
April to See Month of MySpace Bugs

Zonk posted more than 7 years ago | from the next-up-a-month-of-teddy-bear-bugs dept.

The Internet 165

An anonymous reader passed us a link to PC World's coverage of the upcoming Month of MySpace bugs. Organized by a pair of wiseacre hackers tired of the 'Month of X Bugs', they are set up to 'highlight the monoculture-style danger of extremely popular websites.' Though it's supposed to be funny, outside security analysts have apparently been consulted on the project. "Though the project, which launches on April 1, has all the appearance of a practical joke, one well-known hacker said he'd been contacted by the Month of MySpace team with legitimate security questions. 'Those guys and I have been keeping in touch,' said Robert Hansen, chief executive of Sectheory.com. 'It's funny but it's not a joke.'"

But April only has 30 days (5, Insightful)

Anonymous Coward | more than 7 years ago | (#18396909)

You'd think they'd do a year of MySpace bugs.

Re:But April only has 30 days (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18396957)

You'd think you'd STFU before I kill you.

Re:But April only has 30 days (-1, Troll)

StarKruzr (74642) | more than 7 years ago | (#18397679)

You think YOU'D STFU, since my cock is currently down your throat and jizzing gallon upon gallon of seed into your incredibly stupid lungs.

Yes, that's right. Your STUPID, STUPID LUNGS. Your lungs have no fucking BRAIN, you stupid shit.

Re:But April only has 30 days (4, Funny)

Anonymous Coward | more than 7 years ago | (#18397805)

Wow, looks like someone forgot to check "Post Anonymously".

Nope (0, Offtopic)

StarKruzr (74642) | more than 7 years ago | (#18397937)

I have karma to burn, and retarded AC trolls are convenient for venting bile and practicing your e-hate skills.

Re:But April only has 30 days (1)

TheWanderingHermit (513872) | more than 7 years ago | (#18397607)

Why? Bottom line: MySpace is one big bug. One bug, done in one day.

myspace (0)

Anonymous Coward | more than 7 years ago | (#18396951)

yay myspace!

Monoculture (1)

Herby Sagues (925683) | more than 7 years ago | (#18397623)

What I don't get is the "monoculture" comment. These guys are complaining that all the web servers are using the same software? Or that the different layers are using the same platform? In neither case would having a more diverse platform reduce the number of bugs or make them less serious. That's especially true for cross site scripting exploits and the like. Having two different web servers would not reduce the number of exploits or their seriousness, it would actually probably double them and make them more difficult to diagnose. And having heterogeneous layers wouldn't make a difference at all. I just don't get it.

Re:Monoculture (1)

FLEB (312391) | more than 7 years ago | (#18397861)

Recall the recent quote-unquote "cross-site" exploits stealing info. Although some people blamed things like form autofill, the real problem was that the server name was the same, so the pages created by separate people, which should have been cordoned off from each other, were under the same hostname and therefore the same website for all intents and purposes. I recall LiveJournal having problems like this, which were solved in part by making each user page a subdomain. I suppose this really isn't a "monoculture" problem, but it's certainly an issue with throwing everyone in the same bin, especially when people are given so much power over their page's logic and presentation.

It's that time of the month again (1)

Joebert (946227) | more than 7 years ago | (#18396955)

It's like PMS, but all month long !

Re:It's that time of the month again (2)

joebagodonuts (561066) | more than 7 years ago | (#18396967)

"If it kills this Month of Whatever fad, then hurray for everyone, it's over."

I think these guys are on to something. I hope they succeed.

Re:It's that time of the month again (1, Troll)

joshier (957448) | more than 7 years ago | (#18397081)

Jesus christ, the amount of hypocrisy and pointless messages here never ceases to amaze me.

Don't like www.myspace.com? Don't visit it, or are you attracted to the thought of teen girls exposing themselves but angry at their bad html-skills? You can't have it both ways, so stop f***** complaining you 40 year old man, chained up from any freedom by his over-protective-sex-bored 45 year old wife.

Re:It's that time of the month again (4, Funny)

joebagodonuts (561066) | more than 7 years ago | (#18398181)

I know you are, but what am I?

well (1)

mastershake_phd (1050150) | more than 7 years ago | (#18396975)

Just goes to show you once software has enough of a user base to make it profitable to exploit bugs, people will start finding them.

Re:well (5, Interesting)

Omnifarious (11933) | more than 7 years ago | (#18397037)

Which is all the more reason to make sure that no software ever has a really huge user base. It's bad for everybody.

Right now, one major thing that keeps Myspace's user base so incredibly high is the lack of a widely adopted technology like OpenID [openid.net] . Many people get Myspace accounts because they're forced into it in order to communicate reasonably with a friend, and then decide "Oh, what the heck." and build content of their own there as well. I know that's why I have a MySpace account (and, strangely enough, Omnifarious on MySpace isn't me).

Re:well (1)

bconway (63464) | more than 7 years ago | (#18397357)

Which is all the more reason to make sure that no software ever has a really huge user base.

Maybe they should introduce some bugs to slow the user base growth.

Re:well (2, Interesting)

natrius (642724) | more than 7 years ago | (#18397379)

Right now, one major thing that keeps Myspace's user base so incredibly high is the lack of a widely adopted technology like OpenID.

How are Myspace and OpenID remotely related? A decentralized social network would be nifty, but OpenID definitely isn't one. In the mean time, better social networks offer open APIs [facebook.com] that let you access their friend data.

Re:well (1)

mdwh2 (535323) | more than 7 years ago | (#18397581)

How are Myspace and OpenID remotely related? A decentralized social network would be nifty, but OpenID definitely isn't one. In the mean time, better social networks offer open APIs that let you access their friend data.

OpenID means you can comment on other people's blogs/pages without getting a log-in or doing so anonymously.

Re:well (1)

Omnifarious (11933) | more than 7 years ago | (#18397963)

How are Myspace and OpenID remotely related? A decentralized social network would be nifty, but OpenID definitely isn't one. In the mean time, better social networks offer open APIs that let you access their friend data.

Because you could add someone as a MySpace friend without them having to have a MySpace account if MySpace implemented OpenID. If you just gave a list of OpenID URLs that had friend-type permission for your MySpace account and assigned them your own names then I think people would feel much less compelled to build a home on MySpace just so they could interact with a friend who had a home there.

Distributed identity and distributed social networking are strongly linked concepts. One enables the other.

Re:well (2, Informative)

dominion (3153) | more than 7 years ago | (#18398009)

A decentralized social network would be nifty, but OpenID definitely isn't one.

I'm working on it... [sourceforge.net] and the plan is to use OpenID for authentication.

Re:well (1)

mkosmo (768069) | more than 7 years ago | (#18398089)

How are Myspace and OpenID remotely related? A decentralized social network would be nifty, but OpenID definitely isn't one. In the mean time, better social networks offer open APIs that let you access their friend data.

However, Facebook's API better be damn secure (and not needing even a week of bugs) or else a lot of people would be mighty ticked off. Especially these people that think that stuff on their social networking profile is private and secure. Maybe somebody should let them know that the internet is a series of tubes, and the tubes don't have valves, and I can slide down any one of them and grab the picture of their boobies they posted on Facebook. Then they will sue me for getting it and the tube maker for not crimping the tube so my fat ass couldn't fit.

If you can't tell, I don't like the majority of the social networking demographic :( I do like most technology bloggers, though. They tend to write well and keep things interesting. Using proper, grammar of course. But that is a whole other flame post for me to write.

Content (1)

StarKruzr (74642) | more than 7 years ago | (#18397693)

Am I the only one who thinks MySpace's UI is incredibly ugly and poorly-put-together?

And why is it that as of a couple years ago everyone is "in your extended network?" Is there even an "extended network" anymore?

Re:Content (1)

Kraeloc (869412) | more than 7 years ago | (#18397949)

It's because Tom, in his infinite genius, set himself as a default friend of all new users. And most users are too damn stupid to remove him. And since EVERYONE is friends with Tom, everyone is in the same extended network. It renders that feature completely useless, and is a good indicator of the amount of thought they actually put into the design.

Tom (1)

StarKruzr (74642) | more than 7 years ago | (#18398353)

I haven't been friends with him in ages. Is it because I'm friends with people that ARE?

Re:Tom (1)

Kraeloc (869412) | more than 7 years ago | (#18398487)

Probably.

In other news (3, Funny)

Anonymous Coward | more than 7 years ago | (#18396983)

Bugtrack announced that on May first, they will start their 200th consecutive month of Microsoft bugs, give them a nice applause!

Bug message... (1)

Capeman (589717) | more than 7 years ago | (#18397009)

Once they post the bugs, until they get fixed, we'll get this message: "Sorry! an unexpected error has occurred. This error has been forwarded to MySpace's technical group." Remember when the music player [slashdot.org] was hacked? They fixed it in less than 24 hours, I think the same will happen with these bugs...

Re:Bug message... (1)

quanticle (843097) | more than 7 years ago | (#18397471)

>>Remember when the music player was hacked? They fixed it in less than 24 hours, I think the same will happen with these bugs...<<

Not necessarily. The music player was quickly patched because a vulnerability in the music player made it possible to download (read: pirate) music. It's comparable to the DRM vulnerability that Microsoft fixed in three days and issued an out-of-cycle patch for. The bugs uncovered by this project are likely to be more mundane bugs that won't be patched so quickly.

MySpace's Microsoft-backed infrastructure. (2, Informative)

Anonymous Coward | more than 7 years ago | (#18397039)

This shouldn't be much of a challenge. According to Netcraft, MySpace uses IIS 6 on Windows Server 2003 [netcraft.com] . While the security of Windows systems has increased dramatically since the days of Windows 95/98/ME, it's still widely known to be an extremely insecure platform, especially when compared to most commercial UNIX systems, most Linux distributions, and the *BSDs.

Where I work, we're considering what system we'll use when deploying some new web applications. We recently audited several ASP-based web applications, and found them to be quite terrible. I don't know if it's a problem with the developers of these products, but those that we tried were full of obvious security holes. Our past development was using WebObjects, and we saw nowhere near the number of obvious flaws that we saw with the ASP-based solutions, even when we had interns developing code.

My personal experience with ASP is fairly limited, but I suspect it may just be the technology itself that hinders secure development. It's much the same case for PHP. With such technologies, there are too many little details and flaws that even an expert programmer can become overwhelmed by. At least we decided to go with a Java-based solution running on Solaris. It's probably not perfect, but I'd wager that it's far more secure than most ASP- or PHP-based web apps.

Re:MySpace's Microsoft-backed infrastructure. (1, Interesting)

DrSkwid (118965) | more than 7 years ago | (#18397167)

Windows is a twisty maze of passages, all alike, all leaking information.
Root/Administrator is a design flaw.
All the platforms you mention have holes in them.

And PHP is a crock, steer well clear. See http://www.php-security.org/ [php-security.org]

Re:MySpace's Microsoft-backed infrastructure. (0)

Anonymous Coward | more than 7 years ago | (#18397315)

Windows is a twisty maze of passages, all alike, all leaking information.

You are likely to be eaten by a grue.

Re:MySpace's Microsoft-backed infrastructure. (1)

peragrin (659227) | more than 7 years ago | (#18397383)

It's not called the Blue screen of Death for nothing.

Re:MySpace's Microsoft-backed infrastructure. (0)

Anonymous Coward | more than 7 years ago | (#18397399)

I guess we shouldn't use Apple products, the Linux kernel or browsers either eh?

http://projects.info-pull.com/moab/ [info-pull.com] - Month of Apple Bugs
http://projects.info-pull.com/mokb/ [info-pull.com] - Month of Kernel Bugs
http://browserfun.blogspot.com/ [blogspot.com] - Month of Browser Bugs

Re:MySpace's Microsoft-backed infrastructure. (1)

DrSkwid (118965) | more than 7 years ago | (#18397547)

yes, I know.

that's why I run my web browser on a dedicated machine

11 types (1)

hduff (570443) | more than 7 years ago | (#18398231)

There are 11 types of people in the world, those who know binaries and those who don't.
At the risk of being labeled a pedant, that joke is only funny if you use 'binary' instead of 'binaries'; those are different things. It's almost like people who 'duel' boot their computers or ask you to 'bare' with them, except those are unintentionally funny.

Homophonic Joke ---->  O
                      -+-   - Product of American Public Education
                       |
                      / \
"Obviously, the 'Three R's' don't include spelling."

small change (1)

Bill, Shooter of Bul (629286) | more than 7 years ago | (#18398535)

All platforms have holes in them.

Re:MySpace's Microsoft-backed infrastructure. (1)

Frosty Piss (770223) | more than 7 years ago | (#18398519)

According to Netcraft, MySpace uses IIS 6 on Windows Server 2003.

You may be right about MySpace using Windows, but remember, all Netcraft can really tell you is what technology they use to face the Interweb. What really runs the MySpace machine may be quite different. Could be squirrels, for all Netcraft can really tell. But you're probably right...

Why is it "funny" to exploit security bugs? (1, Insightful)

robla (4860) | more than 7 years ago | (#18397069)

Most homes are vulnerable to someone breaking in and spraypainting "funny" things on the wall, but I imagine anyone on the receiving end wouldn't find it funny at all, even if the recipient is some 1337 hax0r. At the most extreme end, humans are vulnerable to failure when a bullet is put through the head, but rational people agree that we don't approve of exploiting that vulnerability for fun and profit.

Exploiting vulnerabilities on a big website, even an "uncool" website, is juvenile and criminal. There are plenty of perfectly legal and more effective ways of making a statement about MySpace, if that's the goal. I'm not sure I understand the need to make a statement about it anyway; let's just agree that it's GeoCities 2005 and move on.

Re:Why is it "funny" to exploit security bugs? (2, Insightful)

QuantumG (50515) | more than 7 years ago | (#18397175)

Because they claim they are secure. It's like if someone was to build a big fence around their property, place armed guards, security cameras, attack dogs, and then boast in a local newspaper that they are secure.. you'd have a nice good laugh if it turns out their cleaning lady stole their diamonds.

Re:Why is it "funny" to exploit security bugs? (2, Insightful)

robla (4860) | more than 7 years ago | (#18397249)

I might experience a little schadenfreude, but I also would happily approve of the cleaning lady being thrown into the clink.

Re:Why is it "funny" to exploit security bugs? (0)

Anonymous Coward | more than 7 years ago | (#18397313)

On the other hand, I'd hope that the cleaning lady had gotten enough diamonds to be able to spend the rest of her life on a beach in some South American country. And had the brains to get there very quickly with the diamonds.

Re:Why is it "funny" to exploit security bugs? (2, Informative)

SadGeekHermit (1077125) | more than 7 years ago | (#18397221)

Maybe I'm old and crusty, and just not "with it" but being an Oracle DBA and occasional Java developer... I really, really don't like the idea of posting "month of X bugs" sites.

The principled thing to do is to contact the vendor whose software is buggy, and give them a detailed report of all the bugs you found, mailing a duplicate report to CERT to make sure there's at least some pressure on the vendor to fix them.

The UNPRINCIPLED thing to do is to start up a website and post a "month of MySpace bugs" for the whole world to see, which sets every idiot script kiddie out there on an easter-egg hunt to find vulns.

What's really screwed up about it is this: Let's say Joe Hacker decides to "out" some vendor and spends a month attention-whoring. That vendor may or may not get the bugs fixed before legions of script-kiddies figure out how to use them. MEANWHILE, every sysadmin out there is completely fucked, waiting for the vendor to catch up to the Scavenger Hunt that Joe Hacker decided to kick off with his stunt.

It's not cool, it's not funny, and I wish these assholes would just knock it off.

They should grow up already.

Re:Why is it "funny" to exploit security bugs? (0, Flamebait)

QuantumG (50515) | more than 7 years ago | (#18397337)

Or, ya know, you could write code without security issues already. Most "wall of shame" sites are exactly that. The message is: these guys are idiots, switch to someone else as quickly as possible.

Re:Why is it "funny" to exploit security bugs? (2, Insightful)

SadGeekHermit (1077125) | more than 7 years ago | (#18397381)

It has been long established that it is simply NOT POSSIBLE to write software without bugs.

The best that any developer can hope for is to find the bugs quickly and remove them.

Stunts like this only serve to attack a development project without doing anything productive to help fix it.

Your own comment shows that you think the same way: "These guys are idiots, switch to someone else".

They're not idiots. They're just the guys who happened to be arbitrarily chosen for public attack.

And it IS perfectly arbitrary.

Don't try to turn attention-whoring into some noble quest. It's not and never will be.

Re:Why is it "funny" to exploit security bugs? (4, Interesting)

QuantumG (50515) | more than 7 years ago | (#18397415)

Dude, we're not talking about "writing software", we're talking about setting up a website and leaving the default mySQL account active. We're talking about writing shit in php and not escaping user input. We're talking about gross incompetence. There's plenty of it, and yes, the best way to deal with it is public naming and shaming.

Re:Why is it "funny" to exploit security bugs? (2)

SadGeekHermit (1077125) | more than 7 years ago | (#18397561)

But you forget.

This is not the only "month of X bugs" that has happened.

The others were ALL about one or another software package.

I'm saying the general principle is wrong. If you find bugs you should disclose them responsibly. One copy goes to the vendor (or the site owner) and one copy goes to CERT. You don't show the whole world the details of the bug, plus a sample exploit! That's just stooooopid.

Re:Why is it "funny" to exploit security bugs? (2)

QuantumG (50515) | more than 7 years ago | (#18397631)

If you work in the security industry sure.. if you're a user who feels they are getting poor service you yell it from the rooftops. Think about it this way.. if you found out your keyless entry system to your car was broken and any idiot could get into your car with a $2 transmitter, would you go quietly to the company and help them "mitigate" the damage or would you send this information to your local newspaper or current affairs show so they can tell as many people as possible to steer clear of this manufacturer as they don't even do basic security checks of their key systems. Anyone who trusts a for-profit entity to "do the right thing" with disclosing their own fuckups is an idiot.. and as for CERT, they're just as complacent in coverups.

Re:Why is it "funny" to exploit security bugs? (1)

SadGeekHermit (1077125) | more than 7 years ago | (#18397789)

In response to your analogy, NO, I wouldn't tell the whole world about it. I'd figure out a way to FIX it, like finding a local shop that can replace the keyless entry system, and THEN, I'd tell everybody how to go to the shop and fix their systems. I'd give them SOME information, for instance telling them about how it's possible to steal a car with equipment available to thieves, but I would NOT tell them enough to let them go get a transmitter of their OWN.

Reason being: the object is to SOLVE the problem, not magnify it by letting every angsty teenager in your town get ahold of their own transmitter, after which all hell would break loose.

Re:Why is it "funny" to exploit security bugs? (1)

QuantumG (50515) | more than 7 years ago | (#18397939)

And while you're solving the motor company's problems for them, they'll be sure to put a lot of effort into making sure it never happens again, right?

Have you ever stopped to think that maybe all this do-gooding attitude is the reason why computer security is so bad? You're just co-conspirators.

Re:Why is it "funny" to exploit security bugs? (1)

textstring (924171) | more than 7 years ago | (#18398563)

Basically these "month of x bugs" are free security audits. I'd much rather have someone finding vulnerabilities in my code and saying something, even if it's public, than someone else finding 30 vulnerabilities and owning me over and over.

Re:Why is it "funny" to exploit security bugs? (0)

Anonymous Coward | more than 7 years ago | (#18397359)

No you! *points finger*

(In response to the "they should grow up already" comment)

Re:Why is it "funny" to exploit security bugs? (2, Insightful)

Watson Ladd (955755) | more than 7 years ago | (#18397405)

The point is to put pressure on an unresponsive vendor or one with a bad track record to improve. And if you have insecure products on a network you deserve getting hacked. OpenBSD/RBASC are free, and they are never attacked successfully. Attackers are part of the internet environment now, and complaining about it is like complaining about rain making your expensive suit wet when you forgot an umbrella. Sure, it might be expensive to be secure, but that's the tradeoff, and it is not going to change.

Re:Why is it "funny" to exploit security bugs? (1)

SadGeekHermit (1077125) | more than 7 years ago | (#18397639)

The problem with your point of view is that you aren't hurting the VENDOR, you're hurting his CUSTOMERS who have done you (and the world) no harm.

The vendor isn't the primary entity harmed because he's already got his license fee from each customer. Also, it's not the vendor that will be attacked by script kiddies, it'll be his customers, who, again, have done you no harm.

The most you'll do to the vendor is give him a little bad P.R. Vendors don't care. They just hire a P.R. firm to "manage spin". The people who actually pay the vendor his fees (the suits, usually) ALSO won't care because they'll sympathize with the vendor. They'll view the situation, mostly correctly, as a bunch of snot-nosed kids waving middle fingers in the face of a staid, middle-aged establishment.

Putting up a "month of X bugs" is a dick move, man. All you accomplish is creating a huge clusterfuck for a whole bunch of people who never did you any harm, and that makes you no better than a vandal. Here's a tip: if you're showing people how to break something INSTEAD OF telling people how to prevent them from doing so, you're not on the side of the victim.

Guys like this are just another set of enablers, like (here's MY analogy) a ghetto gun-dealer who sells to muggers and rapists, and who justifies it by saying "I didn't tell him to go rape that woman! And it's her own fault for not having a bulletproof vest. My gun sales will show people that they NEED bulletproof vests, so I'm doing a service."

I'm not buying it. I'll say it again:

The PROPER thing to do is send one copy of the vulns to the vendor and another copy to CERT, which will disclose the existence of the issue responsibly and suggest a workaround.

Your suit analogy doesn't work, by the way.

As a sysadmin, I can take every precaution available to me, I can take every vendor-mandated step... Despite all that, all it takes is for some idiot to whip up a "month of bugs" and blammo, I'm hosed. All because some annoying little bastard wants to attention-whore out his new "security site".

So, I disagree -- most vehemently -- with your views.

Re:Why is it "funny" to exploit security bugs? (1)

jamesh (87723) | more than 7 years ago | (#18397431)

It's not cool, it's not funny, and I wish these assholes would just knock it off.

The curious thing is, if you created a tv program out of it, and added silly sound effects and a silly voiceover, it would be funny. If funniest home videos has taught us nothing else, it has at least taught us that pain and misfortune are funny when they happen to other people.

If it was my application under the spotlight it would be a completely different matter...

Re:Why is it "funny" to exploit security bugs? (1)

SadGeekHermit (1077125) | more than 7 years ago | (#18397811)

It's so true... The human race just LOVES to get its Schadenfreude on.

Re:Why is it "funny" to exploit security bugs? (1)

DrSkwid (118965) | more than 7 years ago | (#18397569)

Most of the Month of X Bug websites seen recently already did that stuff and nothing happened.

This one : http://www.php-security.org/ [php-security.org] was even done by an ex-member of the PHP security team because they weren't taking him seriously.

Re:Why is it "funny" to exploit security bugs? (1)

SadGeekHermit (1077125) | more than 7 years ago | (#18397721)

Uh huh. SURE they did.

What's really happening here is, things are easier to break than to fix. So a bunch of guys can figure out 30 snarky ways of breaking something, slap together a website, and try to get some attention by attempting to publicly humiliate whatever vendor has pissed them off most recently. They don't think for an instant about what's going to happen when script kiddies start using the ACTUAL EXPLOIT CODE they publish to attack every website under the sun. Or maybe they do -- but that only makes it worse.

The PHP site you just linked to is an excellent example of how NOT to do things. They post actual test exploits. How lovely. So some guy in Wichita has a website that runs PHP, and his ISP hasn't updated quickly enough, and he's hacked by some schmuck script kiddie who's bored -- all through no fault of his own or even his ISP's.

This is NOT good citizenship at work.

Here's my favorite analogy of the fundamental dynamic here:

Leon the ghetto gun dealer: "Hey, man, I'm just trying to show all you guys how important it is to wear a bulletproof vest! Nobody believed me, so I started selling these here Saturday Night Specials. Cheap, too. It ain't MY fault if some guy decides to rape and kill some downtown lady with a gun I sold him! Sheeeit, she should've bought herself a bulletproof vest, it's her own damn fault."

I think that's a good rebuttal of your point.

Re:Why is it "funny" to exploit security bugs? (1)

GrumpySimon (707671) | more than 7 years ago | (#18397957)

Whilst he's a very good security researcher, Stefan Esser has a reputation for being very hard to work with.

He claims that month of PHP bugs was created because he couldn't get the fixes into PHP. Whilst this may be true for PHP, he recently announced a vulnerability in mod_security [modsecurity.org] complete with P.O.C code as part of MOPB. This had nothing to do with PHP, and Esser didn't bother to notify the mod_security team before releasing it [modsecurity.org] .

It's funny because (0)

StarKruzr (74642) | more than 7 years ago | (#18397715)

MySpace is a piece of shit. It really is. They are sailing on an enormous userbase and haven't done a damn thing with the site. They are fat and lazy.

Let them squirm a little while. Will you suffer? No. Will anyone other than MySpace's fifty employees suffer? No. Will they suffer for more than a month? No.

Relax, chief.

Re:It's funny because (1)

SadGeekHermit (1077125) | more than 7 years ago | (#18397753)

Look, I couldn't care less about MySpace. I don't use or read the site.

My problem is that these "month of X bugs" are coming out for lots of vendors and platforms that in turn serve a WHOLE lot of companies and websites.

This trend is a rotten, rotten idea.

You don't get people to wear bulletproof vests by giving free Saturday Night Specials to every degenerate who wants one.

The whole practice stinks.

Okay (1)

StarKruzr (74642) | more than 7 years ago | (#18397973)

so you're more criticizing the practice in general than MySpace as a target.

Fair enough. What is the proper way to go about getting big vendors like this to fix their security holes, then? If someone with a generally white-hat motivation doesn't do it, someone less benevolent will eventually.

Re:Why is it "funny" to exploit security bugs? (1)

Nazlfrag (1035012) | more than 7 years ago | (#18398023)

It's simple. A known exploit is much less dangerous than an unknown one. Security by obscurity is an invalid tactic.

Re:Why is it "funny" to exploit security bugs? (1)

Threni (635302) | more than 7 years ago | (#18397451)

> Why is it "funny" to exploit security bugs?
> Most homes are vulnerable to someone breaking in and spraypainting "funny" things on the wall,
> Exploiting vulnerabilities on a big website, even an "uncool" website, is juvenile and criminal.

I'd take issue with your analogy. Defacing a website is nothing like defacing someone's home. For one thing, it's not someone's home. It's almost as bad as the old "you wouldn't steal a car, so why would you download a stream of numbers via tcp/ip?" argument all over again.

Re:Why is it "funny" to exploit security bugs? (1)

General Wesc (59919) | more than 7 years ago | (#18398197)

Your garage then. You don't live there (though I don't see why you think that's relevant). It just costs you a little time and money to paint over afterwards. I don't see how being on a computer or on the Internet is magically different.

And this is not like taking v. copying. This is doing direct, visible damage v. doing direct, visible damage. If this was a manuscript I was writing you'd (I assume) say 'yeah, it's wrong for them to burn it', but if it's an electronic manuscript, suddenly destroying it is harmless?

Re:Why is it "funny" to exploit security bugs? (1)

RealGrouchy (943109) | more than 7 years ago | (#18398167)

I think it's more like breaking into someone's home and rearranging the furniture.

It's a nuisance, but not irreparable.

- RG>

Myspace allows XSS redirect for malware execution (4, Informative)

Anonymous Coward | more than 7 years ago | (#18397075)

I have had it happen about 4 times; it's a redirect not properly sanitized (or injected in JavaScript). Each time I'm redirected to http://193.x.x.x/somenasty.html [x.x.x], and it's basically an IE 6.0 exploit. I can guarantee MySpace infects more than half of its users. Sad thing is, no one is going to fix it. But hey, Tom has lots of friends!

Funny / Not Funny (1)

writermike (57327) | more than 7 years ago | (#18397087)

'It's funny but it's not a joke.'"

Then launch it on April 2. April 1 is a Sunday anyway, and some hax0rz actually do toil thee not on their Sabbath.

clown shoes security? (5, Insightful)

sfjoe (470510) | more than 7 years ago | (#18397121)

I don't use MySpace so I know nothing of their security. But this guy's statement struck me, "Even when they have countermeasures in place... it's trivial to obfuscate to evade their detection mechanisms."
If their security model is based on detecting patterns, then they will never be able to get out of the Red Queen's Race. A properly designed web app has as its core philosophy, "that which is not explicitly allowed is denied". Trying to detect all the possible variants of hacking and denying them is a fool's errand.
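The comment above argues for allowlisting over detecting bad patterns, and an earlier post in the thread reports a redirect that was not sanitized. As an added illustration (not code from the poster or from MySpace), here is a small allowlist sanitizer for user-supplied profile markup: unknown tags and attributes are dropped without needing to recognise them, and link targets are kept only when they are relative paths or point at an allowlisted host. The tag, attribute and host allowlists and the sample markup are constructed assumptions, with 192.0.2.1 standing in for the external 193.x.x.x host mentioned earlier.

```python
from html import escape
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Assumed allowlists: tag -> attributes it may carry; everything else is denied.
ALLOWED_TAGS = {"b": set(), "i": set(), "p": set(), "a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"img"}
ALLOWED_HOSTS = {"example.com", "img.example.com"}  # placeholder site hosts
ALLOWED_SCHEMES = {"http", "https"}

def safe_url(value: str) -> Optional[str]:
    """Return the URL if it is a site-relative path or an absolute URL to an
    allowlisted host over http(s); otherwise None (unknown scheme, foreign host,
    protocol-relative URL, or a bare IP such as the 193.x.x.x redirect)."""
    value = value.strip()
    url = urlparse(value)
    if url.scheme == "" and url.netloc == "" and url.path.startswith("/"):
        return value
    if url.scheme.lower() in ALLOWED_SCHEMES and url.hostname in ALLOWED_HOSTS:
        return value
    return None

class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup from an allowlist; text is always re-escaped."""
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text still flows through handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue  # attribute not on the allowlist, whatever it is
            if name in ("href", "src"):
                value = safe_url(value or "")
                if value is None:
                    continue  # link target failed the URL allowlist
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(markup: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

# Constructed sample of user-supplied profile markup (not a real MySpace page).
SAMPLE = ('<p>hello <b>world</b></p>'
          '<a href="http://192.0.2.1/somenasty.html">friends</a>'
          '<a href="/profile?id=42" target="_blank">me</a>'
          '<img src="https://img.example.com/pic.jpg" alt="pic">'
          '<iframe src="https://example.com/x"></iframe>')
```

Comments and declarations are discarded by default because the parser only emits what the handlers above rebuild.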

Business Model? (1)

phantomcircuit (938963) | more than 7 years ago | (#18397307)

Their entire business model is basically to get other people to generate cool stuff and then put their ads next to it.

Restricting MySpace in any way would quickly lead to less interesting stuff and thus less ad revenue.

Only one bug.... (1)

Duncan3 (10537) | more than 7 years ago | (#18397147)

Users post personal data for identity thieves to download.

After that, all other "bugs" are 100% irrelevant; anything you would want to hack is already willingly posted. So a big fat security *yawn* on this one.

Re:Only one bug.... (1)

pagerwho (1071772) | more than 7 years ago | (#18398491)

*Sigh* When will people learn? MySpace is highly susceptible to hacking and the distribution of malware. Security does not end at personal information; security is cracking down on spam, cracking down on scripts, and ultimately making it safe to browse.

I personally have discovered viruses being distributed using MySpace; would one consider this secure? I certainly don't. Last time I checked, MySpace had no code to protect against scripts that create user accounts and spam the living daylights out of everyone and anyone. Today alone I received 10 friend requests and about a half dozen spam emails.

MySpace doesn't listen to its user base when it comes to flaws. They, like Apple, have to be slapped in the face with the flaws in order to listen. Remember what Microsoft was like? Apple is like that now, so is MySpace, and about a dozen other companies, to include linux fanboys. NOTHING is completely secure, and until people realize this fact, the more people like me will be frustrated.

WAKE UP! MySpace needs this. It isn't juvenile, it isn't malicious, it's getting a company to wake up and realize they are NOT secure, that they HAVE flaws, and above all, knocking their damn ego down a few pegs. Everyone cheered when people beat the crap out of Microsoft, but when they turn the tables on other companies, everyone cries foul.

Bug Filing Number 1 (5, Funny)

Anonymous Coward | more than 7 years ago | (#18397153)

Status: OLD

Severity: Major

Reproducible: Always

Description: MySpace is filled to the brim with whiny, middle-class, suburbanite, emo kids whining about how emo their life is and how they like to listen to emo music while cutting themselves.

Solution: Delete Myspace.

Re:Bug Filing Number 1 (1)

joshier (957448) | more than 7 years ago | (#18397251)

Ah, just like the security cameras (CCTV) in the UK and soon to be in the US? Hey! Don't worry about crime, we now have security cameras! Yeah! That'll work! No one will ever take part in an illegal act ever again!

Re:Bug Filing Number 1 (1)

Watson Ladd (955755) | more than 7 years ago | (#18397463)

If they truly were emo, they wouldn't be cutting. Replace emo with whiny.

Re:Bug Filing Number 1 (1)

dwater (72834) | more than 7 years ago | (#18398529)

wtf is 'emo'?

Bug Filing Number 2 (1)

VirusEqualsVeryYes (981719) | more than 7 years ago | (#18397479)

Status: OLD

Severity: Major

Reproducible: Always

Description: MySpace is like an ugly hooker; you wonder how she gets so much action when she's so hideous.

Solution: Bring the web designer from the 90's back to the present. Will need: flux capacitor, 1.21 jigawatts.

Re:Bug Filing Number 1 (1)

Paulrothrock (685079) | more than 7 years ago | (#18397719)

Actually, LiveJournal's cornered the market on emo kids. MySpace is more about the people who give the emo kids wedgies.

Re:Bug Filing Number 1 (0)

Anonymous Coward | more than 7 years ago | (#18398363)

Status: OLD

Severity: Major

Reproducible: Always

Description: Slashdot is populated by large numbers of self-proclaimed experts eager to give their egos a boost.

Solution: Delete Slashdot.

but... (5, Funny)

netdur (816698) | more than 7 years ago | (#18397179)

myspace itself is a bug

Re:but... (4, Funny)

Rakshasa Taisab (244699) | more than 7 years ago | (#18397295)

Some complain that the "Month of MySpace Bugs" should have moved to May, so as to avoid the unfortunate collision with the "Stealing Candy from Babies Day".

Question for slashdot (1, Funny)

Anonymous Coward | more than 7 years ago | (#18397187)

Can someone tell me why, after all this time, a website as popular as MySpace is still rampant with bugs? I mean.. wouldn't the majority of them be fixed by now, considering how much profit MySpace makes?

And no I don't use MySpace...

Re:Question for slashdot (1)

DrSkwid (118965) | more than 7 years ago | (#18397579)

I don't know what class of bug they will reveal but most XSS stuff is tricky to weed out when you let users freely upload.

See how many of these you would check for :

http://ha.ckers.org/xss.html [ckers.org]

Re:Question for slashdot (1)

toejam316 (1000986) | more than 7 years ago | (#18398453)

How would FIXING their bugs and problems make microsoft buy them? You silly, silly man.

Month of YouTube bugs!! (1)

Negativeions101 (706722) | more than 7 years ago | (#18397275)

If anything there should really be a month of YouTube bugs! That site is notorious.

Pretty funny.... (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18397277)

The only MySpace page I can stand to look at is the one that BoingBoing just linked to, dedicated to H. P. Lovecraft. WTF, did the horror wrap past MAX_INT back into negative territory?

PEBKAC (1)

mdboyd (969169) | more than 7 years ago | (#18397279)

My feelings about MySpace are that if users are too unintelligent to create a basic website, they shouldn't have a website at all. A lot of the scams I see users getting caught up in on MySpace are basic phishing scams that trick them into downloading executable files which infect their machines. Sometimes making something too easy to do is a bad thing. While some of the blame probably lies with MySpace and its lack of user safety (I can't make any claims because I don't use the service), it's ultimately up to users to choose what not to download and run on their computer, regardless of what website it's on. I believe the course is titled Internet Common Sense 101.

Re:PEBKAC (1)

maxume (22995) | more than 7 years ago | (#18397573)

Also, there should be more intelligence testing before we let people read books. Stupid people might make some bad conclusions or something.

Re:PEBKAC (1)

mdwh2 (535323) | more than 7 years ago | (#18397597)

My feelings about MySpace are that if users are too unintelligent to create a basic website, they shouldn't have a website at all.

And there was me thinking that it's better to use existing tools than to reinvent the wheel (not that I think MySpace is a good tool, but that's another matter).

I thought... (1)

adez (967740) | more than 7 years ago | (#18397319)

I thought every month was the month of myspace bugs.

Re:I thought... (2, Funny)

UbuntuDupe (970646) | more than 7 years ago | (#18397423)

That's been my feeling as well. Someone sent me a link to someone's MySpace site a few months back, and when I got there, someone had just completely trashed the page. Everything was just strewn all over the place without any rhyme or reason. Whoever defaced the site also made some crappy music download and play whether you wanted to hear it or not, with no obvious way to silence it. If you clicked on a link to go anywhere, it would for some reason just take you to a login screen. WTF?

I hope they got that bug patched up.

Re:I thought... (1, Informative)

Mr Z (6791) | more than 7 years ago | (#18397539)

Hint: That "login page" was really a phishing page.

What's next: Month of Homeland Security Bugs? (0)

Anonymous Coward | more than 7 years ago | (#18397815)

What's next: Month of Homeland Security Bugs, where "security researchers" send communiqués to Al Qaeda and the rest of the world, every day for a month, describing exactly how to poison a different city's water supply? When will these hackers realize that full disclosure hurts the good guys more than the bad guys? Do you really expect ANY organization to be able to fix a vulnerability in a DAY? These "researchers" are morally bankrupt - and more proof that 99% of people in "security" wear black yarmulkes under their white hats.

From what I've heard... (0)

Anonymous Coward | more than 7 years ago | (#18398013)

MySpace would be more closely associated with crabs than bugs.

I'm probably just crazy, but... (1)

sub67 (979309) | more than 7 years ago | (#18398041)

Am I the only person thinking April Fool's? Imagine all the traffic these guys could generate with the MySpace hordes hammering their site on Apr. 1 trying to learn how to hax their ex-girlfriend's accounts and what could potentially be done from there. Obviously it's just speculation... but *shrug*

Discrimination (1)

RealGrouchy (943109) | more than 7 years ago | (#18398191)

I think it is discriminatory to post this story on Slashdot: any comments from your "average" MySpace user will likely get modded "-1 Incomprehensible".

- RG>

Spam friend requests (1)

CmdrPorno (115048) | more than 7 years ago | (#18398209)

What about the "bug" wherein bots send spam friend requests (usually, the bot is a female with links to AdultFriendFinder in her profile, and the recipient is male)? What is Tom doing about that? Because I get one of those about every day.

Quick easy one line fix for all Myspace bugs (2, Insightful)

britneys 9th husband (741556) | more than 7 years ago | (#18398339)

127.0.0.1 myspace.com

We're encouraging fixing MySpace? (1)

SlappyBastard (961143) | more than 7 years ago | (#18398537)

Isn't this sort of like trying to amputate legs from a four-legged duck?

Uhh In case you missed it.. (1)

paynesmanor (982732) | more than 7 years ago | (#18398617)

popular sites are.. At least it's only going to be for "fun" and not a real attack. The web only appears safe, as the hackers have found better ways to cause havoc than giving people viruses that destroy their data. I think this is going to be an interesting wakeup call to all the sites and users of that site. People should not be misled, as it's not just the security of the website that is being compromised, it is the personal computers too. People need to face the fact that just typing in a URL and pressing enter could be asking for a virus.