Who is Matt Wright and Why is He Dangerous?
Jeff S #1 / 6
Lotsa stuff about bad scripting, y2k bugs, general scripting errors, and dangerous "script kiddies" appear all the time in this (and other similar) newsgroup. "Matt Wright" appears invariably in one of those types of threads. Now without trolling, I ask, who is he, why is he dangerous, what can be done (or has anything been) to stop him?

I am a beginning programmer who does not want to fall prey to dangerous bugs or mistakes. I often look for scripts on the internet to learn from and use. How the heck am I s'posed to be able to tell a "script kiddie" from JAPH?

Anyways, I suppose these questions can be responded to in any way; maybe I *am* just trolling. (But what else can I do while waiting for a Mac to reboot?)

ciao ;^P

--
Johns Hopkins University * Baltimore, MD
Wed, 18 Jun 1902 08:00:00 GMT
Kragen Sitak #2 / 6
> Lotsa stuff about bad scripting, y2k bugs, general scripting errors, and
> dangerous "script kiddies" appear all the time in this (and other
> similar) newsgroup. "Matt Wright" appears invariably in one of those
> types of threads. Now without trolling, I ask, who is he, why is he
> dangerous, what can be done (or has anything been) to stop him?

He's an evidently wonderful guy who wrote a bunch of CGI scripts in Perl several years ago and has been offering them for download, for everyone, for free, ever since, out of the goodness of his heart. However, the scripts are very badly written, which he acknowledges, and he is not maintaining them. As a result, many of them contain security holes that have been known for years, and many general bugs.

The result: lots of people download the scripts and need help fixing the same bugs over and over again, and lots of others don't even know the bugs are there. Many people in this newsgroup have complained about this, and there is presently a project underway (see http://www.*-*-*.com/ threads in this newsgroup with {*filter*} and UN{*filter*} in the Subject:) to replace Matt's scripts in the affections of CGI novices with solid code.

> I am a beginning programmer who does not want to fall prey to
> dangerous bugs or mistakes. I often look for scripts on the internet to
> learn from and use. How the heck am I s'posed to be able to tell a
> "script kiddie" from JAPH?

Hmm, I'm not sure how to answer that.

--
Thu Sep 23 1999: 46 days until the Internet stock bubble bursts on Monday, 1999-11-08. <URL: http://www.*-*-*.com/~kragen/bubble.html>
Ethan H. Pool #3 / 6
> Lotsa stuff about bad scripting, y2k bugs, general scripting errors, and
> dangerous "script kiddies" appear all the time in this (and other
> similar) newsgroup. "Matt Wright" appears invariably in one of those
> types of threads. Now without trolling, I ask, who is he, why is he
> dangerous, what can be done (or has anything been) to stop him?

The 'danger' in many of the MSA scripts lies in the fact that few, if any, of them are maintained. He did make an unbelievable number of mistakes in the scripts he wrote, but the real danger, if you will, is the fact that he widely distributes these free scripts yet makes no effort to go back and correct the many bugs in the scripts. This is a good example of "you get what you paid for", and that is worth keeping in mind.

The greatest risk, though, comes from the fact that the vast majority of people downloading and implementing these scripts have no programming knowledge of their own and, as such, are 'blissfully' ignorant of the security risks, Y2K bugs, and the frequent total lack of proper error handling. The risk multiplies when these novices decide to begin learning to program by example based upon the way these scripts were written. Pretty soon we wind up with a lot more novice programmers writing free scripts for distribution to the general public which contain the exact same bugs.

> I am a beginning programmer who does not want to fall prey to
> dangerous bugs or mistakes. I often look for scripts on the internet to
> learn from and use. How the heck am I s'posed to be able to tell a
> "script kiddie" from JAPH?

You'll learn a good bit just from reading everyone's comments in c.l.p.m and c.i.w.a.cgi. Just remember that there will be many novices answering questions in addition to experienced programmers. Also keep in mind that even experienced programmers occasionally make mistakes. Some of the key issues to watch out for, though:

1) Always include proper error handling in your script. This is especially important when receiving input from users, as you can never really predict what they will supply you. If the error occurs in a critical section of the script, at least make sure the script will abort as cleanly as possible.

2) Always perform taint/bounds checking on data, particularly that supplied by a user or their browser.

3) Avoid passing user/form-supplied data to the command line (exec, system, open pipe, backticks, etc.) wherever possible. If you must pass the data to the command line, test it very carefully to make certain it only contains valid options and that no undesirable characters or options can be passed (not every visitor is going to be your friend; some will be up to no good).

4) Always check to make certain that an open on a file succeeded and/or the creation of a new file or directory succeeded.

5) Always look at your scripts from the angle of a user who will be up to no good. Rest assured, any weakness you can find in your script they can too. What happens if the user uploads too much data? Not enough data? The wrong data? Bad data? If there is login-type security, do you reauthenticate the user at every step, or are you assuming they are valid once they get past the login screen? Assumptions can be dangerous. Realize that if your script is sufficiently complex, there will likely be bugs -- be proactive in tracking them down and repairing them.

6) Study and come to understand what the security risks are. Some risks are unavoidable; others can be largely avoided with the proper precautions. Avoid making assumptions about your security -- test it. Learn that obfuscation only complicates matters for a malicious party; it does not offer a true defense.

7) There are many more you will learn with experience; these are just a few that come to mind in the few minutes I had to write this (your choice of programming language(s) will also play a role in the issues you need to be aware of).

--
Ethan H. Poole **** BUSINESS ****
(personal) http://www.interact2day.com/
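An added example (not code from the thread, and not one of Matt Wright's scripts) showing how points 1 through 4 above look in a small Perl CGI handler: taint mode, a whitelist regex to untaint form input, a checked open(), no shell involvement, and a clean abort on bad input. The data file path and the form field names are assumptions, and it relies on CGI.pm being installed.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread or from Matt Wright's scripts.
# Run as "perl -T guestbook.cgi" (or via the shebang) so taint mode is on.
use strict;
use warnings;
use CGI qw(param header);   # assumes CGI.pm is installed

# Assumed (hypothetical) location of the data file this form appends to.
my $DATA_FILE = '/var/www/data/guestbook.txt';

# Point 2: under -T every request value is tainted and may not reach
# open(), system(), backticks etc. until a regex capture whitelists it.
sub untaint_name {
    my ($raw) = @_;
    return unless defined $raw && length($raw) <= 40;
    return $1 if $raw =~ /\A([A-Za-z][A-Za-z0-9 .'-]*)\z/;
    return;                          # anything else is rejected outright
}

# Point 1: fail loudly and early with a proper status, never half-finish.
sub fail {
    my ($msg) = @_;
    print header(-status => '400 Bad Request', -type => 'text/plain');
    print "$msg\n";
    exit 0;
}

my $name = untaint_name(param('name')) or fail('Invalid name');
my $comment = param('comment') // '';
fail('Comment too long') if length($comment) > 2000;
$comment =~ s/[\r\n]+/ /g;           # keep one record per line in the file

# Point 4: check that open() actually succeeded before writing.
# Point 3: Perl writes the file itself; no shell command is ever built.
open my $fh, '>>', $DATA_FILE or fail('Could not append to data file');
# scalar localtime yields a full date string; never build a year by
# prefixing "19" to localtime's years-since-1900 field (hello, 19100).
print {$fh} scalar(localtime), "\t$name\t$comment\n";
close $fh or fail('Could not close data file');

# Escape untrusted text before echoing it so it is never read as markup.
my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
(my $safe = $comment) =~ s/([&<>"])/$ent{$1}/g;
print header(-type => 'text/html'),
      "<p>Thanks, $name. You wrote: $safe</p>\n";
```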
David Cassel #4 / 6
> Lotsa stuff about bad scripting, y2k bugs, general scripting errors, and
> dangerous "script kiddies" appear all the time in this (and other
> similar) newsgroup. "Matt Wright" appears invariably in one of those
> types of threads. Now without trolling, I ask, who is he, why is he
> dangerous, what can be done (or has anything been) to stop him?

Kragen and Ethan already provided good answers. But here's some insight. Matt Wright wrote these scripts when he was about 14 and still learning Perl. I wouldn't want everyone in the world to see the kludgy stuff I wrote when I was 14 and just learning a programming language. But his stuff is omnipresent on the web.

So he isn't dangerous. What is dangerous is the common belief amongst non-programmers that any script found on the web must be okay. Now that his scripts have metastasized all over the web, there is nothing that can be done to stop *him*. However, on 01/01/2000 a few people will find out the embarrassing way that scripts lifted off the web are worth every penny they paid for them. :-)

> I am a beginning programmer who does not want to fall prey to
> dangerous bugs or mistakes. I often look for scripts on the internet to
> learn from and use. How the heck am I s'posed to be able to tell a
> "script kiddie" from JAPH?

Ethan gave some good suggestions here. But there is really no way for the novice to know the difference between a great but complex program by Tom Christiansen and a hideous kludge of a script by J. Random Luser, until they know enough Perl to be able to recognize good perlstyle and good coding when they see it. When I started out learning Perl, I just believed whatever Randal Schwartz and Tom Christiansen and Larry Wall [and a few others] said, and trusted they wouldn't lead me too far astray.

> Anyways, I suppose these questions can be responded to in any way; maybe
> I *am* just trolling.

How could a nice Jewish boy like you be a troll? :-)

David
--
Senior computing specialist, mathematical statistician
Larry Rosl #5 / 6
> ... However, on 01/01/2000 a few people will
> find out the embarrassing way that scripts lifted off the web
> are worth every penny they paid for them. :-)

I think you mean on '01/01/19100'. :-)

--
(Just Another Larry) Rosler
Hewlett-Packard Laboratories
http://www.hpl.hp.com/personal/Larry_Rosler/
Jonathan Stow #6 / 6
> Lotsa stuff about bad scripting, y2k bugs, general scripting errors, and
> dangerous "script kiddies" appear all the time in this (and other
> similar) newsgroup. "Matt Wright" appears invariably in one of those
> types of threads.

Others seem to have addressed most of what is necessary here; however, I might point you to some of the detailed critiques that I and others have posted to this group of some of Mr Wright's extant code - you post from Deja.com, so you should be familiar with the way in which you can find these things.

Bear in mind, however, that whilst Matt Wright may be the most exalted in the Script Kiddie pantheon, he _is_not_the_only_one_ - *any* program found on the web must be treated with suspicion - particularly in the realm of CGI. Of course there are certain unreproachable sources which should be obvious.

I would suggest that if you are really uncertain of the provenance of some piece of 'scripting' that you found on the net and are unable to determine its suitability for its intended purpose, then you should post the URL - the URL mind, not the whole code - to the most appropriate newsgroup for the program in question. It should be borne in mind, however, that - certainly here - people won't be keen on offering support or debugging for these programs, but we will be very keen to point out the shortcomings in this code - occasionally some bored, hyperactive or just plain kind soul might rewrite the thing so it will work properly (and hey, I have a disk full of {*filter*} Perl programs awaiting a rewrite ...). Just tell 'em I sent you ;-}

/J\
--
< http://www.*-*-*.com/ > Hastings: <URL: http://www.*-*-*.com/ >