MySql.com Hacked With Sql Injection

iceco2 writes "MySql.com and associated sites were hacked today. Among other items some simple passwords were recovered and private emails were revealed. Ironically the attack was performed using a blind sql injection attack."

Another report

[symbolset]

Some evidence of server issues here already. Another report: A proper link? [sophos.com]

Incoming botswarm

[symbolset]

Microsoft web serving products? How dumb can can a bot get? Turing fail.

Re:

[Anonymous Coward]

No offense. Bad code can be written in any language.

Re:

[WrongSizeGlass]

This article is a tad harsh on MySQL.com - and rightfully so:
* The domain's SSL expired a month ago
* Some of the passwords for the account 'sysadm' was “qa”
* Their website was obviously not properly secured

Re:

[WrongSizeGlass]

This article is a tad harsh on MySQL.com - and rightfully so:

That should have been This article [securingsqlserver.com]. D'oh!

Re:

[Goaway]

Of course. That is hardly relevant. The question is, how hard is it to write bad code?

Re:

[c0lo]

Of course. That is hardly relevant. The question is, how hard is it to write bad code?

Far easier than to write a good code, no matter the language (on some languages, it's even impossible to write good code)

Re:

[DrXym]

Of course. That is hardly relevant. The question is, how hard is it to write bad code?

I think SQL databases / drivers could do a lot more to protect themselves from bad programmers. For example we all know that a prepared statement is safer from SQL injection than an ad hoc one because params are properly escaped. So why allow ad hoc statements at all by default? Seems to me that drivers should require the app to explicitly override safeguards if they want to dangerous things. Likewise SQL comments are often used to disable the rest of an injection attack but why are they needed in client si

Re:

[AsmCoder8088]

Okayyyyyyyy... MS astroturfing, anyone?

Re:Another report

[symbolset]

180 words, under 1 minute by the timestamp. It was actually under 30 seconds. Bot. A prepared response to any article containing "hacked" and "mysql"

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[gfody]

it's called social media monitoring and engagement and get used to it because it's the future of marketing. more [alterian.com]

Re:

[bcmm]

The only other comments made by that account are on the front-page story before this one. However, they're timestamped quite a bit before this story went up. How long does a subscription let you "beat the rush" for?

Re:

[Cidolfas]

Or better idea: just use PHP's PDO module for your SQL interactions, regardless of backend database. It makes bad code just as hard to write in PHP as it is in C# (which means, still easy but most use-cases are at least sanitized).

Re:

[MarkRose]

Using PDO isn't sufficient. You also have to bind all your values/parameters. Just sticking variables into the SQL statement wont' save you.

Then there's the extra round trip performance overhead of using a prepared statement if created in PHP and not saved in MySQL.

Re:

[Cidolfas]

True, I was just saying it brings PHP into parity with .net

Re:

[bondsbw]

I have been a C# developer since .NET 1.0, and worked with MS SQL Server just as long. I love them, and recommend them wholeheartedly to everyone I know. But if you think C# + MSSQL = Safe, you've probably already been hacked.

Sure, C# via ADO.NET has parameterized queries to help prevent SQL injection, and we have the Entity Framework and such goodies, but all I need to do is "SELECT * FROM MyDB WHERE ID = " + queryStringID + ";". String concatenation... it's a feature of C#, and because of it you sudden

Re:

[marcello_dl]

>As a hobbiest web based game developer it's performance I wouldn't have money to get elsewhere.

sooo... you really haven't been far as decided to use even go want to do look more like, I guess.

Re:Another report

[Dunbal]

Not trusting the user input is rule #1 of programming - from way before the internet era. I'm only a programmer by hobby and even I know that. What do they teach these kids at school?

Re:

[Max Littlemore]

Well, I think it's one of the major problems with C# and MS SQL Server. By default the combination allows extremely unsafe code. or I should even say encourages. I'm all for allowing for the coder to take those routes if he wants to, but for the love of god, teach the noobs to program safely. While you can use safe methods with C# and MS SQL Server, other languages encourage it. For example befunge98 combined with Paradox makes sure the programmer is coding safe code. On top of that Paradox is speedy, stable product that is used by millions individuals and enterprises. For me that sure does tell about quality, and by looking at the companies using the PDP-11 I'm even happier to pick it as my platform. btw, I personally found their Paradox Baby Shit Orange cloud-based databases services absolutely stunning. They are highly scalable, ultra fast and automatically taken care of for you. As a hobbies useless pre loaded crapware developer it's performance I wouldn't have money to get elsewhere. And the sheer quality of the service is absolutely great.

or to put it another way, shit programmers write shit code, regardless of the tools they use. Begone to the special Hell they keep for corporate schills you obvious schill.
oh and by the way, more people and companies using a product is more likely to mean there is a reality distortion field or illegal anti-competitive behaviour surrounding a product if the past 30 years is anything to go by. Shit for brains.

