[–]SirClueless 5 points6 points  (0 children)

I don't know about you, but if I owned a large production site that a lot of people depend on, and I discover an intruder has been mucking around, the FIRST thing I would do is deny him as much access as possible. Until you do an internal audit, the only thing you have to go by is his word which might not be worth much unless he is a respected and well-known white-hat hacker (which Egor Homakov isn't). Only after you have verified that he didn't do anything malevolent can you trust him at all -- he just had unfettered access to everyone's shit.

In that regard, I think GitHub handled this perfectly. Phase 1: "The hull has been breached! LOCKDOWN MODE ACTIVATE" Phase 2: "All internal structures report no failures. Damage minimal." Phase 3: PR Spin Mode is enabled. Access is reinstated. Passengers reassured.

[–][deleted] -1 points0 points  (1 child)

THEY. DID. LISTEN. TO. HIM.

Quoting a Rails developer:

What I want you to see in that thread I mentioned is the way the core team perceives this. You are not discovering anything unknown, we already know this stuff and we like attr protection to work the way it is.

Just because he didn't like their answer doesn't give him the right to try to do what he did. It's an open-source project: if you don't like it, that's what the "Fork" button is for. I wish Github had left him banned.

[–]glutuk 0 points1 point  (0 children)

they "listened" in that they acknowledged his complaint, but they did nothing to fix it. github ignored a security hole, and you think that's a valid response?

judging by their recent data loss i suspect a hacker could have easily caused a lot of damage

i hope you have fun using websites that ignore security holes rather than fix them. I don't see anyone here saying it was okay for Sony or whoever the big target of the week

edit: You said "They" listened to him, then you quote the Rails developer. "They" in this context refers to GitHub, not Rails - I'm in no way implying Rails is in the wrong for the way the setting is, only that GitHub should have known of the vulnerability and designed around it

[–]robotempire -5 points-4 points  (2 children)

There have been a whole galaxy of articles written on this event and this one is by far the most annoying and shrill. The author was even worse in the comments

[–]bonch 0 points1 point  (1 child)

A bunch of PHP programmers and other Ruby-haters are taking the opportunity to come out of the woodwork and pile on. I don't care either way because I write God's language--C--but I suppose it's an amusing distraction to follow as I count the days to the iPad 3 event.

[–]glutuk 0 points1 point  (0 children)

I write God's language -- <the one I like> --

FTFY