Weekly Edition
Return to the Security page
| |||||||||||||
Github compromised
The Github repository site has been compromised;
this
posting contains a small amount of information. "At 9:53am
Pacific Time this morning we rolled out a fix to the vulnerability and
started an investigation into the impact of the attack. Database and log
analysis have shown that the user compromised three accounts (rails and two
others that appear to have been proofs of concept). All affected parties
have been or will be contacted once we are certain of the findings."
Anybody hosting a repository there should probably check its integrity just
to be sure.
(Log in to post comments)
Github compromised, or not?! Posted Mar 5, 2012 12:39 UTC (Mon) by fogzot (subscriber, #7152) [Link]
Appatently it wasn't a real compromise. Here's the other end of the story:
http://chrisacky.posterous.com/github-you-have-let-us-all...
Github compromised, or not?! Posted Mar 5, 2012 13:00 UTC (Mon) by tialaramex (subscriber, #21167) [Link]
It's a real compromise because that was the real rails github. If he'd created a test account on github and then messed with it, that would just be a proof of concept. Same demonstration value, but less disruptive, the difference between proving a point and rubbing it in someone's face. Suspending his account seems to me, for that reason, to be an acceptable penalty.
The Rails issue does seem larger, and as others have observed has that familiar ring of all the early PHP problems, where there's a feature which "everybody knows" you mustn't use but for some unfathomable reason they can't grasp that this makes providing it a bad idea and it must be deprecated. When even modern C shies away from providing the shotgun loaded, cocked and already pointed at your foot, you know it's time to take these things seriously.
As a github /user/ this doesn't really bother me, any more than when I used to provide source code as tarball dumps from an HTTP server. Git's cryptographic paper trail is impervious to defects in github, Rails, or Ruby itself. If github won't or can't fix it properly, I'll just move the repos somewhere else and continue as before.
Github compromised, or not?! Posted Mar 5, 2012 13:51 UTC (Mon) by epa (subscriber, #39769) [Link]
This often comes up. If a language or platform has a misfeature which makes it hard to write secure code, it is hard for experts in that language to see why it's a problem. In principle, there is workaround XYZ which you should clearly use if you care about that stuff, but otherwise it is working as designed. The argument that *in practice* lots of programs end up with security holes does not carry the weight it should.
It's similar to user testing: you may test your application thoroughly but when you give it to real users they do all sorts of things you didn't expect and will inevitably find bugs. Constructs which lure unsuspecting programmers into opening security holes (even though those programmers are not totally clueless or careless) should be treated as a security bug just as severe as the hole itself.
Github compromised, or not?! Posted Mar 5, 2012 13:57 UTC (Mon) by clugstj (subscriber, #4020) [Link]
But in this case, it appears that he got pissed off at the "experts in that language" (rails) and took it out on "real users" (github). Not at all a nice thing to do.
Github compromised, or not?! Posted Mar 5, 2012 14:33 UTC (Mon) by sorpigal (subscriber, #36106) [Link] Seems more like he took it out on the expert's issue tracker, which just happens to be run by someone else. A kind of an in-your-face way to make your point, but very effective.
Github compromised, or not?! Posted Mar 8, 2012 22:06 UTC (Thu) by bronson (subscriber, #4806) [Link]
And very necessary because Rails doesn't actually host anything itself. If you're going to demonstrate a trivial attack on Rails, you're going to have to select one of the many sites that use rails.
In this case, just demonstrating the attack is pointless because the docs already say, "don't do that." Homakov needed conclusive evidence that even good Rails programmers miss the docs sometimes.
Github compromised, or not?! Posted Mar 5, 2012 14:26 UTC (Mon) by XTF (guest, #83255) [Link]
> If a language or platform has a misfeature which makes it hard to write secure code, it is hard for experts in that language to see why it's a problem.
Exactly. How many SQL injection vulnerabilities are the result of PHP's mysql_query() design for example?
Github compromised, or not?! Posted Mar 5, 2012 17:27 UTC (Mon) by ajross (subscriber, #4563) [Link]
Actually, if you want to pick on php, the register_globals() misfeature (now fixed) is a closer fit. Rails, (apparently, under the default idiom "everyone uses"), allowed an attacker to override fields in the model object via unexpected CGI paramters. PHP using register_globals() gadget suck the CGI parameters in as global variables.
