Consulting: Sakurity Twitter: @homakov Personal: EgorHomakov.com
Thanks, Homakov. You helped make GitHub better.
Seriously mate, you should be happy they haven't sent the FBI after you. Next time, don't be a dick.
You should have used another account ...
What did you do? Your account is still up...
FBI really? He lives in Russia
Yes, FBI, really. http://nymag.com/daily/intel/2012/01/megaupload-shut-down-by-fbi.html
Appreciate your work. You did not exploit it for malicious purposes, you deserve the notoriety, and GitHub itself should realise that this benefits them as well. As long as it's not done with malicious intent, how an exploit is made apparent is immaterial.
Yeah I would have suspended your account too. You didn't report this to them, you acted like a jerk in order to further support an argument you were having with an unrelated team.
As if the FBI would be interested in such a trifling case. Given the non-malicious way Egor pointed out security vulnerabilities in a way that would get them fixed, fast, he earns some recognition.
Fuck Github if they suspend your account. You're the guy who gave those "rockstar devs" a life lesson.
Well, I feel that you are somewhat right, somewhat wrong. You need to understand that every product/service/open source project has its own way of how it should work. Btw, why don't you create your own GitHub? A rival of GitHub. I'm sure people who agree with you will definitely support your product. Just my 2 cents.
Bah, you guys are so overprotective. What? Someone pointed out the Emperor has no clothes? The sheer gall! Get a grip on yourselves, you whiny assholes. Spasibo, Egor! A
It‘s fine if you aren’t an English speaker, but if that’s the case, then don't say “English: Fluent in both written and verbal skills” when you’re clearly not.
That's just not the ethical way to report security issues, AndreiW. Unless you're intent on taking a company down, you report your issues to the company privately first, and when it is either resolved or a sufficient amount of time has passed you post what you found. To do otherwise is completely unethical and a bit of a dick move, especially if you 'love' the target.
Megaupload was operating in US, run from a country with very similar copyright laws to US.
Everyone blaming him for not reporting it: https://github.com/rails/rails/issues/5228 he did. And he was called a troll. GitHub admins/whoever are responsible are dicks here, not the guy who found the flaw.
@"That's just not the ethical way to report security issues, AndreiW." Fuck your ethics
He reported it in a public medium with details before privately reporting it to github themselves. That's the issue.
He did not report it in a public medium first. This bug (https://github.com/rails/rails/issues/5228) was filed and closed after they ignored him. This public demonstration was AFTER he attempted to privately address the issue. The fact that people are even bringing the FBI into this is sickening. I will not stand for my country acting like a goddamned bully, so anyone threatening him about being a dick needs to shut the fuck up, because the people that should have paid attention to this issue are clearly at fault, not a brilliant young programmer who had to break into the website just to get a bunch of morons to listen to him. But people are more concerned about being right than being pragmatic, because apparently that article that was all over HN has already been forgotten.
Don't fret bro, you are a hero! They should hire you, stupid pricks!
Fuck off attention whore.
Github y u r diks homakov pow3r!
They already reactivated your account. https://github.com/blog/1069-responsible-disclosure-policy
@Erik: https://github.com/blog/1069-responsible-disclosure-policy He reported it privately. For that, he should be applauded. They worked to fix what he reported. He THEN went and exploited another bug without reporting this and posted the steps online. Not to mention that this is a *3 day timeframe* we're talking about, which is NOT ENOUGH time to deem something as ignored.
Looking at this thread https://github.com/rails/rails/issues/5228 you can see that he tried to report the issue but they tried to talk him out of it... THEN he posted here.
Honestly, you didn't leave them much choice in the matter and some other companies would have done much worse than suspend your account. GitHub is a business and you knowingly exploited a security vulnerability (regardless of your motives), they had to suspend you. That being said, you did bring this issue to light and that led to it being fixed, so personally I want to say thank you for making my repositories on GitHub safer. I think GitHub was right to suspend your account considering the circumstances, and I think they were also right to reinstate your account once they determined that no real harm was done or intended.
GitHub must hire you and send some gifts.