Re:

[uberjack]

As AC below pointed out, bad code can be written in any language. I worked for a University of California campus, when UCLA got hacked a couple of years ago, due to a SQL injection attack. Their choice of platform? C#/MSSQL. Programmers on our own team (C#, MSSQL) wrote SQL injection-friendly code - I can't remember how many times I've caught unsanitized input being put into a SQL query without proper sanitization or "SqlParameter-ization" - people who wrote enterprise-level apps for years prior, and who s

Re:Another report

[PopeRatzo]

Note the parent's comment.

Does anyone still want to challenge my assertion that Slashdot is under an ongoing escalated attack from organized astroturfers of the New Media Strategies and Reputation Defender variety? I'm betting the MS is using in-house talent for this purpose, but it's quite possible that they are using New Media Strategies or another such company to keep the activity at arm's length to provide deniability. I wouldn't be surprised if 100,000 or more of the accounts with UIDs over 1500000 belong to employees of these companies or departments. Slashdot is a good target for them because so many of us are in influential or decision-making positions at our companies or are opinion-drivers due to our reputation as "computer nerds". A Slashdot story with an energetic discussion which is negative on say, AT&T can have an out-sized influence on opinion regarding that company, due to both word of mouth and search engine results.

One only has to watch any story that is critical of a major US company to see this behavior, which usually shows up as ignorant "frosty piss" trolling followed by >2000000 UID comments (often densely written) followed by a string of sockpuppet "bumping". The tactic is to disrupt the discussion to the point where serious opinion is abandoned. It can work because many don't have java-script enabled so you can't even collapse the offending thread.

Re:

[Anonymous Coward]

Does anyone still want to challenge my assertion that Slashdot is under an ongoing escalated attack from organized astroturfers of the New Media Strategies and Reputation Defender variety?

I agree with you, but sometimes a nigger joke is just a nigger joke. I wrote a nigger joke in one story and it made first post. Then you went all ape-shit (pun intended) about how it's THEM!!!! conspiring to take over teh solar system or something ... that made my day dude. I think the neighbors could hear me laughing.

B

Re:

[PopeRatzo]

It shows how broken the Slashdot discussion system is.

To be fair, I think we're seeing an attack of mil-spec astroturfers and their sockpuppets. I don't expect Slashdot to have been able to have been omniscient enough to have anticipated this.

But now that it's here, I think it's an issue that anyone who uses the Internet to get information or opinion has to be aware of and address.

FUCK. OFF.

[evanism]

Go die in a hole. What complete, utter and total fucking twat.

Re:

[shutdown -p now]

You do understand that every time you post such crap in a Slashdot story (and it seems to be in Every. Single. Fucking. One.), you do nothing but drive more bad feeling towards Microsoft? If you want to do advocacy, fine - but then study what you're promoting enough to be able to meaningfully argue in favor of it, rather than spewing pure concentrated marketing drivel ("makes sure the programmer is coding safe code" - WTF?).

This isn't a room full of clueless PHBs where the higher your concentration of buzzw

Bad link in summary

[innocent_white_lamb]

Should be: http://techie-buzz.com/tech-news/mysql-com-database-compromised-sql-injection.html [techie-buzz.com]

(There is an extra l in the summary's link.)

USE BIND VARIABLES

[MoNsTeR]

Jesus fuck, people. It's not rocket surgery.

If you use bind variables, you CANNOT be SQL-injected.

If you don't, you can be.

It's that fucking simple. Do The Right Thing.

Re:

[SanityInAnarchy]

Note that this doesn't mean you should assume you're safe just because you're using bind variables -- be aware of stuff like LIKE, for instance.

But yes, that is exactly the frustration I have when I hear about things like this. There's pretty much never a reason to build your own SQL string outside of a library.

Re:

[vlm]

Note that this doesn't mean you should assume you're safe just because you're using bind variables

For example, bind variables are a great way to store the wrong value in the wrong column. Admittedly I'd rather discover that bug in the unit tests on the dev server, than discover the injection on the production server, but I can none the less hear the siren call of doing it the wrong way...

Now what would be nice would be libraries for ALL languages that look like convenient, yet vulnerable, inline SQL but translate behind the scenes into bind variables.

Also fun, if the (numerous) lint-y / perltidy-y what

Re:

[smellotron]

There's pretty much never a reason to build your own SQL string outside of a library.

Not to negate your argument (with which I agree), I want to demonstrate a case where building your own SQL string makes sense. Suppose you want to perform a SELECT that matches a set rather than a given value:

SELECT make, model
FROM vehicle
WHERE vin IN ('1M8GDM9A_KP042788', '1M8GDM9A_KP042789');

The prepared statement is a function of the number of VINs in the set. Something like this python code:

VINs = ("1M8GDM9A_KP04

Re:USE BIND VARIABLES

[Just Some Guy]

SQL = """
SELECT make, model
FROM vehicle
WHERE vin IN (%s)
""" % ', '.join(["%s"] * len(VINs))

My eyes, they bleed! Write that like:

VINs = ("1M8GDM9A_KP042788", "1M8GDM9A_KP042789")
SQL = """
SELECT make, model
FROM vehicle
WHERE vin = ANY(%(vin)s)"""
dbconn.execute(SQL, {'vin': VINs})

Or even better:

vehicles = session.query(Vehicle).filter(Vehicle.vin.in_(VINs))

Voila. Those work, they're not hideous, and they prevent injection. To repeat the earlier idea: there's no need to write unsafe code. If you are, you're in the wrong line of work.

Re:

[cheater512]

I prefer:

$db->select('make, model');
$db->where_in('vin', $vins);
$db->get('vehicle');

Ahh CodeIgniter. I dont write SQL anymore.

Re:

[madprof]

Are you saying MySQL does not escape the delimiter characters within values passed to the LIKE operator?

Re:

[Anonymous Coward]

I just use something : addslashes(addslashes(addslashes(addslashes($str)))) ;
I like slashes ;-) ;

Re:

[Anonymous Coward]

addslashes() is unsafe. In PHP you want to be using the standard function "mysqlreallyescapethingsanddoitproperlythistime()". Don't go using "mysqlescapethingscorrectly()" by mistake, that one is completely insecure.

(Seriously, why do people use PHP?)

Re:USE BIND VARIABLES

[JustinRLynn]

You know, I could be a smart arse and say this rules out most people that choose to use PHP, but I think my karma would burn. Oh wait....

Re:

[camperdave]

Addslashes...Ah the mascara function.

Re:

[thebra]

And then while (strpos($string, "'") !== false) { $string = stripslashes($string); }

Re:USE BIND VARIABLES

[Dunbal]

Jesus fuck, people. It's not rocket surgery.

Apparently it's brain science.

Re:

[Cylix]

I'm of the new school and prefer rocket brain....

Re:

[Lorien_the_first_one]

What a trip. I'm not an SQL guy, but I'm fascinated by the discussion. So you can look at logs to see that bots are trying to hack your db? Does it look like the bots have any kind of intelligence? Do they seem to learn as they go? Can you tell if there is any human intervention?

Yo Dawg

[mrstrano]

I herd you like Sql, so we injected Sql in your Sql so you can have Sql while you code MySql

Re:

[JAlexoi]

Should they change MySQL to PwnSQL?

Re:Yo Dawg

[Sparks23]

Honestly, "YourSQL" seems more accurate than "MySQL" given that apparently even the developers can't keep control of their own database. ;P

Re:Yo Dawg

[MarkRose]

Pardon the grammatical gaff, but don't you mean YourSOL? :-)

Re:Yo Dawg

[MarkRose]

An SQL statement walks into a bar and sees two tables and says, "Hello, may I join you?"

Re:

[smellotron]

One of the tables replies, "Naturally."

Re:

[auLucifer]

Wow. That was so lame I had to lol. Thank you for a good Monday morning /. laugh

Re:

[MarkRose]

Oh René! I saw him. He was a bit out of his head, walking around all uncoordinated. I think he had already been drinking a while.

Re:

[MarkRose]

InnoDBody knows the injections I've seen,
InnoDBody knows my sort order
InnoDBody knows the injection I've seen
Shoulda used MyISAM!

Too funny

[danielcolchete]

After I finished visit all the funny sites I usually go to daily, that title made laught much much more than all of them.

The work of a lonely developer

[danielcolchete]

Even inside a big team of a big company it is amazing how so many people are working by themselves. That's the kind of error that a simple code review by an experienced programmer would have avoided (use bind variables/prepared statements).

Re:

[jd]

Quite possibly on the lone programmer, almost certainly on the code review. The NSA has some nice whitepapers on how to prevent SQL injection attacks, though they could really be summarized as "follow parent post's advice".

Re:

[Eunuchswear]

The NSA has some nice whitepapers on how to prevent SQL injection attacks

That is so fucking sad. Imagine your first day at work at the puzzle palace, expecting to work on some shit hot, high tech, super secret stuff and they say "write a paper on how to avoid SQL injection attacks."

Well ...

[lennier1]

Could've been worse. Imagine something like this had happened to Zend!

Too bad

[93 Escort Wagon]

Too bad it's not "unbreakable" like Oracle's other database...

Re:Too bad

[KiloByte]

Let's think if Oracle has something to gain from intentionally tarnishing the reputation of a product they want to kill.

I'm not saying it's foul play for sure, just pointing out they do have an incentive to do so.

Re:

[dkleinsc]

Yeah, they might convince more people to switch to PostGres!

Re:

[mobby_6kl]

Let's think if Oracle has something to gain from intentionally tarnishing the reputation of a product they want to kill.

I'm not saying it's foul play for sure, just pointing out they do have an incentive to do so.

Yeah but so does everyone who's ever worked with databases and doesn't have their head stuck completely up their ass. Let's pray this piece of shit is dead and buried soon.

Re:

[93 Escort Wagon]

Yeah, that's why I had it in quotes. I could've added a giant smilie or something, I guess...

Does xkcd explain it?

[Anonymous Coward]

Like this [xkcd.com]?

Re:Does xkcd explain it?

[Tridus]

I have that comic taped to my door. Any programmer who walks by, reads it, and doesn't laugh is someone I watch VERY carefully when they write any code that touches a database.

Re:

[roman_mir]

On the other hand if the same guy walks by often and laughs at that every single time, I would just watch VERY carefully to make sure they don't bring in a firearm.

Take it a step further. We can learn from this.

[HiggsBison]

bobby-tables.com: A guide to preventing SQL injection [bobby-tables.com]

What year is it?

[glwtta]

SQL injection attacks? What, is it 1998 again all of a sudden?

Are there really still people out there mashing user input together into a string that they then feed to the database?

Why would you even do this - it's not easier, the performance is worse, and it certainly doesn't make for more readable code.

This level of ineptitude is just shocking.

Re:

[smellotron]

In related news, teenagers are still bad at driving! Won't they ever learn proper lane usage?

Re:

[francium de neobie]

The thing is, if you have 100 engineers working on your code, and they write or modify 200 lines of code every day - it's very hard to guarantee there's not a single line of vulnerable SQL code written over 3 years. It only takes one mistake to get your server compromised.

Re:

[glwtta]

100 engineers, for mysql.com?

Simple solution - fire the 80 incompetent ones, the other 20 will be able to get a lot more done. Heck, also give them 1/4 of the money you were wasting on the dead weight.

Re:What year is it?

[Software Geek]

When interviewing people for QA positions, I routinely ask "Do you know what an SQL injection attack is?"
I have never yet interviewed a candidate who answered yes.
So, then I explain what an SQL injection attack is, and ask how they would test for vulnerability to one.
Almost without exception, the answer is "I guess I would try entering some special characters and keywords into the GUI, and see what happens."

Re:What year is it?

[discord5]

When interviewing people for QA positions, I routinely ask "Do you know what an SQL injection attack is?"

Hahaha, reminds me of what I used to do to interns. We used to get a bunch of interns every year, and every year we'd have them develop small web applications for internal use. They'd work on their project and after a few weeks we'd come in and evaluate their work, steer them in the right direction (if that wasn't necessary earlier) and do a few tests.

