Bay 12 Games Forum

Please login or register.

Login with username, password and session length
Advanced search  
Pages: 1 ... 9 10 [11] 12 13 ... 15

Author Topic: Sony's Bullshit  (Read 18712 times)

G-Flex

  • Bay Watcher
    • View Profile
Re: Sony's Bullshit
« Reply #150 on: June 03, 2011, 04:46:32 pm »

Storing passwords themselves instead of their hashes seems like a terrible idea to begin with when you're such a high-profile target.
That doesn't really matter. If you get to the password and know what type of hash is being used, it's easy to reveng a string to generate the same hash and match the password. It's a problem with these lazy days of webservice and integration.

That's why you salt hashes and also incorporate software-level secrets (inaccessible to someone who just has account data) as part of it.
Logged
There are 2 types of people in the world: Those who understand hexadecimal, and those who don't.
Visit the #Bay12Games IRC channel on NewNet
== Human Renovation: My Deus Ex mod/fan patch (v1.30, updated 5/31/2012) ==

Virex

  • Bay Watcher
  • Subjects interest attracted. Annalyses pending...
    • View Profile
Re: Sony's Bullshit
« Reply #151 on: June 03, 2011, 05:17:22 pm »

Nono, there was one that was a simple SQL injection any non-hacker douche can do.

It's really bad.
It's not about what you have to do, any monkey can type in some commands. It's about knowing what to do. Though if it was really glaringly obvious then I'll concede my point, but usually it takes hackers some time to find the vulnerabilities in a system. That's why I thought they got a tip about where to look.
Logged

Soulwynd

  • Bay Watcher
  • -_-
    • View Profile
Re: Sony's Bullshit
« Reply #152 on: June 03, 2011, 06:42:41 pm »

Storing passwords themselves instead of their hashes seems like a terrible idea to begin with when you're such a high-profile target.
That doesn't really matter. If you get to the password and know what type of hash is being used, it's easy to reveng a string to generate the same hash and match the password. It's a problem with these lazy days of webservice and integration.
That's why you salt hashes and also incorporate software-level secrets (inaccessible to someone who just has account data) as part of it.
Or use your own encryption code. Even adding a simple "hashed pass = hash(password + 'abcd')" to your php code will make it more difficult to reveng the password from a hash.

But most likely, whatever place you go to only uses a simple hash to protect your password.
Though if it was really glaringly obvious then I'll concede my point, but usually it takes hackers some time to find the vulnerabilities in a system. That's why I thought they got a tip about where to look.
Yeah, it was something you can learn how to do from this wikipedia page:
http://en.wikipedia.org/wiki/SQL_injection

Or download assorted programs that do it for you. Like... Not even hacker made programs... Programs meant to test the security of your website.
« Last Edit: June 03, 2011, 06:46:47 pm by Soulwynd »
Logged

lordcooper

  • Bay Watcher
  • I'm a number!
    • View Profile
Re: Sony's Bullshit
« Reply #153 on: June 03, 2011, 07:57:36 pm »

Seriously, SQL injection was taught in my comp at GCSE level.  It's the first thing any hacker or even a spotty kid with his first laptop would think to try.
« Last Edit: June 04, 2011, 07:05:51 am by lordcooper »
Logged
Santorum leaves a bad taste in my mouth

head

  • Bay Watcher
  • Whoop Whoop.
    • View Profile
Re: Sony's Bullshit
« Reply #154 on: June 03, 2011, 08:50:07 pm »

Yea..so..bad..
Logged
Dev on Baystation12- Forums
Steam Username : Headswe

alway

  • Bay Watcher
  • 🏳️‍⚧️
    • View Profile
Re: Sony's Bullshit
« Reply #155 on: June 03, 2011, 09:22:54 pm »

And IIRC, all it takes to prevent it is putting an if statement checking whether the query should be performed by checking against a list of permissible actions. I would say it's hacking 101, but it really isn't even a 100 level course.
Logged

Fayrik

  • Bay Watcher
    • View Profile
Re: Sony's Bullshit
« Reply #156 on: June 03, 2011, 09:52:53 pm »

And IIRC, all it takes to prevent it is putting an if statement checking whether the query should be performed by checking against a list of permissible actions. I would say it's hacking 101, but it really isn't even a 100 level course.
Actually no. There's a faster, more efficient way. Basically you have the program replace all ' characters with \' and all \ characters with \\. (The latter first, naturally, or you're undoing your own work.)
Over all, that's one line of code. That's all it takes.
Logged
So THIS is how migrations start.
"Hey, dude, there's this crazy bastard digging in the ground for stuff. Let's go watch."

G-Flex

  • Bay Watcher
    • View Profile
Re: Sony's Bullshit
« Reply #157 on: June 03, 2011, 09:57:39 pm »

Or use your own encryption code. Even adding a simple "hashed pass = hash(password + 'abcd')" to your php code will make it more difficult to reveng the password from a hash.

But most likely, whatever place you go to only uses a simple hash to protect your password.

