Code-sharing leads to widespread bug sharing that black-hats can track

Developers' enthusiasm for sharing code saves their colleagues' time, but also means they share security bugs they haven't noticed. And that means a smart attacker could follow who's shared what with whom to trawl the Web for vulnerabilities. That sobering idea comes from a group of German researchers with help from Trend …

  1. Anonymous Coward

    Duh!

    "Developers' enthusiasm for sharing code saves their colleagues' time, but also means they share security bugs they haven't noticed. And that means a smart attacker could follow who's shared what with whom to trawl the Web for vulnerabilities."

    So researchers have looked into this and come to conclude what most of us have already known for nearly 10 years now? Some slow researchers those are...

    I know of a solution though: hold people accountable for the stuff they post.

    I've seen this so many times: a person has a somewhat common problem and someone else presents a small piece of code as the solution. Unfortunately that code comes close but doesn't quite solve the issue just yet. But despite that you'll see dozens of people copying and spreading it as if this solution was their own. For the simple reason that they have no clue what. so. ever. what they're doing nor copying yet hope to become more popular for sharing the solution to an infamous issue.

    So yeah: hold people accountable. Post bad code? The kind of stuff you could have known doesn't work by simply trying? Bzzzt, penalty time.

    I think some copy cats would be quickly gone.

    1. Anonymous Coward

      Re: Duh!

      I know of a solution though: hold people accountable for the stuff they post.

      Steady, old man! If your proposal were applied to this here place, most of us would go around with our knickerbockers severely singed.

      Are you quite sure you are entirely blameless in this department yourself?

    2. MacroRodent

      Re: Duh!

      That solution would be far worse than the original problem: nobody would dare to publish any code (apart from a "hello world"), and progress in software would grind to a halt, since everything complex is really built on earlier work.

    3. Anonymous Coward

      Re: Duh!

      Alright, but only if you get sexual favours for writing really exceptional code.

      #fakecode

    4. Philip Stott

      Re: Duh!

      Yep, have to agree.

      Most professionally written tutorials, by Google, Microsoft, Oracle, et al., state explicitly that the example is simplified to make the point clearer to read, and that it should not be used in production code.

      Devs that aren't able to turn example code into production quality code should probably go back for some more education.

      1. Richard 12 Silver badge

        Re: Duh!

        The flipside is that it's often quite hard to find documentation of the appropriate error checking and/or sanitisation for a lot of calls.

        "Error checking omitted for clarity" is a common phrase in official examples.

      2. Anonymous Coward

        Re: Duh!

        in other words RTFM

        Who, these days even thinks about RTFM....????

        I'm a long serving member of a technical support forum. Many posts show that the person posting has not even done a cursory search. Then when given exact details of the search params they don't do it.

        So getting people to RTFM is getting worse. I know from talking to many devs from the sub-continent that their whole modus operandi is to copy bits from the internet and cobble them together.

        No wonder that there is such crap code being produced.

        The copying also produces a signature that can be detected. 'strings' is a wonderful utility and a boon to hackers. Look for a load of common search strings that they already have injection hacks for and away they go. The Indian devs don't even bother to change the variable names. Talk about making life easy for the crims.

        1. Anonymous Coward

          "in other words RTFM"

          If only you could still find exhaustive, well written manuals...

    5. Anonymous Coward

      Re: Duh!

      > So yeah: hold people accountable. Post bad code? The kind of stuff you could have known doesn't work by simply trying? Bzzzt., penalty time.

      I understand the chief developer of the Linux Kernel holds people to account for the code they post. Maybe the developers of WordPress should borrow the same methodology.

    6. Nick Kew

      Re: Nearly 10 years?

      The Perl community were drumming this into us more than 20 years ago: always "use taint" and untaint all inputs! (an instant fix to the appalling example in the article). Doesn't mean the majority of wannabes looking for magic DWIM take any notice - hence the rise of PHP.

      And we had a name for zombie tutorials refusing to die for decades after they became invalidated: "Cargo Cult". For example, an ugly hack in the early days of Apache was to use "AddType" to configure it to run scripts such as CGI. That hack was deprecated with the introduction of "AddHandler" in Apache 1.1 more than 20 years ago, yet lived on as standard practice in the PHP world more than a decade later.

  2. cavac

    WP Code Snippet

    Of course the code in the snippet is insecure: It's related to WordPress.

    If you want a webserver full of holes, WP is always first choice...

  3. Anonymous Coward

    open-source tutorials are a security risk says Trend Micro

    "The Web is replete with tutorial-style content on how to accomplish programming tasks. Unfortunately, even top-ranked tutorials suffer from severe security vulnerabilities"

    I would have thought, no one in his right mind would paste code snippets from a tutorial directly into a live application. And in this day-and-age someone would be charged with code review to root out such code bugs.

    "we restrict our analysis to open-source code, and thus, the possibility exists that the practice of copying from tutorials is particularly prevalent in the open-source world and less common in closed-source environments"

    A logical fallacy shurly, since you didn't examine any closed-source code it stands to reason you didn't find any security bugs. Is this a free advert for Trend Micro and closed-source environments under the guise of a technical report?

    1. Richard 12 Silver badge

      Re: open-source tutorials are a security risk says Trend Micro

      In fact practically everyone here can attest to the fact that it is not just a horrific fallacy with no evidence to support the claim, it's simply wrong.

      Closed source code is full of snippets copied out of Stack Overflow et al, as everyone who deals with closed source code knows.

    2. John Smith 19 Gold badge

      "the possibility exists... copying from tutorials is particularly prevalent in the open-source world"

      No, that's academic politeness as he cannot prove that closed source devs do it more, less or the same as open source and politeness requires the benefit of the doubt.

      You can argue that closed source devs, under pressure, make more use of CnP, or that they are being watched by their PHBs to see they are not passing CnP off as their own work to make up the development productivity numbers, and so use it less.

      No I don't believe that but I cannot prove my PoV either, hence the benefit of the doubt.

  4. John Smith 19 Gold badge

    Or most of those tutorials are poison pills to insert vulns

    Created by whoever your favorite candidate for such behavior is.

    TLA's

    Black hats

    Etc.

    1. breakfast Silver badge

      Re: Or most of those tutorials are poison pills to insert vulns

      Honestly most of them are written by people who figured out a solution to a problem that was bugging them. If they knew more they probably wouldn't have had such a hard time figuring out the solution so they wouldn't have written the tutorial.

      "Badly reviewed tutorials" is all well and good to complain about when one is dealing with a large corporate distributing a development platform, but most of these are volunteer efforts and one is often lucky to find any documentation at all around whatever edge case one is currently working on.

  5. Charlie Clark Silver badge

    That time of the month?

    Don't we seem to get a report like this stating the bloody obvious and overstating the risks from Trend Micro every month?

    The PHP example is annoying even if it's true: if you don't use prepared statements for DB work you deserve to be hacked. Good research highlights the less obvious security flaws in our code.
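Nick Kew's "untaint all inputs" and Charlie Clark's "use prepared statements" are the two standard fixes for the kind of DB snippet the article complains about. The block below is an added illustration, not code from the article, the research, or any commenter: it builds a two-row SQLite table from constructed data, runs the same lookup once with the value spliced into the SQL text and once as a parameterised statement, and applies a Perl-style allowlist untaint to the input before it reaches the query. All table, column and user names are made up for the example.

```python
import re
import sqlite3

# Constructed sample rows for the demonstration; not from any real system.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    """The tutorial anti-pattern: the untrusted value becomes SQL syntax."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, name):
    """Prepared statement: the driver passes the value, never parses it as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Allowlist for a username: letters, digits, underscore, 1 to 32 characters.
USERNAME_RE = re.compile(r"\A([A-Za-z0-9_]{1,32})\Z")


def untaint_username(value):
    """Perl-style untainting: only a value captured by the allowlist regex
    is allowed onward; anything else is rejected rather than 'cleaned'."""
    m = USERNAME_RE.match(value)
    if m is None:
        raise ValueError("rejected untrusted input")
    return m.group(1)


def demo():
    """Run the three paths on a hostile value and on a normal one."""
    conn = make_db()
    hostile = "' OR '1'='1"  # the textbook tautology; constructed input
    results = {
        # Concatenation turns the tautology into part of the WHERE clause,
        # so the unsafe lookup returns every row.
        "unsafe": lookup_unsafe(conn, hostile),
        # The prepared statement looks for a user literally named that,
        # so it returns nothing.
        "prepared": lookup_prepared(conn, hostile),
    }
    try:
        untaint_username(hostile)
        results["untainted"] = None
    except ValueError:
        results["untainted"] = "rejected"
    # The normal path: untaint first, then a prepared lookup.
    results["normal"] = lookup_prepared(conn, untaint_username("alice"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two defences are complementary rather than alternatives: the prepared statement keeps data out of the SQL grammar regardless of content, and the untaint step rejects values that have no business reaching the query at all, which also protects any later sink (a log line, a shell command, an HTML page) that the same value may flow into.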

  6. Anonymous Coward

    That's why I rarely published "ready to use" code.

    I was for a long time a programmers' forum moderator and "guide". Also, I posted articles about programming solutions on my blog.

    Often, readers complained I didn't post "complete" solutions but merely some fragments, while describing the complete solution with references, and just asked for ready-to-use code samples.

    Usually, the complete code was much longer than I was going to write for a post, copying it from applications written for my employer is a no-no, nor am I a free consultant to write someone else's code because they were too lazy/incompetent to write it <G>.

    I encountered the same problem later on StackOverflow - where also most users prefer simpler, half-baked solutions to the complete, safe one, because the latter is usually more complex and longer to implement. And whenever you pointed that out, you just got complaints, downvotes, insults.

    On the other side, when performing code reviews I happened to spot code which was clearly borrowed from some samples (and a quick Google search usually confirms it), without even trying to understand if the sample was well written and free of issues - and more often than not, the code had clear issues.

    And even making a Torvalds or two didn't help much; there are still developers who are just interested in making the code work somehow quickly, never properly, after all in all those past years they did it, and almost nobody complained...

  7. Julz

    192.168.0.1

    Was, I think, originally used in a Sun Microsystems manual as an example of an address to use to configure a network, and look what happened to that.
