Hackers Find Use for Google Code Search

An anonymous reader wrote in to say that "Google has inadvertently given online attackers a new tool. The company's new source-code search engine, unveiled Thursday as a tool to help simplify life for developers, can also be misused to search for software bugs, password information and even proprietary code that shouldn't have been posted to the Internet, security experts said Friday. "

Isn't the point of open source...

Isn't the point of open source that anyone can fix the programs? If it can be used by attackers it can also be used by developers. This is a pretty pointless article anyway as it's not that easy to find security holes in programs - if it was that easy then the developers would have patched up the holes already.

Re:Isn't the point of open source...

But it is that easy. Back in the original slashdot article concerning the search tool, somebody posted a link to a result page that included a rather large number of php scripts that were vulnerable to SQL injections. Other common flaws should also be easy to search for.

The problem is, not all developers perform this kind of search over their code. They may not even be aware that it's helpful.

Re:Isn't the point of open source...

True but by making it easy for third-parties to search for this problematic code, it can hopefully be fixed and the original coders notified, before the faulty code is melded into the 'code infrastruture' deeply and in ways that make it more difficult to fix.

Re:Isn't the point of open source...

...somebody posted a link to a result page that included a rather large number of php scripts that were vulnerable to SQL injections.

And you're surprised? Go to any site trying to teach programming in PHP and you'll likely find tons of vulnerable code. There seem to be very few PHP "programmers" who actually know anything about programming, let alone security. Most just copy from others (who copied from someone else, ad nauseum) and tweak. It will be quite a while before the amount of "secure" PHP code out there on the internet reaches critical mass.

Re:Isn't the point of open source...

From the summary:

...even proprietary code that shouldn't have been posted to the Internet...

Seems to me that it's NOT necessarily open source. Besides, Open Source isn't a magic bullet. "You found a bug in my open source app so you should fix it and upload a patch"... wow what a cop-out answer. If you think that anyone who uses any open source app is also a software developer... and a good one at that... well, no wonder Linux isn't more popular.

I agree that it'd be nice if this article were actually an article though...

Re:Isn't the point of open source...

Isn't the point of open source that anyone can fix the programs?

That's one point. Another point is that if your company, for example, uses an open source application, you can hire someone to fix it instead of having to rely on the company that sells it.

Yet another point is transparency -- being able to know WHAT the software is really doing, instead of having to trust the company that sells it.

Re:Isn't the point of open source...

"Never ever trust your fate to a black box when you are unaware of its contents" - the US Military.

Re:Isn't the point of open source...

In practice the US Military does this quite a bit, unfortunately.

It's actually kinda funny (read: ironic.) My roommate works on Jaam (actually, my roommate and his boss *are* Jaam,) and according to him, he's allowed to know far more about Red aircraft than he is about Blue. Why? Because info on Red aircraft were obtained through spying or diplomacy, information about Blue aircraft is tightly controlled by the companies that make them.

And that's your daily dose of "our government is insane."

OSS - Theory vs. Reality

I've come to believe that open source works if you're a programmer, but for the rest of the world the promises fall flat.

I can't read code - it means absolutely nothing to me. So this whole point on OSS being transparent and knowing what the software really does, doesn't apply to me. Hell, if someone were to show me the source code to both Windows and Linux, I probably wouldn't even be able to tell which OS was which. All I care about is whether the software does what I need it to do; I don't plan on spending any evenings curled up to the fire reading source code.

So this leads us to the next pro-OSS argument, that if the program doesn't do what you want you can either make a solution or hire someone to do it for you. I've tried this (several times in fact), and it didn't work. Since I don't program I have to go out and hire someone to code the solution I want. Never mind that finding a coder can often be a royal pain, but each and every time not only has (or would have) it been more expensive to hire someone to code the solution, but it took longer than had I gone out and bought a commercial closed source package (or two) that did do what I want.

Lastly, I keep hearing how OSS programs are more nimble and should a bug or needed feature be identified, 'the community' will solve the problem much faster than a closed source solution. That may be for popular projects like Linux or Firefox, but in my experience I find the OSS programs to be less responsive to requests and needs than the closed source solutions.

As a scientist, I'm all for transparency and free flowing information. However, when push comes to shove, I need programs that work, and, while I really hate to say this, the OSS programs have always fallen short.

