GitHub Hacked

MrSeb writes "Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. GitHub uses the Ruby on Rails application framework, and Rails has been weak to what's known as a mass-assignment vulnerability for years. Basically, Homakov exploited this vulnerability to add his public key to the Rails project on GitHub, which then meant that GitHub identified him as an administrator of the project. From here, he could effectively do anything, including deleting the entire project from the web; instead, he posted a fairly comical commit. GitHub summarily suspended Homakov, fixed the hole, and, after 'reviewing his activity,' he has been reinstated. Homakov could've gained administrative access to the master branch of any project on GitHub and deleted the history, committed junk, or closed or opened tracker tickets."

That's what you get

[For+a+Free+Internet]

That's what you get when you allow Italians like this guy on America's internet. Don't say I didn't warn you.

The remedy is that we all need to be more proactive about patronizing Wisconsin cheese and California wine.

Re:That's what you get

[dunkelfalke]

Dude, it is far worse than you imagine. The guy is obviously Russian. The Russians are coming!

Re:That's what you get

Whoosh.

Re:That's what you get

Yea, uhhh, same you to you.

Re:That's what you get

Ruby just got railed in the ass.

Let this be a lesson. Kiddy toys like Ruby On Rails are for personal websites... not grown up "webscale" stuff.

Re:That's what you get

[hairyfeet]

I KNEW it, its them damned Ruskies again! Fall of the wall my ass, its all a commie plot to let our guards down! We should have listened to the greatest American that had ever lived, General George Patton, hired them damned Nazis sons of bitches, put their asses in Sherman tanks and pointed their asses towards Moscow! That would have taught 'em who's boss! Now even our computers aren't safe from them damned reds!

What no Guantanamo Bay for him?

[stillpixel]

Oh wait.. this is an open source community that understood what his intentions where and didn't have a knee jerk reaction. What I guess intelligence trumps mass panic and ignorance.

Re:What no Guantanamo Bay for him?

[vlm]

Oh wait.. this is an open source community that understood what his intentions where and didn't have a knee jerk reaction.
What I guess intelligence trumps mass panic and ignorance.

You have to realize this isn't some random dude, but a guy "well known" as having an octocat tattoo on his arm...

http://homakov.blogspot.com/2011/07/octocat-tattoo.html

Re:What no Guantanamo Bay for him?

[pinfall]

Oh wait.. this is an open source community that understood what his intentions where and didn't have a knee jerk reaction. What I guess intelligence trumps mass panic and ignorance.

Incorrect assumption. Although there is a passive, appreciate communiy behind such an effort, you will see a joint effort by Italian, European and American authorities to eliminate this violation. Start with international wire fraud, malicious intent to harm, and move down the list to sopa-like attrocities such as violating terms of a website and you've got life in prison. Give them 5 more years of legislation and we'll have Texas-style hangings for these incredibly threatening comical hackers.

I heard a joke once: Man goes to doctor. Says he's depressed. Says life is harsh and cruel. Says he feels all alone in a threatening world. Doctor says,"Treatment is simple. The great clown Pagliacci is in town tonight. Go see him. That should pick you up." Man bursts into tears. Says,"But doctor... I am Pagliacci." Good joke. Everybody laugh. Roll on snare drum. Curtains.

Re:What no Guantanamo Bay for him?

[timeOday]

The real question is whether other more nefarious individuals preceded him undetected.

Re:What no Guantanamo Bay for him?

So an octocat tattoo will protect people from being detailed without trial in Guantanamo Bay?

Re:What no Guantanamo Bay for him?

TBH I'm sure they have. This vulnerability has floated around closed circles for a long time...

Re:What no Guantanamo Bay for him?

[vlm]

For those who don't get the "joke" he's about as close to being an insider as a outsider can be.
It would be kind of like Alan Cox posting a GIT commit in the 3.0 series using Linus's account for April Fools Day, although thats technically wrong, no ones going to freak out, or at least his odds of waterboarding are no greater than any other random innocent civilian, in other words too high in an absolute sense, but in a relative sense pretty low odds... Actually putting this in writing probably ruins the chances of Alan and Linus doing this as a april fools joke...

Re:What no Guantanamo Bay for him?

Such is the power of the Octocat.

Re:What no Guantanamo Bay for him?

Hey don't be so sure, there is likely a SWAT team outside his house in a few minutes.
Hell, anti-terror squad. He could be hacking with WMDs for all we know! THE HORROR!

Re:What no Guantanamo Bay for him?

[TheNinjaroach]

Because of its distributed and decentralized nature, it would be very difficult to sneak any changes into a project or its history undetected. Every other copy of the project repo will begin screaming "foul play" when their developers try to sync.

Re:What no Guantanamo Bay for him?

[abigor]

Oh wait.. this is an open source community that understood what his intentions where and didn't have a knee jerk reaction.
What I guess intelligence trumps mass panic and ignorance.

That's exactly wrong. GH freaked out and banned his account after the Rails team repeatedly closed his bug reports. This story has been on Hacker News for a while now, so you can head there for the full story. His account was eventually reinstated after it was made clear to GH that they behaved poorly.

Re:What no Guantanamo Bay for him?

[Jozza+The+Wick]

Sounds like an example of that ancient Vulcan proverb... only Nixon could go to China.

Re:What no Guantanamo Bay for him?

The more distributed and decentralized the project, the more likely commits will slip by.

Remember, this is GitHub._Hub_. For many projects it's effectively the master branch, much like in an SVN setup.

Re:What no Guantanamo Bay for him?

[DarwinSurvivor]

The very page you linked to quotes him as saying it's fake.

Re:What no Guantanamo Bay for him?

Oh you'd be surprised at what you could find on the public repositories inside source code, Google API keys, passwords, private certificates...

Re:What no Guantanamo Bay for him?

[cnvandev]

Not exactly - he was suspended while they investigated the incident, not when he reported the bug. As they explained on their blog yesterday, their standard procedure is to suspend accounts that get into this kind of thing until they investigate the incident to see if there was anything malicious happening. They determined there wasn't so they reactivated his account. I'd say GitHub handled the situation excellently.

Re:What no Guantanamo Bay for him?

http://twitter.com/#!/homakov/status/176476394455437312

"Thank you all,sweethearts! For support, and shit too. One more thing to clarify. That tattoo is kind of fake made with henna. eat vegetables"

Re:What no Guantanamo Bay for him?

[makomk]

Not really. Suppose you sneak in a boring-sounding commit from one of the core developers of a project. That developer probably won't notice because it's lost amongst the other commits, and even though no-one else will be able to push changes until they merge the malicious commit into their own copies, that's so common in a multi-user repository that all the developers will probably do it without a moment's hesitation.

Re:What no Guantanamo Bay for him?

The core developer will notice as soon as he tries to sync his local branch, because Github would have a commit - from him! - that he doesn't have locally.

GitHub hacked

So, somebody hacked into a computer system to gain access to open source software. Brilliant.

Re:GitHub hacked

[larry+bagina]

github paid accounts can have private repositories.

Re:GitHub hacked

[jeffmeden]

So, somebody hacked into a computer system to gain access to open source software. Brilliant.

If you can't imagine a way that unfettered access to *alter* an exceptionally popular piece of software, virtually undetected, would be useful to someone with unscrupulous intent, then good for you for being so pure of heart. However, in the rest of the world, access like that can be absolutely devastating.

Re:GitHub hacked

[gmuslera]

Looked more like that showed a vulnerability on it.

