Github compromised, or not?! [LWN.net]

Github compromised, or not?!

Posted Mar 5, 2012 13:51 UTC (Mon) by epa (subscriber, #39769) [Link]

This often comes up. If a language or platform has a misfeature which makes it hard to write secure code, it is hard for experts in that language to see why it's a problem. In principle, there is workaround XYZ which you should clearly use if you care about that stuff, but otherwise it is working as designed. The argument that *in practice* lots of programs end up with security holes does not carry the weight it should.

It's similar to user testing: you may test your application thoroughly but when you give it to real users they do all sorts of things you didn't expect and will inevitably find bugs. Constructs which lure unsuspecting programmers into opening security holes (even though those programmers are not totally clueless or careless) should be treated as a security bug just as severe as the hole itself.

Github compromised, or not?!

Posted Mar 5, 2012 13:57 UTC (Mon) by clugstj (subscriber, #4020) [Link]

But in this case, it appears that he got pissed off at the "experts in that language" (rails) and took it out on "real users" (github). Not at all a nice thing to do.

Github compromised, or not?!

Posted Mar 5, 2012 14:33 UTC (Mon) by sorpigal (subscriber, #36106) [Link]

Seems more like he took it out on the expert's issue tracker, which just happens to be run by someone else. A kind of an in-your-face way to make your point, but very effective.

Github compromised, or not?!

Posted Mar 8, 2012 22:06 UTC (Thu) by bronson (subscriber, #4806) [Link]

And very necessary because Rails doesn't actually host anything itself. If you're going to demonstrate a trivial attack on Rails, you're going to have to select one of the many sites that use rails.

In this case, just demonstrating the attack is pointless because the docs already say, "don't do that." Homakov needed conclusive evidence that even good Rails programmers miss the docs sometimes.

Github compromised, or not?!

Posted Mar 5, 2012 14:26 UTC (Mon) by XTF (guest, #83255) [Link]

> If a language or platform has a misfeature which makes it hard to write secure code, it is hard for experts in that language to see why it's a problem.

Exactly. How many SQL injection vulnerabilities are the result of PHP's mysql_query() design for example?

Github compromised, or not?!

Posted Mar 5, 2012 17:27 UTC (Mon) by ajross (subscriber, #4563) [Link]

Actually, if you want to pick on php, the register_globals() misfeature (now fixed) is a closer fit. Rails, (apparently, under the default idiom "everyone uses"), allowed an attacker to override fields in the model object via unexpected CGI paramters. PHP using register_globals() gadget suck the CGI parameters in as global variables.

Basically the same stupid mistake. It's a collision between convenience (representing query parameters as variables automatically without the need to explicitly parse/validate/declare/etc...) and safety (forgetting that the resulting variables are potentially from untrusted sources). Rails leans heavily on the DRY principle, and would be expected to be particularly susceptible to this kind of goof.

Github compromised, or not?!

Posted Mar 6, 2012 8:22 UTC (Tue) by Los__D (guest, #15263) [Link]

Wouldn't that be MySQL's mysql_query?

Github compromised, or not?!

Posted Mar 9, 2012 12:57 UTC (Fri) by knobunc (subscriber, #4678) [Link]

Nope. mysql_query() is PHP's dangerous by default interface to the mysql DB. There are better ways to do it, but that was one of the earliest, and is documented all over the place.

http://www.php.net/manual/en/function.mysql-query.php

The problem is that it makes it easy to forget to escape the parameters to your queries. Prefer something with placeholders/bind variables.

Github compromised, or not?!

Posted Mar 9, 2012 13:21 UTC (Fri) by Los__D (guest, #15263) [Link]

Ah, I was under the impression that mysql_query() was provided by MySQL AB.

Github compromised, or not?!

Posted Mar 5, 2012 14:23 UTC (Mon) by tetromino (subscriber, #33846) [Link]

> It's a real compromise because that was the real rails github. If he'd created a test account on github and then messed with it, that would just be a proof of concept. Same demonstration value, but less disruptive, the difference between proving a point and rubbing it in someone's face. Suspending his account seems to me, for that reason, to be an acceptable penalty.

