
Commit that changed my life - charlieok
http://egorhomakov.com/post/44506887852/commit-that-changed-my-life
======
brokentone
I was never against Egor, I don't know that he had a lot to apologize for --
but others do. Either way it's very mature of him to offer apologies. Shows
personal growth while learning and demonstrating very succinct security POCs.
This kid is one to keep your eyes on.

Egor, if you make it to NYC, let me buy you a drink.

~~~
homakov
Thanks! I'm already choosing a flight for June :)

~~~
carterschonwald
Awesome. Feel free to hit me up as well when you're in NYC! Stumbling into
doing what you really love is .... magical. Consulting is a lot of work, make
sure you have your work pipelined far ahead of time yet avoid overloading
yourself!

Sounds like you've had a benignly interesting year and learned a lot. What
more could someone want?

~~~
misiti3780
I'll drink some beers in NYC also.

------
rubyrescue
Ironically, people said he should have handled the commit differently, and
perhaps he should have.

But here we are talking about him 1 year later. I think he probably shouldn't
have done it, but on which side of the pg/YC _line of creative subversion_ did
his stunt actually fall?

~~~
mpyne
Well let's be fair, we're talking about him because he didn't rest on his
laurels, he's been out there doing more and more.

Personally I thought it was hilarious, you can hardly _be_ more gentle in the
process of 0wning a system like that and as I recall he did try to warn them
beforehand.

------
InclinedPlane
In my impetuous 20s I did something similar. I was rather ... well, rude,
really in pointing out a major security flaw on the forums of one of the more
famous tech sites. Things devolved from there and I ended up being banned,
though they did fix the problem rapidly even so. Since then I've learned the
value of tact.

~~~
homakov
I agree about responsible disclosure, but that problem had many facets, and I
was rather trying to point out a Rails problem, sadly, using a GitHub hole.

~~~
InclinedPlane
It's a fine line sometimes. I think your commit is mostly defensible. It's
really an open question. What do you do when you point out a serious security
issue and it doesn't get the attention it deserves? I think your commit
definitely proved that the issue was being downplayed far too much. Is there
some better middle ground? If proving a vulnerability results in it getting
fixed overnight and merely describing it results in it getting fixed never
then what's the right course of action?

------
itafroma
The Hacker News discussion from a year ago about the original incident:
<http://news.ycombinator.com/item?id=3663197>

------
purephase
This guy keeps popping up. Very impressive for a year's worth of work. We
should be lucky to have someone willing to do this so openly, even after the
rebuff from the community. He could have easily gone black hat and we'd all be
the worse for it.

------
redact207
How interesting he ended up in Mui Ne in Vietnam - it's one of the places I've
been considering for a quit-your-job-and-focus-on-launching spot.

Mui Ne is a very small coastal town around 200 km east of Ho Chi Minh City.
Although tiny, constant off-shore winds have increasingly made it the kite-surfing
capital of SE Asia. Living expenses are cheap, and I've calculated a
pretty comfortable lifestyle for USD 1,200 pm (YMMV).

His post is somewhat testament to a usable internet connection.

~~~
homakov
Mui Ne is not so cheap because of tons of Russian tourists coming. I used to
spend $2k/month here, but my apartment is in the middle of it and it was winter
(high season). Internet is pretty decent too!

------
glitchdout
And here are all of Homakov's achievements this year:
<http://homakov.blogspot.pt/2013/03/contributions-2012.html>

Pretty impressive!

~~~
vishaltelangre
<3 (y) Keep up such great job, Homakov.

------
niggler
I'm waiting for Egor to spend some time with nodejs ... would like to see what
he finds

~~~
NuZZ
Heh, been thinking myself of open sourcing an ecommerce site I'm building from
scratch in node. Not sure if it would be good or bad.

The benefits of course being: a learning resource for newbs, a good
transparent portfolio piece, easy collaboration with strangers on what is best,
etc. Downsides being: exposing potential security holes, embarrassment due to
facepalm-worthy pieces of logic in code (really, a plus), etc.

~~~
yuchi
Do you have any economic reasons to keep it closed? If the answer is no, then
push it open source. Full stop. It's a gain for everyone.

------
artursapek
That consulting site is so MVP. I love it.

~~~
homakov
that design costs $10k, appreciate it!

~~~
artursapek
Trust me - as a design student, seeing talented people not care about design
can be very refreshing. Keep on keeping on my friend.

~~~
homakov
I really REALLY care about design. I think it matters a lot. But so far I don't
have much spare time / money to get something decent. Too busy these days :/

~~~
andreif
It's just perfect for mobile, thanks.

