Google Releases a Web-App Case Study For Hackers

← Back to Stories (view on slashdot.org)

Google Releases a Web-App Case Study For Hackers

Posted by timothy on Wednesday May 5, 2010 @08:49AM from the just-this-once dept.

Hugh Pickens writes "The San Francisco Chronicle reports that Google has released Jarlsberg, a 'small, cheesy' web application specifically designed to be full of bugs and security flaws as a security tutorial for coders, and encourages programmers to try their hands at exploiting weaknesses in Jarlsberg as a way of teaching them how to avoid similar vulnerabilities in their own code. Jarlsberg has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The codelab is organized by types of vulnerabilities." (Read on for more.) "In black box hacking, users try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior while in white-box hacking, users have access to the source code and can use automated or manual analysis to identify bugs. The tutorial notes that accessing or attacking a computer system without authorization is illegal in many jurisdictions but while doing this codelab, users are specifically granted authorization to attack the Jarlsberg application as directed."

95 comments

Min score:

Reason:

Sort:

That's brilliant by Jay+L · 2010-05-05 08:54 · Score: 3, Funny

The hard part, though, will be keeping up with all the patches for 0-day missing-vulnerabilities.
1. Re:That's brilliant by FuckingNickName · 2010-05-05 09:20 · Score: 0, Troll
  
  Let me guess, we'll learn:
  - Sanitise input so random commands can't be executed on the server;
  - Don't allow upload of random files such as malformed JPGs which can include executable code;
  - Don't allow upload of HTML snippets which can contain cross-site scripting vulnerabilities;
  - Don't use session ID info which can be copy-pasted elsewhere, especially not corresponding to other people's accounts;
  - Don't do anything Google hasn't thought of, or they'll get pissy. Remember, you're only allowed to be as secure as Google thinks they are!
  Continue the list, guys...
2. Re:That's brilliant by networkBoy · 2010-05-05 09:31 · Score: 3, Interesting
  
  Five bucks says we start seeing this code in copy-paste applications soon because people too lazy to write and understand the code they're producing are also to lazy to look where the code came from...
  
  --
  whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
3. Re:That's brilliant by Anonymous Coward · 2010-05-05 09:35 · Score: 0
  
  We hate you too.
4. Re:That's brilliant by calmofthestorm · 2010-05-05 10:32 · Score: 1
  
  I suspect that Google has this so sandboxed to hell they don't give a fuck what you do to it. VM inside a VM inside a VM inside a VM rebooting and losing state every 5 minutes sounds about right. Also alternate between linux and windows in the VMs, and make sure to run Norton antivirus on all hte Windows ones.
  For optimal security, randomly vary the VM recursion depth so attackers can't figure it out.
  
  --
  93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
5. Re:That's brilliant by NatasRevol · 2010-05-05 10:52 · Score: 1
  
  Norton would slow the VMs down too much....
  
  --
  There are two types of people in the world: Those who crave closure
6. Re:That's brilliant by calmofthestorm · 2010-05-05 10:58 · Score: 1
  
  Good point, we can replace it with a busy waiting process that also thrashes disk, only just a little bet less. Save RAM too.
  
  --
  93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
7. Re:That's brilliant by fractoid · 2010-05-05 16:50 · Score: 3, Funny
  
  Five bucks says we start seeing this code in copy-paste applications soon because people too lazy to write and understand the code they're producing are also to lazy to look where the code came from...
  I hate you for how plausible that sounds.
  
  --
  Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
8. Re:That's brilliant by networkBoy · 2010-05-06 02:02 · Score: 1, Funny
  
  that's what I'm here for ;)
  
  --
  whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
9. Re:That's brilliant by Anonymous Coward · 2010-05-06 05:58 · Score: 0
  
  That's pretty much what it teaches, including the bit about not doing anything Google haven't suggested. But enjoy your down-mod for implying that Google aren't the pinnacle of insight.
Right on by cbev · 2010-05-05 08:55 · Score: 0

It sounds like a fantastic idea. My favorite course in college was a security course, and the message there was to 'think like an adversary.' At the very least, could be motivation to get more people interested in computer science.
Try Jarlsberg, the newest app from Google... by Anonymous Coward · 2010-05-05 08:59 · Score: 4, Funny

It's odd to see Google striving to be like Microsoft.
1. Re:Try Jarlsberg, the newest app from Google... by Anonymous Coward · 2010-05-05 19:48 · Score: 0
  
  Another proof that Micro$oft is years ahead of google and the rest of them.
2. Re:Try Jarlsberg, the newest app from Google... by Anonymous Coward · 2010-05-06 07:30 · Score: 0
  
  What on earth does that mean?
" designed to be full of bugs and security flaws " by Anonymous Coward · 2010-05-05 09:00 · Score: 0

Obligatory - um, do I really have to say it?
Is Google by Anonymous Coward · 2010-05-05 09:01 · Score: 0

now a botnet?
Yours In Perm,
K. Trout
Re:" designed to be full of bugs and security flaw by pwnies · 2010-05-05 09:02 · Score: 1

...yes?
Jarlsberg by clone53421 · 2010-05-05 09:02 · Score: 5, Informative

For those who missed the reference, Jarlsberg is a variety of cheese which has large, irregular holes.

--
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
1. Re:Jarlsberg by debile · 2010-05-05 09:12 · Score: 0
  
  This name is so cheesy!
2. Re:Jarlsberg by WrongSizeGlass · 2010-05-05 09:43 · Score: 1
  
  But is it as cheesy as the Moon?
3. Re:Jarlsberg by Jarlsberg · 2010-05-05 16:35 · Score: 2, Funny
  
  Everybody loves Jarlsberg. Especially me.
How is that news? by gksmith · 2010-05-05 09:10 · Score: 0, Troll

Microsoft has been doing that for decades with such products as Windows and Office.
1. Re:How is that news? by Weazol · 2010-05-05 09:16 · Score: 1
  
  pwned. It is a great idea however it is lacking an achievement system.
2. Re:How is that news? by Anonymous Coward · 2010-05-05 09:28 · Score: 0
  
  Microsoft was just trying to copying Linux (at least that's what you freetards claim).
How long... by Thelasko · 2010-05-05 09:13 · Score: 0

until Jarlsberg is blocked by all of the major security providers?

--
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
For those who may ask... by Juba · 2010-05-05 09:16 · Score: 4, Funny

The webapp is written in Python.
1. Re:For those who may ask... by kuzb · 2010-05-05 11:40 · Score: 1
  
  ...which is silly, considering it's far from the most popular language for writing web applications.
  
  --
  BeauHD. Worst editor since kdawson.
2. Re:For those who may ask... by lonecrow · 2010-05-05 15:05 · Score: 1
  
  Perhaps the point is that it is not the tool it is how it is used that counts.
3. Re:For those who may ask... by kuzb · 2010-05-05 15:32 · Score: 1
  
  If you're going to teach vulnerabilities and possibly how to exploit them, it's stupid to use a tool that very few people (comparatively speaking) use. The idea here is to show people the problems and give them a means to see the problems in action. Of course, most people will have to learn a new language in order for this to be useful which diminishes the effort.
  
  --
  BeauHD. Worst editor since kdawson.
4. Re:For those who may ask... by lonecrow · 2010-05-05 17:12 · Score: 2, Insightful
  
  OK So lets consider the two major attack types: Cross site scripting (XSS) and sql injection SQLi.
  
  If I am launching a XSS attack against your website I don;t really care what language its scripted in do I? I just try to defeat what ever process your using to sanitize my text.
  
  For a SQL injection attack I would think the database engine is more important to know than the script that is passing the crappy dynamic sql to it.
  
  I am not much of a hacker, I just try to defend my sites the best I can. In all my research very little is language specific.
5. Re:For those who may ask... by totally+bogus+dude · 2010-05-05 17:45 · Score: 1
  
  The point isn't really for you to attack the site. The point is for people writing web applications to look at this deliberately and openly buggy application and see the similarities to their own code. If they can't easily understand the Jarslberg code then they might not make that connection, thus defeating the whole point of the exercise.
  Most of the things they're demonstrating are obvious and well-known to anyone who actively thinks about security and sanitisation of user-supplied data. So while you can argue that any good programmer with knowledge of a handful languages would be able to easily understand Python code, it's not really aimed at the good programmers in the first place.
6. Re:For those who may ask... by lonecrow · 2010-05-05 19:00 · Score: 1
  
  Your right in the sense that if you don't speak python you will have trouble with half the value from this site. Half the value is that you can walk through the attacks and understand how they work which has nothing to do with the app source code.
  
