Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Why? I would expect any company to suspend the account of someone hacking them.


He did it under his own name, in a way dad not damage anything, using a problem that has been well known for ages, after attempting to draw attention to the issue several times and being ignored.

It is pretty obvious that he did not have any malicious intent, nor intended to do damage (if he wanted to, he could've done massive damage from an anonymous account in ways that wouldn't draw attention to it).

The only thing suspending his account accomplished is to punish someone who has helped draw attention to a very serious problem.

It just comes across as an incredibly childish and petty response given the circumstances.


> He did it under his own name, in a way dad not damage anything, using a problem that has been well known for ages, after attempting to draw attention to the issue several times and being ignored.

He was ignored by the Rails devs, not by GitHub. Yet GitHub became the target of his attack, because he was "bored" (his word, not mine).

At no stage, as far as we know, did he raise the issue directly with GitHub. As I've said in another thread, he could have done so and requested they disclose the fix publicly (say, within 24 hours) in an effort to force the Rails devs' hands. Instead, he's punished GitHub (who, mind you, probably should have audited for this vulnerability a long while ago) because he was shunned by the Rails devs.


If you read the Github advisory, he did indeed raise the issue with them "last Friday":

https://github.com/blog/1068-public-key-security-vulnerabili...


When you've tried to inform the vendor and have been rebuffed, a demonstration of the vulnerability helps convey the gravity of the issue.


The point is he did them no harm when he could have done a lot of it.


Sure, that was my knee jerk reaction too. Of course they should suspend the account! But I think that was the wrong choice.

Shutting down the one account will do nothing. He can create a second account in a matter of seconds. They fixed the code that permitted the exploit, right? So the fix alone should be plenty to prevent any more malicious attacks.

And now, because of the suspension, they have a wave of bad PR (justified or not). This guy is clearly infatuated with Github. He got a tattoo of the Octocat for crying out loud. Why would you punish this guy for loving your service and caring enough about it to warn you of a security vulnerability?

Seems like there are only minuses to suspending the account, not a lot of pluses.


I would expect any company to do far more than suspend the account, especially knowing exactly who did it.

I would think having a suspended GitHub account would be the least of worries with a company who has presumably access to a good lawyer or two and boatloads of cash...




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: