PunkSPIDER Project Puts Vulnerabilities On (Searchable) Display
First time accepted submitter punk2176 writes "Recently I started a free and open source project known as the PunkSPIDER project and presented it at ShmooCon 2013. If you haven't heard of it, it's, at heart, a project with the goal of pushing for improved global website security. In order to do this we built a Hadoop distributed computing cluster along with a website vulnerability scanner that can use the cluster. Once we finished that we open sourced the code to our scanner and unleashed it on the Internet. The results of our scans are provided to the public for free in an easy-to-use search engine. The results so far aren't pretty." The Register has an informative article, too.
Funny; my professor just told a networking class recently when discussing vulnerability scanners that it was seriously unethical to scan a system without permission - it would be like walking through a parking lot and checking which cars are unlocked. I think most people would agree with him. This project might have good intentions, trying to encourage the sysadmins to tighten up their security, but I think there's a better way to do it than public shaming.
Well, at least one difference is that when a website gets hacked it is almost always the people visiting the website who are the target because the goal of the hacker is either to grab information about those users from the hacked system or to use the hacked system to distribute exploits to anyone that browses there.
While when a house is broken into, it is basically a problem for the owners of the house and not really anyone else.
So publishing a list of vulnerabilities on websites serves the purpose of shaming the website operators into better protecting their users.
When information is power, privacy is freedom.