Hacker Newsnew | past | comments | ask | show | jobs | submit | mofey's commentslogin

The public key form update vulnerability was based on the same concept in a different place.


"The same user exploited another vulnerability". It wasn't exactly "another vulnerability". It still had to do with the same mass attribute assignment feature just in a different place.


Isn't that Twitter?


Love the comment by dbounds: "Nice work. FULL DISCLOSURE"


Hey, how come there are no comments by @dhh and @josevalim? Are we missing out on epicness of zedshaw-level?


  Fred Wu
  So what's a good gem (if any) for safe guarding params on the controller level? @dhh's params.slice feels too dirty.
  DHH ‏
  yeah, it's too simple to be clean! I think you are using the wrong framework if you crave more complexity for its own sake.


Saw your full comment on github: https://github.com/blog/1068-public-key-security-vulnerabili... Well put. I guess startups can act enterprisy too when money is involved. The irony is that had they been actually proactive, they would have avoided this kind of publicity and money (for 3rd party audits).


I just wrote a longer than expected summary.

http://news.ycombinator.com/item?id=3664400


I, too, agree with your sentiments. But I wish people would lay off of GitHub. The were mostly just a bystander here.

The real troublemakers are the Rails developers who seem to seriously believe that leaving such subtle security traps in their framework (and then blaming the developers who follow the example code) is a defensible position.


I disagree. Github is very much not the bystander here. They chose to use Rails (which is fine). But GH then has the onus to properly deploy their app.

An analogy would be a door that only locks with a special key in a certain sequence. IF you choose not to do so, it's merely a door. Obviously, you could argue that that's a bad default but I think that goes to the crux of the problem.


I'm an experienced developer, but not terribly familiar with Rails.

What do you mean "properly deploy their app"?

The sample code at rubyonrails.org looks like it has the same problem to me, i.e., it would be vulnerable if it were put into production in the right (entirely reasonable) circumstances.


> What do you mean "properly deploy their app"?

No matter how bad the tool actually is, only a terrible craftsman blames his tools. That's what he meant.

Both Rails and GH are at fault. Rails for not discouraging poor practices and GH for not being more familiar with their own stack.


I agree with your sentiments. What Homokov did was childish, but he made his point in a non-malicious way that got the message out better than silently writing a letter to the admins. It is evident from the events that occurred that this is an issue in Rails that needs to be fixed. What does it say about a feature of your framework when, by default, one of the largest code repository hosting sites in the world is vulnerable? The phrase "meaningful defaults" has never been more relevant.


This was probably the best tl;dr I've read.


Aren't continuations being removed from Ruby?


This guy makes an argument as to why:

http://www.shoemoney.com/2011/07/13/twitter-will-be-as-worth...


How is this different from LinkedIn?


LinkedIn is an online rolodex with a job board thrown in. How many people have you recommended on Linked In? How many have recommended you?

The numbers are low, it is a unused feature, it doesn't work.

Vouched has a spin on this feature to make sure it gets used. Sign up and I'll send you an e-mail as soon as we're ready.


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: