April to See Month of MySpace Bugs

An anonymous reader passed us a link to PC World's coverage of the upcoming Month of MySpace bugs. Organized by a pair of wiseacre hackers tired of the 'Month of X Bugs', they are set up to 'highlight the monoculture-style danger of extremely popular websites.' Though it's supposed to be funny, outside security analysts have apparently been consulted on the project. "Though the project, which launches on April 1, has all the appearance of a practical joke one well-known hacker said he'd been contacted by the Month of MySpace team with legitimate security questions. 'Those guys and I have been keeping in touch,' said Robert Hansen, chief executive of Sectheory.com. 'It's funny but it's not a joke.'"

But April only has 30 days

You'd think they'd do a year of MySpace bugs.

Re:But April only has 30 days

[TheWanderingHermit]

Why? Bottom line: MySpace is one big bug. One bug, done in one day.

Re:But April only has 30 days

Wow, looks like someone forgot to check "Post Anonymously".

It's that time of the month again

[Joebert]

It's like PMS, but all month long !

Re:It's that time of the month again

[joebagodonuts]

"If it kills this Month of Whatever fad, then hurray for everyone, it's over."

I think these guys are on to something. I hope they suceed

Re:It's that time of the month again

[joebagodonuts]

I know you are, but what am I?

well

[mastershake_phd]

Just goes to show you once software has enough of a user base to make it profitable to exploit bugs, people will start finding them.

Re:well

[Omnifarious]

Which is all the more reason to make sure that no software ever has a really huge user base. It's bad for everybody.

Right now, one major thing that keeps Myspace's user base so incredibly high is the lack of a widely adopted technology like OpenID. Many people get Myspace accounts because they're forced into it in order to communicate reasonably with a friend, and then decide "Oh, what the heck." and build content of their own there as well. I know that's why I have a MySpace account (and, strangely enough, Omnifarious on MySpace isn't me).

Re:well

[bconway]

Which is all the more reason to make sure that no software ever has a really huge user base.

Maybe they should introduce some bugs to slow the user base growth.

Re:well

[natrius]

Right now, one major thing that keeps Myspace's user base so incredibly high is the lack of a widely adopted technology like OpenID.

How are Myspace and OpenID remotely related? A decentralized social network would be nifty, but OpenID definitely isn't one. In the mean time, better social networks offer open APIs that let you access their friend data.

Re:well

[mdwh2]

How are Myspace and OpenID remotely related? A decentralized social network would be nifty, but OpenID definitely isn't one. In the mean time, better social networks offer open APIs that let you access their friend data.

OpenID means you can comment on other people's blogs/pages without getting a log-in or doing so anonymously.

Re:well

[Omnifarious]

How are Myspace and OpenID remotely related? A decentralized social network would be nifty, but OpenID definitely isn't one. In the mean time, better social networks offer open APIs that let you access their friend data.

Because you could add someone as a MySpace friend without them having to have a MySpace account if MySpace implemented OpenID. If you just gave a list of OpenID URLs that had friend-type permission for your MySpace account and assigned them your own names then I think people would feel much less compelled to build a home on MySpace just so they could interact with a friend who had a home there.

Distributed identity and distributed social networking are strongly linked concepts. One enables the other.

Re:well

[dominion]

A decentralized social network would be nifty, but OpenID definitely isn't one.

I'm working on it... and the plan is to use OpenID for authentication.

Re:well

[mkosmo]

How are Myspace and OpenID remotely related? A decentralized social network would be nifty, but OpenID definitely isn't one. In the mean time, better social networks offer open APIs that let you access their friend data.

However, Facebook's API better be damn secure (and not needing even a week of bugs) or else a lot of people would be mighty ticked off. Especially these people that think that stuff on their social networking profile is private and secure. Maybe somebody should let them know that the internet is a series of tubes, and the tubes don't have valves, and I can slide down any one of them and grab the picture of their boobies they posted on Facebook. Then they will sue me for getting it and the tube maker for not crimping the tube so my fat ass couldn't fit.
If you can't tell, I don't like the majority of the social networking demographic :( I do like most technology bloggers, though. They tend to write well and keep things interesting. Using proper, grammar of course. But that is a whole other flame post for me to write.

Re:well

[chimpo13]

OpenID means you can comment on other people's blogs/pages without getting a log-in or doing so anonymously.

Oh, yippee!!! More comments from an ex-girlfriend that I'm a "pregnant cow".

Re:well

[um...+Lucas]

If you just gave a list of OpenID URLs that had friend-type permission for your MySpace account and assigned them your own names then I think people would feel much less compelled to build a home on MySpace just so they could interact with a friend who had a home there

And now we know why none of the "social networking" sites will ever adopt this.

Re:well

[mdwh2]

If you can't tell, I don't like the majority of the social networking demographic :( I do like most technology bloggers, though. They tend to write well and keep things interesting. Using proper, grammar of course.

One of the main points of "social networking" sites is that you interact specifically with those you want (e.g., your real life friends), as opposed to everyone like on Slashdot, so the average demographic doesn't matter.

My friends write well, keep things interesting, and use proper grammar, better than the average Slashdot poster or technology "blogger", so that's all that matters.

Re:well

[mkosmo]

One of the main points of "social networking" sites is that you interact specifically with those you want (e.g., your real life friends), as opposed to everyone like on Slashdot, so the average demographic doesn't matter. True, it is. However, how can you tell what a person is like when everybody tries to create images to set themselves apart? I view most social networking sites as ways to practice creating fronts and faces. Sure, I have a MySpace and a Facebook, but I don't even maintain my MySpace. My girlfriend does. So she can put up my interests, but can she really express me? I like Facebook though. Its more limiting. I just get a cleaner vibe from it.

as opposed to everyone like on Slashdot, so the average demographic doesn't matter. Are you trying to tell me that Slashdot is not a diverse culture, not a "melting pot" like the United States is told to be? If you are, you are very wrong, sir. Slashdot's demographic is not just script-kiddies and sweaty old men who live in their mother's basement, but rather most of the technology world and the younger generation. Slashdot rates high on Google, so where do you think a lot of people are sent from their search results.

Anyways, I still have not woken up entirely, yet. Good morning, USA.