Basically the same stupid mistake. It's a collision between convenience (representing query parameters as variables automatically without the need to explicitly parse/validate/declare/etc...) and safety (forgetting that the resulting variables are potentially from untrusted sources). Rails leans heavily on the DRY principle, and would be expected to be particularly susceptible to this kind of goof.
Github compromised, or not?! Posted Mar 6, 2012 8:22 UTC (Tue) by Los__D (guest, #15263) [Link]
Wouldn't that be MySQL's mysql_query?
Github compromised, or not?! Posted Mar 9, 2012 12:57 UTC (Fri) by knobunc (subscriber, #4678) [Link]
Nope. mysql_query() is PHP's dangerous by default interface to the mysql DB. There are better ways to do it, but that was one of the earliest, and is documented all over the place.
http://www.php.net/manual/en/function.mysql-query.php
The problem is that it makes it easy to forget to escape the parameters to your queries. Prefer something with placeholders/bind variables.
Github compromised, or not?! Posted Mar 9, 2012 13:21 UTC (Fri) by Los__D (guest, #15263) [Link]
Ah, I was under the impression that mysql_query() was provided by MySQL AB.
Github compromised, or not?! Posted Mar 5, 2012 14:23 UTC (Mon) by tetromino (subscriber, #33846) [Link] > It's a real compromise because that was the real rails github. If he'd created a test account on github and then messed with it, that would just be a proof of concept. Same demonstration value, but less disruptive, the difference between proving a point and rubbing it in someone's face. Suspending his account seems to me, for that reason, to be an acceptable penalty.Messing with the rails github was a reasonable action on Homakov's part. He filed a bug explaining that rails was insecure by default. The bug was closed with little discussion ("There was a proposal about changing that flag in #4062 and the consensus is the pros of the default configuration outweigh the pros of the alternative"). So what could he do, as an ordinary bug reporter, to shift the rails core team's established consensus about the default configuration? Further comments would be likely to fall on deaf ears. On the other hand, creating a bug from 1001 years in the future in the official rails bugtracker wouldn't cause damage to anyone, but would have a pretty good chance of convincing the rails core team that their insecure defaults result in real-world problems.
Github compromised, or not?! Posted Mar 5, 2012 17:41 UTC (Mon) by aliguori (subscriber, #30636) [Link]
There was a security bug in github. Regardless of whether it is due to bad defaults in Rails, it was still a security bug in github.
He exploited the bug and disrupted a project registered by another user. I'm shocked that they even reinstated his account at all. This was entirely irresponsible especially since for a brief period of time, it was a zero-day exploit that someone more malicious could have exploited.
Had github not responded so quickly, this stunt could have put a lot of people's repositories in jeopardy.
Github compromised, or not?! Posted Mar 5, 2012 19:24 UTC (Mon) by PaXTeam (subscriber, #24616) [Link]
> [...]since for a brief period of time, it was a zero-day exploit that someone more malicious could have exploited.
0-day doesn't mean what you think it does. the bug *stopped* being 0-day (read: exploitable by only those in the know) the moment it was published. and from what i read, it wasn't Egor who introduced the bug in the first place or kept its existence secret for any significant amount of time, so if you really want to place blame for exposing github users to danger then you need to look no further than github & rails devs themselves.
Github compromised, or not?! Posted Mar 5, 2012 21:46 UTC (Mon) by aliguori (subscriber, #30636) [Link]
An exploit was in the wild before the fix was available. That makes it a 0-day. See http://en.wikipedia.org/wiki/Zero-day_attack
The terminology comes from the fact that many hacking groups would wait until patch Tuesday, and then disassemble the patch and create exploits. That means that these exploits would have a short window of time (usually a few days) where an administrator could be apply the fix before being concerned about the exploit.
0-day exploits are out in the wild before a fix is available.
Github compromised, or not?! Posted Mar 5, 2012 23:19 UTC (Mon) by PaXTeam (subscriber, #24616) [Link]
> An exploit was in the wild before the fix was available. That makes it a 0-day.
nope, it doesn't. and quoting wikipedia on it just shows how clueless both you and they are. first, the term '0-day' comes from the warez world where it had a different meaning ('fresh stuff', not released and traded anywhere else before that day, and the wiki is wrong on this meaning too, btw). since the late 90's it was then used for similar (initially) 'fresh stuff' traded among the hacker underground signifying the novelty of the exploit and the underlying security bug (read: unknown by anyone else). unlike a warez 0-day though which loses its 0-dayness after one day (there even used to be terms for 0-hour, etc), a 0-day exploit remains 0-day until either the exploit or the underlying bug becomes public. the Microsoft patch Tuesday has never had anything to do with the term, 0-day predates that event by a decade.
tl;dr: 0-day exploits are about bug/exploit secrecy, not fix availability.
