Hackers Find Use for Google Code Search 176
An anonymous reader wrote in to say that "Google has inadvertently given online attackers a new tool. The company's new source-code search engine, unveiled Thursday as a tool to help simplify life for developers, can also be misused to search for software bugs, password information and even proprietary code that shouldn't have been posted to the Internet, security experts said Friday.
"
Isn't the point of open source... (Score:5, Insightful)
Re:Isn't the point of open source... (Score:5, Informative)
The problem is, not all developers perform this kind of search over their code. They may not even be aware that it's helpful.
Re:Isn't the point of open source... (Score:5, Insightful)
Re:Isn't the point of open source... (Score:4, Insightful)
And you're surprised? Go to any site trying to teach programming in PHP and you'll likely find tons of vulnerable code. There seem to be very few PHP "programmers" who actually know anything about programming, let alone security. Most just copy from others (who copied from someone else, ad nauseum) and tweak. It will be quite a while before the amount of "secure" PHP code out there on the internet reaches critical mass.
Re: (Score:3, Insightful)
Re: (Score:2)
That's mostly because PHP (and to a lesser extent ASP and JSP) is designed to allow semi-technical people to throw rapidly pages together. The trouble is, that's about as far as most people using it take it; thus you end up with vulnerabilities that are painfully obvious to those of us with a little more experience. It's 2006, not 1996; there is absolutely no excuse for producing code with SQL inject
Re: (Score:2)
Most common response: "Who would try to do that?"...
PHP:{Java, Perl, Python, Ruby, etc} as Frontpage:HTML
I wonder if I got that formating correct. I'm sure you get the dri
Re: (Score:3, Insightful)
Re: (Score:2)
Footnote 1: I relize there are many large sites using PHP with great success. Kudos. Seriously, Kudos. Why put yourself through that though?
Re: (Score:2)
But PHP is not only for beginners. Of course they like it because you don't need 10 lines of code for a hello world. But it's still a nice language if you write your large web applications and is maybe easier to use than other languages that weren't made for the web.
Re: (Score:2)
Finding errors in C would likely be much harder, because typically you would need to analyse multiple lines of code to find them. A good start might be searching for strcpy(), but that'll give a lot of results with only a very small minority being exploitable. Whereas a use in PHP of $_POST without some kind of escaping function is highly likely to be an error.
Re: (Score:2)
To be fair, I'm sure some of those scripts [slashdot.org] aren't vulnerable. Some pages would have already checked the $_POST input for sanity before running the SQL. Also, for a while now PHP's default configuration has been to add slashes to $_POST/etc
Re: (Score:3, Insightful)
Yeah. This works right until somebody asks "how do I get rid of all those \'s that turn up in stuff?" and the answer is "oh, disable magic_quotes_gpc." I've seen it happen before, and I'm sure it'll happen again. Relying on particular settings being enabled for security reasons in a disaster waiting to happen.
Re: (Score:2)
If \' are turning up in stuff, then it means the script is doing its own addslashes or mysql_{real_}escape_string and hence wouldn't be vulnerable anyway. Of course, it's still a very bad coding practice, but my point was that not all the pages listed in that search page are vulnerable.
Re:Isn't the point of open source... (Score:4, Insightful)
Seems to me that it's NOT necessarily open source. Besides, Open Source isn't a magic bullet. "You found a bug in my open source app so you should fix it and upload a patch"... wow what a cop-out answer. If you think that anyone who uses any open source app is also a software developer... and a good one at that... well, no wonder Linux isn't more popular.
I agree that it'd be nice if this article were actually an article though...
Re: (Score:3, Interesting)
OSS Devlopers like control over their code. Even if you see and fix a bug, they're most likely to go over your code and use it as an example of how to fix their code, rather than just patch it in verbatim.
Re: (Score:2)
In the 90's I was working for IBM, the CEO made a speech and said "all software has been written, it just needs to be managed". All of the developers snickered, but the longer I stay in the bussiness the more it appears he was right.
I have a BSc in computer science and have been contracting as a C/C++ developer since 1991, I "specialize" in Windows
Re:Isn't the point of open source... (Score:4, Insightful)
That's one point. Another point is that if your company, for example, uses an open source application, you can hire someone to fix it instead of having to rely on the company that sells it.
Yet another point is transparency -- being able to know WHAT the software is really doing, instead of having to trust the company that sells it.
