Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Find Use for Google Code Search

Posted by ryuzaki0 on from the thats-why-you-don't-comment-code dept.

An anonymous reader wrote in to say that "Google has inadvertently given online attackers a new tool. The company's new source-code search engine, unveiled Thursday as a tool to help simplify life for developers, can also be misused to search for software bugs, password information and even proprietary code that shouldn't have been posted to the Internet, security experts said Friday. "

11 of 176 comments (clear)

  1. Isn't the point of open source... by strider44 · · Score: 5, Insightful

    Isn't the point of open source that anyone can fix the programs? If it can be used by attackers it can also be used by developers. This is a pretty pointless article anyway as it's not that easy to find security holes in programs - if it was that easy then the developers would have patched up the holes already.

    1. Re:Isn't the point of open source... by Bing+Tsher+E · · Score: 5, Insightful

      True but by making it easy for third-parties to search for this problematic code, it can hopefully be fixed and the original coders notified, before the faulty code is melded into the 'code infrastruture' deeply and in ways that make it more difficult to fix.

    2. Re:Isn't the point of open source... by asylumx · · Score: 4, Insightful
      From the summary:
      ...even proprietary code that shouldn't have been posted to the Internet...


      Seems to me that it's NOT necessarily open source. Besides, Open Source isn't a magic bullet. "You found a bug in my open source app so you should fix it and upload a patch"... wow what a cop-out answer. If you think that anyone who uses any open source app is also a software developer... and a good one at that... well, no wonder Linux isn't more popular.

      I agree that it'd be nice if this article were actually an article though...
    3. Re:Isn't the point of open source... by Fordiman · · Score: 4, Insightful

      "Never ever trust your fate to a black box when you are unaware of its contents" - the US Military.

      --
      110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
  2. This is major threat by c0l0 · · Score: 5, Insightful

    only to those whose "security" in reality consists of not much - or even nothing - more than obscurity.

    --
    :%s/Open Source/Free Software/g

    YTARY!
  3. Search is misuse?!? by zecg · · Score: 4, Insightful

    How is searching for something misuse of the search engine? I'd say that the Internet was misused by those who made the information public in the first place.

    --
    .i lu doi ringos.star. xu do puku'aroroi dunli dopecaku leni virnu li'u
  4. The same as with ordinary text by Bromskloss · · Score: 4, Insightful

    If you accidentally put something publicly available on a web page, it can be found, manually or by a search engine. This is really no different from how it has always been with text, images and anything else that you can put on the web.

    --
    Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
  5. evolution by doti · · Score: 4, Insightful

    I think previous posters got it wrong. They say the cracker access to the code is just as easy as anyone else's who can fix it. But a developer looks only for the code he's involved to, while the cracker is looking for any exploitable program. That, and although coders eventually search for security holes, he's goal is to build features. So, it indeed is making it easier for the crackers.

    Which is a good thing, if you realize bad environment also leads to evolution. More bugs exposed, the more developers will fix them, and maybe one day software designers will get it right, stop using insecure programming language, and write safer code.

    --
    factor 966971: 966971
    1. Re:evolution by Tim+C · · Score: 4, Insightful

      stop using insecure programming language

      No language offers 100% security. Some offer features that are easy to misuse in such a way as to inadvertently introduce security holes, but there is no such thing as a "secure" programming language; bad/inexperienced coders will produce dross whatever language they use.

      --
      It's official. Most of you are morons.
  6. blaming others for your mistakes by v1 · · Score: 5, Insightful

    People need to stop blaming those that provide tools and research for their finding or their ability to find bugs and errors. It's not their fault. If you screw up and someone finds it, it's not their fault, it's yours. Take responsibility and deal with the consequences.

    The people that make the problems usually cry that the entire world needs to tell them about their mistakes in a nice quiet, private way, so they can silently fix them and avoid any unnecessary damage. The reality of this, as we have seen time and time again, is that when they are informed of these problems, so often they go ignored for months and months. And then the issue is finally leaked and they cry you didn't give us enough time! No, it was your fault to begin with, it doesn't matter if someone else made your mistake worse, none of this would have hapened without you screwing it up to begin with. This is how the world encourages you to try harder to get it right the first time instead of tossing us crap and fixing it later.

    In summary, anyone that fights against auditing tools clearly has a quality control or security issue they are unwilling to fix and are afraid to have exposed.

    (The whole model of "sell crap, fix later" is broken from the get-go. That's why we have crappy software hustled to the store in "version 1.0.0" form and have to beg the authors for bug fixes for the next half year. Problem is they already have your money, and that upgrade is free, so why should they pour resources into a 1.1 when there's no more money to be made? It's a losing proposition if you don't intend to release a paid 2.0 later, or if you think you can sucker them a second time)

    --
    I work for the Department of Redundancy Department.
  7. I call this FUD by Opportunist · · Score: 4, Insightful

    Today's "hacks" mostly go for widely spread software. Why? Simple. For maximum impact. There are, of course, still targetted attacks, but those targets tend to be machines and nets of high interest for the hackers. If you use insecure software there, you earned that hack well.

    So the key target is to get access to as many machines as possible, to create spambots, to phish for information, in other words, the key target for attacks is the machine of the common man.

    Now, which approach would be more fruitful? To find a neat exploit, find out which software contains it and then match it against the software usually used by Joe Average? Or to do it reverse, find out what Joe uses and find exploits in that software?

    I think the recent revelation of buffer overflows in MS-Office and the Javascript exploit in the IE answers that question.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.