Re:OSS - Theory vs. Reality

I ran into a situation at work recently where we (note, we're statisticians, not programmers) discovered firsthand the value of having the source code to a piece of software. A proprietary program we purchased was calculating a value incorrectly because it wasn't taking a certain factor into account that most people don't need, and there was no way to get it to do that. My boss' comment: "And we can't fix it because we don't have the code."

Her point was right on target - if we had the code, we could've easily contracted out fixing the program; it probably would've taken a competent programmer a couple hours to put the fix in and test it. But instead, we're stuck with a software package that's useless for many of the situations we wanted it for, unless the developer decides we're important enough to fix the software.

When this happened, I realized that the general public is becoming much more aware of the potential problems with closed-source software. For now it might just matter mostly to programmers, but sooner or later, it'll matter to a lot more people, too.

Re:OSS - Theory vs. Reality

Her point was right on target - if we had the code, we could've easily contracted out fixing the program; it probably would've taken a competent programmer a couple hours to put the fix in and test it. But instead, we're stuck with a software package that's useless for many of the situations we wanted it for, unless the developer decides we're important enough to fix the software.

Just out of curiosity -- HAVE you contacted the developer asking for a fix? Just because its a closed-source solution you can't fix yourself, doesn't mean the vendor won't fix it if someone asks. Especially if its really as simple as a couple of hours (although there is always extra overhead, such as back-testing, etc.)

Disclaimer: I work for a closed-source software vendor, but we try very hard to meet the needs of all of our customers, so if they identify a critical issue we generally try to either find an acceptable work-around, or patch the code when possible. And (ideally) that would be done in such a way that you won't lose that fix when you upgrade. If you custom-fix your OSS solution, you either have to never upgrade, or patch every version that comes out; that seems to be a lot of long-term hassle.

Customer satisfaction is a big part of being a software vendor -- sure, you may be a small customer, but if my company is responsive to your needs then that builds good relations with you, and you may be an excellent referral source for us later (or become a larger customer yourself). That's a strong motivation for businesses that really care about their customers. And for professional-type products, buyers are more likely to pay extra for that good service.

OMG!!!

Tools can be used for evil purposes! News at 11!

Not earth-shattering

Someone [ihackstuff.com] has done pretty well out of the normal Google engine for this kind of "research".

They must have read Slashdot!

Slashdot readers beat 'em to it!

The previous story /. precipitated comments [slashdot.org] that did exactly that.

find and fix

Since it is easier for everybody to find bugs and vulnerabilities, it is now easier to fix them. Relying on the fact that your source code hides in some corner of a CVS repository where nobody really wants to casually go is just a lesser form of security by obfuscation. Would you rather have truly secure software or software that only seems to be secure?

This is major threat

only to those whose "security" in reality consists of not much - or even nothing - more than obscurity.

Search is misuse?!?

How is searching for something misuse of the search engine? I'd say that the Internet was misused by those who made the information public in the first place.

The same as with ordinary text

If you accidentally put something publicly available on a web page, it can be found, manually or by a search engine. This is really no different from how it has always been with text, images and anything else that you can put on the web.

And people used Google to search for...

"Powered by phpBB" in order to find phpBB boards that were vulnerable to an exploit to hack. This isn't exactly a new technique. Well ok I know it's not exactly the same thing but the idea is still the same.

Absolute FUD

The article talks about how easy it is to use Google Codesearch and goes further to suggest that the regular search can't be used to find code.

B.S.!

I've used Google search to find all sorts of code snippets over the years, particularly #define's for constants that Microsoft don't actually define anywhere on MSDN.

Flash! Google finds stuff on Internet!

be misused to search for software bugs, password information and even proprietary code that shouldn't have been posted to the Internet, security experts said Friday.

What else can one say, but DUH. If someone is stupid enough to leave their confidential files on a fucking web server, they won't be confidential for long. Google didn't create the problem. malicious hackers would probably have found them anyway, just now everyone else can.

You mean like this?

16: my $self = shift;
          # XXX a hole you could drive a fucking bus through
          my $method = $self->cgi->param('method') || 'hello';

Yeah, I'm sure no malicious mind ever knew about grep and had to wait on Google.

evolution

I think previous posters got it wrong. They say the cracker access to the code is just as easy as anyone else's who can fix it. But a developer looks only for the code he's involved to, while the cracker is looking for any exploitable program. That, and although coders eventually search for security holes, he's goal is to build features. So, it indeed is making it easier for the crackers.