Re:well

[Omnifarious]

Sadly, you may be right. But I'm hoping that a few will implement it and that the lure of the shiny new technology plus the actual advantage of not having to create an account there to participate will convince people to move. There is marginally better utility for users in a site that uses OpenID, so I'm hopeful.

Re:well

[LBt1st]

What makes you think everyone else is a fake just because you are?

Re:well

[mkosmo]

What makes you think everyone else is a fake just because you are? As much as you deserve a troll mod down, you really need to think about what you are saying. You obviously have never worked with a human being in your lifetime, or else you would know that everybody IS a fake. Really- it is in our nature to be above and beyond. Competition. Do you like to compete? I am sure you do. Do you understand what I am saying?

Re:well

[mdwh2]

However, how can you tell what a person is like when everybody tries to create images to set themselves apart?

I'm not quite sure how you mean? I know what people are like because I am friends with them. My preferred place is LiveJournal, where you mainly interact by posting/commenting, and not by looking at their "profile".

Are you trying to tell me that Slashdot is not a diverse culture, not a "melting pot" like the United States is told to be?

I haven't made any comment on the Slashdot demographic, I'm saying that what the average person is like doesn't matter on a social networking site (where as on a general forum like here, it does matter).

Re:well

[kchrist]

Oddly, OpenID was created by the founder of LiveJournal, a large social networking site.

In other news

Bugtrack announced that on May first, they will start their 200th consecutive month of Microsoft bugs, give them a nice applause!

Re:In other news

[iago-vL]

Maybe a little picky, but we (SecurityFocus) just turned 7, so this is actually the 84'th month.

Bug message...

[Capeman]

Once they post the bugs, until they get fixed, we'll get this message: "Sorry! an unexpected error has occurred. This error has been forwarded to MySpace's technical group." Remember when the music player was hacked? They fixed it in less than 24 hours, I think the same will happen with these bugs...

Re:Bug message...

[quanticle]

>>Remember when the music player was hacked? They fixed it in less than 24 hours, I think the same will happen with these bugs...<<

Not necessarily. The music player was quickly patched because a vulnerability in the music player made it possible to download (read: pirate) music. Its comparable to the DRM vulnerability that Microsoft fixed in three days and issued an out-of-cycle patch for. The bugs uncovered by this project are likely to be more mundane bugs that won't be patched so quickly.

Re:Bug message...

[Dan+Hayes]

Except that it took them a couple of months to fix the problem whereby any new songs uploaded to the player wouldn't play unless the uploader had marked them as being available to download. So even on major artists' pages you'd have one or two tracks that were unlistenable.

MySpace's Microsoft-backed infrastructure.

This shouldn't be much of a challenge. According to Netcraft, MySpace uses IIS 6 on Windows Server 2003. While the security of Windows systems has increased dramatically since the days of Windows 95/98/ME, it's still widely known to be an extremely insecure platform, especially when compared to most commercial UNIX systems, most Linux distributions, and the *BSDs.

Where I work, we're considering what system we'll use when deploying some new web applications. We recently audited several ASP-based web applications, and found them to be quite terrible. I don't know if it's a problem with the developers of these products, but those that we tried were full of obvious security holes. Our past development was using WebObjects, and we saw nowhere near the number of obvious flaws that we saw with the ASP-based solutions, even when we had interns developing code.

My personal experience with ASP is fairly limited, but I suspect it may just be the technology itself that hinders secure development. It's much the same case for PHP. With such technologies, there are too many little details and flaws that even an expert programmer can become overwhelmed by. At least we decided to go with a Java-based solution running on Solaris. It's probably not perfect, but I'd wager that it's far more secure than most ASP- or PHP-based web apps.

Re:MySpace's Microsoft-backed infrastructure.

[DrSkwid]

Windows is a twisty maze of passages, all alike, all leaking information.
Root/Administrator is a design flaw.
All the platforms you mention have holes in them.

And PHP is a crock, steer well clear. See http://www.php-security.org/

Re:MySpace's Microsoft-backed infrastructure.

[peragrin]

It's not called the Blue screen of Death for nothing.

Re:MySpace's Microsoft-backed infrastructure.

[DrSkwid]

yes, I know.

that's why I run my web browser on a dedicated machine

Re:MySpace's Microsoft-backed infrastructure.

[Frosty+Piss]

According to Netcraft, MySpace uses IIS 6 on Windows Server 2003.

You may be right about MySpace using Windows, but remember, all Netcraft can really tell you is what technology they use to face the Interweb. What really runs the MySpace machine may be quite different. Could be squirrels, for all Netcraft can really tell. But you're probably right...

Re:MySpace's Microsoft-backed infrastructure.

[it074830-yanie]

myspace user has suffer from this latest bugs. although the words posted is kind of funny, but in reality many myspace user is getting tired with the mess happened in their page and decided to close their account. this is obviously quite a big task and threat to tom;the myspace owner to overcome the attack from the hackers or else the number of registered user is decreasing from his site. tom needs to find a way and protect their site from this irresponsible users.

Re:MySpace's Microsoft-backed infrastructure.

[nstlgc]

Windows 2003 is not Windows 2000. IIS 6 is not IIS 5. ASP.NET is not ASP.

Microsoft server products have become pretty secure lately. Perhaps you should reconsider your statements.

That said, I'd like to see a Month Of * Bugs on all 3 products mentioned above. Would be at least somewhat interesting.

Re:MySpace's Microsoft-backed infrastructure.

[dave562]

Given the number of MS SQL server errors I saw a year or two ago, it's pretty safe to assume that they are running on an MS backend.

Why is it "funny" to exploit security bugs?

[robla]

Most homes are vulnerable to someone breaking in and spraypainting "funny" things on the wall, but I imagine anyone on the receiving end wouldn't find it funny at all, even if the recipient is some 1337 hax0r. At the most extreme end, humans are vulnerable to failure when a bullet is put through the head, but rational people agree that we don't approve of exploiting that vulnerability for fun and profit.

Exploiting vulnerabilities on a big website, even an "uncool" website, is juvenile and criminal. There are plenty of perfectly legal and more effective ways of making a statement about MySpace, if that's the goal. I'm not sure I understand the need to make a statement about it anyway; let's just agree that it's GeoCities 2005 and move on.