------
Aardwolf
The post links to this:
[https://github.com/rails/rails/commit/b83965785db1eec019edf1...](https://github.com/rails/rails/commit/b83965785db1eec019edf1fc272b1aa393e6dc57)

And I have a rant about that: I wanted to see the date when that commit was
done. But all it says as "date" is: "a year ago".

Why? Why can it not say the actual date? "A year ago", what does that mean? I
want to know which month and day, even the time!

~~~
vito
If you hover over them the full time shows up as a tooltip at least.

~~~
uxp
Adding different resource identifiers to the url can also retrieve different
commit formats:

Email Patch:
[https://github.com/rails/rails/commit/b83965785db1eec019edf1...](https://github.com/rails/rails/commit/b83965785db1eec019edf1fc272b1aa393e6dc57.patch)

Unified Diff:
[https://github.com/rails/rails/commit/b83965785db1eec019edf1...](https://github.com/rails/rails/commit/b83965785db1eec019edf1fc272b1aa393e6dc57.diff)

------
jmathai
I imagine the Internet will be kind and you'll go on to do great things.

We've all done things we regret and deserve apologies. It's not the mistake
that defines you but how you respond afterwards.

------
shadowsun7
Egor, if you're ever in Singapore, please hit me up. I'll organize a meetup
via NUS Hackers at the National University of Singapore. Would be interesting
to let other university-level students hear about your experience.

(My email address is on my personal site (which, in turn, may be found on my
profile).)

------
warmwaffles
This was a fun day of GitHub notifications being sent to me constantly because
I made a comment pretty early.

------
danso
I kept a list of the best things I read in 2012. This GitHub commit was near
the top of it... everything about it, from its technical insight to how
spectacularly (in an attention-grabbing sense) it was executed, to how it spoke
about the constant conflict between "read the documentation" and "save the
developers from themselves"... fantastic.

I loved the commit from the future :)
<https://github.com/rails/rails/issues/5239>

------
nicholassmith
The argument with security research is how do you responsibly deal with the
knowledge when people aren't listening? Well, in this case starting a fire to
prove there's smoke wasn't the best decision. It takes a lot to admit you were
wrong publicly and offer a mea culpa, and a lot to not get disheartened and
stop researching. Kudos Egor, I'm sure I'm not the only person watching your
work with interest.

------
MojoJolo
I read almost all the notes on the GitHub page, and it lasted for months. There
are different sides shown.

BTW, I think travelling costs and needs so much money. I wonder what Egor's
sources of income are. Don't know him that much, so I just assumed consulting
(Sakurity) is just his source of income. Also, if Egor is in South East Asia
at the moment, he should visit the Philippines!

------
mikek
What's the backstory on this?

~~~
InclinedPlane
He discovered a major vulnerability in GitHub and pointed it out by making a
commit to the Rails master repository (which has rather obvious serious
repercussions from a security standpoint).

~~~
asveikau
My recollection (though I don't know much about Rails and this is just going
from memory) is that he attempted to make an argument to the Rails team for
more secure defaults in parameter parsing and for the framework to steer apps
towards more secure use. When they brushed him off and said it was ultimately
the caller's responsibility to use it right, he exploited GitHub to make his
point.

------
Lucadg
You've got a Singha beer in Bangkok too :) I worked for a long time with a great
Russian developer until year. Took him to Mexico to work together (no visa
requirements) for 3 months. He came from Siberia and I showed him the ocean
for the first time, then we travelled by car around the country. So far the
Russians are the best for me, seriously. Would love to meet you.

~~~
homakov
I know Siberian guys. If you show him the ocean, he is happy for the rest of
his life!

See you in BKK.

------
adrianmsmith
"I left St Petersburg, Russia. I see no future for myself in my country",
Could you elaborate?

~~~
homakov
Ugly weather + no prospects for IT + unsafe streets.

I had a decent Rails job there but I have... "ambitions". Just wanna take over
the world.

------
bonzoesc
Egor, thanks for your writing about the OAuth 2 standard! I've implemented
that a few times in the last year and would be in serious trouble (not
immediately, but when somebody notices) without your writings.

------
jnazario
Glad to see you growing, Egor.

------
tantalor
Somebody just hire him, amiright?

~~~
lhnz
Why be hired when you can consult?

~~~
throwawayG9
How does that work? I never understood what a consultant does exactly. Offers
advice?

~~~
homakov
I have no idea what _other_ consultants do. What I do: try to
hack (penetration), propose ways to secure your app, explain risks and steps to
be taken.

~~~
throwawayG9
Good to know, thanks Egor!

