
yargzeblog | 4 months ago

IMO the only way to avoid doing a total rebuild is to have Andre Arko:

1. Admit that he was the unauthorized actor (which means he's probably admitting to a crime?)
2. Have him attest he didn't exfil or modify the integrity of service while committing a crime.

If I was Ruby Central I would give clemency on #1 in exchange for #2 and I think #2 helps Andre Arko.


ctoth|4 months ago

So you would expect people to accept that the entire root chain of custody for the Ruby supply chain is attested by ... A guy saying he didn't do anything bad? I have a cool cryptocurrency you might wanna check out that I definitely don't have a backdoor to!

LamaOfRuin|4 months ago

If Andre doing that was criminal, it seems quite possible that their original takeover of the GitHub organization was also criminal?

I have been waiting to hear if there would be any civil action on it since it's not at all clear they had any rights to do most of what they did.

tptacek|4 months ago

No, that's not at all clear. Ruby Central owns the AWS account for which Arko is (pretty clearly) being accused of changing the AWS root account password after having his access revoked.

I don't think for a second Arko will be charged, but there isn't a "nuh-uh, you did this gross thing in our open source community" defense for 18 USC 1030.

SAI_Peregrinus|4 months ago

Ruby Central isn't capable of giving clemency. They could refuse to testify in any prosecution, but they don't get to pick whether a relevant attorney general or district attorney decides to prosecute.

dragonwriter|4 months ago

> They could refuse to testify in any prosecution

Legally, they can state a preference not to testify, but they couldn't (legally) refuse to if issued a subpoena. (And, even more emphatically, they couldn't accept a good or service from the person who might be charged in exchange for not reporting the crime, or for refusing testimony.)

dragonwriter|4 months ago

In the US, at least, private parties cannot grant immunity from prosecution for a crime (only public prosecutors of the jurisdiction against whose laws the crime was committed can do that), and they may face legal jeopardy in agreeing, or even offering, not to report a crime in exchange for some good or service of value, as that is the definition of blackmail.

florkbork|4 months ago

I hate to ask; but

- Account created 14 hours ago.

- Posts article crammed full of accusations

- Has a strong well formed opinion about "it's a crime", but didn't? read the content where the subject of the accusations has.... Already disclosed they had access in both private and public.

My account is also very new, because I have opted to discard my previous ones. I have used it to comment predominantly on this topic, as I sympathise with the maintainers.

So in the interests of making a similar disclosure is there any chance you are affiliated with RubyCentral through a business relationship with them, their legal counsel, a marketing or PR agency or anything of that nature?