Re:Why is it "funny" to exploit security bugs?

[QuantumG]

Because they claim they are secure. It's like if someone was to build a big fence around their property, place armed guards, security cameras, attack dogs, and then boast in a local newpaper that they are secure.. you'd have a nice good laugh if it turns out their cleaning lady stole their diamonds.

Re:Why is it "funny" to exploit security bugs?

[SadGeekHermit]

Maybe I'm old and crusty, and just not "with it" but being an Oracle DBA and occasional Java developer... I really, really don't like the idea of posting "month of X bugs" sites.

The principled thing to do is to contact the vendor whose software is buggy, and give them a detailed report of all the bugs you found, mailing a duplicate report to CERT to make sure there's at least some pressure on the vendor to fix them.

The UNPRINCIPLED thing to do is to start up a website and post a "month of MySpace bugs" for the whole world to see, which sets every idiot script kiddie out there on an easter-egg hunt to find vulns.

What's really screwed up about it is this: Let's say Joe Hacker decides to "out" some vendor and spends a month attention-whoring. That vendor may or may not get the bugs fixed before legions of script-kiddies figure out how to use them. MEANWHILE, every sysadmin out there is completely fucked, waiting for the vendor to catch up to the Scavenger Hunt that Joe Hacker decided to kick off with his stunt.

It's not cool, it's not funny, and I wish these assholes would just knock it off.

They should grow up already.

Re:Why is it "funny" to exploit security bugs?

[robla]

I might experience a little schadenfreude, but I also would happily approve of the cleaning lady being thrown into the clink.

Re:Why is it "funny" to exploit security bugs?

[SadGeekHermit]

It has been long established that it is simply NOT POSSIBLE to write software without bugs.

The best that any developer can hope for is to find the bugs quickly and remove them.

Stunts like this only serve to attack a development project without doing anything productive to help fix it.

Your own comment shows that you think the same way: "These guys are idiots, switch to someone else".

They're not idiots. They're just the guys who happened to be arbitrarily chosen for public attack.

And it IS perfectly arbitrary.

Don't try to turn attention-whoring into some noble quest. It's not and never will be.

Re:Why is it "funny" to exploit security bugs?

[Watson+Ladd]

The point is to put pressure on an unresponsive vendor or one with a bad track record to improve. And if you have insecure products on a network you deserve getting hacked. OpenBSD/RBASC are free, and they are never attacked successfully. Attackers are part of the internet environment now, and complaining about it is like complaining about rain making your expensive suit wet when you forgot an umbrella. Sure, it might be expensive to be secure, but that's the tradeoff, and it is not going to change.

Re:Why is it "funny" to exploit security bugs?

[QuantumG]

Dude, we're not talking about "writing software", we're talking about setting up a website and leaving the default mySQL account active. We're talking about writing shit in php and not escaping user input. We're talking about gross incompetence. There's plenty of it, and yes, the best way to deal with it is public naming and shaming.

Re:Why is it "funny" to exploit security bugs?

[jamesh]

It's not cool, it's not funny, and I wish these assholes would just knock it off.

The curious thing is, if you created a tv program out of it, and added silly sound effects and a silly voiceover, it would be funny. If funniest home video's has taught us nothing else, it has at least taught us that pain and misfortune is funny when it happens to other people.

If it was my application under the spotlight it would be a complete different matter...

Re:Why is it "funny" to exploit security bugs?

[Threni]

> Why is it "funny" to exploit security bugs?
> Most homes are vulnerable to someone breaking in and spraypainting "funny" things on the wall,
> Exploiting vulnerabilities on a big website, even an "uncool" website, is juvenile and criminal.

I'd take issue with your analogy. Defacing a website is nothing like defacing someone's home. For one thing, it's not someone's home. It's almost as bad as the old "you wouldn't steal a car, so why would you download a stream of numbers via tcp/ip?" argument all over again.

Re:Why is it "funny" to exploit security bugs?

[SadGeekHermit]

But you forget.

This is not the only "month of X bugs" that has happened.

The others were ALL about one or another software package.

I'm saying the general principle is wrong. If you find bugs you should disclose them responsibly. One copy goes to the vendor (or the site owner) and one copy goes to CERT. You don't show the whole world the details of the bug, plus a sample exploit! That's just stooooopid.

Re:Why is it "funny" to exploit security bugs?

[DrSkwid]

Most of the Month of X Bug websites seen recently already did that stuff and nothing happened.

This one : http://www.php-security.org/ was even done by an ex-member of the PHP security team because they weren't taking him seriously.

Re:Why is it "funny" to exploit security bugs?

[QuantumG]

If you work in the security industry sure.. if you're a user who feels they are getting poor service you yell it from the rooftops. Think about it this way.. if you found out your keyless entry system to your car was broken and any idiot could get into your car with a $2 transmitter, would you go quietly to the company and help them "mitigate" the damage or would you send this information to your local newspaper or current affairs show so they can tell as many people as possible to steer clear of this manufacturer as they don't even do basic security checks of their key systems. Anyone who trusts a for-profit entity to "do the right thing" with disclosing their own fuckups is an idiot.. and as for CERT, they're just as complacent in coverups.

Re:Why is it "funny" to exploit security bugs?

[SadGeekHermit]

The problem with your point of view is that you aren't hurting the VENDOR, you're hurting his CUSTOMERS who have done you (and the world) no harm.

The vendor isn't the primary entity harmed because he's already got his license fee from each customer. Also, it's not the vendor that will be attacked by script kiddies, it'll be his customers, who, again, have done you no harm.

The most you'll do to the vendor is give him a little bad P.R. Vendors don't care. They just hire a P.R. firm to "manage spin". The people who actually pay the vendor his fees (the suits, usually) ALSO won't care because they'll sympathize with the vendor. They'll view the situation, mostly correctly, as a bunch of snot-nosed kids waving middle fingers in the face of a staid, middle-aged establishment.

Putting up a "month of X bugs" is a dick move, man. All you accomplish is creating a huge clusterfuck for a whole bunch of people who never did you any harm, and that makes you no better than a vandal. Here's a tip: if you're showing people how to break something INSTEAD OF telling people how to prevent them from doing so, you're not on the side of the victim.

