Tag Archive: open source projects



Octocat, GitHub's mascot

GitHub, one of the largest repositories of commercial and open source software on the web, has been hacked. Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. Homakov could have deleted the entire history of projects such as jQuery, Node.js, Reddit, and Redis.

Since launching in 2008, GitHub has quickly outpaced competitors like Codeplex and, depending on which metric you use, it has even outgrown the long-time incumbent Sourceforge. In essence, GitHub is a web-based wrapper around Linus Torvalds’ Git revision control system (which he initially wrote to aid Linux development), but it is the addition of social network features like feeds, friends, and trends that have fueled GitHub’s impressive growth. Ultimately, GitHub makes it very easy and fast for developers to collaborate — plus it’s free for open source projects — and as a result, some 1.4 million developers have been attracted to the service in just three years, creating more than 2.3 million repositories. A list of the most-forked projects on GitHub almost reads like a contemporary who’s who of successful open source projects.

Despite its size and importance, though, GitHub had never publicly been hacked until now. GitHub runs on the Ruby on Rails application framework, and Rails applications have been prone to what is known as a mass-assignment vulnerability for years: by default, a model built from a request hash (`Model.new(params[:model])` or `update_attributes(params[:model])`) accepts every attribute in that hash, including ones the HTML form never exposes, unless the model explicitly whitelists them with `attr_accessible`. Homakov used this to submit an SSH public key with a `user_id` field that was not his own, so GitHub attached the key to an account with commit rights on the Rails project and from then on identified him as an administrator of it. From there he could effectively do anything, including deleting the entire project from the web; instead, he posted a fairly comical commit. GitHub summarily suspended Homakov, fixed the hole, and, after "reviewing his activity," reinstated him.
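To make the mechanism concrete, here is an added example (not GitHub's or Rails' own code) in plain Ruby with no Rails dependency. `PublicKey` reproduces the default ActiveRecord behaviour of the time, where `assign_attributes` sets every key the client sent; `ProtectedPublicKey` adds an `attr_accessible`-style whitelist. The controller helper, the user IDs and the request body are all constructed for the demonstration; the form only renders `title` and `key`, and the attacker adds the hidden `user_id` by hand.

```ruby
# Added example, not code from GitHub or the Rails project. Models the
# mass-assignment bug in plain Ruby so it runs without Rails installed.

# Vulnerable pattern: every key in the submitted hash becomes an attribute,
# which is what Model.new(params[:model]) did by default before Rails 4
# for a model that declared no attr_accessible list.
class PublicKey
  def initialize(owner_id)
    # The owner is set server-side from the session: this part is trustworthy.
    @attributes = { "user_id" => owner_id }
  end

  # Blindly copies whatever the client sent, including fields the form
  # never rendered, such as user_id.
  def assign_attributes(attrs)
    attrs.each { |name, value| @attributes[name.to_s] = value }
    self
  end

  def [](name)
    @attributes[name.to_s]
  end
end

# Hardened pattern: the model declares which attributes a request may set
# (the attr_accessible approach); everything else is dropped and reported.
# Rails 4 strong parameters do the same filtering in the controller.
class ProtectedPublicKey < PublicKey
  ACCESSIBLE = %w[title key].freeze

  def assign_attributes(attrs)
    rejected = attrs.keys.map(&:to_s) - ACCESSIBLE
    warn "dropped protected attributes: #{rejected.join(', ')}" unless rejected.empty?
    super(attrs.select { |name, _| ACCESSIBLE.include?(name.to_s) })
  end
end

# Stand-in for the "add SSH key" controller action: the owner comes from the
# signed-in session, then the form body is merged with mass assignment.
def add_public_key(model_class, current_user_id, params)
  model_class.new(current_user_id).assign_attributes(params)
end

# Constructed request body. The form only shows title and key; the attacker
# appends user_id pointing at a victim account (42 is a made-up id).
ATTACKER_PARAMS = {
  "title"   => "laptop",
  "key"     => "ssh-rsa AAAAB3NzaC1yc2E... attacker@example",
  "user_id" => 42,
}.freeze

if __FILE__ == $PROGRAM_NAME
  vulnerable = add_public_key(PublicKey, 1001, ATTACKER_PARAMS)
  hardened   = add_public_key(ProtectedPublicKey, 1001, ATTACKER_PARAMS)
  puts "vulnerable model: key owned by user #{vulnerable['user_id']}"  # 42, the victim
  puts "hardened model:   key owned by user #{hardened['user_id']}"    # 1001, the attacker
end
```

The practical check for an existing Rails 3.x application is to set `config.active_record.whitelist_attributes = true` (generated into `config/application.rb` since Rails 3.1), which makes mass assignment of any undeclared attribute raise instead of silently succeeding, and then to grep every model for a missing `attr_accessible` list; Rails 4 replaced this with strong parameters (`params.require(:public_key).permit(:title, :key)`) in the controller.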

Putting aside the way GitHub handled the situation (quickly and with aplomb), the main issue is that GitHub was vulnerable to an incredibly simple and well-known Rails hack that has probably existed since the site's inception. Ruby experts like Michael Hartl and Eric Chapweske have been writing (and warning) about the mass-assignment vulnerability since 2008, when GitHub was first launched. In short, it is quite possible that Egor Homakov was not the first person to exploit GitHub in this way. We would have heard about it if a large project had been deleted out of the blue, but a quieter attacker could have used the same hole to modify code bases for their own nefarious ends.

Moving forward, GitHub has apologized for not making clear how white-hat hackers should disclose security vulnerabilities, and has set up a new help page that clearly lists how to report issues. GitHub, alongside 37signals' array of popular web apps (Basecamp and Campfire), is probably the biggest deployment of Ruby on Rails on the web. After last year's long series of high-profile hacks on technology companies like Sony, RSA, LastPass, and Google, we probably shouldn't be surprised that GitHub was vulnerable. Still, when it is a service that so many important projects rely on, it's shocking that an age-old vulnerability wasn't picked up in a security audit; if GitHub performs security audits, that is.

For discussion of the vulnerability used by Homakov, see his personal blog and Chris Acky's blog.



Locked down

If you were to ask an average Android fan what the best part of the operating system is, there is a good chance that the reply would be that it's an open source project. The fact that it's freely available to use and work with is the cornerstone of the Android movement. However, is Android as wide open as users think? According to a recent report from VisionMobile, Google's mobile OS is actually one of the most locked-down open source projects on the market. While not everyone agrees with this point, it's easy to see how they came to that conclusion.

VisionMobile conducted their research by putting Android up against other open source projects such as Mozilla, Linux, MeeGo, and Eclipse. Using its own market research, the company rated each project on four areas: access, development, derivatives, and community.

How did Android rank? Dead last. In each category the mobile OS scored the lowest, which, in my opinion, does not indicate a lack of openness but an overstatement of VisionMobile's self-importance. Reading the infographic, it feels like the whole thing was created to expose Android as an open source sham. As an Android user, I have to take issue with this, specifically because it calls out Android in the areas of access, derivatives, and community.

Access

Of the legs VisionMobile is trying to stand on, this may be the sturdiest. Android is not developed in the open, but in-house until it's ready for release. Google works with partners like Samsung and HTC to make sure the latest version plays nicely with hardware, then rolls the source out to the community for its use. Usually there is a large gap between the announcement and demo of new features and the source release, but with Ice Cream Sandwich developers got the source before the Galaxy Nexus was even announced in the US.

While the definition of open usually involves a fully crowdsourced piece of software, the fact that Google holds the code until it's ready for everyday use is about quality. Honeycomb's source was not released until recently because of the fragmentation of the platform, and Google not wanting to exacerbate the problem. Once Android source goes live, anyone can do anything they like with it, even contribute to the source tree. I can concede the issue to a point, but I don't think that Google's focus on quality should be reason for a low score.

Derivatives

This is where VisionMobile's case starts to fall apart. Android scored low here because Google limits who can "officially" ship the Android Market on their devices. Manufacturers must meet certain standards and be certified in order to advertise that the Market is present, but they are free either to create their own store or to use one of the other third-party markets available on the internet. Google is not locking down applications the way Apple does; indeed, some Android users wish it would, to raise the quality of apps. Instead Google is creating a new method of getting apps, letting users choose whether they want to get Angry Birds from the Amazon Appstore or from the Market. Certification is about keeping hardware partners happy, nothing else. Go get yourself a no-name, knock-off Android device; I guarantee it has the Market installed on it.

Community

Rating a piece of software on whether or not users get tiered rights seems a bit anti-open-source to me. The idea is that everyone gets access, not just the elite. Android again scored poorly here because there is no official tiering in the community. I understand that VisionMobile is talking about incentives for developers to actually get projects completed, but Android has one of the strongest communities around! A user can look to several development groups to pick and choose what kind of ROM they want to run on their device. These groups do the work because they love Android and love open source, and are pleased to provide the public with a service that an everyday user can't usually take part in. Docking Android, or any of the other projects for that matter, on this point is ridiculous.

You can see the results of the study in the infographic below. Readers should note that it was conducted solely by VisionMobile, using its own market research. Take it for what it's worth.

Open Source Infographic

Vision Mobile via Boy Genius Report