Re:Isn't the point of open source... (Score:5, Insightful)
Re:Isn't the point of open source... (Score:4, Interesting)
It's actually kinda funny (read: ironic.) My roommate works on Jaam (actually, my roommate and his boss *are* Jaam,) and according to him, he's allowed to know far more about Red aircraft than he is about Blue. Why? Because info on Red aircraft were obtained through spying or diplomacy, information about Blue aircraft is tightly controlled by the companies that make them.
And that's your daily dose of "our government is insane."
Re: (Score:2)
Meanwhile, what is 'Jaam'?
Re: (Score:2)
It's pretty much an aircraft simulator. Does simulations of dogfights and missles. Surface to Air, Air to Surface and Air to Air. That's pretty much all I know about it.
OSS - Theory vs. Reality (Score:5, Interesting)
I can't read code - it means absolutely nothing to me. So this whole point on OSS being transparent and knowing what the software really does, doesn't apply to me. Hell, if someone were to show me the source code to both Windows and Linux, I probably wouldn't even be able to tell which OS was which. All I care about is whether the software does what I need it to do; I don't plan on spending any evenings curled up to the fire reading source code.
So this leads us to the next pro-OSS argument, that if the program doesn't do what you want you can either make a solution or hire someone to do it for you. I've tried this (several times in fact), and it didn't work. Since I don't program I have to go out and hire someone to code the solution I want. Never mind that finding a coder can often be a royal pain, but each and every time not only has (or would have) it been more expensive to hire someone to code the solution, but it took longer than had I gone out and bought a commercial closed source package (or two) that did do what I want.
Lastly, I keep hearing how OSS programs are more nimble and should a bug or needed feature be identified, 'the community' will solve the problem much faster than a closed source solution. That may be for popular projects like Linux or Firefox, but in my experience I find the OSS programs to be less responsive to requests and needs than the closed source solutions.
As a scientist, I'm all for transparency and free flowing information. However, when push comes to shove, I need programs that work, and, while I really hate to say this, the OSS programs have always fallen short.
Re:OSS - Theory vs. Reality (Score:5, Interesting)
Her point was right on target - if we had the code, we could've easily contracted out fixing the program; it probably would've taken a competent programmer a couple hours to put the fix in and test it. But instead, we're stuck with a software package that's useless for many of the situations we wanted it for, unless the developer decides we're important enough to fix the software.
When this happened, I realized that the general public is becoming much more aware of the potential problems with closed-source software. For now it might just matter mostly to programmers, but sooner or later, it'll matter to a lot more people, too.
Re:OSS - Theory vs. Reality (Score:5, Interesting)
Just out of curiosity -- HAVE you contacted the developer asking for a fix? Just because its a closed-source solution you can't fix yourself, doesn't mean the vendor won't fix it if someone asks. Especially if its really as simple as a couple of hours (although there is always extra overhead, such as back-testing, etc.)
Disclaimer: I work for a closed-source software vendor, but we try very hard to meet the needs of all of our customers, so if they identify a critical issue we generally try to either find an acceptable work-around, or patch the code when possible. And (ideally) that would be done in such a way that you won't lose that fix when you upgrade. If you custom-fix your OSS solution, you either have to never upgrade, or patch every version that comes out; that seems to be a lot of long-term hassle.
Customer satisfaction is a big part of being a software vendor -- sure, you may be a small customer, but if my company is responsive to your needs then that builds good relations with you, and you may be an excellent referral source for us later (or become a larger customer yourself). That's a strong motivation for businesses that really care about their customers. And for professional-type products, buyers are more likely to pay extra for that good service.
Re: (Score:3, Insightful)
If you keep them happy, they are more likely to be repeat customers than to shop elsewhere, I'm told, because shopping is, itself, a cost to them [time, effort, risk
Re: (Score:2)
Re: (Score:2)
Unfortunately not all closed source vendors are as helpful to their customers as your company. I once dealt with a problem in a closed-source accounting package, which could not handle a fairly simple way of grouping items together to be sold (selling a specified set of items as a "kit" at a reduced price). I contac
Re: (Score:2)
I've had at least one case where I was able to strace a vendor library, figure out the problem, send them a detailed description of the problem and solution--it was an obvious problem in the arguments to bind(2), which basically narrowed it down to 1 line of code for them and they _should_ have b
Re: (Score:2)
I, and hundreds of others, have contacted ATI about their software, drivers, not working properly on Linux. The OSS drivers march quickly towards fixing the problem with no information from ATI. However, ATI is slow and seemingly uninterested in fixing the problems we tell them about.
