The Rise of Everyday Hackers

samzenpus posted about a year and a half ago | from the hacker-mom dept.

Security 126

An anonymous reader writes "Research suggests there will be a rise in everyday hackers. A simple Google search for 'SQL injection hack' provides 1.74 million results, including videos with explicit instructions on how to exploit SQL injection vulnerabilities. The ready availability of this information makes it possible for less technically skilled hackers to take advantage of this common flaw. Although SQL injection flaws are easy to identify and fix, Veracode found that 32 percent of web applications are still affected by SQL injection vulnerabilities. As a result, as many as 30 percent of breaches in 2013 will be from SQL injection attacks. The research also concluded that the leading cause of security breaches and data loss for organizations is insecure software. The report found that 70 percent of software failed to comply with enterprise security policies on their first submission for security testing."

Hacker = Script Kiddie? (5, Informative)

Anonymous Coward | about a year and a half ago | (#43392187)

Really /. of all the places I'd not expect this particular stupidity.

you = stupid (0, Troll)

Anonymous Coward | about a year and a half ago | (#43392285)

so must be true

script kiddie = script kiddie and is a (less than) hacker, albeit not a skilled one.

Re:Hacker = Script Kiddie? (4, Funny)

jellomizer (103300) | about a year and a half ago | (#43392453)

Technically I am more of the old school definition of Hacker. And these criminals are actually crackers, and deserve to be punched in the face.

Oh all high and mighty Hacker, who broke into a website, made by some guy on a tight deadline, or is probably their first programming job. By using a SQL injection attack. How 7337 are they. By copying and pasting you have shown yourself to be some real computer wiz.

Sorry. I have no respect for these people. They just make the world a tougher place to live. Imagine how fast computers will be without layers of security to prevent people in breaking into their systems. But there are so many people who idealize these jerks think they are something special.

Re:Hacker = Script Kiddie? (3, Funny)

morgauxo (974071) | about a year and a half ago | (#43392687)

"But there are so many people who idealize these jerks think they are something special."

Oh, yeah, script kiddies. All the girls want to have them and the guys want to be them.

Re:Hacker = Script Kiddie? (1)

evilmidnightbomber77 (2891503) | about a year and a half ago | (#43392901)

Exactly. Us professionals run sqlmap --level 5 --risk 5 -u http://example.com/foo.php instead.

Re:Hacker = Script Kiddie? (1)

Anonymous Coward | about a year and a half ago | (#43393389)

The professionals just know that their code does not have any SQL injections and it will be impossible to have an SQL injection anywhere in their code due to sane use of the DB, code review, etc. monitoring of fellow programmers. ;)

Re:Hacker = Script Kiddie? (1)

K. S. Kyosuke (729550) | about a year and a half ago | (#43393857)

...due to sane use of the DB, code review...

How primitive. Just enforce it with the language, in the type system, or with AOP (which is virtually the same thing from a certain point of view).

Re:Hacker = Script Kiddie? (3, Insightful)

Synerg1y (2169962) | about a year and a half ago | (#43393103)

That's like saying... imagine a world where i leave my front door open... hope i don't get robbed!

Also, every time somebody argues the definition of hacker, cracker, and script-kiddie you folks are lowering the bar. By definition, neither of these 3 should care less what they're called by the media (real pros define themselves with hats? :P ). In fact, the more obscurity the better.

Re:Hacker = Script Kiddie? (1)

Anonymous Coward | about a year and a half ago | (#43393863)

Imagine how fast I could enter and leave my home/car/office if I didn't lock the door!

Re:Hacker = Script Kiddie? (1)

GodfatherofSoul (174979) | about a year and a half ago | (#43394305)

Ridiculous analogy because people aren't leaving their networks open. Some of these exploits take a sophisticated understanding of protocols to figure out even if the exploit itself is a simple piece of code or series of interactions.

And, this is my problem with the glorifying of hackers we get on Slashdot. Those of us with jobs in the industry have to waste our time dealing with these monkeys, while a certain subset here thinks it's the admin's fault that you found an exploit by trawling torrent sites all night.

Re:Hacker = Script Kiddie? (1)

Synerg1y (2169962) | about a year and a half ago | (#43394497)

I was mainly responding to...

Imagine how fast computers will be without layers of security to prevent people in breaking into their systems

And btw it is beyond a reasonable doubt the admin's fault somebody is browsing torrent sites off the company network at night.

1. why is VPN access not audited? (why does nobody see somebody getting in at night for non-work reasons)
2. why are the torrent sites not blocked? Even a simple blacklist can accomplish 99% of this.

Leave security to human nature and tendencies and in my analogy you might as well not bother with the front door... or frame for that matter.

Re:Hacker = Script Kiddie? (2)

Opportunist (166417) | about a year and a half ago | (#43395003)

Those "sophisticated attacks" are the tiny minority. I spend my time auditing the security of systems, and the systems where I have to dig deep and bring out the big guns are few and far between, usually found in healthcare or finance (i.e. places where they bother to hire more expensive and knowledgeable people because that's cheaper than the stiff penalties which may include shutting your act down).

Most systems already break down under an automated attack. Which sadly also means that in security auditing, a lot of snakeoil peddlers are traveling around and showing off cheap tricks that befuddle those that know even less than them about security, but ... well, as long as there are idiots posing as programmers, there will be idiots posing as hackers and of course you'll also find a lot of idiots posing as security experts. Just the natural order of things.

And yes, I agree, I'd wish I didn't have to waste my time dealing with these monkeys.

Re:Hacker = Script Kiddie? (0)

Anonymous Coward | about a year and a half ago | (#43394353)

That's like saying... imagine a world where i leave my front door open... hope i don't get robbed!

Welcome to many places in the Developed world.

Re:Hacker = Script Kiddie? (0)

Anonymous Coward | about a year and a half ago | (#43393107)

7337? Titties?

Re:Hacker = Script Kiddie? (0)

Anonymous Coward | about a year and a half ago | (#43394775)

Titties?

As a typical AC /.'er, I can understand your not having any firsthand experience with them, but surely you can Google to see what they are?

Re:Hacker = Script Kiddie? (0)

Anonymous Coward | about a year and a half ago | (#43393393)

I agree with your first part. Most people called "hackers" today are nothing but script kiddies. I enjoy how so many people idolize Anonymous, yet most are script kiddies at best. I watched a documentary on the group and one guy called himself a hacker and didn't do anything but install a DDoS program and open it for a remote signal. That doesn't make you a hacker. The art of hacking is mostly lost today, the word is used cheaply. It's really an insult to anyone who is a real hack whether on the good side or the bad, cause these kids fail to grasp any depth of knowledge about the system, device, program,....

Your last part is the only thing I see different. I believe security is a very important thing, not just keeping kids out but other reasons. If there was no security you wouldn't have your credit card encrypted over the line and anyone could sniff that out. If there was no security nations could do easy man-in-the-middle attacks on one another. I don't see security being a large tax on resources. We need security both for the kiddies and the true bad guys. As someone who is deeply involved in security, I will always encrypt my data, keep my system patched and keep as secure as I can, cause it's not going to get better only worse.

Re:Hacker = Script Kiddie? (1)

Anonymous Coward | about a year and a half ago | (#43393755)

The art of hacking is mostly lost today, the word is used cheaply. It's really an insult to anyone who is a real hack whether on the good side or the bad

Agreed. The misuse of the term hacker is akin to the misuse of the term hero these days. Real hackers don't even break into other computer systems. Real hackers see an interesting piece of software in action and think to themselves "How does that work?"...then they implement the functionality themselves to learn how it works. This is the approach I took years ago when Lotus 1-2-3 style menus were popular and I had just finished reading a book about the C language. I implemented a complete screen management library (the popular term is framework these days) using C and implemented Lotus 1-2-3 style menus, drop-down menus, multi-level horizontal and vertical oriented menus, etc. over the course of two weeks. This was during the mid-1980s after I bought a Commodore PC (an IBM PC compatible computer) a few years after exhausting the capabilities of my Commodore VIC-20 computer. I wish I could go back to these exciting times!

Re:Hacker = Script Kiddie? (1)

GigaBurglar (2465952) | about a year and a half ago | (#43393981)

"The art of hacking is mostly lost today"

Actually no - they are too busy tinkering with something to post videos on YouTube - and not giving themselves ridiculous names like viRuS or bLaCkD34Th

Re:Hacker = Script Kiddie? (2)

Anonymous Coward | about a year and a half ago | (#43393455)

Maybe I misinterpreted the point of TFA, but I took it as meaning there's something in between, where someone isn't what would have been called a "hacker" in the 1980s, but they might not necessarily be blindly running scripts without understanding them, either. That is, SQL injection attacks on websites are so well known, and well explained, that mainstream people are capable of "getting" it. What ESR calls a "larval stage" hacker might indeed write a script (without merely pasting) that automatically attacks sites, attempting injection on every GET parameter that its crawler detects.

Even if you have no respect for them, writing the scripts is not something a "script kiddie" does. Call 'em juvenile assholes or worthless-piece-of-shit vandals if you like, but not "script kiddies." I think of script kiddies as people who use attack tools without knowing how the tools work or how to create them.

Where it gets even more blurry, is how the tools have improved. You can be a "programmer" but use the incredibly high-level "batteries included" standard libraries, like what comes with Python. You can crawl a site without knowing how to write a parser. That makes it harder to tell who is a what.

Re:Hacker = Script Kiddie? (1)

GigaBurglar (2465952) | about a year and a half ago | (#43393947)

"But there are so many people who idealize these jerks think they are something special." But I saw it in a film.. they look so cool.. people will think I'm smart and mysterious.

Re:Hacker = Script Kiddie? (1)

Opportunist (166417) | about a year and a half ago | (#43394913)

Idealizing the attacker? No. But likewise, not absolving the idiot who built the insecure webpage in the first place. A "tight schedule" is NO excuse for the crap that doubles today as security layer. Most of the things I find in webpages these days can easily be avoided without additional programming effort, all it takes is KNOWING something about SQL instead of copying/pasting the crap off the net.
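Added example, not code from the thread or from any poster: the string-built lookup this discussion is about, next to the same lookup with a bound parameter, run against an in-memory SQLite database. The `users` table, the function names and the sample rows are assumptions constructed for the illustration.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions for this example.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Return an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_concat(conn, name):
    """Vulnerable form: the input becomes part of the SQL text itself."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_bound(conn, name):
    """Hardened form: same query, but the input is bound as a value, never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def outcome(finder, conn, name):
    """Return the number of rows a lookup yields, or 'error' if the SQL failed to parse."""
    try:
        return len(finder(conn, name))
    except sqlite3.OperationalError:
        return "error"


def compare(conn, inputs):
    """Run both lookups over each input and return (input, concat, bound) tuples."""
    return [
        (name, outcome(find_user_concat, conn, name), outcome(find_user_bound, conn, name))
        for name in inputs
    ]


if __name__ == "__main__":
    db = make_db()
    # An ordinary name, a quote-bearing tautology, and a legitimate surname with a quote.
    cases = ["alice", "x' OR '1'='1", "O'Brien"]
    for name, concat, bound in compare(db, cases):
        print(f"{name!r:18} concatenated={concat!s:6} bound={bound}")
```

The third input is an ordinary surname: the concatenated form fails on legitimate data as well as returning every row for the tautology, while the bound form handles both with the same amount of code.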

Re:Hacker = Script Kiddie? (1)

Anonymous Coward | about a year and a half ago | (#43395155)

Cracker as a pejorative term to describe Black Hats is just not going to catch on as a term used by professional media. It's been a derogatory term referring to rural white US Southerners for over 150 years and became a widespread racial epithet towards white people in general over 50 years ago.

Re:Hacker = Script Kiddie? (1)

interval1066 (668936) | about a year and a half ago | (#43392579)

Huh? How is this 'stupid', exactly? This is a very informative article. Or are you of the "see no evil" persuasion?

Re:Hacker = Script Kiddie? (0)

Anonymous Coward | about a year and a half ago | (#43392793)

It's stupid because they used the "new" (read: incorrect) definition of hacker. It's a pretty common and highly irritating mistake that submitters and editors at slashdot alike make all the goddamn time. They should know better. http://www.catb.org/jargon/html/H/hacker.html

Re:Hacker = Script Kiddie? (2)

ci13urn (1653273) | about a year and a half ago | (#43393931)

It's also stupid because it's common sense that Googling something will bring you a how-to. It's also stupid because I read this same article at least twice a month. SQL injection has, and probably for a long time coming, will be the most commonly exploited vulnerability on the web.

Re:Hacker = Script Kiddie? (0)

Anonymous Coward | about a year and a half ago | (#43392761)

The true morons are the ones who make these tools to fail. It's so bad they should be penalized for their failure since it's obvious they're working for criminals by inserting this weakness in their products.

Wanna bet M$ would not cream themselves at that idea?
Wanna bet the government would not cream themselves taking M$ money?
Wanna bet both would not benefit by racking your company and stealing what falls out and then charging the taxpayers to house and feed you and provide lousy healthcare for your bleeding anus?

Fix your shit now.

Re:Hacker = Script Kiddie? (1)

Opportunist (166417) | about a year and a half ago | (#43394883)

Well, considering how programming gets easier, it's just logical that hacking programming gets easier too. When you have people who don't know what they're doing and just following rote and rule creating programs, you can have people who don't know what they're doing exploiting their weaknesses.

It's the logical conclusion when you forgo basic knowledge and basic computing skills. That's what happens when cargo cult programming and copying/pasting from code snippets and samples becomes the norm. Of course, such people also create programs that have easy to exploit flaws. Not only because they copy/paste the programming errors of others, by stringing such bits of code together they introduce more.

Like not all programmers are rote programmers, not all hackers are script kids. All this said is that the fact that code is written by more and more inferior programmers, more and more inferior hackers can overcome the security of that code.

The word is cracker, not hacker (0, Informative)

Anonymous Coward | about a year and a half ago | (#43392219)

Re:The word is cracker, not hacker (1, Interesting)

Anonymous Coward | about a year and a half ago | (#43392259)

No it isn't. The word is Hacker. Cracker is someone who removes DRM protection from games and other software.

Re:The word is cracker, not hacker (0)

Anonymous Coward | about a year and a half ago | (#43392571)

The word is Hacker.

No, it isn't. The word is "cracker", just ask rms and the Jargon File. Hacking is simply playful cleverness.

http://stallman.org/articles/on-hacking.html
http://www.catb.org/jargon/html/C/cracker.html
http://www.catb.org/jargon/html/H/hacker.html

Re:The word is cracker, not hacker (1)

wonkey_monkey (2592601) | about a year and a half ago | (#43392669)

Sorry, but in English words are defined by how they are used, not how some wish they were used.

Re:The word is cracker, not hacker (0)

Anonymous Coward | about a year and a half ago | (#43393123)

But this is slashdot.

Stallman's word as gospel, unless you are one of those nasty Microsoft shills.

Re:The word is cracker, not hacker (1)

SuricouRaven (1897204) | about a year and a half ago | (#43393497)

The jargon file is more how they were used. Language changes, especially in tech circles.

Re:The word is cracker, not hacker (0)

Anonymous Coward | about a year and a half ago | (#43395105)

The jargon file is more like the middle english of computer science.

Things move that fast

Re:The word is cracker, not hacker (1)

GigaBurglar (2465952) | about a year and a half ago | (#43394037)

Let me axe u a question den. Have u evr used a dictionary? Den u wud kno that words hav clear definitions.

Re:The word is cracker, not hacker (1)

Lazere (2809091) | about a year and a half ago | (#43394245)

And yet, I understood every word of that. Clear definitions are only useful if everybody agrees on them.

Re:The word is cracker, not hacker (0)

Anonymous Coward | about a year and a half ago | (#43394261)

If words have clear definitions dumbfuck, why do dictionaries exist? It wouldn't have anything to do with, you know, keeping up with current usage and definitions?

Re:The word is cracker, not hacker (0)

Anonymous Coward | about a year and a half ago | (#43394817)

Your point would have worked if you had asked why they get updated. A static, unchanging language will still have a dictionary, but it would never be updated.

Not that I expected much by the 6th word in your post.

Re:The word is cracker, not hacker (2, Interesting)

fustakrakich (1673220) | about a year and a half ago | (#43392759)

No, a cracker is a thin, crisp wafer often eaten with cheese or other savory toppings.

Re:The word is cracker, not hacker (5, Funny)

dkleinsc (563838) | about a year and a half ago | (#43392859)

No, "cracker" is a synonym for "honky", although it's arguably correctly spelled "cracka".

Re:The word is cracker, not hacker (1)

BitZtream (692029) | about a year and a half ago | (#43394071)

No.

A cracker is a cowboy in Florida with a whip that he 'cracks' to encourage his cattle to move on demand.

A honkey is a racial slur for white people.

You probably also think Redneck is a racial slur. Neither Cracker nor Redneck are racial slurs, they define a working class of people, race/color is irrelevant.

If you're going to be a bigot, at least get your fucking racism and prejudice right.

Re:The word is cracker, not hacker (1)

dkleinsc (563838) | about a year and a half ago | (#43394309)

For the record, I'm using slurs that could be and have been said targeting me. It's like Chris Rock saying the n-word.

Re:The word is cracker, not hacker (0)

Anonymous Coward | about a year and a half ago | (#43392889)

Cracker is someone who removes DRM protection from games and other software.

That's racist!

Re:The word is cracker, not hacker (1)

hackula (2596247) | about a year and a half ago | (#43394033)

...but probably true, more often than not.

Re:The word is cracker, not hacker (1)

TsuruchiBrian (2731979) | about a year and a half ago | (#43393951)

It's not that you are wrong. You are right about how these words are used today. That you seem completely unaware of what these words used to mean (i.e. hacker (before) = tinkerer (today), cracker (before) = hacker (today)) betrays your ignorance.

Re:The word is cracker, not hacker (1)

GigaBurglar (2465952) | about a year and a half ago | (#43394029)

I usually define cracker as someone who 'cracked' a problem; to crack a code or puzzle (to use it generically).
A hacker is someone who modifies the function / flow of code / hardware - to re-purpose something into something else for their own benefit.

To create code that will modify the stack of a program; to alter the hex of a binary is really the domain of a hacker.
To crack something is to really use code to solve a problem - crack a code; perform brute forcing.
There is an overlap when one breaks license protection of software; or designs software to modify a program's stack - to do that you need to both hack and crack.

Most 'hackers' these days will just use code that was written by a real hacker - without hacking anything they essentially crack problems; crack their way into a system without ever modifying code on their own.

Re: The word is cracker, not hacker (0)

Anonymous Coward | about a year and a half ago | (#43394135)

I always thought a hacker was someone who created a tool from the ground up because it is way expensive to obtain. E.g. Linux. What Torvalds did is a perfect example. Or someone without academic credentials. Hacker, hacking: a term coined by the admins at universities given to someone who hacked into the servers with a C64 who had no PhD in programming computers.

Re:The word is cracker, not hacker (1)

Opportunist (166417) | about a year and a half ago | (#43395093)

I never really got that fight. Hacker, cracker, ... do I need a label?

War hero, murderer, same shit. I know it's easier and faster to just read the label instead of looking at the whole story and make up your mind accordingly... oh look what I'm saying, people supposed to make up their own mind. Do they still do that? I think it went out of fashion. Today we prefer to just read the label on a person. It's easier.

But I guess I finally get the PC craze. If it is so important what label is attached to us, and if we don't bother to look at the person behind the label anymore, it matters that the label has some good connotation. Whether the person has, who cares?

Cracker already means something else. (0)

Anonymous Coward | about a year and a half ago | (#43395205)

Cracker means you're a stupid white person. Chris Rock isn't talking about geeks.

http://en.wikipedia.org/wiki/Cracker_(pejorative)

Um, yeah. (0)

Anonymous Coward | about a year and a half ago | (#43392237)

But a person without broad systematized technical knowledge doesn't know what they're doing and so can't do anything useful. It's the way it's always been.

Please ./ (1)

Anonymous Coward | about a year and a half ago | (#43392241)

remove this article

The rise of everyday... fuck, everything really. (5, Insightful)

rodrigoandrade (713371) | about a year and a half ago | (#43392265)

If this is what passes for research nowadays, I got some more data. Check out these Google queries and the results... (something, something, think of the children, something).

"make a bomb" 557,000,000 results
"rape sister" 99,000,000 results
"kill mother" 274,000,000 results (funny how "kill mother in law" turns up on Google's autocomplete thingy)
"cheat taxes" 59,700,000 results

Re:The rise of everyday... fuck, everything really (5, Funny)

geminidomino (614729) | about a year and a half ago | (#43392327)

After setting off every TLA alert system to make a point on slashdot, user "rodrigoandrade" received a midnight visit and was never heard of again.

And then they do (0)

Anonymous Coward | about a year and a half ago | (#43392743)

Not so funny now eh, funny man?

Re:The rise of everyday... fuck, everything really (1)

mjr167 (2477430) | about a year and a half ago | (#43392821)

I think the solution is to ban Google! Google is clearly facilitating terrorists!

Re:The rise of everyday... fuck, everything really (1)

amiga3D (567632) | about a year and a half ago | (#43393311)

no, just censor it. Wait for it, it's coming.

Re:The rise of everyday... fuck, everything really (1)

JazzLad (935151) | about a year and a half ago | (#43394855)

Coming? [wikipedia.org]

Re:The rise of everyday... fuck, everything really (1)

Anonymous Coward | about a year and a half ago | (#43393011)

half of those are blogs with no content and linkspam. another chunk is what im guessing are wordfiles for cracking passwords. another chunk will not have the search term anywhere on the page for some reason. even tho it showed it in the summary.

much better.

Re:The rise of everyday... fuck, everything really (1)

Idbar (1034346) | about a year and a half ago | (#43393245)

And my take on that is the news and Internet itself.

With news indicating "how easy it is to find how to make a bomb online" or even running an article explaining it [guardian.co.uk], and on the other hand, geeks making references to little Bobby tables, what do you expect, but people going around and confirming by themselves?

Re:The rise of everyday... fuck, everything really (1)

Idbar (1034346) | about a year and a half ago | (#43393279)

Then again, as you said, there's plenty of documentation online. Now, how is being used? Despite of just satisfying curiosity, is how Google or Wikipedia searches make no sense as metric or indication of anything.

Re:The rise of everyday... fuck, everything really (3, Insightful)

SuricouRaven (1897204) | about a year and a half ago | (#43393565)

Attitudes towards potentially dangerous material are often contradictory. For example, in an episode of Mythbusters the team required thermite for an experiment. They made this themselves, in a procedure not shown. The ingredients bottles were blurred out to hide the labels. Jamie sarcastically warned viewers never to mix 'blur' and 'blur.' So clearly, someone at the studio considered this information to be too dangerous to reveal to the audience - either because it could be used to create a weapon, or because of the risk someone would experiment with it and then sue the studio after they burned their hand off. And yet, this material that so scared the studio is widely known. Not only can it be looked up with ease on the internet, but it's the textbook example of a redox reaction - quite literally the textbook example. When I studied chemistry in a perfectly ordinary public school it was the example in the textbooks, including not just the ingredients but instruction in how to calculate the correct ratio and, thanks to a practical demonstration given by the teacher, instruction in the importance of particle size, correct safe preparation method and means of ignition. Does that mean the school chemistry text is a terrorism handbook?

You probably could use thermite for terrorism too. If it's used to weld rails, it can be used to sever them too. Sever a rail, derail a train. Could kill hundreds of people if you time it right.

Re:The rise of everyday... fuck, everything really (1)

GigaBurglar (2465952) | about a year and a half ago | (#43394057)

*Knock knock*

"Who's There?"

"The FBI"



Congratulations - I hope you don't plan on leaving the country any time soon. :)

Re:The rise of everyday... fuck, everything really (1)

Opportunist (166417) | about a year and a half ago | (#43395163)

"I gave at the office"

Disturbing Research Results (0)

Anonymous Coward | about a year and a half ago | (#43394677)

Your research results seem to indicate that people are an order of magnitude more interested in killing their mother than cheating on their taxes. This is deeply disturbing and warrants further study.

Will a $1,000,000 suffice?

Everyday? (1)

Beorytis (1014777) | about a year and a half ago | (#43392279)

I guess I'm wondering what the definition of "everyday hacker" is. Just less technically sophisticated?

Re:Everyday? (1)

TWiTfan (2887093) | about a year and a half ago | (#43392395)

It's a script kiddie.

Re:Everyday? (1)

Anonymous Coward | about a year and a half ago | (#43392717)

What I am concerned about is even though SQL injections are a common attack, which doesn't take a lot of skill to take advantage of, it can result in one unexpected consequence.

It wouldn't be hard for a LEO to make honeypots. Then when some junior level people run the scripts, their info is saved aside, and then at a later date after a DA has plenty of time to make a firm case, mass arrests, Operation Sun Devil style are made, and multiple times.

Yes, attempting to break into something is a crime, but what constant mass arrests would do is result in is another generation of children [1] too afraid to test limits, or if they know what they are doing, they would never work for anything government related for fear of being tossed to the wolves, come some witch hunt (say WarGames 2 gets released, and the fear of "cyber-terrorism" hit a peak again.)

In the '90s, we completely lost a generation of people who would do white-hat work for computer security due to Operation Sun Devil and Steve Jackson Games.

My concern is that leaving easy bait out for people curious about stuff, then mass arrests after that will not just pull computer-savvy people out of the workforce, but scare anyone off who is interested in computer security. Already, I've spoken with high school counselors who tell any STEM major to go law because the floodgates for H-1B workers are about to triple, and that means there is no real way to obtain a viable career in that field.

[1]: More like another generation of lusers.

Re:Everyday? (2)

SuricouRaven (1897204) | about a year and a half ago | (#43393707)

"result in is another generation of children [1] too afraid to test limits,"

That may be the intended result.

In the early days of the internet, there was a very casual attitude to hackers. It was fully expected that most aspiring technical types would go through a 'phase' of aggressive exploration and pranking, and so long as they didn't do any serious damage it was regarded as a standard part of the learning process and something they would eventually mature out of once they no longer felt they had to prove their skills by such a game. If someone broke your system, you'd fix the hole and silently congratulate someone who'd shown skill, initiative and enthusiasm for the field. Things are very different now. With computers much more involved in high-value commercial and governmental usage, there is much less room to tolerate hacking attempts - that playful, still-learning script kiddie could get lucky and cost the company millions. So attacks that once would have been shrugged off now result in calling in the police and the lawyers.

Also, Wargames 2 exists: It was a direct-to-DVD sequel generally regarded as an insult to the original.

It's called the internet (5, Insightful)

ci13urn (1653273) | about a year and a half ago | (#43392281)

My research suggests there will be a rise of everyday cooks. A simple Google search for "How to Cook" returns over 1 Billion links and videos describing how to cook! This is original news...

what is this shit (2)

Synerg1y (2169962) | about a year and a half ago | (#43392319)

As a result, as many as 30 percent of breaches in 2013 will be from SQL injection attacks. The research also concluded that the leading cause of security breaches and data loss for organizations is insecure software. The report found that 70 percent of software failed to comply with enterprise security policies on their first submission for security testing.

No!

Email Spear phishing is the leading cause of security breaches, you can patch software all you want, but patching an idiotic user? Good luck on that!

And 70% sounds a little low, on an intense enough audit (there's many levels), it would look more like 95%.

RISE !! RISE !! RISE !! (-1)

Anonymous Coward | about a year and a half ago | (#43392423)

She looks in the mirror and stares at the wrinkles that weren't there yesterday
And thinks of the young man that she almost married
What would he think if he saw her this way?

She picks up her apron in little girl-fashion as something comes into her mind
Slowly starts dancing remembering her girlhood
And all of the boys she had waiting in line

Oh, such is the rise of the everyday housewife
You see everywhere any time of the day
An everyday housewife who gave up the good life for me

The photograph album she takes from the closet and slowly turns the page
And carefully picks up the crumbling flower
The first one he gave her now withered today

She closes her eyes and touches the house dress that suddenly disappears
And just for the moment she's wearing the gown
That broke all their minds back so many years

Oh, such is the rise of the everyday housewife
You see everywhere any time of the day
An everyday housewife who gave up the good life for me

A Bit Late (1)

g0bshiTe (596213) | about a year and a half ago | (#43392455)

Wow, a recent google search revealed a search for sql injection netted over 7 million hits and even shows how to do this. This has been well known for at least the last 6 years, next you'll be telling me to beware of Belarc because it will post my serial keys in some hidden page.

Who is Veracode and what are they trying to sell? (2)

glwtta (532858) | about a year and a half ago | (#43392565)

Leaping to faulty conclusions from spotty data is basically my day job, but it seems these people take it to a new level.

30% of breaches will be from SQL injections, because that's the percent they found to be vulnerable?

A certain type of attack will increase because they googled some shit?

What the actual fuck is this?

Re:Who is Veracode and what are they trying to sel (0)

Anonymous Coward | about a year and a half ago | (#43393303)

And how much is Veracode paying Dice?

Amazing... (1)

ewenix (702589) | about a year and a half ago | (#43392569)

This is what passes as news on slashdot now? Let's see what's that brady bunch phrase?? oh yeah..... jumped the shark.

Re:Amazing... (0)

Anonymous Coward | about a year and a half ago | (#43392701)

This is what passes as news on slashdot now?
Let's see what's that brady bunch phrase?? oh yeah..... jumped the shark.

I thought it was Happy Days, where Fonzie jumped the shark.

Re:Amazing... (0)

Anonymous Coward | about a year and a half ago | (#43392755)

Happy Days - "The Fonze" jumped the shark [wikipedia.org]

If you were being sarcastic about brady bunch, may I suggest being less subtle: Little House on the Prairie.

Now get off my lawn!

LOL ... (1)

gstoddart (321705) | about a year and a half ago | (#43392629)

This reminds me of JK Rowling's "A Casual Vacancy" since this kind of casual hack figures into the plot.

Students (2)

nightfury (2826503) | about a year and a half ago | (#43392763)

"'Little Bobby Tables', we call him..."

Pure FUD by a security web site... (5, Insightful)

David_Hart (1184661) | about a year and a half ago | (#43392801)

I think that most comments are missing the fact that this is an article on a security web site which will be used to sell CEOs on the latest in security platforms. It's pure marketing, which means that it doesn't have to be logical or adhere to real world facts.

I agree that it should have never made it to Slashdot. However, it is interesting to read silly articles like this from time to time to remind ourselves where management gets their ideas about security.

Re:Pure FUD by a security web site... (0)

Anonymous Coward | about a year and a half ago | (#43393351)

One could almost say that they're hacking the CEOs for fun and profit.

Report finds that (2)

biodata (1981610) | about a year and a half ago | (#43393097)

Insecure software is insecure

Lies, damn lies, and statistics (3, Insightful)

Loosifur (954968) | about a year and a half ago | (#43393165)

"A simple Google search for 'SQL injection hack' provides 1.74 million results, including videos with explicit instructions on how to exploit SQL injection vulnerabilities."

Which means that people could be searching to learn what that means because they read or heard it somewhere, or because they want to prevent SQL injection hacks on their site. There are two alternative explanations that don't involve cracking, and I'm sure you can come up with more.

"Although SQL injection flaws are easy to identify and fix, Veracode found that 32 percent of web applications are still affected by SQL injection vulnerabilities. As a result, as many as 30 percent of breaches in 2013 will be from SQL injection attacks."

The quoted statistic does not prove the subsequent claim. This violates basic principles of logic, and anyone who's taken a statistics course (as all reporters should) would see the problem here. Just because 1/3 of web apps are vulnerable to a given attack does not mean that 1/3 of web apps will subsequently fall victim to said attack. The less horrible way to phrase this would be to say that there's a 1 in 3 probability that future attacks will involve SQL injection, and even that's not borne out by the statistic.

Here's an analogy (non-automotive): 15% of college basketball players are talented enough to be drafted into the NBA, let's say. This does not mean that 15% of college basketball players WILL be drafted into the NBA, nor does it mean, and this is the kicker, that 85% of new NBA players will be talented players coming from somewhere other than college teams. Or, 1/4 of all homes being vulnerable to electrical fires does not mean that 1/4 of all home fires will be electrical.

Re:Lies, damn lies, and statistics (1)

postbigbang (761081) | about a year and a half ago | (#43393895)

What? Causation != Correlation?

I find it embarrassing that there are so many SQL injection links out there. Why? It means that those pages aren't filled with kitty pictures!

After all, it seems that about half of social media posts involve kitties, and if we could just post kitties instead of SQL injection attack links, the world would be so much nicer!

Re:Lies, damn lies, and statistics (1)

chaos_technique (1191999) | about a year and a half ago | (#43394905)

and we should really stop talking about this, since it obviously makes the world even more insecure: I just googled for "SQL injection" and lo and behold,

About 6,790,000 results (0.16 seconds)

I guess this post makes it +1, I'm really anxious now.

Hmmmm (1)

inkcogito (2891523) | about a year and a half ago | (#43393171)

Is there a database of SQL injection hacks?

Re:Hmmmm (0)

Anonymous Coward | about a year and a half ago | (#43393291)

No, because there'd be no point. There's http://www.exploit-db.com/ and similar for bugs in well-used webapps, but these bugs are so relatively easy to find.

Re:Hmmmm (1)

amiga3D (567632) | about a year and a half ago | (#43393323)

talk about recursive

Re:Hmmmm (2)

JWW (79176) | about a year and a half ago | (#43393401)

There used to be...

Re:Hmmmm (0)

Anonymous Coward | about a year and a half ago | (#43393697)

Is there a database of SQL injection hacks?

There used to be...

Let me guess, was it hacked?

Insecure software? (0)

Anonymous Coward | about a year and a half ago | (#43393177)

I'd recommend counseling for all the insecure software out there. Might do wonders.

What? (1)

dragon-file (2241656) | about a year and a half ago | (#43393297)

Since when have script kiddies been elevated to everyday hackers?

Re:What? (1)

Opportunist (166417) | about a year and a half ago | (#43395203)

You don't follow the news on TV, do you?

.. are easy to identify, fix, AND AVOID completely (0)

Anonymous Coward | about a year and a half ago | (#43393357)

It's ridiculous that SQL injections keep popping up all the time when it's ridiculously simple to avoid them, just don't append random variables with data coming from the user to your SQL queries. Use parameter binding, cast numeric values to integers, etc. .. it is so trivial to avoid these that all stupid code examples on the internet should be removed immediately and anyone posting such examples should be publicly ridiculed.

Common programming forums and pages like PHP.net should also perma-ban and ridicule everyone posting examples or comments that have code/comments/etc. with SQL injections in them. More importantly, all examples should be complete enough to actually describe ways to enter your parameters in the queries in a sane way instead of just using a hard-coded ID number so they can just encapsulate it in a single string, since most "SQL newbie" programmers will never learn of parameter binding etc. that way.
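An added illustration of the parameter binding and integer cast recommended in the comment above, not code from the commenter or the article. It uses Python's standard `sqlite3` module; the `users` table, the function names and the sample rows are constructed for the example.

```python
import sqlite3

def make_db():
    """Build an in-memory table holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany(
        "INSERT INTO users (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return db

def lookup_concat(db, user_id):
    """Anti-pattern: the request value becomes part of the SQL text."""
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, user_id):
    """Parameter binding: the SQL text is fixed, the value travels separately."""
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in db.execute(sql, (user_id,))]

def lookup_bound_int(db, user_id):
    """Binding plus an integer cast, so malformed ids are rejected up front."""
    try:
        numeric_id = int(user_id)
    except ValueError:
        return None  # caller should treat this as a bad request
    return lookup_bound(db, numeric_id)

if __name__ == "__main__":
    db = make_db()
    crafted = "1 OR 1=1"  # constructed request value, not a number
    print("concatenated:", lookup_concat(db, crafted))     # every row comes back
    print("bound:       ", lookup_bound(db, crafted))      # compared as data, no match
    print("bound + int: ", lookup_bound_int(db, crafted))  # rejected before the query
    print("bound + int: ", lookup_bound_int(db, "2"))      # normal lookup still works
```

With binding, the database parses the statement before it ever sees the value, so the value cannot change the query's structure; the cast adds early rejection of input that was never a valid id.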

Actually 138K hits, not 1.74m hits (1)

Ben Bederson (2881847) | about a year and a half ago | (#43393709)

Using Google to search for "SQL injection hack" WITH QUOTES results in 138,000 hits. If you search for SQL injection hack without quotes (meaning Google will count pages that have those words anywhere on the page), then you get the 1.74m hits reported.

Re:Actually 138K hits, not 1.74m hits (0)

Anonymous Coward | about a year and a half ago | (#43395179)

So what you're saying is the author is right, but you are more right? Pfft. What about all the sites providing the same information without using the word HACK? Pat yourself on the back son ... ya done good but not great.

The devil is in the details. (1)

houbou (1097327) | about a year and a half ago | (#43393771)

That's the only way to be truly secure. Pay attention to every aspect of your setup.

SQL is bad design (0)

Anonymous Coward | about a year and a half ago | (#43393817)

Having what amounts to dynamically generated code, that also includes information from the end user, being interpreted by the database (a SQL command) was, is, and will always be a terrible terrible idea. The database paradigm should have always had input provided in a different context from the code. And that's saying if code was at all necessary in the first place (which it wasn't, as NoSQL shows).

Furthermore, front-end developers will always prioritize client relations (regardless of whether it's an internal client or external client) over code quality, thus it is expected that they suck at security. The only way to ensure that these developers follow secure practices is for the systems they use to reduce their workload to automatically provide these good security practices. I am a huge proponent of server side web frameworks because they ensure a majority of a dev's security bases are covered. They also marginally increase productivity, but that's just a bonus for me personally.

Re:SQL is bad design (0)

Anonymous Coward | about a year and a half ago | (#43393953)

Having what amounts to dynamically generated code, that also includes information from the end user, being interpreted by the database (a SQL command) was, is, and will always be a terrible terrible idea. The database paradigm should have always had input provided in a different context from the code. And that's saying if code was at all necessary in the first place (which it wasn't, as NoSQL shows).

The amount of stupidity in these sentences is mind-boggling. Please tell me you don't architect or write code for a living.

Obligatory XKCD (2)

OhSoLaMeow (2536022) | about a year and a half ago | (#43393991)

XKCD [xkcd.com]