What century is this?!
SQL injection bug
Any web developer who is still concatenating GET/POST strings onto SQL queries should be taken around the back of the barn and humanely put out of our misery.
Variable binding, dolts!
A bloke has told how he discovered a bug in Valve's Steam marketplace that could have been exploited by thieves to steal game license keys and play pirated titles. Researcher Artem Moskowsky told The Register earlier this week that he stumbled across the vulnerability – which earned him a $20,000 bug bounty for reporting it – …
Yes, I have a bunch of colleagues who do this. One left before I joined, fortunately. On the other hand: there is no way currently to directly pass arbitrary values to the dynamic SQL code, so we are (for now) safe.
And the horror I have seen in the code... and the database schema - basically there is no organised schema and it is not relational - not a single key (and no foreign keys) at all.
Ask a web developer what a normal form is and he'll tell you it has input fields.
I inherited a lot of "select * from table where thing = '" + strinput + "'" in an aspx intranet. I was bloody frightened they hadn't been hit before. Idiots.
But try getting a) budget or b) time from Management to fix this stuff, you'll get the 'it works so don't touch it' excuse.
Being Irish, I sometimes hear friends saying, "well, I tried to sign up to [site] the other day but it didn't work. I wonder what's up." A moment later I twig their surname is O'Connor or O'Brien or something and they've probably just inadvertently SQL-injected the sign-up page and I smile a little. A moment after that I realise a) this is the 21st bloody century and why are there still SQL injection attacks, and b) sometimes it's an Irish site. Then I have to go somewhere quiet for a bit until the urge to break things subsides.
Years ago I was working for a small software company that made most of its money peddling web stores to small mom-and-pop type companies. The e-store code was an in-house POS classic ASP-based monstrosity that, every time we got a new customer, would be copied from the last.
As you would expect in this scenario it was a total mess of ancient spaghetti code and then one day we woke up to find one of the customers had been hit by an automatic SQL injection script and was now trying to download a bunch of malware to anyone who viewed the site.
This obviously needed a fix, so a proper fix would be to go through every place in the code where a variable was incoming and do a proper validation.
But that was far too expensive for the boss when you take into account we were at that point managing ~30 of these messes all with slightly different code for each customer.
So the "genius" fix the boss came up with was to look at all incoming data from the browser in the global.asax file and, if it saw a single quote or a semicolon, stop processing the request,
making it impossible to receive any business from any O'Leary or the like.
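To make the thread's point concrete, here is an added example (not code from any of the commenters) that contrasts the concatenated query from the aspx post with a bound-parameter version, and models the global.asax quote filter described above. It uses an in-memory SQLite table with constructed sample surnames; the table name, column names and the function names are assumptions for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny customers table with some Irish surnames.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, surname TEXT)")
    conn.executemany(
        "INSERT INTO customers (surname) VALUES (?)",
        [("Smith",), ("O'Connor",), ("O'Leary",)],
    )
    return conn


def lookup_concat(conn, surname):
    # The pattern from the thread: the value is spliced into the SQL text, so an
    # apostrophe in the data is read as SQL syntax and the statement falls apart.
    sql = "SELECT id FROM customers WHERE surname = '" + surname + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, surname):
    # Variable binding: the driver sends the value separately from the SQL text,
    # so quotes in the data are just data.
    rows = conn.execute("SELECT id FROM customers WHERE surname = ?", (surname,))
    return [row[0] for row in rows]


def global_asax_filter(value):
    # The boss's "fix": drop any request containing a single quote or semicolon.
    # It turns away every O'Leary along with the attackers.
    return not any(ch in value for ch in "';")


def demo(surname):
    # Run one surname through all three approaches and report what happened.
    conn = make_db()
    result = {"filter_allows": global_asax_filter(surname)}
    try:
        result["concat"] = lookup_concat(conn, surname)
    except sqlite3.OperationalError as exc:
        # Assumption for the demo: a syntax error stands in for "sign-up didn't work".
        result["concat"] = "error: " + str(exc)
    result["bound"] = lookup_bound(conn, surname)
    return result


if __name__ == "__main__":
    for name in ("Smith", "O'Connor", "O'Leary"):
        print(name, demo(name))
```

Running it shows plain names behaving identically under both approaches, while any name with an apostrophe breaks the concatenated query and is rejected outright by the quote filter, yet is found correctly by the bound query.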
How are we ever going to do away with the idea of intellectual property as unenforceable, if people play nice with the bug bounties? We stand to gain a lot more by mass non-compliance. People will still program out of passion and share out of a desire to show off. If you think about how much combined value there is available to everybody in a world where intellectual property is no longer a legal concept, it seems naive and foolhardy to support such things when in the end you're losing access to more than that 20,000 could have ever bought. And then multiply that by everybody who might ever have an interest in something currently protected by IP law. Elimination of intellectual property law equals life upgrade for the entire world.
Don't necessarily disagree because I can't follow this at all.
Please edit it into something vaguely comprehensible and grammatically correct. (Maybe lay off the sauce first?)
Some people will share to show off, sure.
But if you ever again want to have access to software that's been developed by a team of more than three people, that's not going to cut it. Many/most coders enjoy the process of creation, quite a few even like design. But very few enjoy rigorous testing and debugging, and even fewer believe in documentation. And as for project management - it's hard enough to get people to do that when you are paying them...
Elimination of intellectual property law equals life upgrade for the entire world
Or quick development of coercive monopolies. If you take regulations out of the picture, then historically the groups that tend to profit the most are those who have lots of money and legal clout to make their own rules.
+1
Not to mention that games, or at least a significant subset of them, sit in a massive blind spot for open source, by nature.
Many of our favorite games involve the element of surprise and discovery. How will you be surprised, as a player, if the underlying economic model depends solely on the, otherwise very successful, notion of user-contributors? It can work, very well, for game engines. But not for game content where users need to be dissociated from creators.
Fail, edris90, fail.
So just for this one guy's input Valve have paid out on two bounties totalling £45k, I can't help but wonder a few things...
Why aren't they just employing a couple of staff to be full time pen testers, surely it's the cheaper option?
While this bounty program is in place I would be worried that any internal staff of questionable morals coming across a bug would, rather than fixing said bug, look to strike a deal with an external pen tester to share a bounty.
Sorry for calling you Shirley.
If you employ people to be full time pen testers, they will automate things to make their lives easier. They will write scripts. They will become complacent. Not a complaint, just human nature.
Many eyes make bugs shallow.
This is why you employ a pro to review new services before you launch them, then you cheerfully part company, they go do the same thing elsewhere and learn new stuff, and you hire them again for a bit when you launch a new service.
It sounds to me like Steam probably did as much as they could at launch, then left it. Then when bug bounties come up, they're saying "thank you very much" and paying up. Which is as it should be.
While this bounty program is in place I would be worried that any internal staff of questionable morals coming across a bug would, rather than fixing said bug, look to strike a deal with an external pen tester to share a bounty.
Maybe the bounty comes from whichever programming team is responsible's wages!
Thank you for holding the readership in such high regard.
You saw the post above by edris90, right? While generally incomprehensible, it does indicate that were this bug made public before it was fixed, this person would have done all they could to exploit it as fully as possible. Sadly Les, just because someone reads The Register, it doesn't automatically make them a decent, upstanding human being.
"Valve said an investigation of its logs did not show that anybody had exploited the bug"
They would say that, wouldn't they?
Video games have no inherent value, like art. And so rely on patronage. People don't purchase a video game versus pirate it because they are afraid of the law. They do it to invest in the artists (development team) to make new things in the future because they want to see more created by this artist (development team).