The Compromise of GitHub


    1. The Compromise of GitHub: An Ethical Post-mortem
    2. On March 1st, GitHub user Egor Homakov (homakov) posted an issue to the Ruby on Rails issue tracker expressing concern about a security vulnerability in the Rails source. https://github.com/rails/rails/issues/5228
    3. After a response by Rails contributor Piotr Sarnacki, the issue was closed without a fix. https://github.com/rails/rails/issues/5228
    4. 1001 years from now, Homakov opened a new issue. (You read that right.) https://github.com/rails/rails/issues/5239
    5. He then made a commit (code change) to the Rails master branch, adding a file stating “github pwned. again. :(” http://tinyurl.com/7bflmnv
    6. Normally, only core team members are allowed to commit directly to a repository on GitHub. In an announcement on his blog, Homakov stated that he had administrator-level access to every repository on GitHub. http://homakov.blogspot.com/2012/03/egor-stop-hacking-gh.html
    7. Upon recognizing the exploit, GitHub fixed the error and suspended homakov. https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation
    8. homakov quickly responded on his blog, acknowledging that he ‘behaved like a jerk’. http://homakov.blogspot.com/2012/03/im-disappoint-github.html
    9. After reviewing what happened, GitHub reinstated his account.
    10. Three Ethical Questions
    11. This vulnerability was the default behavior for all Rails applications. Is it the Rails team's responsibility to its users to choose secure default behavior on their behalf? Consider http://tinyurl.com/6qwr4s7
    12. Homakov brought up the issue well in advance of actually using the ‘sploit. Did he overstep his bounds? Is unsolicited ‘white hat’ hacking okay?
    13. After the fact, many users were very concerned that GitHub had failed to protect the security of its users. The mass assignment bug is a known (if somewhat obscure) vulnerability in Rails. Did GitHub drop the ball by not securing their application against this exploit?
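The "mass assignment" behavior that slides 11 and 13 refer to is worth seeing concretely. The following plain-Ruby illustration is an added example, not part of the slide deck and not Rails' own code: it models a record that copies every key of an incoming parameter hash onto itself (the insecure default the slides describe) next to a version that only accepts an explicit whitelist of attributes and takes ownership from the authenticated session instead of the request. The class names, the `owner_id` attribute and the tampered parameter hash are constructed for the example. In Rails of that era the equivalent whitelist was declared with `attr_accessible`; later Rails versions moved the same check into the controller as "strong parameters".

```ruby
# Added illustration (not from the slides): why unrestricted mass assignment
# is dangerous and how an attribute whitelist stops it. Plain Ruby, not
# Rails' own API; class and attribute names are hypothetical.

# Insecure default: every key in the hash is written to the record,
# including fields the request should never be allowed to control.
class UnsafeRecord
  attr_accessor :title, :body, :owner_id

  def initialize(params)
    params.each { |name, value| public_send("#{name}=", value) }
  end
end

# Hardened version: only whitelisted attributes may be set from external
# input; anything else is dropped and recorded so it can be logged/alerted on.
class SafeRecord
  ALLOWED = %w[title body].freeze

  attr_accessor :title, :body, :owner_id
  attr_reader :rejected

  def initialize(params, session_user_id)
    @rejected = []
    params.each do |name, value|
      if ALLOWED.include?(name.to_s)
        public_send("#{name}=", value)
      else
        @rejected << name.to_s
      end
    end
    # Ownership comes from the server-side session, never from the body.
    @owner_id = session_user_id
  end
end

# Constructed request body: a form field added by hand to the request.
TAMPERED_PARAMS = {
  "title" => "hello",
  "body" => "text",
  "owner_id" => 42 # not a field the form exposes
}.freeze

# Owner the insecure record ends up with: whatever the request said.
def unsafe_owner(params = TAMPERED_PARAMS)
  UnsafeRecord.new(params).owner_id
end

# Owner the hardened record ends up with: the authenticated user.
def safe_owner(params = TAMPERED_PARAMS, session_user_id = 7)
  SafeRecord.new(params, session_user_id).owner_id
end

# Attributes the hardened record refused; a non-empty list is a useful
# detection signal that someone is probing for mass assignment.
def safe_rejected(params = TAMPERED_PARAMS, session_user_id = 7)
  SafeRecord.new(params, session_user_id).rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe owner_id: #{unsafe_owner}"   # attacker-chosen value
  puts "safe owner_id:   #{safe_owner}"     # session user
  puts "rejected fields: #{safe_rejected.inspect}"
end
```

The defensive point is the split between the two classes: the whitelist is the fix, and the `rejected` list is what a defender would watch, because a request that carries attributes the form never offers is exactly the pattern the slides' incident relied on.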
