Ruby On Rails SQL Injection Flaw Has Serious Real-Life Consequences

Unknown Lamer posted about a year and a half ago | from the should-have-used-cobol dept.

vikingpower writes "As a previous Slashdot story already reported, Ruby on Rails was recently reported to suffer from a major SQL injection flaw. This has prompted the Dutch government to take the one and only national site for citizens' digital identification offline (link in Dutch, Google translation to English). Here is the English-language placeholder page for the now-offline site. This means that 16 million Dutch citizens cannot authenticate themselves anymore with government instances, and that those same government instances cannot communicate anything to those same citizens anymore." Fixes were released, so it looks like it's on their sysadmin team now.

117 comments

LOL (1, Insightful)

Anonymous Coward | about a year and a half ago | (#42533351)

Should have used ASP.NET

Re:LOL (0)

Anonymous Coward | about a year and a half ago | (#42533805)

Why use ASP.NET when ASP Classic still exists! Heck, fire it up on NT 4 Server and you're set!

Re:LOL (0)

Anonymous Coward | about a year and a half ago | (#42533837)

Then you'd have to wait until Feb 1st to fix the problem. Or is ASP.NET the new bug-free version?

Re:LOL (2)

AlphaBro (2809233) | about a year and a half ago | (#42536113)

Laugh it up buddy, but LINQ to Entities largely eliminates SQL injection in ASP.NET web applications.

Re:LOL (0)

Anonymous Coward | about a year and a half ago | (#42536795)

Parameterized queries largely eliminate SQL injection in most web applications.

Re:LOL (1)

hackula (2596247) | about a year and a half ago | (#42537593)

I hate ASP.Net with a fiery passion (VS the RAM hog, leaky abstractions, encourages poor design, tries to be stateful, etc.), but LINQ using lambdas has to be one of the most productive features of any language. You have to be careful, since it can easily turn perl-esque, but it dominates with throw away scripts with crazy powerful one liners. It is the one thing I have missed since switching to rails a couple years ago.

Re:LOL (1)

AlphaBro (2809233) | about a year and a half ago | (#42537901)

Amen brother. My passion for LINQ runs deep.

Re:LOL (1)

aztracker1 (702135) | about a year and a half ago | (#42537877)

Agreed, but when there is a critical flaw in the underlying structure, it won't help much... in this case you need the encryption key for the application to manipulate the cookies in play. If you have access to the encryption key, then it's pretty much game over anyways, as you already likely have access to everything.

To the GP, in terms of Entity Framework, or any other ORM in modern web applications, you need to be diligent in what you transmit over the wire as any other system. I will usually create a new object to copy just what I need over in place... (View Models for MVC, and even in passing results for web services)... for my Node services backed by MongoDB, I have scrubbers that delete sensitive properties, and the _id (Mongo's identifier) field...

The suggestion of the GP to work around the issues of one framework's security by using an even more closed framework is naive at best. I like the .NET stack, even more with ASP.Net MVC, LINQ etc. But it isn't the end-all, be-all by a long shot. Every language/platform I've used has me longing at times for something else that does X, Y or Z easier/better.

Re:LOL (1)

AlphaBro (2809233) | about a year and a half ago | (#42537893)

Parameterized queries used correctly mitigate SQL injection, but guess what? It's surprisingly easy to use them wrong, resulting in a false sense of security and vulnerable code.

Re:LOL (1)

TechyImmigrant (175943) | about a year and a half ago | (#42543213)

Using a strongly typed language with a strongly typed database API, instead of that ugly hack called SQL will also mitigate SQL injections. Completely.

Re:LOL (1)

AlphaBro (2809233) | about a year and a half ago | (#42543261)

Like Entity Framework, which I mentioned in my previous post? And be careful of absolutes when you're talking about security. Out of necessity, most ORMs offer ways to execute queries constructed via string concatenation and thus SQL injection can still occur.

Rockstars wanted (0, Funny)

Anonymous Coward | about a year and a half ago | (#42533355)

That's all.

Overraction (2, Insightful)

mortonda (5175) | about a year and a half ago | (#42533383)

That's just silly, since the fix can be easily applied. It's really nothing compared to all the WordPress exploits out there that never get patched.

Re:Overraction (1)

Anonymous Coward | about a year and a half ago | (#42533461)

They don't know if the vulnerability has been used to break into the site, so maybe they are restoring from backups, or verifying the integrity of the system?

Re:Overraction (-1)

Anonymous Coward | about a year and a half ago | (#42533607)

They don't know if the vulnerability has been used to break into the site, so maybe they are restoring from backups, or verifying the integrity of the system?

maybe they hired a bunch of niggers for their IT department because affirmative action is so great! then they find out niggers can't work computers so maybe that's not so great.

Re:Overraction (-1)

Anonymous Coward | about a year and a half ago | (#42533661)

It's more likely than you think.

Re:Overraction (1)

Anonymous Coward | about a year and a half ago | (#42533495)

Maybe they have a very old version and too much customization and they couldn't just apply a patch just like that. Assuming that everybody updates the OSS stuff religiously is naive. They generally have no clue that they have to do this on an ONGOING basis.

Re:Overraction (1)

Aighearach (97333) | about a year and a half ago | (#42537483)

No, the attack isn't as bad as advertised: you have to know the "secret" key used for the cookie data, even after this bug. This bug makes it so that if you use a known "secret" key for the session data, for example the default key from an open source package, then the session cookie can be used for a SQL injection exploit. All the major Rails-based blog and ecommerce packages generate the key when you're installing. It is a standard step. And when you have a custom app, it is always generated and there is no default key.

So the threat of attack is from people who have access to the production server account; generally, the people who already can just open a SQL shell.

An important escalation to be aware of, but not a cause for alarm.

Re:Overraction (1)

coma_bug (830669) | about a year and a half ago | (#42538067)

you have to know the "secret" key used for the cookie data

That was last week. This time there are no conditions.

Re:Overraction (5, Interesting)

Serious Callers Only (1022605) | about a year and a half ago | (#42533509)

This one is quite a serious flaw, and the data this website in question deals with is very important data (citizen IDs), so I'm not surprised they're taking it seriously. The service being down for a day or two is probably better than millions of ids getting hacked. Perhaps the fix breaks something on their website, and they have to fix that before they can take it back up again? It has produced issues like this I think:

https://github.com/rails/rails/issues/8831 [github.com]

Most sites (like Slashdot) really don't matter if they are hacked and could just stay up, but something dealing with identity like this deserves special attention, and I'm sure they have good reasons if they have taken the site down while they look at workarounds. Perhaps it'll mean they get more money devoted to securing the site after this has blown over - time spent testing the site and looking at security is probably more important than the specific technology used (almost every major framework has regular security problems like this), contrary to the righteous flaming and trolling for asp.net/perl/php/other tech which is bound to erupt in the wake of your post.

Re:Overraction (1)

Gr8Apes (679165) | about a year and a half ago | (#42533713)

The best answer to this would be to not use a system that is known to not be secure to begin with. That's a massive failure on the developer's part.

Re:Overraction (1)

lysdexia (897) | about a year and a half ago | (#42533929)

http://harmful.cat-v.org/software/ruby/rails/is-a-ghetto [cat-v.org] I would have thought they'd gentrified by now.

Re:Overraction (0)

Anonymous Coward | about a year and a half ago | (#42534231)

I tried to read that blog, but whoever wrote it is definitely off their meds. Holy cow! Somebody should do a psych assessment on that guy before he hurts someone or himself.

Re:Overraction (1)

tarius8105 (683929) | about a year and a half ago | (#42535697)

Not to mention it's so outdated I wonder how much of it is still relevant 5 years later.

Re:Overraction (1)

Serious Callers Only (1022605) | about a year and a half ago | (#42533949)

Perhaps it'll mean they get more money devoted to securing the site after this has blown over - time spent testing the site and looking at security is probably more important than the specific technology used (almost every major framework has regular security problems like this), contrary to the righteous flaming and trolling for asp.net/perl/php/other tech which is bound to erupt in the wake of your post.

The best answer to this would be to not use a system that is known to not be secure to begin with. That's a massive failure on the developer's part.

QED

Re:Overraction (1)

Gr8Apes (679165) | about a year and a half ago | (#42541235)

Perhaps it'll mean they get more money devoted to securing the site after this has blown over - time spent testing the site and looking at security is probably more important than the specific technology used (almost every major framework has regular security problems like this), contrary to the righteous flaming and trolling for asp.net/perl/php/other tech which is bound to erupt in the wake of your post.

The best answer to this would be to not use a system that is known to not be secure to begin with. That's a massive failure on the developer's part.

QED

Perhaps, except for the fact that building your security out of what essentially is the equivalent of a rail fence to keep out a flood is doomed to fail. (See what I did there?) There are tools that can work for your stated purpose, and there are tools that are wholly unsuited to the intended application. RoR falls into the latter camp. Oh, and then there's the fact that I didn't talk about technology xyz, but the actual one selected, and limited my comments to facts regarding said technology. Most other technologies don't have this flaw as a core feature, you have to code it that way. So you might want to revisit your "QED".

Re:Overraction (2)

Charliemopps (1157495) | about a year and a half ago | (#42533983)

No, the best answer is to not number every citizen and have those numbers be so important that it could do so much damage. No system could ever be secure enough for what the Dutch are doing. This doesn't even get into the privacy concerns and the havoc that could happen should the wrong people get into office.

Re:Overraction (1)

Gr8Apes (679165) | about a year and a half ago | (#42541241)

You have already been numbered - courtesy of your DNA.

Re:Overraction (1)

mabhatter654 (561290) | about a year and a half ago | (#42536565)

Use an As400. Write your app in COBOL ... That ought to limit your hacker base to 40-70 year old males.

Re:Overraction (0)

Anonymous Coward | about a year and a half ago | (#42537493)

Nah, midrange is also for the younger ones...

Re:Overraction (5, Interesting)

slashdime (818069) | about a year and a half ago | (#42533543)

Really? The Dutch government does a decent job at being serious on maintaining security of their citizens' identification data and your first thought is to criticize them for overreacting? You've obviously never worked with sensitive data. Any decent admin's reaction should have been the same if it included the possible leak of sensitive data. This is an entire country's data. You have no idea what you're talking about and should just shut your pie hole.

Re:Overraction (0)

Anonymous Coward | about a year and a half ago | (#42533799)

I don't know why, but as I was reading your post... It was entirely in glen quagmire's voice. Interesting.

Re:Overraction (0)

Andy Prough (2730467) | about a year and a half ago | (#42534079)

For me, it was in Cleveland's voice. I also don't know why. I think it was because of the term "You've obviously never worked with sensitive data". But, when I get to the last line, "You have no idea what you're talking about and should just shut your pie hole" - that's definitely a Peter Griffin line right there. In fact, this is possibly a conversation between Cleveland, Peter and Quagmire, instead of just one speaker, like this:

Quagmire: "Really? The Dutch government does a decent job at being serious on maintaining security of their citizens' identification data and your first thought is to criticize them for overreacting?"

Cleveland: "You've obviously never worked with sensitive data."

Quagmire: "Any decent admin's reaction should have been the same if it included the possible leak of sensitive data. This is an entire country's data."

Peter: "You have no idea what you're talking about and should just shut your pie hole."

Re:Overraction (0)

Anonymous Coward | about a year and a half ago | (#42534475)

It works better coming from Stewie than Peter. :-)

Re:Overraction (-1, Offtopic)

Andy Prough (2730467) | about a year and a half ago | (#42535595)

Good point - that does look better. And I think maybe Peter with the third line, like this:

Quagmire: "Really? The Dutch government does a decent job at being serious on maintaining security of their citizens' identification data and your first thought is to criticize them for overreacting?"

Cleveland: "You've obviously never worked with sensitive data."

Peter: "Any decent admin's reaction should have been the same if it included the possible leak of sensitive data. This is an entire country's data."

Stewie: "You have no idea what you're talking about and should just shut your pie hole."

Re:Overraction (3, Insightful)

mcvos (645701) | about a year and a half ago | (#42533547)

A vulnerability in a blog is not quite the same thing as a vulnerability in a system used to submit tax returns.

Re:Overraction (1)

Floyd-ATC (2619991) | about a year and a half ago | (#42533595)

So you don't think it's a good idea to err on the side of caution if you're in charge of a government authentication service for umpteen million citizens and perhaps make sure the fix works as intended before deploying it?

Re:Overraction (1)

MakerDusk (2712435) | about a year and a half ago | (#42535953)

This type of update is always being released. If they updated regularly, it would not be such an issue. They didn't notice the security hole in the first place, so it's doubtful at best that they'd notice any more, let alone some created with a patch. This is most likely an example of set it up with a competent 3rd party, and then hire a clueless, but politically connected, head of IT. Yay for government jobs.

Re:Overraction (2)

LordThyGod (1465887) | about a year and a half ago | (#42533671)

Wrong (again!). What you meant to say was *WordPress plugins*, that are mostly abandoned open source projects. Your active support, participation, and superior intellect would surely be welcomed.

Re:Overraction (-1)

Anonymous Coward | about a year and a half ago | (#42533877)

Why would anyone with a superior intellect develop for a piece of shit pile of security holes like Wordpress?

Your turn, nigger.

Re:Overraction (0)

LordThyGod (1465887) | about a year and a half ago | (#42534487)

Why would anyone with a superior intellect develop for a piece of shit pile of security holes like Wordpress?

Your turn, nigger.

Why massa you don't have to develop for shit you don't like, you jus' have to tell us po' boys where the current security holes are. That's all. 2 minutes of your precious time, massa, is all we'uns ask. Your turn butthole.

Re:Overraction (1)

jeffmeden (135043) | about a year and a half ago | (#42533793)

That's just silly, since the fix can be easily applied. It's really nothing compared to all the WordPress exploits out there that never get patched.

And a lot of governmental operations rely on Wordpress, do they?

Re:Overraction (0)

Anonymous Coward | about a year and a half ago | (#42533897)

That's just silly, since the fix can be easily applied. It's really nothing compared to all the WordPress exploits out there that never get patched.

And a lot of governmental operations rely on Wordpress, do they?

I can't tell because their site is down [wordpress.gov] .

Re:Overraction (4, Insightful)

benjymouse (756774) | about a year and a half ago | (#42533903)

That's just silly, since the fix can be easily applied. It's really nothing compared to all the WordPress exploits out there that never get patched.

Really?

This is a system that controls access to virtually all of the government public sites. It deals with extremely sensitive data and I guarantee you that no single administrator is allowed to download a patch and just apply it.

It is not a hobbyist blogging site, it is a vital piece of a country infrastructure.

Any change will have to be reviewed, tested and verified, with full sign off, logging, documentation and procedural oversight. The SOP when integrity cannot be guaranteed *should* be to shut down until reliable assessment can be made.

Laughing My Ass Off (0)

Anonymous Coward | about a year and a half ago | (#42537591)

"vital piece of a country infrastructure."

And they use a framework which allows for SQL injections, it now transpires? A "dynamic" framework hacked together by hobo-programmers? Yeah, this was some kind of scheme by politicians to help their web-brogrammer friends into a nicely paying PORKBARREL CONTRACT.

If these politicos had been serious, they would have used the L4 kernel and a tried and tested Ada compiler for that purpose. They would have hired the people who secure Airbuses against crash-by-cyber-attack. But these are Software Engineers, not long-haired hippie Web-Brogrammers.

Re:Laughing My Ass Off (0)

Anonymous Coward | about a year and a half ago | (#42537633)

http://harmful.cat-v.org/software/ruby/rails/is-a-ghetto

Re:Overraction (-1)

Anonymous Coward | about a year and a half ago | (#42540233)

Any change will have to be reviewed, tested and verified, with full sign off, logging, documentation and procedural oversight. The SOP when integrity cannot be guaranteed *should* be to shut down until reliable assessment can be made.

Sounds great. So that's a total of:

  • 00:00:03 – three seconds to type '~> 3.2.11' into their gemfile,
  • 00:02:03 – two minutes to run 'bundle update' and get the new version installed,
  • 01:02:03 – an hour to run their automated unit, integration, and/or behavioral tests (which even on a big Rails app should be only a few minutes, but I'll give them an hour),
  • 04:02:03 – three hours to get the twenty-odd required signatures from management,
  • 04:07:03 – five minutes to deploy onto their staging stack,
  • 05:07:03 – another hour (hey, maybe they're moving slowly today) to run automated QA checks,
  • 05:22:03 – fifteen minutes for a developer to explicitly attempt to exploit the vulnerability and verify that it is now patched, and
  • 05:27:03 – five more minutes to deploy onto their production stack.

So even assuming that their unit tests are ludicrously slow and that they need three hours to place twenty phone calls, this should still be easily in a day's work for their development team.

If it's not, well... then you start to wonder if their development team has a clue what they're doing when it comes to maintaining and deploying large enterprise software.
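The first two steps of that timeline (pin the release in the Gemfile, run bundle update) as an added check that is not from the thread and not Rails or Bundler code: a Ruby snippet that reads the rails entry out of a Gemfile.lock and compares it against the '~> 3.2.11' requirement named above, using the Gem::Version and Gem::Requirement classes that ship with Ruby. The lockfile excerpt is constructed for the example; the 3.2 requirement is the only fix release this page names, so an app on another release branch needs that branch's fix release added to PATCHED_BRANCHES before the answer means anything.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Constructed Gemfile.lock excerpt for the example: an app still on 3.2.8.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.8)
        activemodel (= 3.2.8)
      activerecord (3.2.8)
        activemodel (= 3.2.8)
      rails (3.2.8)
        actionpack (= 3.2.8)
        activerecord (= 3.2.8)
        railties (= 3.2.8)
      railties (3.2.8)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (~> 3.2.8)
LOCK

# Fix releases to accept. Only the 3.2 line from the comment above is
# grounded in this page; other release branches need their own entry.
PATCHED_BRANCHES = ["~> 3.2.11"].map { |r| Gem::Requirement.new(r) }

# Resolved version of a gem. Top-level spec lines in a Gemfile.lock sit at
# exactly four spaces of indentation and dependency lines at six, so the
# pattern anchors on that and ignores "(= x.y.z)" / "(~> x.y)" constraints.
def locked_version(lockfile, gem_name)
  pattern = /\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/
  lockfile.each_line do |line|
    m = pattern.match(line)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# true when rails resolves to a patched release, false when it does not,
# nil when the lockfile has no rails entry at all (so "nil" is not "ok").
def rails_patched?(lockfile, branches = PATCHED_BRANCHES)
  version = locked_version(lockfile, "rails")
  return nil if version.nil?
  branches.any? { |req| req.satisfied_by?(version) }
end

if __FILE__ == $0
  v = locked_version(LOCKFILE, "rails")
  puts "rails #{v}: #{rails_patched?(LOCKFILE) ? 'patched' : 'NOT patched'}"
end
```

Run it against the real lockfile with `File.read("Gemfile.lock")` in place of LOCKFILE; a nil result means the app does not depend on the rails gem directly and the individual framework gems (activerecord and friends) have to be checked the same way.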

Re:Overraction (1)

nedlohs (1335013) | about a year and a half ago | (#42534017)

Silly???

It's exactly what they should do. Rather than crossing their fingers and leaving it open and exploitable they've shut it down until they fix it. Sure that inconveniences the users and makes IT look bad, but it's the only correct choice.

Wrong title (0)

Anonymous Coward | about a year and a half ago | (#42533443)

The serious flaw is not SQL Injection but remote code execution (CVE-2013-0156)

So? (1, Funny)

Big Hairy Ian (1155547) | about a year and a half ago | (#42533455)

16 million Dutch people can't authenticate? Smoke them if you've got them.

Horrors! (0)

Anonymous Coward | about a year and a half ago | (#42533515)

I too get mad when I can't authenticate myself with the government on a daily basis. I'm sure enraged citizens in Amsterdam and The Hague are burning copies of the pickaxe as we speak.

Re:Horrors! (0)

Anonymous Coward | about a year and a half ago | (#42533815)

Exactly my thoughts. What of value is being lost..?

TOO ROLLING STONED ARE THOSE DUTCH !! (-1)

Anonymous Coward | about a year and a half ago | (#42533577)

Dutch date !!
Dutch door !!
Dutch man !!
Dutch oven !!
Dutch dope !!

This is a different vulnerability (5, Informative)

bimozx (2689433) | about a year and a half ago | (#42533597)

This is a different security vulnerability that was brought to light a few days ago, which was given in full detail in this article: Finder method SQL Injection vulnerability [phusion.nl]. Any Rails version that was built in the last 6 years is affected by this. This is a serious security flaw; it is sternly advised that you update your application immediately if your Rails version is in the bucket. You can refer to this discussion [google.com] for more details.

LOL Rubyists (-1)

Anonymous Coward | about a year and a half ago | (#42533609)

Ruby and RoR. The fail whales of their genres.

Re:LOL Rubyists (1)

Anonymous Coward | about a year and a half ago | (#42533771)

eh, ruby is a decent enough language. No comment on the users or RoR except to say a certain segment of idiots jumped from PHP to Ruby and are now (hopefully) jumping over to node.js.

Ruby in Holland (0)

fartrader (323244) | about a year and a half ago | (#42533673)

You can't even say :dyke anymore, it's women_in_comfortable_shoes()

Real-Life Consequences?! (1)

FreonTrip (694097) | about a year and a half ago | (#42533679)

That's even beginning to sound like... Full Life Consequences! [youtube.com]

Cookie Cut this (-1)

Anonymous Coward | about a year and a half ago | (#42533737)

SQL injection in 2013? This is an even bigger joke than rails itself!

I've been saying it for years. (5, Interesting)

multicoregeneral (2618207) | about a year and a half ago | (#42534045)

And this, children, is why you actually need to know and understand SQL before you go off and start writing database applications, without depending on a "framework" to do it for you.

Re:I've been saying it for years. (1)

CastrTroy (595695) | about a year and a half ago | (#42534417)

You got marked as flamebait, but I have to agree. I find it amazing that this is even possible in something like Rails which is supposed to abstract away all the SQL for you. You'd think that they would only be using parameterized queries, and not doing stupid string concatenation when forming SQL statements. There's a lot of frameworks out there that try to abstract away the SQL. I really don't understand the need for such things. SQL is a pretty simple language (at least the part that most frameworks abstract away). There's no reason to hide something like this. I personally find it takes longer to develop, and you end up with much more unreadable code when you use these frameworks.

Re:I've been saying it for years. (5, Informative)

dam.capsule.org (183256) | about a year and a half ago | (#42534889)

It's a bit more complicated than a simple sql injection: see http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/ [phusion.nl]

Re:I've been saying it for years. (1)

coma_bug (830669) | about a year and a half ago | (#42540649)

That was last week. This time it's ARBITRARY CODE EXECUTION without conditions. Please try to keep up.

Re:I've been saying it for years. (2, Informative)

iluvcapra (782887) | about a year and a half ago | (#42534893)

You got marked as flamebait, but I have to agree. I find it amazing that this is even possible in something like RAILs which is supposed to abstract away all the SQL for you.

Note, all parameters from the user's POST or GET are sanitized when passed to the finder methods, but developer-only parameters to the methods in question are exploited by the attacker sticking data into the server's Session object for the request, or by fooling the server into decoding a submitted parameter as a Hash of Symbol => Object pairs, instead of String objects. This vector that's been described doesn't work unless the attacker has the HMAC that's signing the session cookie.

The object method in question accepts either a string or a Hash of Symbol => Object pairs, and in the second case allows specifying arbitrary SQL clauses -- these are available for efficiency reasons and the documentation's pretty clear that these aren't sanitized, because they can't be. The problem for the attacker is somehow getting a user-created Hash, with Symbol keys, into the application, which is impossible through GET or POST parameters; the only way people have managed to do it is through forging a Session, which requires having the application's session shared secret.
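The String-versus-Hash dispatch iluvcapra describes, together with AlphaBro's point further up that ORMs still expose a raw-SQL path, as an added example that is not code from Rails or from anyone in this thread. ToyFinder, its users table, the quote helper and the three constructed inputs are all assumptions of the example; it only builds SQL text and never talks to a database, so what it shows is the statement each argument shape produces: a String is quoted, a string-keyed Hash (the shape a query string decodes to) is treated as a value, and only a Symbol-keyed Hash reaches the branch that splices SQL fragments in verbatim.

```ruby
# Added example, not Rails code: a toy dynamic finder with the same
# two-shape interface described in the thread. It builds SQL text only.
module ToyFinder
  TABLE = "users" # assumed table name for the example

  # Safe path for scalar values: render as a SQL string literal with
  # embedded single quotes doubled.
  def self.quote(value)
    "'" + value.to_s.gsub("'", "''") + "'"
  end

  # A non-empty Hash whose keys are all Symbols is an options hash; its
  # :select / :conditions entries are SQL fragments and cannot be quoted.
  def self.options_hash?(arg)
    arg.is_a?(Hash) && !arg.empty? && arg.keys.all? { |k| k.is_a?(Symbol) }
  end

  def self.find_by_id(arg)
    if options_hash?(arg)
      select = arg.fetch(:select, "*")
      where  = arg.fetch(:conditions, "1=1")
      "SELECT #{select} FROM #{TABLE} WHERE #{where} LIMIT 1"
    else
      # String-keyed hashes (what query-string params decode to) fall
      # through here and are quoted as a value; assumption of the toy.
      "SELECT * FROM #{TABLE} WHERE id = #{quote(arg)} LIMIT 1"
    end
  end
end

# Deliberately vulnerable counterpart for the string-concatenation point:
# the same lookup with the value interpolated raw.
def find_by_id_concat(value)
  "SELECT * FROM #{ToyFinder::TABLE} WHERE id = '#{value}' LIMIT 1"
end

# Constructed inputs for the example.
PAYLOAD_STRING = "1' OR '1'='1"                # classic payload, arrives as a String
PARAMS_HASH    = { "select" => "password" }    # string keys: what ?id[select]=password decodes to
FORGED_HASH    = { select: "password", conditions: "admin = 1" } # symbol keys: forged session or deserialized data

# The subset of inputs that reach the raw-SQL branch.
def injectable_inputs(inputs)
  inputs.select { |i| ToyFinder.options_hash?(i) }
end

if __FILE__ == $0
  [PAYLOAD_STRING, PARAMS_HASH, FORGED_HASH].each do |input|
    puts "#{input.inspect}\n  finder: #{ToyFinder.find_by_id(input)}"
  end
  puts "concat: #{find_by_id_concat(PAYLOAD_STRING)}"
end
```

The quoted String is harmless and the concatenated one is the textbook injection; the symbol-keyed Hash never needed a quote to bypass, because that branch is documented to take SQL. The practical check is therefore on the caller: never hand a finder anything an attacker could turn into a Symbol-keyed Hash, which is exactly the session and deserialization vectors the comments above describe.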

And That Means It Is Ruby On Muppets (0)

Anonymous Coward | about a year and a half ago | (#42537861)

The suuuper-dynamic web-brogrammer hippies apparently discover in the year 2013 what the consequences of "non-existent random initialization of cryptographic keys and generators" are. I guess they are all social science majors and have never ever thought about the concept of randomness. After all, "society is a system with well-defined rules". The world is deterministic and randomness does not exist. I am sure their socialworker-in-chief hashes "decides" on their random numbers.

Re:And That Means It Is Ruby On Muppets (0)

Anonymous Coward | about a year and a half ago | (#42537887)

Hint to brogrammers: /dev/random

Re:I've been saying it for years. (3, Insightful)

coma_bug (830669) | about a year and a half ago | (#42541495)

This vector that's been described doesn't work unless the attacker has the HMAC that's signing the session cookie.

That was last week. This time attackers can bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack [google.com] . Please try to keep up.

Re:I've been saying it for years. (0)

Anonymous Coward | about a year and a half ago | (#42534999)

I think you must have been using some really lousy frameworks if the SQL abstraction lead to unreadable code (I've only tried Django).

Re:I've been saying it for years. (1)

cout (4249) | about a year and a half ago | (#42534859)

I think your position is a reasonable one.

However, it's not particularly relevant to the security hole. The bug has to do with deserialization of parameters rather than SQL specifically; the SQL injection exploit is but one possible exploit of the bug.

Moreover it's not inconceivable (likely, in fact) that other bugs of the same class exist in projects other than rails. Avoiding Rails altogether doesn't protect you from this class of bug.
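cout's point that the bug is about deserializing parameters, and the "remote code execution (CVE-2013-0156)" note earlier in the thread, as an added example that is not from the thread and not Rails code: Ruby's own YAML loader, fed attacker-shaped text, hands back whatever the document asks for, including an instance of an application class it was never meant to construct and a Hash keyed by Symbols of the kind the finder discussion above turns on. The Invoice class and the three payload strings are constructed for the example; the safe variant uses Psych's safe_load, which refuses both of the hostile documents and accepts only plain data.

```ruby
require "yaml"

# Added example, not Rails code. An application class the request parser
# was never meant to instantiate; constructed for the example.
class Invoice
  attr_reader :amount, :paid
end

# Constructed attacker-shaped documents (not taken from any advisory).
OBJECT_PAYLOAD     = "--- !ruby/object:Invoice\namount: 0\npaid: true\n"
SYMBOL_KEY_PAYLOAD = "---\n:select: password\n:conditions: admin = 1\n"
PLAIN_PAYLOAD      = "---\nid: '42'\n"

# The permissive loader: resolves !ruby/object tags and turns ':name'
# scalars into Symbols. Psych 4 renamed it unsafe_load and made load
# safe, so use whichever this Ruby provides.
def deserialize_unsafely(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# The restrictive loader: plain scalars, arrays and hashes only. Returns
# [:ok, value] or [:rejected, message] so the caller sees why it refused.
def deserialize_safely(text)
  [:ok, YAML.safe_load(text)]
rescue Psych::Exception => e
  [:rejected, e.message]
end

# Summarise what an input turned into, for the demo and the checks.
def describe(value)
  case value
  when Hash
    value.keys.all? { |k| k.is_a?(Symbol) } ? :symbol_keyed_hash : :string_keyed_hash
  when Invoice
    :invoice_object
  else
    :other
  end
end

if __FILE__ == $0
  [OBJECT_PAYLOAD, SYMBOL_KEY_PAYLOAD, PLAIN_PAYLOAD].each do |doc|
    puts "unsafe: #{describe(deserialize_unsafely(doc))}  safe: #{deserialize_safely(doc).first}"
  end
end
```

The unsafe path alone is why a parameter parser that accepts serialized input becomes more than a SQL problem: the same document that yields a Symbol-keyed Hash for a finder can yield any object whose class is loaded, and from there the damage depends on what those classes do when instantiated or inspected, not on any query.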

They Are Clueless (0)

Anonymous Coward | about a year and a half ago | (#42537945)

It actually is a cryptographic issue, but in their "dynamic web shallowness" there exist only "SQL Injections". These are all muppets without a computer science education. That is the core of the problem. Stay away from them at all cost.

Here's a nickel and a proper programming language, boy: http://lazarus.freepascal.org/

Re:I've been saying it for years. (1)

MillerHighLife21 (876240) | about a year and a half ago | (#42535205)

Totally agree with you. I was a long time Java, PHP developer and learned Rails to take over a project from a big firm in Atlanta. The level of BS these guys spew is insane. They chose Postgres as the database simply because its what Heroku says to do. I love Postgres, but if you are a major shop doing an application rewrite and not one person can articulate a reason for why you chose the backbone tech for the site...that is not good.

They cared more about the code being "beautiful" than making sure it was functional, stable, efficient, and handled errors. To their credit they were big on writing unit tests and documenting things, but the level of inexperience that shows through from being framework dependent for so long is astounding.

Re:I've been saying it for years. (0)

Anonymous Coward | about a year and a half ago | (#42536769)

What "guys"?

And why does one need to explain the choice of PostgreSQL?

Re:I've been saying it for years. (1)

MillerHighLife21 (876240) | about a year and a half ago | (#42537991)

As stated, I love Postgres and there's many reasons to select it as a database. Nobody in charge of selecting it knew any of those reasons, which was shocking.

It is a solid solution for this, but the level of inefficiency in the code this particular crew was putting out was appalling.

Just a couple of "off the top of my head" examples:

There was a user dashboard system that showed users a list of buying, bought, sold, selling, and expired listings. Rather than figure out what constituted any of these relationships existing and storing it somewhere, each was figured out on the fly through a series of model relationships that checked against when they started, if any offers had been accepted, etc. So when listing things out they were retrieving all of this data (some long time users have as many as 18,000 listings), using ruby to go through and figure out whether it constituted sold/selling/buying/bought, which in and of itself was triggering hundreds of one-off queries behind the scenes to get the data from adjoining tables. All of that data, once aggregated into a RUNNING WEB PROCESS, was then sorted in an array in the web process. In many cases this crashed the server or put us so far over our RAM limits that we started using swap.

We started running into duplicate listing URLs because they were depending on the uniqueness check in a ruby model, not even one they wrote btw, one from a gem. At some point the gem was updated and redeployed with instructions to add a unique check to the field on the database. A) That should have been done in the first place because otherwise you're open to a race condition and B) since the gem update couldn't automatically do it and people don't generally read the change log when they pull updates for all of these gems, we were left with duplicate URLs all over the place.

The stuff I just described happens when you have people writing code for a database that have no knowledge of what a database is doing, how it works, etc. It's just amateurish and those are only a couple of examples of the stuff I've been cleaning up in this code base since I took over the project.

Regarding who they are, I'm not going to name them in a public forum. We don't work with them anymore. It's just like any other contract programming firm (I used to own one), the people at the top who started the company usually know what they're doing very well - that's why they started the company. Vouching for everybody else you hire to take on projects is a much harder task. 4 of their programmers worked on this project, 2 of their top guys and 2 other guys. The top guys did a great job. I've only found a couple of minor detail issues with the work from them. The other 2 guys' work was so shoddy it nearly killed the company I work for.

The root of the problem is this: The company is an agile shop and has a development process that works very smoothly for from-scratch projects where you can correct scaling issues as the site traffic grows. It's an utter disaster of a process for rebuilding a system that is already a high traffic site and is effectively "at scale" when launched.
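The duplicate-URL problem described in the post above (a uniqueness check that lives only in the model, no unique index in the database) can be reproduced in a few lines. The following is an added example, not code from the thread or from the project being discussed; it uses Python's standard-library sqlite3 driver as a stand-in for the Rails/ActiveRecord code, and the table and column names (`listings`, `url_slug`) are made up for the demonstration. It interleaves two "requests" the worst possible way, so both run the validation SELECT before either runs its INSERT, and shows what happens with and without a database-level UNIQUE index:

```python
"""Added example: why an application-level uniqueness check is racy and why
the database needs its own UNIQUE constraint. Uses stdlib sqlite3 in memory;
schema and names are constructed for the example, not taken from any project."""
import sqlite3


def make_db(with_unique_index: bool) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE listings (id INTEGER PRIMARY KEY, url_slug TEXT NOT NULL)"
    )
    if with_unique_index:
        # The database-level guarantee the gem's changelog told people to add.
        conn.execute("CREATE UNIQUE INDEX idx_listings_url_slug ON listings (url_slug)")
    return conn


def app_level_slug_is_free(conn: sqlite3.Connection, slug: str) -> bool:
    # What a model-level uniqueness validation boils down to: a SELECT that
    # runs before the INSERT, with nothing stopping another request from
    # running the same SELECT in between.
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM listings WHERE url_slug = ?", (slug,)
    ).fetchone()
    return count == 0


def insert_listing(conn: sqlite3.Connection, slug: str) -> bool:
    """Return True if the row was inserted, False if the database refused it."""
    try:
        conn.execute("INSERT INTO listings (url_slug) VALUES (?)", (slug,))
        return True
    except sqlite3.IntegrityError:
        # Only reachable when the UNIQUE index exists: the second writer loses.
        return False


def interleaved_requests(with_unique_index: bool):
    """Two requests creating the same slug, interleaved so that both pass the
    application-level check before either inserts."""
    conn = make_db(with_unique_index)
    slug = "vintage-lamp"  # constructed sample value
    check_a = app_level_slug_is_free(conn, slug)
    check_b = app_level_slug_is_free(conn, slug)
    outcomes = []
    if check_a:
        outcomes.append(insert_listing(conn, slug))
    if check_b:
        outcomes.append(insert_listing(conn, slug))
    (rows_with_slug,) = conn.execute(
        "SELECT COUNT(*) FROM listings WHERE url_slug = ?", (slug,)
    ).fetchone()
    return outcomes, rows_with_slug


def find_duplicate_slugs(conn: sqlite3.Connection):
    """The cleanup query you need before a UNIQUE index can be added to a table
    that already contains duplicates."""
    return conn.execute(
        "SELECT url_slug, COUNT(*) FROM listings "
        "GROUP BY url_slug HAVING COUNT(*) > 1 ORDER BY url_slug"
    ).fetchall()


if __name__ == "__main__":
    print("model check only:", interleaved_requests(False))  # ([True, True], 2)
    print("with UNIQUE index:", interleaved_requests(True))  # ([True, False], 1)
```

Without the index both inserts succeed and the table holds two rows with the same slug; with it, the second insert raises `IntegrityError` and the application can turn that into a "slug already taken" response. The `find_duplicate_slugs` query is the first step of the cleanup the poster describes, since a UNIQUE index cannot be created while duplicates remain.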

Re:I've been saying it for years. (0)

Anonymous Coward | about a year and a half ago | (#42538359)

So if the leaders could not vet and/or train their underlings, they are even bigger muppets. Can we call it "Muppets On Rails" ?

As I said, real work is done with Cobol.

Re:I've been saying it for years. (0)

Anonymous Coward | about a year and a half ago | (#42538021)

The guys who need an insanely complex, dynamic, brittle crapola to write SQL for them. Because they haven't grasped relational theory.

Re:I've been saying it for years. (1)

colinrichardday (768814) | about a year and a half ago | (#42536975)

What would you use instead of Postgres?

Re:I've been saying it for years. (0)

Anonymous Coward | about a year and a half ago | (#42537353)

One of the many alternative databases out there, perhaps?

It doesn't matter which. His point was that nobody knew why it was chosen. If I were asked about any of the technologies that are used in my place, I should at least be able to unearth an email where someone had put up the pros and cons of some options - and I would be embarrassed if I couldn't.

Re:I've been saying it for years. (1)

colinrichardday (768814) | about a year and a half ago | (#42537963)

Ok, I'd say that I wanted a cheap, reliable database, and I didn't want MySQL. The person being asked couldn't say that?

Real Software Engineers (0)

Anonymous Coward | about a year and a half ago | (#42537983)

...code in Cobol and S/360 assembly. That Ruby thing is for the hobos to put a thin layer of crap in front of the well-paid pros and their mainframes.

Re:Real Software Engineers (1)

MillerHighLife21 (876240) | about a year and a half ago | (#42538165)

There's nothing wrong with Ruby. I love Ruby. For production deployments I'm also finding that jRuby fixes the bulk of Ruby's issues under load.

The problem is the dependency on Active Record without the slightest understanding of how the database behind it works, focussing on writing all of your code in Ruby and not taking the slightest advantage of letting your database do what it's specifically BUILT to do. If you wanted to, say, get 20,000 of 500,000 records from a database in a certain order, would you pull all of them into Ruby just so you could use an array sort function on them, or would you sort and filter them at the database level? You'd filter them at the database level. The people I'm referring to would go the other route.

The search results page of this site used to run 2,000 queries to show 100 results. That's not hobos, that's morons.
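Both the dashboard story earlier in this thread (status computed per listing with one-off queries, then sorted in the web process) and the sort-and-filter question in the post above come down to the same thing: where the work happens. The block below is an added example, not code from the thread or from the site being discussed. It uses Python's standard-library sqlite3 driver in place of ActiveRecord, with a constructed `listings`/`offers` schema and a made-up status rule (an accepted offer means "sold", a past end time means "expired", otherwise "selling"). It implements the dashboard page both ways and counts the SQL statements each one sends, using the driver's `set_trace_callback`:

```python
"""Added example: N+1 queries plus in-process sorting versus one query that
filters, sorts and limits in the database. Schema, data and the status rule are
constructed for the example and do not come from any real project."""
import sqlite3

NOW = 1000  # constructed "current time", kept as a plain integer


def build_db(n_listings: int = 200) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, ends_at INTEGER);
        CREATE TABLE offers (id INTEGER PRIMARY KEY, listing_id INTEGER, accepted INTEGER);
        """
    )
    for i in range(1, n_listings + 1):
        conn.execute(
            "INSERT INTO listings VALUES (?, ?, ?)", (i, f"item-{i}", NOW + (i % 7) - 3)
        )
        if i % 5 == 0:  # every fifth listing has an accepted offer -> "sold"
            conn.execute("INSERT INTO offers (listing_id, accepted) VALUES (?, 1)", (i,))
        if i % 3 == 0:  # some listings also have rejected offers (noise)
            conn.execute("INSERT INTO offers (listing_id, accepted) VALUES (?, 0)", (i,))
    conn.commit()
    return conn


class StatementCounter:
    """Counts every SQL statement the connection executes while attached."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn, self.count = conn, 0

    def __enter__(self):
        self.conn.set_trace_callback(self._bump)
        return self

    def __exit__(self, *exc):
        self.conn.set_trace_callback(None)

    def _bump(self, _statement: str) -> None:
        self.count += 1


def dashboard_naive(conn, status: str, page_size: int):
    """Load every listing, ask the database about each one, classify and sort
    in the application: 1 + N statements, all rows in memory."""
    with StatementCounter(conn) as counter:
        rows = conn.execute("SELECT id, title, ends_at FROM listings").fetchall()
        selected = []
        for lid, title, ends_at in rows:
            (accepted,) = conn.execute(
                "SELECT COUNT(*) FROM offers WHERE listing_id = ? AND accepted = 1", (lid,)
            ).fetchone()
            if accepted:
                s = "sold"
            elif ends_at < NOW:
                s = "expired"
            else:
                s = "selling"
            if s == status:
                selected.append((lid, title, ends_at))
        selected.sort(key=lambda r: r[2])  # stable sort keeps id order within ties
        return selected[:page_size], counter.count


DASHBOARD_SQL = """
SELECT id, title, ends_at FROM (
    SELECT l.id, l.title, l.ends_at,
           CASE WHEN EXISTS (SELECT 1 FROM offers o
                             WHERE o.listing_id = l.id AND o.accepted = 1) THEN 'sold'
                WHEN l.ends_at < ? THEN 'expired'
                ELSE 'selling' END AS status
    FROM listings l
)
WHERE status = ?
ORDER BY ends_at, id
LIMIT ?
"""


def dashboard_in_db(conn, status: str, page_size: int):
    """Same result computed by the database: one statement, one page of rows."""
    with StatementCounter(conn) as counter:
        rows = conn.execute(DASHBOARD_SQL, (NOW, status, page_size)).fetchall()
        return rows, counter.count


def compare(status: str = "selling", page_size: int = 20):
    """Returns (results identical?, statements for naive, statements for in-db)."""
    conn = build_db()
    naive_rows, naive_count = dashboard_naive(conn, status, page_size)
    db_rows, db_count = dashboard_in_db(conn, status, page_size)
    return naive_rows == db_rows, naive_count, db_count


if __name__ == "__main__":
    print(compare())  # (True, 201, 1)
```

With 200 constructed listings the naive path sends 201 statements and sorts the whole table in the process; the database version sends one and returns only the requested page. The ratio grows linearly with the number of listings, which is exactly the "2,000 queries for 100 results" shape the poster describes.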

Re:I've been saying it for years. (0)

Anonymous Coward | about a year and a half ago | (#42535285)

Or maybe we shouldn't be sending string literal text queries to a database server. This isn't the 1970s anymore and yet we keep doing these braindead things. SQL injection shouldn't even be possible.

Re:I've been saying it for years. (2)

shutdown -p now (807394) | about a year and a half ago | (#42535789)

There's nothing wrong with using a framework that does normal escaping (or, better yet, just uses parametrized queries consistently). The problem in this case is that Rails is too magical for its own good. So I would amend that to "don't use magical frameworks that claim to do everything without you doing nothing".
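The distinction drawn in the two posts above, a query assembled as string-literal text versus one sent with parameters, is easy to show side by side. The block below is an added example and not code from the thread; it uses Python's standard-library sqlite3 driver with a constructed `users` table. The unsafe function pastes the caller's value into the SQL text, the safe one keeps the SQL fixed and hands the value to the driver, and the demo runs both on an ordinary username, on a legitimate name containing an apostrophe, and on an input that carries SQL syntax:

```python
"""Added example: string-literal query versus parametrized query, on the same
input. Table contents are constructed for the demonstration."""
import sqlite3


def make_users_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany(
        "INSERT INTO users (username) VALUES (?)",
        [("alice",), ("bob",), ("o'neil",)],  # constructed sample rows
    )
    return conn


def find_by_username_unsafe(conn: sqlite3.Connection, username: str):
    # The value becomes part of the SQL text: the database parses it as SQL.
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY id"
    return [row[0] for row in conn.execute(sql).fetchall()]


def find_by_username_safe(conn: sqlite3.Connection, username: str):
    # The SQL text never changes; the value travels as a bound parameter and
    # is compared as data, whatever characters it contains.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,)).fetchall()]


def unsafe_breaks_on_apostrophe() -> bool:
    """A legitimate value with a quote already shows the problem: the
    string-literal query is no longer valid SQL."""
    conn = make_users_db()
    try:
        find_by_username_unsafe(conn, "o'neil")
    except sqlite3.OperationalError:
        return True
    return False


def demo() -> dict:
    conn = make_users_db()
    crafted = "nobody' OR 'a'='a"  # input carrying SQL syntax, constructed
    return {
        "unsafe_plain": find_by_username_unsafe(conn, "alice"),
        "unsafe_crafted": find_by_username_unsafe(conn, crafted),
        "safe_plain": find_by_username_safe(conn, "alice"),
        "safe_apostrophe": find_by_username_safe(conn, "o'neil"),
        "safe_crafted": find_by_username_safe(conn, crafted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {result}")
    print("unsafe query breaks on o'neil:", unsafe_breaks_on_apostrophe())
```

The parametrized version returns exactly the row whose username equals the input (including `o'neil`) and nothing for the crafted string; the string-literal version returns every row for the crafted string and cannot even handle a real apostrophe. That is the practical content of "use parametrized queries consistently": the fix is not smarter escaping but never letting data reach the SQL parser at all.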

Re:I've been saying it for years. (1)

TechyImmigrant (175943) | about a year and a half ago | (#42543249)

And this, children, is why you actually need to know and understand SQL before you go off and start writing database applications, without depending on a "framework" to do it for you.

To know and understand SQL is to know and understand that it is a steaming pile and other interfaces should be used.

WHAT THE FUCK IS WRONG WITH THE MODERN WORLD? (0)

Anonymous Coward | about a year and a half ago | (#42534111)

Why is stuff like this even being made available using some generic framework built by a bunch of students?

How the hell can something be designed so badly that it is possible to have a database injection vulnerability? What kind of broken isolation of layers allows that to happen?

This is what happens when you privatise government.

Re:WHAT THE FUCK IS WRONG WITH THE MODERN WORLD? (5, Insightful)

seebs (15766) | about a year and a half ago | (#42534439)

You know, it's pretty obvious that you're trolling, but there's a real question here:

Why would we use frameworks, given that they have security bugs coming up all the time?

Answer: Because code people write themselves isn't any less buggy, and with a framework, at least you have other people looking for bugs too.

Re:WHAT THE FUCK IS WRONG WITH THE MODERN WORLD? (1)

greg_barton (5551) | about a year and a half ago | (#42534969)

seeeeeeeeeebs! Wish I had a mod point for you. :)

Ruby on Fails (1)

thetoadwarrior (1268702) | about a year and a half ago | (#42534339)

Rails is a vulnerability. Using it is like using PHP so don't count on security.

Not obvious what is actually at issue. (1)

seebs (15766) | about a year and a half ago | (#42534429)

Down for upgrades? Down for an evaluation of whether upgrades are needed? Down for code fixes? Down because they need to evaluate what happened after confirming attack happened?

The actual vulnerability was not automatically present; it's easy to use Rails and not have this vulnerability affect you, because while the vulnerability is nominally in the code base, there are no paths to trigger it without specific code -- so either you'd have to use a specific third-party library, or write your own code which does the same things. So it might well be that the site is not actually vulnerable -- and they're just being cautious.

Which I don't think is overreacting.

Re:Not obvious what is actually at issue. (1)

MakerDusk (2712435) | about a year and a half ago | (#42536545)

so either you'd have to use a specific third-party library, or write your own code which does the same things. So it might well be that the site is not actually vulnerable

This is /.; writing code is no discouragement to anyone here. If all you had to do to steal all social security information for an entire country was 'write your own code', there will be takers.

Re:Not obvious what is actually at issue. (0)

Anonymous Coward | about a year and a half ago | (#42537311)

This is /.; writing code is no discouragement to anyone here. If all you had to do to steal all social security information for an entire country was 'write your own code', there will be takers.

He's talking about the site developer, not the attacker, moron.

Toy (1, Insightful)

QuietLagoon (813062) | about a year and a half ago | (#42534577)

Why is a toy programming environment like Ruby on Rails used for such a critical infrastructure?

Re:Toy (1)

MakerDusk (2712435) | about a year and a half ago | (#42536595)

Generally, because it's easy to write and, if properly implemented, is extremely efficient for extremely large, decentralized NoSQL databases.

Brogrammers.... (0)

Anonymous Coward | about a year and a half ago | (#42538081)

Because the brogrammers who built the propaganda website for a politico now need a proper pork project. Meanwhile the real work is done on Cobol by adults in the national retirement insurance agency.

"Fixes were released, so it looks like it's on (1)

obarthelemy (160321) | about a year and a half ago | (#42534693)

their sysadmin team now."

I laughed

1- Maybe implementing, validating, testing... the fix does take a bit of time ?

2- This sounds so much like a teenager "But Daddy, I know last time I went out I got back past curfew drunk and smelling of cigarettes... but that was LAST TIME, I'm trustworthy now... what's the hold-up ?"

Re:"Fixes were released, so it looks like it's on (0)

Anonymous Coward | about a year and a half ago | (#42538145)

I fully expect this "dynamic" thing to dynamically open up 25 more serious flaws in the next three years.

Exaggerated (1)

Fuzzums (250400) | about a year and a half ago | (#42534891)

This means that 16 million Dutch citizens cannot authenticate themselves anymore with government instances ON LINE, and that those same government instances can not DIGITALLY communicate anything to those same citizens anymore.

So instead, you make a phone call?

Re:Exaggerated (1)

Anonymous Coward | about a year and a half ago | (#42537697)

This system is for example used for authenticating our tax submission. It's quite vital for a lot of communication between government and civilians, since there are no (easy) other ways to perform such legally required civil tasks.

ps: a month ago there were problems with the phone and it wasn't even possible to dial 911 (112)

Let's not overreact (1)

Aethedor (973725) | about a year and a half ago | (#42535073)

It is a computer system. Like *every* computer system, it has flaws and one of those flaws can be a security flaw. The real issue is how the flaw is being handled. One can deny it, one can secretly fix it or one can take responsibility, inform its users and fix the issue. The last is the only correct way and it is the way the DigiD issue was handled. So, no 'real-life consequences', just another side effect of the digital age. It will soon be solved and life goes on. Nothing to see, move along.

NOT (0)

Anonymous Coward | about a year and a half ago | (#42538227)

I do think this incident, very much like the DigiNotar issue, raised the question "can computers actually be used for anything truly important??"

As it stands, the answer is a resounding "NO". We can NOT sign legally binding contracts using computers. We cannot rely on digital authentication to conduct government business. It seems we have to show up at a local government office and use some meatspace method of authenticating our important business. It seems that personally knowing people is actually a requirement for proper security.

The whole notion of "we are modern and use computers for everything" has been royally fucked through all bodily openings.

Wait until MOSSAD assassinates someone with stolen/counterfeited Dutch ID cards/passports (based on data lifted from that super-insecure "dynamic" site), before you say "no but".

yo0 FAIL it (-1)

Anonymous Coward | about a year and a half ago | (#42536379)

obta1n a cop7 of