Slashdot Mirror

← Back to Stories (view on slashdot.org)

Project Un1c0rn Wants To Be the Google For Lazy Security Flaws

Posted by Unknown on from the always-blame-wordpress dept.

Daniel_Stuckey (2647775) writes "Following broad security scares like that caused by the Heartbleed bug, it can be frustratingly difficult to find out if a site you use often still has gaping flaws. But a little known community of software developers is trying to change that, by creating a searchable, public index of websites with known security issues. Think of Project Un1c0rn as a Google for site security. Launched on May 15th, the site's creators say that so far it has indexed 59,000 websites and counting. The goal, according to its founders, is to document open leaks caused by the Heartbleed bug, as well as 'access to users' databases' in Mongo DB and MySQL. According to the developers, those three types of vulnerabilities are most widespread because they rely on commonly used tools. For example, Mongo databases are used by popular sites like LinkedIn, Expedia, and SourceForge, while MySQL powers applications such as WordPress, Drupal or Joomla, and are even used by Twitter, Google and Facebook."

43 comments

  1. Derp by Anonymous Coward · · Score: 0

    What a stupid fucking name. Something only a true dork could come up with.

  2. Leet speak? by Anonymous Coward · · Score: 1

    Seriously? Way to instantly lose all credibility in educated people's eyes

    1. Re:Leet speak? by Anonymous Coward · · Score: 0

      I just read Unicorn and didn't notice leet speak until you pointed it out.

    2. Re: Leet speak? by Teranolist · · Score: 0

      "...educated people's..." - clearly you don't belong to them

    3. Re:Leet speak? by ProjectUn1c0rn · · Score: 1

      You don't get sarcasms nor irony, don't you ? I don't blame you, I have trouble finding those myself ;)

  3. Needs a different name. by Anonymous Coward · · Score: 1

    Given it's a listing of security flaws, and the use of automation in malware, etc, I think it should be Project Un1cr0n.

  4. Almost useful by Anonymous Coward · · Score: 3, Interesting

    Ok, you've got Google's list of everything, Un1c0rn's list of everything unsafe. What I want is the subset of Google's list that is not on Un1c0rn's list.

    Someone hack together that metasearch tool and I'll (anonymously) support you.

    1. Re:Almost useful by ProjectUn1c0rn · · Score: 2

      That's insightful man ! Thanks, glad I came to collect ideas !

  5. Seriously? by DougOtto · · Score: 2

    The search engine on that site returned 7800 sites when I searched on a single IP address. Maybe the site is useful but the signal to noise ratio is WAY too low to bother with.

    --
    Solving Unix problems since 1989...
    1. Re:Seriously? by Anonymous Coward · · Score: 0

      I concur. Searching a non-mainstream FQDN produced thousands of results. Something is broken.

    2. Re:Seriously? by ADRA · · Score: 2

      Well to be fair, some hosting companies have like a million sites hosted off a single IP, so not exactly irrelevant unless you know its a buggy scanner. Maybe the introduction of better summarization and breakdown tools are needed to enhance the tool, but hell anything takes time to work well for public consumption.

      --
      Bye!
    3. Re:Seriously? by Iarwain+Ben-adar · · Score: 5, Informative

      Try putting quotes around your IP address. You'll get better results.

    4. Re:Seriously? by just_another_sean · · Score: 2

      Thanks, that did the trick. I too was getting a lot of results when searching for very specific host names. Quotes around either an IP or host name reduced the results to zero (which is obviously what I was hoping for!). And just to test further I put quotes around a random result that did show up in my initial searches and it just came up once, as expected.

      I wouldn't depend it as the only means of double checking a site but it's a good edition to the tool belt. And it should only get better if they don't get sued out of existence.

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
  6. I predict... by Chris+Mattern · · Score: 4, Insightful

    If it's actually useful in uncovering sites with security defects, the owners will all be facing criminal indictments before the year is out.

    1. Re:I predict... by ThatAblaze · · Score: 2

      Not if they don't make any money. Punkspider has been available for over a year now, and it does much the same thing.

  7. Usefullness Factor . . . by tiberus · · Score: 2

    Okay, so I want to visit a site. So I have to go search Un1c0rn to see if it's on the list? What about all the ad, video and other sites this sites gets content from? Seems like a plugin that uses data from the "your site is in a poor state" database would be much more practical. It could replace at risk content with a big WHOA! graphic...

    1. Re:Usefullness Factor . . . by Anonymous Coward · · Score: 0

      do I hear a firefox / chromium pluggin comming?

  8. A publicity stunt that marred by busted search by Anonymous Coward · · Score: 0

    Could not get fewer than 8000 matches either by using hostname or ip. with no way to get the results on one page, it's essentially useless.