Guys like this are just another set of enablers, like (here's MY analogy) a ghetto gun-dealer who sells to muggers and rapists, and who justifies it by saying "I didn't tell him to go rape that woman! And it's her own fault for not having a bulletproof vest. My gun sales will show people that they NEED bulletproof vests, so I'm doing a service."

I'm not buying it. I'll say it again:

The PROPER thing to do is send one copy of the vulns to the vendor and another copy to CERT, which will disclose the existence of the issue responsibly and suggest a workaround.

Your suit analogy doesn't work, by the way.

As a sysadmin, I can take every precaution available to me, I can take every vendor-mandated step... Despite all that, all it takes is for some idiot to whip up a "month of bugs" and blammo, I'm hosed. All because some annoying little bastard wants to attention-whore out his new "security site".

So, I disagree -- most vehemently -- with your views.

Re:Why is it "funny" to exploit security bugs?

[SadGeekHermit]

Uh huh. SURE they did.

What's really happening here is, things are easier to break than to fix. So a bunch of guys can figure out 30 snarky ways of breaking something, slap together a website, and try to get some attention by attempting to publicly humiliate whatever vendor has pissed them off most recently. They don't think for an instant about what's going to happen when script kiddies start using the ACTUAL EXPLOIT CODE they publish to attack every website under the sun. Or maybe they do -- but that only makes it worse.

The PhP site you just linked to is an excellent example of how NOT to do things. They post actual test exploits. How lovely. So some guy in Wichita has a website that runs PhP, and his ISP hasn't updated quickly enough, and he's hacked by some schmuck script kiddie who's bored -- all through no fault of his own or even his ISP's.

This is NOT good citizenship at work.

Here's my favorite analogy of the fundamental dynamic here:

Leon the ghetto gun dealer: "Hey, man, I'm just trying to show all you guys how important it is to wear a bulletproof vest! Nobody believed me, so I started selling these here Saturday Night Specials. Cheap, too. It ain't MY fault if some guy decides to rape and kill some downtown lady with a gun I sold him! Sheeeit, she should've bought herself a bulletproof vest, it's her own damn fault."

I think that's a good rebuttal of your point.

Re:Why is it "funny" to exploit security bugs?

[SadGeekHermit]

In response to your analogy, NO, I wouldn't tell the whole world about it. I'd figure out a way to FIX it, like finding a local shop that can replace the keyless entry system, and THEN, I'd tell everybody how to go to the shop and fix their systems. I'd give them SOME information, for instance telling them about how it's possible to steal a car with equipment available to thieves, but I would NOT tell them enough to let them go get a transmitter of their OWN.

Reason being: the object is to SOLVE the problem, not magnify it by letting every angsty teenager in your town get ahold of their own transmitter, after which all hell would break loose.

Re:Why is it "funny" to exploit security bugs?

[SadGeekHermit]

It's so true... The human race just LOVES to get its Shadenfreude on.

Re:Why is it "funny" to exploit security bugs?

[QuantumG]

And while you're solving the motor companies problems for them, they'll be sure to put a lot of effort into making sure it never happens again, right?

Have you ever stopped to think that maybe all this do-gooding attitude is the reason why computer security is so bad? You're just co-conspirators.

Re:Why is it "funny" to exploit security bugs?

[GrumpySimon]

Whilst he's a very good security researcher, Stefan Esser has a reputation for being very hard to work with.

He claims that month of PHP bugs was created because he couldn't get the fixes into PHP. Whilst this may be true for PHP, he recently announced a vulnerability in mod_security complete with P.O.C code as part of MOPB. This had nothing to do with PHP, and Esser didn't bother to notify the mod_security team before releasing it.

Re:Why is it "funny" to exploit security bugs?

[Nazlfrag]

It's simple. A known exploit is much less dangerous than an unknown one. Security by obscurity is an invalid tactic.

Re:Why is it "funny" to exploit security bugs?

[RealGrouchy]

I think it's more like breaking into someone's home and rearranging the furniture.

It's a nuisance, but not irreparable.

- RG>

Re:Why is it "funny" to exploit security bugs?

[General+Wesc]

Your garage then. You don't live there (though I don't see why you think that's relevant). It just costs you a little time and money to paint over afterwards. I don't see how being on a computer or on the Internet is magically different.

And this is not like taking v. copying. This is doing direct, visible damage v. doing direct, visible damage. If this was a manuscript I was writing you'd (I assume) say 'yeah, it's wrong for them to burn it', but if it's an electronic manuscript, suddenly destroying it is harmless?

Re:Why is it "funny" to exploit security bugs?

[textstring]

basically these "month of x bugs" are free security audits. i'd much rather have someone finding vulnerabilities in my code and saying something, even if it's public, than some one else finding 30 vulnerabilities and owning me over and over.

Re:Why is it "funny" to exploit security bugs?

[Fred+Ferrigno]

Sometimes increasing the magnitude of the problem is the only way to solve it, because some businesses won't bother to do anything unless the problem is widespread. Will the company do anything if it only affects 0.1% of customers? Probably not, but it's a pretty shitty situation for the people in the 0.1%.

Re:Why is it "funny" to exploit security bugs?

[SadGeekHermit]

NO.

The best way to solve it is to SOLVE it.

Come up with a fix and share THAT with the world. Don't just tell everybody how to break systems affected by the glitch.

Unless your real goal is to help script kiddies exploit systems, you should never EVER release an exploit.

This is common sense.

Re:Why is it "funny" to exploit security bugs?

[SadGeekHermit]

OOOOHHHH, I SEEEEEE.

All us guys trying to lock down our systems and help our fellow systems administrators do the same are just CO-CONSPIRATORS, are we?

I bet I've got a pair of shoes older than you.

Listen, KID, all us adults out here in the real world have JOBS TO DO. Systems to protect. Data to safeguard.

And we are NOT AMUSED by a bunch of attention-whores who think it's amusing to pick on some random company for shits and grins.

You want to make the world a better place?

WORK THE FUCKING PROBLEM. Send a fix or workaround to CERT and the vendor.

Don't be an asshole!

Re:Why is it "funny" to exploit security bugs?