  The other half of the value is being able to walk through the source and see where the programmer could have plugged some holes. I suspect anyone taking the time to use this site will be able to muddle through. And of course everything google does starts in python then later they maybe add java. I would love to use app engine but I am not strong enough in java yet. (do they even support java on app engie?)
  
  There are other pen test websites like this. You can download hacme bank its in vb.net I think. http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
7. Re:For those who may ask... by negRo_slim · 2010-05-06 05:24 · Score: 1
  
  Of course, most people will have to learn a new language in order for this to be useful which diminishes the effort.
  It's not like you have to be fluent in a language to understand the code to some degree. There are a lot of concepts in programming that transfer amongst the various languages and it would take no more than a trip to Wikipedia to see how any language works in relation to any other.
  
  --
  On the Oregon Cost born and raised, On the beach is where I spent most of my days
8. Re:For those who may ask... by kuzb · 2010-05-06 07:36 · Score: 1
  
  The problem here is once you know something can be done, you need to know the best ways to avoid doing it. Each language has its own pitfalls, and identifying the bad code and how to deal with it is the really important part of this exercise. Basically, knowing there is a problem, and knowing how to fix the problem are different things.
  I'm not trying to say what Google has done is a bad thing - I just think it would have made more sense to cover popular languages. This would have a greater benefit to the world.
  
  --
  BeauHD. Worst editor since kdawson.
9. Re:For those who may ask... by Anonymous Coward · 2010-05-06 18:05 · Score: 0
  
  I see 14 black box and 6 white box challenges. Unless you're peeking at the code when you're not supposed to the language doesn't matter most of the time
a tutorial from China by FuckingNickName · 2010-05-05 09:16 · Score: 0, Flamebait

would be better. I have no trust in being taught security principles by a closed source company whose greatest asset is information about me.
All the good security texts are by people who are open with their ideas, open with their methods and open with their code.
1. Re:a tutorial from China by Spad · 2010-05-05 09:20 · Score: 2, Insightful
  
  ...while in white-box hacking, users have access to the source code and can use automated or manual analysis to identify bugs.
  Those closed source bastards!
2. Re:a tutorial from China by FuckingNickName · 2010-05-05 09:26 · Score: 1, Informative
  
  Android is built on Linux, which is open source. Google's apps on Android are closed source.
  Chromium is built on WebKit, which is built on KDE's HTML rendering engine, which is open source. Chrome is closed source.
  So even when they're taking great advantage of open source, like Apple, they can't resist making sure the full kaboodle is closed. And these are just just their minor projects.
  Their major search thing is as closed as they promised it wouldn't be (though no-one remembers that any more).
3. Re:a tutorial from China by Lunix+Nutcase · 2010-05-05 09:30 · Score: 1
  
  *yawn* Come back to us when you show us when they've open sourced the adsense/adwords platform, or all their Linux kernel changes they've kept to themselves, or GoogleF, or their PageRank code. You know, things that are actually fundamental to their revenue stream.
4. Re:a tutorial from China by Darkness404 · 2010-05-05 09:39 · Score: 1
  
  However, for both Android and Chrome, you can easily roll your own version without much trouble. Yeah, Google applications are nice on Android, but you can use alternates.
  
  So even when they're taking great advantage of open source, like Apple, they can't resist making sure the full kaboodle is closed. And these are just just their minor projects.
  
  However, Google does a lot more to foster openness than Apple. Google doesn't like locked-down Android phones (otherwise why would they release the Nexus One?), Apple however seems to love having a closed platform.
  
  Their major search thing is as closed as they promised it wouldn't be (though no-one remembers that any more).
  
  Well of course it is closed. It is more or less a trade secret. If PageRank was open source, Google would be no more. However, unlike closed source programs, it doesn't hinder usability and it works better than competitors.
  
  --
  Taxation is legalized theft, no more, no less.
5. Re:a tutorial from China by Anonymous Coward · 2010-05-05 09:48 · Score: 0
  
  It's flamebait to not trust Google? I'm not sure I like the 'net any more.
6. Re:a tutorial from China by Anonymous Coward · 2010-05-05 09:57 · Score: 0
  
  Come back to us when you provide full access to all your code that you base your business on. You know, what you earn money from. The thing that puts food on your table, pays the rent, allows your children to have all their toys.
  Oh, I'm sorry. Your living in your parents basement and don't have to earn a living.
7. Re:a tutorial from China by FuckingNickName · 2010-05-05 10:05 · Score: 1
  
  Well of course it is closed. It is more or less a trade secret.
  Yeah, that's everyone's excuse for closed source.
  