The real danger are the ones that could had been exploiting it and didn't announced that... and then, modified some obscure core component in a not very monitored repository to introduce a trojan or backdoor into some widely deployed open souce software based on it (i.e. not sure if that problem would make able to mask a commit as one from a trusted and active developer)

Re:GitHub hacked

[cavreader]

The real danger was the people who knew of the vulnerability for quite a while and did nothing to fix it.

Re:GitHub hacked

[vlm]

If you can't imagine a way that unfettered access to *alter* an exceptionally popular piece of software, virtually undetected

I can't imagine a way to do that with git. Sorry, its just pretty hard to do, especially "virtually undetected". git just doesn't work that way. Probably a hell of a lot easier and more likely to succeed and frankly cheaper to get commit rights "the right way" and then sneak in 100 perfectly legit real world commits and just one with an intentional bug or issue or whatever. Now, if by "... alter ... popular ... software.." you mean something like modify the github site and user provided data itself to point to some images on some .ru domain that include yet another drive by MSIE exploit, sure that could probably have been done. But the git hosted projects are basically safe, assuming anyone is actually using them.

Which brings up an interesting attack vector, if you find generic abandoned mp3 player number 2352 on sf or github and "take it over" by whatever means, then you could put weird stuff into it without anyone noticing since no one git pulls it. This could be a problem.

Re:GitHub hacked

[Electricity+Likes+Me]

Indeed, I know a few people who are working on some commercial software with one. This is kind of a big deal (although the risk that someone made subtle alterations to say, the Linux kernel, is also a very big deal).

Re:GitHub hacked

although the risk that someone made subtle alterations to say, the Linux kernel, is also a very big deal.

And would be spotted by GIT right on the first integrity check ...

Re:GitHub hacked

[rioki]

Actually not, if it is a legit commit as Linus... That is the extent he can fake any account...

Re:GitHub hacked

[DarwinSurvivor]

Linus (who WROTE git) would probably find it suspicious that a commit he supposedly made to github wasn't present in his personal git tree.

Re:GitHub hacked

[lgw]

Sorry, its just pretty hard to do, especially "virtually undetected". git just doesn't work that way.

So you're pretty safe, unless someone used a hack that gave him admin access over where the source code for git was stored, and might subtly change the way git works so that it's not so safe after all. Oh, wait ...

A successful "Thompson hack" would be devastating, git adds a new vector vector for one, and this is one heck of a scary vulnerability to be ignored by the maintainers (fortunately, they did fix rapidly once this stunt happened - but what happened in the past?)

Re:GitHub hacked

[DrXym]

It wouldn't be "undetected". There would be a log of your change sitting in the github repo and any clone which pulled from it. In a high activity project that commit might go unnoticed or unreviewed but it would be in the log and potentially someone could spot it and revert it.

The issues is a privilege escalation exploit. Git has no permissions model whatsoever. If you can access a git repo you can do anything you like to it with any name or address you like. Git doesn't care at all. Instead you're supposed to use something like ssh+git, or GitHub or Gitolite etc to act as a gatekeeper and enforce permissions or access to the project. I assume the exploit author figured a way to con GitHub into letting him do anything to the project by bypassing this permissions check in some manner. Perhaps that involves passing a malformed cert, screwing around with cookies or otherwise breaking the permissions in a way that gave him the role he was after to do his commit, or perhaps it was a bug in the admin forms for the website which allowed him to grant those permissions to himself.

Re:GitHub hacked

Linus (who WROTE git) would probably find it suspicious that a commit he supposedly made to github wasn't present in his personal git tree.

You might be right, but anytime you're relying on the fact that someone will "probably find" something, you're fucked.

Re:GitHub hacked

[kangsterizer]

But would he actually look at all commits? Nope, hundred, thousands, you gotta trust where its coming from if it said signed off by .

But hey, there's more. We invented a way to make sure "signed off" is _actually_ the person who say they signed off. It's called a cryptographic signature. And it's generally implemented through GnuPG.

It happens that GIT now support per commit GPG signature for this reason (after telling me so many times "oh we don't see the point for implementing it"). Regardless, if everyone signs the commits and everyone checks the signatures locally via a list of people you trust for commits, any other commit will get rejected/you get a fat warning, etc.

The point with this is that you should be able to pull from anywhere, GitHub, a ssh server, anywhere, and be able to trust the commits. Otherwise, distributed development doesn't make sense security-wise. GitHub got "compromised" this time, it will be another host the next time (or them again), there is no "its fixed now".
Bugs exist, bugs are there, bugs will be there too. You just haven't discovered them yet. So, do use commit signing.

Re:GitHub hacked

I believe that github's major source of revenue is hosting private repositories and I can guarantee that I would never trust someone who sat on this kind of vulnerability to keep my private code private, regardless of if this specific vulnerability was fixed or not.

Re:GitHub hacked

[LiquidFire_HK]

But git is stored in git, so to sneak stuff into it in order to break git's security, you would have to break git's security first.

On the other hand, hiding malicious changes in otherwise legit-looking commits is a whole different issue that has nothing to do with github or git.

Re:GitHub hacked

[lgw]

But git is stored in git, so to sneak stuff into it in order to break git's security, you would have to break git's security first.

With this flaw, couldn't you commit to the git codebase as Linus (or anyone legit) though? Of course, whomever you impersonated might notice.

On the other hand, hiding malicious changes in otherwise legit-looking commits is a whole different issue that has nothing to do with github or git.

Well, you'd need to do this once the normal way to break git, but having done that the 'hiding' part would become trivial (well, with git's tools).

Re:GitHub hacked

[mwvdlee]

everyone checks the signatures locally via a list of people you trust for commits

Somehow this screams "bad idea" to me.

Re:GitHub hacked

With this flaw, couldn't you commit to the git codebase as Linus (or anyone legit) though? Of course, whomever you impersonated might notice.

Not "might". Will notice.

The next time Linus tries to push to the repository, Git will complain about push only allowing "fast-forward" commits, and that he needs to do a pull before the push. Linus will then say "WTF? My copy is the master, this cannot happen", and start looking at the problem.

Nice hacker

[fluffythedestroyer]

Well this is an ironic situation. Good thing he had good intentions lol. I find it funny that since this guy hacked github and they fixed it. But seriously, shouldn't people hire hackers like him to make projects move faster ? l Sincerely believe that if they "work" together, projects would move faster for sure lol.

Re:Nice hacker

[vlm]

I find it funny that since this guy hacked github

See that's the problem. He didn't hack github. There is a wide open door in scaffolded rails apps. I am somewhat involved in rails development and even I know this, but "most people don't care". The problem in as few words as possible is a lack of input sanitation and/or more or less is the equivalent of allowing SQL injection. Makes for easy scaffolding and rollout. All you need to do is tell rails which attributes people should and should not be able to F with, which is trivially easy and impossible to default without turning rails into a fully cognitive AI system smarter than the programmers who refuse to declare which attributes are sensitive and which are not....

The phrases you don't know to google for are "mass assignment protection" and attr_accessible and attr_protected

http://enlightsolutions.com/articles/whats-new-in-edge-scoped-mass-assignment-in-rails-3-1

Re:Nice hacker

Mod parent up.

Re:Nice hacker

[NonUniqueNickname]

This is NOTHING like lack of sanitizing or SQL injection.

