Who is Matt Wright and Why is He Dangerous?
| Author |
Message |
|
Jeff S
#1 / 6
|
 Who is Matt Wright and Why is He Dangerous? Lotsa stuff about bad scripting, y2k bugs, general scripting errors, and
dangerous "script kiddies" appear all the time in this (and other
similar) newsgroup. "Matt Wright" appears invariably in one of those
type of threads. Now without trolling, i ask, who is he, why is he
dangerous, what can be done (or has anything been) to stop him?
I am a beginning programmer who does not want to fall prey to
dangerous bugs or mistakes. I often look for scripts on the internet to
learn from and use. How the heck am i s'posed to be able to tell a
"script kiddie" from JAPH?
anyways, i suppose these questions can be responded to in any way; maybe
I *am* just trolling.
(but what else can I do while waiting for a Mac to reboot?)
ciao ;^P
--
| |\ /\ ---------------------------------------*
\/ |/ \/ Johns Hopkins University * Baltimore, MD
Sent via Deja.com http://www.*-*-*.com/
Before you buy.
|
| Wed, 18 Jun 1902 08:00:00 GMT |
|
 |
|
Kragen Sitak
#2 / 6
|
Who is Matt Wright and Why is He Dangerous?
Quote: >Lotsa stuff about bad scripting, y2k bugs, general scripting errors, and
>dangerous "script kiddies" appear all the time in this (and other
>similar) newsgroup. "Matt Wright" appears invariably in one of those
>type of threads. Now without trolling, i ask, who is he, why is he
>dangerous, what can be done (or has anything been) to stop him?
He's an evidently wonderful guy who wrote a bunch of CGI scripts in
Perl several years ago and has been offering them for download, for
everyone, for free, ever since, out of the goodness of his heart.
However, the scripts are very badly written, which he acknowledges, and
he is not maintaining them. As a result, many of them contain security
holes that have been known for years, and many general bugs.
The result: lots of people download the scripts and need help fixing
the same bugs over and over again, and lots of others don't even know
the bugs are there.
Many people in this newsgroup have complained about this, and there is
presently a project underway (see http://www.*-*-*.com/
threads in this newsgroup with {*filter*}and UN{*filter*}in the Subject:) to
replace Matt's scripts in the affections of CGI novices with solid code.
Quote: > I am a beginning programmer who does not want to fall prey to
>dangerous bugs or mistakes. I often look for scripts on the internet to
>learn from and use. How the heck am i s'posed to be able to tell a
>"script kiddie" from JAPH?
Hmm, I'm not sure how to answer that.
--
Thu Sep 23 1999
46 days until the Internet stock bubble bursts on Monday, 1999-11-08.
<URL: http://www.*-*-*.com/ ~kragen/bubble.html>
|
| Wed, 18 Jun 1902 08:00:00 GMT |
|
|
|
Ethan H. Pool
#3 / 6
|
Who is Matt Wright and Why is He Dangerous? Quote:
> Lotsa stuff about bad scripting, y2k bugs, general scripting errors, and
> dangerous "script kiddies" appear all the time in this (and other
> similar) newsgroup. "Matt Wright" appears invariably in one of those
> type of threads. Now without trolling, i ask, who is he, why is he
> dangerous, what can be done (or has anything been) to stop him?
The 'danger' in many of the MSA scripts lies in the fact that few, if any
of them are maintained. He did make an unbelievable number of mistakes in
the scripts he wrote, but the real danger if you will is the fact that he
widely distributes these free scripts yet makes no effort to go back and
correct the many bugs in the scripts. This is a good example of "you get
what you paid for", and that is worth keeping in mind.
The greatest risk, though, comes from the fact that the vast majority of
people downloading and implementing these scripts have no programming
knowledge of their own and, as such, are 'blissfully' ignorant of the
security risks, Y2K bugs, and the frequent total lack of proper error
handling.
The risk multiples when these novices decide to begin learning to program
by example based upon the way these scripts were written. Pretty soon we
wind up with a lot more novice programmers writing free scripts for
distribution to the general public which contain the exact same bugs.
Quote: > I am a beginning programmer who does not want to fall prey to
> dangerous bugs or mistakes. I often look for scripts on the internet to
> learn from and use. How the heck am i s'posed to be able to tell a
> "script kiddie" from JAPH?
You'll learn a good bit just from reading everyone's comments in c.l.p.m
and c.i.w.a.cgi. Just remember that there will be many novices answering
questions in addition to experienced programmers. Also keep in mind that
even experienced programmers occassionally make mistakes.
Some of the key issues to watch out for though:
1) Always included proper error-handling in your script. This is
especially important when receiving input from users as you can never
really predict what they will supply you. If the error occurs in a
critical section of the script, at least make sure the script will abort
as cleanly as possible.
2) Always perform taint/bounds checking on data, particularly that
supplied by a user or their browser.
3) Avoid passing user/forms supplied data to the command line (exec,
system, open pipe, backticks, etc) wherever possible. If you must pass
the data to the command line, test it very carefully to make certain it
only contains valid options and that no undesirable characters or options
can be passed (not every visitor is going to be your friend, some will be
up to no-good).
4) Always check to make certain that an open on a file succeeded and/or
the creation of a new file or directory succeeded.
