As most of you no doubt have heard, Facebook founder Mark Zuckerberg was recently married. Preparations for the ceremony were kept tightly under wraps, and measures were taken to protect the privacy of those who attended. What incredible irony is this, that Mr. Zuckerberg and company should be entitled to privacy whenever they want it, while the rest of us must suffer our personal information to be harvested like so much ripe fruit?

Facebook’s data-gathering tactics can be somewhat circumvented, but not everyone knows how. Some would suggest abstinence from Facebook services, but really, that’s not quite enough. It takes a bit of effort, and a fair amount of irritation. But even then, who’s to confirm that we’ve really got all our bases covered in the fight for privacy? Newer and more clandestine methods of surveilling end-user activity always seem to turn up after already having been active for some time. So when someone shows he actually believes in privacy, yet still, for all intents and purposes, forces divulgence upon others, is that not hypocrisy?

I know this is slightly old news, but I still wanted to talk briefly about it. Near the beginning of March, GitHub users received this message via email.

A security vulnerability was recently discovered that made it possible for an attacker to add new SSH keys to arbitrary GitHub user accounts. This would have provided an attacker with clone/pull access to repositories with read permissions, and clone/pull/push access to repositories with write permissions. As of 5:53 PM UTC on Sunday, March 4th the vulnerability no longer exists.

While no known malicious activity has been reported, we are taking additional precautions by forcing an audit of all existing SSH keys.

. . .

Until you have approved your SSH keys, you will be unable to clone/pull/push your repositories over SSH.

. . .

Sincerely, The GitHub Team

The following is a rough sequence of events that led up to the official notification of the users. All times are in PST.

March 1, 3:14 AM: Homakov opens Rails issue 5228 for mass assignment vulnerability. [source]
March 2, 6:10 AM: Homakov tests the vulnerability by opening an issue “from the future”. [source]
[image: Homakov’s Future Issue]
March 2, 10:07 AM: Issue 5228 is closed. [source]
March 3, 3:19 PM: Issue 5228 is deemed not a Rails issue. [source]
[image: fxn’s Comment]
March 4, 8:49 AM: Homakov fully demonstrates the vulnerability by committing to the Rails master branch. [source]
[image: Homakov’s Commit]
March 4: GitHub suspends Homakov’s account. [source]
March 4, 9:53 AM: GitHub fixes the vulnerability on their site. [source]
March 4, 12:31 PM: GitHub posts an entry on their blog informing the public of the exploit. [source]
March 4, 1:56 PM: Homakov describes the procedure for the exploit on his blog. [source]
March 4, 4:20 PM: GitHub posts another blog entry detailing Homakov’s reinstatement, as well as amendments to their security policy. [source]
March 4, 4:22 PM: Homakov’s account is reinstated. [source]
March 7, 10:22 AM: GitHub sends out an email informing all users that their public keys have been frozen and will be unusable until manually approved. [source: email]
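The flaw behind this timeline is a mass assignment bug: a model accepts every field a client submits, so a form field that was never meant to be client-controlled (here, the owner of an SSH key) can be overwritten. The following is an added illustration and not GitHub’s or Rails’ code; it is a plain-Ruby stand-in for an ActiveRecord-style model, with the class names, the user_id attribute, and the sample request parameters all constructed for the example. It shows the unfiltered model beside a whitelisted one, plus a small check a defender could run over request parameters during a log review.

```ruby
# Added example (not GitHub's or Rails' code): a minimal stand-in for an
# ActiveRecord-style model showing why unfiltered mass assignment is
# dangerous, next to a whitelisted version. All names are constructed.

# Vulnerable pattern: every key in the submitted params hash becomes an
# attribute, including ones the server should own (user_id).
class PublicKeyUnfiltered
  attr_reader :attributes

  def initialize(attrs = {})
    @attributes = {}
    update_attributes(attrs)
  end

  def update_attributes(attrs)
    attrs.each { |k, v| @attributes[k.to_sym] = v }
    self
  end
end

# Hardened pattern: only explicitly declared attributes are assignable, and
# the owner is set from the authenticated session, never from the request
# (the idea behind attr_accessible / strong parameters in Rails).
class PublicKeyFiltered
  ACCESSIBLE = %i[title key].freeze
  attr_reader :attributes

  def initialize(owner_id, attrs = {})
    @attributes = { user_id: owner_id }
    update_attributes(attrs)
  end

  def update_attributes(attrs)
    attrs.each do |k, v|
      sym = k.to_sym
      next unless ACCESSIBLE.include?(sym) # silently drop protected fields
      @attributes[sym] = v
    end
    self
  end
end

# Constructed request: the authenticated user is 42, but the submitted form
# fields also carry a user_id pointing at a different account.
SESSION_USER_ID = 42
CONSTRUCTED_PARAMS = {
  "title"   => "laptop",
  "key"     => "ssh-rsa AAAA... (constructed placeholder)",
  "user_id" => 1
}.freeze

# Owner recorded by the vulnerable model: the client-supplied user_id wins.
def unfiltered_owner(params = CONSTRUCTED_PARAMS, session_user = SESSION_USER_ID)
  key = PublicKeyUnfiltered.new(user_id: session_user)
  key.update_attributes(params)
  key.attributes[:user_id]
end

# Owner recorded by the hardened model: the session user is preserved.
def filtered_owner(params = CONSTRUCTED_PARAMS, session_user = SESSION_USER_ID)
  PublicKeyFiltered.new(session_user, params).attributes[:user_id]
end

# Detection aid for log review: flag requests whose form fields contain
# attributes that should never be set by a client.
PROTECTED_FIELDS = %w[user_id id admin].freeze

def suspicious_params?(params)
  (params.keys.map(&:to_s) & PROTECTED_FIELDS).any?
end

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered owner: #{unfiltered_owner}"   # 1  (key lands on another account)
  puts "filtered owner:   #{filtered_owner}"     # 42 (key stays with the session user)
  puts "suspicious request? #{suspicious_params?(CONSTRUCTED_PARAMS)}"
end
```

The whitelist is deliberately a short, explicit list rather than a blacklist of known-bad fields: a new protected column added later is safe by default, whereas a blacklist has to be remembered and updated. The suspicious_params? check is only a triage aid for reviewing request logs; it does not replace fixing the model.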

This is a classic case of a hacker disclosing a vulnerability by exploiting it. Opinions often vary as to whether or not this is an appropriate method of disclosure. The intentions of the responsible parties have to be called into question, as well as the severity of the exploit. In this case, many argued that Homakov tried to report the issue but was brushed off, leaving him with no other way to call attention to the vulnerability. Others argued that he was trying to inform the wrong people, or that he simply should have refrained from exploiting the security hole himself. In any event, the damage (if it can be called damage) was extremely minimal considering what could have been produced by a malicious attack.

As stated in GitHub’s blog post, the final verdict was “no malicious intent”, and Homakov ultimately had his account restored. After reading through loads of comments, the general attitude of GitHubbers seems to be one of praise rather than condemnation, but it’s certainly an arguable issue in the way of ethics.

When, if ever, is it okay for hackers to act on a vulnerability in order to demonstrate flaws?

How HBO Ruined Regular TV for Me

It’s no fun going home to your 25-inch CRT after watching movies on your buddy’s new 50-inch HD flat screen.  It’s a concept most people are familiar with: try a product of higher quality, and the old stuff will seem like garbage in comparison.  Alright, maybe not garbage, but the difference certainly becomes more noticeable than it may have been before.  The same is true of the content you watch on that screen.  I don’t mean half-hour sitcoms, or documentary programs that air on Discovery.  I’m talking about the drama, action, and supernatural shows that usually have sixty-minute run times.

Thanks to channels like HBO, Showtime, and AMC, I’ve been exposed to a multitude of awesome shows, causing me to watch regular television with an even more critical eye.  (And I was pretty critical to begin with.)  The entertainment bar is being held insurmountably high by the likes of Dexter, with its fantastic acting and characters; The Walking Dead, complete with suspense, action, and special effects; and the superbly epic medieval fantasy, Game of Thrones.

The Walking Dead

I know that there are those who might disagree with me about The Walking Dead, claiming that there is room for improvement in the acting department, but I actually thought it was pretty decent.  Sure, there was a character or two at whom I could point a finger, but really the action and cinematography more than made up for whatever thespian shortcomings there may have been.

Now there are shows on regular networks that I, and possibly others, unfairly brush aside.  I probably could have enjoyed ABC’s Once Upon a Time once upon a time, but with my now refined palate I’ve sampled it, pooh-poohed it, and tossed it in the pile along with others like Grimm and Lie to Me.

I know, I know—not all programs have the budgets and special effects that the big guys do, so it’s not completely fair to put them all in the same bracket.  And it is worth mentioning that the standout shows I mentioned all existed previously as celebrated written works.  Nevertheless, the overall effect on me, the viewer, remains the same.  In some sort of weird reverse-desensitization process, I’ve been left constantly expecting breakout acting, jaw-dropping plot twists, or scenes so gruesome that they make me go “Whooooaaaahhh!” and cover my mouth.  Am I so wrong to be disappointed when, instead, I get shoddy green screen effects and evil knights who look like they’ve got helmets made from old Koosh balls?

Once Upon a Time - Koosh Knight

Yup, they really look like that.

Really, once you’ve seen the higher quality programs, the old stuff is ruined. You just can’t watch it without making comments and rolling your eyes at every scene. And if that’s not enough, the good shows are so good that viewers who don’t subscribe to the premium channels resort to Netflix and DVD rentals to watch a series like Dexter, getting hopelessly addicted and winding up going through an entire season in a lethargic weekend of binge watching. But who can really be blamed? Those shows are damn entertaining.

And so, to HBO and its friends I say both sincerely and sarcastically, thanks a lot!

Dexter

Video: HBO via the Game of Thrones Youtube channel
Walking Dead image: AMC (screencap)
Once Upon a Time image: ABC (screencap)
Dexter image: Showtime (screencap)

Dictionary

Last week was the 52nd Wordsmith Wednesday, marking a full year of my vocabulary-themed posts.  In light of that, they will be undergoing a change. This week’s Wordsmith Wednesday (right before this post) was the first under a more flexible posting order.

In the past, there was no guarantee that I would encounter a word I didn’t know every single week.  And so I found myself on several occasions having to search for a word expressly for the weekly post.  Although not really a problem, I found it somewhat less satisfying than posting a word I had genuinely run into in the course of my regular reading.

What I’ve decided to do is keep Wordsmith Wednesdays going, but rather than sticking to a strict, once-a-week schedule, I will be posting only words that I encounter naturally.  This means that there may be consecutive weeks where no words get posted.  However, when I do add new words to the list, it will still happen on Wednesdays, to keep with the theme.

As always, I’ll be keeping the list solidly up to date on the Wordsmith Wednesdays section of my blog.

Image: Dictionary by gadgetgirl via Flickr under CC BY-NC-ND 2.0

Wordsmith Wednesdays: Lissome

From Dictionary.com:

—adjective

1. lithesome or lithe, especially of body; supple; flexible.

2. agile, nimble, or active.

Wordsmith Wednesdays made-up example sentence:

It was a lissome rodent, bounding from branch to branch with incredible accuracy.

View this word on Dictionary.com for pronunciation and additional definitions.

Find out more about Wordsmith Wednesdays.

Wordsmith Wednesdays: Waif

From Dictionary.com:

—noun

1. a person, especially a child, who has no home or friends.

2. something found, especially a stray animal, whose owner is not known.

3. a stray item or article: to gather waifs of gossip.

Wordsmith Wednesdays made-up example snippet:

They’d left him behind. He was certain. He would surely end up a waif left to beg by the roadside.

View this word on Dictionary.com for pronunciation and additional definitions.

Find out more about Wordsmith Wednesdays.