  If PageRank was open source, Google would be no more.
  I didn't realise Google were such a one-trick po.. OK, yes I did. Good! Let them "innovate" in better ways than by hiding their super sekrit algorithms from each other. No wonder there's been so little advance in search quality over the past decade.
  
  However, unlike closed source programs, it doesn't hinder usability and it works better than competitors.
  Sometimes it does, sometimes it doesn't. There are half a dozen good search engines and, if you're just using Google, you're getting a fairly skewed view of the web. And it certainly hinders usability that others can't improve PageRank!
8. Re:a tutorial from China by FuckingNickName · 2010-05-05 10:10 · Score: 1
  
  Almost all the code I've deployed since 2001 is or has been (in cases where it's way too outdated to be usable) available publicly. I shan't link to it, because it'd link my real identity to my /. account - I value privacy, even though most of today's 'net users don't.
  The first and only office-y job I had before that, before self-employment, guarded its code jealously. While I went some small way to opening things up, they weren't that interested. Since then I've been able to fully form and stick to principle.
  Try again.
9. Re:a tutorial from China by Bromskloss · 2010-05-05 11:06 · Score: 1
  
  Their major search thing is as closed as they promised it wouldn't be (though no-one remembers that any more).
  I didn't know they had promised that. Do you have a link?
  
  --
  Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
10. Re:a tutorial from China by Lunix+Nutcase · 2010-05-05 11:30 · Score: 1
  
  Oooh ice burn! The fact of the matter is that Google is not an open source company. No one would accept people claiming that Microsoft is an open source company by pointing out how they have open sourced the ASP.NET MVC framework. Just because Google has open sourced some pet projects that have little to no bearing on their revenue stream doesn't make them an open source company.
11. Re:a tutorial from China by Capt.+Skinny · 2010-05-05 13:48 · Score: 1
  
  It's one thing to promote open source (I think it's great myself), but I'll never understand disdain for closed source. If someone wants to spend their time or money producing code, what they do with it is up to them. If you don't like it, don't use it -- but at least respect the freedom of choice of the person or organization that wrote it.
12. Re:a tutorial from China by FuckingNickName · 2010-05-05 20:45 · Score: 1
  
  I don't "respect" Google, and the only reason I wouldn't use their code commercially (with correct attribution) if I found it lying in the middle of the road is that I might face legal problems. If you don't want an idea shared, don't tell it to anyone, and I'll respect your right not to be tortured or otherwise forced to reveal it. Otherwise respect my freedom of choice to speak what I know.
  But you're strawmanning, because my argument was simply to never trust a security lesson from an outfit like Google. Since my previous posts, I've gone through it, and it turns out the tutorial is so basic and rendered redundant by many far more in-depth security challenges on the web.
13. Re:a tutorial from China by Anonymous Coward · 2010-05-06 03:29 · Score: 0
  
  What does open/closed source have to do with this? And just because you already know everything about security doesn't mean that other people do. Everyone has to start somewhere. Otherwise Slashdot for Dummies wouldn't be such a big seller!
14. Re:a tutorial from China by FuckingNickName · 2010-05-06 05:23 · Score: 1
  
  What does open/closed source have to do with this?
  Yes, why not trust the motives of people who keep everything a secret?
  
  Everyone has to start somewhere.
  Absolutely. But a little learning is a dangerous thing where security is concerned - by the writers too, it seems, since they come out with stuff like Python implying imperviousness to buffer overflows (another commenter has covered this well in the posts he links to).
  I'd have let them get away with it if they'd chosen a more honestly self-deprecating title. How about, "Brief introduction to inherent problems with the HTML application model we're obsessed with, and necessary workarounds"?
15. Re:a tutorial from China by negRo_slim · 2010-05-06 05:30 · Score: 1
  
  Yeah, that's everyone's excuse for closed source.
  Then don't use the products? For Christ's sake man your going to have to put up with a mixed eco system, hegemony is not going to be a good thing regardless of whether it's closed or open source.
  
