Nokia's developer network hacked

RaviBee

Clickety[^] Another SQL injection attack. :| /ravi

My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com

GuyThiebaut

Ravi Bhavnani wrote:

Another SQL injection attack. :|

I am amazed at how this can still happen nowadays... Unless SQL injection attacks have become more sophisticated - allowing this sort of backdoor is breaking the dumbass website 101 security checklist... in my opinion...

Continuous effort - not strength or intelligence - is the key to unlocking our potential.(Winston Churchill)

RaviBee

I think it has to do with lowering the bar.  I've seem some pretty bad production code in my time.  Makes me wonder who's minding the store. :( /ravi

My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com

leppie

I got a mail from them this morning: "We are not aware of any misuse of the accessed data, but we have identified that your email address was in one of the records accessed, though it contained none of the optional information, so we believe that the only potential impact to you may be unsolicited email. Nokia apologizes for this incident."

((λ (x) `(,x ',x)) '(λ (x) `(,x ',x)))

RaviBee

IMHO that's a bit like saying "Your car was stolen from our unlocked garage, but we're not aware that it's been damaged or that it's been used in the commission of a crime.  So rest easy."  :-D /ravi

My new year resolution: 2048 x 1536 Home | Articles | My .NET bits | Freeware ravib(at)ravib(dot)com

tgrt

GuyThiebaut wrote:

I am amazed at how this can still happen nowadays...

From a developer perspective I am, but from a business perspective I'm not amazed for a second. Pay for the cheapest instead of a professional and that's what happens to you.

Abu Mami

I got an email from them this morning and promptly deleted it. Nokia developer? I'm mean really - does such a thing exist today? Had to go look in my deleted mails to find it. Interesting.

OriginalGriff

I think the problem is that they don't seem to teach anything about injection attacks on IT courses any more - they just seem to go "Here is a SELECT statement, now lets move on". Certainly the number of Q&A questions that leave massive security holes is not reducing. Teach the little buggers about Parametrized queries from day one! Or are all lecturers too damn lazy to bother? Sorry, but SQL injection attacks are one of my personal bugbears...

Real men don't use instructions. They are only the manufacturers opinion on how to put the thing together. Manfred R. Bihy: "Looks as if OP is learning resistant."

0bx

"We noticed someone has copied your passport. We believe they're just trying to forge a passport with your name on it and sell it on the black market. The only potential impact to you may be additional security checks at the airport, so it's no big deal really. Oh by the way, we're sorry."

Giraffes are not real.

Tech Code Freak

Agreed!

gavindon

I'll have to say, I never even heard the words "sql injection" during ANY of my classes... you might indeed have a point.

Programming is a race between programmers trying to build bigger and better idiot proof programs, and the universe trying to build bigger and better idiots, so far... the universe is winning. Be careful which toes you step on today, they might be connected to the foot that kicks your butt tomorrow. You can't scare me, I have children.

Albert Holguin

Very true...

Rage

GuyThiebaut wrote:

I am amazed at how this can still happen nowadays...

Have you been to Q&A recently ? The people asking question there are the same that are supposed to understand what SQL injection is and how to protect their code against them. Still amazed ?

QuiJohn

Isn't the "Nokia's developer network" now MSDN? Since they've switched to WP7 and all...

Gregory Gadow

I don't think anyone posted this yet to this thread: xkcd: Exploits of a Mom[^]

lewax00

gavindon wrote:

I never even heard the words "sql injection" during ANY of my classes

It's true. All I know about sql injection I've learned from the internet...

Sander Rossel

And so easy to prevent! Simply check if the sql statement to execute contains the words table, drop, delete, select... ;P

It's an OO world.