Hackers Find Use for Google Code Search
An anonymous reader wrote in to say that "Google has inadvertently given online attackers a new tool. The company's new source-code search engine, unveiled Thursday as a tool to help simplify life for developers, can also be misused to search for software bugs, password information and even proprietary code that shouldn't have been posted to the Internet, security experts said Friday."
Linux needs to get its act together
Linux is *not* user friendly, and until it is linux will stay with >1% marketshare.
Take installation. Linux zealots are now saying "oh installing is so easy, just do apt-get install package or emerge package": Yes, because typing in "apt-get" or "emerge" makes so much more sense to new users than double-clicking an icon that says "setup".
Linux zealots are far too forgiving when judging the difficulty of Linux configuration issues and far too harsh when judging the difficulty of Windows configuration issues. Example comments:
User: "How do I get Quake 3 to run in Linux?"
Zealot: "Oh that's easy! If you have Redhat, you have to download quake_3_rh_8_i686_010203_glibc.bin, then do chmod +x on the file. Then you have to su to root, make sure you type export LD_ASSUME_KERNEL=2.2.5 but ONLY if you have that latest libc6 installed. If you don't, don't set that environment variable or the installer will dump core. Before you run the installer, make sure you have the GL drivers for X installed. Get them at [some obscure web address], chmod +x the binary, then run it, but make sure you have at least 10MB free in /tmp or the installer will dump core. After the installer is done, edit /etc/X11/XF86Config and add a section called "GL" and put "driver nv" in it. Make sure you have the latest version of X and Linux kernel 2.6 or else X will segfault when you start. OK, run the Quake 3 installer and make sure you set the proper group and setuid permissions on quake3.bin. If you want sound, look here [link to another obscure web site], which is a short HOWTO on how to get sound in Quake 3. That's all there is to it!"
User: "How do I get Quake 3 to run in Windows?"
Zealot: "Oh God, I had to install Quake 3 in Windoze for some lamer friend of mine! God, what a fucking mess! I put in the CD and it took about 3 minutes to copy everything, and then I had to reboot the fucking computer! Jesus Christ! What a retarded operating system!"
So, I guess the point I'm trying to make is that what seems easy and natural to Linux geeks is definitely not what regular people consider easy and natural. Hence, the preference towards Windows.
Isn't the point of open source that anyone can fix the programs? If it can be used by attackers it can also be used by developers. This is a pretty pointless article anyway as it's not that easy to find security holes in programs - if it was that easy then the developers would have patched up the holes already.
Duped fucking post!
Do not even bother with this flamebait shit.
Tools can be used for evil purposes! News at 11!
Someone has done pretty well out of the normal Google engine for this kind of "research".
Slashdot readers beat 'em to it!
The previous story /. precipitated comments that did exactly that.
Since it is easier for everybody to find bugs and vulnerabilities, it is now easier to fix them. Relying on the fact that your source code hides in some corner of a CVS repository where nobody really wants to casually go is just a lesser form of security by obfuscation. Would you rather have truly secure software or software that only seems to be secure?
"This is a pretty pointless article anyway as it's not that easy to find security holes in programs - if it was that easy then the developers would have patched up the holes already."
Microsoft agrees with you.
- Google launches a search tool, which makes it easier to search through every piece of code posted on the internet.
- Some retarded news reporter sees the launch, and figures "this is an easy way to make a frontpage headliner"
- Bingo you have your frontpage story "Hackers Find Use for Google Code Search"
In short, why is this even news? Wouldn't every hacker, from the guy sitting in his basement hacking on some *BSD code to the guy in his million dollar house hacking on some Linux code, find a tool like this useful, when looking for some code that isn't satisfactory. I guess the news in it is that someone also found out google code search makes the comments and examples in the code available...only to those whose "security" in reality consists of not much - or even nothing - more than obscurity.
:%s/Open Source/Free Software/g
YTARY!
How is searching for something misuse of the search engine? I'd say that the Internet was misused by those who made the information public in the first place.
If you accidentally put something publicly available on a web page, it can be found, manually or by a search engine. This is really no different from how it has always been with text, images and anything else that you can put on the web.
The only job these people have is profiting from the poor coding ability of most programmers, despicable.
"Powered by phpBB" in order to find phpBB boards that were vulnerable to an exploit to hack. This isn't exactly a new technique. Well ok I know it's not exactly the same thing but the idea is still the same.
The article talks about how easy it is to use Google Codesearch and goes further to suggest that the regular search can't be used to find code.
B.S.!
I've used Google search to find all sorts of code snippets over the years, particularly #define's for constants that Microsoft don't actually define anywhere on MSDN.
What else can one say, but DUH. If someone is stupid enough to leave their confidential files on a fucking web server, they won't be confidential for long. Google didn't create the problem. Malicious hackers would probably have found them anyway, just now everyone else can.
my $self = shift;
# XXX a hole you could drive a fucking bus through
my $method = $self->cgi->param('method') || 'hello';
Yeah, I'm sure no malicious mind ever knew about grep and had to wait on Google.
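The quoted snippet takes a method name straight from the request, which matters because Perl will call whatever method that string names. The script below is an added example (not code from the thread or from the application the snippet came from) that shows the risky dispatch beside an allowlisted version; the CGI object and the Handler class are hypothetical stand-ins so it runs offline.

```perl
#!/usr/bin/perl
# Added example: user-controlled method dispatch versus an explicit allowlist.
# FakeCGI and Handler are hypothetical stand-ins, not CGI.pm or real app code.
use strict;
use warnings;

package FakeCGI;                 # minimal stand-in for the cgi object's param()
sub new   { my ($class, %p) = @_; return bless { %p }, $class }
sub param { my ($self, $k) = @_; return $self->{$k} }

package Handler;
sub new   { my ($class, $cgi) = @_; return bless { cgi => $cgi }, $class }
sub cgi   { return $_[0]->{cgi} }

# Actions the application intends to expose to requests.
sub hello   { return 'hello' }
sub goodbye { return 'goodbye' }
# Internal housekeeping that should never be reachable from a request.
sub internal_reset { return 'RESET' }

# Risky pattern (same shape as the quoted snippet): the request picks the
# method, so any method on the object, internal_reset included, can be run.
sub dispatch_unchecked {
    my $self   = shift;
    my $method = $self->cgi->param('method') || 'hello';
    return $self->$method();
}

# Hardened pattern: the request value is only a key into an allowlist of
# code refs; unknown or internal names fall back to the default action.
my %ALLOWED = (
    hello   => \&hello,
    goodbye => \&goodbye,
);

sub dispatch_allowlisted {
    my $self    = shift;
    my $wanted  = $self->cgi->param('method') // 'hello';
    my $handler = $ALLOWED{$wanted} || $ALLOWED{hello};
    return $self->$handler();   # $obj->$coderef() calls $coderef->($obj)
}

package main;

# Constructed request values: a public action, an internal one, and junk.
for my $name ('goodbye', 'internal_reset', 'no_such_method') {
    my $h = Handler->new(FakeCGI->new(method => $name));
    my $unchecked = eval { $h->dispatch_unchecked() } // 'error (no such method)';
    printf "%-15s unchecked=%-25s allowlisted=%s\n",
        $name, $unchecked, $h->dispatch_allowlisted();
}
```

Only the allowlisted dispatcher keeps internal_reset out of reach; the unchecked one runs it as soon as the request names it.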
I think previous posters got it wrong. They say the cracker access to the code is just as easy as anyone else's who can fix it. But a developer looks only for the code he's involved in, while the cracker is looking for any exploitable program. That, and although coders eventually search for security holes, his goal is to build features. So, it indeed is making it easier for the crackers.
Which is a good thing, if you realize bad environment also leads to evolution. The more bugs exposed, the more developers will fix them, and maybe one day software designers will get it right, stop using insecure programming languages, and write safer code.
This whole thing smells really bad. Meaning: we know our products suck, people know what we tell them, and it's good for us this way. If somebody makes them possible with some tools to find out anything about what we don't want to tell them, that's bad for us. Even if they could find out these things without using those tools, it's good for us they have those tools since now we have somebody to blame. Either way, we win.
I know my way around code pretty well. While poring through some source code I discover a code snippet with a particular vulnerability that I can exploit. Now if only I had a way to see if this same snippet appeared in other applications. I guess I'll have to wait for Google to introduce a source code search mechanism before I can figure that out. Bummer.
People need to stop blaming those that provide tools and research for their finding or their ability to find bugs and errors. It's not their fault. If you screw up and someone finds it, it's not their fault, it's yours. Take responsibility and deal with the consequences.
The people that make the problems usually cry that the entire world needs to tell them about their mistakes in a nice quiet, private way, so they can silently fix them and avoid any unnecessary damage. The reality of this, as we have seen time and time again, is that when they are informed of these problems, so often they go ignored for months and months. And then the issue is finally leaked and they cry you didn't give us enough time! No, it was your fault to begin with, it doesn't matter if someone else made your mistake worse, none of this would have happened without you screwing it up to begin with. This is how the world encourages you to try harder to get it right the first time instead of tossing us crap and fixing it later.
In summary, anyone that fights against auditing tools clearly has a quality control or security issue they are unwilling to fix and are afraid to have exposed.
(The whole model of "sell crap, fix later" is broken from the get-go. That's why we have crappy software hustled to the store in "version 1.0.0" form and have to beg the authors for bug fixes for the next half year. Problem is they already have your money, and that upgrade is free, so why should they pour resources into a 1.1 when there's no more money to be made? It's a losing proposition if you don't intend to release a paid 2.0 later, or if you think you can sucker them a second time)
A lot of people are skeptical about the security risks of this. The general claim is that if it's up on the web, a) it can be found anyhow, and b) you should know that it's secure (or insecure).
True, however here is another way of looking at it.
Let's say I buy a brand of lock for my house, which is later found to be defective. Perhaps I don't know about this defect, or I don't have the time or expertise to fix it quickly.
Then someone develops a technology that alerts burglars to which houses have that specific brand of lock.
Wouldn't that be cause for some concern?
I think code-searching for vulnerabilities is mildly concerning, even far beyond the usual methods that exist without code search. Note I said mildly. This isn't going to cause the catastrophic collapse of the Internet. It's just one more thing for people to be aware of and (hopefully) take action on.
What do you mean, "inadvertently"? :)
http://google.com/codesearch?hl=en&lr=&q=mysql_connect%5C(%22%5B%5E1%5D%5B0-9%5D%7B1%2C2%7D
Bonus points if you can find the one with 35 million AOL addresses in it!
So Robert McMillan of IDG digs up a small competitor to Google Code, who says actually publishing open source is bad. Of course, the point of open source is that anyone, not just motivated attackers, can inspect the source to reveal problems, and even fix them ourselves.
Fortify doesn't seem to offer GPL or any other open source for its own product. But it does seem to publish its own version of Google Code's results. Which any worthwhile reporter would have learned, if they wanted to tell us a story about the risks of open source, rather than a competitor's story of how "Google is Evil".
This is a fact of the information age.
Today's "hacks" mostly go for widely spread software. Why? Simple. For maximum impact. There are, of course, still targeted attacks, but those targets tend to be machines and nets of high interest for the hackers. If you use insecure software there, you earned that hack well.
So the key target is to get access to as many machines as possible, to create spambots, to phish for information, in other words, the key target for attacks is the machine of the common man.
Now, which approach would be more fruitful? To find a neat exploit, find out which software contains it and then match it against the software usually used by Joe Average? Or to do it reverse, find out what Joe uses and find exploits in that software?
I think the recent revelation of buffer overflows in MS-Office and the Javascript exploit in the IE answers that question.
This is a pointless article only if you assume that "anyone" is spending the same time and effort looking for flaws as the hackers, let alone fixing them.
Are you that confident that such efforts are taking place?
Both Krugle and Koders already offered open source search services. Google isn't offering anything new.
When I read this article, I went to code.google.com and tried it out for myself.
It seems to me that they are just indexing open source projects and presenting a rather nice interface for it. In my opinion, it seems more like a meta sourceforge that finds OSS projects from all over the web by searching for projects that make their VCS publicly available. If a closed source company has its VCS publicly accessible, then they've already done their own damage.
I've recently been searching high-and-low for a decent open-source knowledge base application that I can implement for our IT department at work. This search has been complicated by the fact that so many open source projects have a knowledge base about their products, so I get a lot of false positives in my searches. As code.google.com indexes more and more projects, I am hoping it might just be of help in that particular task, since it is indexing the project descriptions specifically.
Like any other tool, code.google.com is not evil, but its manner of usage may make it so. Do we ban hammers and kitchen knives because they can be used to injure or kill? I think not. Anyway, "code.google.com makes it easier for an attacker to find a bug or exploit" is only true for small values of "easier". Think about it... if someone has the knowledge to review source code and find the bugs and create an exploit, then they were already probably smart enough to use existing google (and other search engine) tools to find what they needed. Your average script kiddie is going to be looking for an exploit handed to them on a silver platter, not to actually have to figure out an exploit on their own.
Just my $0.02
I can't read code - it means absolutely nothing to me. So this whole point on OSS being transparent and knowing what the software really does, doesn't apply to me. Hell, if someone were to show me the source code to both Windows and Linux, I probably wouldn't even be able to tell which OS was which. All I care about is whether the software does what I need it to do; I don't plan on spending any evenings curled up to the fire reading source code.
So this leads us to the next pro-OSS argument, that if the program doesn't do what you want you can either make a solution or hire someone to do it for you. I've tried this (several times in fact), and it didn't work. Since I don't program I have to go out and hire someone to code the solution I want. Never mind that finding a coder can often be a royal pain, but each and every time not only has (or would have) it been more expensive to hire someone to code the solution, but it took longer than had I gone out and bought a commercial closed source package (or two) that did do what I want.
Lastly, I keep hearing how OSS programs are more nimble and should a bug or needed feature be identified, 'the community' will solve the problem much faster than a closed source solution. That may be for popular projects like Linux or Firefox, but in my experience I find the OSS programs to be less responsive to requests and needs than the closed source solutions.
As a scientist, I'm all for transparency and free flowing information. However, when push comes to shove, I need programs that work, and, while I really hate to say this, the OSS programs have always fallen short.
We're living in a world where obscurity will become a more and more invalid method of cheating, securing, confusing, misrepresenting, lying, disinforming, profiting, whatever.
'IT' just makes it easier to find what is already out there. I'd say good for Google, another good step to their goal of "indexing the world".
There are other code search engines: krugle.com and koders.com
You're new to the computer biz, aren't you?
Nobody gives a shit about security or correctness. Not even open-source projects like Linux care that much. OpenBSD does, and maybe a few others, but they're far and few between. Business entities plain just don't give a shit.
Koders and even Krugle guys precede Google's code search, but they are going to have a hard time attracting more developers' eyeballs - check this.
Too bad one can't get Google code search on there, too, but you can imagine how far that graph curve would be.
... don't post them on the internet in the first place.
Allowing anyone to find the bugs is the whole point of OSS. But why is there any "password information and even proprietary code"?
Lovely, just lovely. I just searched for my name (full name, and UNIX first-initial-lastname form) and even though I've only really contributed to two tiny OSS projects in extremely trivial ways, my email addresses (current and a few previous ones) all appear in plaintext in the search results. Spammers just got another way to harvest, without having to download entire files even.
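The thread's recurring point is that anything in a public tree is searchable, whether a mysql_connect call with a hard-coded host (the search posted above) or a plaintext e-mail address (this post). The script below is an added example, not from the thread, of running those same patterns over your own tree before publishing it; the file names and contents are constructed, and the host check is broader than the posted search (any quoted host starting with a digit, not only ones avoiding a leading 1).

```perl
#!/usr/bin/perl
# Added example: pre-publish scan for patterns a public code search would
# surface. The %tree contents are constructed sample files, not real code.
use strict;
use warnings;

# Constructed sample "files": path => contents.
my %tree = (
    'lib/db.php' => q{<?php
$link = mysql_connect("10.1.2.3", "webapp", "s3cretpass");
},
    'lib/config.php' => q{<?php
$link = mysql_connect(DB_HOST, DB_USER, getenv('DB_PASS'));
},
    'AUTHORS' => "Jane Example <jane\@example.org>\n",
);

# Patterns worth catching before the tree goes public.
my @checks = (
    # mysql_connect() whose first argument is a quoted literal starting with
    # a digit: a hard-coded host, usually followed by hard-coded credentials.
    [ 'hardcoded mysql_connect host' => qr/mysql_connect\s*\(\s*["'][0-9]/ ],
    # plaintext e-mail address, the harvesting case described in the thread
    [ 'plaintext e-mail address' => qr/[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ ],
);

# Returns "path:line: label" findings for one file's contents.
sub scan_file {
    my ($path, $contents) = @_;
    my @findings;
    my $lineno = 0;
    for my $line (split /\n/, $contents) {
        $lineno++;
        for my $check (@checks) {
            my ($label, $re) = @$check;
            push @findings, "$path:$lineno: $label" if $line =~ $re;
        }
    }
    return @findings;
}

my @all = map { scan_file($_, $tree{$_}) } sort keys %tree;
print "$_\n" for @all;
printf "%d finding(s); config.php passes because its host and password come from constants and the environment.\n",
    scalar @all;
```

On the constructed tree this reports the AUTHORS address and the db.php connect call and nothing for config.php, which is the shape you want: credentials and contact details live outside the code that gets published.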
I have a hammer. I can build a house with it. Or I can kill someone with it. Does that make the hammer bad? Should we restrict the availability of hammers? Should we start requiring FBI background checks at Walmart in order to purchase a hammer? If we make it illegal to own a hammer, only criminals will have hammers.
Seriously, any "tool" is like this. You can do wonderful creative things with it. Or you can do nefarious evil with it. That doesn't make the availability of the tool wrong or undesirable.
Q: Why is beginning a comment in the Subject: line annoying?
I ran into a situation at work recently where we (note, we're statisticians, not programmers) discovered firsthand the value of having the source code to a piece of software. A proprietary program we purchased was calculating a value incorrectly because it wasn't taking a certain factor into account that most people don't need, and there was no way to get it to do that. My boss' comment: "And we can't fix it because we don't have the code."
Her point was right on target - if we had the code, we could've easily contracted out fixing the program; it probably would've taken a competent programmer a couple hours to put the fix in and test it. But instead, we're stuck with a software package that's useless for many of the situations we wanted it for, unless the developer decides we're important enough to fix the software.
When this happened, I realized that the general public is becoming much more aware of the potential problems with closed-source software. For now it might just matter mostly to programmers, but sooner or later, it'll matter to a lot more people, too.
However, when push comes to shove, I need programs that work, and, while I really hate to say this, the OSS programs have always fallen short.
Really? Ever use a Tivo? Ever go to a web site? How about Google? How about wikipedia? Do you have any idea how much BSD licensed code (math libraries, for example) might be running on your cell phone, your car stereo, etc?
People don't know it but open source is everywhere and it works great. Sure, you're not using an OSS spreadsheet or word processor, but that doesn't mean you don't rely on OSS a zillion times a day without even realizing it.
Her point was right on target - if we had the code, we could've easily contracted out fixing the program; it probably would've taken a competent programmer a couple hours to put the fix in and test it. But instead, we're stuck with a software package that's useless for many of the situations we wanted it for, unless the developer decides we're important enough to fix the software.
Just out of curiosity -- HAVE you contacted the developer asking for a fix? Just because it's a closed-source solution you can't fix yourself, doesn't mean the vendor won't fix it if someone asks. Especially if it's really as simple as a couple of hours (although there is always extra overhead, such as back-testing, etc.)
Disclaimer: I work for a closed-source software vendor, but we try very hard to meet the needs of all of our customers, so if they identify a critical issue we generally try to either find an acceptable work-around, or patch the code when possible. And (ideally) that would be done in such a way that you won't lose that fix when you upgrade. If you custom-fix your OSS solution, you either have to never upgrade, or patch every version that comes out; that seems to be a lot of long-term hassle.
Customer satisfaction is a big part of being a software vendor -- sure, you may be a small customer, but if my company is responsive to your needs then that builds good relations with you, and you may be an excellent referral source for us later (or become a larger customer yourself). That's a strong motivation for businesses that really care about their customers. And for professional-type products, buyers are more likely to pay extra for that good service.
From TFA: Code Search is "another tool that makes it a tad easier for the attacker,"
Like gcc and perl. Gee, those pesky tools. What do you know, personal computers are another tool that makes it a tad easier for the attacker too.
Obviously developers concerned with security should take note of any new and current tools available, but to create a tone like Google is providing a date rape drug for crackers is just raw fud propaganda.
First off, comparing the costs of hiring a programmer to make software to be used by one person with commercial software that is used by millions is silly. Commercial software costs millions of dollars to write, and they sell it for a 100 dollars per person to millions of customers. Custom software costs thousands of dollars to write, and the developers charge thousands of dollars to their 1 customer.
Secondly, there is a common misconception that open source software is supposed to be directly modified by end users, and this is why it is so 'wonderful'. Open source software is beneficial because it allows many smaller developers to work together to produce a quality of software they couldn't possibly produce on their own. The end users benefit indirectly from OSS, not directly.
If you like Firefox, Google, using the Internet (most web servers and such are OSS), OS X, and even Windows (which uses OSS code, such as the TCP/IP stack, from Free BSD), then thank OSS. All end users should do is use the best software for the best price for their particular needs. Let the developers worry about things like OSS. This way, whether OSS or commercial, the best bubbles to the top; which is as it should be.
http://tickletux.wordpress.com/2006/10/07/google-code-search-a-vulnerability-hunters-dream/
Powerful tools can be used for good or ill!
Take a second look at those knives, fellas! Monitor the internet! Be aware before pushing on that gas pedal! Think twice with that plutonium, kid!
Yes, BB guns are fun--but you'll shoot your eye out if you're not careful!
!!!!!!
About customer relations: I have heard it said that your most important customers are your current ones, so keep 'em happy, because they've already overcome the first hurdle between their money and your pocket: they decided to choose your product [or service] instead of another.
If you keep them happy, they are more likely to be repeat customers than to shop elsewhere, I'm told, because shopping is, itself, a cost to them [time, effort, risk...]. They'd rather stick with you if you're keeping them happy. Plus, of course, your product is satisfying them, so that's the main reason they'd stick around, right?
Of course this depends a bit on the product... Music sellers know that music fans are fickle, and some businesses thrive on variety of choice [clothing?*], but software and computer gear vendors probably benefit more from maintaining current customers than marketing to find new ones to replace them.
In the context of your company, then, this advice suggests that you should keep them happy and make the changes they want, if it seems cost effective, taking into account the potential cost of replacing that customer.
In other words, it's not just the chance of referrals that make customers worth keeping. Even users whose needs are met can be pretty bitchy about software -- we can all relate to being angry at our tools -- so referrals might not be the best reason to value your current clients.
But since they are more likely to buy again from you, and since you don't have to spend marketing dollars to get them to make that first purchase decision, they are valuable for those reasons.
*I use the question mark because, as a computer geek and gearhead, I don't really know or care much about clothes.
Have you ever participated in any of these FOSS programs that you found lacking? Have you ever joined the mailing list? Ever just asked for a feature or explained a bug? The first time I did and it was implemented, I was surprised; the second time (Different project), I was gratified; the third time (Different project again), it cemented in my mind why I will always stick with FOSS projects, even those that aren't nearly as polished as their Shareware or Closed counterparts.
I am a programmer and a system administrator, and I could have eventually fixed it on my own, after digging through someone else's style of coding in a language I may or may not be familiar with. However all I had to do was ask and participate a little in the project and now those features exist and those bugs are fixed. I'm not batting a thousand in asking for features or bug-fixing by mailing list, but it's still better luck than I've had with any sort of closed-code program.
... And so it comes to this.
http://www.corecodec.com/index.php?option=com_smf&Itemid=29&topic=3204.msg18973;topicseen#msg18973
is a hacked site. only goes to show, if you mess with gpl, you get gpl. they use gpl code in the comm. products.
It's designed to be of use to hackers! It's the crackers I would be worried about!
When I first saw the link about google code, I was in the process of attempting to find software that used a certain function that is vulnerable in a popular scripting language. This was remarkably difficult using just 'regular' google, even though it really shouldn't have been. However, then google code came out and poof I used it to look for code using the vulnerable function, and I found a lot.
Hmmm. So what's your social security number?
BTW no one's mentioned that this can be used to find GPL violators.
The first thing you are supposed to learn Net wise is if you don't want it cracked, stolen, or downright abused... Don't put it on the Internet in the first place.
NEWSFLASH: Maps can be used for evil
It has been reported that a recent new invention of google corp. by the name of 'maps' can be used for evil purposes.
These new 'maps' show information about a given area so terrorists can find new targets to bomb.
George Bush is putting a bill through very soon to ban this evil invention.
*YAWN*
NEWSFLASH: Knives can be used to kill people.
It's all a double-edged sword whatever you do I guess.
Hear, hear. You have probably stumbled across one of the true secrets of computer programming.
It is hard work.
Lots of people don't get that at all. Lots of management types assume that because person A wrote this code in a week that person B should be able to fix it in a week. Not true at all.
Sometimes it takes person B a week (or a month) to figure out what in the heck person A was doing. Open source is not immune to this. Hiring someone that was not involved in the original development of some random open-source project of moderate complexity can be an exercise in training the person in the coding style and knowledge of the original developer. Having the source is not understanding the source, or even being able to fix problems in it. As a general rule, if you don't know what you are doing trying to "fix" something is far more likely to cause problems than it is to actually fix the original problem.
Thank you, Google Desktop users, for giving google the contents of your hard drives, to make it easier to search through your code for hacks!
Security experts say that the security implications of Google Code Search are noteworthy, if not earth-shattering.
Yes, and they are good implications. If a company lets proprietary, bug-infested source code leak onto the web, then they should have to deal with the consequences.
I'm not sure if she has contacted the author or not. I think she was going to, but now that I think about it, she might've forgotten (we're incredibly busy, and there are much bigger issues we tackle every day).
I think I'll shoot them an email when I get back to work Tuesday; it can't hurt to try. It's a small company, so they may be very responsive.
I like to relate open source software to the car industry. If a new car company was established that sold its car for a few thousand dollars less than everyone else, but the catch was the hood was locked shut and the only people with the key to it were the dealership themselves. Thus forcing ALL maintenance and repairs to be carried out by the original dealer at a premium. Do you think this company would survive? Would YOU buy a car from them?
Most people would say, HELL NO! Even though MOST people don't have a clue about car maintenance. Most people will never even change their own oil, but still they have the common sense not to purchase a car knowing they are going to get bent over the barrel for repair costs.
I believe open source is similar. Sure, most people aren't programmers, most have no clue what it takes to develop a piece of software. But MOST people have used a piece of software in the past that had a bug, or that lacked a certain feature they really need. If they had access to the source code at least they could ATTEMPT to get the bug fixed, or feature added. Just like they attempt to take their car to the local garage to get the oil changed and the weird engine sound fixed. It doesn't always work out that way, but at least they have the option. Not every garage you take your car to is going to do quality work, just like not every programmer you hire is going to get the job you request done. The bottom line though is you at least have OPTIONS.
Regarding your statement about open source programmers being more "nimble" and the community being able to implement bug fixes/features faster than commercial companies. You need to keep in mind that open source programmers and the community itself aren't paid. Just because some John Doe requests a feature that might suit him doesn't mean the programmer is going to call in sick to his day job to implement it for you. Try donating to the project FIRST, then requesting something back second and you might get better results. Your donation doesn't have to be money either, donate documentation, donate testing and feedback, donate any service you may have to offer and after that I bet any requests you have will be less likely to fall on deaf ears. The community is what drives open source, so become part of that community and everyone wins.
Oh, and you forgot 'TODO', and possibly "Don't look at this, it will make you go blind"
"It doesn't cost enough, and it makes too much sense."
You make some very good points -- keeping your existing customers is an important goal in and of itself. And that's actually what my job is where I work: I work directly with our customers to provide technical guidance and programming support when they encounter a situation that doesn't work with our standard features / options. Basically, my job is all about keeping our existing customers happy, both to keep them and to provide good referrals & recommendations for our products to other potential customers.
:-)
Thankfully I'm not directly involved in sales / marketing -- just not my gig
Google's search changes little but the speed with which one searches. The same criticism could be leveled at a new, more efficient Library index. Yes, "bad" people can find things easier... but so can the much, much larger body of "good" people. Nothing is changed but speed of access. The ratios remain the same.
You put the ending of your comment in the Subject line, which is completely irrelevant to the subject (putting the beginning of a comment in the Subject line) at hand. gg revealing your lack of reading comprehension.
The only difference between Google Code Search and normal code search is that you can search for special characters that one normally cannot in Google's standard search. But thousands of people have already used Google for searching code by just trying to limit their search by using words like "int long public" etc., so nothing is new here, except that we now can search using e.g. php $variables, whereas the $-sign is ignored unless you use Google Code Search.
"When this happened, I realized that the general public is becoming much more aware of the potential problems with closed-source software. For now it might just matter mostly to programmers, but sooner or later, it'll matter to a lot more people, too."
There are several small facts that seem to be lost in these discussions.
One. Not every company/customer relationship is a hostile one, even though Slashdot regularly casts them as such. "Oh she could leave you, and take the kids. Don't trust her."
Two. Not every business model is the same.
Two-'A'. Some companies release source code to paying customers. Not to share with the world, but to give the customer more flexibility.
Two-'B'. In turn the companies, in their self-interest, release some of their changes back, as well as give advice.
Three. Commercial companies usually do those jobs that don't scratch some individual's fickle "itch".
Just out of curiosity -- HAVE you contacted the developer asking for a fix? Just because it's a closed-source solution you can't fix yourself, doesn't mean the vendor won't fix it if someone asks.
Unfortunately not all closed source vendors are as helpful to their customers as your company. I once dealt with a problem in a closed-source accounting package, which could not handle a fairly simple way of grouping items together to be sold (selling a specified set of items as a "kit" at a reduced price). I contacted the firm that developed the software and asked them if they were planning on adding this feature - no. Would they consider adding it for us for a fee - no. "Not for any amount of money?" I asked. "No." That was the end of the conversation.
Ford is bragging how they boosted the EPA gas mileage of the Ford Focus by 10 percent (actually the highway rating of the manual transmission model -- the mileage improvement on other models and for the city rating was less) by updating the software in the ECM. Not only does the 2007 Focus have this improvement, but they are flashing the memories of 2006 models to get the same effect.
Now try making mods to your ECM for any purpose -- to boost gas mileage, to tweak performance. There are people who do this (mainly for performance), but it probably involves some hacking and reverse engineering.
One: Huh? I used the phrase "potential problems", not "always going to beat you over the head problems."
Two: Actually, see above. Same answer.
The issue we encountered is the type of problem that CAN arise without source code. The manufacturer may be willing to fix it. But if they aren't (or can't, if they're out of business or something), the source code would allow us to get the code fixed. Without source, we're entirely dependent upon the company fixing this problem for us; if they choose not to, then the software isn't going to help us as much as we'd hoped.
Three: Yes, they do. Unfortunately, the software, as it currently stands, isn't scratching the itch we paid for it to scratch. I ended up writing code in SAS that would do a similar job, but it doesn't have the features and flexibility of this package (it could, but I don't have the time to write it).
I'm not anti-commercial software. I'm not anti-companies making money. I'm just pointing out that the potential problems of closed-source software are becoming more apparent to the general public - and in the end, that can only be a good thing, even if it just forces the closed-source companies to improve their product.
..seems to work as well
"People need to stop blaming those that provide tools and research for their finding or their ability to find bugs and errors. It's not their fault. If you screw up and someone finds it, it's not their fault, it's yours. Take responsibility and deal with the consequences."
I agree. Let's not blame DRM and trusted computing and the people who create them. Let's blame those who pirate on one side, and those who engage in self-defense on the other. Now let's see how far we get with THAT. Too far to the left? How about PC for this forum? Let's blame those satan loving, freedom crushing, demons amongst men, "middlemen" companies disturbing the peaceful, sun-shining, halo-glowing, flute-blowing, "customers" just trying to live a "can't we all just get along now give me a hug" life?
One solution is to have a divide between "applications programs" and "systems programs". Back in the day applications were written in Fortran while system programs were all in assembler -- today the application program could be in Matlab or any of a number of things while the systems program is most likely in C or perhaps C++. That way the scientist/engineer/accountant could get into the programming just deeply enough to solve problems in a particular domain, but the low-level high-performance library modules would be written in C and walled off.
Again, enabling the writing of applications programs through some application-specific language -- Matlab, PHP, Visual Basic -- often gets programmer types all agitated because it enables non-programmers to write programs badly. On the other hand, anything but the most non-trivial use of a software package is a kind of programming, and there is a trend to make such tools more Turing complete.
Back in the day, if you wanted a chart of some data for a publication manuscript, you wrote a Fortran program and called the Plot10 library to drive a pen plotter. Later on, you had the numbers in a text file, and you used a plot package to generate the figure. These days a lot of people are using the plot library and figure window UI in Matlab to generate figures and save them in EPS files. While a plot package may seem to not involve programming, it can sometimes take a lot of banging one's head against the wall to get a plot package to generate the figure the way you want, while it may be more direct to write a Matlab script.
I think for a while there was a kind of view in the Unix community -- not the same as the Open Source community, but a lot of overlap -- that you had C and you had Shell, one compiled and the other interpreted with a command executive, and between the two you had everything you needed. Since systems were programmed in a high-level language (i.e. C), you didn't need to have a separate applications program language -- applications programming was a matter of having the right libraries. I think that with Perl, Python, Ruby and others -- the scripting languages -- there is a reemergence of the concept of an application programming language and the recognition that C may not be the one tool for every job.
I also see that with scripting languages we may see a return to the Fortran/Plot10 model instead of the plot package model -- you have the power and flexibility of a more Turing-complete programming language to specify what you want rather than relying on a particular software package having the features you need. I am starting to see Open Source Python-based packages coming out of the national laboratories to do a lot of what Matlab does.
Thanks for the info
Yes, it can be dangerous, in the sense that it may help us to find flaws in Open Source software, as the common Google Search does or even "grep".
But, anyway, the tool can be used in order to spend a good short while.
The problem is that you're at the mercy of the vendor. Some are very good. Some don't care. Some may care, but for whatever reason (layoffs, turnover, old code, 3rd-party binary libraries) can't fix your problem.
I've had at least one case where I was able to strace a vendor library, figure out the problem, send them a detailed description of the problem and solution--it was an obvious problem in the arguments to bind(2), which basically narrowed it down to 1 line of code for them and they _should_ have been able to fix it in seconds with that info.
It was like dealing with a black hole. Luckily it was a simple enough problem that an LD_PRELOAD hack could work around it, but when the vendor won't help you can be royally screwed.
So the lesson is to pick your vendors carefully, and always have an exit strategy if things change (they get bought out, discontinue the product line, etc). At least make sure you have a way to get at your data to move to a new system if necessary.
rage, rage against the dying of the light
And just because it's closed source, the developers will never fix any bugs in it? Ever?
That's just silly.
I've come to believe that open source works if you're a programmer, but for the rest of the world the promises fall flat.
You haven't looked very far. Open source is used in millions of products.
I can't read code - it means absolutely nothing to me.
So what? It's the whole market that matters, not just you.
So this whole point on OSS being transparent and knowing what the software really does, doesn't apply to me.
It applies to anybody in a functioning free market who wants third parties to verify something that is core to their work. "Trust me" from a vendor is not good enough, as I have found to my regret many times.
Hell, if someone were to show me the source code to both Windows and Linux, I probably wouldn't even be able to tell which OS was which.
So what? There are millions of third parties who can.
All I care about is whether the software does what I need it to do; I don't plan on spending any evenings curled up to the fire reading source code.
Irrelevant. It's third parties doing it for you.
So this leads us to the next pro-OSS argument, that if the program doesn't do what you want you can either make a solution or hire someone to do it for you. I've tried this (several times in fact), and it didn't work. Since I don't program I have to go out and hire someone to code the solution I want. Never mind that finding a coder can often be a royal pain, but each and every time not only has (or would have) it been more expensive to hire someone to code the solution, but it took longer than had I gone out and bought a commercial closed source package (or two) that did do what I want.
Nonsense. People pay for software modification all the time. And when you paid for a closed source package you benefited only yourself, not potentially millions of others.
Lastly, I keep hearing how OSS programs are more nimble and should a bug or needed feature be identified, 'the community' will solve the problem much faster than a closed source solution. That may be for popular projects like Linux or Firefox, but in my experience I find the OSS programs to be less responsive to requests and needs than the closed source solutions.
Depends on the developer. Just like closed source. In my experience closed source vendors are far worse because there's little profit in fixing problems. Brush offs are far cheaper.
As a scientist, I'm all for transparency and free flowing information. However, when push comes to shove, I need programs that work, and, while I really hate to say this, the OSS programs have always fallen short.
You haven't looked very far. You also have a very blinkered viewpoint. Sometimes it's sensible to accept short term sacrifices (higher cost to get what you want) for long term gain (more control over your destiny and a functioning free market).
Also, you claim to be a scientist. If your work is not open, and cannot be reproduced without dependence on hidden closed source tools that may have bugs that your results depend upon, then you are a poor scientist.
---
Astroturfing "marketers" are liars, fraudulently misrepresenting company propaganda as objective third party opinion.
Hunting rifle used to kill man. Details at 7.
4: Some companies go out of business. Not many of them contact all their customers and say "by the way, so that you aren't stuck with our dead code, here is the source". I know of lots of people that rely on old unsupported programs, and the data is in a format they can't convert to any modern equivalent.
> Just out of curiosity -- HAVE you contacted the developer asking for a fix? Just because it's a closed-source solution you can't fix yourself, doesn't mean the vendor won't fix it if someone asks. Especially if it's really as simple as a couple of hours (although there is always extra overhead, such as back-testing, etc.)
Yes. I had just this sort of problem with a vendor-hosted application my employer used (I'll call it VOMIT here as that's what spellcheck changes its name to).
I saw that VOMIT's login page was vulnerable to SQL injection. We immediately contacted the company (someone important enough to resolve the problem) and let them know exactly how to fix their application. Their response was that VOMIT had been reviewed by security 'experts' and that VOMIT has [several paragraphs of technobabble] that prevents such attacks.
We then made a screen shot of the 'admin' page which was accessible using the exploit. After some scrabbling and backpedalling, they then 'fixed' the problem. Their 'fix' consisted of a couple lines of javascript to give an error message if quotes were put in one of the login input fields. I then disabled javascript in my browser, and made another screen shot of the same problem. They then (finally) made the changes we had originally suggested.
So instead of a five minute fix (to correct an obvious problem that should never have been allowed to begin with), we ended up with numerous meetings with our security people, their VP, and God knows who else. All too many vendors seem too willing to engage in obfuscation and denial, even when the solution is handed to them on a silver platter.
Ken ') or 2=2 --
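The login bug and the two "fixes" the post above describes, modelled as an added example (this is not the vendor's code or the poster's): a server-side query that splices the form fields straight into SQL, a quote check that lives only in the browser's JavaScript and so never runs for a client that has JavaScript disabled, and the parameterized query that actually closes the hole. The schema, table contents and function names are constructed for the demo; the only value taken from the page is the `') or 2=2 --` string in the signature, which is what the vulnerable query turns into `WHERE (username = '') or 2=2`.

```python
import sqlite3

# The injection string from the post's signature. Inside the vulnerable query it
# closes the quoted username, closes the parenthesis, appends a tautology and
# comments out the password check.
PAYLOAD = "') or 2=2 --"


def make_db():
    """Constructed sample user table (not the vendor's schema). Passwords are
    stored in plaintext purely to keep the demo short; real systems store hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hunter2', 1)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse', 0)")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The original defect: form values interpolated into SQL text, so the
    database parser sees attacker-controlled syntax, not just data."""
    sql = (
        "SELECT username, is_admin FROM users "
        f"WHERE (username = '{username}') AND (password = '{password}')"
    )
    return conn.execute(sql).fetchone()


def client_side_filter(value):
    """Equivalent of the vendor's first 'fix': a JavaScript check that refuses
    quote characters in the login fields before the form is submitted."""
    return "'" not in value and '"' not in value


def vendor_first_fix(conn, username, password, browser_runs_js=True):
    """The vendor's first fix as deployed: the quote check runs in the browser,
    the server is unchanged. A client that does not execute the page's
    JavaScript (or that sends the request directly) still reaches the
    vulnerable query."""
    if browser_runs_js and not (client_side_filter(username) and client_side_filter(password)):
        return None  # browser shows an error; the request is never sent
    return login_vulnerable(conn, username, password)


def login_parameterized(conn, username, password):
    """The fix the poster originally suggested: bound parameters. The driver
    sends the values separately from the SQL text, so the payload is compared
    as a literal username and matches nothing."""
    sql = "SELECT username, is_admin FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("legitimate login:", login_parameterized(db, "alice", "correct-horse"))
    print("vulnerable query, payload:", login_vulnerable(db, PAYLOAD, "anything"))
    print("js-only fix, js enabled:", vendor_first_fix(db, PAYLOAD, "anything"))
    print("js-only fix, js disabled:", vendor_first_fix(db, PAYLOAD, "anything", browser_runs_js=False))
    print("parameterized query, payload:", login_parameterized(db, PAYLOAD, "anything"))
```

Run it and the second and fourth lines return the admin row while the last returns `None`: the client-side check changes nothing on the server, which is why a screenshot taken with JavaScript disabled was enough to reopen the discussion. The same split applies to any input validation that runs only in the browser; it can improve the user experience but is not a security control.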
Customer satisfaction is a big part of being a software vendor
I, and hundreds of others, have contacted ATI about their software, drivers, not working properly on Linux. The OSS drivers march quickly towards fixing the problem with no information from ATI. However, ATI is slow and seemingly uninterested in fixing the problems we tell them about.
Having to work for a living is the root of all evil.
You can read code. You don't want to learn how. That's fine, but don't play the martyr card.
It will almost always be more expensive to hire someone to build you something than it would be to buy something already built. The prepackaged solution has already been paid for, and the developer is hoping that enough people will want to buy in to make them a profit. This is a good model for problems multiple people have. It doesn't work very well for individual issues.
A contractor doesn't care about how many people need a solution, only whether they're willing to pay for it or not. If you hang out lowball offers, most contractors will simply ignore you. You might get a few bites from hungry, desperate contractors, but they're probably desperate for a reason.
This is why I believe that hosted applications - software as a service - are the logical, commercial answer to OSS intrusion.
You don't want to hire a software firm, you don't want to have the source, particularly. You want/need feature NNN. And that's where hosted software shines. It all comes down to motivation.
If you BUY software, there's little incentive for the developers to fix bugs in it - there's no money in it. But a hosted application has a very different dynamic - if they fix the bugs that are troubling you, you'll continue using their software. It shifts power back towards the consumer, in a way that doesn't leave the consumer in charge of the codebase!
I have no problem with your religion until you decide it's reason to deprive others of the truth.
... "all your base"