Re: (Score:2)
You don't want to hire a software firm, you don't want to have the source, particularly. You want/need feature NNN. And that's where hosted software shines. It all comes down to motivation.
If you BUY software, there's little incentive for the developers to fix bugs in it - there's no money in it. But a hosted application has a very different dynamic - if they fix the bugs that are trou
Re: (Score:2)
Really? Ever use a Tivo? Ever go to a web site? How about Google? How about wikipedia? Do you have any idea how much BSD licensed code (math libraries, for example) might be running on your cell phone, your car stereo, etc?
People don't know it but open source is everywhere and it works great. Sure, you're not using an OSS spreadsheet or word processor, but that doesn'
Re: (Score:2)
I am a programmer and a system
Re: (Score:3, Insightful)
It is hard work.
Lots of people don't get that at all. Lots of management types assume that because person A wrote this code in a week that person B should be able to fix it in a week. Not true at all.
Sometimes it takes person B a week (or a month) to figure out what in the heck person A was doing. Open source is not immune to this. Hiring someone that was not involved in the original development of some random
Re: (Score:2)
Most people would say, HELL NO! Even though MOST people don't have
Welding the hood of the car shut (Score:2)
Ford is bragging how they boosted the EPA gas mileage of the Ford Focus by 10 percent (actually the highway rating of the manual transmission model -- the mileage improvement on other models and for the city rating was less) by updating the software in the ECM. Not only does the 2007 Focus have this improvement, but they are flashing the memories of 2006 models to get the same effect.
Now try making mods to your ECM for any purpose -- to boost gas mileage
The application program/systems program divide (Score:2)
One solutions is to have a divide between "applications programs" and "systems programs". Back in the day applications were written in Fortran while sys
Re: (Score:2)
I've come to believe that open source works if you're a programmer, but for the rest of the world the promises fall flat.
You haven't looking very far. Open source is used in millions of products.
I can't read code - it means absolutely nothing to me.
So what? It's the whole market that matters, not just you.
So this whole point on OSS being transparent and knowing what the software really does, doesn't apply to me.
It applies to anybody in a functioning free market who wants third parties to ver
Small correction (Score:2)
It will almost always be more expensive to hire someone to build you something than it would be to buy something already built. The prepackaged solution has already been paid for, and the developer is hoping that enough people will want to buy in to make them a profit. This is a good model for problems multiple people have. It doesn't work very well for individual issues.
A contractor doesn't care about how many peopl
Hardly pointless... (Score:2)
Are you that confident that such efforts are taking place?
OMG!!! (Score:2, Insightful)
Re: (Score:2, Insightful)
Experts say that by selling cars, car dealers are giving criminals a means to escape from the scene of a crime.
Re: (Score:1)
Re: (Score:2, Funny)
Re: (Score:2, Funny)
Tools can be used for evil purposes! News at 11!
My tool is only used for good.
Not earth-shattering (Score:4, Informative)
Someone [ihackstuff.com] has done pretty well out of the normal Google engine for this kind of "research".
They must have read Slashdot! (Score:5, Informative)
Slashdot readers beat 'em to it!
The previous story /. precipitated comments [slashdot.org] that did exactly that.
find and fix (Score:2)
This is major threat (Score:5, Insightful)
Re: (Score:2)
Re: (Score:1)
A: Because it breaks the flow of a message (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
A quite possible side effect of this is higher database load. Unlike kuro5hin, slashdot's threaded mode is completely useless, as trees with 50 posts are rendered as 50 lines with the same title, not giving the slightest indication of whether there might be something worth
Re: (Score:2)
A: Because it breaks the flow of a message.
Q: Why is top posting annoying?
Re: (Score:2)
With only a small handful of very rare exceptions, all security is implemented through obscurity. Passwords, keys, certificates, codes; even biometrics authentication can often be circumvented with the right knowledge.
The key to security is knowing what to use as your secret. A randomly-generated private key makes a better secret than an algorithm, especially when you publish an implementation of tha
Search is misuse?!? (Score:4, Insightful)
The same as with ordinary text (Score:5, Insightful)
Re: (Score:2)
And people used Google to search for... (Score:5, Interesting)
Absolute FUD (Score:4, Informative)
B.S.!
