I would disagree with this, quite a lot. He brought up an issue with the Rails team, they pointed him at the canonical, "here is where we talked about this before, sorry." Still not satisfied, he found the same exploit in Github to prove a point. Rather than do the sensible thing by creating a dummy account and contacting Github showing how he messed things up, he barged into the Rails organization and left a silly commit. Github is first and foremost a business organization where lots of companies pay them lots of money to "take this shit seriously" and protect their data, so they did the right thing by shutting him down.
I honestly don't see the meaningful difference between contacting Github and leaving a silly commit, except that the former would probably get the bug fixed quietly; in contrast, now everybody is aware that the bug existed in Github and is aware of the potential for it to exist everywhere. He successfully proved his point, which apparently was a pretty good point. Isn't that a better outcome?
As for Github's responsibility: Github failed to protect people's data the minute the bug went live. That data was open to Egor since the moment he discovered the bug until the moment they fixed it. Making a silly commit did not make anyone's data more or less vulnerable, so I don't believe that "taking this shit seriously" implies flipping out over it.
> I honestly don't see the meaningful difference between contacting Github and leaving a silly commit, except that the former would probably get the bug fixed quietly; in contrast, now everybody is aware that the bug existed in Github and is aware of the potential for it to exist everywhere. He successfully proved his point, which apparently was a pretty good point. Isn't that a better outcome?
I'm not denying that by doing what he did it certainly got the word out and made everyone understand how serious of a problem this is. It was a very good point and I think the outcome is the right one. I'm just saying that Github's actions - to suspend the user who somehow got SSH rights to the rails org - are the right thing to do. They want to minimize the damage that he will do, and until they can do a full audit and understand how his commit got there, it's the right thing to do.
> Making a silly commit did not make anyone's data more or less vulnerable, so I don't believe that "taking this shit seriously" implies flipping out over it.
I fail to see how suspending a user is "flipping out" over it? I don't think you can color unauthorized commits to github repos with different levels of responses from Github. That's a dangerous line to walk IMO.
... if you want to take a US-centric view of things, then that last statement is correct I suppose... but not everyone is subject to US laws - including, unless I am grossly mistaken, the person you refer to.
GitHub and its computers are governed by US laws, and many countries have extradition treaties. Many countries also have equivalent computer abuse laws.
My comment was to discourage such spectacular glory-seeking behavior by other people that claim to be trying to help. It's a serious crime, and the FBI does not care that your intentions were good.