
MySql.com Hacked With Sql Injection

samzenpus posted more than 3 years ago | from the we-got-a-breach dept.


iceco2 writes "MySql.com and associated sites were hacked today. Among other items some simple passwords were recovered and private emails were revealed. Ironically the attack was performed using a blind sql injection attack."


288 comments


Another report (2)

symbolset (646467) | more than 3 years ago | (#35632554)

Some evidence of server issues here already. Another report: A proper link? [sophos.com]

Re:Another report (-1, Troll)

neverforget (2027512) | more than 3 years ago | (#35632562)

Well, I think it's one of the major problems with PHP and MySQL. By default the combination allows extremely unsafe code, or I should even say encourages it. I'm all for allowing the coder to take those routes if he wants to, but for the love of god, teach the noobs to program safely. While you can use safe methods with PHP and MySQL, other languages encourage it. For example C# combined with Microsoft SQL Server makes sure the programmer is coding safe code. On top of that MSSQL is a speedy, stable product that is used by millions of individuals and enterprises. For me that sure does tell about quality, and by looking at the companies using Microsoft SQL Server I'm even happier to pick it as my platform. btw, I personally found their Microsoft SQL Azure cloud-based database services absolutely stunning. They are highly scalable, ultra fast and automatically taken care of for you. As a hobbyist web based game developer it's performance I wouldn't have money to get elsewhere. And the sheer quality of the service is absolutely great.

Incoming botswarm (5, Funny)

symbolset (646467) | more than 3 years ago | (#35632586)

Microsoft web serving products? How dumb can a bot get? Turing fail.

Re:Incoming botswarm (1)

mace9984 (1406805) | more than 3 years ago | (#35632884)

+1 funny

Re:Another report (2, Insightful)

Anonymous Coward | more than 3 years ago | (#35632594)

No offense. Bad code can be written in any language.

Re:Another report (2)

WrongSizeGlass (838941) | more than 3 years ago | (#35632614)

This article is a tad harsh on MySQL.com - and rightfully so:
* The domain's SSL expired a month ago
* Some of the passwords for the account 'sysadm' were “qa”
* Their website was obviously not properly secured

Re:Another report (2)

WrongSizeGlass (838941) | more than 3 years ago | (#35632628)

This article is a tad harsh on MySQL.com - and rightfully so:

That should have been This article [securingsqlserver.com] . D'oh!

Re:Another report (1)

Goaway (82658) | more than 3 years ago | (#35632754)

Of course. That is hardly relevant. The question is, how hard is it to write bad code?

Re:Another report (1)

guybrush3pwood (1579937) | more than 3 years ago | (#35632596)

Bill, is that you?

Re:Another report (3, Interesting)

AsmCoder8088 (745645) | more than 3 years ago | (#35632604)

Okayyyyyyyy... MS astroturfing, anyone?

Re:Another report (4, Informative)

symbolset (646467) | more than 3 years ago | (#35632648)

180 words, under 1 minute by the timestamp. It was actually under 30 seconds. Bot. A prepared response to any article containing "hacked" and "mysql"

Re:Another report (1)

igreaterthanu (1942456) | more than 3 years ago | (#35632682)

Or whoever posted it has a subscription on another account perhaps?

Re:Another report (0)

Anonymous Coward | more than 3 years ago | (#35632778)

Was yours a canned response too? I see you're always writing about Microsoft... albeit with more intelligence than devxo possesses.

If you were paying attention you'd notice that devxo's 30-second post was a reply - he could not have composed it in advance. Which confirms beyond all doubt that he is in fact a shill.

Re:Another report (0)

Anonymous Coward | more than 3 years ago | (#35632844)

Paranoid much? Perhaps you should leave your mum's basement and get some sunlight...

Re:Another report (0)

Anonymous Coward | more than 3 years ago | (#35632882)

My mum's attic allows plenty of sunlight through the cage bars, you insensitive clod!

Re:Another report (1)

igreaterthanu (1942456) | more than 3 years ago | (#35632874)

You don't think I could have typed that one sentence by hand within 6 minutes? I admit that my last few comments I've made have been about Microsoft but I have made many comments on other topics too.

Why couldn't he have composed it in advance? The story was posted in advance and anyone with a slashdot subscription could have read it, composed a reply, created a disposable account and then pasted the response into the story. Is it really so hard to copy and paste within 30 seconds if you are given plenty of warning of which 30 seconds it will be?

Re:Another report (1)

Anonymous Coward | more than 3 years ago | (#35632936)

A 30s reply to symbolset could not have been composed in advance. Only a shill would compose a story response, then post it as a reply to someone. As usual, he did it to get the most views (since responses to symbolset would push his post down the page otherwise).

Re:Another report (1)

Anonymous Coward | more than 3 years ago | (#35632730)

Perhaps he hacked /.'s mysql server to alter the timestamp? I bet he created a GUI in Visual Basic to hack the IP address.

Re:Another report (0)

Anonymous Coward | more than 3 years ago | (#35633060)

Okayyyyyyyy... MS astroturfing, anyone?

Don't you know it's not cool to hate MS now? It's cool to hate Apple (and to a lesser extent Google).

Re:Another report (0)

Anonymous Coward | more than 3 years ago | (#35632618)

I'm in. Where can I buy these wonderful microsoft products?

Re:Another report (0)

WrongSizeGlass (838941) | more than 3 years ago | (#35632636)

I'm in. Where can I buy these wonderful microsoft products?

I think you can buy them by calling 1-800-MS-SHILL

Re:Another report (1)

halestock (1750226) | more than 3 years ago | (#35632620)

laying it on a bit thick, aren't you?

Re:Another report (1)

Cidolfas (1358603) | more than 3 years ago | (#35632640)

Or better idea: just use PHP's PDO module for your SQL interactions, regardless of backend database. It makes bad code just as hard to write in PHP as it is in C# (which means, still easy but most use-cases are at least sanitized).

Re:Another report (1)

MarkRose (820682) | more than 3 years ago | (#35632922)

Using PDO isn't sufficient. You also have to bind all your values/parameters. Just sticking variables into the SQL statement won't save you.

Then there's the extra round trip performance overhead of using a prepared statement if created in PHP and not saved in MySQL.

Re:Another report (1)

Cidolfas (1358603) | more than 3 years ago | (#35633226)

True, I was just saying it brings PHP into parity with .net

Re:Another report (1)

bondsbw (888959) | more than 3 years ago | (#35632664)

I have been a C# developer since .NET 1.0, and worked with MS SQL Server just as long. I love them, and recommend them wholeheartedly to everyone I know. But if you think C# + MSSQL = Safe, you've probably already been hacked.

Sure, C# via ADO.NET has parameterized queries to help prevent SQL injection, and we have the Entity Framework and such goodies, but all I need to do is "SELECT * FROM MyDB WHERE ID = " + queryStringID + ";". String concatenation... it's a feature of C#, and because of it you suddenly get to do with my database as you please. You're welcome.

And it happens all the time, since it's the most straightforward way to access a SQL database.

Besides, I doubt MySQL is that much less secure than MSSQL. PHP is the traditional culprit... on that point, we agree.

Re:Another report (1)

marcello_dl (667940) | more than 3 years ago | (#35632678)

>As a hobbiest web based game developer it's performance I wouldn't have money to get elsewhere.

sooo... you really haven't been far as decided to use even go want to do look more like, I guess.

Re:Another report (2)

petteyg359 (1847514) | more than 3 years ago | (#35632780)

That's like an SQL injection attack for the brain. Just trying to figure out what you said is causing corruption.

Re:Another report (3)

Dunbal (464142) | more than 3 years ago | (#35632728)

Not trusting the user input is rule #1 of programming - from way before the internet era. I'm only a programmer by hobby and even I know that. What do they teach these kids at school?

Re:Another report (0)

Anonymous Coward | more than 3 years ago | (#35633042)

What do they teach these kids at school?

To suck up to the right people and to look down your nose at everyone else. It's a much more certain way to climb the corporate ladder than having skill.

Re:Another report (1)

Max Littlemore (1001285) | more than 3 years ago | (#35632752)

Well, I think it's one of the major problems with C# and MS SQL Server. By default the combination allows extremely unsafe code. or I should even say encourages. I'm all for allowing for the coder to take those routes if he wants to, but for the love of god, teach the noobs to program safely. While you can use safe methods with C# and MS SQL Server, other languages encourage it. For example befunge98 combined with Paradox makes sure the programmer is coding safe code. On top of that Paradox is speedy, stable product that is used by millions individuals and enterprises. For me that sure does tell about quality, and by looking at the companies using the PDP-11 I'm even happier to pick it as my platform. btw, I personally found their Paradox Baby Shit Orange cloud-based databases services absolutely stunning. They are highly scalable, ultra fast and automatically taken care of for you. As a hobbies useless pre loaded crapware developer it's performance I wouldn't have money to get elsewhere. And the sheer quality of the service is absolutely great.

or to put it another way, shit programmers write shit code, regardless of the tools they use. Begone to the special Hell they keep for corporate shills, you obvious shill.
oh and by the way, more people and companies using a product is more likely to mean there is a reality distortion field or illegal anti-competitive behaviour surrounding a product if the past 30 years is anything to go by. Shit for brains.

Re:Another report (1)

uberjack (1311219) | more than 3 years ago | (#35632804)

As AC below pointed out, bad code can be written in any language. I worked for a University of California campus, when UCLA got hacked a couple of years ago, due to a SQL injection attack. Their choice of platform? C#/MSSQL. Programmers on our own team (C#, MSSQL) wrote SQL injection-friendly code - I can't remember how many times I've caught unsanitized input being put into a SQL query without proper sanitization or "SqlParameter-ization" - people who wrote enterprise-level apps for years prior, and who should know better. PHP has mysql_real_escape_string, which sanitizes input. I've written my own Ruby-on-Rails-ish helper functions to sanitize input in a less hackish fashion in PHP. There's always a way. This type of shit will continue to happen until people realize that security in today's web development is as important (if not more so) than programming skill, and stop hiring dipshits without proper screening.

Re:Another report (0)

Anonymous Coward | more than 3 years ago | (#35632964)

As someone whose full time job is pure C#/MSSQL, and has a pretty favorable opinion of them, you need to be a little less obvious about the astroturfing. You can easily write crap SQL from C# to MSSQL (I've seen it, trust me), MSSQL is really not a high-end DB (Oracle remains the gold standard for scaling), and Azure is junk.

Re:Another report (5, Insightful)

PopeRatzo (965947) | more than 3 years ago | (#35632998)

Note the parent's comment.

Does anyone still want to challenge my assertion that Slashdot is under an ongoing escalated attack from organized astroturfers of the New Media Strategies and Reputation Defender variety? I'm betting the MS is using in-house talent for this purpose, but it's quite possible that they are using New Media Strategies or another such company to keep the activity at arm's length to provide deniability. I wouldn't be surprised if 100,000 or more of the accounts with UIDs over 1500000 belong to employees of these companies or departments. Slashdot is a good target for them because so many of us are in influential or decision-making positions at our companies or are opinion-drivers due to our reputation as "computer nerds". A Slashdot story with an energetic discussion which is negative on say, AT&T can have an out-sized influence on opinion regarding that company, due to both word of mouth and search engine results.

One only has to watch any story that is critical of a major US company to see this behavior, which usually shows up as ignorant "frosty piss" trolling followed by >2000000 UID comments (often densely written) followed by a string of sockpuppet "bumping". The tactic is to disrupt the discussion to the point where serious opinion is abandoned. It can work because many don't have JavaScript enabled so you can't even collapse the offending thread.

Re:Another report (1)

Anonymous Coward | more than 3 years ago | (#35633130)

The tactic is to disrupt the discussion to the point where serious opinion is abandoned. It can work because many don't have JavaScript enabled so you can't even collapse the offending thread.

It shows how broken the Slashdot discussion system is. Comments on the first 2 pages are read the most -- many more people stop reading halfway down. The majority of moderation points are spent on the top threads. Thus, by trolling at the top of the story, one can completely derail the following discussion.

In my opinion /. admins need to

  • make it impossible for 6mo old accounts to get first, second, or third post -- not even as a reply to the topmost posts
  • make it impossible for 6mo old accounts to receive moderation points
  • controversial: display the usernames who have moderated a post

Re:Another report (2, Insightful)

Anonymous Coward | more than 3 years ago | (#35633194)

Does anyone still want to challenge my assertion that Slashdot is under an ongoing escalated attack from organized astroturfers of the New Media Strategies and Reputation Defender variety?

I agree with you, but sometimes a nigger joke is just a nigger joke. I wrote a nigger joke in one story and it made first post. Then you went all ape-shit (pun intended) about how it's THEM!!!! conspiring to take over teh solar system or something ... that made my day dude. I think the neighbors could hear me laughing.

But yeah this troll can obvious tell that guy was a shill. A real obvious one. Anybody who isn't sure about that may be interested in buying some nice swampland in Florida. Maybe they'd like to also help a Nigerian prince move money out of his country.

Slashdot is a good target for them because so many of us are in influential or decision-making positions at our companies or are opinion-drivers due to our reputation as "computer nerds".

Most Slashdotters are familiar with the long history of Microsoft and its business practices. Some moron singing the praises of MSSQL isn't gonna erase that history. Even if MS made the indisputably best database in the entire world, and they don't, but even if they did I wouldn't use it. I would rather use the second-best and not have to deal with the devil. But then I have standards. A lot of you are mercenary types who don't give a damn and that's cool, just don't complain about how corrupt and fucked up most of the world is because you're the reason for it, the steady source of support for it.

Anyway Slashdot's gotta be one of the very worst places to try to make MS look good. The people who don't like MS got a long LONG list of damned good reasons for that. It is not something they flipped a coin to decide. It is the product of repeated examples of abuses and asshattery by this company over the last 10-15 years. Not something you can smarm your way out of. The PHBs who might be dumb enough to buy this shill's marketing don't usually read Slashdot.

The professional liars known as PR firms are only making sure that a foolish company with no scruples and its money are soon parted. Anybody who works for a PR company, really what the fuck is wrong with you? How does it feel knowing that you get your living by dishonesty and trickery?

Here's the paste. (0)

Anonymous Coward | more than 3 years ago | (#35632612)

http://pastebin.com/BayvYdcP

why is it ironic? (1, Interesting)

larry bagina (561269) | more than 3 years ago | (#35632624)

I would expect MySQL.com to be hacked with an SQL injection bug. They didn't support parameterized queries until version 5 or so and most mysql examples floating around on the 'net involve building your own query string from unchecked user parameters.

Re:why is it ironic? (2, Interesting)

Anonymous Coward | more than 3 years ago | (#35632802)

Perhaps you need a little refresher on irony.

Few but the most naive would expect the MySQL.com site to be written by newbies and rubes so unsophisticated as to depend on remedial examples of anything found "floating around the 'net". To the contrary, most people would expect MySQL.com to be maintained to somewhat high levels of security, in particular at the level of the database. This is the construction of the irony in this case.

"How ironic, now he's blind after a life of enjoying being able to see." -- Homer Simpson.

Re:why is it ironic? (0)

Anonymous Coward | more than 3 years ago | (#35633092)

Yeah, man. Before MySQL 5 introduced parameterized queries, absolutely no one could have come up with ways to sanitize inputs! That would just be absurd!

USE BIND VARIABLES (4, Interesting)

MoNsTeR (4403) | more than 3 years ago | (#35632638)

Jesus fuck, people. It's not rocket surgery.

If you use bind variables, you CANNOT be SQL-injected.

If you don't, you can be.

It's that fucking simple. Do The Right Thing.
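As an added example (not code from MoNsTeR, bondsbw or mysql.com), here is the rule above in Python, with the standard-library sqlite3 module standing in for MySQL and a constructed users table. The first function concatenates the name into the SQL text, the same mistake as the C# one-liner earlier in the thread; the second binds it. The blind extraction routine then shows what the summary's "blind SQL injection" means in practice: against the concatenating function it recovers a password from nothing but yes/no answers, and against the bound one it gets nothing. The SQLite functions unicode() and substr() in the payload are an assumption about the backend; MySQL spells them ord() and substring().

```python
import sqlite3

# Added example, not code from the thread or from mysql.com. SQLite stands in
# for MySQL; the table and rows below are constructed sample data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("sysadm", "qa"), ("alice", "s3cret")])
    return conn


def user_exists_vulnerable(conn, name):
    """String concatenation: attacker input becomes part of the SQL text."""
    sql = "SELECT 1 FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone() is not None


def user_exists_bound(conn, name):
    """Bind variable: the value travels separately from the statement and is
    only ever compared as a string, so it cannot change the query's shape."""
    sql = "SELECT 1 FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone() is not None


def blind_extract_password(oracle, conn, target, max_len=16):
    """Boolean-based blind injection against ``oracle``, a function that only
    answers True/False. Recovers ``target``'s password one character at a time
    by injecting a subquery whose truth depends on that character. The payload
    uses SQLite's unicode()/substr() (assumed backend); MySQL has ord()/substring()."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):  # printable ASCII
            payload = (
                "x' OR (SELECT unicode(substr(password, %d, 1)) FROM users "
                "WHERE name = '%s') = %d -- " % (pos, target, code)
            )
            if oracle(conn, payload):
                recovered += chr(code)
                break
        else:
            break  # no character matched at this position: end of password
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", repr(blind_extract_password(user_exists_vulnerable, db, "sysadm")))
    print("bound:       ", repr(blind_extract_password(user_exists_bound, db, "sysadm")))
```

The oracle only ever reports whether a row came back, which is exactly the situation a login form or "user exists" check gives an attacker; about 95 requests per character are enough to walk the whole column. The bound version is not "more careful" string handling, it is a different channel: the driver sends the statement and the value separately, so no value can terminate the quoted literal.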

Re:USE BIND VARIABLES (2)

SanityInAnarchy (655584) | more than 3 years ago | (#35632654)

Note that this doesn't mean you should assume you're safe just because you're using bind variables -- be aware of stuff like LIKE, for instance.

But yes, that is exactly the frustration I have when I hear about things like this. There's pretty much never a reason to build your own SQL string outside of a library.

Re:USE BIND VARIABLES (1)

vlm (69642) | more than 3 years ago | (#35632704)

Note that this doesn't mean you should assume you're safe just because you're using bind variables

For example, bind variables are a great way to store the wrong value in the wrong column. Admittedly I'd rather discover that bug in the unit tests on the dev server, than discover the injection on the production server, but I can nonetheless hear the siren call of doing it the wrong way...

Now what would be nice would be libraries for ALL languages that look like convenient, yet vulnerable, inline SQL but translate behind the scenes into bind variables.

Also fun, if the (numerous) lint-y / perltidy-y whatever apps would highlight or comment upon security problems like this in an automated manner.

Re:USE BIND VARIABLES (1)

smellotron (1039250) | more than 3 years ago | (#35633140)

There's pretty much never a reason to build your own SQL string outside of a library.

Not to negate your argument (with which I agree), I want to demonstrate a case where building your own SQL string makes sense. Suppose you want to perform a SELECT that matches a set rather than a given value:

SELECT make, model
FROM vehicle
WHERE vin IN ('1M8GDM9A_KP042788', '1M8GDM9A_KP042789');

The prepared statement is a function of the number of VINs in the set. Something like this python code:

VINs = ("1M8GDM9A_KP042788", "1M8GDM9A_KP042789")

# One %s placeholder per value: only the placeholder count is interpolated
# into the SQL text; the VINs themselves go to the driver as parameters.
SQL = """
SELECT make, model
FROM vehicle
WHERE vin IN (%s)
""" % ', '.join(["%s"] * len(VINs))

# dbconn: an open DB-API cursor/connection using the 'format' paramstyle (e.g. MySQLdb)
dbconn.execute(SQL, VINs)

The risk to manage here is the possibility of an overflow in the number of parameters. You might need to restrict the size of VINs before attempting to prepare the statement.
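As an added example, not the poster's code, here is the IN-list pattern above together with SanityInAnarchy's LIKE caveat from earlier in the thread, in Python with sqlite3 standing in for MySQL and a constructed vehicle table (the first two VINs are the ones from the post). MAX_IN_PARAMS is an assumed cap for the size check the post mentions, not a documented server limit. The LIKE case is the one people miss: binding the value stops injection, but '%' and '_' inside a bound value are still wildcards, so they have to be escaped and an ESCAPE clause declared.

```python
import sqlite3

# Added example, not code from the thread. SQLite stands in for MySQL; the
# vehicle rows are constructed sample data (the first two VINs come from the
# post above).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vehicle (vin TEXT PRIMARY KEY, make TEXT, model TEXT)")
    conn.executemany("INSERT INTO vehicle VALUES (?, ?, ?)", [
        ("1M8GDM9A_KP042788", "Ford", "Escort"),
        ("1M8GDM9A_KP042789", "Ford", "Fiesta"),
        ("WAUZZZ8K_9A000001", "Audi", "A4"),
    ])
    return conn


MAX_IN_PARAMS = 500  # assumed cap; the real limit is server- and driver-specific


def models_by_vins(conn, vins):
    """IN (...) with one placeholder per value. Only the *number* of
    placeholders is interpolated into the SQL text; every VIN is bound."""
    vins = list(vins)
    if not vins:
        return []
    if len(vins) > MAX_IN_PARAMS:
        raise ValueError("too many values for one IN list: %d" % len(vins))
    placeholders = ", ".join(["?"] * len(vins))
    sql = "SELECT make, model FROM vehicle WHERE vin IN (%s) ORDER BY vin" % placeholders
    return conn.execute(sql, vins).fetchall()


def models_by_vin_prefix_naive(conn, prefix):
    """Bound, so not injectable, but '%' and '_' inside ``prefix`` are still
    LIKE wildcards: a caller-supplied '%' matches every row."""
    sql = "SELECT make, model FROM vehicle WHERE vin LIKE ? ORDER BY vin"
    return conn.execute(sql, (prefix + "%",)).fetchall()


def like_escape(s, esc="\\"):
    """Escape LIKE metacharacters (and the escape char itself) so they match literally."""
    return (s.replace(esc, esc + esc)
             .replace("%", esc + "%")
             .replace("_", esc + "_"))


def models_by_vin_prefix(conn, prefix):
    """Same query with the bound value escaped and an explicit ESCAPE clause."""
    sql = "SELECT make, model FROM vehicle WHERE vin LIKE ? ESCAPE '\\' ORDER BY vin"
    return conn.execute(sql, (like_escape(prefix) + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(models_by_vins(db, ["1M8GDM9A_KP042788", "1M8GDM9A_KP042789"]))
    print("naive '%':  ", models_by_vin_prefix_naive(db, "%"))
    print("escaped '%':", models_by_vin_prefix(db, "%"))
```

Note that the VINs themselves contain an underscore, so even an honest prefix search on "1M8GDM9A_" behaves differently with and without escaping: the naive version treats that underscore as "any one character", the escaped one matches it literally. Escaping LIKE input is a separate step from parameter binding, not a substitute for it.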

Re:USE BIND VARIABLES (2, Funny)

Anonymous Coward | more than 3 years ago | (#35632672)

I just use something : addslashes(addslashes(addslashes(addslashes($str)))) ;
I like slashes ;-) ;

Re:USE BIND VARIABLES (4, Funny)

Dunbal (464142) | more than 3 years ago | (#35632748)

Jesus fuck, people. It's not rocket surgery.

Apparently it's brain science.

That's Not Ironic (0, Flamebait)

Doc Ruby (173196) | more than 3 years ago | (#35632676)

Merely related ideas are not "ironic". Ironic is when one's words say one thing and one's actions another that contradict it. If MySQL.com claimed SQL injections in MySQL were impossible, then this attack's success would be ironic. If MySQL.com attacked some DB with a SQL injection, that would be ironic. Not all coinciding events are "ironic".

Re:That's Not Ironic (4, Insightful)

6031769 (829845) | more than 3 years ago | (#35632760)

Ironic is when one's words say one thing and one's actions another that contradict it.

No, that's hypocrisy, not irony. Try again.

Re:That's Not Ironic (4, Funny)

LordLucless (582312) | more than 3 years ago | (#35633010)

Ironically, the OP correcting someone else for not using ironic correctly is both hypocritical and ironic.

Re:That's Not Ironic (4, Funny)

MarkRose (820682) | more than 3 years ago | (#35633026)

Screwing up irony is the only thing that unleashes the linguists with such ferrousity.

Re:That's Not Ironic (0)

Anonymous Coward | more than 3 years ago | (#35633090)

Are those... cunning linguists?

Re:That's Not Ironic (1)

pankajmay (1559865) | more than 3 years ago | (#35633110)

...unleashes the linguists with such ferrousity.

And of course spellings... try ferocity.

Re:That's Not Ironic (1)

realityimpaired (1668397) | more than 3 years ago | (#35633168)

hehe... wish I hadn't replied... that is a good one. :) mind if I... um... "borrow" it next chance I get?

Re:That's Not Ironic (2)

realityimpaired (1668397) | more than 3 years ago | (#35633136)

If we're going to get on a grammar nazi binge, then it's worth pointing out that one of the definitions of Irony is actually exactly what the GP described... (Merriam-Webster's exact words are "the use of words to express something other than and especially the opposite of their literal meaning".) He may not have expressed it properly, but I do think that was the meaning he was trying to get at.

Though interestingly enough, yet another definition of Irony is an incongruency between an expected result and an actual result... so in other words, MySQL's website being hacked with an SQL injection attack *is* ironic, because one would expect the makers of MySQL to have some idea of how to secure it properly. (it's not even that hard to lock down, which makes it even more humorous).

Though I must say... correcting somebody's already correct use of the word irony? Absolutely classic....

Re:That's Not Ironic (1)

atomicbutterfly (1979388) | more than 3 years ago | (#35633146)

Why is "irony" so damn hard to define? Or more accurately, to define in such a way that this confusion doesn't keep happening?

Re:That's Not Ironic (2)

NoOneInParticular (221808) | more than 3 years ago | (#35632784)

If a website gets hacked, it is sad. If the website in question is the home of one of the products that is commonly used by websites, it is already ironic. Apparently even the builders of this product don't know how to secure a website using their product.

Re:That's Not Ironic (1)

LordNacho (1909280) | more than 3 years ago | (#35633006)

Meh, security is a bit of a cross-cutting concern. People who are thinking about how to read/write rows of data quickly might not have given it much thought that their product can be abused in this way.

I will give you that an injection attack is a rather basic hack they should have thought about.

Re:That's Not Ironic (2)

Trebawa (1461025) | more than 3 years ago | (#35632790)

There are several definitions of irony, you know. One is an outcome of events contrary to that which might have been expected. You would expect a website concerning SQL to be well-protected against SQL-injection; in such a situation, an attack of this kind would not succeed. The attack did succeed, hence the irony.

Re:That's Not Ironic (3, Funny)

Anonymous Coward | more than 3 years ago | (#35632822)

You would expect a person correcting the summary's definition of irony to be aware that there are multiple definitions of irony. The grandparent was clearly ignorant of this fact, thus making the comment meta-ironic.

Yes it is (4, Informative)

pavon (30274) | more than 3 years ago | (#35632810)

Ironic is when one's words say one thing and one's actions another that contradict it.

No, that is hypocritical. Situational Irony is where the outcome has a humorous incongruity or discrepancy from what one would expect, or from what would normally be implied by the situation. The fact that the company which produces and sells MySQL wasn't using SQL correctly is indeed ironic.

Re:Yes it is (0)

Anonymous Coward | more than 3 years ago | (#35632886)

Maybe if it was the MySQL security / best practices page. Or the page of a company that specialized in MySQL security. The main site of the MySQL developers? A little short of irony in my opinion.

Re:Yes it is (2)

glwtta (532858) | more than 3 years ago | (#35632896)

The fact that the company which produces and sells MySQL wasn't using SQL correctly is indeed ironic.

Having used MySQL, I don't see anything unexpected here.

Re:Yes it is (1)

Ephemeriis (315124) | more than 3 years ago | (#35632904)

Situational Irony is where the outcome has a humorous incongruity or discrepancy from what one would expect, or from what would normally be implied by the situation.

I hate the whole "situational irony" thing... It's bullshit. Situational irony didn't exist until a crop of kids were poorly educated in what irony actually is, and then Alanis wrote her song, and everybody was running around calling everything ironic. It wasn't actually ironic in any way... But trying to correct everyone under the age of 20 in America is a losing battle... So they gave up and said "yeah... it's a different kind of irony..."

Yes, I know, language is a consensus. It grows and changes over the years. And whether I like it or not, "situational irony" now exists. But that doesn't change the fact that it's wrong.

Just like all those folks who call their computer the "modem" or "hard drive" are wrong.

Re:Yes it is (1)

DieByWire (744043) | more than 3 years ago | (#35632962)

Ironic is when one's words say one thing and one's actions another that contradict it.

No, that is hypocritical. Situational Irony is where the outcome has a humorous incongruity or discrepancy from what one would expect, or from what would normally be implied by the situation. The fact that the company which produces and sells MySQL wasn't using SQL correctly is indeed ironic.

Excuse me, is this the right room for an argument? [youtube.com]

Re:That's Not Ironic (1)

WrongSizeGlass (838941) | more than 3 years ago | (#35632826)

Merely related ideas are not "ironic". Ironic is when one's words say one thing and one's actions another that contradict it. If MySQL.com claimed SQL injections in MySQL were impossible, then this attack's success would be ironic. If MySQL.com attacked some DB with a SQL injection, that would be ironic. Not all coinciding events are "ironic".

So it would be ironic if MySQL.com was hit with an SQL injection if they were using MS SQL for their server DB?

Re:That's Not Ironic (1)

Troll-Under-D'Bridge (1782952) | more than 3 years ago | (#35632898)

Unlike the reserved words of a computer program, words in a natural language have a wide latitude of uses, from the strict to the colloquial. Here, I see the "irony" in how a site designed to promote some type of "SQL" turns out to suffer from an SQL flaw, in effect negating the product's virtues in the eyes of those who like to skim through IT news headlines. It's similar to the way you expect a dentist to have good teeth.

Ironic is when one's words say one thing and one's actions another that contradict it.

I think you're thinking of another word: hypocrisy, e.g., a politician who claims to stand for morality but goes out with a hooker.

Re:That's Not Ironic (1)

FunkyRider (1128099) | more than 3 years ago | (#35633036)

So, what's it like to be a virgin at your age?

Re:That's Not Ironic (1)

nmb3000 (741169) | more than 3 years ago | (#35633056)

Merely related ideas are not "ironic". Ironic is when one's words say one thing and one's actions another that contradict it.

Like rain on your wedding day?

Re:That's Not Ironic (4, Funny)

MarkRose (820682) | more than 3 years ago | (#35633084)

Like Oracle not seeing it coming?

Re:That's Not Ironic (1)

cforciea (1926392) | more than 3 years ago | (#35633186)

Really, the people that think it is cool to tell people that they are using "irony" incorrectly are more frequently wrong than the people they are trying to prove linguistically inferior. You should look into what situational irony [reference.com] is and why it has been used correctly in this situation.

HAHA (0)

Anonymous Coward | more than 3 years ago | (#35632684)

HAHA

Yo Dawg (5, Funny)

mrstrano (1381875) | more than 3 years ago | (#35632690)

I herd you like Sql, so we injected Sql in your Sql so you can have Sql while you code MySql

Re:Yo Dawg (1)

JAlexoi (1085785) | more than 3 years ago | (#35632872)

Should they change MySQL to PwnSQL?

Re:Yo Dawg (0)

Anonymous Coward | more than 3 years ago | (#35633120)

That's probably an Oracle trademark already. How about C&DSQL? That name would help the management to visualize the invincibility of their database solution of choice.

Re:Yo Dawg (4, Funny)

Sparks23 (412116) | more than 3 years ago | (#35633126)

Honestly, "YourSQL" seems more accurate than "MySQL" given that apparently even the developers can't keep control of their own database. ;P

Re:Yo Dawg (5, Funny)

MarkRose (820682) | more than 3 years ago | (#35633000)

An SQL statement walks into a bar and sees two tables and says, "Hello, may I join you?"

Re:Yo Dawg (0)

Anonymous Coward | more than 3 years ago | (#35633128)

An SQL statement walks into a bar and sees two tables and says, "Hello, may I join you?"

Was it an inner join ? Do you have pictures ?

Re:Yo Dawg (1)

smellotron (1039250) | more than 3 years ago | (#35633230)

One of the tables replies, "Naturally."

Re:Yo Dawg (1)

MarkRose (820682) | more than 3 years ago | (#35633256)

InnoDBody knows the injections I've seen,
InnoDBody knows my sort order
InnoDBody knows the injection I've seen
Shoulda used MyISAM!

Too funny (2)

danielcolchete (1088383) | more than 3 years ago | (#35632692)

After I finished visiting all the funny sites I usually go to daily, that title made me laugh much, much more than all of them.

This reminds me of the time... (1)

djpretzel (891427) | more than 3 years ago | (#35632718)

... our local file station burnt down.

Re:This reminds me of the time... (0)

Anonymous Coward | more than 3 years ago | (#35633016)

... our local file station burnt down.

you mean "fire station", i guess

The work of a lonely developer (4, Insightful)

danielcolchete (1088383) | more than 3 years ago | (#35632744)

Even inside a big team of a big company it is amazing how so many people are working by themselves. That's the kind of error that a simple code review by an experienced programmer would have avoided (use bind variables/prepared statements).

Re:The work of a lonely developer (1)

jd (1658) | more than 3 years ago | (#35632864)

Quite possibly on the lone programmer, almost certainly on the code review. The NSA has some nice whitepapers on how to prevent SQL injection attacks, though they could really be summarized as "follow parent post's advice".

Well ... (1)

lennier1 (264730) | more than 3 years ago | (#35632746)

Could've been worse. Imagine something like this had happened to Zend!

Too bad (1)

93 Escort Wagon (326346) | more than 3 years ago | (#35632786)

Too bad it's not "unbreakable" like Oracle's other database...

Re:Too bad (5, Insightful)

KiloByte (825081) | more than 3 years ago | (#35632954)

Let's think if Oracle has something to gain from intentionally tarnishing the reputation of a product they want to kill.

I'm not saying it's foul play for sure, just pointing out they do have an incentive to do so.

Re:Too bad (0)

Anonymous Coward | more than 3 years ago | (#35633052)

"Unbreakable" Oracle had bazillions of bugs that made it a security hazard, buffer overruns, default passwords, utilities with no passwords, privilege scale ups, etc. And Larry and the boys denied, denied, denied for years.

"Unrunnable" would have been a better slogan.

Re:Too bad (1)

93 Escort Wagon (326346) | more than 3 years ago | (#35633102)

Yeah, that's why I had it in quotes. I could've added a giant smilie or something, I guess...

Does xkcd explain it? (3, Funny)

Anonymous Coward | more than 3 years ago | (#35632854)

Like this [xkcd.com]?

Re:Does xkcd explain it? (3, Insightful)

Tridus (79566) | more than 3 years ago | (#35633074)

I have that comic taped to my door. Any programmer who walks by, reads it, and doesn't laugh is someone I watch VERY carefully when they write any code that touches a database.

What year is it? (1)

glwtta (532858) | more than 3 years ago | (#35632876)

SQL injection attacks? What, is it 1998 again all of a sudden?

Are there really still people out there mashing user input together into a string that they then feed to the database?

Why would you even do this - it's not easier, the performance is worse, and it certainly doesn't make for more readable code.

This level of ineptitude is just shocking.
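The two posts above (the "use bind variables/prepared statements" advice and the "mashing user input together into a string" complaint) describe the same defect and its fix. The following is an added illustration, not code from the thread or from MySQL.com: it builds a throwaway in-memory SQLite table with constructed rows and runs the same lookup both ways, so the difference between query text and bound data is visible. The table layout, user names and the hostile input are all made up for the demonstration.

```python
"""Added example: string-built SQL beside the parameterized form.

Uses Python's standard-library sqlite3 on an in-memory database, so it
runs offline. The users table and its rows are constructed sample data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The pattern the thread complains about: user input pasted into the SQL text.

    The input becomes part of the query grammar, so a quote character in it
    can rewrite the WHERE clause instead of being compared as a value.
    """
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Bind-variable / prepared-statement form: the driver sends the input as data.

    Whatever characters the value contains, it can only ever be compared
    against the username column; it cannot change the statement's structure.
    """
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed hostile input: the textbook tautology that turns the WHERE
# clause into "username = '' OR '1'='1'" when concatenated into the query.
TAUTOLOGY_INPUT = "' OR '1'='1"


def demo() -> dict:
    """Run both lookups with an honest name and with the hostile input."""
    conn = make_db()
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "alice"),
        "honest_parameterized": lookup_parameterized(conn, "alice"),
        # concatenation returns every row; the bound query matches nothing
        "hostile_vulnerable": lookup_vulnerable(conn, TAUTOLOGY_INPUT),
        "hostile_parameterized": lookup_parameterized(conn, TAUTOLOGY_INPUT),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

For an honest username both functions return the same single row; with the hostile input the concatenated query dumps the whole table while the parameterized one returns an empty result, because the quote characters never reach the SQL parser as syntax. The same principle applies to MySQL's prepared statements and to PHP's PDO bound parameters; sqlite3 is used here only because it needs no server.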

Re:What year is it? (1)

smellotron (1039250) | more than 3 years ago | (#35633250)

In related news, teenagers are still bad at driving! Won't they ever learn proper lane usage?

Even more concerning (1)

HuckleCom (690630) | more than 3 years ago | (#35632960)

So what they have a ton of usr@% grants on an open-to-the-world server? No vpn? jesus ....

planet hacked/hijacked; The Great Eagle has fallen (-1)

Anonymous Coward | more than 3 years ago | (#35633032)

"When David Hancock saw the bald-eagle count on the Chehalis River drop from more than 7,000 to fewer than 400 over a few days in December, he knew a crisis was coming.

Earlier this week, news reports that starving eagles were “falling out of the sky” in the Comox Valley, on Vancouver Island, confirmed his fears.

Wildlife rescue centres on the Island have reported birds growing so weak from hunger that they fall out of trees, or fly so clumsily they hit things. One crashed into a roof.

No sign could be more powerful and sure than the sudden demise of the great Eagle.

The great War will start soon after these prophesied events. Man is going to eat man. There will be so little food. People will look up and not know where the Sun rises or sets. The Tribes do not fully share their view of the future, they say there are no words to describe the horror and pain Man is going to cause himself.

Genetic cross breeding. The Tribes have legends for what will be Man’s greatest transgression. Man will not accept the judgment and will further seek the use of ‘black magic’ to prolong his miserable and tortured life. Man will breed with animals in attempt to make himself stronger and survive the poisoned world.

Demons will walk the world in form of flesh. They will use the black magic to enslave all people. Few will escape them. They have the power to steal souls. The tribes know of the coming joining of Church and Hell. When Man’s Belief and Black arts will become one.

Let it also be known that just as European religions spread their word to the tribes, that the Tribes also tried to share their knowledge of the future. The knowledge was so threatening that the ‘Church’ mounted an all out war of genocide and cultural extinction using Smallpox and Bubonic plague that killed over 50 Million people. The greatest Holocaust in the history of the World."

Ya, I like... (0)

Anonymous Coward | more than 3 years ago | (#35633234)

Chai Tea too.

Somewhere, over the rainbow...

--

Only Irony (0)

Anonymous Coward | more than 3 years ago | (#35633076)

If it was on the "Unbreakable Oracle" product.

Password hashing + salt? (1)

Coolhand2120 (1001761) | more than 3 years ago | (#35633080)

That simple passwords were revealed shows a lack of understanding or incompetence. The reason only "simple" passwords were revealed was from a poorly made SHA1 hashing function [wikipedia.org]. Yes this is pure conjecture, but it is the only scenario that fits the facts.

The hackers acquired the database with the hashed passwords. Then the hackers ran the password hashes against a rainbow table [wikipedia.org] which returned the matches for the simple passwords. Now the reason this is incompetence or ignorance is the simple inclusion of a half dozen or so special characters appended to the back of the password during the hash function would make these passwords unmatchable to all but the largest, slowest (super computer realm) rainbow tables. That's why the 'strong' passwords were not cracked.

To defeat all but the largest rainbow tables, everyone uses a method called SHA1+Salt [slashdot.org], not my idea but a damn good one. Using salt in your SHA1 hash function prevents this sort of thing from happening. Imagine how many other accounts on other systems are now compromised!

Now there is a chance that the salt string was compromised also, but that's probably not likely because the salt is not (in my experience) stored in the database. Allowing SQL injection on a damn SQL site is bad enough, but could reasonably be a single bad coder; having such poor security protocols is incompetence on a grand scale.

I'm just glad the amateur hour over at MySql.com doesn't have my l/p.
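The post above explains the mechanism: unsalted hashes of common passwords can be matched against a precomputed table, and a salt defeats that. The block below is an added illustration written for this page, not code from the thread or from MySQL.com. It hashes a few constructed user records with plain SHA1, reverses the weak ones through a small precomputed dictionary standing in for a rainbow table, then repeats the exercise with a per-user random salt. The user names, password list and salt sizes are all assumptions for the demonstration; the storage function at the end uses PBKDF2 (a slow, salted key-derivation function from the standard library), which is the general form of the salted-hash idea the post describes.

```python
"""Added example: unsalted SHA1 versus salted hashing against a precomputed table.

Standard library only (hashlib, hmac, os). All passwords and user records
are constructed sample data.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a precomputed (rainbow) table's plaintext inputs.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]


def sha1_unsalted(password: str) -> str:
    """Plain SHA1: the same password gives the same digest for every user and every site."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """SHA1 over salt + password: a different salt per user gives a different digest."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute digest -> plaintext once. A rainbow table is a space-saving form of this."""
    return {sha1_unsalted(p): p for p in candidates}


def reverse_with_table(stored: dict, table: dict) -> dict:
    """Return user -> recovered password for every stored digest found in the table."""
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def store_password(password: str, iterations: int = 100_000) -> tuple:
    """Per-user random salt plus PBKDF2-HMAC-SHA256. Returns (salt, digest) for storage."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes, iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest, expected)


def demo() -> dict:
    # Constructed records: two users share a weak password, one has a strong one.
    users = {"alice": "password", "bob": "password", "carol": "K9#vrL-unlisted-and-long"}
    table = build_lookup_table(COMMON_PASSWORDS)

    # Unsalted: alice and bob collide, and both fall to the table; carol's digest is not in it.
    unsalted = {u: sha1_unsalted(p) for u, p in users.items()}
    cracked_unsalted = reverse_with_table(unsalted, table)

    # Salted SHA1 with a fresh 16-byte salt per user: no collisions, no table hits,
    # because the table was built without knowing any of the salts.
    salts = {u: os.urandom(16) for u in users}
    salted = {u: sha1_salted(p, salts[u]) for u, p in users.items()}
    cracked_salted = reverse_with_table(salted, table)

    stored = store_password("password")
    return {
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],
        "cracked_unsalted": sorted(cracked_unsalted),
        "salted_collide": salted["alice"] == salted["bob"],
        "cracked_salted": sorted(cracked_salted),
        "verify_correct": verify_password("password", *stored),
        "verify_wrong": verify_password("passw0rd", *stored),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the run makes concrete: with unsalted SHA1 every user who picked "password" has an identical, instantly recognisable digest, so one table lookup reveals all of them at once; with a salt stored alongside each hash the same two users get unrelated digests and a table built in advance has nothing to match. Storing the salt next to the hash is the usual practice and does not weaken it, since the salt's job is to force per-user work rather than to stay secret; the slow iteration count in PBKDF2 is what then makes even targeted guessing expensive.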