
Correct me if I'm wrong but the nature of the vulnerability was that someone who's not you had to submit a page with certain POST variables they could have determined after the fact to be malicious while logged in.

So the fact that they're sending out this E-Mail tells us that they either don't keep logs on requests + POST contents, or that they haven't had the time or inclination to analyze this data if they have it.



> So the fact that they're sending out this E-Mail tells us that they either don't keep logs on requests + POST contents, or that they haven't had the time or inclination to analyze this data if they have it.

No.

GitHub is primarily a B2B company. They're not making their big bucks off of individuals.

Businesses understand that problems arise. What they want to see is immediate action taken to rectify the problems.

Business 101. Even if the problem can be easily fixed by flipping a switch on your end that the customer never has to know about, always show the client "you did something to fix the problem". This is an in-your-face-we-are-taking-charge action. Even though it is completely unnecessary from a security standpoint, it is necessary from a business one.

They get it.


Or they realize that psychology is just as important to security (and customer confidence) as logs, analysis, and good code.

Every person that got this email now feels more secure about GitHub. They audited their own private keys. They were reminded that they can remove keys at will. And they know GitHub has improved its code and given users more power (email alerts, etc.) to be in control of content.


I for one am feeling way less confident in them with every announcement they make. They clearly have no idea if and how they were exploited, and their communication with their users only asks their users to check for one attack vector, while in actuality the attack was not limited to just adding SSH keys.


This isn't the only thing we're doing. Most of the work is going on behind the scenes though.


Do people keep POST contents?


Rails logs POST and GET parameters by default.


Still, I think it's unrealistic to expect GitHub to parse through all of their logs. First, it would be non-trivial to detect the malicious behaviour in the first place, and secondly, keeping logs that go back multiple years is certainly non-standard, particularly at the info level.


GET parameters I understand, but POST as well? As in the form contents? I'm finding it hard to believe you. By default?


Why is that so shocking? It logs both.


Shocking because it will produce extremely large amounts of data, makes the logs extremely security-relevant, and probably breaks all kinds of privacy laws. E.g. in the EU a user has a right to request that a company delete all data they have collected about him. So you'd have to go through your logs and purge all request data from that user - possible, but likely to be overlooked.
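The sub-thread above turns on two points: Rails writes request parameters to its log, and anyone wanting to find abuse after the fact would have to parse those logs while also keeping sensitive values out of any copy they make. The following is an added example written for this page, not code from any commenter, from GitHub or from Rails. It parses constructed log lines in the Rails 3 request-log layout (`Started ... / Processing by ... / Parameters: {...}`), redacts sensitive fields the way `config.filter_parameters` would, and flags POSTs whose form hash carries fields the action is not expected to accept. The controller name, the allow-list of expected fields and the sample requests are all hypothetical.

```ruby
require 'json'

# Constructed sample lines in the Rails 3 request-log layout (not real GitHub logs).
SAMPLE_LOG = <<~LOG
  Started POST "/keys" for 203.0.113.5 at 2012-03-04 10:00:00 +0000
  Processing by KeysController#create as HTML
    Parameters: {"key"=>{"title"=>"laptop", "key"=>"ssh-rsa AAAAB3NzaC1yc2E... alice@laptop"}}
  Started POST "/keys" for 198.51.100.7 at 2012-03-04 10:05:00 +0000
  Processing by KeysController#create as HTML
    Parameters: {"key"=>{"title"=>"oops", "key"=>"ssh-rsa AAAAB3NzaC1yc2E... x@y", "user_id"=>"42"}}
  Started GET "/alice" for 203.0.113.5 at 2012-03-04 10:06:00 +0000
  Processing by UsersController#show as HTML
    Parameters: {"login"=>"alice"}
LOG

# Hypothetical allow-list: the form fields each create action legitimately accepts.
EXPECTED_PARAMS = {
  "KeysController#create" => { "key" => %w[title key] },
}.freeze

# Parameter names whose values must not survive in any copy of the log we keep.
SENSITIVE_KEYS = %w[key password token].freeze

Request = Struct.new(:verb, :path, :ip, :action, :params)

# Group log lines into requests: one Started line, then Processing, then Parameters.
def parse_rails_log(text)
  requests = []
  current = nil
  text.each_line do |line|
    line = line.strip
    if (m = line.match(/\AStarted (\w+) "([^"]*)" for (\S+) at/))
      current = Request.new(m[1], m[2], m[3], nil, {})
      requests << current
    elsif current && (m = line.match(/\AProcessing by (\S+) as/))
      current.action = m[1]
    elsif current && (m = line.match(/\AParameters: (\{.*\})\z/))
      # Rails prints params with Hash#inspect; for this constructed sample
      # (no "=>" inside any value) swapping "=>" for ":" yields valid JSON.
      current.params = JSON.parse(m[1].gsub("=>", ":"))
    end
  end
  requests
end

# Return a copy of params with sensitive values replaced, like Rails' filter_parameters.
def redact(params)
  params.each_with_object({}) do |(k, v), out|
    out[k] = if v.is_a?(Hash) then redact(v)
             elsif SENSITIVE_KEYS.include?(k) then "[FILTERED]"
             else v
             end
  end
end

# Flag POSTs whose nested form hash carries fields the action does not expect.
# Each finding keeps only the redacted parameters, so the report is safe to share.
def unexpected_params(requests)
  requests.each_with_object([]) do |req, findings|
    next unless req.verb == "POST"
    expected = EXPECTED_PARAMS[req.action] or next
    expected.each do |scope, allowed|
      extra = req.params.fetch(scope, {}).keys - allowed
      next if extra.empty?
      findings << { ip: req.ip, action: req.action, extra: extra, params: redact(req.params) }
    end
  end
end

if __FILE__ == $0
  unexpected_params(parse_rails_log(SAMPLE_LOG)).each { |f| puts f.inspect }
end
```

Run on the sample, only the second request is reported: its form hash carries a `user_id` field the action's allow-list does not contain, and the SSH key material in the finding has already been replaced with `[FILTERED]`. The `=>` to `:` rewrite is a shortcut that holds for the constructed sample; real logs with arbitrary user-supplied values would need a proper parser for Ruby's inspect format.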


GET params are a part of the URL. POST params aren't.



