Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Find Use for Google Code Search

Posted by ryuzaki0 on from the thats-why-you-don't-comment-code dept.

An anonymous reader wrote in to say that "Google has inadvertently given online attackers a new tool. The company's new source-code search engine, unveiled Thursday as a tool to help simplify life for developers, can also be misused to search for software bugs, password information and even proprietary code that shouldn't have been posted to the Internet, security experts said Friday. "

11 of 176 comments (clear)

  1. And people used Google to search for... by The+MAZZTer · · Score: 4, Interesting

    "Powered by phpBB" in order to find phpBB boards that were vulnerable to an exploit to hack. This isn't exactly a new technique. Well ok I know it's not exactly the same thing but the idea is still the same.

  2. Locks on doors. by kafka47 · · Score: 2, Interesting

    A lot of people are skeptical about the security risks of this. The general claim is that if it's up on the web, a) it can be found anyhow, and b) you should know that it's secure (or insecure).

    True, however here is another way of looking at it.

    Lets say I buy a brand of lock for my house, which is later to be defective. Perhaps I don't know about this defect, or I don't have the time or expertise to fix it quickly.

    Then someone develops a technology that alerts burglars to which houses have that specific brand of lock.

    Wouldn't that be cause for some concern?

    I think code-searching for vulnerabilities is mildly concerning, even far beyond the usual methods that exist without code search. Note I said mildly. This isn't going to cause the catastrophic collapse of the Internet. It's just one more thing for people to be aware of and (hopefully) take action on.

    /K

  3. Re:Isn't the point of open source... by Fordiman · · Score: 2, Interesting

    Actually, the 'many eyes' paradigm is what brings about things like BugZilla.

    OSS Devlopers like control over their code. Even if you see and fix a bug, they're most likely to go over your code and use it as an example of how to fix their code, rather than just patch it in verbatim.

    --
    110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
  4. OSS - Theory vs. Reality by xplenumx · · Score: 4, Interesting
    I've come to believe that open source works if you're a programmer, but for the rest of the world the promises fall flat.

    I can't read code - it means absolutely nothing to me. So this whole point on OSS being transparent and knowing what the software really does, doesn't apply to me. Hell, if someone were to show me the source code to both Windows and Linux, I probably wouldn't even be able to tell which OS was which. All I care about is whether the software does what I need it to do; I don't plan on spending any evenings curled up to the fire reading source code.

    So this leads us to the next pro-OSS argument, that if the program doesn't do what you want you can either make a solution or hire someone to do it for you. I've tried this (several times in fact), and it didn't work. Since I don't program I have to go out and hire someone to code the solution I want. Never mind that finding a coder can often be a royal pain, but each and every time not only has (or would have) it been more expensive to hire someone to code the solution, but it took longer than had I gone out and bought a commercial closed source package (or two) that did do what I want.

    Lastly, I keep hearing how OSS programs are more nimble and should a bug or needed feature be identified, 'the community' will solve the problem much faster than a closed source solution. That may be for popular projects like Linux or Firefox, but in my experience I find the OSS programs to be less responsive to requests and needs than the closed source solutions.

    As a scientist, I'm all for transparency and free flowing information. However, when push comes to shove, I need programs that work, and, while I really hate to say this, the OSS programs have always fallen short.

  5. Re:Playing with Google Code by FhnuZoag · · Score: 3, Interesting

    Some search strings to try out:

    http://www.google.com/codesearch?hl=en&lr=&q=buffe r+%22should+be+enough%22&btnG=Search
    http://www.google.com/codesearch?hl=en&lr=&q=%22ca n+be+fixed+later%22&btnG=Search
    http://www.google.com/codesearch?hl=en&lr=&q=%22I+ don't+understand%22&btnG=Search
    http://www.google.com/codesearch?hl=en&lr=&q=%22no t+very+safe%22&btnG=Search
    http://www.google.com/codesearch?q=%22but+who+care s%22&btnG=Search+Code

  6. Re:Isn't the point of open source... by OmnipotentEntity · · Score: 3, Interesting

    In practice the US Military does this quite a bit, unfortunately.

