Hackers Find Use for Google Code Search
An anonymous reader wrote in to say that "Google has inadvertently given online attackers a new tool. The company's new source-code search engine, unveiled Thursday as a tool to help simplify life for developers, can also be misused to search for software bugs, password information and even proprietary code that shouldn't have been posted to the Internet, security experts said Friday."
Isn't the point of open source... (Score:5, Insightful)
OMG!!! (Score:2, Insightful)
This is major threat (Score:5, Insightful)
Re:OMG!!! (Score:2, Insightful)
Experts say that by selling cars, car dealers are giving criminals a means to escape from the scene of a crime.
Search is misuse?!? (Score:4, Insightful)
The same as with ordinary text (Score:5, Insightful)
evolution (Score:5, Insightful)
Which is a good thing, if you realize a bad environment also leads to evolution. The more bugs exposed, the more developers will fix them, and maybe one day software designers will get it right, stop using insecure programming languages, and write safer code.
Imagine I'm a hacker ... (Score:3, Insightful)
Re:Isn't the point of open source... (Score:5, Insightful)
blaming others for your mistakes (Score:5, Insightful)
The people that make the problems usually cry that the entire world needs to tell them about their mistakes in a nice quiet, private way, so they can silently fix them and avoid any unnecessary damage. The reality of this, as we have seen time and time again, is that when they are informed of these problems, so often they go ignored for months and months. And then the issue is finally leaked and they cry "you didn't give us enough time!" No, it was your fault to begin with; it doesn't matter if someone else made your mistake worse, none of this would have happened without you screwing it up to begin with. This is how the world encourages you to try harder to get it right the first time instead of tossing us crap and fixing it later.
In summary, anyone that fights against auditing tools clearly has a quality control or security issue they are unwilling to fix and are afraid to have exposed.
(The whole model of "sell crap, fix later" is broken from the get-go. That's why we have crappy software hustled to the store in "version 1.0.0" form and have to beg the authors for bug fixes for the next half year. Problem is they already have your money, and that upgrade is free, so why should they pour resources into a 1.1 when there's no more money to be made? It's a losing proposition if you don't intend to release a paid 2.0 later, or if you think you can sucker them a second time)
Re:Isn't the point of open source... (Score:4, Insightful)
Seems to me that it's NOT necessarily open source. Besides, Open Source isn't a magic bullet. "You found a bug in my open source app so you should fix it and upload a patch"... wow what a cop-out answer. If you think that anyone who uses any open source app is also a software developer... and a good one at that... well, no wonder Linux isn't more popular.
I agree that it'd be nice if this article were actually an article though...
Re:Isn't the point of open source... (Score:4, Insightful)
That's one point. Another point is that if your company, for example, uses an open source application, you can hire someone to fix it instead of having to rely on the company that sells it.
Yet another point is transparency -- being able to know WHAT the software is really doing, instead of having to trust the company that sells it.
I call this FUD (Score:5, Insightful)
So the key target is to get access to as many machines as possible, to create spambots, to phish for information, in other words, the key target for attacks is the machine of the common man.
Now, which approach would be more fruitful? To find a neat exploit, find out which software contains it and then match it against the software usually used by Joe Average? Or to do it reverse, find out what Joe uses and find exploits in that software?
I think the recent revelation of buffer overflows in MS-Office and the Javascript exploit in IE answers that question.
Re:Isn't the point of open source... (Score:5, Insightful)
Re:Isn't the point of open source... (Score:4, Insightful)
And you're surprised? Go to any site trying to teach programming in PHP and you'll likely find tons of vulnerable code. There seem to be very few PHP "programmers" who actually know anything about programming, let alone security. Most just copy from others (who copied from someone else, ad nauseam) and tweak. It will be quite a while before the amount of "secure" PHP code out there on the internet reaches critical mass.
Re:evolution (Score:5, Insightful)
No language offers 100% security. Some offer features that are easy to misuse in such a way as to inadvertently introduce security holes, but there is no such thing as a "secure" programming language; bad/inexperienced coders will produce dross whatever language they use.
A: Because it breaks the flow of a message (Score:3, Insightful)
Re:Isn't the point of open source... (Score:3, Insightful)
Re:OSS - Theory vs. Reality (Score:3, Insightful)
If you keep them happy, they are more likely to be repeat customers than to shop elsewhere, I'm told, because shopping is, itself, a cost to them [time, effort, risk].
Of course this depends a bit on the product... Music sellers know that music fans are fickle, and some businesses thrive on variety of choice [clothing?*], but software and computer gear vendors probably benefit more from maintaining current customers than marketing to find new ones to replace them.
In the context of your company, then, this advice suggests that you should keep them happy and make the changes they want, if it seems cost effective, taking into account the potential cost of replacing that customer.
In other words, it's not just the chance of referrals that make customers worth keeping. Even users whose needs are met can be pretty bitchy about software -- we can all relate to being angry at our tools -- so referrals might not be the best reason to value your current clients.
But since they are more likely to buy again from you, and since you don't have to spend marketing dollars to get them to make that first purchase decision, they are valuable for those reasons.
*I use the question mark because, as a computer geek and gearhead, I don't really know or care much about clothes.
Re:OSS - Theory vs. Reality (Score:3, Insightful)
It is hard work.
Lots of people don't get that at all. Lots of management types assume that because person A wrote this code in a week that person B should be able to fix it in a week. Not true at all.
Sometimes it takes person B a week (or a month) to figure out what in the heck person A was doing. Open source is not immune to this. Hiring someone that was not involved in the original development of some random open-source project of moderate complexity can be an exercise in training the person in the coding style and knowledge of the original developer. Having the source is not understanding the source, or even being able to fix problems in it. As a general rule, if you don't know what you are doing trying to "fix" something is far more likely to cause problems than it is to actually fix the original problem.
Re:Isn't the point of open source... (Score:3, Insightful)
Re:Isn't the point of open source... (Score:3, Insightful)
Yeah. This works right until somebody asks "how do I get rid of all those \'s that turn up in stuff?" and the answer is "oh, disable magic_quotes_gpc." I've seen it happen before, and I'm sure it'll happen again. Relying on particular settings being enabled for security reasons is a disaster waiting to happen.
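The failure mode the comment above describes, as an added example that is not from the thread: a query that is only safe while magic_quotes_gpc happens to be on, next to a version that does not depend on any php.ini setting. It assumes a mysqli connection `$db` and a table `users(name, email)`, both hypothetical.

```php
<?php
// Added example (not from the thread). Assumes a MySQL table users(name, email)
// reachable through $db, a mysqli connection created elsewhere.

// Legacy pattern the comment warns about: this query is only "safe" while
// magic_quotes_gpc is on and escaping every quote in $_GET for you. Turn the
// setting off (or run on PHP >= 5.4, where it no longer exists) and the same
// code becomes a plain SQL injection.
function findUserLegacy(mysqli $db, string $name): ?array
{
    $sql = "SELECT name, email FROM users WHERE name = '$name'";
    $result = $db->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// Hardened version: a prepared statement sends the value separately from the
// query text, so correctness no longer depends on php.ini. If magic quotes
// are on anyway, their backslashes are stripped first so the stored value is
// not double-escaped.
function findUserSafe(mysqli $db, string $name): ?array
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $name = stripslashes($name);
    }
    $stmt = $db->prepare('SELECT name, email FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed input: a name containing an apostrophe. With magic quotes on it
// reaches findUserLegacy as O\'Brien and the query still parses; with magic
// quotes off, the bare apostrophe breaks the quoted literal and the query
// structure is now controlled by the request.
$name = $_GET['name'] ?? "O'Brien";
$user = findUserSafe($db, $name);
```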