That is why I don't really believe in the 'white hat hacker' label. Organizations, when humiliated by their vulnerability, strike back and treat the white hat hacker as a criminal. Or I guess since he actually modified a file or two instead of just publicly commenting about the theoretical vulnerability, he is now a gray hat hacker ... ? But if he had just blogged about the vulnerability without proving it, he wouldn't have been taken seriously and fewer people would have believed him (did you know about this guy before this happened? I didn't).
That is why I think, as an individual, if you hack, always be a black hat hacker. Organizations do not have mercy and will not treat you with respect if you just break in to point out a problem to try to help them. So you might as well do some real damage, hide and/or profit from it by selling it on a black market.
(Note: I'm not saying that I condone, or personally agree with, such activities, just proposing a better course of action for those who do.)
Supposedly, a white hat hacker is someone hired (or at least, legally authorized) by the company itself to test their security by trying to break in.
You can point your finger at vulnerabilities every day, full time, just to make the web a better place, and many will thank you for this, but many more will just threaten you or file a complaint.
This is one of the main motivations behind the "no more free bugs" movement: http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/
Seeing the comments he made days prior to this, and also knowing what an appalling security vulnerability attr_accessible is, I'm very pleased he did this. The issue needs to be addressed and for some reason everyone's been sweeping it under the carpet.
The guy was clear and reasonable in the earlier bugs and suggestions he posted and then simply escalated them (with no harm done) to illustrate the issue.
Frankly this is a whole lot less worrying than Firesheep and way more easily addressable.
Actually, that was my original point. If he is already treated as a criminal and a hacker, might as well profit from it. Instead of trying to disclose it publicly and get treated as a criminal, might as well sell it on the black market, don't tell anyone about it and at least profit from all this work.
He might have been stupid to do this, and a bit childish in his approach, but he did not go about it in a way that's reasonably interpreted as malice.
As a Github user, it angers me that they've responded in this way.
In my opinion, an appropriate response is, once a talented teenage pen tester is identified, to pay some attention to him/her and guide their abilities. Maybe you can create a private bounty program for them and provide some rules to abide by, or even teach them how to do things correctly in an adult world.
Suspending their account immediately might actually be a good initial slap on the wrist for a teenager. Going forward, I would reinstate their account after some guidance has been provided. Especially for someone who is such a fan of GH.
I think that Western countries have a culture of villainizing teenagers who have some technical ability in pen testing. This needs to change in a way that those talents are guided in a more positive direction. Rather than tasking FBI to send teenagers to jail, why not put these talents to work disrupting China's extensive cyber offensive? Maybe this is why China is kicking our collective butts in cyber security.
> GitHub, in its sole discretion, has the right to suspend or terminate your account and refuse any and all current or future use of the Service, or any other GitHub service, for any reason at any time. Such termination of the Service will result in the deactivation or deletion of your Account or your access to your Account, and the forfeiture and relinquishment of all Content in your Account. GitHub reserves the right to refuse service to anyone for any reason at any time.
That means my company's code can be wiped out by GH at any time, for any reason. Please don't hurt me :(
Verbal, physical, written or other abuse (including threats of abuse or retribution) of any GitHub customer, employee, member, or officer will result in immediate account termination.
What if a GitHub employee cuts me off in traffic and I shout "f--- you!"? My account could be lawfully terminated if the guy finds my Twitter handle.
God, I hate law. I'm sure github folks have good intentions and operate on good will, but reading this stuff gives me shivers.
So if you even threaten to verbally abuse me (a Github customer), your Github account will be immediately terminated. Sweet.
Seriously, this is why no one reads TOS.
Guess they should terminate this one, then:
Sure, but how do you feel about the alternative?
The alternative to law is "I've got a bigger stick, you shut your face or I do it for you", where "stick" is not a metaphor for lawyers on retainer but an actual stick.
I think you mean so that they will tell other people to do what we wanted. Also, that doesn't change the fact that those with lesser power will be in a worse position to enact change. They will usually be on the losing end of "the stick".
No, actually I meant us, but more as a whole. We all vote for laws that are mostly applicable to ourselves (except foreign policy). This is, of course, in theory.
I agree, though, that it's harder to enforce change if you don't have any perceivable stick. People in power can control elections, after all, and there's not enough transparency about what happens ‘at the top’.
Rationalisation is truly the root of all evil and you're falling for it. If violence is not OK then the context shouldn't dictate exemptions. Most members of society call it arrest when a police officer forcefully restrains someone and locks them in a cage. Some of us call a spade a spade and use the proper word for it, which is kidnapping. It's easy to side with the biggest gang in the land, everyone else does it, right?
These arguments are in the same vein as those used by the British to justify colonialism, which is that they built roads and rail and developed the economies of those countries. While true, it doesn't change the fact that a line was overstepped and the action was oppressive at its core. The effects of such actions ripple through the generations. And so it is with our legal system.
To protect (the rich from the poor) and serve (those with money).
If you say that violence is not OK, and context shouldn't dictate exemptions, can I believe that you think violence in self defense is wrong? If that is not your position, legal punishments seem to be that abstracted with respect to time, location, and direct facts.
If you look at the statistics for the re-offending rate post-incarceration, you will find them to be alarmingly high. We have a system which is designed to reduce crime but does not do its job properly.
An anarchy does not imply chaos, merely a lack of hierarchy (the word's roots are "an", not, and "arkhē", power, authority). The main argument for anarchism is that power corrupts, so this system aims to rid a society of corruption by making it impossible to corrupt anyone by keeping everyone on the same level. It's mind boggling that the one political system which preaches absolute equality is often labeled as the most dangerous one, whereas a system which preaches greed and individuality at the cost of everyone else's welfare is "the best system we have".
Looking at the root causes of violence, theft of property and other oppressive actions, they appear to be caused by the inherent inequality of our socioeconomic system. For example, people with dopamine deficiencies tend towards delinquent behavior (e.g. stealing), dopamine deficiencies are caused by excessive drug use and drug use is caused by an inability to cope with one's environment. I would argue that all criminal issues are health issues at their core and that the legal system we currently have treats the effects and not the causes.
I think that a better system would only use violence as a last resort during a situation and never retroactively (e.g. stop a man from killing another man but don't use violence after the situation is defused, including arresting the person). When considering the point that these criminals are behaving in a violent way because they feel threatened and that the police officers are behaving in a violent way because they also feel threatened, it becomes hard to label either of them as good or bad. They're just reacting to their environment but they are, nonetheless, essentially in the same state and performing the same actions. They are, however, both ignorant of the true effects of their actions.
In other words, dig into the causes of crime and try to empathize with the criminals and you'll find that they aren't much different to everyone else, except in the way they have been treated.
Of course, there are edge cases where people are violent due to genetic defects and so are not treatable. I think that the only way to handle these cases is to legitimize their feelings and give them a way to vent without hurting anyone. Give them jobs as butchers or hunters or something.
Either way, driving mental health issues out of the mainstream and marginalizing these people makes it far harder to treat them properly and solve the problem. It's the same issue as with drug prohibition: some countries are finally starting to see drug use as a health issue, not a criminal one, and they are seeing huge benefits from this (e.g. Portugal). The next logical step is to start approaching other criminal issues in the same way.
Having no law would be a form of anarchy. People with more money and power would still rule.
The groups that anarchy would promote would be different from those that having law would promote. In the end, the masses are still powerless.
Not necessarily. Of course, when you need more money and power, that's why groups like the EFF exist. To fight for you.
> In the end, the masses are still powerless.
SOPA passed then, right? Please. This attitude of yours does more harm. Those with the "money and power" would love for you to think this way. Defeatism helps more than money.
As it stands, the law gives us amazing power.
That being said, GitHub has every right to dictate the conditions of their use. You, as a user, have a right not to use their service if you disagree. In fact, this allows competitors to provide their services to you (and there are competitors to GitHub).
Push to Bitbucket! It's also free!
It seems only fair that if I'm allowed to cancel my account with no notice and no reason that they at least have the ability to do the same.
If in doubt, ask your lawyers to have a look at it and get a legal opinion.
1. Egor finds a vulnerability and reports it. https://github.com/rails/rails/issues/5228
2. It gets ignored and he is called a troll.
3. He proves that he was right by doing a harmless commit to the rails master repo.
4. The vulnerability gets fixed quickly as it got the focus of the community.
5. His account gets suspended.
Not sure I agree with the suspension.
Edit: I guess that answers that question. As pointed out in other threads the response to this has shown that HN is no different to other sites and not in a good way. I wasn't even being critical in my original comment but the very suggestion of dissent against the mainstream response is deemed non-conforming enough to warrant anonymous downvoting. That 'hivemind' mentality is the reason I left Reddit. At least others have pointed out this more eloquently than I in relation to this incident.
Hint: it's NOT 40 hours per week. It's not consistent. And there is that little thing called opportunity cost.
To be even close to $54k pa you might need to charge ~$100
do you have any evidence for your assertion? (and why the downvote? i'm just reporting the facts....)
I would be very concerned about this backfiring, but, I would hack Rails a little to report when anybody attempts to use this glitch and wire that into Hubot(TM), so if he does attempt to use this same hole again, the devs are warned instantly
By pushing him out you create moral hazard for future users who discover vulnerabilities. You also, in the near term, risk pissing off the guy who found the vulnerability which could result in very real blowback.
I'm basing this on the assumption that he didn't do anything malicious, i.e. outside his own account. If he did then his near-term risk profile changes dramatically and the move would have been rational.
Given a hacker who found a vulnerability, exploited it within his account, and publicised it we can conclude that (1) he is smart (or lucky), (2) he does not pose an immediate malicious threat, and (3) he has the potential to become a serious problem.
Engaging with him carries the benefit of understanding the vulnerability while opening a dialogue that mitigates the hacker mutating into a serious problem. It carries the cost of not being able to claim, as GH did, that it proactively identified the vulnerability, and thus looking weak. It carries the risk of giving the hacker time to rummage through more of the system.
Suspending him carries the benefit of being able to look strong while mitigating the risk of the hacker causing further damage. It carries the cost of losing a lot of emotional leeway and thus future conversational runway with the hacker. It thus increases the risk of him turning into a serious problem in the shadows. There is also the risk that future users who happen upon vulnerabilities will think twice about publishing their findings under their real name.
Given, as many here have pointed out, that he can create a new account and be equally damaging (the risk is a property of him, not his account), the suspension offers no tangible long-run benefit above that of managing perceptions. I don't know how sensitive GH's user base is to the perception of security.
The unknown here is whether GH has evidence that he acted maliciously, i.e. modified repos in accounts whose owners didn't give him permission to modify.
Working with him to do what? He pissed about a little with WebInspector; it doesn't make him a security consultant.
He threatened to do more damage to your site, why wouldn't you suspend someone like that?
It could also be to reduce legal culpability. If they left his account enabled and he had granted himself access, and later did more damage, they might be liable for negligence? Not sure. IANAL, etc.
Ok that makes sense. In light of that they most likely acted rationally and correctly.
If they were thorough enough to fix it everywhere in their code is a different matter, though.
Take away the good, move on from the bad, and get back to making software better instead of treating the OSS community like a soap opera.
But it didn't stop anyone else - and Egor at least very clearly showed that he was not malicious.
_If_ something had happened then the reaction would have been totally different. "Why didn't GH ban him when they could have before the damage was done?"
Uh? It takes about 5 min to create a new GH account and push a new set of keys; it's not like killing his account does anything aside from annoying him.
What Egor did was to violate sensible disclosure rules. He should have contacted GitHub in private, created a test repo and demonstrated his exploit there, rather than impersonate users and compromise multiple accounts.
If I was in Github's shoes and I was trying to figure out what damage was done, the first step would be to suspend the account doing the damage to make sure no further surprises were headed my way.
(Note: as far as your enterprise or big-corp clients, you probably did the right thing, because that is what they would have done and that is what they expected. So if they are the clients who put bread on your table, then you have acted correctly)
What I think you could have done better (and I speak as a developer, not a corporate client): issue a public note saying something to the effect of "Thanks for finding this out, maybe you'd like to interview with us. But please, everyone, do not do it this way, this is against TOS and most likely illegal. Here is the email where to report these things and we will make sure to give you full credit after we fix the problem".
There was no malicious intent from those comments - and he's done you a favour.
If his account doesn't get reinstated - Github has become something I didn't think it would whilst the founders were still in the business.
It's bad PR with your core demographic.
Did github run over your dog or something?
This was really the worst option: you've taught a kid to keep his mouth shut next time he finds a hole. It will be much safer for him to sell it on the black market for a quick buck.
I know security is always a trade-off, but when your largest and most famous testimonials, with all their mad skillz and street cred, still manage to get it so spectacularly wrong, it's clear that the core engine is as guilty as any other component.
The user has a flag to secure by default, I personally think that is enough. https://github.com/rails/rails/issues/5228#issuecomment-4300...
In other words, Rails actually does have a flag to make the mass assignment feature secure by default. But this flag defaults to 'false'.
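The two comments above turn on how mass assignment behaves with and without a whitelist, and an earlier comment asks for Rails to "report when anybody attempts to use this glitch". The following plain-Ruby example is added here to show both points; it is not code from the thread, from Rails, or from GitHub. It does not load Rails at all: the `User` class, its field names, the `assign_all` and `assign_whitelisted` helpers and the request hash are all constructed for illustration, and the whitelist only imitates the attr_accessible idea in a few lines.

```ruby
# Added example (not from the thread or from Rails): mass assignment modelled
# in plain Ruby, with the open (vulnerable) assigner beside a whitelist
# assigner that also returns the rejected keys so a defender can log them.
# All names below are constructed for illustration; no Rails is required.

require 'logger'

# A constructed user record with one field an end user must never set directly.
class User
  attr_accessor :name, :email, :admin

  def initialize
    @name = nil
    @email = nil
    @admin = false
  end

  def to_h
    { name: @name, email: @email, admin: @admin }
  end
end

# Vulnerable pattern: every key in the request hash becomes a setter call,
# which is how unprotected mass assignment behaves when no whitelist is declared.
def assign_all(user, params)
  params.each do |key, value|
    setter = "#{key}="
    user.public_send(setter, value) if user.respond_to?(setter)
  end
  user
end

# Hardened pattern: only declared attributes are assigned; anything else is
# dropped and reported back to the caller (the signal to alert on).
ACCESSIBLE = %i[name email].freeze

def assign_whitelisted(user, params, accessible: ACCESSIBLE, logger: nil)
  rejected = []
  params.each do |key, value|
    sym = key.to_sym
    if accessible.include?(sym)
      user.public_send("#{sym}=", value)
    else
      rejected << sym
    end
  end
  logger&.warn("mass assignment rejected attributes: #{rejected.inspect}") unless rejected.empty?
  [user, rejected]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request body: it carries a key the sign-up form never offered.
  params = { 'name' => 'alice', 'email' => 'alice@example.test', 'admin' => true }

  open_user = assign_all(User.new, params)
  puts "open:        #{open_user.to_h}"   # admin is now true, granted by the request itself

  safe_user, rejected = assign_whitelisted(User.new, params, logger: Logger.new($stdout))
  puts "whitelisted: #{safe_user.to_h}"   # admin stays false
  puts "rejected:    #{rejected.inspect}" # [:admin]
end
```

The whitelist is the part that Rails leaves opt-in unless the secure-by-default flag the comments mention is turned on; the `rejected` list is what you would feed into an alert so that a submitted key outside the whitelist is noticed rather than silently dropped.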
I see why you'd want to suspend his account while you are fixing the hole. And I can see that it sucks that you got caught in the crossfire. And that reporting the bug quietly instead of announcing it to the whole world would cause much less headache.
OTOH after reading the rails bug report I think that homakov's only option was to make a high profile demonstration and basically shame the Rails devs into fixing it. I realize that it's incredibly shitty for you, but I'm afraid they'd just write it off if he kept it quiet.
Legally, it wouldn't be good to have a TOS and then not enforce it. You never know how that could bite you later on if you get dragged into a dispute.
All this "they should give it back when they're done" is pointless. You can't reward stupid behavior.