The Compromise of GitHub

Published in: Technology

Transcript

    • 1. The Compromise of GitHub An Ethical Post-mortem
    • 2. On March 1st, GitHub user Egor Homakov (homakov) posted an issue to the Ruby on Rails issue tracker expressing concern about a security vulnerability in the Rails source. https://github.com/rails/rails/issues/5228
    • 3. After a response by Rails contributor Piotr Sarnacki, the issue was closed without a fix. https://github.com/rails/rails/issues/5228
    • 4. 1001 years from now, Homakov opened a new issue: the issue's creation date read 1001 years in the future. (You read that right.) https://github.com/rails/rails/issues/5239
    • 5. He then made a commit (code change) to the Rails master branch, adding a file stating “github pwned. again. :(“ http://tinyurl.com/7bflmnv
    • 6. Normally, only core team members are allowed to commit directly to a repository on GitHub. In a post on his blog, Homakov announced that he had administrator-level access to every repository on GitHub. http://homakov.blogspot.com/2012/03/egor-stop-hacking-gh.html
    • 7. Upon recognizing the exploit, GitHub fixed the error and suspended homakov. https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation
    • 8. homakov quickly responded on his blog, recognizing that he "behaved like a jerk". http://homakov.blogspot.com/2012/03/im-disappoint-github.html
    • 9. After reviewing what happened, GitHub reinstated his account.
    • 10. Three Ethical Questions
    • 11. Unrestricted mass assignment was the default behavior for all Rails applications. Is it the Rails team's responsibility to its users to choose the secure behavior on their behalf, rather than leaving that choice to each developer? Consider http://tinyurl.com/6qwr4s7
    • 12. Homakov brought up the issue well in advance of actually using the exploit. Did he overstep his bounds? Is unsolicited "white hat" hacking okay?
    • 13. After the fact, many users were very concerned that GitHub had failed to protect the security of its users. The mass assignment bug is a known (if somewhat obscure) vulnerability in Rails. Did GitHub drop the ball by not securing their application against this exploit?
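Slides 11 and 13 both turn on the mass assignment behavior without showing it. The following is an added example, not part of the deck and not GitHub's or Rails' own code: a framework-free Ruby simulation of the pattern, where a record is updated from a client-supplied parameter hash. The `PublicKey` model, its attributes, the ids and the key strings are all hypothetical, chosen to mirror the public-key ownership issue GitHub's mitigation post describes. The unsafe method writes every submitted field (the old Rails default); the safe method writes only a whitelist (the idea behind `attr_accessible`, later strong parameters).

```ruby
# Added example: simulates Rails-style mass assignment without Rails.
# Model name, attributes and sample values are constructed for illustration.

class PublicKey
  attr_reader :id, :user_id, :title, :key

  # Attributes a client is allowed to set through a form. Note that
  # user_id (ownership) is deliberately not in the list.
  ACCESSIBLE = %w[title key].freeze

  def initialize(id:, user_id:, title:, key:)
    @id, @user_id, @title, @key = id, user_id, title, key
  end

  # Vulnerable pattern: every parameter the client sends is written to the
  # matching attribute. A client that adds a "user_id" field it was never
  # shown in the form re-parents the key onto another account.
  def update_attributes_unsafe(params)
    params.each { |name, value| instance_variable_set("@#{name}", value) }
    self
  end

  # Hardened pattern: only whitelisted attributes are writable; anything
  # else in the request body is silently dropped.
  def update_attributes_safe(params)
    params.each do |name, value|
      next unless ACCESSIBLE.include?(name.to_s)
      instance_variable_set("@#{name}", value)
    end
    self
  end
end

# Constructed request body. The form only exposes title and key, but the
# body is under the client's control, so an extra user_id field is injected.
def attacker_params
  {
    "title"   => "laptop",
    "key"     => "ssh-rsa AAAA... attacker@host",  # constructed value
    "user_id" => 1                                  # injected: target account
  }
end

# User 42 edits their own key (id 7) with the vulnerable update.
def exploit_unsafe
  key = PublicKey.new(id: 7, user_id: 42, title: "old", key: "ssh-rsa OLD")
  key.update_attributes_unsafe(attacker_params)   # user_id becomes 1
end

# Same request against the whitelisted update: ownership is untouched.
def exploit_safe
  key = PublicKey.new(id: 7, user_id: 42, title: "old", key: "ssh-rsa OLD")
  key.update_attributes_safe(attacker_params)     # user_id stays 42
end

if __FILE__ == $0
  puts "unsafe: key 7 now owned by user #{exploit_unsafe.user_id}"
  puts "safe:   key 7 still owned by user #{exploit_safe.user_id}"
end
```

The whitelist is the model-level fix; a complete fix also scopes the lookup to the current user (fetch the key through the user's own collection rather than by raw id), so that neither the parameter hash nor the record id can be used to reach another account's data.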
