April to See Month of MySpace Bugs
An anonymous reader passed us a link to PC World's coverage of the upcoming Month of MySpace bugs. Organized by a pair of wiseacre hackers tired of the 'Month of X Bugs', they are set up to 'highlight the monoculture-style danger of extremely popular websites.' Though it's supposed to be funny, outside security analysts have apparently been consulted on the project. "Though the project, which launches on April 1, has all the appearance of a practical joke one well-known hacker said he'd been contacted by the Month of MySpace team with legitimate security questions. 'Those guys and I have been keeping in touch,' said Robert Hansen, chief executive of Sectheory.com. 'It's funny but it's not a joke.'"
You'd think they'd do a year of MySpace bugs.
"If it kills this Month of Whatever fad, then hurray for everyone, it's over."
I think these guys are on to something. I hope they succeed.
"Give a woman two glasses of wine and some pad thai, and they'll agree to just about anything." the Sports Guy
Bugtraq announced that on May first they will start their 200th consecutive month of Microsoft bugs; give them a nice round of applause!
Which is all the more reason to make sure that no software ever has a really huge user base. It's bad for everybody.
Right now, one major thing that keeps Myspace's user base so incredibly high is the lack of a widely adopted technology like OpenID. Many people get Myspace accounts because they're forced into it in order to communicate reasonably with a friend, and then decide "Oh, what the heck." and build content of their own there as well. I know that's why I have a MySpace account (and, strangely enough, Omnifarious on MySpace isn't me).
Need a Python, C++, Unix, Linux develop
This shouldn't be much of a challenge. According to Netcraft, MySpace uses IIS 6 on Windows Server 2003. While the security of Windows systems has increased dramatically since the days of Windows 95/98/ME, it's still widely known to be an extremely insecure platform, especially when compared to most commercial UNIX systems, most Linux distributions, and the *BSDs.
Where I work, we're considering what system we'll use when deploying some new web applications. We recently audited several ASP-based web applications, and found them to be quite terrible. I don't know if it's a problem with the developers of these products, but those that we tried were full of obvious security holes. Our past development was using WebObjects, and we saw nowhere near the number of obvious flaws that we saw with the ASP-based solutions, even when we had interns developing code.
My personal experience with ASP is fairly limited, but I suspect it may just be the technology itself that hinders secure development. It's much the same case for PHP. With such technologies, there are too many little details and flaws that even an expert programmer can become overwhelmed by. At least we decided to go with a Java-based solution running on Solaris. It's probably not perfect, but I'd wager that it's far more secure than most ASP- or PHP-based web apps.
I have had it happen about 4 times; it's a redirect not properly sanitized (or injected in JavaScript). Each time I'm redirected to http://193.x.x.x/somenasty.html, and it's basically an IE 6.0 exploit. I can guarantee MySpace infects more than half of its users. Sad thing is, no one is going to fix it. But hey, Tom has lots of friends!
I don't use MySpace so I know nothing of their security. But this guy's statement struck me, "Even when they have countermeasures in place... it's trivial to obfuscate to evade their detection mechanisms."
If their security model is based on detecting patterns, then they will never be able to get out of the Red Queen's Race. A properly designed web app has as its core philosophy, "that which is not explicitly allowed is denied". Trying to detect all the possible variants of hacking and denying them is a fool's errand.
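The two comments above (the unsanitized redirect that bounced users to an external host, and the "deny unless explicitly allowed" principle) can be shown side by side with an added example that is not code from the thread or from MySpace. It assumes a hypothetical web app that takes a `next` parameter for post-login redirects; the sample targets and the documentation IP addresses are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample redirect targets, as a `next` parameter might carry them.
SAMPLE_TARGETS = [
    "/home",                                   # legitimate same-site path
    "/profile?id=42",                          # legitimate same-site path with query
    "http://198.51.100.7/somenasty.html",      # absolute external URL (constructed)
    "//203.0.113.5/somenasty.html",            # protocol-relative, resolves off-site
    "/\\203.0.113.5/somenasty.html",           # backslash form some browsers treat as //
]


def denylist_redirect_ok(target: str) -> bool:
    """Pattern-based ("detect the bad thing") check: rejects only targets
    that start with an explicit http(s) scheme. Kept here only to show
    that a denylist lets through forms it never thought of."""
    lowered = target.lower()
    return not (lowered.startswith("http://") or lowered.startswith("https://"))


def allowlist_redirect_ok(target: str) -> bool:
    """Allowlist ("deny unless explicitly allowed") check: accept only a
    plain same-site path. Anything with a scheme, a host, a leading '//'
    or '/\\', or control/whitespace characters is refused outright."""
    if not isinstance(target, str) or not target:
        return False
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    parsed = urlparse(target)
    if parsed.scheme or parsed.netloc:
        return False
    if not target.startswith("/") or target.startswith("//") or target.startswith("/\\"):
        return False
    return True


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return the target if the allowlist accepts it, else a safe fallback."""
    return target if allowlist_redirect_ok(target) else fallback


def compare_policies(targets=SAMPLE_TARGETS) -> dict:
    """For each target, report what each policy decides (True = allowed)."""
    return {t: (denylist_redirect_ok(t), allowlist_redirect_ok(t)) for t in targets}
```

Running `compare_policies()` shows the denylist accepting the protocol-relative and backslash forms while the allowlist accepts only the two same-site paths.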
It's simple: I demand prosecution for torture.
Status: OLD
Severity: Major
Reproducible: Always
Description: MySpace is filled to the brim with whiny, middle-class, suburbanite, emo kids whining about how emo their life is and how they like to listen to emo music while cutting themselves.
Solution: Delete Myspace.
Because they claim they are secure. It's like if someone were to build a big fence around their property, place armed guards, security cameras, and attack dogs, and then boast in a local newspaper that they are secure. You'd have a nice good laugh if it turns out their cleaning lady stole their diamonds.
How we know is more important than what we know.
myspace itself is a bug
"Steve Jobs invented the world" -- Bill W. GATES
Maybe I'm old and crusty, and just not "with it" but being an Oracle DBA and occasional Java developer... I really, really don't like the idea of posting "month of X bugs" sites.
The principled thing to do is to contact the vendor whose software is buggy, and give them a detailed report of all the bugs you found, mailing a duplicate report to CERT to make sure there's at least some pressure on the vendor to fix them.
The UNPRINCIPLED thing to do is to start up a website and post a "month of MySpace bugs" for the whole world to see, which sets every idiot script kiddie out there on an Easter-egg hunt to find vulns.
What's really screwed up about it is this: Let's say Joe Hacker decides to "out" some vendor and spends a month attention-whoring. That vendor may or may not get the bugs fixed before legions of script-kiddies figure out how to use them. MEANWHILE, every sysadmin out there is completely fucked, waiting for the vendor to catch up to the Scavenger Hunt that Joe Hacker decided to kick off with his stunt.
It's not cool, it's not funny, and I wish these assholes would just knock it off.
They should grow up already.
NO CARRIER
I might experience a little schadenfreude, but I also would happily approve of the cleaning lady being thrown into the clink.
Right now, one major thing that keeps Myspace's user base so incredibly high is the lack of a widely adopted technology like OpenID.
How are MySpace and OpenID remotely related? A decentralized social network would be nifty, but OpenID definitely isn't one. In the meantime, better social networks offer open APIs that let you access their friend data.
It has been long established that it is simply NOT POSSIBLE to write software without bugs.
The best that any developer can hope for is to find the bugs quickly and remove them.
Stunts like this only serve to attack a development project without doing anything productive to help fix it.
Your own comment shows that you think the same way: "These guys are idiots, switch to someone else".
They're not idiots. They're just the guys who happened to be arbitrarily chosen for public attack.
And it IS perfectly arbitrary.
Don't try to turn attention-whoring into some noble quest. It's not and never will be.
NO CARRIER
The point is to put pressure on an unresponsive vendor or one with a bad track record to improve. And if you have insecure products on a network you deserve getting hacked. OpenBSD/RBASC are free, and they are never attacked successfully. Attackers are part of the internet environment now, and complaining about it is like complaining about rain making your expensive suit wet when you forgot an umbrella. Sure, it might be expensive to be secure, but that's the tradeoff, and it is not going to change.
Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
Dude, we're not talking about "writing software", we're talking about setting up a website and leaving the default mySQL account active. We're talking about writing shit in php and not escaping user input. We're talking about gross incompetence. There's plenty of it, and yes, the best way to deal with it is public naming and shaming.
How we know is more important than what we know.
That's been my feeling as well. Someone sent me a link to someone's MySpace site a few months back, and when I got there, someone had just completely trashed the page. Everything was just strewn all over the place without any rhyme or reason. Whoever defaced the site also made some crappy music download and play whether you wanted to hear it or not, with no obvious way to silence it. If you clicked on a link to go anywhere, it would for some reason just take you to a login screen. WTF?
I hope they got that bug patched up.
Apology to Ubuntu forum.
But you forget.
This is not the only "month of X bugs" that has happened.
The others were ALL about one or another software package.
I'm saying the general principle is wrong. If you find bugs you should disclose them responsibly. One copy goes to the vendor (or the site owner) and one copy goes to CERT. You don't show the whole world the details of the bug, plus a sample exploit! That's just stooooopid.
NO CARRIER
If you work in the security industry, sure. If you're a user who feels they are getting poor service, you yell it from the rooftops. Think about it this way: if you found out the keyless entry system on your car was broken and any idiot could get into your car with a $2 transmitter, would you go quietly to the company and help them "mitigate" the damage, or would you send this information to your local newspaper or current affairs show so they can tell as many people as possible to steer clear of this manufacturer, since they don't even do basic security checks of their key systems? Anyone who trusts a for-profit entity to "do the right thing" with disclosing their own fuckups is an idiot, and as for CERT, they're just as complacent in cover-ups.
How we know is more important than what we know.
A decentralized social network would be nifty, but OpenID definitely isn't one.
I'm working on it... and the plan is to use OpenID for authentication.
I know you are, but what am I?
"Give a woman two glasses of wine and some pad thai, and they'll agree to just about anything." the Sports Guy
127.0.0.1 myspace.com