I've used Google search to find all sorts of code snippets over the years, particularly #define's for constants that Microsoft don't actually define anywhere on MSDN.
Re: (Score:2)
From the article:
Re: (Score:2)
Back in the day, being someone that 'asked the internet' for any non-trivial information was considered n00bish [computerjokes.net]. Now teh Intarweb is all-knowing and all-seeing[1].
It's as if not code-specific search is new:
These sites have been around a while (in Internet time) and specialize in source code search[2].
A good 3/5s of my help for people in Linux starts with Google'ing on error messages, #defines, and nam
Flash! Google finds stuff on Internet! (Score:2)
What else can one say, but DUH. If someone is stupid enough to leave their confidential files on a fucking web server, they won't be confidential for long. Google didn't create the problem. malicious hackers would probably have found them anyway, just now everyone else can.
You mean like this? (Score:1)
# XXX a hole you could drive a fucking bus through
my $method = $self->cgi->param('method') || 'hello';
Yeah, I'm sure no malicious mind ever knew about grep and had to wait on Google.
evolution (Score:5, Insightful)
Which is a good thing, if you realize bad environment also leads to evolution. More bugs exposed, the more developers will fix them, and maybe one day software designers will get it right, stop using insecure programming language, and write safer code.
Re:evolution (Score:5, Insightful)
No language offers 100% security. Some offer features that are easy to misuse in such a way as to inadvertently introduce security holes, but there is no such thing as a "secure" programming language; bad/inexperienced coders will produce dross whatever language they use.
politics, classical, but flawed (Score:2)
Imagine I'm a hacker ... (Score:3, Insightful)
blaming others for your mistakes (Score:5, Insightful)
The people that make the problems usually cry that the entire world needs to tell them about their mistakes in a nice quiet, private way, so they can silently fix them and avoid any unnecessary damage. The reality of this, as we have seen time and time again, is that when they are informed of these problems, so often they go ignored for months and months. And then the issue is finally leaked and they cry you didn't give us enough time! No, it was your fault to begin with, it doesn't matter if someone else made your mistake worse, none of this would have hapened without you screwing it up to begin with. This is how the world encourages you to try harder to get it right the first time instead of tossing us crap and fixing it later.
In summary, anyone that fights against auditing tools clearly has a quality control or security issue they are unwilling to fix and are afraid to have exposed.
(The whole model of "sell crap, fix later" is broken from the get-go. That's why we have crappy software hustled to the store in "version 1.0.0" form and have to beg the authors for bug fixes for the next half year. Problem is they already have your money, and that upgrade is free, so why should they pour resources into a 1.1 when there's no more money to be made? It's a losing proposition if you don't intend to release a paid 2.0 later, or if you think you can sucker them a second time)
Re: (Score:2)
Locks on doors. (Score:3, Interesting)
A lot of people are skeptical about the security risks of this. The general claim is that if it's up on the web, a) it can be found anyhow, and b) you should know that it's secure (or insecure).
True, however here is another way of looking at it.
Lets say I buy a brand of lock for my house, which is later to be defective. Perhaps I don't know about this defect, or I don't have the time or expertise to fix it quickly.
Then someone develops a technology that alerts burglars to which houses have that specific brand of lock.
Wouldn't that be cause for some concern?
I think code-searching for vulnerabilities is mildly concerning, even far beyond the usual methods that exist without code search. Note I said mildly. This isn't going to cause the catastrophic collapse of the Internet. It's just one more thing for people to be aware of and (hopefully) take action on.
Re: (Score:2)
Yeah, right (Score:2)
IDG Hatchet Job (Score:4, Informative)
So Robert McMillan of IDG digs up a small competitor to Google Code, who says actually publishing open source is bad. Of course, the point of open source is that anyone, not just motivated attackers, can inspect the source to reveal problems, and even fix them ourselves.
Fortify doesn't seem to offer GPL [google.com] or any other open source for its own product. But it does seem to publish its own version of Google Code's results [fortifysoftware.com]. Which any worthwhile reporter would have learned, if they wanted to tell us a story about the risks of open source, rather than a competitor's story of how "Google is Evil".
