Slashdot Mirror


MySql.com Hacked With Sql Injection

iceco2 writes "MySql.com and associated sites were hacked today. Among other items some simple passwords were recovered and private emails were revealed. Ironically the attack was performed using a blind sql injection attack."

28 of 288 comments

  1. Incoming botswarm by symbolset · · Score: 5, Funny

    Microsoft web serving products? How dumb can a bot get? Turing fail.

    --
    Help stamp out iliturcy.
  2. Re:Another report by AsmCoder8088 · · Score: 3, Interesting

    Okayyyyyyyy... MS astroturfing, anyone?

  3. USE BIND VARIABLES by MoNsTeR · · Score: 4, Interesting

    Jesus fuck, people. It's not rocket surgery.

    If you use bind variables, you CANNOT be SQL-injected.

    If you don't, you can be.

    It's that fucking simple. Do The Right Thing.

    1. Re:USE BIND VARIABLES by Dunbal · · Score: 4, Funny

      Jesus fuck, people. It's not rocket surgery.

      Apparently it's brain science.

      --
      Seven puppies were harmed during the making of this post.
    2. Re:USE BIND VARIABLES by Just+Some+Guy · · Score: 5, Insightful

      SQL = """
      SELECT make, model
      FROM vehicle
      WHERE vin IN (%s)
      """ % ', '.join(["%s"] * len(VINs))

      My eyes, they bleed! Write that like:

      VINs = ("1M8GDM9A_KP042788", "1M8GDM9A_KP042789")
      SQL = """
      SELECT make, model
      FROM vehicle
      WHERE vin = ANY(%(vin)s)"""
      dbconn.execute(SQL, {'vin': VINs})

      Or even better:

      vehicles = session.query(Vehicle).filter(Vehicle.vin.in_(VINs))

      Voila. Those work, they're not hideous, and they prevent injection. To repeat the earlier idea: there's no need to write unsafe code. If you are, you're in the wrong line of work.

      --
      Dewey, what part of this looks like authorities should be involved?
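The point the two comments above are making (placeholders generated by code, values bound separately) can be checked end to end with the standard library. The following is an added example, not code from the thread; it uses Python's sqlite3 module with qmark ("?") placeholders rather than the pyformat style shown above, builds a constructed vehicle table in memory, and puts a string-spliced lookup beside the bound-variable version so the difference in behaviour is visible on the same input.

```python
import sqlite3

# Constructed sample rows; VINs are made up and not related to any real vehicle.
VEHICLES = [
    ("1M8GDM9A_KP042788", "Ford", "Mustang"),
    ("1M8GDM9A_KP042789", "Honda", "Civic"),
    ("1M8GDM9A_KP042790", "Toyota", "Corolla"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vehicle (vin TEXT PRIMARY KEY, make TEXT, model TEXT)")
    conn.executemany("INSERT INTO vehicle VALUES (?, ?, ?)", VEHICLES)
    return conn


def lookup_unsafe(conn, vins):
    """The anti-pattern: caller-supplied strings are spliced into the SQL text.

    Whatever the caller passes becomes part of the statement, so the query's
    meaning depends on the data.
    """
    quoted = ", ".join("'%s'" % v for v in vins)
    sql = "SELECT make, model FROM vehicle WHERE vin IN (%s)" % quoted
    return conn.execute(sql).fetchall()


def lookup_safe(conn, vins):
    """Bind variables: one '?' per value, values handed to the driver separately.

    The only thing generated from the *length* of the input is the placeholder
    list; the input *contents* never touch the SQL text, so they can only ever
    be compared against the vin column as literal strings.
    """
    vins = list(vins)
    if not vins:
        # 'IN ()' is a syntax error on several databases; short-circuit instead.
        return []
    placeholders = ", ".join(["?"] * len(vins))
    sql = "SELECT make, model FROM vehicle WHERE vin IN (%s)" % placeholders
    return conn.execute(sql, vins).fetchall()


def demo():
    """Run both lookups on a normal input and on a tautology-style string."""
    conn = make_db()
    normal = ["1M8GDM9A_KP042788"]
    hostile = ["x') OR ('1'='1"]  # constructed input that closes the IN list early
    return {
        "safe_normal": lookup_safe(conn, normal),
        "unsafe_hostile_rows": len(lookup_unsafe(conn, hostile)),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With the spliced version the hostile string changes the WHERE clause and every row comes back; with the bound version the same string is just a VIN that does not exist and the result is empty. Note that the `%` in `lookup_safe` only ever substitutes a string of question marks that the code itself produced, which is the same idea as the `', '.join(["%s"] * len(VINs))` line criticised above, only written so the placeholder list and the data cannot be confused.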
    3. Re:USE BIND VARIABLES by JustinRLynn · · Score: 4, Informative

      You know, I could be a smart arse and say this rules out most people that choose to use PHP, but I think my karma would burn. Oh wait....

  4. Re:Another report by symbolset · · Score: 4, Informative

    180 words, under 1 minute by the timestamp. It was actually under 30 seconds. Bot. A prepared response to any article containing "hacked" and "mysql"

    --
    Help stamp out iliturcy.
  5. Yo Dawg by mrstrano · · Score: 5, Funny

    I herd you like Sql, so we injected Sql in your Sql so you can have Sql while you code MySql

    1. Re:Yo Dawg by MarkRose · · Score: 5, Funny

      An SQL statement walks into a bar and sees two tables and says, "Hello, may I join you?"

      --
      Be relentless!
    2. Re:Yo Dawg by Sparks23 · · Score: 4, Funny

      Honestly, "YourSQL" seems more accurate than "MySQL" given that apparently even the developers can't keep control of their own database. ;P

      --
      --Rachel
    3. Re:Yo Dawg by MarkRose · · Score: 3, Funny

      Pardon the grammatical gaff, but don't you mean YourSOL? :-)

      --
      Be relentless!
  6. Re:Another report by Dunbal · · Score: 3

    Not trusting the user input is rule #1 of programming - from way before the internet era. I'm only a programmer by hobby and even I know that. What do they teach these kids at school?

    --
    Seven puppies were harmed during the making of this post.
  7. The work of a lonely developer by danielcolchete · · Score: 4, Insightful

    Even inside a big team of a big company it is amazing how so many people are working by themselves. That's the kind of error that a simple code review by an experienced programmer would have avoided (use bind variables/prepared statements).

  8. Re:That's Not Ironic by 6031769 · · Score: 4, Insightful

    Ironic is when one's words say one thing and one's actions another that contradict it.

    No, that's hypocrisy, not irony. Try again.

    --
    Burns: We're building a casino!
    McAllister: Arrr. Give me 5 minutes.
  9. Yes it is by pavon · · Score: 4, Informative

    Ironic is when one's words say one thing and one's actions another that contradict it.

    No, that is hypocritical. Situational Irony is where the outcome has a humorous incongruity or discrepancy from what one would expect, or from what would normally be implied by the situation. The fact that the company which produces and sells MySQL wasn't using SQL correctly is indeed ironic.

  10. Re:That's Not Ironic by Anonymous Coward · · Score: 3, Funny

    You would expect a person correcting the summary's definition of irony to be aware that there are multiple definitions of irony. The grandparent was clearly ignorant of this fact, thus making the comment meta-ironic.

  11. Does xkcd explain it? by Anonymous Coward · · Score: 3, Funny
    1. Re:Does xkcd explain it? by Tridus · · Score: 3, Insightful

      I have that comic taped to my door. Any programmer who walks by, reads it, and doesn't laugh is someone I watch VERY carefully when they write any code that touches a database.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  12. Re:Too bad by KiloByte · · Score: 5, Insightful

    Let's think if Oracle has something to gain from intentionally tarnishing the reputation of a product they want to kill.

    I'm not saying it's foul play for sure, just pointing out they do have an incentive to do so.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  13. Re:Another report by PopeRatzo · · Score: 5, Insightful

    Note the parent's comment.

    Does anyone still want to challenge my assertion that Slashdot is under an ongoing escalated attack from organized astroturfers of the New Media Strategies and Reputation Defender variety? I'm betting the MS is using in-house talent for this purpose, but it's quite possible that they are using New Media Strategies or another such company to keep the activity at arm's length to provide deniability. I wouldn't be surprised if 100,000 or more of the accounts with UIDs over 1500000 belong to employees of these companies or departments. Slashdot is a good target for them because so many of us are in influential or decision-making positions at our companies or are opinion-drivers due to our reputation as "computer nerds". A Slashdot story with an energetic discussion which is negative on say, AT&T can have an out-sized influence on opinion regarding that company, due to both word of mouth and search engine results.

    One only has to watch any story that is critical of a major US company to see this behavior, which usually shows up as ignorant "frosty piss" trolling followed by >2000000 UID comments (often densely written) followed by a string of sockpuppet "bumping". The tactic is to disrupt the discussion to the point where serious opinion is abandoned. It can work because many don't have java-script enabled so you can't even collapse the offending thread.

    --
    You are welcome on my lawn.
  14. Re:That's Not Ironic by LordLucless · · Score: 4, Funny

    Ironically, the OP correcting someone else for not using ironic correctly is both hypocritical and ironic.

    --
    Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  15. Re:That's Not Ironic by MarkRose · · Score: 4, Funny

    Screwing up irony is the only thing that unleashes the linguists with such ferrousity.

    --
    Be relentless!
  16. Re:That's Not Ironic by MarkRose · · Score: 4, Funny

    Like Oracle not seeing it coming?

    --
    Be relentless!
  17. Re:What year is it? by Software+Geek · · Score: 3, Funny

    When interviewing people for QA positions, I routinely ask "Do you know what an SQL injection attack is?"
    I have never yet interviewed a candidate who answered yes.
    So, then I explain what an SQL injection attack is, and ask how they would test for vulnerability to one.
    Almost without exception, the answer is "I guess I would try entering some special characters and keywords into the GUI, and see what happens."

  18. Re:That's Not Ironic by dr2chase · · Score: 4, Funny

    I think your pun detector is a little rusty.

  19. Re:Password hashing + salt? by BCoates · · Score: 3, Informative

    The salt isn't a second secret, it's there to prevent the use of a pre-constructed rainbow table for the standard hash functions. Without a rainbow table, you can still do dictionary attacks of weak passwords--and there is no way to prevent this short of not using passwords for authentication. This only harms people who use guessable passwords and re-use passwords between sites.
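The comment above describes what a salt does and does not do. The following is an added example, not code from the thread, using only Python's standard library: a per-user random salt with PBKDF2-HMAC-SHA256 (the iteration count is an assumed, deliberately low value so the block runs quickly). It shows that the salt is stored in the clear next to the digest, that two users with the same password get different stored values (which is what defeats a precomputed table and also stops an onlooker from spotting shared passwords), and that verification still works because the salt is not secret.

```python
import hashlib
import hmac
import os

# Assumed work factor for the demonstration; production deployments use far more.
ITERATIONS = 50_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return (salt, digest). The salt is random per call unless supplied.

    The salt is not a secret: it is stored beside the digest so that verification
    can recompute the same derivation later.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def unsalted_hash(password):
    """What a store without salt looks like: one fixed output per password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def shared_password_visible(password, salted):
    """Store the same password for two constructed users and report whether the
    two stored values are identical (i.e. whether a shared password is visible
    without cracking anything and whether one precomputed table would cover both)."""
    if salted:
        _, d1 = hash_password(password)
        _, d2 = hash_password(password)
    else:
        d1 = unsalted_hash(password)
        d2 = unsalted_hash(password)
    return d1 == d2


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("salt (hex):", salt.hex())
    print("verify ok:", verify_password("correct horse battery staple", salt, digest))
    print("verify bad:", verify_password("wrong", salt, digest))
    print("unsalted store reveals shared password:", shared_password_visible("hunter2", salted=False))
    print("salted store reveals shared password:", shared_password_visible("hunter2", salted=True))
```

What the salt does not change is the comment's second point: someone holding the salt and digest can still run each guess from a word list through the same derivation, so the slow, iterated hash buys time but only an unguessable password removes the exposure.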

  20. Re:What year is it? by discord5 · · Score: 3, Insightful

    When interviewing people for QA positions, I routinely ask "Do you know what an SQL injection attack is?"

    Hahaha, reminds me of what I used to do to interns. We used to get a bunch of interns every year, and every year we'd have them develop small web applications for internal use. They'd work on their project and after a few weeks we'd come in and evaluate their work, steer them in the right direction (if that wasn't necessary earlier) and do a few tests.

    The first thing I always asked was "Do you have a backup?" and after the inevitable googling of the mysqldump command I'd be an utter bastard and sneak in a DROP TABLE, or DELETE FROM statement in the URL bar, right after id=x, and surely enough most of the times it would work.

    "It looks really great, but I think there's a problem with it. Maybe you want to check the logfiles to see what happened." to see if they'd see what was the problem, and if they didn't I would explain an SQL injection attack to them. Few of them managed to find the solution on google, but most immediately suggested such things as "I'll check for ; in the string" which inevitably led to me trashing their tables about 10 minutes later. I have to say, once they had their tables dropped twice they became real careful of permissions and handling SQL statements.

    In a way I hope they learned something from having a complete bastard as a mentor, although I'm sure that a few of them have already forgotten about that one time a single statement ruined their database. Oh well...

  21. Re:Another report by hairyfeet · · Score: 4, Interesting

    Which is why I have a question: WTF is up with the MS Shill brigade on /. lately? I've only noticed it for about the past three weeks or so, but damned the shit is getting thick. Look at the one that posted on the Nook hack, the very first post is "I Wish Microsoft would have released the Courier" complete with link for those that don't know what that bullshit vaporware was in the first place. I mean did they get a deal on that HB Gary software or what? And why are they so insecure? I mean sure WinPhone is dead last but Windows 7 is nice, and the X360 is doing well. So what is up with the rampant MSFT shilling? Do they fire your ass if you don't post X number of shill posts or something?

    As for TFA, garbage in, garbage out. I don't care if you code in VB 6 or Brainfuck if you write sloppy code it WILL come back to bite you in the ass. But trying to blame this on the language, to use a /. car analogy, would be like trying to blame Ford because someone got drunk and hit a kid with their Mustang. A tool is only as good as the person using it, full stop. I've seen clean code and lousy shit in just about every language. It ain't the tool that's the problem it is PEBKAC. But they should get extra points for the sheer irony factor. I mean a site promoting SQL falling for the oldest trick in the book? Bobby Drop Tables anyone?

    --
    ACs don't waste your time replying, your posts are never seen by me.