[SadGeekHermit]

It's one thing to say "there's a bug in this software, and it should be fixed."

It's another to say "here are 30 bugs in this software, with thirty sets of sample exploit code".

The former is a free security audit.

The latter is a free library for script kiddies.

See what I mean?

Re:Why is it "funny" to exploit security bugs?

[SadGeekHermit]

I'm not arguing for obscurity. I'm arguing for responsible disclosure.

Disclose to the vendor and CERT.

Don't disclose to the world unless you have a workaround and/or patch to offer. And when you do, DON'T include exploit code. EVER.

Common sense, really.

Re:Why is it "funny" to exploit security bugs?

[QuantumG]

You're the assholes who keep buying the same software every year even though it has big fat flaws in it and better alternatives exist.

Re:Why is it "funny" to exploit security bugs?

[ioshhdflwuegfh]

I might experience a little schadenfreude,[...] I'm sure you would.

Re:Why is it "funny" to exploit security bugs?

[SadGeekHermit]

What? Gimme a fucking break! I'm not the head of I.T. I don't get to choose the software.

Listen, KID, you wanna know what it's like to work in this business? The higher ups give you a shit sandwich and you have to figure out how to eat it. You tell them you want pastrami, they tell you "maybe you can get pastrami at some OTHER job" and you shut up and get back to work.

And don't tell me about your "better alternatives" because one of the alternatives YOU people always suggest, PhP, got nailed by the "thirty days" shmucks ALREADY. Oh, and by the way, sport: I won't tell you which systems I support, but NONE of them have had a "thirty days" experience yet. Put that in your pipe and smoke it.

You're obviously (at best) a college kid who's never had to hold down a real job. You've got some real nasty surprises up ahead.

Try to keep a stiff upper lip.

Re:Why is it "funny" to exploit security bugs?

[Threni]

> If this was a manuscript I was writing you'd (I assume) say 'yeah, it's wrong for them to burn it', but if it's an electronic
> manuscript, suddenly destroying it is harmless?

People should take backups to prevent suffering caused by theft, fire, hardware failure, corruption, virus/hack attacks etc. It's trivial, and there's no excuse for not taking backups on grounds of cost or inconvenience these days. It's morally wrong to deliberately damage someone else's property, sure, so I'm not suggesting it's 'harmless', but the two acts are not equivalent because, again, in one case you're destroying the only copy of something physical, and in the other you're changing some numbers somewhere which can easily be restored to the exact state before damage occured.

Re:Why is it "funny" to exploit security bugs?

[dave562]

The script kiddies already own MySpace. At this point I see the Month of Myspace Bugs as a good reference for EVERYONE ELSE who uses MySpace and who might be holding onto some false notion that the site is actually secure or safe to use. I have "fixed" more Windows boxen than I care to admit to and the one thing that they all have in common is MySpace. MySpace is simply the breeding ground for new exploit code. I have seen computers that have withstood the nastiest browser exploits and malware infection vectors that the pr0n industry has thrown at them have simply crumbled in record time when accessing MySpace. That entire domain is BAD NEWS.

Re:Why is it "funny" to exploit security bugs?

[dave562]

As a sysadmin, I can take every precaution available to me, I can take every vendor-mandated step... Despite all that, all it takes is for some idiot to whip up a "month of bugs" and blammo, I'm hosed. All because some annoying little bastard wants to attention-whore out his new "security site".

So let me get this straight... all it takes is a few moments of you not staying up with the cutting edge of security research and your site might get owned? Whoa there turbo! Stop the presses!! Say it ain't so.

Having read your posts in this thread I think it's time for you to take a vacation bro. Coming on /. and whining isn't going to make your life any better. You seem pretty stressed out and depressed with the current state of things.

Re:Why is it "funny" to exploit security bugs?

[dave562]

So some guy in Wichita has a website that runs PhP, and his ISP hasn't updated quickly enough, and he's hacked by some schmuck script kiddie who's bored -- all through no fault of his own or even his ISP's.

No fault of his ISP's? If PHP had MS style Automagic Updates then staying up to date wouldn't be a problem. It is completely the fault of the ISP for not staying up to date with the patches. If you are in the business of providing software to users then you are in the business of keeping that software up to date. Developing code that runs on a publicly accessible machine is like swimming in the deep end of the pool, with sharks, while you're bleeding. It isn't for everyone, and in fact I'd go so far to say that most of the people who do it aren't really up to the task. That's why those who do manage to keep secure systems are worth every penny that they earn.

Re:Why is it "funny" to exploit security bugs?

[SadGeekHermit]

Nah, not depressed. Just wishing these guys would get a different hobby, that's all.

See, what bugs me is, most of this stuff is totally out of a sysadmin's hands. He's got to wait for patches in most cases. Even if he's got an open-source system and can patch his own stuff, often his boss won't let him.

Things are bad enough when there are unpatched vulnerabilities out there and your vendor is sitting on them. But guys like this make it worse by putting out sample exploit code. A vulnerability that might not have been that big a deal, and might have gotten patched before anything widespread happened, now can be exploited as soon as someone downloads the sample exploit and works it up into something more "interesting".

It's like I keep saying. Doing a "month of bugs" is a dick move. Us admins have it rough enough. Why add insult to injury? Why not just disclose the vulnerability and leave it at that? Why is it necessary to put out a friggin' TOOLKIT?

That's all I'm saying.

Re:Why is it "funny" to exploit security bugs?

[SadGeekHermit]

Yes, yes, but that ISP has to wait for the guys who build PhP to come out with patches, do they not? And someone already posted some info elsewhere in this thread mentioning how bad they often are with patches.

Therefore, not the fault of the ISP. I'm sure that most of the ones using PhP are Linux servers, anyway, and they get automatically updated nightly. If it's anyone's fault at all, it's the PhP guys' fault.

Again, not the ISP's fault.

And being on the web wouldn't BE quite such a shark tank if CERTAIN people weren't making things so EASY for hackers in the FIRST place.

(Before anyone freaks out over my use of "hacker", do realize that the language has changed over the past thirty years and its current common usage is NOT the one you fondly remember from your minicomputer days).

Re:Why is it "funny" to exploit security bugs?