Thank you for showing the bug! Sometimes, the only way to get someone to stop endangering the community is to show the amount of damage which would be possible. There are people whose future might depend on GitHub being secure. If a higher value is at stake, waiting for the sensibilities of a company is a no-go. After all, someone with a rather sinister agenda could have used the bugs to introduce all kinds of backdoors into programs.
For what it's worth, thank you. No matter what your approach was, you could've exploited this in a different manner. But you didn't. Now for future discovered security issues or bugs, I think you should try to privately contact the company in question and give them some time to act. A security issue such as the one discovered should be addressed immediately. Companies should not be trying to figure out how to squeeze this into their busy schedules; it should be their main, highest-priority task. Once the issue has been solved, I guess it's mandatory that you write about it and explain your findings; maybe this way, programmers can learn a thing or two about how secure their so-called "vault" is.
I'm a paying customer of GitHub and I want them to make my code safe, which they didn't; I fully appreciate your actions.
GitHub! Why you no A-Hub?
Great job mate. Keep it up! Don't listen to those dickheads blaming you. You did the right thing.
I support you Egor. Love you.
Egor, leave ruby and rails, it's a bad community, you're clearly better than that, go to python, it's a far better community.
http://techcrunch.com/2008/01/01/zed-shaw-puts-the-smack-down-on-the-rails-community/ MOVE TO PYTHON EGOR. RAILS/RUBY IS A BAD COMMUNITY
You shouldn't care about that. Their bug, their problem, you just wanted to help.
I like you.
Saw Egor's comments on github, this guy was just trying to do a good thing but got ignored. Typical arrogance of rockstar devs I guess
The course of action was legit. The devs didn't pay attention so he had to make this bug a priority SOMEHOW, because of the severity of it.
Hi Egor, I just learned what you have done thanks to a French web site; I really think that you have done the right thing, and the GitHub admins should be ashamed to have ignored a critical security issue. This is a very typical case in France, where security issues are too often ignored when someone finds one; and if the same person tries to hack the system in order to show how important the issue is, or just to be listened to, then he is sent to jail instead of being hired to improve the security of the system he found issues in... What a crazy world... so, once again, you did the right thing, thanks!
Spasibo, Egor! You acted honourably. I agree with Roberto (above) when he said, "I am a paying customer of Github and I want them to make my code safe which they didn't, I fully appreciate your actions." If you had the 38 years in the trenches of IT (think WW1 or the battle for Stalingrad), you would have known that ANYTHING you did would have stepped on somebody's dick. Dick-Stepping is a refined sport not for the inexperienced. You were an Engineer, thinking like one, trying to be helpful, and had no idea that you were playing "Kick the Dick." You unintentionally stepped on a bunch of dicks, some of whom were, to be sure, practiced Corporate Politicians who will say and do anything to seem blameless, a trait most common among IT "managers". I worry now about GitHub. A "White Hat" throws up a security issue - and not a small one - and they flip out and go to ground. They then start a disinformation campaign. They then claim victory, and bellow about their wonderful Openness Policy. Best Wishes my young friend. You can at least "live with yourself" for having done the right thing for the right people, and we appreciate it. - HUGO (C/C++, R, J2EE, hard-edge BI - integrations w/ Pentaho and/or Palo, MS-BI stack, wonderful/bloody SAS; js/flex/flash, Tableau. 24/7 Decision Analysis, High Value Decisions under continually changing uncertainty, e.g. negotiation, Big Data and, more interesting, BI-informed business process.)
Anonymous said... "GitHub must hire you and send some gifts." March 5, 2012 2:44 AM. That's not enough. At the very least you are due from GITHUB a very public apology for the outrageous language GITHUB used to describe you, and the silly threats they made about involving the FBI when by that time the facts were out in the open!! You are also due a CHECK for your time and trouble, _especially_ your time during their attacks against your reputation. Frankly there are a lot of people pissed enough to "out" GITHUB as just another corporate outfit with a "screw you," anti-coder attitude. I'd be happy to take our business elsewhere until they do the right thing for a coder they screwed!!
Maybe it's time to hack and build a light open git repo service since GitHub is beginning to be not so cool. They'd better have thanked you instead of being snobby like that.
Don't be disappointed, try with another account as simple as H2o :)