Thoughts in the Aftermath of the Github/Ruby on Rails Hack
Yesterday Github was hacked by a young developer named Egor Homokov. The way that Github handled it – suspending the user who demonstrated a vulnerability with a harmless prank – was widely criticized by the community. Github apologized and reinstated the user’s account.
Now that the dust has settled a bit the whole thing looks a bit less scandalous than it did yesterday.
This was a case of gray hat hacking. Homokov did go through the proper channels to notify the Ruby on Rails team about what he saw as a design flaw. The Rails team thought it was unimportant, saying it was the developers’ responsibility to write secure applications (here’s how to fix the problem in your own Rails application, by the way). But Homokov proved that even though the issue was in the Rails documentation, many developers failed to address it – including the developers hosting the Rails repository. By going after the Rails repository Homokov demonstrated the inadequacy of the Rails’ teams “not our problem” response. But Github was an innocent bystander caught in the middle, which is what makes it gray.
Homokov’s prank (adding a few lines of commented out code to Rails, and changing the dates of some forum messages) was harmless, and raised awareness of a security issue that even leading Rails developers had failed to address in their applications. But it’s hard to blame Github for initially suspending his account. The Github team has obligations to its paying business customers to keep their code safe. Banning Homokov while the team figured out what was going on and whether Homokov had done – or was going to do – anything malicious was a prudent action. But I’m glad in the end they gave him his account back.
The Rails team made a mistake in not taking Homokov’s initial report seriously, but I’m sure they’re taking it seriously now. Github made a mistake in how it communicated to users after the hack, but it’s done right by restoring Homokov’s account. Github is a young, small company and this won’t be the last mistake it makes. I suspect that today many of the Github users who threatened to move to Bitbucket will calm down (though it certainly wouldn’t be a bad thing to see greater variety in forge usage).
A message from John Furrier, co-founder of SiliconANGLE:
Support our open free content by sharing and engaging with our content and community.
Join theCUBE Alumni Trust Network
Where Technology Leaders Connect, Share Intelligence & Create Opportunities
11.4k+
CUBE Alumni Network
C-level and Technical
Domain Experts
15M+
theCUBE
Viewers
Connect with 11,413+ industry leaders from our network of tech and business leaders forming a unique trusted network effect.
SiliconANGLE Media is a recognized leader in digital media innovation serving innovative audiences and brands, bringing together cutting-edge technology, influential content, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — such as those established in Silicon Valley and the New York Stock Exchange (NYSE) — SiliconANGLE Media operates at the intersection of media, technology, and AI. .
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a powerful ecosystem of industry-leading digital media brands, with a reach of 15+ million elite tech professionals. The company’s new, proprietary theCUBE AI Video cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