Github compromised, or not?! Posted Mar 6, 2012 8:24 UTC (Tue) by Los__D (guest, #15263) [Link]
I just love people who can't accept that an expression doesn't mean what it used to mean. They provide for hours of fun.
Github compromised, or not?! Posted Mar 6, 2012 9:43 UTC (Tue) by epa (subscriber, #39769) [Link]
If you use bizarre and incomprehensible jargon like '0-day' instead of saying what you mean, then you deserve what you get.
Github compromised, or not?! Posted Mar 7, 2012 14:11 UTC (Wed) by pboddie (subscriber, #50784) [Link]
Well, Wikipedia is a wiki, obviously, and you can always improve it by adding references to the proper definitions.
Github compromised, or not?! Posted Mar 6, 2012 11:50 UTC (Tue) by nix (subscriber, #2304) [Link]
It was worse than that. The exploit was a design feature of Rails, and was documented as being a probable security hole! So this is an N-day exploit where N is the moment they documented it...
Github compromised, or not?! Posted Mar 5, 2012 21:28 UTC (Mon) by Wol (guest, #4433) [Link]
You miss the point.
The bug was already "in the wild". The people responsible for fixing it had said "not a problem". Somebody WAS going to exploit it.
Better a white-hat embarassing the project in public for being stupid, than a black-hat actually pulling off a damaging crack.
I repeat - THE BUG WAS ALREADY PUBLISHED AND IN THE WILD.
Cheers,
Github compromised, or not?! Posted Mar 5, 2012 21:47 UTC (Mon) by aliguori (subscriber, #30636) [Link]
GitHub was responsible for fixing the problem, not the Rails community. And the problem wasn't reported to GitHub per their official response.
Github compromised, or not?! Posted Mar 5, 2012 18:00 UTC (Mon) by clugstj (subscriber, #4020) [Link]
Reasonable? How is punching someone in the face a reasonable reaction to being upset with their neighbor?
Honestly, the number of people defending this guy worries me.
Github compromised, or not?! Posted Mar 5, 2012 19:35 UTC (Mon) by fuhchee (subscriber, #40059) [Link]
"How is punching someone in the face ..."
Your analogy is not working for me.
Github compromised, or not?! Posted Mar 6, 2012 0:34 UTC (Tue) by bronson (subscriber, #4806) [Link]
What a bizarre comment. Let's fill in your analogy a little, shall we?
GitHub, Rails, and Homakov are drinking in a bar. Everyone in the bar knows that, if you don't whitelist your wallet, Rails will steal it and punch you in the face. This aspect of Rails is well documented and everyone in the bar laughs when stupid noobs come in from the street and get their wallets stolen and faces punched.
Homakov grows tired of the game and tells Rails to quit being so hard on noobs. Rails ignores him, Homakov persists. Rails gets irritated and tells him everybody loves things the way thtey are and nobody really cares -- the only people who get their faces punched are the ones asking for it.
Homakov still disagrees but, since Rails is such a popular guy, he isn't getting anywhere. So He goes up to GitHub, one of Rails's best friends, and punches HIM in the face. Just lightly on the cheek, no damage done, but the point is made. Everybody in the bar is shocked and suddenly feel rather vulenrable... If it's so easy to punch GitHub in the face, then it's easy to punch ANYBODY in the face.
Rails suddenly realizes he's been acting like an asshole and agrees to change. GitHub was angry at first but that passed quickly and he and Homakov are good friends again. Everyone in the bar feels sheepish for pretending that nothing was wrong. Everybody agrees that it shouldn't have come to that but sometimes you're so wrapped up in your own drink that you lose sight of the bigger picture. Once in a while you need a Homakov to shake you out of your complacency.
And everybody lived happily ever after. Does that answer your question?
Github compromised, or not?! Posted Mar 6, 2012 1:22 UTC (Tue) by junkio (subscriber, #5743) [Link]
Bronson, I am wondering if you meant to call GitHub a noob in Rails programming.
