PunkSPIDER Project Puts Vulnerabilities On (Searchable) Display
First time accepted submitter punk2176 writes "Recently I started a free and open source project known as the PunkSPIDER project and presented it at ShmooCon 2013. If you haven't heard of it, it's, at heart, a project with the goal of pushing for improved global website security. In order to do this we built a Hadoop distributed computing cluster along with a website vulnerability scanner that can use the cluster. Once we finished that, we open sourced the code to our scanner and unleashed it on the Internet. The results of our scans are provided to the public for free in an easy-to-use search engine. The results so far aren't pretty." The Register has an informative article, too.
Ethics (Score:3, Insightful)
Re:Next - SE for houses without security systems (Score:4, Insightful)
Well, at least one difference is that when a website gets hacked, it is almost always the people visiting the website who are the target, because the goal of the hacker is either to grab information about those users from the hacked system or to use the hacked system to distribute exploits to anyone who browses there.
When a house is broken into, on the other hand, it is basically a problem for the owners of the house and not really anyone else.
So publishing a list of vulnerabilities on websites serves the purpose of shaming the website operators into better protecting their users.
Re:Ethics (Score:4, Insightful)
We hope to provide a view of this to the website owner and yes, push them a little to get their security ducks in a row.
No, you don't. If you did you'd have built your system to make *them* aware first, instead of posting a "don't blame the messenger" shame tool that exposes their vulnerabilities.
The hacking-promotes-security argument is weak sauce, even more so in your case. The vast percentage of people you've exposed (i.e. not anonymous mega-corps, but rather small mom-and-pops set up and left unmanaged by unskilled sysadmins, innocuous self-hosting newbies, etc.) will likely never encounter your list, even after it provides script kiddies with an easily digestible list of opportunities; they wipe their servers and turn them into warez hubs, only to be rinsed and repeated because they will *never* know any better.
You are merely a new vector for the disease, selling itself as a cure. Where in this is your moment to feel proud?