undefined | Better HN

0 pointsBenjaminCoe14y ago0 comments

This clearly was malicious:

* it provides a how to for other individuals to repeat the attack, in a public forum.

* it was made against an innocent third-party.

* I doubt steps were taken to contact the third-party.

* it was made on a Sunday morning. making it difficult to scramble and get a fix out the door.

"Clearly the Rails core team were not willing to consider any kind of changes to improve the situation"

The ticket was opened three days ago. Are you advocating that if an issue isn't resolved in an open-source project, in under a week, the individual raising the issue should be able to publicly attack anyone using the project?

Also, I'll put this gem of a quote out there:

"not only github is vulnerable this way - I found a lots of rails apps that are waiting for my hack! Yeah, it is only start" (mwahahahaha).

0 comments

jsnell14y ago

Whether it was malicious depends on the motives, and it's very hard for me to see where the malice is. To me it looks more like he just wanted to bring attention to the issue in order to get it fixed.

I already agreed that GitHub were innocent bystanders and that the timing was unfortunate. But if getting publicity to the issue was the main point, it's also easy to see why GitHub was the perfect target. I also already explained why it could make perfect sense to demonstrate the vulnerability in a public manner rather than just disclose it to one of the many sites suffering from the problem. None of that is a sign of malice, it's at most bad judgement.

The ticket having been opened only three days ago would be a good point if it hadn't also been closed and declared to be working as intended with a pointer to a previously closed bug about the same issue.

BenjaminCoeOP14y ago

I think you're winning me over to Egor's actions being more irresponsible and misguided than malicious -- chalk it up to him being 18.

I'm finding it pretty hard to stay mad at someone with this tattoo:

http://homakov.blogspot.com/2011/07/octocat-tattoo.html

alexbell14y ago

Agreed. Immature - certainly. I don't think his actions were done with malicious intent. Maybe insolent, but that only counts in the military. If he wanted to he could have made his point in a far more malicious manner.

And the octocat tattoo... How can you not like a guy with an octocat tattoo!

momoro14y ago

He could probably have made a lot of money from this if he hadn't disclosed it. A lot of people store various secret keys along with their apps on github. Many people even have entire repositories of secret keys. By taking access to these repos (if he could get access to private repots) he could likely have gotten access to apps from which he could have taken money.

j / k navigate · click thread line to collapse