I call this FUD (Score:5, Insightful)
So the key target is to get access to as many machines as possible, to create spambots, to phish for information, in other words, the key target for attacks is the machine of the common man.
Now, which approach would be more fruitful? To find a neat exploit, find out which software contains it and then match it against the software usually used by Joe Average? Or to do it reverse, find out what Joe uses and find exploits in that software?
I think the recent revelation of buffer overflows in MS-Office and the Javascript exploit in the IE answers that question.
Pure FUD (Score:2, Informative)
You should be ready for it (Score:2)
'IT' just makes it easier to find what is already out there. I'd say good for Google, another good step to their goal of "indexing the world".
Google vs. (Koders|Krugle).com (Score:2)
Too bad one can't get Google code search on there, too, but you can imagine how far that graph curve would be.
Any tool is like this (Score:2)
Seriously, any "tool" is like this. You can do wonderful creative things with it. Or you can do nefarious evil with it. That doesn't make the availability of the tool wrong or undesirea
Like gcc and perl (Score:2)
From TFA: Code Search is "another tool that makes it a tad easier for the attacker,"
Like gcc and perl. Gee, those pesky tools. What do you know, personal computers are another tool that makes it a tad easer for the attacker too.
Obviously developers concerned with security should take note of any new and current tools available, but to create a tone like Google is providing a date rape drug for crackers is just raw fud propaganda.
Stupid title.. (Score:2, Informative)
thats what i did with it (Score:3, Interesting)
good (Score:3, Interesting)
Yes, and they are good implications. If a company lets proprietary, bug-infested source code leak onto the web, then they should have to deal with the consequences.
Google already indexes source code (Score:3, Interesting)
In other news (Score:2)
Re:I use it to find linux vunerbilities (Score:4, Funny)
So if Linux gets user friendly, it will drop to a 1% market share? Sounds like a reason to keep it not being user friendly!
Re: (Score:2)
You know, forget for a second that Synaptic has been around for a while, and is usually labeled 'Find new software' in most good distros.
Re:I use it to find linux vunerbilities (Score:4, Informative)
First: true for most cases. Linux Wifi support IS horribly lacking, but blame it on the vendors; we have to reverse engineer every chip that comes out, or use the windows driver.
Second: Patently not true for modern distros. Lite distros, that don't feel like adding the CURL drivers in, maybe, but I believe I've had an issue with exactly one printer on my laptop.
Third: Unbelievably not true. Not only does Linux itself handle USB drives seamlessly, but most distros automount it, and KDE automagically recognizes it and asks you what you want to do with it. You must've been playing with a complete shit distro. Or you're just lying through your ass. Either way, I call FUD.
Re: (Score:2)
Parent: Unbelievably not true. Not only does Linux itself handle USB drives seamlessly, but most distros automount it, and KDE automagically recognizes it and asks you what you want to do with it.
I just wanted to chime in that parent is correct. Recently a friend's laptop's main hard drive started to fail, so they put a new drive into it, but bought a USB enclosure for their original hard drive so they could get the data off of it. Interestingly, it refus
Re: (Score:2)
GNOME has the autoplay-type functionality these days as well, the CD burning stuff in the filemanager, etc etc.
I'll have to take a look at KDE again soon just so I can retch at the stupid configuration dialogs... but I understand both major environments have come a long way.
Re: (Score:2)
I realize that WiFi *drivers* exist and work well for Linux (not to mention the lovely ndiswrapper for unsupported cards). What I'm saying is that a very few distros handle WiFi in a nice, easy, card-agnostic plug-and-play GUI-spanking manner - which is what I mean by 'support'.
IE: Power users don't need support, they just need to know that it Can Be Done and access to Google. Normal users need the base system to handle it for them, and if it doesn't, they
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Only developers who cannot figure out how to use the normal windows install process for drivers have to resort to stupid yellow stickers.
it is possible to make Windows install your driver to any hardware without a driver which supports it once the driver is installed. Some drivers I have installed have done this for me automatically.
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:2)
Re:Playing with Google Code (Score:4, Interesting)
http://www.google.com/codesearch?hl=en&lr=&q=buff
http://www.google.com/codesearch?hl=en&lr=&q=%22c
http://www.google.com/codesearch?hl=en&lr=&q=%22I
http://www.google.com/codesearch?hl=en&lr=&q=%22n
http://www.google.com/codesearch?q=%22but+who+car