I was never against Egor, I don't know that he had a lot to apologize for -- but others do. Either way it's very mature of him to offer apologies. Shows personal growth while learning and demonstrating very succinct security POCs. This kid is one to keep your eyes on.
Egor, if you make it to NYC, let me buy you a drink.
Awesome.
Feel free to hit me up as well when you're in NYC!
Stumbling into doing what you really love is ... magical.
Consulting is a lot of work, make sure you have your work pipelined far ahead of time yet avoid overloading yourself!
Sounds like you've had a benignly interesting year and learned a lot. What more could someone want?
Ironically, people said he should have handled the commit differently, and perhaps he should have.
But here we are talking about him 1 year later. I think he probably shouldn't have done it, but on which side of the pg/YC line of creative subversion did his stunt actually fall?
Well let's be fair, we're talking about him because he didn't rest on his laurels, he's been out there doing more and more.
Personally I thought it was hilarious, you can hardly be more gentle in the process of 0wning a system like that and as I recall he did try to warn them beforehand.
In my impetuous 20s I did something similar. I was rather ... well, rude, really in pointing out a major security flaw on the forums of one of the more famous tech sites. Things devolved from there and I ended up being banned, though they did fix the problem rapidly even so. Since then I've learned the value of tact.
It's a fine line sometimes. I think your commit is mostly defensible. It's really an open question. What do you do when you point out a serious security issue and it doesn't get the attention it deserves? I think your commit definitely proved that the issue was being downplayed far too much. Is there some better middle ground? If proving a vulnerability results in it getting fixed overnight and merely describing it results in it getting fixed never then what's the right course of action?
This guy keeps popping up. Very impressive for a year's worth of work. We should be lucky to have someone willing to do this so openly, even after the rebuff from the community. He could have easily gone black hat and we'd all be the worse for it.
How interesting he ended up in Mui Ne in Vietnam - it's one of the places I've been considering for a quit-your-job-and-focus-on-launching spot.
Mui Ne is a very small coastal town around 200 km east of Ho Chi Minh City. Although tiny, constant off-shore winds have increasingly made it the kite-surfing capital of SE Asia. Living expenses are cheap, and I've calculated a pretty comfortable lifestyle for USD 1,200 per month (YMMV).
His post is somewhat a testament to a usable internet connection.
Mui Ne is not so cheap because of the tons of Russian tourists coming. I used to spend $2k/month here.
But my apartment is in the middle of it and it was winter (high season). Internet is pretty decent too!
Heh, been thinking myself of open sourcing an ecommerce site I'm building from scratch in node. Not sure if it would be good or bad.
The benefits of course being: a learning resource for newbs, a good transparent portfolio piece, easy collaboration with strangers on what is best, etc. Downsides being: exposing potential security holes, embarrassment due to facepalm-worthy pieces of logic in code (really, a plus), etc.
Of course, you may easily download a framework that makes foolish choices, as a number of Rails developers have migrated to JavaScript :-p. Actually, I don't have a "thing" about Ruby or Rails developers, but some aspects of their mindset are very dangerous. The first time I heard that YAML could initialize objects from the serialization structure, I was absolutely shocked. How could that NOT be a disaster?
Take care. You're responsible for your code and its security. You're not playing a game. Your business is not a hackathon. Don't claim to offer "services" unless you plan to be a servant of others. Servants don't code recklessly. You are the custodian of your clients' digital life and wellbeing. Choose projects run by grownups -- like izs and ry (the people who have run nodejs). Again, getting hacked is NOT okay.
By the way, if you want to learn how to run a project, subscribe to the nodejs-dev thread. That's a first-rate education in how to manage a large project with a lot of hype and growing pains. Watch and take notes.
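The YAML behaviour the comment above is shocked by, illustrated as an added example in Ruby (not code from the thread or from any project it mentions): a `!ruby/object` tag in a document asks the loader to instantiate a class, so untrusted YAML is parsed with `YAML.safe_load`, which permits only scalars, arrays and hashes unless a class is explicitly allow-listed. The `AuditEntry` class and the tagged document are constructed for the illustration.

```ruby
require 'yaml'

# Constructed class standing in for any application object; with a permissive
# loader a tagged document could instantiate it (or anything else on the load path).
class AuditEntry
  attr_accessor :user, :action

  def initialize(user = nil, action = nil)
    @user = user
    @action = action
  end
end

# Constructed input: the shape a client could submit, carrying an object tag.
TAGGED_DOC = "--- !ruby/object:AuditEntry\nuser: alice\naction: login\n".freeze

# Constructed input: plain data with no tags, which is all untrusted input should carry.
PLAIN_DOC = "user: bob\naction: logout\n".freeze

# Parse untrusted YAML. safe_load refuses to resolve any class that is not
# explicitly permitted and raises Psych::DisallowedClass; report that instead of
# letting the object be built.
def load_untrusted(doc)
  YAML.safe_load(doc)
rescue Psych::DisallowedClass => e
  { 'error' => e.message }
end

# Where a specific class genuinely must round-trip through YAML, name it in the
# allow-list rather than enabling arbitrary object construction.
def load_trusted_entry(doc)
  YAML.safe_load(doc, permitted_classes: [AuditEntry])
end

if __FILE__ == $PROGRAM_NAME
  p load_untrusted(PLAIN_DOC)
  p load_untrusted(TAGGED_DOC)
  p load_trusted_entry(TAGGED_DOC)
end
```

The check worth keeping from this is the allow-list: `permitted_classes` is an explicit, reviewable statement of what the parser may construct, whereas an unrestricted loader leaves that decision to whoever authored the document.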
I really REALLY care about design. I think it matters a lot. But so far I don't have much spare time / money to get something decent. Too busy these days :/
Egor, if you're ever in Singapore, please hit me up. I'll organize a meetup via NUS Hackers at the National University of Singapore. Would be interesting to let other university-level students hear about your experience.
(My email address is on my personal site, which, in turn, may be found on my profile.)
I kept a list of the best things I read in 2012. This GitHub commit was near the top of it... everything about it, from its technical insight to how spectacularly (in an attention-grabbing sense) it was executed, to how it spoke about the constant conflict between "read the documentation" and "save the developers from themselves"... fantastic.
The argument with security research is how do you responsibly deal with the knowledge when people aren't listening? Well, in this case starting a fire to prove there's smoke wasn't the best decision. It takes a lot to admit you were wrong publicly and offer a mea culpa, and a lot to not get disheartened and stop researching. Kudos Egor, I'm sure I'm not the only person watching your work with interest.
I read almost all the notes on the GitHub page and it lasted for months. There are different sides shown.
BTW, I think travelling costs so much money. I wonder what Egor's sources of income are. I don't know him that much, so I just assumed consulting (Sakurity) is his only source of income. Also, if Egor is in South East Asia at the moment, he should visit the Philippines!
He discovered a major vulnerability in GitHub and pointed it out by making a commit to the Rails master repository (which has rather obvious serious repercussions from a security standpoint).
My recollection (though I don't know much about Rails and this is just going from memory) is that he attempted to make an argument to the Rails team for more secure defaults in parameter parsing and for the framework to steer apps towards more secure use. When they brushed him off and said it was ultimately the caller's responsibility to use it right, he exploited GitHub to make his point.
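The parameter-parsing default the comment above recalls, illustrated as an added example in plain Ruby (not Rails code and not anything from the thread): a constructed model whose setter accepts every attribute a request names, beside one that assigns only an explicit allow-list and reports the keys it dropped so the caller can log them. The `User` class, its attribute names and the request hash are constructed for the illustration.

```ruby
# Constructed stand-in for a persisted model: attributes are kept in a hash and
# `admin` is a real column, so it is "valid" as far as the model is concerned.
class User
  ATTRIBUTES = %w[name email admin].freeze

  attr_reader :attrs

  def initialize(name:, email:)
    @attrs = { 'name' => name, 'email' => email, 'admin' => false }
  end

  # Permissive default: any known attribute present in the request is written.
  # The model cannot tell a profile form from a privilege escalation attempt.
  def assign_all(params)
    params.each { |key, value| @attrs[key] = value if ATTRIBUTES.include?(key) }
    self
  end

  # Allow-listed assignment: the caller states which keys this endpoint may
  # change. Returns the keys that were ignored so the caller can log them.
  def assign_permitted(params, permitted)
    dropped = []
    params.each do |key, value|
      if permitted.include?(key)
        @attrs[key] = value
      else
        dropped << key
      end
    end
    dropped
  end

  def admin?
    @attrs['admin'] == true
  end
end

# Constructed request body for a "update my profile" endpoint that also smuggles
# in an attribute the form never exposed.
PROFILE_PARAMS = { 'name' => 'Mallory', 'email' => 'mallory@example.test', 'admin' => true }.freeze

# Keys a profile-editing endpoint is allowed to touch.
PROFILE_FIELDS = %w[name email].freeze

# Outcome with the permissive default: the smuggled attribute is written.
def update_profile_unfiltered(params)
  User.new(name: 'Mallory', email: 'old@example.test').assign_all(params)
end

# Outcome with the allow-list: name and email change, `admin` is dropped and
# reported. Returns [user, dropped_keys].
def update_profile_filtered(params)
  user = User.new(name: 'Mallory', email: 'old@example.test')
  dropped = user.assign_permitted(params, PROFILE_FIELDS)
  [user, dropped]
end

if __FILE__ == $PROGRAM_NAME
  p update_profile_unfiltered(PROFILE_PARAMS).attrs
  user, dropped = update_profile_filtered(PROFILE_PARAMS)
  p user.attrs
  p dropped
end
```

The design point is where the decision lives: `assign_all` leaves it to every caller to remember which fields are safe, while `assign_permitted` makes the allow-list a required argument, and the returned `dropped` list is a cheap signal that a request carried attributes the form never offered.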
You've got a Singha beer in Bangkok too :)
I worked for a long time with a great Russian developer until year. Took him to Mexico to work together (no visa requirements) for 3 months.
He came from Siberia and I showed him the ocean for the first time then we travelled by car around the country.
So far the Russians are the best for me, seriously.
Would love to meet you.
Egor, thanks for your writing about the OAuth 2 standard! I've implemented that a few times in the last year and would be in serious trouble (not immediately, but when somebody notices) without your writings.