  There is nothing that says you are entitled to effective search, or entitled to a pointless touchscreen "phone" (sorry they are nothing more than two way radios to me and I can't understand people spending more than 50 bucks on a phone, but that's my problem).
  
  You can avoid all the closed source stuff in the world and shut that trap of yours, no one is stopping you.
  
  --
  On the Oregon Cost born and raised, On the beach is where I spent most of my days
16. Re:a tutorial from China by Anonymous Coward · 2010-05-06 10:41 · Score: 0
  
  So you don't drink Coca-Cola or eat Big Macs or KFC, right? These companies all keep their ingredients secret and *advertise* that fact. FYI, the only major soft drink brand with no secret ingredients is 7UP.
  Funny for you to criticize the title when your post is titled "a tutorial from China". I think every book on programming should be titled "hey, get a clue, there's no way that reading a book is going to teach you programming".
Carte blanche to hack Google? by Anonymous Coward · 2010-05-05 09:18 · Score: 0

Any cracker who comes along and attacks Google will now be able to say that they were doing it as part of this project. Yes, I realize there are many disclaimers, but it will be at least an appearance of an excuse were none previously existed.
1. Re:Carte blanche to hack Google? by ceejayoz · 2010-05-05 10:01 · Score: 1
  
  Oh, bullshit. By that logic, a speed limit sign in one location would invalidate speeding tickets for all other locations.
Obligatory by Yvan256 · 2010-05-05 09:20 · Score: 3, Funny

Customer: Jarlsberg, perhaps?
Owner: Ah! We have Jarlsberg, yessir.
Customer: (suprised) You do! Excellent.
Owner: Yessir. It's..ah,.....it's a bit runny...
Customer: Oh, I like it runny.
Owner: Well,.. It's very runny, actually, sir.
Customer: No matter. Fetch hither the cheese of Norway! Mmmwah!
Owner: I...think it's a bit runnier than you'll like it, sir.
Customer: I don't care how fucking runny it is. Hand it over with all speed.
Owner: Oooooooooohhh........! (pause)
Customer: What now?
Owner: The cat's eaten it.
Customer: (pause) Has he.
Owner: She, sir.
1. Re:Obligatory by idontgno · 2010-05-05 10:02 · Score: 1
  
  Well cited, Mostly. Although the particular part you cite is actually the "Camembert" portion of the skit.
  However, the names of the customer (Mousebender) and the proprietor (Wensleydale) are known. As, apparently, all the cheeses named in the sketch.
  Which, if you think about it, says as much about Wikipedia as it does about Monty Python or the Jarlsberg web app.
  
  --
  Welcome to the Panopticon. Used to be a prison, now it's your home.
This is a joke. by MyLongNickName · 2010-05-05 09:21 · Score: 1

i followed the link and ended up at microsoft.com. Really funny Google... reallly funny.

--
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
1. Re:This is a joke. by Bat+Country · 2010-05-06 06:44 · Score: 1
  
  Meth: not even once.
  
  --
  The land shall stone them with the bread of his son.
Re:First Post by drougie · 2010-05-05 09:22 · Score: 0, Offtopic

man I hate you guys..

--
Calling out bogus battery capacity claims.
Cheesy web-app full of bugs by MyLongNickName · 2010-05-05 09:24 · Score: 1

Should Slashdot really be throwing stones?

--
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
Ooh, cheese! by dangitman · 2010-05-05 09:31 · Score: 3, Funny

Cheese is a kind of meat
A tasty yellow beef
I milk it from my teat
But I try to be discreet
Ooh, cheese.
Ooh, cheese.

--
... and then they built the supercollider.
HackThisSite by brainfsck · 2010-05-05 09:50 · Score: 3, Informative

I had fun messing around on the site. If you're interested in this sort of thing, HackThisSite.org has about a dozen similar "Realistic Missions" as well as forums and many other types of security-related challenges.
Re:I do the same thing by Anonymous Coward · 2010-05-05 09:57 · Score: 0

Google have got to that hubris stage of hiring random pretty women with low qualifications, and their security product is shitty articles rather than, you know, essential stuff like intrusion detection. Whence the IE leak - imagine what else has been achieved by governments and organised criminals!
This is why I left accountancy... the big firms were rife with this behaviour, and while it was fun for a while, working became impossible once you saw that competence was being replaced with eye candy.
Web Goat by dhadley519 · 2010-05-05 10:17 · Score: 4, Informative

Interested parties should also be aware of web goat by the owasp team. http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
1. Re:Web Goat by halcyon1234 · 2010-05-05 14:06 · Score: 5, Funny
  
  Yeah-- as a rule of thumb, I don't follow any link on Slashdot that matches /^.*goat.*$/i
  
  --
  UTF-8: There and Back Again
2. Re:Web Goat by Kesch · 2010-05-05 14:34 · Score: 1
  
  I hear it features some pretty impressive holes.
  