    It's actually kinda funny (read: ironic.) My roommate works on Jaam (actually, my roommate and his boss *are* Jaam,) and according to him, he's allowed to know far more about Red aircraft than he is about Blue. Why? Because info on Red aircraft were obtained through spying or diplomacy, information about Blue aircraft is tightly controlled by the companies that make them.

    And that's your daily dose of "our government is insane."

    --
    "Build a man a fire warm him for a day, set a man on fire and warm him for the rest of his life."
  7. Re:OSS - Theory vs. Reality by Skater · · Score: 4, Interesting

    I ran into a situation at work recently where we (note, we're statisticians, not programmers) discovered firsthand the value of having the source code to a piece of software. A proprietary program we purchased was calculating a value incorrectly because it wasn't taking a certain factor into account that most people don't need, and there was no way to get it to do that. My boss' comment: "And we can't fix it because we don't have the code."

    Her point was right on target - if we had the code, we could've easily contracted out fixing the program; it probably would've taken a competent programmer a couple hours to put the fix in and test it. But instead, we're stuck with a software package that's useless for many of the situations we wanted it for, unless the developer decides we're important enough to fix the software.

    When this happened, I realized that the general public is becoming much more aware of the potential problems with closed-source software. For now it might just matter mostly to programmers, but sooner or later, it'll matter to a lot more people, too.

  8. Re:OSS - Theory vs. Reality by Draknor · · Score: 4, Interesting

    Her point was right on target - if we had the code, we could've easily contracted out fixing the program; it probably would've taken a competent programmer a couple hours to put the fix in and test it. But instead, we're stuck with a software package that's useless for many of the situations we wanted it for, unless the developer decides we're important enough to fix the software.

    Just out of curiosity -- HAVE you contacted the developer asking for a fix? Just because its a closed-source solution you can't fix yourself, doesn't mean the vendor won't fix it if someone asks. Especially if its really as simple as a couple of hours (although there is always extra overhead, such as back-testing, etc.)

    Disclaimer: I work for a closed-source software vendor, but we try very hard to meet the needs of all of our customers, so if they identify a critical issue we generally try to either find an acceptable work-around, or patch the code when possible. And (ideally) that would be done in such a way that you won't lose that fix when you upgrade. If you custom-fix your OSS solution, you either have to never upgrade, or patch every version that comes out; that seems to be a lot of long-term hassle.

    Customer satisfaction is a big part of being a software vendor -- sure, you may be a small customer, but if my company is responsive to your needs then that builds good relations with you, and you may be an excellent referral source for us later (or become a larger customer yourself). That's a strong motivation for businesses that really care about their customers. And for professional-type products, buyers are more likely to pay extra for that good service.

  9. thats what i did with it by jnf · · Score: 2, Interesting

    When I first saw the link about google code, I was in the process of attempting to find software that used a certain function that is vulnerable in a popular scripting language. This was remarkably difficult using just 'regular' google, even though it really shouldn't have been. However, then google code came out and poof I used it to look for code using the vulnerable function, and I found a lot.

  10. good by oohshiny · · Score: 2, Interesting

    Security experts say that the security implications of Google Code Search are noteworthy, if not earth-shattering.

    Yes, and they are good implications. If a company lets proprietary, bug-infested source code leak onto the web, then they should have to deal with the consequences.

  11. Google already indexes source code by fluor2 · · Score: 2, Interesting

    The only difference for google code search and normal code search is that you can search for special characters that one normally cannot in google standard search. but thousands of people have already used google for searching code by just trying to limit their search by using words like "int long public" etc so nothing is new here, except that we now can search using e.g. php $variables, wheras the $-sign is ignored unless you use google code search.