

Did GitHub Suspend Egor Homakov account? - VuongN
http://homakov.blogspot.com/2012/03/im-disappoint-github.html
I hope this isn't the beginning of something ugly with GitHub.
======
vasco
Suspending him only shows that if a vulnerability exists (and they always do)
in the future people won't go about it so openly because what they'll get for
their troubles will be an account suspension. The guy could have done real
harm if he kept silent and used it maliciously, chose not to, and got
suspended. Github should pay him for finding the vulnerability instead!

~~~
rdtsc
Actually now that they've suspended him, I kind of wish he did some real
damage. The whole 'get hung for a lamb' saying.

That is why I don't really believe in the 'white hat hacker' label.
Organizations, when humiliated by their vulnerability, strike back and treat
the white hat hacker as a criminal. Or I guess since he actually modified a
file or two instead of just publicly commenting about the theoretical
vulnerability, he is now a gray hat hacker ... ? But if he had just blogged
about the vulnerability without proving it, he wouldn't have been taken
seriously and fewer people would have believed him (did you know about this
guy before this happened? I didn't).

That is why I think, as an individual, if you hack, always be a black hat
hacker. Organizations do not have mercy and will not treat you with respect if
you just break in to point out a problem to try to help them. So might as well
do some real damage, hide and or profit from it, by selling it on a black
market.

(Note, not saying that I condone, or personally agree with, such activities,
just proposing a better course of action for those who do).

~~~
shiven
How does anyone know he hasn't placed a thousand backdoors elsewhere on GH?
This could have been just the harmless shot across the bow. The real vulns
being traded in the online underground market now (or in the near future)?

~~~
petenixey
GitHub themselves acknowledged that he only compromised 3 accounts and none of
them seriously: [https://github.com/blog/1068-public-key-security-vulnerabili...](https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation).

Seeing the comments he made days prior to this and also knowing what an
appalling security vulnerability attr_accessible is I'm very pleased he did
this. The issue needs to be addressed and for some reason everyone's been
sweeping it under the carpet.

The guy was clear and reasonable in the earlier bugs and suggestions he posted
and then simply escalated them (with no harm done) to illustrate the issue.

Frankly this is a whole lot less worrying than Firesheep and way more easily
addressable.

~~~
arkitaip
Are they assuming he only used one account?

~~~
mef
Presumably Github is currently auditing their db for keys added to
organizations by users who are not admins of those organizations.

------
ricardobeat
Well, this is not exactly what I expected to find in the ToS:

 _GitHub, in its sole discretion, has the right to suspend or terminate your
account and refuse any and all current or future use of the Service, or any
other GitHub service, for any reason at any time. Such termination of the
Service will result in the deactivation or deletion of your Account or your
access to your Account, and the forfeiture and relinquishment of all Content
in your Account. GitHub reserves the right to refuse service to anyone for any
reason at any time_

That means my company's code can be wiped out by GH at any time, for any
reason. Please don't hurt me :(

~~~
ricardobeat
This other part is fun too:

 _Verbal, physical, written or other abuse (including threats of abuse or
retribution) of any GitHub customer, employee, member, or officer will result
in immediate account termination._

What if a GitHub employee cuts me in traffic and I shout _f--- you!_? My
account could be lawfully terminated if the guy finds my twitter handle.

God, I hate law. I'm sure github folks have good intentions and operate on
good will, but reading this stuff gives me shivers.

~~~
pavel_lishin
> God, I hate law.

Sure, but how do you feel about the alternative?

~~~
ricardobeat
Honest, just, trustworthy, good, happy, well behaved humans? That would be
great.

~~~
masklinn
That's not the alternative to law, that's an alternative to humanity's current
state itself.

The alternative to law is "I've got a bigger stick, you shut your face or I do
it for you", where "stick" is not a metaphor for lawyers on retainer but an
actual stick.

~~~
cglace
Isn't that the definition of how our laws are enforced? They have the bigger
stick. So we do what they say.

~~~
goblin89
That's an oversimplification. We have a big virtual stick, which we use to
make some guys register what we want on paper and give other guys real big
sticks so that they will tell us to do what _we_ actually wanted. At least,
that's how it's supposed to work, I guess. (And that's also an
oversimplification.)

