
Github compromised

Posted Mar 5, 2012 23:21 UTC (Mon) by rahulsundaram (subscriber, #21946)
In reply to: Github compromised by tpo
Parent article: Github compromised

That doesn't make any sense. sf.net and github are both running proprietary software as their web interface. You can't blame FOSS for administrative issues like those in kernel.org.


Github compromised

Posted Mar 5, 2012 23:52 UTC (Mon) by drag (subscriber, #31333)

No, but the same people with the same attitudes and similar practices are the ones that are responsible for keeping your system safe. If they can't use good design and best practices to keep their own systems secure, then what hope does anybody have that is trusting them?

Also. For software projects that are compromised and find out, how many out there don't realize they have been compromised? I can pretty much guarantee you that it's a non-zero number.

It's just as likely as not that this @homakov fellow is not the first person to use this bug to hack into github.

Github compromised

Posted Mar 6, 2012 0:17 UTC (Tue) by dlang (✭ supporter ✭, #313)

The concern about people not knowing that they are compromised is nothing new, and it isn't limited to websites (let alone open source related websites).

Do you really think that the hundreds of thousands of people whose machines make up botnets are allowing this knowingly? Or do you think it's more likely that they are unaware that their machine has been compromised?

You may as well start yelling that all banks are unsafe because there have been three bank robberies in the US in the last week (I don't know what the stats are, but from having had a friend who worked in a national bank's security call center, I'm confident that there have been at least that many, just from probabilities).

Github compromised

Posted Mar 6, 2012 0:45 UTC (Tue) by tialaramex (subscriber, #21167)

It's true - programmers introduce bugs into software! Stop the presses.

If you were right that this is somehow an "OSS thing" then no doubt when I look at threads discussing the "password encryption" of this or that proprietary PHP web application I'd find that they've all carefully added Solar Designer's custom PHP salted and pessimised password hash and used it in a compatible fashion rather than say, using a fast unsalted hash or relying on PHP's ancient built-in DES-crypt.

Whereas in reality what I see is stuff like "We use SHA1, so we are not vulnerable to the problems in the MD5 encryption" or "We have a custom algorithm which we are not at liberty to divulge" (which turns out to be something like MD5(password + "specialsauce")).

Also, and far more seriously, in reality when we look at Chip and PIN we see that banks were reluctant to even invite known white hats from outside to review their design, denied the existence of flaws they had in fact verified as real, and worked hard to keep the courts from understanding what evidence was needed to really prove that the customer's correct PIN was used to authenticate a transaction (hint, not the "PIN used" boolean in the database).

The "attitudes" and "practices" you condemn are so widespread as to be effectively universal. It would be extraordinary if they were not present in Free Software.

Github compromised

Posted Mar 6, 2012 0:50 UTC (Tue) by bronson (subscriber, #4806)

Internet-connected servers are insecure! News at 11.

I don't understand your comment... Do you think SF.net, kernel.org, and GitHub are all connected somehow? Beyond the trivial circumstance that connects them to banks, the US military, NASA, Sony, and all the other competently-administered websites getting hacked every day?

Happily, because of Git's hashing scheme, it's not very easy to make repo modifications without having people notice.

Github compromised

Posted Mar 6, 2012 1:03 UTC (Tue) by bronson (subscriber, #4806)

Apologies, somehow I thought both comments were by Drag. Ignore any accusations of conspiracy theories. :)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds