MySql.com Hacked With Sql Injection

iceco2 writes "MySql.com and associated sites were hacked today. Among other items some simple passwords were recovered and private emails were revealed. Ironically the attack was performed using a blind sql injection attack."

Re:Another report

[Anonymous Coward]

No offense. Bad code can be written in any language.

The work of a lonely developer

[danielcolchete]

Even inside a big team of a big company it is amazing how so many people are working by themselves. That's the kind of error that a simple code review by an experienced programmer would have avoided (use bind variables/prepared statements).

Re:That's Not Ironic

[6031769]

Ironic is when one's words say one thing and one's actions another that contradict it.

No, that's hypocrisy, not irony. Try again.

Re:Too bad

[KiloByte]

Let's think if Oracle has something to gain from intentionally tarnishing the reputation of a product they want to kill.

I'm not saying it's foul play for sure, just pointing out they do have an incentive to do so.

Re:Another report

[PopeRatzo]

Note the parent's comment.

Does anyone still want to challenge my assertion that Slashdot is under an ongoing escalated attack from organized astroturfers of the New Media Strategies and Reputation Defender variety? I'm betting the MS is using in-house talent for this purpose, but it's quite possible that they are using New Media Strategies or another such company to keep the activity at arm's length to provide deniability. I wouldn't be surprised if 100,000 or more of the accounts with UIDs over 1500000 belong to employees of these companies or departments. Slashdot is a good target for them because so many of us are in influential or decision-making positions at our companies or are opinion-drivers due to our reputation as "computer nerds". A Slashdot story with an energetic discussion which is negative on say, AT&T can have an out-sized influence on opinion regarding that company, due to both word of mouth and search engine results.

One only has to watch any story that is critical of a major US company to see this behavior, which usually shows up as ignorant "frosty piss" trolling followed by >2000000 UID comments (often densely written) followed by a string of sockpuppet "bumping". The tactic is to disrupt the discussion to the point where serious opinion is abandoned. It can work because many don't have java-script enabled so you can't even collapse the offending thread.

Re:Does xkcd explain it?

[Tridus]

I have that comic taped to my door. Any programmer who walks by, reads it, and doesn't laugh is someone I watch VERY carefully when they write any code that touches a database.

Re:Another report

[Anonymous Coward]

Does anyone still want to challenge my assertion that Slashdot is under an ongoing escalated attack from organized astroturfers of the New Media Strategies and Reputation Defender variety?

I agree with you, but sometimes a nigger joke is just a nigger joke. I wrote a nigger joke in one story and it made first post. Then you went all ape-shit (pun intended) about how it's THEM!!!! conspiring to take over teh solar system or something ... that made my day dude. I think the neighbors could hear me laughing.

But yeah this troll can obvious tell that guy was a shill. A real obvious one. Anybody who isn't sure about that may be interested in buying some nice swampland in Florida. Maybe they'd like to also help a Nigerian prince move money out of his country.

Slashdot is a good target for them because so many of us are in influential or decision-making positions at our companies or are opinion-drivers due to our reputation as "computer nerds".

Most Slashdotters are familiar with the long history of Microsoft and its business practices. Some moron singing the praises of MSSQL isn't gonna erase that history. Even if MS made the undisputably best database in the entire world, and they don't, but even if they did I wouldn't use it. I would rather use the second-best and not have to deal with the devil. But then I have standards. A lot of you are mercenary types who don't give a damn and that's cool, just don't complain about how corrupt and fucked up most of the world is because you're the reason for it, the steady source of support for it.

Anyway Slashdot's gotta be one of the very worst places to try to make MS look good. The people who don't like MS got a long LONG list of damned good reasons for that. It is not something they flipped a coin to decide. It is the product of repeated examples of abuses and asshattery by this company over the last 10-15 years. Not something you can smarm your way out of. The PHBs who might be dumb enough to buy this shill's marketing don't usually read Slashdot.

The professional liars known as PR firms are only making sure that a foolish company with no scruples and its money are soon parted. Anybody who works for a PR company, really what the fuck is wrong with you? How does it feel knowing that you get your living by dishonesty and trickery?

FUCK. OFF.

[evanism]

Go die in a hole. What complete, utter and total fucking twat.

Re:USE BIND VARIABLES

[Just Some Guy]

SQL = """
SELECT make, model
FROM vehicle
WHERE vin IN (%s)
""" % ', '.join(["%s"] * len(VINs))

My eyes, they bleed! Write that like:

VINs = ("1M8GDM9A_KP042788", "1M8GDM9A_KP042789")
SQL = """
SELECT make, model
FROM vehicle
WHERE vin = ANY(%(vin)s)"""
dbconn.execute(SQL, {'vin': VINs})

Or even better:

vehicles = session.query(Vehicle).filter(Vehicle.vin.in_(VINs))

Voila. Those work, they're not hideous, and they prevent injection. To repeat the earlier idea: there's no need to write unsafe code. If you are, you're in the wrong line of work.

Re:What year is it?

[discord5]

When interviewing people for QA positions, I routinely ask "Do you know what an SQL injection attack is?"

Hahaha, reminds me of what I used to do to interns. We used to get a bunch of interns every year, and every year we'd have them develop small web applications for internal use. They'd work on their project and after a few weeks we'd come in and evaluate their work, steer them in the right direction (if that wasn't necessary earlier) and do a few tests.

The first thing I always asked was "Do you have a backup?" and after the inevitable googling of the mysqldump command I'd be an utter bastard and sneak in a DROP TABLE, or DELETE FROM statement in the URL bar, right after id=x, and surely enough most of the times it would work.

"It looks really great, but I think there's a problem with it. Maybe you want to check the logfiles to see what happened." to see if they'd see what was the problem, and if they didn't I would explain an SQL injection attack to them. Few of them managed to find the solution on google, but most immediately suggested such things as "I'll check for ; in the string" which inevitably led to me trashing their tables about 10 minutes later. I have to say, once they had their tables dropped twice they became real careful of permissions and handling SQL statements.

In a way I hope they learned something from having a complete bastard as a mentor, although I'm sure that a few of them have already forgotten about that one time a single statement ruined their database. Oh well...