[SadGeekHermit]

Wow... That wasn't particularly neighborly of him. :)

Re:Why is it "funny" to exploit security bugs?

[SadGeekHermit]

Ok, in the case of MySpace, I can see how this might not be TERRIFICALLY significant, IF it's as bad as you say (I wouldn't know, being about sixteen years too old for that demographic).

My comments are more pointed at the phenomenon in general, i.e. the whole "Month of X Bugs" fad that's been going around. I hate it. I wish it would go off and die the ignoble death of Disco and shoes with goldfish swimming in them. I see the whole thing as a sort of macro version of Dick Cheney shooting that old fart in the face.

You know...

Ok, gonna get a quail... Quail... Quail... Quail... OLD MAN! BLAM!

Wrong target. You know?

Re:Why is it "funny" to exploit security bugs?

[General+Wesc]

If I leave my parked out on the street, doors unlocked and keys in the ignition, and someone steals it, 'That's really stupid' is a correct response. 'That's really stupid and therefore the person who stole didn't do anything as bad as stealing a car that was reasonably-well secured' is not.

Anyway, whether one is a bit worse than the other is irrelevant. So long as you admit it's wrong enough to be criminal. I'm not saying they're equally bad. Having my popular website damaged may be less harmful than having a similarly popular brick-and-mortar store damaged, but it's probably more harmful than having someone paint graffiti all over my garage, so if the latter is wrong and criminal, surely intentionally compromising my website is at least as bad.

Re:Why is it "funny" to exploit security bugs?

[QuantumG]

You talk like a prick. Sound like a prick. Have the point of view of a prick. Claiming to be superiour because it's your job doesn't mean anything. You could be just lying for all we know. I bet you anything you can't make a rational argument if you tried, so to me, you ARE a prick.

The fundamental disconnect here is that you think you're so important because you "work the problem" as you say. My argument (you know, the part of discussion that is productive) is that the problem isn't people breaking into your servers.. the problem is complete lack of improvement in the security of software. For that you are not part of the solution, you are part of the problem.

Stop helping companies fix their fuckups.
Stop helping companies cover up their fuckups.
Stop buying products from companies that keep making fuckups.

And be more polite to people, prick.

Re:Why is it "funny" to exploit security bugs?

[Threni]

> 'That's really stupid and therefore the person who stole didn't do anything as bad as stealing a car that was reasonably-well
> secured' is not.

I'm not saying it's not as bad, I'm saying it's a little bit more funny. You'd expect an unlocked car to be stolen. Not that it *should* be stolen, just that it probably will be, and the fact that you didn't like it makes you a little bit stupid and worth a giggle.

> Having my popular website damaged may be less harmful than having a similarly popular brick-and-mortar store damaged, but it's
> probably more harmful than having someone paint graffiti all over my garage, so if the latter is wrong and criminal, surely
> intentionally compromising my website is at least as bad.

No, it's less harmful than having someone paint on your garage, because it's real paint on your real garage, and you'll have to spend time, money and effort fixing it. Sorting out a backup should take you less time/effort and no money (you've already paid for the backup software).

Re:Why is it "funny" to exploit security bugs?

[Fred+Ferrigno]

... you should never EVER ... Never use absolutes, because they are always wrong. Would you care to explain how you would go about writing your own patch for a closed-source system? Hell, suppose the exploit is in some network device which employs signed firmware. Even if you could write a patch, you couldn't apply it.

Myspace allows XXS redirect for malware execution

I Have had it happen about 4 times, its a redirect not properly sanitized (or injected in javascript), each time im redirected to http://193.x.x.x/somenasty.html, and its basically an IE 6.0 exploit. I can guarantee myspace infects more than half of its users. Sad thing is, no one is going to fix it. But hey, Tom has lots of friends!

Funny / Not Funny

[writermike]

'It's funny but it's not a joke.'"

Then launch it on April 2. April 1 is a Sunday anyway, and some hax0rz actually do toil thee not on their Sabbath.

clown shoes security?

[sfjoe]

I don't use MySpace so I know nothing of their security. But this guy's statement struck me, "Even when they have countermeasures in place... it's trivial to obfuscate to evade their detection mechanisms."
If their security model is based on detecting patterns, then they will never be able to get out of the Red Queen's Race. A properly designed web app has as its core philosophy, "that which is not explicitly allowed is denied". Ttrying to detect all the possible variants of hacking and denying them then is a fool's errand.

Re:clown shoes security?

[BillX]

Aha! THAT's why those pigfuckers capture your IP, User-Agent and a few other fields on first pageview and banish you to Unexpected Error Ocurred Purgatory if they ever change. I have a long rant on this subject, but the short form is I found the reason I thought Myspace was "always broken" the last couple years is my User-Agent Randomizer ran into their Paranoid Session Validator and began brawling. Using fields like UAgent as additional session validation tokens is a reactinary, but increasingly common stopgap on sites that know they have active XSS vulnerabilities but don't know where they all are or how to fix them.

Only one bug....

[Duncan3]

Users post personal data for identity thieves to download.

After that, all other "bugs" are 100% irrelevant, anything you would want to hack it already willingly posted. So a big fat security *yawn* on this one.

Re:Only one bug....

[pagerwho]

*Sigh* when will people learn. MySpace is highly susceptible to hacking, and the distribution of malware. Security does not end at personal information, security is cracking down on spam, cracking down on scripts, and ultimately making it safe to browse.

I personally have discovered viruses being distributed using MySpace, would one consider this secure? I certainly don't. Last time I check MySpace has no code to protect against scripts that create user accounts and spam the living daylights out of everyone and anyone. Today alone I received 10 friend requests and about a half dozen spam emails.

MySpace doesn't listen to its user base when it comes to flaws. They, like Apple, have to be slapped in the face with the flaws in order to listen. Remember what Microsoft was like? Apple is like that now, so is MySpace, and about a dozen other companies, to include linux fanboys. NOTHING is completely secure, and until people realize this fact, the more people like me will be frustrated.

WAKE UP! MySpace needs this, it isn't juvenile, it isn't malicious, its getting a company to wake up and realize they are NOT secure, and that they HAVE flaws, and above all, knock their damn ego down a few pegs. Everyone cheered when people beat the crap out of Microsoft, but when they turn the tables on other companies, everyone cries foul.