Suppose your object has fields "name" and "is_special", and the web form only exposed "name" because "is_special" isn't supposed to be changed by regular users. The hacker who knows "is_special" exists, adds an "is_special" field to the web form on his browser and submits it. The developer probably uses "update_attributes" to process the form, and with default Rails settings it will commit the new "is_special" value to the database (properly sanitized, of course).

To prevent this, the developer may switch the settings to white-list, and provide a list of safe attributes for mass-assignment (update_attributes being one of the mass-assignment methods). Some people believe white-list mode should be the default settings. The hacker, probably being one of these people, found a great way to make his point that even seasoned Rails developers could use a push towards using white-lists.

Re:Nice hacker

[TheNinjaroach]

This is NOTHING like lack of sanitizing or SQL injection.

Yes, the act of processing user-supplied data in an unintended manner is exactly what "lack of sanitizing" means.

Re:Nice hacker

[vlm]

Also, the process of carefully crafting weird http traffic to insert unexpected things is exactly the process for SQL injection, except obviously strange non-developer intended attributes are being inserted instead of "sql EOL character followed by big sql fun" from a classic sql injection attack. Its a very close analogy... The meta-rule that both specific rules lives under is if you're depending on the general internet public to send you something, you can expect someone out there to send you some absolutely crazy stuff and you better be prepared for absolutely anything. If you're not planning on getting UTF-16 encoded XML with embedded COBOL source code for an Intercal interpreter, there's someone in China coding it up right now, so you better get ready for it...

His alternative way to describe how it works and at least one way to avoid it was pretty good, regardless of his analogy analysis skills... I though "as few words as possible" and "more or less the equivalent" was about as wishy washy as I could be when tossing an analogy out there. True, I may have a low /. UID, but I wasn't exactly Moses reading the commandments off the tablets there... And if I was I'd have better commandments than this one...

Re:Nice hacker

[Saxophonist]

I've barely worked with Rails, but from what you're describing, isn't this bug somewhat like the security problems with register_globals in PHP, which started defaulting to "off" almost a decade ago?

Everything old is new again...

Re:Nice hacker

register_globals was even removed from PHP 5.4

Re:Nice hacker

[NonUniqueNickname]

I was thinking sanitation as in string sanitation and SQL injection as in '); drop table students; --. Thanks for pointing out the bigger picture, TheNinjaroach, vlm. I retract the word "NOTHING" from my previous post.

gnu gift does that

Its been around for years

http://www.gnu.org/software/gift/

Re:gnu gift does that

duuuuude, wrong thread

Yet another reason...

...to never use Ruby on Rails or trust any developer who uses it. Such a horrid framework backed by the most elitist pricks I've ever seen. I'm glad they got hacked. The more negative press they get to better. Kick those faux devs out on to the street.

To those Mac fanboys out there who think they are "developers". Grow up, use a real OS, and use a real goddamn language and framework.

Also, GitHub sucks. This should be obvious by their choice of framework to run their site.

Re:Yet another reason...

I use a Mac (well, my laptop is a mac, at least), and I program in Ada. That's definitely a "real goddamn language".

Linux security or trust

This lowers the trust of the Linux source a notch. Who can really go over every line of code in the source to make sure someone hasn't already snuck in something malicious years ago?

Although the advantage of open source is that more eyes can go over it.

Re:Linux security or trust

[Andy+Dodd]

What does this have to do with Linux? The vulnerability was in Rails - and I must say, the attitude of the Rails developers of "We don't have to make the defaults restrictive - let the user secure their app" is a poor one.

Oh, the linked commit is not the only funny one - after this guy's initial report was blown off by the Rails team - https://github.com/rails/rails/issues/5239

Re:Linux security or trust

Nice FUD you got there. Be a shame if anything were to happen to it...

Every patch added to the Linux kernel is (and always has been) reviewed, scrutinized, tested, and prodded by some of the best system programmers in the world. And there's an informal web of trust in place as well. Joe Random Hacker can't just pop up one day and toss a patch over the fence and get it accepted into the mainline kernel. Linus does not accept code from a developer who doesn't have some kind of track record in the community. (Or one who isn't sponsored/mentored by the same.) It's not fool proof (we still have occasional bugs and security vulnerabilities), but it has worked quite effectively for 20 years.

Also, github is not where the main kernel development happens.

Finally, since it's impossible to add something to a git repository without it appearing in the logs (regardless of the github website's security flaws), it would be trivial to simply revert a questionable patch.

Re:Linux security or trust

That is rather easy to answer. Git is a distributed version control system such that you can't make changes without it being noticed by the real authors. See ... http://git-scm.com/about ... for a better explanation. To get something malicious into the code you will need to get into the primary lieutenants source trees.

Re:Linux security or trust

[Kjella]

The master branch isn't on github, if there was any tampering a trivial check against Linus' master branch would see if there'd been any extra git commits. Nobody has to go through more than that. By the way, it's also impossible to insert an "old" commit in git because you'd have to reapply every subsequent patch and all the ids would change. But I guess that you're scaremongering and the mods are either clueless or feeding the troll.

Re:Linux security or trust

What does this have to do with Linux?

2nd line of the summary:

to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others.

Re:Linux security or trust

[pankkake]

Thankfully, no serious projects are hosted on GitHub.

Re:Linux security or trust

[TheRaven64]

That's idiocy on the part of the submitter. Linux is mirrored on github, and it was the authoritative repository for a while after kernel.org was hacked, but now it is not the authoritative repository and patches from there will not be pulled into the official tree unchecked.

Re:Linux security or trust

[autocracy]

This was brought up when kernel.org was compromised last year. The decentralized nature of git makes that really hard to sneak by, especially if you use the kind of process controls that the Linux kernel uses. Legitimate commits go through maintainers, and maintainers will definitely flip if they see code pulls into their repository that they didn't commit. Some deeper discussion about how you can't just sneak things into the past history is here: http://security.stackexchange.com/a/6771/836

Re:Linux security or trust

[MightyYar]

Who can really go over every line of code in the source to make sure someone hasn't already snuck in something malicious years ago?

Your local repository of git?

Re:Linux security or trust

Who can really go over every line of code in the source to make sure someone hasn't already snuck in something malicious years ago?

If you had been paying attention to the kernel.org fiasco, you'd know it's not a who but a what. The what is git and the way it's used for distributed development. Also any decent project will be running automated testing and static analysis. Even legitimate changes often don't make it past (grumble grumble fuck'n test bot). Not that there aren't a lot of who's out there too (Damn you Dr. Seuss!).

There's a lot going against such malicious intent. Most of which is lacking from many commercial closed source offerings which, btw, also get hacked fairly regularly. It just isn't all out in the open for you to see. Open source projects tend to be a bit more honest about fucking up. That's why you hear about it more.

One final thought, why go to such great lengths to insert a back door (and wait maybe 6 months or more to see it deployed) when so many software products already have sufficient holes in them? Misconfigurations are big. So are known security issues that live on in outdated software (bad non updating admins). Add in the typical armature hour fuckups many sites have when the inexperienced decides to dabble with custom forms... yeah it's way easier to just to use existing exploits and fuckups.

Re:Linux security or trust

[lgw]

If git itself is hacked cleverly enough, pulling in an innocuous change to the linix source using get also pulls in the malicious code secretly. Someone might catch it by inspection with other tools - or might not! This is why "Thompson hacks" are scary - if you can mess with the basic tools, you can be very subtle.