Which is a good thing, if you realize bad environment also leads to evolution. More bugs exposed, the more developers will fix them, and maybe one day software designers will get it right, stop using insecure programming language, and write safer code.

Re:evolution

stop using insecure programming language

No language offers 100% security. Some offer features that are easy to misuse in such a way as to inadvertently introduce security holes, but there is no such thing as a "secure" programming language; bad/inexperienced coders will produce dross whatever language they use.

politics, classical, but flawed

This whole thing smells really badly. Meaning: we know our products suck, people know what we tell them, and it's good for us this way. If somebody makes them possible with some tools to find out anything about what we don't want to tell them, that's bad for us. Even if they could find out these things without using those tools, it's good for us they have those tools since now we have somebody to blame. Either way, we win.
 

Imagine I'm a hacker ...

I know my way around code pretty well. While poring through some source code I discover a code snippet with a particular vulnerability that I can exploit. Now if only I had a way to see if this same snippet appeared in other applications. I guess I'll have to wait for Google to introduce a source code search mechanism before I can figure that out. Bummer.

blaming others for your mistakes

People need to stop blaming those that provide tools and research for their finding or their ability to find bugs and errors. It's not their fault. If you screw up and someone finds it, it's not their fault, it's yours. Take responsibility and deal with the consequences.

The people that make the problems usually cry that the entire world needs to tell them about their mistakes in a nice quiet, private way, so they can silently fix them and avoid any unnecessary damage. The reality of this, as we have seen time and time again, is that when they are informed of these problems, so often they go ignored for months and months. And then the issue is finally leaked and they cry you didn't give us enough time! No, it was your fault to begin with, it doesn't matter if someone else made your mistake worse, none of this would have hapened without you screwing it up to begin with. This is how the world encourages you to try harder to get it right the first time instead of tossing us crap and fixing it later.

In summary, anyone that fights against auditing tools clearly has a quality control or security issue they are unwilling to fix and are afraid to have exposed.

(The whole model of "sell crap, fix later" is broken from the get-go. That's why we have crappy software hustled to the store in "version 1.0.0" form and have to beg the authors for bug fixes for the next half year. Problem is they already have your money, and that upgrade is free, so why should they pour resources into a 1.1 when there's no more money to be made? It's a losing proposition if you don't intend to release a paid 2.0 later, or if you think you can sucker them a second time)

Locks on doors.

A lot of people are skeptical about the security risks of this. The general claim is that if it's up on the web, a) it can be found anyhow, and b) you should know that it's secure (or insecure).

True, however here is another way of looking at it.

Lets say I buy a brand of lock for my house, which is later to be defective. Perhaps I don't know about this defect, or I don't have the time or expertise to fix it quickly.

Then someone develops a technology that alerts burglars to which houses have that specific brand of lock.

Wouldn't that be cause for some concern?

I think code-searching for vulnerabilities is mildly concerning, even far beyond the usual methods that exist without code search. Note I said mildly. This isn't going to cause the catastrophic collapse of the Internet. It's just one more thing for people to be aware of and (hopefully) take action on.

/K

Yeah, right

What do you mean, "inadvertently"? :)

IDG Hatchet Job

"The downside is that you could also use that kind of search to look for things that are vulnerable and then guess who might have used that code snippet and then just fire away at it," says Mike Armistead, vice president of products with source-code analysis provider Fortify Software.

So Robert McMillan of IDG digs up a small competitor to Google Code, who says actually publishing open source is bad. Of course, the point of open source is that anyone, not just motivated attackers, can inspect the source to reveal problems, and even fix them ourselves.

Fortify doesn't seem to offer GPL [google.com] or any other open source for its own product. But it does seem to publish its own version of Google Code's results [fortifysoftware.com]. Which any worthwhile reporter would have learned, if they wanted to tell us a story about the risks of open source, rather than a competitor's story of how "Google is Evil".

I call this FUD

Today's "hacks" mostly go for widely spread software. Why? Simple. For maximum impact. There are, of course, still targetted attacks, but those targets tend to be machines and nets of high interest for the hackers. If you use insecure software there, you earned that hack well.

So the key target is to get access to as many machines as possible, to create spambots, to phish for information, in other words, the key target for attacks is the machine of the common man.

