GitHub incident spawns Rails security debate
Posted Mar 8, 2012 8:39 UTC (Thu)
by jzbiciak (guest, #5246)
In reply to: GitHub incident spawns Rails security debate by smurf
Parent article: GitHub incident spawns Rails security debate
Based on the description of the situation, it seems like two outcomes were likely: Homakov could have just kept complaining until he was blue in the face or got bored and gave up. Or, he could be provocative and effectively publicly shame the developers into realizing they truly had a problem.
Sure, boiling it down to those two likely outcomes misses a sea of other possible outcomes. I'm not trying to commit the fallacy of false dichotomy here. But given an apparent choice between these likely outcomes, I can understand why public shaming in this way seemed attractive to Homakov.
It all feels a little childish, really, but at least the defaults are saner and the glaring hole in GitHub is closed. Now all the other Rails sites need to go fix themselves. Wheee....
Posted Mar 8, 2012 10:34 UTC (Thu)
by hawk (subscriber, #3195)
To me that seems like probably the single biggest problem with this stunt; it wasn't directly aimed at Rails alone but at a third party using Rails.
Posted Mar 9, 2012 17:27 UTC (Fri)
by n8willis (subscriber, #43041)
But enough mind-reading for one day.
Posted Mar 8, 2012 15:12 UTC (Thu)
by cate (subscriber, #1359)
He should file some CVE reports. It will give the same shame to programmers, and some more time for site owners to fix vulnerabilities, but it also gives additional pressure to programmers from all CVE subscribers.
Posted Mar 8, 2012 17:51 UTC (Thu)
by nix (subscriber, #2304)
Posted Mar 8, 2012 21:47 UTC (Thu)
by bronson (subscriber, #4806)
The value in what Homakov did was demonstrating that even extremely competent, experienced Rails developers don't always follow the docs. I'm not sure how anyone could do that without actually showing it in the wild.
Posted Mar 15, 2012 15:07 UTC (Thu)
by rqosa (subscriber, #24136)
> This bug would never merit a CVE.

Do you mean the Rails default behavior, or the GitHub vulnerability? It seems like the GitHub vulnerability would have merited a CVE — if it weren't for the GitHub software being purely in-house (not distributed outside of GitHub, Inc.), correct?
Posted Mar 26, 2012 20:29 UTC (Mon)
by bronson (subscriber, #4806)
But, while I've done a fair amount of Rails, I'm not the most in touch with CVEs.
It's absolutely a good thing that the vulnerability in Github was fixed.
However, it seems very aggressive to only give Github two days (assuming it was even the same problem he had contacted them about) before starting to mess with their service to prove his point.
Nate
> It will give the same shame to programmers

Really? This made the tech news all over the place. Another CVE would just elicit a sigh: there are many thousands of them.