Messing with the rails github was a reasonable action on Homakov's part. He filed a bug explaining that rails was insecure by default. The bug was closed with little discussion ("There was a proposal about changing that flag in #4062 and the consensus is the pros of the default configuration outweigh the pros of the alternative"). So what could he do, as an ordinary bug reporter, to shift the rails core team's established consensus about the default configuration? Further comments would be likely to fall on deaf ears. On the other hand, creating a bug from 1001 years in the future in the official rails bugtracker wouldn't cause damage to anyone, but would have a pretty good chance of convincing the rails core team that their insecure defaults result in real-world problems.

Github compromised, or not?!

Posted Mar 5, 2012 17:41 UTC (Mon) by aliguori (subscriber, #30636) [Link]

There was a security bug in github. Regardless of whether it is due to bad defaults in Rails, it was still a security bug in github.

He exploited the bug and disrupted a project registered by another user. I'm shocked that they even reinstated his account at all. This was entirely irresponsible especially since for a brief period of time, it was a zero-day exploit that someone more malicious could have exploited.

Had github not responded so quickly, this stunt could have put a lot of people's repositories in jeopardy.

Github compromised, or not?!

Posted Mar 5, 2012 19:24 UTC (Mon) by PaXTeam (subscriber, #24616) [Link]

> [...]since for a brief period of time, it was a zero-day exploit that someone more malicious could have exploited.

0-day doesn't mean what you think it does. the bug *stopped* being 0-day (read: exploitable by only those in the know) the moment it was published. and from what i read, it wasn't Egor who introduced the bug in the first place or kept its existence secret for any significant amount of time, so if you really want to place blame for exposing github users to danger then you need to look no further than github & rails devs themselves.

Github compromised, or not?!

Posted Mar 5, 2012 21:46 UTC (Mon) by aliguori (subscriber, #30636) [Link]

An exploit was in the wild before the fix was available. That makes it a 0-day. See http://en.wikipedia.org/wiki/Zero-day_attack

The terminology comes from the fact that many hacking groups would wait until patch Tuesday, and then disassemble the patch and create exploits. That means that these exploits would have a short window of time (usually a few days) where an administrator could be apply the fix before being concerned about the exploit.

0-day exploits are out in the wild before a fix is available.

Github compromised, or not?!

Posted Mar 5, 2012 23:19 UTC (Mon) by PaXTeam (subscriber, #24616) [Link]

> An exploit was in the wild before the fix was available. That makes it a 0-day.

nope, it doesn't. and quoting wikipedia on it just shows how clueless both you and they are. first, the term '0-day' comes from the warez world where it had a different meaning ('fresh stuff', not released and traded anywhere else before that day, and the wiki is wrong on this meaning too, btw). since the late 90's it was then used for similar (initially) 'fresh stuff' traded among the hacker underground signifying the novelty of the exploit and the underlying security bug (read: unknown by anyone else). unlike a warez 0-day though which loses its 0-dayness after one day (there even used to be terms for 0-hour, etc), a 0-day exploit remains 0-day until either the exploit or the underlying bug becomes public. the Microsoft patch Tuesday has never had anything to do with the term, 0-day predates that event by a decade.

tl;dr: 0-day exploits are about bug/exploit secrecy, not fix availability.

Github compromised, or not?!

Posted Mar 6, 2012 8:24 UTC (Tue) by Los__D (guest, #15263) [Link]

I just love people who can't accept that an expression doesn't mean what it used to mean. They provide for hours of fun.

Github compromised, or not?!

Posted Mar 6, 2012 9:43 UTC (Tue) by epa (subscriber, #39769) [Link]

If you use bizarre and incomprehensible jargon like '0-day' instead of saying what you mean, then you deserve what you get.

Github compromised, or not?!

Posted Mar 7, 2012 14:11 UTC (Wed) by pboddie (subscriber, #50784) [Link]

Well, Wikipedia is a wiki, obviously, and you can always improve it by adding references to the proper definitions.

Github compromised, or not?!

Posted Mar 6, 2012 11:50 UTC (Tue) by nix (subscriber, #2304) [Link]

It was worse than that. The exploit was a design feature of Rails, and was documented as being a probable security hole! So this is an N-day exploit where N is the moment they documented it...