Github compromised, or not?! Posted Mar 6, 2012 2:44 UTC (Tue) by bronson (subscriber, #4806) [Link]
GitHub is one of Rails's best friends and they've been hanging out at this bar for years. Definitely not a noob. That's why it's so shocking to see him get punched in the face!
To see some of the complacency that needed to be shaken loose, start reading here: https://github.com/rails/rails/issues/5228#issuecomment-4...
Github compromised, or not?! Posted Mar 6, 2012 7:08 UTC (Tue) by scientes (guest, #83068) [Link]
This was a fabulous analogy and a great read that gets right to the point, ignoring the numerous trolls (for lulz or for profit), thanks!
Github compromised, or not?! Posted Mar 6, 2012 21:27 UTC (Tue) by jnguyen (guest, #72727) [Link]
Heh thanks for this, made me chuckle! :-)
Github compromised, or not?! Posted Mar 7, 2012 14:15 UTC (Wed) by pboddie (subscriber, #50784) [Link]
It seems like someone has a career in bedtime stories ahead of them. If the listener isn't ready for sleep after that one, one can always add a bit about the people behind the bar naming a drink after Homakov in his honour.
Github compromised, or not?! Posted Mar 5, 2012 21:10 UTC (Mon) by rfunk (subscriber, #4054) [Link]
Yes.
The discussion in the Rails bug report is probably the best place to get the technical history of this: https://github.com/rails/rails/issues/5228
And the likely plan for fixing Rails:
Github compromised, or not?! Posted Mar 5, 2012 21:32 UTC (Mon) by robinst (subscriber, #61173) [Link]
By the way, the default for new applications is already fixed:
https://github.com/rails/rails/commit/641a4f62405cc276542...
And existing applications can enable the configuration option and fix their models to get the secure-by-default behavior.
Github compromised, or not?! Posted Mar 7, 2012 11:32 UTC (Wed) by job (guest, #670) [Link]
How could this not have been obvious from the start? The more I read about this mass assignment thing the more I am saddened by web developers. Did they learn nothing from PHP?
Github compromised Posted Mar 5, 2012 12:42 UTC (Mon) by Gollum (subscriber, #25237) [Link]
The vulnerability in question is a nice one, taking advantage of the RoR Mass Assignment operator to allow overwriting of records which should not normally be exposed.
All RoR apps should check whether they are vulnerable to this.
Github compromised Posted Mar 5, 2012 18:16 UTC (Mon) by wahern (subscriber, #37304) [Link]
The world was shocked--shocked!--when an exploit was discovered in a huge, unwieldly web application. The world was shocked further when said exploit effected mass numbers of people who through no fault of their own flocked to a singular web service to host their Git repos, unfazed by the inherent irony.
Git is super easy to run from your own server. It's simple to publish a read-only HTTP repository that people can clone. (A killer feature when compared to the custom daemons required with CVS and SVN.) But I suppose it lacks the GitHub coolness factor. I mean, why force people to fire up a terminal session to clone a repo when they could login into GitHub and click the hacker analog of "Like"... and then fire up a terminal session to clone the tree. Coolness trumps security every time, I guess.
Github compromised Posted Mar 5, 2012 18:30 UTC (Mon) by dmarti (subscriber, #11625) [Link] The "social coding" functionality is more than you can use from git out of the box. GitHub also has a web API for handling things like pull requests. Is there another hosting package or service that also implements it?
Github compromised Posted Mar 5, 2012 21:20 UTC (Mon) by artem (subscriber, #51262) [Link]
What's wrong with sending pull requests to e-mail list?
Github compromised Posted Mar 6, 2012 15:00 UTC (Tue) by jwakely (subscriber, #60262) [Link]
What email list? There are plenty of repos that aren't fully-fledged projects with mailing lists, just someone uploading some code where others can see it, use it, fork it etc.
(Besides, the kids these days don't seem to understand email; if it isn't a web forum they can't use it!)
Github compromised Posted Mar 6, 2012 19:34 UTC (Tue) by artem (subscriber, #51262) [Link]
There is always groups.google.com where anyone can create a thing that works like a mailing list and has web UI not so much different from a web forum. The only problem is to keep spam away.
