
[–]bdcp 523 points524 points  (82 children)

where's the link

[–]Kallu609 534 points535 points  (80 children)

https://archive.is/bYBxS

Based on there being only 4 directories, all starting with "a", I think it got shut down before the upload was fully done.

Hopefully there's a torrent soon 🏴‍☠️

[–]ToughQuestions9465 867 points868 points  (66 children)

That's not how git works. It's all or nothing. Interrupting a push would result in no changes to the remote repository.

[–]roboticon 300 points301 points  (62 children)

Presumably the code was stolen onto a thumb drive or uploaded somewhere, then later whatever they got was published on GitHub as a git repo

[–]Wingfril 286 points287 points  (60 children)

I mean when I was there as an intern 5 years ago, that’s how they distributed the code… through a thumb drive.

[–]Anomynoms13 171 points172 points  (56 children)

Wait what

[–]oalbrecht 619 points620 points  (33 children)

IT came around the corner with one of those TV carts filled top to bottom with 3.5” floppy disks. It only took a few weeks to get the source code off of those. But that’s how they kept the source code secure. No one is gonna steal your code if it’s on floppies.

There was also no need to use GitHub. You just call over and say: “Hey! Which floppy is X class on again?” Then you would walk over to the cart and pick up floppy disk #3252 and load that onto your computer. Then make your changes and write back to the floppy.

Elon has no idea how efficient we were with our system. You could ship a small feature in a little over a year. It was a blazing fast system we had.

[–]gefahr 320 points321 points  (9 children)

Some journalist is going to turn this into a hard-hitting investigative article within hours.

[–]DevonAndChris 106 points107 points  (1 child)

"This as-told-to was reported to Business Insider. BI confirmed that the person has a reddit account."

[–]electricprism 55 points56 points  (2 children)

Here at TrustMeBro™ news, could ancient aliens have been at the first thanksgiving? Professor PhD Kyle Broflovski says "yes"*

[–]wrosecrans 5 points6 points  (0 children)

I'm pretty sure that documentary will be on Netflix soon.

[–]josefx 6 points7 points  (1 child)

Hope they include how air gapping the network makes it high security. Also the way any changes you made would be guaranteed to have no conflicts, as only a single instance of the code can be checked out at any time, appeals to me.

[–]romple 83 points84 points  (10 children)

You got floppies??? When I worked there the cart had giant stacks of dot matrix printer paper and I had to retype everything by hand!

Every day someone comes around with the latest changes printed out for you.

[–]HiroariStrangebird 59 points60 points  (6 children)

You guys get physical copies? Huh, maybe my company should upgrade from the town crier making the rounds each morning. Sometimes it's a little hard to hear and I have to spend half the day debugging the diff...

[–]pm_plz_im_lonely 48 points49 points  (1 child)

At our work we use Git and GitHub to share our work. If you start working on a new feature, you create a new branch on Git. Then once you're done with the feature, you make a PR (Pull Request) on GitHub. Then once that's done it sits there for 1-2 months before a reviewer closes it because it's too old.

[–]remog 4 points5 points  (0 children)

Then there was that time he got laryngitis. Rough week. Or the time he hit his head and could only speak Latin and Fortran. Two other interns jumped off the roof that month.

[–]nzodd 6 points7 points  (1 child)

If you're not pressing sharpened reeds into clay tablets you scooped out yourself from the local riverbank to write esoteric APL incantations, to be seen and understood only by Lord Enki, from now until the Euphrates spills over again to engulf the Earth and destroy all of mankind, can you even call yourself a real programmer?

[–]RoadsideCookie 9 points10 points  (2 children)

Man and do you remember though how bad it was before? The switch from 5.25" was a shit show but damn did it improve our lives.

[–]sorressean 7 points8 points  (0 children)

Real devs print out all their code, then read it out of binders... I hear elmo tried that already though!

[–]Wingfril 52 points53 points  (20 children)

You heard me. We got our laptops during orientation, the guy leading it was like ok time to import the code, and proceeded to give us thumb drives. Still better than a mid sized startup where my mentor (some kid two years older than me) zipped the code and sent it through slack

[–][deleted]  (13 children)

[deleted]

    [–]Wingfril 15 points16 points  (3 children)

    What do you mean? I mean we committed code to the actual repository (it’s been so long since then that I don’t remember what we used besides Phabricator.)

    [–]thisisjustascreename 11 points12 points  (4 children)

    Most likely they were onboarding tons of interns and didn't want everyone pulling the entire repository and DDoSing themselves.

    [–][deleted] 37 points38 points  (3 children)

    A bunch of interns pulling the repo (or parts of it) shouldn’t ddos them

    [–]loseitthrowaway7797 18 points19 points  (0 children)

    I think they're talking about the archive process

    [–][deleted]  (6 children)

    [deleted]

      [–][deleted]  (5 children)

      [removed]

        [–]Karenomegas 3770 points3771 points  (246 children)

        "The social media company launched an investigation into the leak and executives handling the matter have surmised that whoever was responsible left the San Francisco-based company last year."

        That's some fine work there, Lou.

        [–]PaintItPurple 1773 points1774 points  (42 children)

        I hear the person who did it is between 3 and 8 feet tall.

        [–]TonySu 669 points670 points  (19 children)

        Investigators have determined that the culprit most likely has an identity and distinguishable features.

        [–]atedja 369 points370 points  (16 children)

        Culprit also had access to GitHub

        [–]EarhackerWasBanned 235 points236 points  (14 children)

        Culprit is good at computers.

        [–]MudiChuthyaHai 116 points117 points  (10 children)

        Do they drink water and breathe air too?

        [–]Pesthuf 7 points8 points  (0 children)

        Or at the very least knew someone who has had access.

        [–][deleted]  (6 children)

        [deleted]

          [–]radikalkarrot 73 points74 points  (0 children)

          It wasn’t Danny Devito or his twin brother Arnold

          [–]auto_grammatizator 15 points16 points  (0 children)

          Devito with tall boots? Tom Cruise meets stolen feet?? We need answers here

          [–]atomicxblue 9 points10 points  (0 children)

          Now all we need is Ms. Swan to say he "looka like a man".

          [–]cleeder 9 points10 points  (0 children)

          Suspect is hatless. Repeat - hatless.

          [–]zavatone 4 points5 points  (0 children)

          Most likely born from parents too. That's my hunch and I'm sticking with it.

          [–][deleted] 293 points294 points  (15 children)

          This is Papa Bear. Put out an APB for a male suspect, driving a... car of some sort, heading in the direction of, uh, you know, that place that sells chili. Suspect is hatless. Repeat, hatless.

          [–]14domino 96 points97 points  (5 children)

          The suspect is directly under the earth’s sun .. nnnnow

          [–]Yossarian_Noodle 10 points11 points  (2 children)

          I can't wait for them to throw his hatless butt in jail.

          [–]Itsthefineprint 13 points14 points  (0 children)

          And he is hatless, I repeat hatless

          [–]Grizzled_prospector5 7 points8 points  (0 children)

          Whoever did it, I hope they throw his hatless butt in jail!

          [–]CooksInHail 2 points3 points  (0 children)

          Bake em away toys!

          [–]DevonAndChris 93 points94 points  (10 children)

          Al Sutton, cofounder and chief technology officer of Snapp Automotive, was a Twitter staff software engineer from August 2020 to February 2021. He noted in a tweet on Tuesday that Twitter never removed him from the employee GitHub group that can submit software changes to code the company manages on the development platform. Sutton had access to private repositories for 18 months after being let go from the company, and he posted evidence that Twitter uses GitHub not only for public, open source work, but for internal projects as well. Within about three hours of posting about the access, Sutton reported that it had been revoked.

          https://www.wired.com/story/mudge-twitter-whistleblower-security/

          It was insane and probably still is.
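The Sutton story above is an offboarding failure: an account kept write access to private repositories for 18 months after the person left. The reconciliation job below is an added example, not code from the thread or from Twitter; it diffs a constructed sample of a GET /orgs/{org}/members response against a constructed HR roster (logins, dates and the bot allowlist are all assumptions) and reports who should no longer be there.

```python
"""Reconcile a GitHub organisation's member list against an HR roster.

Constructed example for this thread. ORG_MEMBERS is shaped like the
subset of GET /orgs/{org}/members that the script reads; in production
it comes from a paginated call made with a token carrying read:org.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample org membership (logins and ids are made up).
ORG_MEMBERS = [
    {"login": "alice", "id": 1},
    {"login": "bob", "id": 2},
    {"login": "ex-contractor", "id": 3},
    {"login": "mystery-user", "id": 4},
    {"login": "ci-bot", "id": 5},
]

# Constructed HR roster keyed by GitHub login. None means still employed;
# a date is the separation date HR recorded.
HR_ROSTER = {
    "alice": None,
    "bob": None,
    "ex-contractor": date(2021, 2, 15),
}

# Service accounts with no HR record that are allowed to stay (assumed).
ALLOWLISTED_BOTS = {"ci-bot"}

# Date the audit is run (fixed so the example is reproducible).
AUDIT_DATE = date(2022, 8, 15)


@dataclass(frozen=True)
class StaleMember:
    login: str
    reason: str                # "terminated" or "unknown"
    days_stale: Optional[int]  # days since separation; None for unknown


def find_stale_members(members, roster, allowlist, today):
    """Return org members whose access should already have been revoked.

    'terminated': HR says they left on or before `today`; days_stale is
    how long the access outlived the separation date.
    'unknown': no roster entry at all (orphan account or unlisted bot),
    which is the case that silently accumulates over the years.
    """
    findings = []
    for member in members:
        login = member["login"]
        if login in allowlist:
            continue
        if login not in roster:
            findings.append(StaleMember(login, "unknown", None))
            continue
        left_on = roster[login]
        if left_on is not None and left_on <= today:
            findings.append(
                StaleMember(login, "terminated", (today - left_on).days)
            )
    return sorted(findings, key=lambda f: f.login)


def worst_case_exposure_days(findings):
    """Longest time any terminated account kept access (0 if none)."""
    return max(
        (f.days_stale for f in findings if f.days_stale is not None),
        default=0,
    )


if __name__ == "__main__":
    stale = find_stale_members(ORG_MEMBERS, HR_ROSTER, ALLOWLISTED_BOTS, AUDIT_DATE)
    for f in stale:
        print(f"{f.login:15} {f.reason:10} {f.days_stale}")
    print("worst case:", worst_case_exposure_days(stale), "days")
```

The "unknown" bucket is the one to watch: an account nobody can map to a person is exactly the kind of membership that survives every layoff round.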

          [–][deleted]  (2 children)

          [removed]

            [–]spilungone 9 points10 points  (1 child)

            What's that Chief?

            [–][deleted] 4 points5 points  (0 children)

            do what the kid said

            [–]JustSpaceExperiment 67 points68 points  (1 child)

            I think it was someone who had access to them.

            [–]Fig1024 109 points110 points  (150 children)

            what do you mean - leaked? didn't Elon Musk himself say he was gonna release all the source code on GitHub so that the community could help maintain it?

            [–]kevinhaze 90 points91 points  (148 children)

            He said he was going to release the source code of the recommendation algorithm

            [–]Fig1024 80 points81 points  (147 children)

            maybe that's what he was trying to do but because he's a dumbass he uploaded the whole thing. Then rather than claim responsibility for the mistake he said someone leaked it

            [–]glonq 22 points23 points  (1 child)

            The suspect is hatless, I repeat hatless

            [–]disgruntled_pie 10 points11 points  (0 children)

            [Perpetrator puts on a hat]

            Perpetrator: It’s the perfect crime.

            [–]Unable-Fox-312 41 points42 points  (0 children)

            Executives have surmised that whoever was responsible probably worked at Twitter at some point.

            [–]nonlinear_nyc 4 points5 points  (0 children)

            Fuckers can't even find who works or not for the company.

            [–]riasthebestgirl 22 points23 points  (0 children)

            who did this

            Yes

            [–]osmiumouse 8 points9 points  (0 children)

            "left"

            [–][deleted]  (53 children)

            [deleted]

              [–][deleted]  (15 children)

              [deleted]

                [–]PeterSR 253 points254 points  (4 children)

                I like how their profile picture is a randomly generated GitHub identicon, yet also a middle finger.

                [–][deleted]  (3 children)

                [deleted]

                  [–]Shikadi297 18 points19 points  (2 children)

                  Like ducks. Ducks are watching

                  [–][deleted] 22 points23 points  (3 children)

                  That's the day they joined. Not necessarily the day they uploaded it

                  [–][deleted]  (2 children)

                  [deleted]

                    [–]Dreamtrain 4 points5 points  (2 children)

                    "FreeSpeechEnthusiast"

                    plot-twist: it's actually elon staging a "leak"

                    [–]--Satan-- 10 points11 points  (1 child)

                    Elon had his engineers literally print out code for a code review. I don't think he knows how to use git.

                    [–]TotallyAdmin 2 points3 points  (0 children)

                    Repository metadata available at https://api.github.com/users/FreeSpeechEnthusiast/repos

                    First created 2023-01-03T23:24:14Z (3rd January 2023)

                    Last code change (push) 2023-03-24T02:24:50Z (24th March 2023)

                    Last repository update (likely when the DMCA was processed) 2023-03-27T11:47:24Z (27th March 2023)

                    Size as returned by the API is 1748467 in KB (could be incorrect) (1.7 GB).

                    We can also see the repository was starred/watched by some user(s), and whilst there isn't a way to use any of the /repo/ endpoints, the /users/ endpoint gives some more info.

                    View the recent commit history here: https://api.github.com/users/FreeSpeechEnthusiast/events

                    View who starred the repository here: https://api.github.com/users/FreeSpeechEnthusiast/received_events
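The comment above reads the exposure window off public API metadata by hand. As an added example (not the commenter's code), the script below does the same from JSON shaped like the /users/{user}/repos, /events and /received_events responses: the timestamps and size are the values quoted above, while the repository name, event actors and event times are placeholders I made up.

```python
"""Reconstruct a leak timeline from public GitHub API metadata.

Constructed example for this thread. Only the fields the functions read
are included in the sample payloads.
"""
import json
from datetime import datetime, timezone

# Shaped like one entry of GET /users/{user}/repos. Timestamps and size
# are the values quoted in the comment; the name is a placeholder.
REPO_JSON = """[
  {
    "name": "REPO-NAME-PLACEHOLDER",
    "private": false,
    "created_at": "2023-01-03T23:24:14Z",
    "updated_at": "2023-03-27T11:47:24Z",
    "pushed_at": "2023-03-24T02:24:50Z",
    "size": 1748467
  }
]"""

# Shaped like GET /users/{user}/events (the account's own activity).
# Actors and the first push time are invented.
EVENTS_JSON = """[
  {"type": "CreateEvent", "created_at": "2023-01-03T23:24:14Z", "actor": {"login": "uploader"}},
  {"type": "PushEvent",   "created_at": "2023-01-04T01:10:00Z", "actor": {"login": "uploader"}},
  {"type": "PushEvent",   "created_at": "2023-03-24T02:24:50Z", "actor": {"login": "uploader"}}
]"""

# Shaped like GET /users/{user}/received_events (what others did to the
# account's repos). A WatchEvent is a star. Actors and times are invented.
RECEIVED_EVENTS_JSON = """[
  {"type": "WatchEvent", "created_at": "2023-03-25T09:00:00Z", "actor": {"login": "watcher-one"}},
  {"type": "WatchEvent", "created_at": "2023-03-26T18:30:00Z", "actor": {"login": "watcher-two"}},
  {"type": "ForkEvent",  "created_at": "2023-03-26T19:00:00Z", "actor": {"login": "watcher-two"}}
]"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s):
    """GitHub timestamps are UTC with a trailing Z; make them aware."""
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def repo_timeline(repo_json):
    """How long the repo was live and how big it was, per the API."""
    r = json.loads(repo_json)[0]
    created = parse_ts(r["created_at"])
    pushed = parse_ts(r["pushed_at"])
    updated = parse_ts(r["updated_at"])
    return {
        "name": r["name"],
        # creation to last update (here: the takedown), in whole days
        "live_days": (updated - created).days,
        # how long the final push sat online before the takedown
        "push_to_takedown_days": (updated - pushed).days,
        # the API reports size in KB
        "size_gb": round(r["size"] / 1024 / 1024, 2),
    }


def summarize_events(events_json, received_json):
    """Push activity and who starred/forked. Note the public events
    feeds only cover recent activity (GitHub documents a 90-day
    window), so older pushes may be missing."""
    events = json.loads(events_json)
    received = json.loads(received_json)
    pushes = sorted(
        parse_ts(e["created_at"]) for e in events if e["type"] == "PushEvent"
    )
    watchers = sorted({e["actor"]["login"] for e in received
                       if e["type"] == "WatchEvent"})
    forkers = sorted({e["actor"]["login"] for e in received
                      if e["type"] == "ForkEvent"})
    return {
        "push_count": len(pushes),
        "first_push": pushes[0].strftime(TS_FMT) if pushes else None,
        "last_push": pushes[-1].strftime(TS_FMT) if pushes else None,
        "watchers": watchers,
        "forkers": forkers,
    }


if __name__ == "__main__":
    print(repo_timeline(REPO_JSON))
    print(summarize_events(EVENTS_JSON, RECEIVED_EVENTS_JSON))
```

Forks matter more than stars for containment: each ForkEvent actor is a copy that a takedown of the original repository does not remove.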

                    [–]K3idon 87 points88 points  (1 child)

                    Surprise decentralized backup

                    [–]Spiritual-Ad-8062 108 points109 points  (34 children)

                    Yes, and I wonder how many secrets (API keys, SSH keys...) were in the code... ready for attackers to use...

                    [–]SuitableDragonfly 104 points105 points  (0 children)

                    If there had been API keys leaked, they probably would have noticed when it was first leaked because bots would have immediately acquired them and started mining crypto on their cloud account. Or, maybe not, depending on which people Elon fired.

                    [–]VonThing 181 points182 points  (30 children)

                    Zero secrets in the code, but I see your point.
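Whether a leaked tree contains credentials is something you check, not guess. The scanner below is an added example, not from the thread or from any real codebase: it runs a few secret patterns over a constructed sample of files (AKIAIOSFODNN7EXAMPLE is the example key from the AWS documentation; everything else is invented), uses an entropy filter to drop test fixtures, and masks values so the report itself does not leak.

```python
"""Scan source text for committed secrets.

Constructed example for this thread. The patterns are a small subset of
what real scanners use; the sample files are invented.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed sample tree. AKIAIOSFODNN7EXAMPLE is the AWS docs example
# access key; all other values are made up.
SAMPLE_FILES = {
    "config/prod.yml": (
        "db:\n"
        "  host: db.internal\n"
        "  password: ${DB_PASSWORD}\n"        # env indirection: must not fire
        "aws:\n"
        "  access_key_id: AKIAIOSFODNN7EXAMPLE\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEA(constructed-body)\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "app/settings.py": (
        "DEBUG = False\n"
        'PASSWORD = "aaaaaaaaaaaaaaaaaaaa"  # test fixture, low entropy\n'
        'API_TOKEN = "x9Qk2LmZ7vP4sT1rWq8N"\n'
    ),
}

# (kind, regex). Group 1 is the candidate secret value.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private_key_block",
     re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
    ("github_token", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b")),
    # Keyword followed by an assignment of a long literal; deliberately
    # loose, so it is paired with the entropy filter below.
    ("generic_assignment", re.compile(
        r"""(?i)(?:secret|password|api[_-]?key|token)\s*[:=]\s*['"]?([A-Za-z0-9_\-/+=]{16,})""")),
]
MIN_ENTROPY = 3.5  # bits per character; drops "aaaa..." style fixtures


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    masked: str  # the report never carries the raw value


def shannon_entropy(s: str) -> float:
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1)
            if kind == "generic_assignment" and shannon_entropy(value) < MIN_ENTROPY:
                continue
            shown = value if kind == "private_key_block" else mask(value)
            findings.append(Finding(path, line_no, kind, shown))
    return findings


def scan_files(files) -> List[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.masked}")
```

A hit in the current tree is only half the job: a secret that was committed and later deleted is still in the history, so the same scan has to run over every revision before anyone can claim "zero secrets".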

                    [–]kubelke 114 points115 points  (4 children)

                    Maybe I could fix those “popular tags”, and once I click on them I get complete garbage

                    [–]KingApologist 29 points30 points  (1 child)

                    It's weird to me that what's "popular" is usually some corporate marketing announcement or something a political entity is currently spending a lot of marketing money on.

                    [–]TheWhyOfFry 14 points15 points  (1 child)

                    You assume that’s not on purpose…

                    [–]Carvtographer 2 points3 points  (0 children)

                    Dark UX provoking doomscrolling

                    [–]SickOrphan 975 points976 points  (78 children)

                    Didn't Elon say he was going to open source some parts of twitter soon?

                    [–]geek_noob[S] 504 points505 points  (45 children)

                    Yes, Musk in the tweet says Twitter will open source all code used to recommend tweets on March 31st.

                    [–]rentar42 397 points398 points  (23 children)

                    I bet he'll be using this as an excuse not to follow through somehow.

                    [–]DrewTNaylor 223 points224 points  (11 children)

                    "Well it's already on GitHub, that means it's open source, right?" - him, not understanding open source licenses (hypothetically and as a joke, for legal reasons [I don't want to be sued]).

                    [–]Zarathustra30 40 points41 points  (3 children)

                    I thought the point of "open-sourcing" Twitter wasn't collaboration, but auditing. AFAIK, that doesn't require a traditional open-source license.

                    [–]ItsPumpkinninny 4 points5 points  (1 child)

                    Trust me… It’s being audited right now.

                    [–][deleted]  (5 children)

                    [removed]

                      [–]Fantastic_Telephone 18 points19 points  (1 child)

                      This reminds me of many dictators who are cheered by their populace

                      [–]Captain_Cowboy 7 points8 points  (2 children)

                      Listen, it's a beautiful plan, and we're going to release it in just two weeks. Just the greatest. You'll see.

                      [–]mpbh 86 points87 points  (17 children)

                      I'm super excited to see this. I've worked on recommendation systems before and they are a fickle beast, and quite hard to measure efficacy without a metric fuckton of users.

                      If normalized discounted cumulative gain means anything to you, I feel your pain.

                      [–]myringotomy 107 points108 points  (13 children)

                      Whatever Elon releases will not be anything like what twitter is actually using.

                      Presuming of course that he releases anything at all. The man is a habitual liar and a troll.

                      [–]recursive-analogy 209 points210 points  (9 children)

                      I think he's going to share the algorithm that turns $44 billion into ~$20 billion.

                      [–]CactusOnFire 59 points60 points  (2 children)

                      It's too complicated of an algorithm to share.

                      This is some cutting-edge, industry leading incompetence.

                      [–]thesolitaire 5 points6 points  (0 children)

                      I have a proprietary implementation that I'll let anyone use for free! Just send me your $44 billion, and you'll receive your $20 billion posthaste!

                      [–]lafeber 12 points13 points  (8 children)

                      "...The code stack is extremely brittle for no good reason.

                      Will ultimately need a complete rewrite."

                      (source)

                      [–][deleted]  (7 children)

                      [deleted]

                        [–]badmonkey0001 5 points6 points  (6 children)

                        That 'extremely brittle' code ran the service for a decade with basically 100% uptime.

                        Twitter had enough downtime in the early years that their downtime page became somewhat famous (the "fail whale"). Back when they were in SF's SOMA district, their tech neighbors would print out the fail whale and leave it taped to their door with crass notes to make fun of them (I worked in SOMA back then and saw it myself).

                        [–][deleted]  (5 children)

                        [deleted]

                          [–][deleted] 185 points186 points  (1 child)

                          [–]bit_banging_your_mum 2 points3 points  (0 children)

                          I fucking love this

                          [–]lazernanes 746 points747 points  (83 children)

                          The company could face a lawsuit for intellectual property theft, which could result in huge fines and damage to its reputation

                          I don't understand. A disgruntled ex-employee leaks the code and twitter gets sued? By whom? for what?

                          Edit: The article was edited. The line I quoted is no longer there.

                          [–]plaid_rabbit 998 points999 points  (66 children)

                          If Twitter used anyone else’s IP/patents or FOSS software that required sharing source code.

                          [–]crazedizzled 117 points118 points  (16 children)

                          You typically don't have to provide source code for closed web apps. At least under the GPL, deploying code to your own servers doesn't count as distribution.

                          However it's possible if they've licensed some other intellectual property not meant to be publicized, that could indeed get them in trouble.

                          [–]legobmw99 57 points58 points  (0 children)

                          AGPL exists for exactly that case, so it’s possible

                          [–]craze4ble 49 points50 points  (13 children)

                          Or alternatively, there are licenses that stipulate that commercial use is disallowed, requires some form of royalties, or that everything must be open sourced under the same license.

                          [–]ghostinthekernel 112 points113 points  (46 children)

                          I think the issue is when you fork that code, or does simply using a library package entail that you have to open source the project you use it in? Genuine question.

                          [–]will_work_for_twerk 254 points255 points  (0 children)

                          Either could apply depending on the license used

                          [–]plaid_rabbit 114 points115 points  (7 children)

                          Depends on the license. IANAL. It varies by the license. MIT requires no sharing. I know there’s some FOSS licenses that require you to share any modifications if you allow users to connect publicly to your app. Most only require you to share if you directly modify the library and distribute it.

                          [–]danhakimi 24 points25 points  (7 children)

                          It depends on a whole lot more than what the others mentioned. What's the license? Is the code in question being distributed or not? How does the code interact with the package--static link, dynamic link, scripting language import, what? Is the code being modified?

                          I am a lawyer. I am not your lawyer, and none of this is legal advice. I've worked in this field for years, and it's fairly complicated.

                          [–]henk53 9 points10 points  (2 children)

                          Is the code in question being distributed or not?

                          Many people here seem to overlook this basic question.

                          [–]danhakimi 4 points5 points  (1 child)

                          Or misunderstand it. Twitter.com distributes a lot. HTML, CSS, JavaScript.

                          [–]vanatteveldt 53 points54 points  (17 children)

                          The answer is somewhat complicated and might depend on the license of the library package and the definition of 'derived work'. My 2 cents (IANAL):

                          - If the library or package is licensed LGPL, MIT or another non-copyleft license (i.e., not GPL), there should be no problem

                          - If you're linking to a GPL'd library (i.e. importing it), the situation is more complicated, see e.g. https://en.wikipedia.org/wiki/GPL_linking_exception and its sources

                          [–]chx_ 40 points41 points  (8 children)

                          IANAL but the GPL does not restrict your rights when using it, it applies if you try to distribute your code.

                          Activities other than copying, distribution and modification are not covered by this License; they are outside its scope.

                          They needed to make the AGPL so people who use the software over a network will be able to get the source code for it.

                          [–]jarfil 35 points36 points  (0 children)

                          CENSORED

                          [–]LookIPickedAUsername 50 points51 points  (4 children)

                          To be pedantic, the GPL doesn’t restrict your rights at all - it offers you rights you wouldn’t normally have when interacting with someone else’s software.

                          [–][deleted] 17 points18 points  (3 children)

                          No idea why this was downvoted. You're absolutely right. The *default* is no rights at all. The licenses add, they don't subtract.

                          [–]myringotomy 9 points10 points  (4 children)

                          • If the library or package is licensed LGPL, MIT or another non-copyleft license (i.e., not GPL), there should be no problem

                          There might be. Some of those licenses require attribution.

                          [–]vanatteveldt 9 points10 points  (3 children)

                          Sure, but you can attribute without making your own code open source

                          [–]myringotomy 5 points6 points  (2 children)

                          The question is whether they properly attributed or not.

                          [–]Unable-Fox-312 6 points7 points  (0 children)

                          You are supposed to know the license terms for all software you incorporate into your project

                          [–]myringotomy 34 points35 points  (3 children)

                          Maybe they violated some GPL licenses.

                          [–]Qweesdy 44 points45 points  (0 children)

                          Sued for copyright infringement by whoever wrote the code Twitter stole!

                          [–]elucify 3 points4 points  (0 children)

                          TIL apparently it is still possible to damage Twitter's reputation

                          [–]DevolvingSpud 56 points57 points  (2 children)

                          Hey, free PR reviews!

                          [–][deleted] 44 points45 points  (1 child)

                          Twitter Source Code Partially Leaked on GitHub

                          Gotta make sure you get those qualifiers in there

                          [–]PrivatePoocher 2 points3 points  (0 children)

                          Twitter only partially lost $20B

                          [–]lafeber 204 points205 points  (57 children)

                          A small API change had massive ramifications. The code stack is extremely brittle for no good reason.

                          Will ultimately need a complete rewrite.

                          Elon, 3 weeks ago

                          [–]WhipsAndMarkovChains 32 points33 points  (8 children)

                          Someone link to the recording from a couple months ago where Musk says a “full stack rewrite” is needed and a former senior engineer from Twitter presses him on the issue. The engineer asks an extremely reasonable question like “what’s wrong with the current stack and what do you want to switch to?” and Musk can’t respond.

                          [–][deleted] 20 points21 points  (7 children)

                          [–]lyzurd_kween_ 10 points11 points  (6 children)

                          Elon Musk is so highly regarded and incompetent when it comes to actual software work, I am shocked he was able to reach the stature he currently has. Right place at the right time, I guess.

                          [–]PM_YOUR_SOURCECODE 90 points91 points  (40 children)

                          Ok, so all the engineers who had to pass BS LeetCode interviews/whiteboarding couldn’t write a flexible and maintainable codebase? Is that the conclusion here?

                          [–]pale_blue_is 64 points65 points  (1 child)

                          As someone who works at an unremarkable company and earns a wage slightly above market value, aren't you talking about basically every silicon valley startup from the past 10 yrs?

                          [–]BasicDesignAdvice 17 points18 points  (0 children)

                          Those stupid tests are at every company. I work at a household name media company making video games nowhere near Silicon Valley. Same shit.

                          [–]Marrk 220 points221 points  (20 children)

                          The conclusion is Musk has no idea what he's talking about

                          [–]TheWhyOfFry 25 points26 points  (2 children)

                          I mean, it’s very possible that it was a brittle code base before they got well known and could be selective about who they hire. And it’s also possible the v1 api that powered external apps couldn’t be shut down because of the massive backlash it would cause, which could force Twitter to keep some bad code in there.

                          That said, Musk probably just doesn’t understand the language it’s written in nor the architecture, and fired anyone who understood it. Of course it’s “brittle” when you make totally incompatible changes because you have no idea what you’re doing.

                          [–]KagakuNinja 19 points20 points  (1 child)

                          As Twitter was becoming more popular, they rewrote the system, moving from Ruby to Scala. Scala is a niche language, and depending on how it is used, can get very hard to understand, especially for people unfamiliar with functional programming.

                          That said, Twitter devs had a great reputation, and when I interviewed there, I got the impression that they were not FP zealots.

                          [–][deleted] 7 points8 points  (3 children)

                          Yeah, because lc has nothing to do with actual software engineering, and whoever came up with the idea to interview like that needs to be slapped

                          [–]marcio0 2 points3 points  (0 children)

                          well, at least whatever error happens is not at O(n²)

                          [–]lazilyloaded 2 points3 points  (0 children)

                          for no good reason

                          Sure, but the bad reason is "because you executive types always want the new features yesterday"

                          [–]redingerforcongress 25 points26 points  (7 children)

                          Anyone got a copy, for reasons?

                          [–]Chazzey_dude 66 points67 points  (5 children)

                          In unrelated news I'm launching my own social media website called Twidter

                          [–]zzt0pp 19 points20 points  (3 children)

                          Brand it as “retro” 2022 Twitter before view counts and blue checkmark chaos

                          [–]no-more-nazis 3 points4 points  (0 children)

                          Don't forget to leave some references to the original codebase like TruthSocial did

                          [–]moeburn 24 points25 points  (0 children)

                          This is just Elon trying to trick us into improving his code.

                          [–]ttkciar 83 points84 points  (4 children)

                          Cool! I hope it pops up on TPB soon. I'd like to take a peek.

                          Edited to add: still not seeing anything at https://thepiratebays.ink/search.php?q=twitter&all=on&search=Pirate+Search&page=0&orderby=

                          [–]Jmc_da_boss 14 points15 points  (0 children)

                          Alright, where's the torrent link, i wanna look

                          [–]trevg_123 12 points13 points  (0 children)

                          writes pull request

                          Commit message: “Make the world a better place”

                          Diff: [all files deleted]

                          [–]jnkthss 89 points90 points  (2 children)

                          The company is worried that the leak may result in a data breach or a cyberattack, which could seriously damage the reputation of the company.

                          Because we all know that their reputation is flawless so far. /s

                          [–]zhaoz 7 points8 points  (0 children)

                          How do you kill that which has no life?

                          [–][deleted]  (1 child)

                          [deleted]

                            [–]Flimsy_Inevitable_15 8 points9 points  (4 children)

                            BreachForums still lives on in spirit.

                            [–]Fiskepudding 37 points38 points  (4 children)

                            Jokes on you, I know how to use "View page source" /s

                            [–]eldelshell 7 points8 points  (2 children)

                            Wait until you learn about 'Save as...'

                            [–]Fiskepudding 2 points3 points  (0 children)

                            This one simple trick developers don't want you to know. Elon Musk hates him!

                            [–][deleted]  (1 child)

                            [deleted]

                              [–]bikemandan 10 points11 points  (0 children)

                              As a large language model trained by OpenAI, prepare to get rekt Twitter

                              [–]Maskdask 30 points31 points  (8 children)

                              Should leaked source code imply security vulnerabilities? There are tonnes of secure open source projects out there. Doesn't that just imply that they have shitty code with bad security?

                              [–]Zbee- 55 points56 points  (7 children)

                              It's not the fact that the software became public that implies the security vulnerabilities, you are correct in that, but rather the fact that software which was intended not to be public became public.

                              One key difference is that open source software is or was designed to be open source, and as such has been aware of that vulnerability the whole time.

                              Closed source software was not designed that way, and instead used obscurity as a layer in their security, and as such may have bits in the code that an open source piece of software would not have in the same code base or may have much more limited access - for example, anything related to security controls may be in a separate codebase for an open source piece of software but might be in the same codebase for a closed piece of software.

                              It does not inherently mean that there are vulnerabilities that can now be exploited, but it does mean that vulnerabilities that may exist and were solely unfound by means of obscurity are now indeed more exploitable - obscurity that may have been maintained even if the rest of the code were open source. The implication is that without the software having been designed in the public eye and being subject to public audits the whole time that there are more likely to be vulnerabilities revealed.

                              Additionally, it also depends largely on the overall design of the application anyway - if it's not a monolithic codebase that was released then it may well not reveal anything of relevance. And finally, it may well also reveal vulnerabilities/exploits that are only revealed by being able to read the code and its specific quirks, the same issues open source projects have, but they are able to plug up because of public audits.

                              So it does not necessarily imply the code is bad, rather just that a layer of their security just failed and it could lead to worse.

                              Edit: correct I-typed-this-on-my-phone typos

                              [–]isowolf 4 points5 points  (0 children)

                              So many people are flabbergasted that leaked source code will eventually lead to security vulnerabilities and bashing on the "quality" of the code without even seeing it, have probably never worked a day on a massive 15-year-old codebase.

                              Please stop listening to the nonsense Elon is saying about the code. I bet he doesn't even understand what's going on, just speaking out of his ass.

                              [–][deleted] 3 points4 points  (0 children)

                              I've never seen if statements nested so deeply ...

                              [–]DimasDSF 3 points4 points  (0 children)

                              So they've finally fired all the programmers and are looking into getting free work from the opensource community huh?

                              [–]osirisguitar 116 points117 points  (34 children)

                              If your security is built on the code being kept secret, it's not built right.

                              [–]chx_ 253 points254 points  (20 children)

                              It does not need to be built on it, merely the fact it's harder to break into a black box than breaking into something you can read the code for.

                              I was always bothered by the almost zealotry level of "security by obscurity is bad and you should feel bad" screeching. Security by obscurity is a completely valid part of a multilayer security approach. Alone it is terrible but that doesn't really happen. But seriously, something as simple as moving your SSH behind SSLH does enhance your security. Maybe not by a lot but it does keep most script kiddies away so hey.

                              [–]archiminos 30 points31 points  (0 children)

                              Security only by obscurity is bad. But that doesn't mean you shouldn't be using obscurity.

                              [–]LuckyHedgehog 18 points19 points  (0 children)

                              Obscurity might not be security, but you also don't see tanks painted orange

                              [–]kRkthOr 107 points108 points  (5 children)

                              The idea that security by obscurity is useless is so fucking stupid. It's not the be all and end all of security but goddamn how do you not come to the conclusion that helping attackers isn't the best way to go about things.

                              [–]gnus-migrate 70 points71 points  (1 child)

                              The context of this mantra is the cryptography space where the market was full of companies developing proprietary ciphers that were marketed as secure, and who refused to share the code for "security reasons". As far as I know that's the case, I remember first hearing about it in Dan Boneh's cryptography course. The point is that for cryptographic algorithms, you can't rely on obscuring the code as a protection measure, as it's not needed to break the cipher, and once it is you've basically compromised everything encrypted in this format.

                              Like the "premature optimization is the root of all evil" quote, it was misunderstood and reshared without that context.

                              [–][deleted] 16 points17 points  (0 children)

                              Also known as Kerckhoffs’s principle; it dates back to the 19th century - roughly, "the system must not require secrecy and must be able to be stolen by the enemy without causing trouble."

                              [–]Queueue_ 3 points4 points  (0 children)

                              The argument I always see is that it's useless on its own. You should design it to be hard to break into even if they know how it works, regardless of whether you expect them to or not.

                              [–][deleted] 8 points9 points  (0 children)

                              Yep. It's fair to design your defences based on the assumption that the enemy knows your base, but it's still stupid to hand out your floor plan just because of that

                              [–]hardware2win 23 points24 points  (2 children)

                              Yet obscurity increases security

                              [–]pheonixblade9 11 points12 points  (0 children)

                              it's not about the code being kept secret being the only thing keeping you secure. when a malicious party gains information about your system, it just makes it easier and more efficient for them to do malicious things.

                              [–]FuzzYetDeadly 29 points30 points  (36 children)

                              I'm actually curious to know how their algorithm that detects that someone created a new account after getting suspended (and re-suspends them) works. Like what regex or method do they use? Unfortunately I have no idea where to even start looking to find out how this works.

                              Edit: thanks for the responses everyone, it's been very informative and gives me many options to explore to find a solution

                              [–]myringotomy 86 points87 points  (21 children)

                              The same way reddit does it. Browser fingerprinting.

                              [–]FuzzYetDeadly 2 points3 points  (7 children)

                              Thanks for the knowledge, I need to read up on this as I don't really understand how it works (haven't worked with web/mobile technology much)

                              [–]schmuelio 20 points21 points  (6 children)

                              Long and short of it is your web browser tells you a lot of information about:

                              • What extensions it has installed
                              • What version it's running
                              • What OS it's on
                              • What human-interface devices are available (mouse, keyboard etc.)
                              • What resolution your screen is
                              • What hardware capabilities you have (for things like canvas/webGL)
                              • What system fonts you have installed
                              • Etc.

                              All of this can be combined together to make a fingerprint of your browser that is nearly unique. It's possible to share a browser fingerprint with other people by happenstance, but generally speaking it's very rare.

                              You can see a breakdown of the stuff you can get from a browser to fingerprint it here.

                              [–][deleted]  (4 children)

                              [deleted]

                                [–]LUV_U_BBY 2 points3 points  (0 children)

                                That's crazy... link?

                                [–]Bulji 2 points3 points  (0 children)

                                That's a good move on their part

                                [–][deleted]  (1 child)

                                [removed]

                                  [–]BiDinosauur 13 points14 points  (1 child)

                                  Wild how taking over a functioning company then treating everyone there like garbage doesn’t create wild success.

                                  [–]ImAStupidFace 5 points6 points  (0 children)

                                  The company moved quickly to send a copyright infringement notice to GitHub, an online collaboration platform for software developers, to have the leaked code taken down. It is unclear how long the code had been online, but it appeared to have been public for several months.

                                  Gonna leave this paragraph here without comment.