Github compromised, or not?!

Posted Mar 5, 2012 21:28 UTC (Mon) by Wol (guest, #4433) [Link]

You miss the point.

The bug was already "in the wild". The people responsible for fixing it had said "not a problem". Somebody WAS going to exploit it.

Better a white-hat embarassing the project in public for being stupid, than a black-hat actually pulling off a damaging crack.

I repeat - THE BUG WAS ALREADY PUBLISHED AND IN THE WILD.

Cheers,
Wol

Github compromised, or not?!

Posted Mar 5, 2012 21:47 UTC (Mon) by aliguori (subscriber, #30636) [Link]

GitHub was responsible for fixing the problem, not the Rails community. And the problem wasn't reported to GitHub per their official response.

Github compromised, or not?!

Posted Mar 5, 2012 18:00 UTC (Mon) by clugstj (subscriber, #4020) [Link]

Reasonable? How is punching someone in the face a reasonable reaction to being upset with their neighbor?

Honestly, the number of people defending this guy worries me.

Github compromised, or not?!

Posted Mar 5, 2012 19:35 UTC (Mon) by fuhchee (subscriber, #40059) [Link]

"How is punching someone in the face ..."

Your analogy is not working for me.

Github compromised, or not?!

Posted Mar 6, 2012 0:34 UTC (Tue) by bronson (subscriber, #4806) [Link]

What a bizarre comment. Let's fill in your analogy a little, shall we?

GitHub, Rails, and Homakov are drinking in a bar. Everyone in the bar knows that, if you don't whitelist your wallet, Rails will steal it and punch you in the face. This aspect of Rails is well documented and everyone in the bar laughs when stupid noobs come in from the street and get their wallets stolen and faces punched.

Homakov grows tired of the game and tells Rails to quit being so hard on noobs. Rails ignores him, Homakov persists. Rails gets irritated and tells him everybody loves things the way thtey are and nobody really cares -- the only people who get their faces punched are the ones asking for it.

Homakov still disagrees but, since Rails is such a popular guy, he isn't getting anywhere. So He goes up to GitHub, one of Rails's best friends, and punches HIM in the face. Just lightly on the cheek, no damage done, but the point is made. Everybody in the bar is shocked and suddenly feel rather vulenrable... If it's so easy to punch GitHub in the face, then it's easy to punch ANYBODY in the face.

Rails suddenly realizes he's been acting like an asshole and agrees to change. GitHub was angry at first but that passed quickly and he and Homakov are good friends again. Everyone in the bar feels sheepish for pretending that nothing was wrong. Everybody agrees that it shouldn't have come to that but sometimes you're so wrapped up in your own drink that you lose sight of the bigger picture. Once in a while you need a Homakov to shake you out of your complacency.

And everybody lived happily ever after. Does that answer your question?

Github compromised, or not?!

Posted Mar 6, 2012 1:22 UTC (Tue) by junkio (subscriber, #5743) [Link]

Bronson, I am wondering if you meant to call GitHub a noob in Rails programming.

Github compromised, or not?!

Posted Mar 6, 2012 2:44 UTC (Tue) by bronson (subscriber, #4806) [Link]

GitHub is one of Rails's best friends and they've been hanging out at this bar for years. Definitely not a noob. That's why it's so shocking to see him get punched in the face!

To see some of the complacency that needed to be shaken loose, start reading here: https://github.com/rails/rails/issues/5228#issuecomment-4...

Github compromised, or not?!

Posted Mar 6, 2012 7:08 UTC (Tue) by scientes (guest, #83068) [Link]

This was a fabulous analogy and a great read that gets right to the point, ignoring the numerous trolls (for lulz or for profit), thanks!

Github compromised, or not?!

Posted Mar 6, 2012 21:27 UTC (Tue) by jnguyen (guest, #72727) [Link]

Heh thanks for this, made me chuckle! :-)

Github compromised, or not?!

Posted Mar 7, 2012 14:15 UTC (Wed) by pboddie (subscriber, #50784) [Link]

It seems like someone has a career in bedtime stories ahead of them. If the listener isn't ready for sleep after that one, one can always add a bit about the people behind the bar naming a drink after Homakov in his honour.