The first thing I always asked was "Do you have a backup?" and after the inevitable googling of the mysqldump command I'd be an utter bastard and sneak in a DROP TABLE, or DELETE FROM statement in the URL bar, right after id=x, and surely enough most of the times it would work.

"It looks really great, but I think there's a problem with it. Maybe you want to check the logfiles to see what happened." to see if they'd see what was the problem, and if they didn't I would explain an SQL injection attack to them. Few of them managed to find the solution on google, but most immediately suggested such things as "I'll check for ; in the string" which inevitably led to me trashing their tables about 10 minutes later. I have to say, once they had their tables dropped twice they became real careful of permissions and handling SQL statements.

In a way I hope they learned something from having a complete bastard as a mentor, although I'm sure that a few of them have already forgotten about that one time a single statement ruined their database. Oh well...

Password hashing + salt?

[Coolhand2120]

That simple passwords were revealed shows a lack of understanding or incompetence. The reason only "simple" passwords were revealed was from a poorly made SHA1 hashing function [wikipedia.org]. Yes this is pure conjecture, but it is the only scenario that fits the facts.

The hackers acquired the database with the hashed passwords. Then the hackers ran the password hashes against a rainbow table [wikipedia.org] which returned the matches for the simple passwords. Now the reason this is incompetence or ignorance is the simple inclusio

Re:Password hashing + salt?

[BCoates]

The salt isn't a second secret, it's there to prevent the use of a pre-constructed rainbow table for the standard hash functions. Without a rainbow table, you can still do dictionary attacks of weak passwords--and there is no way to prevent this short of not using passwords for authentication. This only harms people who use guessable passwords and re-use passwords between sites.

Re:

[Coolhand2120]

You can very easily convert a rainbow table into a rainbow table + predefined salt, a simple SQL statement and 10 minutes later your 1TB rainbow table becomes rainbow+salt. If you don't keep your salt a secret you may as well not use it.

Without a rainbow table, you can still do dictionary attacks of weak passwords

That would only work if you had the hashing function with the salt string. If you're talking about plain old brute force attack against the hashes, well that won't work without the hash function

Re:

[vgerclover]

There is one incorrect assumption in your reasoning. You don't have to use one salt for all passwords, you can easily use a different salt per entry, and store it along side the password. This way, even if your database is compromised, and the salts are know, you still have to create a different rainbow table for each entry to be able to try and guess the password. This effectively kills the ability of the breacher to fish around for insecure passwords.

You can never sanitize inputs enough.

[topham]

You can never sanitize inputs enough.
Repeat that to yourself 1,000 times. It's impossible(*).
Parameterized queries / bind variables are the only valid solution.

If you keep convincing yourself you don't need to use bind variables, and that you can sanitize your inputs enough you've already failed.

* - Of course it's mathematically possible to sanitize inputs enough; because theory, and reality don't have a damn thing to do with each other. Reality says you will fuck it up and the hackers will find it in less

Re:That's Not Ironic

[6031769]

Ironic is when one's words say one thing and one's actions another that contradict it.

No, that's hypocrisy, not irony. Try again.

Re:That's Not Ironic

[LordLucless]

Ironically, the OP correcting someone else for not using ironic correctly is both hypocritical and ironic.

Re:That's Not Ironic

[MarkRose]

Screwing up irony is the only thing that unleashes the linguists with such ferrousity.

Re:

[pankajmay]

...unleashes the linguists with such ferrousity.

And of course spellings... try ferocity.

Re:That's Not Ironic

[dr2chase]

I think your pun detector is a little rusty.

Re:

[adamofgreyskull]

Whoosh.

Hint: He's punning on "ferocity" and...ya know..."ferrous" [reference.com].

Re:

[realityimpaired]

hehe... wish I hadn't replied... that is a good one. :) mind if I... um... "borrow" it next chance I get?

Re:

[sstamps]

The above is what makes me really enjoy reading /. :)

I think my funny bone broke under the strain..

Re:

[realityimpaired]

If we're going to get on a grammar nazi binge, then it's worth pointing out that one of the definitions of Irony is actually exactly what the GP described... (merriam webster's exact words are "the use of words to express something other than and especially the opposite of their literal meaning".) He may not have expressed it properly, but I do think that was the meaning he was trying to get at.