    1. Re:A publicity stunt that marred by busted search by just_another_sean · · Score: 1

      As some other poster pointed out add quotes around your search will give you the specific results you're looking for. It would be nice if they had a Search Help link or something but it does work better if you use the quotes...

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    2. Re: A publicity stunt that marred by busted search by Teranolist · · Score: 0

      The heck? Did you ever use a search engine before?

    3. Re: A publicity stunt that marred by busted search by just_another_sean · · Score: 1

      Uh, yeah. But I haven't had to use quotes, pluses, minuses or any other "advanced" crap like that in years. What search engine are you using that still requires such tricks to get good results?

      I'll give these guys a pass because the project's young but a little, helpful link that says "pretend you're using google 15 years ago" wouldn't hurt.

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    4. Re: A publicity stunt that marred by busted search by ProjectUn1c0rn · · Score: 2

      The search functionnality is provied by a third-party software. That's what allows us to run quickly on such small hardware for now (fast indexing), but it's clearly not friendly with user inputs. We noted this is the main concerns about our users right now and will do some research on how to improve it ! Thanks

    5. Re: A publicity stunt that marred by busted search by just_another_sean · · Score: 1

      You're welcome and thank you! This looks like quite a nice project, I wish you success. I am short now but will drop by and donate when I can.

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    6. Re: A publicity stunt that marred by busted search by omnichad · · Score: 1

      If the 3rd-party software is extensible in any way, making it so that a period is not considered a space/separator character would do the trick for almost all these sorts of problems.

  9. Project Un1c0rn? by fredrated · · Score: 2

    Was this named by a five year old?

    1. Re:Project Un1c0rn? by fahrbot-bot · · Score: 2

      Was this named by a five year old?

      Probably, and that "OMGP0n1es" was taken.

      --
      It must have been something you assimilated. . . .
    2. Re:Project Un1c0rn? by ProjectUn1c0rn · · Score: 1

      Thanks, p0n1es shall be the name of my minions :)

    3. Re:Project Un1c0rn? by lgw · · Score: 1

      Pwn1es, clearly. Does this mean we'll need a "Pwn1es.txt" file to stop the crawler (for that matter are you ignoring robots.txt now?)

      --
      Socialism: a lie told by totalitarians and believed by fools.
  10. As is: worthless by radioact69 · · Score: 1

    The search function is worthless, which pretty much makes the whole site worthless. Their data may be good, but if I can't find my site by hostname OR ip without paging through 243 pages of 10 sites at a time... Nope.

    1. Re:As is: worthless by just_another_sean · · Score: 2

      Try this: add quotes to your search

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    2. Re:As is: worthless by radioact69 · · Score: 1

      Added the quotes around my searches and went from way too many results to none. I guess that's a good thing.

    3. Re: As is: worthless by Teranolist · · Score: 2, Insightful

      Truly? Every second guy on /. is incapable of using a search bar correctly?

    4. Re:As is: worthless by just_another_sean · · Score: 2

      Yeah, that's what I was hoping for as well. Just to double check the quoting thing though, try this; do a search without the quotes, pick one "hit" from the results and then search for that with the quotes. The expected behavior is that you will get one result. That's what happened when I tried a couple of specific, quoted searches for host names and IP addresses that came back in previous, unquoted searches.

      As I mentioned elsewhere I wouldn't count on this alone but it's a good addition to the other tools used to check hosts for problems.

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    5. Re: As is: worthless by just_another_sean · · Score: 1

      You again? How about no one has typically had to use such techniques on a search engine since the '90s. Or are you still using AltaVista?

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    6. Re: As is: worthless by Teranolist · · Score: 1

      It seems you never search for statements longer than two or three words... pity you

  11. GCHQ by q4Fry · · Score: 2

    So the gchq.gov.uk site that is on there: Honeypot?

    1. Re:GCHQ by ProjectUn1c0rn · · Score: 1

      I would say, check the data in there. If it's closed already it's probably a leak. If it's still open it's either : 1. Testing server with no important data 2. Honey pot servers, waiting for project like us to pick on them and collect our scanners IPs. 3. Really careless people

  12. Un1c0rn by westlake · · Score: 1

    Project or password?

  13. Well.. by koan · · Score: 1

    Shodan HQ?

    --
    "If any question why we died, Tell them because our fathers lied."
  14. Public Shaming by hduff · · Score: 1

    While surprisingly effective IRL, not so much on the Internet.

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
    1. Re:Public Shaming by ProjectUn1c0rn · · Score: 1

      It indeed is not ... Worrying right ?

    2. Re:Public Shaming by lgw · · Score: 1

      Heck, "public shaming" is a fetish on the internet, if you go to the right sites. But then, so is everything. People are weird.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  15. All for poop? by malloci · · Score: 1

    Maybe this was the real reason behind the name: http://www.myrecipes.com/recipe/unicorn-poop-cookies-214011/