Bug Filing Number 1

Status: OLD

Severity: Major

Reproducible: Always

Description: MySpace is filled to the brim with whiny, middle-class, suburbanite, emo kids whining about how emo their life is and how they like to listen to emo music while cutting themselves.

Solution: Delete Myspace.

Re:Bug Filing Number 1

[Watson+Ladd]

If they truly were emo, they wouldn't be cutting. Replace emo with whiny.

Re:Bug Filing Number 1

[Paulrothrock]

Actually, LiveJournal's cornered the market on emo kids. MySpace is more about the people who give the emo kids wedgies.

Re:Bug Filing Number 1

[dwater]

wtf is 'emo'?

but...

[netdur]

myspace itself is a bug

Re:but...

[Rakshasa+Taisab]

Some complain that the "Month of MySpace Bugs" should have moved to May, so as to avoid the unfortunate collision with the "Stealing Candy from Babies Day".

Re:but...

[Valdez]

Myspace is a FEATURE.

In the old days, when stumbling around teh Intertron, you'd never know when you'd be blasted in the face with godawful web design.

Now, just check the domain name... if it's got myspace anywhere in it, you can be sure you'll get a page of blinking text, horizontal scrolling, fixed page backgrounds, and text the same color as it's container table (you know, the kind you have to select to read).

Myspace is to crappy web design as goatse is to anal porn.

Question for slashdot

Can someone tell me why, after all this time, a website as popular as MySpace is still rampant with bugs? I mean.. wouldn't the majority of them be fixed by now, considering how much profit MySpace makes?

And no I don't use MySpace...

Re:Question for slashdot

[DrSkwid]

I don't know what class of bug they will reveal but most XSS stuff is tricky to weed out when you let users freely upload.

See how many of these you would check for :

http://ha.ckers.org/xss.html

PEBKAC

[mdboyd]

My feelings about MySpace are that if users are too unintelligent to create a basic website, they shouldn't have a website at all. A lot of the scams I see users getting caught up in on MySpace are basic Phishing scams that trick them into downloading executable files which infect their machines. Sometimes making something too easy to do is a bad thing. While some of the blame probably lies with MySpace and lack of user safety (I can't make any claims because I don't use the service), it's ultimately up to users to choose what not to download and run on their computer regardless of what website it's on. I believe the course is title Internet Common Sense 101.

Re:PEBKAC

[maxume]

Also, there should be more intelligence testing before we let people read books. Stupid people might make some bad conclusions or something.

Re:PEBKAC

[mdwh2]

My feelings about MySpace are that if users are too unintelligent to create a basic website, they shouldn't have a website at all.

And there was me thinking that it's better to use existing tools than to reinvent the wheel (not that I think MySpace is a good tool, but that's another matter).

Re:PEBKAC

[uqbar]

While the snotty attitude works on slashdot, in the real world intelligent, but not terribly tech savvy people have real uses for this technology. There are lots of similar sites that don't have the massive number of XSS exploits and related scams you see on MySpace. It's mind boggling that they haven't figured out how to even come close to shoring up these problems.

And when someone spots XSS redirects on an account, you'd think that all links to the phishing page would be cleaned up - but I've seen the same redirect logon page URL go for weeks, appearing on account after account.

While catching XSS at the parser output level would be better, MySpace doesn't even do the less desirable but easier approach of blacklisting known phishing URLs from scripts.

Other social networking sites manage this - why not the biggest and best funded one?

Business Model?

[phantomcircuit]

Their entire business model is basically to get other people to generate cool stuff and then put their ads next to it.

Restricting myspace in anyway would quickly lead to less interesting stuff and thus less ad revenue.

I thought...

[adez]

I thought every month was the month of myspace bugs.

Re:I thought...

[UbuntuDupe]

That's been my feeling as well. Someone sent me a link to someone's myspace site a few months back, and when I got there, someone had just completely trashed the page. Everything was just strewn all over the place without any rhyme or reason. Whoever defaced the site also made some crappy music download and play whether you wanted to hear it or no and with no obvious way to silence it. If you clicked on a link to go anywhere, it would for some reason just take you to a login screen. WTF?

I hope that got that bug patched up.

Re:I thought...

[Mr+Z]

Hint: That "login page" was really a phishing page.

Bug Filing Number 2

[VirusEqualsVeryYes]

Status: OLD

Severity: Major

Reproducible: Always

Description: MySpace is like an ugly hooker; you wonder how she gets so much action when she's so hideous.

Solution: Bring the web designer from the 90's back to the present. Will need: flux capacitor, 1.21 jigawatts.

Monoculture

[Herby+Sagues]

What I don't get is the "monoculture" comment. These guys are complaining that all the web servers are using the same software? Or that the different layers are using the same platform? In neither case having a more diverse platform would reduce the number of bugs or make them less serious. That's especially true for cross site scripting exploits and the like. Having two differetn web servers would not reduce the number of exploits or their seriousness, it would actually probably double them and make them more difficult to diagnose. And having heterogeneous layers wouldn't make a difference at all. I just don't get it.

Re:Monoculture

[FLEB]

Recall the recent quote-unquote "cross-site" exploits stealing info. Although some people blamed things like form autofill, the real problem was that the server name was the same, so the pages created by separate people, which should have been cordoned off from each other, were under the same hostname and therefore the same website for all intents and purposes. I recall LiveJournal having problems like this, which were solved in part by making each user page a subdomain. I suppose this really isn't a "monoculture" problem, but it's certainly an issue with throwing everyone in the same bin, especially when people are given so much power over their page's logic and presentation.

Content

[StarKruzr]

Am I the only one who thinks MySpace's UI is incredibly ugly and poorly-put-together?

And why is it that as of a couple years ago everyone is "in your extended network?" Is there even an "extended network" anymore?

Re:Content

[Kraeloc]

It's because Tom, in his infinite genius, set himself as a default friend of all new users. And most users are too damn stupid to remove him. And since EVERYONE is friends with Tom, everyone is in the same extended network. It renders that feature completely useless, and is a good indicator of the amount of though they actually put into the design.

Re:Content

[parkrrrr]

Am I the only one who thinks MySpace's UI is incredibly ugly and poorly-put-together?

