Slashdot Mirror


April to See Month of MySpace Bugs

An anonymous reader passed us a link to PC World's coverage of the upcoming Month of MySpace bugs. Organized by a pair of wiseacre hackers tired of the 'Month of X Bugs', they are set up to 'highlight the monoculture-style danger of extremely popular websites.' Though it's supposed to be funny, outside security analysts have apparently been consulted on the project. "Though the project, which launches on April 1, has all the appearance of a practical joke, one well-known hacker said he'd been contacted by the Month of MySpace team with legitimate security questions. 'Those guys and I have been keeping in touch,' said Robert Hansen, chief executive of Sectheory.com. 'It's funny but it's not a joke.'"

8 of 165 comments

  1. But April only has 30 days by Anonymous Coward · · Score: 5, Insightful

    You'd think they'd do a year of MySpace bugs.

  2. Why is it "funny" to exploit security bugs? by robla · · Score: 1, Insightful

    Most homes are vulnerable to someone breaking in and spraypainting "funny" things on the wall, but I imagine anyone on the receiving end wouldn't find it funny at all, even if the recipient is some 1337 hax0r. At the most extreme end, humans are vulnerable to failure when a bullet is put through the head, but rational people agree that we don't approve of exploiting that vulnerability for fun and profit.

    Exploiting vulnerabilities on a big website, even an "uncool" website, is juvenile and criminal. There are plenty of perfectly legal and more effective ways of making a statement about MySpace, if that's the goal. I'm not sure I understand the need to make a statement about it anyway; let's just agree that it's GeoCities 2005 and move on.

    1. Re:Why is it "funny" to exploit security bugs? by QuantumG · · Score: 2, Insightful

      Because they claim they are secure. It's like if someone was to build a big fence around their property, place armed guards, security cameras, attack dogs, and then boast in a local newspaper that they are secure... you'd have a nice good laugh if it turns out their cleaning lady stole their diamonds.

      --
      How we know is more important than what we know.
    2. Re:Why is it "funny" to exploit security bugs? by robla · · Score: 2, Insightful

      I might experience a little schadenfreude, but I also would happily approve of the cleaning lady being thrown into the clink.

    3. Re:Why is it "funny" to exploit security bugs? by SadGeekHermit · · Score: 2, Insightful

      It has been long established that it is simply NOT POSSIBLE to write software without bugs.

      The best that any developer can hope for is to find the bugs quickly and remove them.

      Stunts like this only serve to attack a development project without doing anything productive to help fix it.

      Your own comment shows that you think the same way: "These guys are idiots, switch to someone else".

      They're not idiots. They're just the guys who happened to be arbitrarily chosen for public attack.

      And it IS perfectly arbitrary.

      Don't try to turn attention-whoring into some noble quest. It's not and never will be.

      --
      NO CARRIER
    4. Re:Why is it "funny" to exploit security bugs? by Watson Ladd · · Score: 2, Insightful

      The point is to put pressure on an unresponsive vendor or one with a bad track record to improve. And if you have insecure products on a network you deserve getting hacked. OpenBSD/RBASC are free, and they are never attacked successfully. Attackers are part of the internet environment now, and complaining about it is like complaining about rain making your expensive suit wet when you forgot an umbrella. Sure, it might be expensive to be secure, but that's the tradeoff, and it is not going to change.

      --
      Inventions have long since reached their limit, and I see no hope for further development. -- Frontinus, 1st cent. AD
  3. clown shoes security? by sfjoe · · Score: 5, Insightful

    I don't use MySpace so I know nothing of their security. But this guy's statement struck me, "Even when they have countermeasures in place... it's trivial to obfuscate to evade their detection mechanisms."
    If their security model is based on detecting patterns, then they will never be able to get out of the Red Queen's Race. A properly designed web app has as its core philosophy, "that which is not explicitly allowed is denied". Trying to detect all the possible variants of hacking and denying them then is a fool's errand.

    --
    It's simple: I demand prosecution for torture.
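
The contrast drawn in the comment above, between detecting bad patterns and denying whatever is not explicitly allowed, shown as an added example that is not part of the original thread and is not MySpace's code. The signature list, the allowed tags and attributes, and the sample snippets are all constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Pattern detection: reject only what matches a known-bad signature.
# (Constructed signature list; hypothetical, not MySpace's actual filter.)
BLOCKLIST = re.compile(r"<script|javascript:|onerror=", re.IGNORECASE)

def blocklist_accepts(markup):
    return BLOCKLIST.search(markup) is None

# Default deny: only these tags, attributes and URL schemes survive.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = ("http://", "https://")
VOID_TAGS = {"br"}

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: dropped without needing a signature
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            if value.strip().lower().startswith(ALLOWED_SCHEMES):
                kept += f' {name}="{escape(value.strip(), quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always re-escaped

def sanitize(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

# Constructed profile snippets: none matches the signature list above.
SAMPLES = [
    '<b onmouseover="track()">hello</b>',
    '<iframe src="https://example.com/x"></iframe><p>bio</p>',
    '<a href="data:text/html,hi">x</a>',
]
```

Every entry in `SAMPLES` passes `blocklist_accepts`, while `sanitize` reduces each one to the allowed subset without ever having to recognise what was wrong with it.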
  4. Quick easy one line fix for all Myspace bugs by britneys 9th husband · · Score: 2, Insightful

    127.0.0.1 myspace.com

    --
    Hear recorded Slashdot headlines on your phone! New service beta testing. Just call (248) 434-5508