Github compromised Posted Mar 7, 2012 0:32 UTC (Wed) by mathstuf (subscriber, #69389) [Link]
If only it provided an nntp interface. Having to choose between dealing with the web interface or getting busy mailing lists to your email account (of course, low traffic lists tend to be okay, but still inconsistent) is a no-win situation IMO.
Though I now see that gmane has an option to indicate that the list is from Google, that may be an option. It can't, unfortunately, work for private lists.
Github compromised Posted Mar 7, 2012 18:01 UTC (Wed) by jwakely (subscriber, #60262) [Link]
You replied to my parenthesis, not the main comment.
If you don't even want a mailing list or anything like it then the fact you can create a google group is not helpful, especially if you'd have to moderate it or let it drown in spam.
If you want to do a code dump somewhere public then GitHub is a reasonable choice. Yes, "social coding" may make you cringe, and it might be full of brogrammers commenting for the lulz, but its UI is far superior to e.g. SF.net, Google Code or Gitorious (I haven't tried Bitbucket because I don't much like Confluence or Jira, they're inferior proprietary copies of decent software.)
Don't get me wrong, I'm not a GitHub fanboy, almost all my FOSS work is done on mailing lists and I'd prefer to see Gitorious improve to the point where it matches or exceeds GitHub's features and ease of use. I'm just trying to respond to "What's wrong with sending pull requests to e-mail list?" as you seem reluctant to accept that might not be the best choice for everyone.
Github compromised Posted Mar 7, 2012 19:32 UTC (Wed) by artem (subscriber, #51262) [Link]
In my point of view, "uploading some code where others can see it, use it, fork it etc" is not enough to be "social". If you want others to use your code, you'd better be ready to accept feedback (not necessarily in the form of pull requests) and participate in discussions. I don't think anyone have invented better media for that than plain old mailing list.
"social coding" does not make me cringe - what seems odd is that people tend to substitute activities on github (or any other "social" site) for real actual social coding (or life).
Github compromised Posted Mar 7, 2012 21:00 UTC (Wed) by clint (subscriber, #7076) [Link]
No, another problem is that you need a Google account or for the group administrator to tweak something to add you.
Github compromised Posted Mar 6, 2012 14:49 UTC (Tue) by jwakely (subscriber, #60262) [Link] Gitorious is great (and I chose it over github for hosting some of my own mini-projects, because it's free software) but the site is quite often flaky (rendering bugs, http timeouts, clicking a link for a different page which reloads the current page, others I can't remember now) and github has many more features e.g. "Edit this file" which allows you to edit code in your browser, then automatically create your own clone and commit to it, so you never need to explicitly clone anything or even have git installed on your own machine. I was sceptical of github's benefit, but I have to admit the UI and features are pretty slick.
Github compromised Posted Mar 5, 2012 18:33 UTC (Mon) by mpr22 (subscriber, #60784) [Link] I value the presence of a public git respository for the (small) project I host on github more than I value USD7 a month, but less than I value not having the burdens associated with running my own server.
Github compromised Posted Mar 5, 2012 20:19 UTC (Mon) by wahern (subscriber, #37304) [Link]
People who understand that managing a server is a burden are precisely the people who should be managing their own servers, if only to help ensure the right and ability of people to continue doing so.
The more people flock to web services, the less demand and necessity for interoperability and standards, _especially_ for non-HTTP services. It's a civic duty to run your own services for those who are capable. Those who are incapable, but do so anyhow, will continue doing so regardless.
Also, I hate to sound like a fanboy but running OpenBSD is significantly less stressful than Linux. For many reasons (simplicity being the biggest, IMO), and particularly for basic HTTP, SMTP, and SSH services. Upgrading is more difficult than a simple `apt-get dist-upgrade', but I've done remote upgrades bi-annually for the past 12 years without a single problem.
The best system administrators are software developers, because the developers understand how crummy most software really is. But for this reason software developers hate doing system administration. It doesn't bode well for the security of any web service, where system administration and software engineering become highly specialized positions.
Github compromised Posted Mar 5, 2012 22:53 UTC (Mon) by kleptog (subscriber, #1183) [Link]
While I could theoretically run stuff I want to share off my own server, I'm also realistic in that I know I won't be able to dedicate the time required to make it work. It's never just a server, to do things properly you need fail overs, backups, alternate sites, etc.
And then it's just way too much work required just to share a single Git repository. You're right, I don't like system administration much.