Nope. It's about the worst-written thing on the Internet today.

Just try writing your own CSS for your profile page. There's no consistent use of classes or IDs, what classes there are are named for their default formatting characteristics rather than their usage (e.g. "whitetext12"), the whole thing is made up of generically-named or anonymous nested tables to an extent that would have made even a mid-nineties "web programmer" ashamed, and there's even completely illegal HTML. For example, your profile page probably contains this construct: <tr id=Body type:Row>. Note the lack of quotes around what I assume was supposed to be an ID.

Don't even try to run a validator against a MySpace profile page. It makes Slashdot look well-written.

And they'll never be able to fix any of these bugs, because it'll break all of the customizations that their script-kiddie user base has cut-n-pasted from some third-party website and then forgotten about.

And probably about half the times I try to log in to MySpace, I instead get an error message telling me that I must be logged in to do that. That's right: I have to be logged in to log in.

Re:It's funny because

[SadGeekHermit]

Look, I couldn't care less about MySpace. I don't use or read the site.

My problem is that these "month of X bugs" are coming out for lots of vendors and platforms that in turn serve a WHOLE lot of companies and websites.

This trend is a rotten, rotten idea.

You don't get people to wear bulletproof vests by giving free Saturday Night Specials to every degenerate who wants one.

The whole practice stinks.

Okay

[StarKruzr]

so you're more criticizing the practice in general than MySpace as a target.

Fair enough. What is the proper way to go about getting big vendors like this to fix their security holes, then? If someone with a generally white-hat motivation doesn't do it, someone less benevolent will eventually.

Re:Okay

[SadGeekHermit]

As a database administrator and programmer, I'd have to say this:

You send the vendor one copy of your bug report, and you send the other copy to CERT. You open a service request to fix the problem, and you let the vendor know you consider it severe.

If this doesn't work, you try to come up with a workaround yourself. If you can come up with a workaround, you publish it. But you don't publish an exploit! You publish enough information on the problem that a fellow admin will be able to verify that it IS a problem, without giving him enough to roll his own exploit.

Maybe you talk to some of your developers, see if they can't help you put together a fix.

Maybe you talk to some of your friends from the local database or server user group.

You work the problem, you fix the problem, and you publish the fix.

THAT is how it's done.

Again, you should never, ever, EVER publish enough information to create a working exploit. Some of these people actually publish sample exploit code!!! So if an exploit wasn't in the wild before, it sure would be afterwards!

It's just not the way things ought to be done.

I'm probably just crazy, but...

[sub67]

Am I the only person thinking April Fool's? Imagine all the traffic these guys could generate with the myspace hordes hammering their site on apr. 1 trying to learn how to hax their ex girlfriend's accounts and what could potentially be done from there.. Obviously it's just speculation...but *shrug*

Discrimination

[RealGrouchy]

I think it is discriminatory to post this story on Slashdot: any comments from your "average" MySpace user will likely get modded "-1 Incomprehensible".

- RG>

Spam friend requests

[CmdrPorno]

What about the "bug" wherein bots send spam friend requests (usually, the bot is a female with links to AdultFriendFinder in her profile, and the recipient is male)? What is Tom doing about that? Because I get one of those about every day.

11 types

[hduff]

There are 11 types of people in the world, those who know binaries and those who don't.

At the risk of being labeled a pedant, that joke is only funny if you use 'binary' instead of 'binaries'; those are different things. It's almost like people who 'duel' boot their computers or ask you to 'bare' with them, except those are unintentionally funny. Homophonic Joke ----> O -+- | - Product of American Public Education / \ "Obviously, the 'Three R's' don't include spelling."

Re:11 types

[JFitzsimmons]

I could be categorizing myself into the not-understanding group here but 11 in binary is 3 in decimal. GP's sig only lists two. /shrug

Re:11 types

[DrSkwid]

As a pedant I'd like to ask how you know :

1) That I intend my sig., to be a joke
2) That if so, you are in on it

Re:11 types

[DrSkwid]

There's more than one binary encoding.

Even in BCD there are these encdoings for 2:

2 0010 0101 0010 0110 0010

I'm just trolling for people that think they know what they're on about and love to correct others.

You're not one of those so have a nice day :)

Quick easy one line fix for all Myspace bugs

[britneys+9th+husband]

127.0.0.1 myspace.com

Tom

[StarKruzr]

I haven't been friends with him in ages. Is it because I'm friends with people that ARE?

Re:Tom

[Kraeloc]

Probably.

small change

[Bill,+Shooter+of+Bul]

All platforms have holes in them.

We're encouraging fixing MySpace?

[SlappyBastard]

Isn't this sort of like trying to amputate legs from a four-legged duck?

Uhh In case you missed it..

[paynesmanor]

popular sites are.. At least it's only going to be for "fun" and not a real attack.. The web only appears safe, as the hackers have found better ways to cause havoc, then giving people viruses that destroy there data. I think this is going to be an interesting wakeup call to all the sites and users of that site. People should not be misled, as it's not just the security of the website that is being compromised, it is the personal computers too. People need to face the fact that just typing in a url and pressing enter, could be asking for a virus.

Re:Myspace allows XXS redirect for malware executi

[Fred+Ferrigno]

I'll be the first to chant the "MySpace sucks" mantra, but you're telling me an IE exploit (your words) is MySpace's responsibility?

Is that really enough time?

[JonnyO]

I'd imagine they could take all of Q2 with this one.

oh okay

[muzzafarIT073407]

Myspace's Tom might be busy updating his Friendster account i might say

Graphical Exploit?

[br0d]

I want them to address the vulnerability which allows people to post pictures which depict themselves as 1o times hotter than they actually are.

Re:Myspace allows XXS redirect for malware executi

[kchrist]

The cross-site scripting exploit certainly is. I think the original poster was saying that someone is taking advantage of XSS exploits in Myspace to redirect users to a page containing an IE6 exploit.

Regardless, if Myspace allows people to upload/embed JavaScript, they are definitely at least partially at fault. This is basic web application security 101.

Apparently you didn't read the parent.

[StarKruzr]

How completely unsurprising, coming from an arrogant narcissist completely cocksure (so to speak) of his own brilliance.