Re:Linux security or trust

[TheRaven64]

In this case, however, git itself was not hacked. The web interface of github was hacked.

Re:Linux security or trust

[lgw]

Allowing one to commit a change to git as Linus, or whoever, yes? Or to any git project, really. How do you know for sure what's been hacked in the considerable time between this vulnerability being understood in hacker circles, and this atention-getting stunt. We can hope that "many eyes" would make it hard to sneak something in, but that's no guarantee. At least that door is closed now.

Re:Linux security or trust

[TheRaven64]

A commit made on github by Linus is not automatically pulled into kernel.org. It will be reviewed and merged. Most likely someone would say 'Linus, why did you commit here when you are in charge of the upstream repository? That was a strange thing to do' and he would say 'I did not to that, let us inspect the diff and see if someone has done something malicious'. It's pretty easy to spot this kind of thing...

Strategic software

[aglider]

I think it's time to think about repository for strategic software, like Linux, GCC and so on.
Such a hacking can compromise a large part of the internet. Because someone can introduce backdoors, the nasty ones I mean, so deep to evade any check.

Re:Strategic software

[cr_nucleus]

Such a hacking can compromise a large part of the internet. Because someone can introduce backdoors, the nasty ones I mean, so deep to evade any check.

Well, as far as git goes, you can't make changes undetected because all commits are signed and all clones of a repository have the whole history log.

Re:Strategic software

[FunkyELF]

I think the use of Git makes it pretty safe to begin with.
If someone gained access to do commits to what people consider as the "master" repo, any tampering would have to be done at the head because of all the hashes.
Hopefully the maintainer would realize this the next time they go to push to it Git would tell them that the remote is ahead of them by X commits.
In the case of Linux, I think Linus is the only one who pushes to the master branch, so he would notice.

Re:Strategic software

[sardaukar_siet]

Software survives. If not, it's not good enough. You propose placing it in isolation - that does not breed resilience.

Re:Strategic software

You're wasting your breath. Aglider didn't read or understand how git saved the day with the kernel.org fiasco, what makes you think you'll reach him this time around? His posts oozes out from under the rock he lives and seals the hole behind it so that no amount of information and insight can reach him.

Here's to his next +5 Insightful from moderators that live under the same rock.

Re:Strategic software

[lindi]

Are all commits really signed? I though you could only sign tags.

Re:Strategic software

Wrong. Git is _auditable_ and _verifiable_. But Git can't magically make people notice a commit if they're not interested. For more projects it'd be trivial to slip in a commit, especially when you can make it look like it's coming from someone else.

Re:Strategic software

[mortonda]

Yes, the id of every commit is a cryptographic hash of the contents of that commit, which inherently includes the state before it; if you tried to insert a commit in the middle of the commit tree, all the id's would change, or not compute... Hard to say what would happen, because it just won't work. The tools would all scream at you. It would be very obvious, if it could even be done.

They may not all be "signatures" in the sense of identifying who committed it, but it *does* validate the consistency of the source tree and the commit.

Re:Strategic software

Yes, the US Department of Homeland Security should manage this key strategic repository and full-body scan all commits to ensure there are no hidden bombs or weapons of mass destruction.

Re:Strategic software

[aglider]

You got it right. That was my goal and I got it.
But you failed to get my point: the fun.

Hacked vs Cracked

[qrwe]

Please respect this, once and for all, when posting stuff like this: "Hacking" is NOT "Cracking"! http://www.geek.com/forums/topic/hacking-and-cracking

Re:Hacked vs Cracked

I refuse! He was hacking, hacking, hacking!
 
Seriously guy? Let it go. No one who cares knows and no one who knows cares.

Re:Hacked vs Cracked

The word means what it means now. Sorry. Hacking and cracking are the same thing now. The words meaning has changed. You can thank 30 years of Hollywood movies and 24 hour news for that.

The 'maker' community really shows more what 'hacker' used to mean. You can still use 'that is a cool hack'. But hack, that even has changed to mean 'quick and dirty will probably break at some point'. If one of my co-workers say to me 'i hacked this together' it is usually followed quickly by 'it will probably break'.

You are going to have to let it go, or change hollywoods mindeset and all the news networks mindset in using the 'proper' word (good luck with that).

Re:Hacked vs Cracked

[schnikies79]

Words change. Either move on with everyone else or be left behind.

Your choice.

Re:Hacked vs Cracked

[nigelegin]

In this situation, the term hacking is the correct usage of the term. As per your posted link,

"Hackers will sometimes do questionable legal things, such as breaking into systems, but they generally will not cause harm once they break in."

Homakov only made superficial changes to allow him to commit a snide remark to illustrate and publicize the inherent weakness in a cloud storage system used by many independent developers and commercial entities.

In almost any other situation I would side with you on the horrible misuse/overuse of the term "hacking".

Re:Hacked vs Cracked

[vlm]

the inherent weakness in a cloud storage system

You may want to look at what he actually did. The problem is people who don't understand "mass assignment protection" dumping rails apps on the internet with CRUD functionality and "sensitive" portions of the data.

There's an inherent conflict between just being able to scaffold something up "instantly" and keeping certain attributes locked away from the average users, and this inherent conflict has never been decisively resolved. Any time you have a tool that makes it easy to CRUD, you're going to end up with people going too far and not protecting anything. Going crazy and locking it down is just going to make the 99% of users who don't need it fork, and the 1% who do need it only putting in enough effort to re-open it.

Re:Hacked vs Cracked

I choose left behind.

Re:Hacked vs Cracked

I care.

I host projects on github. I'm glad someone like him figured it out in a decent way instead of some scumbag criminal.

Re:Hacked vs Cracked

Dafenatily.

Re:Hacked vs Cracked

[Anrego]

At this point this is practically a troll.

The battle is over and we lost. Insisting on differentiating between hacking and cracking is just silly now. The word never caught on and never will.

Re:Hacked vs Cracked

[qrwe]

It is not troll. A spade is always a spade, whatever else you may want to call it.

Re:Hacked vs Cracked

[DeathFromSomewhere]

Always?

Re:Hacked vs Cracked

[qrwe]

Touché! :-)

Re:Hacked vs Cracked

[Deathmoo]

This guy should be given a medal. It's not often people will take personal risks for the greater good. Even some of those his actions were to benefit the most aren't properly thankful. I tip my hat to you sir.

Re:Hacked vs Cracked

And next we're taking back porch monkey.

And Those homosexuals have no right to use the word gay.

And what's with spam protection? I don't need protect'n from no meat in a can, thank you.

Does no one understands how language works? First meaning only! It's been that way since the beginning of time! Why are you all looking at me as if I'm ignorant?

Re:Hacked vs Cracked

Please respect this, once and for all, when posting stuff like this: "Hacking" is NOT "Cracking"!
http://www.geek.com/forums/topic/hacking-and-cracking

Are you on Hack-cocaine?

Re:Hacked vs Cracked

It is not troll. A spade is always a spade, whatever else you may want to call it.

And in the US most people will look at you funny and then hand you a shovel .

The definition of "hacker" and "cracker" you are referring to has been deprecated by Pop Culture and language shift. Just as the word "gay" no longer means "happy and carefree", and (at least in the US) the term "faggot" no longer refers to a small stick of wood.

A "cracker" is one of the following, in modern language:
1. A type of bread product.
2. A racial slur for a white person
3. A person who breaks into, i.e. 'cracks', safes or vaults.