  --
  If this signature is witty enough, maybe somebody will like me.
3. Re:Web Goat by Anonymous Coward · 2010-05-06 03:01 · Score: 0
  
  /^.*goat.*$/i
  Perhaps you meant /goat/i ? No need for anchors and dot-star matching.
Subliminal Job Application by everweb · 2010-05-05 10:24 · Score: 1

Is this another Google talent scout tool like their billboard of a few years ago ? Find the hidden easter egg and you're given a phone number at Google HR to call...
1. Re:Subliminal Job Application by FuckingNickName · 2010-05-05 10:46 · Score: 1
  
  That was barely a challenge - probably more to gauge how many people were paying attention. GCHQ put out some interesting challenges from time to time (not all of which are still on their site, so look further if you're searching).
Is this software... by fotoguzzi · 2010-05-05 10:27 · Score: 1

...Beta?

--
Their they're doing there hair.
Fine print in the last line... by Hylandr · 2010-05-05 10:43 · Score: 1

"As Directed"...

--
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
Check out smashthestack.org by Anonymous Coward · 2010-05-05 11:35 · Score: 0

There's a few different games to be played. Different games are located on different SSH ports (2222-2227).
While I don't have any involvement in this, I know my friend helps host one of them, and to get started visit http://logic.smashthestack.org:88
It's fun and will make you think... it can actually get quite aggravating when you can't beat a "level" because you're over thinking it lol. The games involve PHP exploits, buffer overflow, etc. Give it a try!
Griefers, unite by halcyon1234 · 2010-05-05 14:17 · Score: 1

AppEngine will start a new instance of Jarlsberg for you, assign it a unique id ... http://jarlsberg.appspot.com/123/ (where 123 is your unique id). If you want to share your instance of Jarlsberg, just share the full URL with them including your unique id.
...it is possible to put your Jarlsberg instance into a state where it is completely unusable. If that happens, you can push a magic "reset button" to wipe out all the data in your instance and start from scratch. To do this, visit this URL with your instance id: http://jarlsberg.appspot.com/resetbutton/123

I think I've spotted a vulnerability:

$griefingIsFun = 0; while (1) get("http://jarlsberg.appspot.com/resetbutton/" . $griefingIsFun++);

--
UTF-8: There and Back Again
1. Re:Griefers, unite by Vroo · 2010-05-05 17:14 · Score: 1
  
  There's a captcha there.
Re:I do the same thing by Anonymous Coward · 2010-05-05 14:27 · Score: 0

at least with accounting firms, the cute trim is an unstated part of what the client is paying for
in silicon valley the tendency is for the entire place to fill up with airhead producers and marketing assistants, and they don't even date the super genius programmers supposedly at the core of the operation
the problem with learning insecurity from web-devs by justinnf · 2010-05-05 15:58 · Score: 3, Interesting

is that they generally don't know wtf they're talking about; I only looked at the part on buffer/integer related overflows; where they take the moment to not only give me flat out wrong advice, but also see fit to try and propagandize me:

"This codelab doesn't cover overflow vulnerabilities because Jarlsberg is written in Python, and therefore not vulnerable to typical buffer and integer overflow problems. Python won't allow you to read or write outside the bounds of an array and integers can't overflow. While C and C++ programs are most commonly known to expose these vulnerabilities, other languages are not immune. For example, while Java was designed to prevent buffer overflows, it silently ignores integer overflow. "

The thing is google of all organizations, and specifically appspot should know better. I mean, I already told them. I mean seriously, look at this.

Of particular interest is: http://bugs.python.org/issue2620 ... reported: 2008-04-11 22:35:37 bug closed: ?????

