It slowed down the update (to 3.2.11), but it didn't prevent us from removing the XML parser from DEFAULT_PARSERS immediately. I'm not defending anyone here. I'm simply pointing out that the scenario wasn't exactly status quo. This has all moved very quickly.

EDIT: I guess that qualifies as a mitigation strategy, but when I said that, I was talking more along the lines of the patches or, like another person I know, even more dramatic steps like forking Rails. There are regressions in the 3.2.x updates since 3.2.9 that affect some sites.

Bottom line is that there was a lot of bad timing here that sucked up a lot of time in securing a Rails site.



Right on. That was the right call to make.

I wanted to be careful not to point a finger at you; it's just that this is exactly the kind of crazy mistake I can see a web startup making.

Obviously, the timing sucked, but nobody had any control over that.