A "hacker" is a person who perpetrates computer break-ins. The word comes with a negative connotation, if you want to refer to the older definition of "hacker" you have to qualify it or use a different term such as "Security Researcher".

Get with it, or get left behind.

AH, STUPID MOTHERTRUCKERS !!

I mean, stupid motherfuckers !! It's idiots like them that that gets idiots like YOU get OWNED !!

distributed

[StripedCow]

Fortunately, git is a distributed version control system, meaning that, usually, there is a copy of the sources and history information elsewhere.

Re:distributed

Extra, it has SHA-1 hash, so the intrusion is easily detectable.

Re:distributed

[MadKeithV]

Fortunately, git is a distributed version control system, meaning that, usually, there is a copy of the sources and history information elsewhere.

The truly malicious might blatantly compromise the main repository, and "helpfully" provide poisoned recovery source from multiple already-compromised external sources.

Re:distributed

you don't have any idea how GIT works, do you ? or maybe you are FUDding ?

two words: distributed and Cryptographic authentication of history

Re:distributed

[MadKeithV]

you don't have any idea how GIT works, do you ? or maybe you are FUDding ?

two words: distributed and Cryptographic authentication of history

No, I have no idea the cryptographic details of GIT works - I was responding to the information in the post above mine with a hypothetical evil genius scenario in my limited understanding of DVCS (i.e. copies of stuff in multiple places). I am happy to read that it seems the developers of GIT are smarter than those that developed Sourcesafe. Which isn't a herculean feat.

Re:distributed

[TheNinjaroach]

This informative and highly-modded comment appears to be lost on so many other highly-modded (but incorrect) posts.

Re:distributed

The truly malicious might blatantly compromise the main repository, and "helpfully" provide poisoned recovery source from multiple already-compromised external sources.

You can not do that if the sources trees are using Git. That is part of the original design of Git. To compromise the code you have to compromise the original authors code along with their public key. Repositories could be hosted servers that could be freely editable by the world. And the code would be easy to verify original.

Re:distributed

[makomk]

It's also used for distributed development, which means that usually all the copies of the source and history information have pulled from the upstream GitHub repository and will contain any malicious code that was committed to it.

I felt a great disturbance in the Force

...as if millions of voices suddenly cried out from coffee shops in terror and were suddenly pwned. I fear something terrible, and totally predictable, has happened.

Just wait a few years, Ruby on fails will strike back!

Yeah, Ruby sucks

In a related story, the sun rose in the east today.

Gosh, Github.com runs Linux: Isn't it 'secure'?

Apparently not, and despite all the years of bullshit on /. that Linux = Secure, is just that - complete bullshit, & this is just another example thereof.

http://uptime.netcraft.com/up/graph?site=github.com

Complete bullshit, to further the agendas of the desperate (who have only 1.19% of marketshare on PC Server & Desktops vs. Windows' 95% of better)...

ANDROID on smartphones does the rest (and it IS a Linux) and there's NO QUESTION it's being "shredded" on the security front too (and yet /.'er propoganda for DECADES NOW says Linux = Secure? LMAO, bullshit!).

Re:Gosh, Github.com runs Linux: Isn't it 'secure'?

[Gaygirlie]

Whoa, whoa, someone really goes on a tangent there! You're saying that if there's for example a security vulnerability in e.g. Spotify I can just go around saying it just proves how insecure whole Windows is?

No, this isn't a security vulnerability in Linux, this was a vulnerability on Github's Ruby on rails - installation, nothing more. Ruby on rails is useable on multiple platforms, too, so this would have been just as big a security issue if they ran it on Windows.

Geesh, you ACs and your ignorant comments..

Re:Gosh, Github.com runs Linux: Isn't it 'secure'?

Peter, APK, my love,

You forgot to sign your incoherent rant, that's unusual, especially as per you vs. your mad yourself

Your Precious

Re:Gosh, Github.com runs Linux: Isn't it 'secure'?

Git was written by Linus - the inventor of Lunix. It's a fact that Microsoft Windows is 67% more secure than Lunix which is why do many of my clients gave up on their forays in to Lunix. Yesterday I wiped my last installation of Lunix from my computer. Within 37 hours I was happily running Windows 7, and my glout cleared up. Coincidence? I think not.

Want to stick with Lunix! I'll be by my loving God's side, laughing at you as you burn in Hell. Wait, is this thing on?

Re:Gosh, Github.com runs Linux: Isn't it 'secure'?

Have you ever considered being ontopic instead of being a troll?

it could have been worse

[NynexNinja]

he could have added a one character integer overflow to net/ipv4/tcp_input.c

Re:it could have been worse

[tuffy]

Which would be noticed the next time anyone does a push to the repository. There'd be an unexpected non-fast-forward push, and git would force developers to deal with it by default.

The response of 99.9% of humanity:

[tpstigers]

What's GitHub?

Re:The response of 99.9% of humanity:

[Lunaritian]

This is Slashdot, the 99.9% doesn't come here

Re:The response of 99.9% of humanity:

Why do you read slashdot?

Re:The response of 99.9% of humanity:

[project5117]

This is Slashdot, the 99.9% doesn't come here

Slashdot, home of the 0.1%.

Re:The response of 99.9% of humanity:

[vlm]

This is Slashdot, the 99.9% doesn't come here

Getting close, UID 2018246, I see that 1e9*0.001 = 6000000 so apparently you show we're more than 1/3 of the way there... What is the largest /. UID and how does it compare to six million? I donno how to account for astroturfing and spam and gnaa accounts, on the other hand lots of people read and few open accounts to write, so we're probably breaking into the 99.9% range.

Re:The response of 99.9% of humanity:

[specific]

You must be new here.

Re:The response of 99.9% of humanity:

[gnapster]

Plus, the number is probably slightly inflated by slashdot users who periodically create new accounts just to check and see the current count.

Also, Don't forget the 0.0001 * $WORLD_POPULATION accounts that are owned by Michael Kristopeit.

Re:The response of 99.9% of humanity:

And don't forget the zillions of neglected ACs!

I feel like Zoidberg around here sometimes.

Re:The response of 99.9% of humanity:

[TubeSteak]

Slashdot, home of the 0.1%.

Slashdot, home of the 0.03% with UID's below 7 digits

Re:The response of 99.9% of humanity:

[Hyperhaplo]

Millions? There's only one of you.. and boy are you prolific... and somewhat talented. Up at all hours, hammer and tongs sometimes.. you can go for weeks on end posting all sorts of enlightened prose along with complete bullshit.

My hat off to you, Anonymous Coward, without you /. just wouldn't be the same.

Just like Github isn't exactly the same as it was before

wow how come I commit in master? O_o

Re:The response of 99.9% of humanity:

[thunderclap]

A redneck wal-mart.

Real Hacker

[stanlyb]

This guy is very good example of what the real hacker is, and what they should be. Kudos man.

Re:Real Hacker

This guy is very good example of what the real hacker is, and what they should be. Kudos man.

No. Just no. I believe the way this is supposed to work (depending on whether it is the site config that is bad (a) or the source that needed fixing (b) is:
a. Notify the site that a problem with security exists and show them how it could be exploited. Not do something childish and make "comical commits".
b. If you know how, create a patch to fix the problem and submit it for review. If you don't know how to fix it, notify the project of the problem and how it can be exploited.

Just because it is open source is no reason to go about it in a childish manner.

Re:Real Hacker

Yes. Just yes.

He did a. They ignored him.

He did b, too. He filed a ticket. The ticket got closed, just like that.

He could've just done nothing and waited for someone to mess up Github. Instead he shouted louder.

More props to this guy.

And btw his Octocat tattoo is henna (meaning fake, not a real tatttoo), to all you attention-deficit idiots.

Re:Real Hacker

Wow, you really have no idea how this works do you?

a. Notify the site that a problem with security exists and show them how it could be exploited. Not do something childish and make "comical commits".

Until you can prove that the server side application IS vulnerable to your attack, you have no proof.
If you called General Motors this morning, and told them that you "knew of a possible attack vector" for their brand new webapp, they'd hang up the phone on you.
Commit a comical change to the app at the highest level you have access to, and leave a calling card: you'll get a call back from their department head in a few hours.

b. If you know how, create a patch to fix the problem and submit it for review. If you don't know how to fix it, notify the project of the problem and how it can be exploited.

Just because you know how to exploit a vulnerability, does not require you to "be the good person" to fix it. All you should do as someone concerned about the security of someone else is let them know how you did it.
If they can't solve the issue and would LIKE you to assist them in fixing it; they'll ask.

This is all just common sense. If I walked up to you on the street and took your picture, I expect you wouldn't want me trying to tell you "how to prevent this happening in the future" and "I think you have a problem with people taking pictures of you"

Re:Real Hacker

He did that and, being rails devs, they blew him off...

https://github.com/rails/rails/issues/5228

Just because it is open source is no reason to go about it in a childish manner.

When dealing with children..

All kidding aside, I this was just the right amount of childish for the situation. I loved it!

Re:Real Hacker

[Anrego]

Except he did both a and b, and they basically told him to go pound sand.

c. Demonstrate the vulnerability in a somewhat childish yet harmless and hilarious manner. Give everyone a good laugh, raise more awareness of the issue, and give the rails yet more security related black eyes!

Seems reasonable enough to me!

Re:Real Hacker

And btw his Octocat tattoo is henna (meaning fake, not a real tatttoo), to all you attention-deficit idiots.

On behalf of all the attention-deficit idiots, I would like to thank you for the pedantic douchebag side of the story. It really adds to the conversation.

Re:Real Hacker

Actually NO, I completely disagree with you. Finding a security hole is being nice, informing the _right_ people is just asking for community service to be handed to you. Except when a judge hands it to you, people don't expect a smile on your face doing it. What this user did was basically the same thing, minus the community service, and putting this on the "DO NOW" list.

In a commercial setting, just shutup. Period. If you must be a good samaritan, go anonymously report to a reporter or such to inform the company. And don't be irrirtated that they didn't take you seriously.

The fact is most businesses are extremly childish about this subject but they got expensive lawyers who will make your life a living hell.

Truth on /. get moddowns in effete retaliation?

That's the "best you've got" vs. truths here -> http://it.slashdot.org/comments.pl?sid=2707867&cid=39247333

Lucky it was a white hat

[GameboyRMH]

That could've gone a lot worse...and to think many stupid countries are trying to make such benevolent activities illegal.

Surprise

These days the only way to get some guys to fix their code is to pwn it.

rails people

https://github.com/rails/rails/issues/5228
is a very sad thing to read. basically, he reported this really awful default behavior days ago, and got brushed off by rails maintainers.

The devs were notified and ignored it

[dnwq]

The best thing is this comment by a developer closing Homakov's original bug report, two days before Homakov hacked in:

fxn commented 3 days ago

There was a proposal about changing that flag in #4062 and the consensus is the pros of the default configuration outweigh the pros of the alternative.

Thanks!

Apparently GitHub's own admin isn't "pro" enough...

Re:The devs were notified and ignored it

[MadKeithV]

Apparently GitHub's own admin isn't "pro" enough...

I tried reading that thread but the language is convoluted and I know next-to-nothing about rails - am I reading it right - the devs were essentially saying "pro users know how to secure their installs!" and then got pwned themselves with the exact hack that Homakov had reported?

Re:The devs were notified and ignored it

[dnwq]

Not precisely right: the devs were saying "good users know how to secure their installs" and then Homakov demonstrated just how untrue this was by breaking into what is probably the world's most important and professionally-run Ruby on Rails server, i.e., GitHub. That Rails itself is hosted on GitHub just makes it funnier.

Re:The devs were notified and ignored it

[Medievalist]

am I reading it right - the devs were essentially saying "pro users know how to secure their installs!" and then got pwned themselves with the exact hack that Homakov had reported?

You're reading it right. And he actually had to blatantly pwn them repeatedly before they would deign to take notice, and even then they didn't do anything abou it until they got ridiculed across the entire Internet.

Makes the (broken) PHP development community look relatively sane.

Re:The devs were notified and ignored it

He opened that on rails/rails, though. The issue is:

a) Rails has a built-in feature to prevent this bug
b) Github is not using that feature

The bug is a proposal to add the feature to Rails by default.

He intentionally failed to submit the vulnerability to the Github admins because he wanted to use their site as an example as to why the feature should be default. That's a hilarious way of going about things, but eh

Re:The devs were notified and ignored it

Actually, it looks like he was saying that the benefits of the current configuration outweigh the benefits of the proposed alternative.

The response of 99.9% of Web Developers

[tommeke100]

Matt Damon

I LOL'ed.

"To use the find_mass_assignment plugin, simply install it from GitHub as follows:"

lol.

I'll just put this here

[eternaldoctorwho]

Aliens.

Well *All* the code is fine.

Fortunately, GIT itself, which is a replicated central code revision system, isn't vulnerable to single point repository attack. Thus, he could've injected something, but *any* of the developers would've noticed when they tried to sync local and remote repos. (In fact, this is probably how his commit was discovered.)

So, for all you worry-worts complaining about possible code injections into src, there shouldn't be anything to worry about.

No way

Not with git.

Git is designed from start make any such messing with the source code instantly evident. That's because every developer has a full copy of the source code _and_ history, cryptographically signed. So if anybody changed a comma in any file it will be _immediately_ evident. Much more than a red cloud around you in a public pool. It also makes losing the history of the code virtually impossible (I mean git, not the red stuff around you).

Cut your bullshit please

Github.com runs Linux, and everyone here says Linux = Secure. How come they were broken into then? Don't they KNOW how to write secure code and secure the OS?? Apparently not.

(The funniest part is you're making EXCUSES, nothing more)

Especially after all those years-to-decade here of "Linux is Secure" b.s., that this breakin (amongst others such as this too with the Linux sourcecode repository @ KERNEL.ORG being broken into also in the not too distant past -> http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/ ) exemplifies as pure bullshit.

"Geesh, you ACs and your ignorant comments.." - by Gaygirlie (1657131) on Monday March 05, @09:52AM (#39247463) Homepage

Geesh, you Penguins and your ignorance of how to secure an Operating System and/or server OR how to write secure code... ANDROID only proves MORE OF THE SAME, period.

Re:Cut your bullshit please

[NotBorg]

Steve? Is that you? You know when you wave your arms and dance like a monkey people laugh at you!

No, that's what you get for using a dying language

[Barbara,+not+Barbie]

... among other things.

Ruby on Rails - the perfect blend of poor performance (Ruby) and gaping holes (Rails).

WTF were they smoking?