Though interestingly enough, yet another definition of Irony is an incongruency between an expected result and an

Re:

[NoOneInParticular]

If a website gets hacked, it is sad. If the website in question is the home of one of the products that is commonly used by websites, it is already ironic. Apparently even the builders of this product don't know how to secure a website using their product.

Re:

[LordNacho]

Meh, security is a bit of a cross-cutting concern. People who are thinking about how read/write rows of data quickly might not have given it much thought that their product can be abused in this way.

I will give you that injection attack is a rather basic hack they should have thought about.

Re:

[Trebawa]

There are several definitions of irony, you know. One is an outcome of events contrary to that which might have been expected. You would expect a website concerning SQL to be well-protected against SQL-injection; in such a situation, an attack of this kind would not succeed. The attack did succeed, hence the irony.

Re:

[Anonymous Coward]

You would expect a person correcting the summary's definition of irony to be aware that there are multiple definitions of irony. The grandparent was clearly ignorant of this fact, thus making the comment meta-ironic.

Yes it is

[pavon]

Ironic is when one's words say one thing and one's actions another that contradict it.

No, that is hypocritical. Situational Irony is where the outcome is has a humorous incongruity or discrepancy from what one would expect, or from what would normally be implied by the situation. The fact that the company which produces and sells MySQL wasn't using SQL correctly is indeed ironic.

Re:

[glwtta]

The fact that the company which produces and sells MySQL wasn't using SQL correctly is indeed ironic.

Having used MySQL, I don't see anything unexpected here.

Re:

[Ephemeriis]

Situational Irony is where the outcome is has a humorous incongruity or discrepancy from what one would expect, or from what would normally be implied by the situation.

I hate the whole "situational irony" thing... It's bullshit. Situational irony didn't exist until a crop of kids were poorly educated in what irony actually is, and then Alanis wrote her song, and everybody was running around calling everything ironic. It wasn't actually ironic in any way... But trying to correct everyone under the age of 20 in America is a losing battle... So they gave up and said "yeah... it's a different kind of irony..."

Yes, I know, language is a consensus. It grows and changes o

Re:

[Daniel Dvorkin]

The situational meaning of "irony" is very old and well-established, and in fact probably predates the linguistic meaning. [wikipedia.org] Look it up, and don't try to impose your own ignorance on everyone else.

Re:

[DieByWire]

Ironic is when one's words say one thing and one's actions another that contradict it.

No, that is hypocritical. Situational Irony is where the outcome is has a humorous incongruity or discrepancy from what one would expect, or from what would normally be implied by the situation. The fact that the company which produces and sells MySQL wasn't using SQL correctly is indeed ironic.

Excuse me, is this the right room for an argument? [youtube.com]

Re:

[Just Some Guy]

The fact that the company which produces and sells MySQL wasn't using SQL correctly is indeed ironic.

Actually, it's exactly what I would expect.

Sincerely,
Smug PostgreSQL bigot

Re:

[Troll-Under-D'Bridge]

Unlike the reserved words of a computer program, words in a natural language have a wide latitude of uses, from the strict to the colloquial. Here, I see the "irony" in how a site designed to promote some type of "SQL" turns out to suffer from an SQL flaw, in effect negating the product's virtues in the eyes of those who like to skim through IT news headlines. It's similar to the way you expect a dentist to have good teeth.

Ironic is when one's words say one thing and one's actions another that contradict it.

I think you're thinking of another word: hypocrisy, e.g., a politician who claims to

Re:

[nmb3000]

Merely related ideas are not "ironic". Ironic is when one's words say one thing and one's actions another that contradict it.

Like rain on your wedding day?

Re:That's Not Ironic

[MarkRose]

Like Oracle not seeing it coming?

Re:

[cforciea]

Really, the people that think it is cool to tell people that they are using "irony" incorrectly are more frequently wrong than the people they are trying to prove linguistically inferior. You should look into what situational irony [reference.com] is and why it has been used correctly in this situation.

Re:

[Anonymous Coward]

Perhaps you need a little refresher on irony.

Few but the most naive would expect the MySQL.com site to be written by nubies and rubes so unsophisticated as to depend on remedial examples of anything found "floating around the 'net". To the contrary, most people would expect MySQL.com to be maintained to somewhat high levels of security in particular at the level of the database. This is the construction of the irony in this case.

"How ironic, now he's blind after a life of enjoying being able to see." --