fuck up, because the people that should have paid attention to this issue are clearly at fault, not a brilliant young programmer who had to break into the website just to get a bunch of morons to listen to him.

    But people are more concerned about being right than being pragmatic, because apparently that article that was all over HN has already been forgotten.

  20. Don't fret bro, you are a hero! They should hire you, stupid pricks!

  21. Fuck off attention whore.

  22. Github y u r diks
    homakov pow3r!

  23. they already reactivated your account.

    https://github.com/blog/1069-responsible-disclosure-policy

  24. @Erik:
    https://github.com/blog/1069-responsible-disclosure-policy

    He reported it privately. For that, he should be applauded. They worked to fix what he reported. He THEN went and exploited another bug without reporting this and posted the steps online. Not to mention that this is a *3 day timeframe* we're talking about, which is NOT ENOUGH time to deem something as ignored.

  25. Looking at this thread https://github.com/rails/rails/issues/5228 you can see that he tried to report the issue but they tried to talk him out of it... THEN he posted here.

  26. Honestly, you didn't leave them much choice in the matter and some other companies would have done much worse than suspend your account. Github is a business and you knowingly exploited a security vulnerability (regardless of your motives), they had to suspend you.

    That being said, you did bring this issue to light and that led to it being fixed, so personally I want to say thank you for making my repositories on Github safer.

    I think Github was right to suspend your account considering the circumstances, and I think they were also right to reinstate your account once they determined that no real harm was done or intended.

  27. GitHub must hire you and send some gifts.

  28. Thank you for showing the bug!

    Sometimes, the only way to get someone to stop endangering the community is to show the amount of damage which would be possible.

    There are people whose future might depend on github being secure. If a higher value is at stake, waiting for the sensibilities of a company is nogo.

    After all, someone with a rather sinister agenda could have used the bugs to introduce all kinds of backdoors into programs.

  29. For what it's worth, thank you.
    No matter what your approach was, you could've exploited this in a different manner. But you didn't.

    Now for future discovered security issues or bugs, I think you should try to privately contact the company in question and give them some time to act.
    A security issue as the one discovered should be addressed immediately. Companies should not be trying to figure out how to squeeze this into their busy schedules; it should be their main highest priority task.

    Once the issue has been solved, I guess it's mandatory that you write about it and explain your findings; maybe this way, programmers can learn a thing or two about how secure their so called "vault" is.

  30. I'm a paying customer of Github and I want them to make my code safe which they didn't, I fully appreciate your actions.

  31. Reinstated: https://github.com/blog/1069-responsible-disclosure-policy

  32. GitHub! Why you no A-Hub?

  33. Great job mate. Keep it up! Don't listen to those dick heads blaming you. You did the right thing.

  34. I support you Egor. Love you.

  35. Egor, leave ruby and rails, it's a bad community, you're clearly better than that, go to python, it's a far better community.

  36. http://techcrunch.com/2008/01/01/zed-shaw-puts-the-smack-down-on-the-rails-community/

    MOVE TO PYTHON EGOR. RAILS/RUBY IS A BAD COMMUNITY

  37. You shouldn't care about that.
    Their bug, their problem, you just wanted to help.

  38. Saw Egor's comments on github, this guy was just trying to do a good thing but got ignored. Typical arrogance of rockstar devs I guess

  39. The course of action was legit. The devs didn't pay attention so he had to make this bug a priority SOMEHOW, because of the severity of it.

  40. Hi Egor,

    I just learned what you have done thanks to a French website.

    I really think that you have done the right thing, and the GitHub admins should be ashamed to have ignored a critical security issue.

    This is a very typical case in France, where security issues are too often ignored when someone finds one; and if the same person tries to hack the system in order to show how important the issue is, or just to be listened to, then he is sent to jail instead of being hired to improve the security of the system he found issues in...

    What a crazy world... so, once again, you did the right thing, thanks !

  41. Spasibo, Egor! You acted honourably.

    I agree with Roberto (above) when he said, "I am a paying customer of Github and I want them to make my code safe which they didn't, I fully appreciate your actions."

    If you had the 38 years in the trenches of IT (think ww1 or the battle for Stalingrad), you would have known that ANYTHING you did would have stepped on somebody's dick.

    Dick-Stepping is a refined sport not for the inexperienced. You were an Engineer, thinking like one, trying to be helpful, and had no idea that you were playing "Kick the Dick."

    You unintentionally stepped on a bunch of dicks, some of whom were, to be sure, practiced Corporate Politicians who will say and do anything to seem blameless, a trait most common among IT "managers".

    I worry now about Github. A "White Hat" throws up a security issue - and not a small one - and they flip out and go to ground. They then start a disinformation campaign. They then claim victory, and bellow about their wonderful Openness Policy.

    Best Wishes my young friend. You can at least "live with yourself" for having done the right thing for the right people, and we appreciate it.

    - HUGO
    C/C++, R, J2EE,
    hard-edge BI - Integrations
    w/ Pentaho and/or Palo, MS-BI stack
    wonderful/bloody SAS; JS/Flex/Flash, Tableau. 24/7 Decision Analysis, High Value Decisions under continually changing uncertainty e.g. negotiation
    Big Data and, more interesting, BI-informed business process.

  42. Anonymous said...

    GitHub must hire you and send some gifts.
    March 5, 2012 2:44 AM

    That's not enough.

    At the very least you are due from GITHUB a very public apology for the outrageous language GITHUB used to describe you, and the silly threats they made about involving the FBI when by that time the facts were out in the open!! You are also due a CHECK for your time and trouble _especially_ your time during their attacks against your reputation.

    Frankly there are a lot of people pissed enough to "out" GITHUB as just another corporate outfit with a "screw you," anti-coder attitude.

    I'd be happy to take our business elsewhere until they do the right thing for a coder they screwed!!

  43. Maybe it's time to hack and build a light open git repo service since GitHub is beginning to be not so cool. They'd better have thanked you instead of being snobby like that.

  44. Don't be disappointed, try with another account as simple as H2o :)

    ruby on rails development company
