April to See Month of MySpace Bugs 165
An anonymous reader passed us a link to PC World's coverage of the upcoming Month of MySpace bugs. Organized by a pair of wiseacre hackers tired of the 'Month of X Bugs', they are set up to 'highlight the monoculture-style danger of extremely popular websites.' Though it's supposed to be funny, outside security analysts have apparently been consulted on the project. "Though the project, which launches on April 1, has all the appearance of a practical joke one well-known hacker said he'd been contacted by the Month of MySpace team with legitimate security questions. 'Those guys and I have been keeping in touch,' said Robert Hansen, chief executive of Sectheory.com. 'It's funny but it's not a joke.'"
MySpace's Microsoft-backed infrastructure. (Score:2, Informative)
Where I work, we're considering what system we'll use when deploying some new web applications. We recently audited several ASP-based web applications, and found them to be quite terrible. I don't know if it's a problem with the developers of these products, but those that we tried were full of obvious security holes. Our past development was using WebObjects, and we saw nowhere near the number of obvious flaws that we saw with the ASP-based solutions, even when we had interns developing code.
My personal experience with ASP is fairly limited, but I suspect it may just be the technology itself that hinders secure development. It's much the same case for PHP. With such technologies, there are too many little details and flaws that even an expert programmer can become overwhelmed by. At least we decided to go with a Java-based solution running on Solaris. It's probably not perfect, but I'd wager that it's far more secure than most ASP- or PHP-based web apps.
Myspace allows XXS redirect for malware execution (Score:4, Informative)
Re:Why is it "funny" to exploit security bugs? (Score:2, Informative)
The principled thing to do is to contact the vendor whose software is buggy, and give them a detailed report of all the bugs you found, mailing a duplicate report to CERT to make sure there's at least some pressure on the vendor to fix them.
The UNPRINCIPLED thing to do is to start up a website and post a "month of MySpace bugs" for the whole world to see, which sets every idiot script kiddie out there on an easter-egg hunt to find vulns.
What's really screwed up about it is this: Let's say Joe Hacker decides to "out" some vendor and spends a month attention-whoring. That vendor may or may not get the bugs fixed before legions of script-kiddies figure out how to use them. MEANWHILE, every sysadmin out there is completely fucked, waiting for the vendor to catch up to the Scavenger Hunt that Joe Hacker decided to kick off with his stunt.
It's not cool, it's not funny, and I wish these assholes would just knock it off.
They should grow up already.
Re:I thought... (Score:1, Informative)
Re:well (Score:3, Informative)
I'm working on it... [sourceforge.net] and the plan is to use OpenID for authentication.