~~~
cglace
"give other guys real big sticks so that they will tell us to do what we
actually wanted"

I think you mean so that they will tell other people to do what we wanted.
Also, that doesn't change the fact that those with lesser power will be in a
worse position to enact change. They will usually be on the losing end of "the
stick".

~~~
goblin89
> they will tell other people to do what we wanted

No, actually I meant us, but more as a whole. We all vote for laws that are
mostly applicable to ourselves (except foreign policy). This is, of course, in
theory.

I agree, though, that it's harder to enforce change if you don't have any
perceivable stick. People in power can control elections, after all, and
there's not enough transparency about what happens ‘at the top’.

------
ricardobeat
Remember when Zed Shaw took down GitHub for purely personal reasons,
disturbing service for millions? I don't remember him getting suspended, his
account is live and well at <http://github.com/zedshaw>

<http://sheddingbikes.com/posts/1306816425.html>

~~~
ceol
Did Zed do that on purpose, though? He was continuously added to a troll repo
with no way to block the guy, so he spammed his repo with commits and fake
branch merges, but I don't think he crashed GitHub on purpose.

------
T-Winsnes
So if I got this right, this is the order of how things happened.

1. Egor finds a vulnerability and reports it.
<https://github.com/rails/rails/issues/5228>

2. It gets ignored and he is called a troll.

3. He proves that he was right by doing a harmless commit to the rails
master repo.

4. The vulnerability gets fixed quickly as it got the focus of the community.

5. His account gets suspended.

Not sure I agree with the suspension.

~~~
lunarscape
Except he also opened a closed issue, compromised 2 other accounts and
impersonated another user, something he admits to in his blog.

~~~
adharmad
Were his other actions (impersonating another user, compromising other
accounts) also to demonstrate vulnerabilities or just unnecessary semi-
malicious actions on his part?

~~~
lunarscape
They were not malicious but, imho, they crossed the line. It's not too
difficult to justify something simple like opening a closed issue, but once he
did things that interfered with other people's accounts, that's the point at
which I feel no sympathy for him being suspended.

------
abalone
He has a get out of jail free card.

<http://homakov.blogspot.com/2011/07/octocat-tattoo.html>

~~~
muyuu
In his master commit he commented that next tattoo would be real :-D

------
chbrown
Why is someone who can hack Github working for $30/hr on oDesk? @Egor, quit
selling yourself short!

~~~
user2634
4500 USD / month is great money for an 18-year-old in Russia. It's 10 times
the usual wage.

~~~
homakov
I wouldn't say 'great' but decent and ok.

------
eli
Not sure that's the call I would have made, but hacking into other users'
accounts does seem like a pretty valid reason for account termination.

~~~
rubynerd
If I was in their shoes, I would have made the same call: he hacked into users'
accounts and threatened to do more damage. Quick, bust out the bargepole.

I would be very concerned about this backfiring, but I would hack Rails a
little to report when anybody attempts to use this glitch and wire that into
Hubot(TM), so if he does attempt to use this same hole again, the devs are
warned instantly.

~~~
jaredonline
Suspending his account doesn't make any sense. He could easily sign up with
another email account. Set up a new set of keys on another computer and he's
back at it. GH should be working with him instead... he obviously knows what
he's doing.

~~~
rubynerd
That's the purpose of sending attempted uses of this exploit straight to the
highest place possible: so if he does, they know.

Working with him to do what? He pissed about a little with WebInspector; it
doesn't make him a security consultant.

He threatened to do more damage to your site. Why wouldn't you suspend someone
like that?

------
kpanghmc
What's to prevent Egor from setting up a new account and using it to exploit
the vulnerability he's found?

~~~
rdtsc
That is why this just seems like petty bureaucratic revenge. It looks good for
PR purposes and placates other users ("look we got rid of the problem, the
hacker has been eliminated").

~~~
stock_toaster
I think it is more likely they need to verify that he only did what is
currently known about and nothing else (such as if he had granted himself
access to some private repos, for instance). Much safer to suspend/terminate
his account first just in case. They are likely combing access logs, etc.
Maybe they will reinstate it later after a review. Who knows other than
Github.

It could also be to reduce legal culpability. If they left his account enabled
and he _had_ granted himself access, and later did more damage, they might be
liable for negligence? Not sure. IANAL, etc.

~~~
rdtsc
> It could also be to reduce legal culpability.

Ok that makes sense. In light of that they most likely acted rationally and
correctly.

------
heimidal
His account has been reinstated, Github has patched their service, and the
Rails team has committed a patch with new defaults. All in less than eight
hours. Let's move on.

~~~
skeletonjelly
Move on? There's no lessons we can take away from this?

