Slashdot Mirror


Hackers Find Use for Google Code Search

An anonymous reader wrote in to say that "Google has inadvertently given online attackers a new tool. The company's new source-code search engine, unveiled Thursday as a tool to help simplify life for developers, can also be misused to search for software bugs, password information and even proprietary code that shouldn't have been posted to the Internet, security experts said Friday."

10 of 176 comments

  1. Not earth-shattering by adnonsense · · Score: 3, Informative

    Someone has done pretty well out of the normal Google engine for this kind of "research".

  2. They must have read Slashdot! by kafka47 · · Score: 4, Informative

    Slashdot readers beat 'em to it!

    The previous story /. precipitated comments that did exactly that.

  3. Absolute FUD by scdeimos · · Score: 3, Informative

    The article talks about how easy it is to use Google Codesearch and goes further to suggest that the regular search can't be used to find code.

    B.S.!

    I've used Google search to find all sorts of code snippets over the years, particularly #define's for constants that Microsoft don't actually define anywhere on MSDN.

  4. Re:Isn't the point of open source... by julesh · · Score: 4, Informative

    But it is that easy. Back in the original Slashdot article concerning the search tool, somebody posted a link to a result page that included a rather large number of PHP scripts that were vulnerable to SQL injections. Other common flaws should also be easy to search for.

    The problem is, not all developers perform this kind of search over their code. They may not even be aware that it's helpful.

  5. IDG Hatchet Job by Doc+Ruby · · Score: 3, Informative

    "The downside is that you could also use that kind of search to look for things that are vulnerable and then guess who might have used that code snippet and then just fire away at it," says Mike Armistead, vice president of products with source-code analysis provider Fortify Software.

    So Robert McMillan of IDG digs up a small competitor to Google Code, who says actually publishing open source is bad. Of course, the point of open source is that anyone, not just motivated attackers, can inspect the source to reveal problems, and even fix them ourselves.

    Fortify doesn't seem to offer GPL or any other open source for its own product. But it does seem to publish its own version of Google Code's results. Which any worthwhile reporter would have learned, if they wanted to tell us a story about the risks of open source, rather than a competitor's story of how "Google is Evil".
    --
    make install -not war

  6. Pure FUD by SwashbucklingCowboy · · Score: 2, Informative

    Both Krugle and Koders already offered open source search services. Google isn't offering anything new.

  7. Re:I use it to find linux vulnerabilities by Fordiman · · Score: 3, Informative

    "i plug in a USB wireless card and nothing happens, i plug in a USB printer, nothing happens, i plug in a USB stick nothing happens,"

    First: true for most cases. Linux Wifi support IS horribly lacking, but blame it on the vendors; we have to reverse engineer every chip that comes out, or use the Windows driver.

    Second: Patently not true for modern distros. Lite distros, that don't feel like adding the CURL drivers in, maybe, but I believe I've had an issue with exactly one printer on my laptop.

    Third: Unbelievably not true. Not only does Linux itself handle USB drives seamlessly, but most distros automount it, and KDE automagically recognizes it and asks you what you want to do with it. You must've been playing with a complete shit distro. Or you're just lying through your ass. Either way, I call FUD.

    --
    110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1

  8. Re:Playing with Google Code by Anonymous Coward · · Score: 1, Informative

    When I read this article, I went to code.google.com and tried it out for myself.

    Ok, now go to what the article is actually referring to here - http://www.google.com/codesearch

  9. Stupid title.. by lunadog · · Score: 2, Informative

    It's designed to be of use to hackers! It's the crackers I would be worried about!

  10. Re:I use it to find linux vulnerabilities by drinkypoo · · Score: 2, Informative

    Well, let me give the long form. You buy hardware. Windows has no driver. You connect hardware. Windows tells you to go fuck yourself. You put in the CD. You install the driver. Now, one of two things happens. Either you have to disconnect/reconnect the device or otherwise kickstart the driver install (perhaps doing it manually from device mangler.) Or, if the people who wrote/packaged the driver are one bit clueful, the driver install is kicked off for you automatically, without having to do anything else.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"