[miketheanimal]

OK, the blog is slashdot'd at the moment, but lets see if I have this right. Basically, you take an active record and just copy values from the POST data into it and then save it ... and this is the default behaviour? Do I have that right because, is so .... .... dear god, what were the ruby-on-rails people smoking when they thought that was a clever idea, its puts ROR on a level with PHP and its magic global variables. Note only that, but what were the github people smoking, the same? Using an insane facility is doubly insane. Methinks a lot of people need to go and read some web design stuff and realise that active records (or models - django users take not) are not synonymous with the "Model" (business logic) in MVC.

Re:WTF were they smoking?

[gl4ss]

Pardon some of my ignorance but isn't the point of using "smart" frameworks that you wouldn't need to worry about that stuff since the framework should _know_ what parameters it's asking the users browser to submit?

surely there has to be a framework designed with that in mind? "serve the user this blabla page that has these blabla input boxes"-> from the response just read those.

seems that rails(and how github was using it) was moving business logic to random users computers and effectively taking them as a trusted part of the system? maybe the devs should spend more time playing online games and seeing crack cheaters.

Re:WTF were they smoking?

[psydeshow]

Pardon some of my ignorance but isn't the point of using "smart" frameworks that you wouldn't need to worry about that stuff since the framework should _know_ what parameters it's asking the users browser to submit?

surely there has to be a framework designed with that in mind? "serve the user this blabla page that has these blabla input boxes"-> from the response just read those.

seems that rails(and how github was using it) was moving business logic to random users computers and effectively taking them as a trusted part of the system? maybe the devs should spend more time playing online games and seeing crack cheaters.

As I understand it, Rails isn't taking just any fields that a user submits. It's actually checking the fields against the model and only assigning the ones it recognizes. So yeah, it "knows" the parameters it is seeing and they are all valid so we're good to go.

Except that there are fields in any model that the user *shouldn't* be able to change via form. And lo, there is a mechanism in Rails to flag those fields in the model so that this sort of things doesn't happen: attr_accessible flags.

But attr_accessible is simplistic, and doesn't take into account that some users can change fields that others can't. Developers *should* be marking up the model for the most restricted case and then using manual assignments for users with elevated privilege. But compared to banging out a model and dropping it in and having everything just work, that's a pain in the ass.

Unless the framework can make assumptions about how access control works (att_accessible_admin, attr_accessible_editor, attr_accessible_guest etc), there is no easy way around the problem.

Re:WTF were they smoking?

[AlXtreme]

Except that there are fields in any model that the user *shouldn't* be able to change via form. And lo, there is a mechanism in Rails to flag those fields in the model so that this sort of things doesn't happen: attr_accessible flags.

Madness... when defining the form you explicitly define which attributes of the model may be submitted and modified and everything else is ignored. Forms should be the filter between the crap a user may submit and your precious model.

Django does this right in my eyes: allowed attributes need to be stated in the Form if you don't want all fields displayed. If you have different types of users present those users a different form with corresponding list of attributes and additional validation. Subclassing forms makes this trivial to implement and you explicitly whitelist those fields that are allowed to be modified by a particular user.

Not that Django is perfect, but I'm amazed that RoR requires/required blacklisting model attributes instead of handling this explicitly in the form. Kudos to the hacker for outing this design-flaw.

lol @ Ruby security

But Ruby is just so much more...PRODUCTIVE! Once again we learn the error of trusting Ruby scripters with the security of our systems.

Re:Linux? Since when?

[miknix]

"Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others.

Linux??? Can we mod summary as troll? Linux has its origin repository in kernel.org and is distributed over cloned repositories all over the world including my laptop. One can't simply inject a commit into one of those repositories (such as github) and expect it to automatically propagate into kernel.org.

Furthermore, even if you manage to inject a commit into some random project at Github, high are the chances that it would be detected by another developer. Who commits to a repository without reading the commit history?
Now, this Rails vulnerability is rather serious and deserves attention but this article is just plain FUD against github. Congratulations!

He got the results he wanted

[Tchaik]

At least the message was understood loud and clear... It took a couple of hours and a commit to Rails was made to change the default: https://github.com/rails/rails/commit/641a4f62405cc2765424320932902ed8076b5d38

Chumps: You can't moddown truth to hide it

http://it.slashdot.org/comments.pl?sid=2707867&cid=39247333

Chumps: Moddowns do NOT hide facts/truth

Here -> http://it.slashdot.org/comments.pl?sid=2707867&cid=39247333 OR here -> http://it.slashdot.org/comments.pl?sid=2707867&cid=39247755

PHP

This is what happens when you use a piece of shit language like PHP to build real applications... PHP just isn't up to the job. Why on Earth they would even consider using PHP is beyond me.

Re:PHP

[tibman]

like facebook? hardly anyone uses that piece of crap.

Re:PHP

[DarwinSurvivor]

I'm fairly certain the amount of PHP in your standard Ruby on Rails installation is relatively minor.

Re:PHP

hardly anyone uses that piece of crap

Half right

Re:PHP

[DaVince21]

Have you heard the stories about what a huge clusterfuck the Facebook code is?

Frank Drebin knows what to do.

[Beelzebud]

http://youtu.be/5NNOrp_83RU

Re:No, that's what you get for using a dying langu

I see you trollin'.

Best "Penguins" have is more off-topic bullshit?

Funny your crap doesn't disprove what's noted here-> http://it.slashdot.org/comments.pl?sid=2707867&cid=39247333 and here-> http://it.slashdot.org/comments.pl?sid=2707867&cid=39247755 now, does it?

Nope.

Why don't you spend time teaching the dolts @ KERNEL.ORG and GITHUB.COM just exactly HOW to write secure code then instead of trolling douchebag?

They obviously need such instruction, or does the fact they were busted into!

(Now,who KNOWS what kind of "Open SORES source" you'll be getting now & what sort of bushwhacks are built into it after those break-ins)...

However/Then again: That's assuming YOU actually know how to do that, but trolls like yourself, 9/10 times? Useless "armchair QB's" @ best/most.

Your stupidity only proves my points even more, AND, more importantly? ANDROID, & these breakins only do moreso as to MY points I posted...

* Thank you!

So RoR got saved thanks to Git this time...

People are playing apologists for RoR, all singing together: "nothing to see here, thanks to Git Linux (and all the other projects hosted here) shall not get pwned".

Now I agree with the Git part, and that is a very good thing that any wannabe hacker trying to inject a backdoor by modifying Linux shall be caught near-instantly thanks to Git's (very secure) nature.

But shouldn't all these apologists step back a bit and admit that there's a very serious issue here: RoR's security model full of holes?

Like... RoR. Exploit. Anyone?

Gosh, where ae all the rail fans?

[SmallFurryCreature]

Everytime a PHP story is posted, the rail fans rant about PHP's insecurity... yet here a massive flaw in rails basic design has rendered every single rails project out there vulnerable... wonder if the rail fans will acknowledge this massive failure AND the rail team slow response to this in the future. Doubt it.

But don't worry. I will remind them ;)

The lesson here? Never claim your project is more secure because someone somewhere is browsing your root directory right now.

irresponsible

[rilian4]

Why do people who gain such knowledge insist on pulling this kind of crap. Why not just attempt to disclose the bug to the site owners and let them fix it. If they refuse, post the info publicly to force their hand. Defacing a project on the site is like a 3 year finding a crayon and looking up and seeing that there's a wall to draw on.

Re:irresponsible

[Zironic]

He did disclose the publically.
The developers thought it was working as intended.
He hacked the site to show that they're morons.
They patched the issue.