~~~
heimidal
There are certainly lessons to be taken away, but this whole thing has
devolved into a witch hunt.

Take away the good, move on from the bad, and get back to making software
better instead of treating the OSS community like a soap opera.

------
VuongN
Is this supposed to prevent him from doing further damage? I hope this isn't
the beginning of something ugly with GH.

~~~
kenkam
Can't say it is a douche move from GH since they are protecting their users'
best interests. The facts are: Egor has a way to cause damage to GH. I don't
think GH would sit there wondering whether he would do the ethical thing.

_If_ something had happened then the reaction would have been totally
different. "Why didn't GH ban him when they could have before the damage was
done?"

~~~
saurik
To be clear: we all had (past tense, as I'm assuming GitHub effectively fixed
it) that "way to cause damage to GH"; it isn't a bug that Egor was hoarding,
or that only he was in a position to exploit. You can argue all you want that
he deserved to have his account banned (I might even agree with you, although
I haven't come to a conclusion on that yet), but to claim that it was some
kind of required protection that people would legitimately be able to complain
about had they not done it is silly: he can still do the damage from a new
account, and someone else can do that damage even if he didn't want to.

------
sriramk
I'm sorry but I have to defend Egor here. Here's how you actually report a
vulnerability, demonstrated by dfranke here on HN ->
<http://news.ycombinator.com/item?id=639976>

What Egor did was to violate sensible disclosure rules. He should have
contacted GitHub in private, created a test repo and demonstrated his exploit
there, rather than impersonate users and compromise multiple accounts.

If I was in Github's shoes and I was trying to figure out what damage was
done, the first step would be to suspend the account doing the damage to make
sure no further surprises were headed my way.

------
mtkd
They should be hiring him.

------
narsil
What I would like to know is if this is permanent or just till github
completes their security audit. It doesn't seem like homakov intended or
caused any real harm, although it was a bit immature to draw attention to the
vulnerability that way.

~~~
marshray
I think it's interesting how sometimes the "immature" course of action is what
brings the greatest good.

------
xpaulbettsx
In the future, if folks find vulnerabilities in GitHub, please report them via
an Email to security@github.com or support@github.com.

~~~
rdtsc
Or if you want to keep your account, don't tell GitHub, but sell the
vulnerability on black market and make some profit off of it.

~~~
holman
We will never, ever suspend or ban accounts that follow responsible
disclosure. Ever.

~~~
rdtsc
I think from a PR point of view with respect to the rest of the developer
community you might have lost this one. You didn't eliminate the threat posed
by him as an individual because he can create a new account.

(Note: as far as your enterprise or big-corp clients, you probably did the
right thing, because that is what they would have done and that is what they
expected. So if they are the clients who put bread on your table, then you
have acted correctly)

What I think you could have done better (and I speak as a developer, not a
corporate client): issue a public note saying something to the effect of
"Thanks for finding this out, maybe you'd like to interview with us. But
please, everyone, do not do it this way, this is against TOS and most likely
illegal. Here is the email where to report these things and we will make
sure to give you full credit after we fix the problem".

~~~
JumpCrisscross
A lot of the fire could have been cooled with the suspension notice being
accompanied with (ideally preceded by) a personal note to Egor. The absence of
that is what makes this seem more like a GoDaddy firing-from-the-hip move than
a rationally thought out one.

------
rurounijones
His account has been unsuspended.

[https://github.com/rails/rails/commit/b83965785db1eec019edf1...](https://github.com/rails/rails/commit/b83965785db1eec019edf1fc272b1aa393e6dc57#commitcomment-1041295)

------
espeed
Don't suspend him -- hire him.

------
aquarin
This is a really childish attitude. Egor, grow up.

~~~
munaf
In case you didn't see his bio, he's 18 years old. I'm not a fan of what he
did, but frankly, his behavior is probably better than mine would've been at
that age + circumstance.

~~~
aquarin
In most countries (including Russia) this is considered criminal behavior.

------
krobertson
He clearly violated their Terms Of Service. If you like and enjoy a service,
exploiting it to prove a point is not the way to do it. It takes no time to
spot the clause about exploiting the service.

Legally, it wouldn't be good to have a TOS and then not enforce it. You never
know how that could bite you later on if you get dragged into a dispute.

All this "they should give it back when they're done" is pointless. You can't
reward stupid behavior.

