Beat the Slashdot crowd...

Posted by: DWallach

Beat the Slashdot crowd... - 19/12/2004 22:47

The story, in a nutshell, is that we found a security flaw in Google's Desktop search tool. We told Google a few weeks ago and they've already pushed out a fix. Still, it's a good story. An article about this should be running in tomorrow's New York Times and the inevitable Slashdot hordes will descend on my site like vultures. We've got the site, all to itself, on a Mac Xserve G4 (dual proc, 4GB of memory) with Apache. Hopefully, it won't get crushed.

Thanks also to Cybjorg for his help with the CSS style sheets, and check out the cool logo that my sister put together. I now owe her a favor.

http://seclab.cs.rice.edu

P.S. Please, if any of you guys want to post something to Slashdot or whatever, wait until the story hits the New York Times tomorrow. I offered them an "exclusive" on the story, so hopefully they'll tell the story correctly. There's nothing worse than a story getting butchered by a bad reporter.
Posted by: jimhogan

NO SUBJECT - 19/12/2004 22:53

If you want to achieve your objective, my feelings won't be hurt if you delete your post.

I am now going to place a wager with myself.

Please note that this response is 100 percent content-free.

edit: spelling
Posted by: DWallach

Re: NO SUBJECT - 20/12/2004 00:30

Call me naive, but I assume this board is a community of people who like to know about things first and know how to keep things under their hat (which is often a condition of knowing about things first).
Posted by: jimhogan

Re: NO SUBJECT - 20/12/2004 00:54

Quote:
Call me naive

Never. You're just not as jaundiced as some of us.

I don't have any questions about the overt community. It's just that lurker Anonymous Coward. He gets around!

Well, I haven't lost my bet yet. Handy, that, betting with myself.

Congratulations on your work.
Posted by: tonyc

Re: Beat the Slashdot crowd... - 20/12/2004 01:20

Great stuff, Dan. Good to see hard work pay off, and especially good to see that it was handled the right way with all parties involved. Best of luck to your poor server!
Posted by: DWallach

Re: NO SUBJECT - 20/12/2004 01:25

Quote:
Never. You're just not as jaundiced as some of us.


Well, tomorrow's edition of the NY Times should be hitting their web page in about 90 minutes. It's not like I posted something here a few weeks ago, although cybjorg knew about it because he helped me get the web site working. I had no idea how bizarre the world of style sheets could be.

Edit: it appears to be online right now (90 minutes early) http://www.nytimes.com/2004/12/20/technology/20flaw.html
Posted by: jimhogan

Re: NO SUBJECT - 20/12/2004 01:42

Quote:
I had no idea how bizarre the world of style sheets could be.

I'm learning that if you can completely ignore IE, they ain't that bad

Quote:
Edit: it appears to be online right now (90 minutes early) http://www.nytimes.com/2004/12/20/technology/20flaw.html

Ha! I lost my bet!...(or won, I can't remember).

Just read it. That is quite the piece. Well done. And y'all are famous!
Posted by: DWallach

Re: NO SUBJECT - 20/12/2004 01:47

Quote:
And y'all are famous!


To quote from the otherwise forgettable ¡Three Amigos!: "Not just famous, IN-famous."
Posted by: tonyc

Re: NO SUBJECT - 20/12/2004 01:49

Woohoo! Now I'll know what a "composition flaw" is when I start my new job at the CERT in a couple weeks!
Posted by: jimhogan

Re: NO SUBJECT - 20/12/2004 02:03

Quote:
Woohoo! Now I'll know what a "composition flaw" is when I start my new job at the CERT in a couple weeks!

Well, Woohoo yourself!

Edit: No, I'm not that stupid. No recent mention of CERT (that I missed). Congratulations! New job!

Hey, why aren't you over there getting Dan slashdotted?
Posted by: Daria

Re: NO SUBJECT - 20/12/2004 02:07

Quote:
Quote:
Call me naive

Never. You're just not as jaundiced as some of us.



It's only jaundiced if there's no justification.
Posted by: DWallach

Re: NO SUBJECT - 20/12/2004 02:28

Quote:
Woohoo! Now I'll know what a "composition flaw" is when I start my new job at the CERT in a couple weeks!


It's not exactly a common term. For all I know, I just coined it. It just seems like a way to describe how many security attacks go. It's the opposite of normal computer programming, where you (hopefully) have nice, clean APIs where all the relevant functionality is all in one place. Instead, you're trying to mash something from over here into the slot over there.
Posted by: tonyc

Re: NO SUBJECT - 20/12/2004 03:52

Quote:
Edit: No, I'm not that stupid. No recent mention of CERT (that I missed). Congratulations! New job!