Now, which approach would be more fruitful? To find a neat exploit, find out which software contains it and then match it against the software usually used by Joe Average? Or to do it reverse, find out what Joe uses and find exploits in that software?

I think the recent revelation of buffer overflows in MS-Office and the Javascript exploit in the IE answers that question.

Pure FUD

Both Krugle [krugle.com] and Koders [koders.com] already offered open source search services. Google isn't offering anything new.

Playing with Google Code

When I read this article, I went to code.google.com and tried it out for myself.

It seems to me that they are just indexing open source projects and presenting a rather nice interface for it. In my opinion, it seems more like a meta sourceforge that finds OSS projects from all over the web by searching for projects that make their VCS publicly available. If a closed source company has its VCS publicly accessible, then they've already done their own damage.

I've recently been searching high-and-low for a decent open-source knowledge base application that I can implement for our IT department at work. This search has been complicated by the fact that so many open source projects have a knowledge base about their products, so I get a lot of false positives in my searches. As code.google.com indexes more and more projects, I am hoping it might just be of help in that particular task, since it is indexing the project descriptions specifically.

Like any other tool, code.google.com is not evil, but its manner of usage may make it so. Do we ban hammers and kitchen knives because they can be used to injure or kill? I think not. Anyway, "code.google.com makes it easier for an attacker to find a bug or exploit" is only true for small values of "easier". Think about it... if someone has the knowledge to review source code and find the bugs and create an exploit, then they were already probably smart enough to use existing google (and other search engine) tools to find what they needed. Your average script kiddie is going to be looking for an exploit handed to them on a silver platter, not to actually have to figure out an exploit on their own.

Just my $0.02

Re:Playing with Google Code

Some search strings to try out:

http://www.google.com/codesearch?hl=en&lr=&q=buffe r+%22should+be+enough%22&btnG=Search [google.com]
http://www.google.com/codesearch?hl=en&lr=&q=%22ca n+be+fixed+later%22&btnG=Search [google.com]
http://www.google.com/codesearch?hl=en&lr=&q=%22I+ don't+understand%22&btnG=Search [google.com]
http://www.google.com/codesearch?hl=en&lr=&q=%22no t+very+safe%22&btnG=Search [google.com]
http://www.google.com/codesearch?q=%22but+who+care s%22&btnG=Search+Code [google.com]

You should be ready for it

We're living in a world were obscurity will become more and more invalid method of cheating, securing, confusing, misrepresenting, lying, disinforming, profiting, whatever.

'IT' just makes it easier to find what is already out there. I'd say good for Google, another good step to their goal of "indexing the world".

Google vs. (Koders|Krugle).com

Koders and even Krugle guys precede Google's code search, but they are going to have a hard time attracting more developers' eyeballs - check this [alexa.com].
Too bad one can't get Google code search on there, too, but you can imagine how far that graph curve would be.

Any tool is like this

I have a hammer. I can build a house with it. Or I can kill someone with it. Does that make the hammer bad? Should we restrict the availability of hammers? Should we start requiring FBI background checks at Walmart in order to purchase a hammer? If we make it illegal to own a hammer, only criminals will have hammers.

Seriously, any "tool" is like this. You can do wonderful creative things with it. Or you can do nefarious evil with it. That doesn't make the availability of the tool wrong or undesireable.

Like gcc and perl

FUD city.
From TFA: Code Search is "another tool that makes it a tad easier for the attacker,"

Like gcc and perl. Gee, those pesky tools. What do you know, personal computers are another tool that makes it a tad easer for the attacker too.

Obviously developers concerned with security should take note of any new and current tools available, but to create a tone like Google is providing a date rape drug for crackers is just raw fud propaganda.

This Just In!

Powerful tools can be used for good or ill!

Take a second look at those knives, fellas! Monitor the internet! Be aware before pushing on that gas pedal! Think twice with that plutonium, kid!

Yes, BB guns are fun--but you'll shoot your eye out if you're not careful!

!!!!!!

Stupid title..

It's designed to be of use to hackers! It's the crackers I would be worried about!

thats what i did with it

When I first saw the link about google code, I was in the process of attempting to find software that used a certain function that is vulnerable in a popular scripting language. This was remarkably difficult using just 'regular' google, even though it really shouldn't have been. However, then google code came out and poof I used it to look for code using the vulnerable function, and I found a lot.

first rule of thumb

The first thing you are suppose to learn Net wise is if you don't want it cracked, stolen, or downright abused... Don't put it on the Internet in the first place.