Just stop with this incessant bullshit 'lol hey my program-by-number language of choice doesnt have memory corruption security issues@#@!#'. It's all assembly at the end, and the processor does whatever you tell it, so everything has this problem. I thought this would be clear from my work, Dowd's actionscript work, nemo's obj-c work, ilja's pascal work, brezinski & mcdonalds ruby work, et cetera.

In short, when you try to talk about things you don't know, especially in the realm of security; you do more harm than good.
Re:" designed to be full of bugs and security flaw by fractoid · 2010-05-05 16:51 · Score: 1

NI!

--
Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
it's python by story645 · 2010-05-05 18:09 · Score: 1

so while you can argue that any good programmer with knowledge of a handful languages would be able to easily understand Python code, it's not really aimed at the good programmers in the first place.
It's aimed at someone who's familiar enough with programming to be doing web dev and serious enough about writing good code to bother using this app. Those people will have no trouble with python, which really isn't all that hard, especially since the apps source is basically self commenting and really clean. I know almost nothing about web dev, but don't have much trouble following the code (granted, I code in python).

--
open source modern art: laser taggi
done by ViralInfection · 2010-05-05 18:34 · Score: 1

http://jarlsberg.appspot.com//saveprofile?action=new&uid=lol&pw=cats&is_author=True&is_admin=True *sigh*, I was expecting more of a challenge from the big G.
hi by katehudson06 · 2010-05-05 18:56 · Score: 0, Offtopic

We’re all waiting for your next article of course. Holiday Apartments Bol
Jarlsberg by GlobalColding · 2010-05-05 19:01 · Score: 1, Funny

For The Cheese!
What a perfect way to prove.... by npcole · 2010-05-05 19:14 · Score: 1

What a perfect way to prove just how fundamentally broken the technologies of the web are. Content, arguments, scripts, user-data....it's all just one big mess. I got to the point about hosting content on separate domains to avoid some XSS attacks and thought: when the security *fixes* look like kludges, something is very, very wrong.
Debug by MortenMW · 2010-05-05 19:49 · Score: 1

http://jarlsberg.appspot.com/your_id/dump.jtl

Admin:secret
brie:briebrie
cheddar:orange
sardo:odras
This isn't anything new by ioexcept · 2010-05-05 23:58 · Score: 1

Not sure why this is making headlines, Microsoft has been doing this for years.
Re:the problem with learning insecurity from web-d by Anonymous Coward · 2010-05-06 01:51 · Score: 0

Pet peeve much?
1. How many people in the world do you think know about this issue? There's info on a Python bug list and slides for a single security conference. Guess what? Very, very few developers, security or not, follow every Python bug or every conference paper. So instead of complaining about how negligent the author is, why don't you just tell HIM about the bug? Get used to the fact that NOBODY in the real world pays active attention to academic advances in any field. If one of these advances is yours, it's up to you to spread the word. Blame the world if you like, but you're the only one who can/will change it.
2. There is no way in hell this codelab does more harm than good. So the author did not mention one attack vector? Of course he didn't. Nobody in the world is aware of every single vulnerability that is conceivably out there. And so you think this means nobody should ever tell others what they know about security? Great idea!
3. There's a big difference between a function breaks in Python because of what will almost certainly be a transient bug in the language implementation, and a function breaks in C++ because it breaks by design. Get off your high horse.
Re:the problem with learning insecurity from web-d by soma · 2010-05-06 04:25 · Score: 1

You're being unfair to the Jarlsberg developers. "not vulnerable to typical buffer and integer overflow problems" is not the same as not vulnerable to *any* such problems. I agree they could be more specific, but it is true that you can't just run off the end of an array in Python like you can in C.
The bug report you refer to is about a flaw in the Python runtime environment, which is in fact a C program, and so is vulnerable to all the same problems as other C programs. To exploit this you have to give Python weird input. To corrupt memory in C, however, you just use regular language features, e.g., increment a pointer.
But anyway, spending your time looking for buffer and integer overflows in web applications is like looking to fix holes in the walls of a house where a tree has destroyed the roof - there are much bigger problems to worry about. Jarlsberg and WebGoat nicely illustrate this.
Reasons for Python by LeoMaheo · 2010-05-08 22:12 · Score: 1

Perhaps the reasons for choosing Python are
1) the application runs on Google's App Engine, which supports (only) Python and the Java VM. (So Google saved lots of time reusing their AppEngine machinery.)
2) Python being an easy to understand language.