I do run my own server, but I run it for myself. I know the backups are irregular, that there's no alternative site. But if it breaks no-one else is affected.
The Github's of the world fulfill a need, that's why they're there.
All or nothing or something in-between Posted Mar 7, 2012 14:34 UTC (Wed) by pboddie (subscriber, #50784) [Link]
I don't know why people keep portraying this as a contest between hosting stuff on someone's service with all the weird terms and conditions and running your own server with you being responsible for absolutely everything from the (virtual) motherboard upwards. There are other options.
I remember looking into VPS hosting after deciding to move away from fairly simple static hosting, and after realising that I didn't want the hassle of having to deal with SSH port-scanning and the accompanying attacks and the like (it was a surprise that they left such issues to the average user), I ended up going with a shared hosting provider who gives SSH access, provides a reasonable OS distribution, and lets you install your own software. From that point, you can host repositories fairly easily if you can follow the instructions for your DVCS project of choice.
What hosting (and service) providers are missing, not just in this case but in the area of social networks and other services with a tendency to cultivate dominant providers, is the opportunity to offer convenient but interoperable services to a wider audience. Everyone wants to own the whole cake, no matter how small, instead of having a larger slice of a larger cake, which means that everyone has to watch as the behemoths take all the cake.
Github compromised Posted Mar 5, 2012 23:10 UTC (Mon) by tpo (subscriber, #25713) [Link]
So sf.net was compromized, kernel.org too and now github. OSS got 3 chances to learn but still hasn't. Seems like human nature requires very severe pain to turn around and learn. Doesn't make the future look bright wrt OSS either. We're daring our fortune for some *really devastating* attack.
Github compromised Posted Mar 5, 2012 23:21 UTC (Mon) by rahulsundaram (subscriber, #21946) [Link]
That doesn't make any sense. sf.net and github are both running proprietary software as their web interface. You can't blame FOSS for administrative issues like those in kernel.org.
Github compromised Posted Mar 5, 2012 23:52 UTC (Mon) by drag (subscriber, #31333) [Link]
No, but the same people with the same attitudes and similar practices are the ones that are responsible for keeping your system safe. If they can't use good design and best practices to keep their own systems secure, then what hope does anybody have that is trusting them?
Also. For software projects that are compromised and find out, how many out there don't realize they have been compromised? I can pretty much guarantee you that it's a non-zero number.
It's just as likely as not that this is @homakov fellow is not the first person to use this bug to hack into github.
Github compromised Posted Mar 6, 2012 0:17 UTC (Tue) by dlang (✭ supporter ✭, #313) [Link]
The concern about people not knowing that they are compromised is nothing new, and it isn't limited to websites (let alone open source related websites)
do you really think that the hundreds of thousands of people who's machines make up botnets are allowing this knowingly? or do you think it's more likely that they are unaware that their machine has been compromised?
You may as well start yelling that all banks are unsafe because there have been three bank robberies in the US in the last week (I don't know what the stats are, but from having had a friend who worked in a national bank's security call center, I'm confident that there have been at least that many, just from probabilities)
Github compromised Posted Mar 6, 2012 0:45 UTC (Tue) by tialaramex (subscriber, #21167) [Link]
It's true - programmers introduce bugs into software! Stop the presses.
If you were right that this is somehow an "OSS thing" then no doubt when I look at threads discussing the "password encryption" of this or that proprietary PHP web application I'd find that they've all carefully added Solar Designer's custom PHP salted and pessimised password hash and used it in a compatible fashion rather than say, using a fast unsalted hash or relying on PHP's ancient built-in DES-crypt.
Whereas in reality what I see is stuff like "We use SHA1, so we are not vulnerable to the problems in the MD5 encryption" or "We have a custom algorithm which we are not at liberty to divulge" (which turns out to be something like MD5(password + "specialsauce"))
Also, and far more seriously, in reality when we look at Chip and PIN we see that banks were reluctant to even invite known white hats from outside to review their design, denied the existence of flaws they had in fact verified as real, and worked hard to keep the courts from understanding what evidence was needed to really prove that the customer's correct PIN was used to authenticate a transaction (hint, not the "PIN used" boolean in the database).
The "attitudes" and "practices" you condemn are so widespread as to be effectively universal. It would be extraordinary if they were not present in Free Software.