Re:irresponsible

Why do people who gain such knowledge insist on pulling this kind of crap.

For the same reason dipshits like you don't read the fucking article?

Re:No, that's what you get for using a dying langu

I'm told you can find lots of low performance and gaping holes in Las Vegas, too.

Didn't tokens/nounces solve this 15 years ago?

I know it's not that commonly used by webapps but 15 years or so there have been extensive explanation as to how you could cryptographically sign every single POST request so that: a) fixed input parameters could not be modified b) no additional parameters could be added to the POST and c) restriction could be put on what 'user supplied' input parameters could contain.

Are the RoR developers *that* clueless?

Re:Best "Penguins" have is more off-topic bullshit

Their off topic illogical trolling only proves your points even more APK (with their weak mod downs too), rest assured on that account.

They KNEW about this vulnerability?

[msobkow]

When did Microsoft and Oracle start doing Open Source maintenance? Or did the GitHub team download their development principles and follow those instead of doing security reviews?

Both Microsoft and Oracle are notorious for leaving reported bugs open for years unless someone demonstrates an effective exploit using the bug. But historically, Open Source projects have taken such risks seriously and closed the holes long before an exploit showed up.

To me, that "constant maintenance" aspect of open source is it's biggest selling point compared to closed-source products. Not only can people review code and find weaknesses, they can either fix them or submit them as bugs for a project, secure in the knowledge that it will be dealt with.

Apparently that's not the case with all OSS projects. And that's a shame -- because aside from vendor lock-in, this has always been one of the most important "features" that the OSS cognoscenti have preached.

I consider the application of timely repairs and updates so important to security that I built a system whose primary purpose is not to develop initial core application code, but to apply such fixes to all projects under maintenance!

Re:They KNEW about this vulnerability?

[Myen]

There are two groups of developers here.

Ruby on Rails, the framework, had developers that knew about this general class of vulnerabilities - it's easy to write code that ends up being buggy.

GitHub, the web site (that runs on Rails, and hosts the Rails source repository), knew about the general class of vulnerabilities but not that they had these particular instances of them.

It appears that Homakov tried to get Rails to change the defaults so that these things can't happen unless you ask for them, and was rejected as making the framework more difficult for prototyping use; the opinion on the bug was something along the lines of "the developer using the framework should be protecting against this". He then demonstrated in frustration that this was a bad default, since GitHub is one of the leading sites using the framework and is developed by people generally thought of as knowing what they are doing.

It appears that this has worked and the opinion of the framework developers have changed, and no real damage was done, other than possibly reputation.

GitHub, overall, seemed to be collateral damage.

P.S. I don't think GitHub is open source; Ruby on Rails is.

Re:No, that's what you get for using a dying langu

[steveb3210]

This isn't actually a hole in rails..  If you use mass assignment, you need to protect attributes you don't want assigned with attr_protected on your model.

If you don't want people to do this:

@user.update_attributes({:favorite_color => 'blue', :password => 'hacked'})

You need to do this:

class User < ActiveRecord::Base
  attr_protected :password
end

Look @ your off topic troll stupidity

Here (proving his points for him, since you resort to that) -> http://it.slashdot.org/comments.pl?sid=2707867&cid=39250601

Ruby on Fails ?

/ducks

"I'm Bender from Future"

from https://github.com/rails/rails/issues/5239

I'm Bender from Future

ALL UR ISSUES ARE BELONG TO US

geez. github y u SO open?

...made my day.

How do you verify your git repo?

[loom_weaver]

To calm any fears that no rogue commits have been added as a result of this hack?

Is git log enough and looking at the last datetime stamp?

github runs on gentoo?

must have emerge world and it updated rails config files /ducks

Re:Linux? Since when?

[Wraithlyn]

Couldn't resist

Re:No, that's what you get for using a dying langu

[kwerle]

While it's true that it was sloppy coding, it is also true that the default is not really safe - and it probably should be.

LOL, the "Penguin trolls" modded down again?

They're still trying to hide your posts apk via moddowns with no computer-based technical information to justify the downmod. They're pitiful. All they have is their off-topic illogical "comebacks" vs. facts you posted. This is how you know you beat the hell out of them once again as usual.

APK blew away the Penguins yet again, lol

They're still trying to hide your posts apk via moddowns with no computer-based technical information to justify the downmod. They're pitiful chumps. All the Penguins have is their off-topic illogical "comebacks" vs. facts you posted. This is how you know you beat the hell out of them once again as usual.

"Desperate Penguins resort 2 desperate measures"

Like continuing trying to hide your posts apk via moddowns with no computer-based technical information to justify the downmod. They're pitiful and this evidences it. All they have is their off-topic illogical "comebacks" vs. facts you posted. This is how you know you beat the hell out of them once again as usual.

In defense of Rails...

[edelbrp]

In defense of Rails, this isn't a bug, vulnerability, exploit or weakness of RoR its self. The "update_attributes" functionality on a model (which writes new values to a database row) has to be used very carefully. Anybody worth their salt with RoR should know that. If you blindly pass a unsanitized/unfiltered hash directly from the submission from a user to update_attributes, you are definitely asking for trouble and/or are lazy/ignorant at best, imho.

Re:In defense of Rails...

[makomk]

As far as I can tell, the entire point of update_attributes is that it's easy to pass unsanitized data directly from a user request to it and this makes rapid development of Rails applications simpler. Supposedly pretty much no major Rails applications get this right, so it's not surprising the one hosting the Rails Git repository doesn't either.

Re:In defense of Rails...

[edelbrp]

As far as I can tell, you don't know RoR. A reasonable RoR programmer doesn't pass unfiltered input anywhere in the app, especially to something like update_attributes. I avoid update_attributes entirely for that reason.

Re:Linux? Since when?

[miknix]

That pretty much summarizes it :P quite funny also, thank you!

In soviet russia....

Internet hacks YOU!

Re:No, that's what you get for using a dying langu

[Eunuchswear]

This isn't actually a hole in rails.. If you use mass assignment,[...]

No. The problem is that any idiot who thinks he doesn't need to sanitise user input is going to get fucked.

And did.

Re:Linux? Since when?

[Wraithlyn]

I've been spending too much time on Reddit, where 70% of communication is done with memes. (The rest are puns)

Re:No, that's what you get for using a dying langu

[steveb3210]

So if he just told the model that this is a protected attribute, he would have been fine... Its not hard to do this and its a bug like any other bug, not some systematic problem with Rails itself.

Re:No, that's what you get for using a dying langu

[Eunuchswear]

So, you'd rather go with a system that uses fail-deadly than fail-safe.

Ok.

Wrong target re: individuals preceded him...

[Fubari]

Don't think github. Think about other interesting Ruby on Rails sites. Suppose you could access them all quiet-like. For a longgg time. For example: 1: Basecamp 2: Twitter 3: Hulu 4: Groupon 5: Justin.tv 6: Shopify 7: Campfire 8: Penny Arcade 9: Guitar Hero 10: Wayfaring (from a 2011 top-ten list of RR sites: http://www.railshosting.org/the-top-10-sites-built-with-ruby-on-rails )

Based on TFA I thought the hack was more about a default flaw with Ruby on Rails key signing, not anything that was specific to github.

Because of its distributed and decentralized nature, it would be very difficult to sneak any changes into a project or its history undetected. Every other copy of the project repo will begin screaming "foul play" when their developers try to sync.

The real question is whether other more nefarious individuals preceded him undetected.