That's kind of my point, though. Everybody is railing against Sony here, and for good enough reason, but the common state of affairs for other companies probably isn't much better, if it's better at all.
Logged
There are 2 types of people in the world: Those who understand hexadecimal, and those who don't.
Visit the #Bay12Games IRC channel on NewNet
== Human Renovation: My Deus Ex mod/fan patch (v1.30, updated 5/31/2012) ==

Xgamer4

  • Bay Watcher
    • View Profile
Re: Sony's Bullshit
« Reply #158 on: June 03, 2011, 10:24:20 pm »

And IIRC, all it takes to prevent it is putting an if statement checking whether the query should be performed by checking against a list of permissible actions. I would say it's hacking 101, but it really isn't even a 100 level course.
Actually no. There's a faster, more efficient way. Basically you have the program replace all ' characters with \' and all \ characters with \\. (The latter first, naturally, or you're undoing your own work.)
Over all, that's one line of code. That's all it takes.

Easier than that. Assuming you're using PHP, which is a safe bet, just send anything that's going into a database through mysql_real_escape_string() first.
http://php.net/manual/en/function.mysql-real-escape-string.php
Logged
insert something mind-blowing/witty here*

dogstile

  • Bay Watcher
    • View Profile
Re: Sony's Bullshit
« Reply #159 on: June 04, 2011, 08:41:40 am »

Or use your own encryption code. Even adding a simple "hashed pass = hash(password + 'abcd')" to your php code will make it more difficult to reveng the password from a hash.

But most likely, whatever place you go to only uses a simple hash to protect your password.

That's kind of my point, though. Everybody is railing against Sony here, and for good enough reason, but the common state of affairs for other companies probably isn't much better, if it's better at all.

I've bolded the important part.

We don't know how bad other companies is. We do however, know Sony's is shit. So we'll rail on them until they get better security, and other companies will hopefully follow their example.

Besides, even if you're just as shit as everyone else, you're still shit.
Logged
my champion is now holding his artifact crossbow by his upper left leg and still shooting with is just fine despite having no hands.
What? He's firing from the hip.

G-Flex

  • Bay Watcher
    • View Profile
Re: Sony's Bullshit
« Reply #160 on: June 04, 2011, 11:56:38 am »

You're right; for the most part, we don't know. However, we can't assume they're better. We have very little assurance from any company we deal with that their own security is up to par, and that's really, really bad these days, when people's accounts are linked to so much personal information, whether it's private registration info (like in these cases) or what content they actually have on the web associated with them. The point I'm making is that you just can't trust anyone too much, and I've seen enough examples of absolutely atrocious security to assume very little from anyone.
Logged
There are 2 types of people in the world: Those who understand hexadecimal, and those who don't.
Visit the #Bay12Games IRC channel on NewNet
== Human Renovation: My Deus Ex mod/fan patch (v1.30, updated 5/31/2012) ==

Soulwynd

  • Bay Watcher
  • -_-
    • View Profile
Re: Sony's Bullshit
« Reply #161 on: June 04, 2011, 11:59:15 am »

And that's why you make a facebook account. So you can show all your personal information to the world and then not worry if they will get it from another site.
Logged

devek

  • Bay Watcher
  • [KILL_EVERYTHING]
    • View Profile
Re: Sony's Bullshit
« Reply #162 on: June 04, 2011, 04:59:05 pm »

And IIRC, all it takes to prevent it is putting an if statement checking whether the query should be performed by checking against a list of permissible actions. I would say it's hacking 101, but it really isn't even a 100 level course.
Actually no. There's a faster, more efficient way. Basically you have the program replace all ' characters with \' and all \ characters with \\. (The latter first, naturally, or you're undoing your own work.)
Over all, that's one line of code. That's all it takes.

Easier than that. Assuming you're using PHP, which is a safe bet, just send anything that's going into a database through mysql_real_escape_string() first.
http://php.net/manual/en/function.mysql-real-escape-string.php

If you're writing something commercial, you are not using mysql.

A real database will have, at the least, compiled sql statements. Injection simply isn't possible.
Logged
"Why do people rebuild things that they know are going to be destroyed? Why do people cling to life when they know they can't live forever?"

Fayrik

  • Bay Watcher
    • View Profile
Re: Sony's Bullshit
« Reply #163 on: June 04, 2011, 05:15:08 pm »

If you're writing something commercial, you are not using mysql.

A real database will have, at the least, compiled sql statements. Injection simply isn't possible.
I hate to sound whiny, but all the good open source projects use MySQL (or the really good ones use any SQL.)
But I have to agree, compiled SQL statements are much better.
Logged
So THIS is how migrations start.
"Hey, dude, there's this crazy bastard digging in the ground for stuff. Let's go watch."

devek

  • Bay Watcher
  • [KILL_EVERYTHING]
    • View Profile
Re: Sony's Bullshit
« Reply #164 on: June 04, 2011, 05:27:08 pm »

You're not using an open source project to serve 70 million customers.
Logged
"Why do people rebuild things that they know are going to be destroyed? Why do people cling to life when they know they can't live forever?"
Pages: 1 ... 9 10 [11] 12 13 ... 15