Github compromised Posted Mar 6, 2012 0:50 UTC (Tue) by bronson (subscriber, #4806) [Link]
Internet-connected servers are insecure! News at 11.
I don't understand your comment... Do you think SF.net, kernel.org, and GitHub all connected somehow? Beyond the trivial circumstance that connects them banks, the US military, NASA, Sony, and all the other competently-administered websites getting hacked every day?
Happily, because of Git's hashing scheme, it's not very easy to make repo modifications without having people notice.
Github compromised Posted Mar 6, 2012 1:03 UTC (Tue) by bronson (subscriber, #4806) [Link]
Apologies, somehow I thought both comments were by Drag. Ignore any accusations of conspiracy theories. :)
Github compromised Posted Mar 8, 2012 6:50 UTC (Thu) by pabs (subscriber, #43278) [Link]
Sourceforge is transitioning to a free software web interface:
http://sourceforge.net/blog/new-projects-welcome-to-allura/
Github compromised Posted Mar 5, 2012 23:22 UTC (Mon) by Doogie (guest, #59626) [Link]
Yeah these three problems definitely spell the end of all open source software everywhere. Who would ever use or trust any software developed with the same methodology as other software that has had a bug or failure in system administration associated with it? This kind of thing stopped happening long ago in closed source software.
Homakov already slandered by FLOSS noobs Posted Mar 6, 2012 7:51 UTC (Tue) by gabucino (guest, #72504) [Link]
A lamer Ubuntu-user blogger from Hungary (trey @ http://hup.hu) is already slandering the guy, suggesting that he is in it FOR THE MONIES!!!11
http://translate.google.com/translate?hl=en&ie=UTF8&...
Not a big deal Posted Mar 7, 2012 10:34 UTC (Wed) by slashdot (guest, #22014) [Link]
If a git repository is compromised, developers would notice on the next access, obviously, so it's not really an issue for actively developed projects.
Unless the git server has actually been replaced with one that serves the proper content to the developers, and malicious content to end-users, but this cannot be achieved with just database modification.
Not a big deal Posted Mar 7, 2012 11:29 UTC (Wed) by job (guest, #670) [Link]
Not necessarily. He could attach his PGP key to any project in the system. If the key was made to look more like a trusted contributor, a malevolent commit could easily have gone undetected.
Not a big deal Posted Mar 7, 2012 19:12 UTC (Wed) by Tobu (subscriber, #24111) [Link] An extra commit at a busy time could easily be overlooked. But that isn't a certainty, so maybe someone would look for something else before tipping their hand, or would only do it if it's worth it (eg to escalate by putting a more general-purpose backdoor in github, which is self-hosted).
Not a big deal Posted Mar 7, 2012 20:34 UTC (Wed) by dlang (✭ supporter ✭, #313) [Link]
it would be noticed, because the next time that the developer attempted to update the repository, he would get an error message saying that the repository wasn't what was expected.
Since that error doesn't happen under normal conditions, it takes more than just being busy to hide this.
Not a big deal Posted Mar 7, 2012 22:25 UTC (Wed) by Tobu (subscriber, #24111) [Link] On a single-developer repo maybe, but on a collaborative project I pull/rebase things without paying much attention.
Not a big deal Posted Mar 7, 2012 22:32 UTC (Wed) by Tobu (subscriber, #24111) [Link] And by collaborative I mean the centralised workflow where multiple people have commit rights and are actively using them. A semi-centralised workflow where multiple people are doing merges is also vulnerable.
Not a big deal Posted Mar 8, 2012 9:45 UTC (Thu) by job (guest, #670) [Link]
You seem to think the only way to compromise hosted git trees is by manipulating the git tree from the file system. But what he would likely do is add himself to the Rails committers and do a legitimate commit. He needn't do it under his own name of course.
So, yes, this is a big deal. And it might not be such a good idea to trust a large unwieldy web application with your access keys. It might also not be such a good idea to write large web frameworks which by default gives anyone write access to your database fields unless explicitly told otherwise.
Not a big deal Posted Mar 9, 2012 18:55 UTC (Fri) by dlang (✭ supporter ✭, #313) [Link]
unless you have multiple people pushing updates without much coordination with each other, it doesn't matter how the changes happen to the repo, the maintainer of that repo will be notified that it's not in the expected state the next time he tries to do a push to that repo.
|
|||||||||||||