5) Always look at your scripts from the angle of a user who will be up to
no-good. Rest assured, any weakness you can find in your script they can
too. What happens if the user uploads too much data? Not enough data?
The wrong data? Bad data? If there is login type security, do you
reauthenticate the user at every step or are you assuming they are valid
once they get past the login screen - assumptions can be dangerous.
Realize that if your script is sufficiently complex that there will likely
be bugs -- be proactive in tracking them down and repairing them
6) Study and come to understand what the security risks are. Some risks
are unavoidable, others can be largely avoided with the proper
precautions. Avoid making assumptions about your security -- test it.
Learn that obfuscation only complicates matters for a malicious party, it
does not offer a true defense.
7) There are many more you will learn with experience, these are just a
few that come to mind in the few minutes I had to write this (your choice
of programming language(s) will also play a role in the issues you need to
be aware of).
--
Ethan H. Poole **** BUSINESS ****
(personal) http://www.interact2day.com/
|
| Wed, 18 Jun 1902 08:00:00 GMT |
|
|
|
David Cassel
#4 / 6
|
Who is Matt Wright and Why is He Dangerous? Quote:
> Lotsa stuff about bad scripting, y2k bugs, general scripting errors, and
> dangerous "script kiddies" appear all the time in this (and other
> similar) newsgroup. "Matt Wright" appears invariably in one of those
> type of threads. Now without trolling, i ask, who is he, why is he
> dangerous, what can be done (or has anything been) to stop him?
Kragen and Ethan already provided good answers. But here's
some insight. Matt Wright wrote these scripts when he was
about 14 and still learning Perl. I wouldn't want everyone
in the world to see the kludgy stuff I wrote when I was 14 and
just learning a programming language. But his stuff is omni-
present on the web. So he isn't dangerous. What is dangerous
is the common belief amongst non-programmers that any script
found on the web must be okay. Now that his scripts have
metastatized all over the web, there is nothing that can be
done to stop *him*. However, on 01/01/2000 a few people will
find out the embarrassing way that scripts lifted off the web
are worth every penny they paid for them. :-)
Quote: > I am a beginning programmer who does not want to fall prey to
> dangerous bugs or mistakes. I often look for scripts on the internet to
> learn from and use. How the heck am i s'posed to be able to tell a
> "script kiddie" from JAPH?
Ethan gave some good suggestions here. But there is really
no way for the novice to know the difference between a great
but complex program by Tom Christiansen, and a hideous kludge
of a script by J. Random Luser, until they know enough Perl
to be able to recognize good perlstyle and good coding when
they see it. When I started out learning Perl, I just believed
whatever Randal Schwartz and Tom Christiansen and Larry Wall
[and a few others] said, and trusted they wouldn't lead me
too far astray.
Quote: > anyways, i suppose these questions can be responded to in any way; maybe
> I *am* just trolling.
How could a nice Jewish boy like you be a troll? :-)
David
--
Senior computing specialist
mathematical statistician
|
| Wed, 18 Jun 1902 08:00:00 GMT |
|
|
|
Larry Rosl
#5 / 6
|
Who is Matt Wright and Why is He Dangerous?
...
Quote: > ... However, on 01/01/2000 a few people will
> find out the embarrassing way that scripts lifted off the web
> are worth every penny they paid for them. :-)
I think you mean on '01/01/19100'. :-)
--
(Just Another Larry) Rosler
Hewlett-Packard Laboratories
http://www.hpl.hp.com/personal/Larry_Rosler/
|
| Wed, 18 Jun 1902 08:00:00 GMT |
|
|
|
Jonathan Stow
#6 / 6
|
Who is Matt Wright and Why is He Dangerous?
Quote: > Lotsa stuff about bad scripting, y2k bugs, general scripting errors, and
> dangerous "script kiddies" appear all the time in this (and other
> similar) newsgroup. "Matt Wright" appears invariably in one of those
> type of threads.
Others seem to have addressed most of what is necessary here, however
I might point you to some of the detailed critiques that I and others
have posted to this group of some of Mr Wrights extant code - you post
from Deja,com so you should be familiar with the way in which you can
find these things.
Bear in mind however that whilst Matt Wright may be the most exalted
in the Script Kiddie pantheon he _is_not_the_only_one_ - *any* program
found on the web must be treated with suspicion - particularly in the
realm of CGI. Of course there are certain unreproachable sources
which should be obvious.
I would suggest that if you are really uncertain of the provenance of some
piece of 'scripting' that you found on the net and are unable to determine
its suitability for its intended purpose then you should post the URL - the
URL mind not the whole code - to the most appropriate newsgroup for the
program in question. I should be borne in mind however that - certainly
here - people won't be keen on offering support or debugging for these
programs but will we be very keen to point out the shortcomings in this
code - occasionaly some bored, hyperactive or just plain kind soul might
rewrite the thing so it will work properly ( an hey I have a disk full
of {*filter*}Perl programs awaiting a rewrite ... ).
Just tell 'em I sent you ;-}
/J\
--
< http://www.*-*-*.com/ >
Hastings: <URL: http://www.*-*-*.com/ ;
|
| Wed, 18 Jun 1902 08:00:00 GMT |
|
| |
|