Warning Will Robinson!

NEWSFLASH: Maps can be used for evil

It has been reported that a recent new invention of google corp. by the name of 'maps' can be used for evil purposes.
These new 'maps' show information about a given area so terrorists can find new targets to bomb.
George Bush is putting a bill through very soon to ban this evil invention.

*YAWN*
NEWSFLASH: Knives can be used to kill people.

Its all a double-edged sword whatever you do I guess.

good

Security experts say that the security implications of Google Code Search are noteworthy, if not earth-shattering.

Yes, and they are good implications. If a company lets proprietary, bug-infested source code leak onto the web, then they should have to deal with the consequences.

Changes Nothing But Speed

Google's search changes little but the speed with which one searches. The same criticism could be leveled at a new, more efficient Library index. Yes, "bad" people can find things easier... but so can the much, much larger body of "good" people. Nothing is changed but speed of access. The ratios remain the same.

Google already indexes source code

The only difference for google code search and normal code search is that you can search for special characters that one normally cannot in google standard search. but thousands of people have already used google for searching code by just trying to limit their search by using words like "int long public" etc so nothing is new here, except that we now can search using e.g. php $variables, wheras the $-sign is ignored unless you use google code search.

It may be dangerous, but is so call

Yes, it can be dangerous, in the sense that may help us to find flaws in Open Source software, as the the common Google Search does or even "grep".

But, anyway, the tool can be used in order to spend [google.es] a [google.es] good [google.es] short [google.es] while [google.es].

In other news

Hunting rifle used to kill man. Details at 7.

do a search for...

... "all your base"

Re:I use it to find linux vunerbilities

Reh. It's a dupe post. Every once in a while this one shows up.

You know, forget for a second that Synaptic has been around for a while, and is usually labeled 'Find new software' in most good distros.

Re:I use it to find linux vunerbilities

"i plug in a USB wireless card and nothing happens, i plug in a USB printer, nothing happens, i plug in a USB stick nothing happens,"

First: true for most cases. Linux Wifi support IS horribly lacking, but blame it on the vendors; we have to reverse engineer every chip that comes out, or use the windows driver.

Second: Patently not true for modern distros. Lite distros, that don't feel like adding the CURL drivers in, maybe, but I believe I've had an issue with exactly one printer on my laptop.

Third: Unbelievably not true. Not only does Linux itself handle USB drives seamlessly, but most distros automount it, and KDE automagically recognizes it and asks you what you want to do with it. You must've been playing with a complete shit distro. Or you're just lying through your ass. Either way, I call FUD.

Re:I use it to find linux vunerbilities

I plug a USB mass storage device into a friend's WinBox. It doesn' "just work". Not only that, the way everything is set up it's next to impossible to figure out WHY it doesn't "just work".

Re:I use it to find linux vunerbilities

Linux is *not* user friendly, and until it is linux will stay with >1% marketshare.

So if Linux gets user friendly, it will drop to a 1% market share? Sounds like a reason to keep it not being user friendly!

Re:I use it to find linux vunerbilities

It's unfortunately a self-perpetuating windows monopoly. However, with your wireless problem, ndiswrapper is probably your friend. I like the new ubuntu (6.06) because it supports almost everything (I took a quick look at synaptic and it turns out that ndis is bundled in, with large amounts of wireless drivers, so you're set).

Re:I use it to find linux vunerbilities

Thanks! I was wondering how to get Q3 running on Linux.

Re:I use it to find linux vunerbilities

linux will stay with >1% marketshare.

To my knowledge most other Opererating systems also have a greater than 1% market share. Retard.

Re:I use it to find linux vunerbilities

I can see you've never wrestled with a Palm Lifedrive in drive mode (allows you to use it like a flash stick) on Windows.
Works fine on Linux. Who would have guessed.

Your not using a standard *Desktop* distro. Before you make a fool of yourself go download Knoppix or something.

Re:I use it to find linux vunerbilities

[..] i plug in a USB wireless card and nothing happens, i plug in a USB printer, nothing happens [..]

Are you doing it that way with Win-"install drivers before pluging in USB device"-dows? There are devices with huge yellow stickers to remind people how good Windows USB support is...