Thanks! I did plan on crafting a "life update" post over the Xmas -> New Year's week when I'll be up visiting family and thus bored for extended periods of time after everyone goes to bed. I've actually been very scarce on the BBS lately, trying to move into my new (to me) townhouse and adjust to the new surroundings here in the Pittsburgh area. Anyway, I have a few minutes, so I'll go ahead and post that now, but in another thread, so as not to cloud this one up with autobiographical nonsense.
Quote:
Hey, why aren't you over there getting Dan slashdotted?

<whoosh> Over where?
Posted by: tonyc

Re: "composition flaw" - 20/12/2004 03:58

Quote:
It's not exactly a common term. For all I know, I just coined it.

Cool. I had never heard the term, but it does sound like an appropriate way to describe it.
Posted by: bonzi

Re: Beat the Slashdot crowd... - 20/12/2004 05:31

Congrats, Dan! I find especially impressive the fact that this work was a part of a student project. You certainly seem to be teaching them well down there in Texas! (But what else to expect from someone with results like yours)

I also like the web page about the discovery - clear, complete, slightly understated. No symptoms of slashdotting yet, BTW.

Heck, even NYT almost got it right (first paragraphs are a bit off ("which could permit an attacker to secretly search the contents of a personal computer via the Internet"), but they cleared it up later in the text).

Impressive, all together!
Posted by: bonzi

Re: NO SUBJECT - 20/12/2004 05:34

Quote:
"Not just famous, IN-famous."

Heh, especially with Diebold
Posted by: cushman

Re: Beat the Slashdot crowd... - 20/12/2004 14:15

http://www.pcworld.com/news/article/0,aid,118999,pg,1,RSS,RSS,00.asp

PC World article posted, mentions your website, but does not provide a link.
Posted by: msaeger

Re: Beat the Slashdot crowd... - 20/12/2004 14:47

HardOCP mentioned it also; they linked to cnet news.com
Posted by: tonyc

Re: Beat the Slashdot crowd... - 20/12/2004 16:04

And here they come! At least they were kind enough to just post the NY Times link in the story... Maybe that'll save the server.
Posted by: DWallach

Re: Beat the Slashdot crowd... - 20/12/2004 17:14

So far, the load on the server has been relatively light - a couple hundred hits.
Posted by: DWallach

Re: Beat the Slashdot crowd... - 20/12/2004 20:56

All said and done, we're currently at 924 visitors to the home page and 1144 downloads of the tech report. Slashdot never linked to us from their home page; those downloads are from newspaper articles or from Slashdot readers. Eventually, I'll do a more detailed breakdown on the referrer logs, but this hardly even counts as a Slashdotting.
Posted by: tonyc

Re: Beat the Slashdot crowd... - 21/12/2004 03:01

Quote:
but this hardly even counts as a Slashdotting.

You sound so... disappointed.

I know, I know, it was the anticipation.. the buildup.. and then.... nothing.

Kinda like Y2K...
Posted by: g_attrill

Re: Beat the Slashdot crowd... - 21/12/2004 07:57

Woo, a mention on The Register too, top story this morning:

http://www.theregister.co.uk/2004/12/20/google_desktop_flaw/

Still no link though!

Gareth
Posted by: mdavey

Re: Beat the Slashdot crowd... - 21/12/2004 09:08

http://www.google.com/googleblog/
Posted by: Ezekiel

Re: Beat the Slashdot crowd... - 21/12/2004 15:53

Dan - you know no real Slashdotter actually reads the article!

-Zeke
Posted by: DWallach

Re: Beat the Slashdot crowd... - 21/12/2004 16:27

Or, 1000 out of, what, hundreds of thousands, actually decided to dig deeper. Now I just have to get the class grades done. They're due today...
Posted by: mcomb

Re: Beat the Slashdot crowd... - 22/12/2004 04:24

I'm pretty sure you made the SF bay area news last night as well. I saw a preview mentioning a Google bug and a screenshot that looked an awful lot like your web page. Unfortunately, I missed the actual report and I'm not sure which network it was.

-Mike
Posted by: ashmoore

Re: NO SUBJECT - 22/12/2004 11:41

Hey! You even made News8Austin !!
Posted by: bonzi

Re: Beat the Slashdot crowd... - 22/12/2004 12:23

You have been for over a day one of "top seven but not top two" Google news stories (those in right top corner), and still only a thousand hits? People seem to have a very short attention span these days...
Posted by: DWallach

Re: Beat the Slashdot crowd... - 22/12/2004 15:48

The latest stats:
- 3647 hits for the CSS style sheet (which says something about unique visitors)
- 4687 hits for the PDF tech report (several news reports linked directly to the PDF)

Not bad, I suppose...