learning from irresponsible disclosure

Gotta link to Robert Graham again over at ErrataSec for the piece: “The Ruby/GitHub hack: translated”. There are too many good points to pass it up.

1. This is a great example of irresponsible disclosure in action. By attacking GitHub, not only is GitHub now less vulnerable, but more people (hopefully developers and security auditors) are aware of this problem. Sure, more awareness of the problem may mean more people use it against vulnerable sites, but the flaw was already in those sites. The vuln was present either way; only the risk has gone up a bit…

2. The problem is inherent in the feature set that makes Ruby on Rails a boon to developers. A pretty good example of a design decision that has real benefits but also carries risk. Usability vs. security.

3. It also means a flaw in one tool affects everything and everyone that uses that tool. GitHub was hacked as a reaction to the Ruby on Rails maintainers rejecting the bug report, compounded by GitHub’s choice to build on that platform and its failure to close (understand?) the hole.

4. Putting the onus on site owners to maintain blacklists, and even to understand the issue in the first place, is probably not the right way to do things. I guess it’s one way to go, but it certainly makes me pull a disgusted face.
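To make points 2 and 4 concrete: the Rails feature behind the GitHub incident was mass assignment, where a model writes every key of the submitted params hash to the record unless the developer declares which attributes are protected (attr_protected, a blacklist) or which are assignable (attr_accessible, a whitelist). The following is an added example, not code from the original post, from Rails or from GitHub; it reproduces the pattern in plain Ruby with a toy model so it runs without Rails, and the attribute names and the tampered request body are constructed for the demonstration.

```ruby
# Added example: mass assignment reproduced without Rails. The model, its
# attribute names and the request parameters are all constructed here.

class VulnerableUser
  attr_reader :attributes

  def initialize
    # Constructed schema: "admin" is the sensitive column the form never exposes.
    @attributes = { "name" => "", "admin" => false, "public_key" => nil }
  end

  # Vulnerable: every key in the request is written to the record, so a client
  # who appends "admin" => true to the form body gets the attribute. This is
  # what update_attributes(params[:user]) did with no protection declared.
  def update_attributes(params)
    params.each { |k, v| @attributes[k.to_s] = v }
  end
end

class BlacklistUser < VulnerableUser
  # Blacklist approach (attr_protected style): only the listed keys are
  # blocked. It stops "admin", but any sensitive column added later (here a
  # "role" field) is writable until someone remembers to list it too.
  PROTECTED = %w[admin].freeze

  def update_attributes(params)
    super(params.reject { |k, _| PROTECTED.include?(k.to_s) })
  end
end

class WhitelistUser < VulnerableUser
  # Whitelist approach (attr_accessible / strong-parameters style): only the
  # listed keys may be set from a request; everything else is dropped, so a
  # new column is protected by default.
  ACCESSIBLE = %w[name public_key].freeze

  def update_attributes(params)
    permitted = params.select { |k, _| ACCESSIBLE.include?(k.to_s) }
    rejected = params.keys.map(&:to_s) - ACCESSIBLE
    warn "dropped non-accessible attributes: #{rejected.join(', ')}" unless rejected.empty?
    super(permitted)
  end
end

# Constructed request body: the form only shows "name", but the attacker added
# the "admin" key and a "role" key for a column introduced after the blacklist
# was written.
TAMPERED_PARAMS = { "name" => "alice", "admin" => true, "role" => "owner" }.freeze

# Apply the tampered request to a fresh record of the given class and return
# the resulting attribute hash.
def demo(klass)
  user = klass.new
  user.update_attributes(TAMPERED_PARAMS)
  user.attributes
end

if __FILE__ == $0
  p demo(VulnerableUser)  # admin => true and role => "owner": full takeover
  p demo(BlacklistUser)   # admin => false, but role => "owner" slipped through
  p demo(WhitelistUser)   # admin => false and no role key at all
end
```

The blacklist variant is the "onus on site owners" problem from point 4 in miniature: it is only as complete as the last person who edited it, whereas the whitelist fails closed when the schema grows.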