3 comments:
Yeah, I'm getting an increasingly good opinion of XKCD. Along with Day-by-Day it's one of the best sustained webtoons.
Little Bobby Tables remains one of my favs, but it may not mean as much to someone unfamiliar with SQL programming and trivial website security... But I think you can get the gist of what, exactly, happened and why.
I wondered what programming language was referenced.
Some variant of SQL. The SQL command "Drop Tables" is the same as "Delete" tables. So when they entered his "name", they also entered a command to the system by the surrounding punctuation -- and the command was executed -- which deleted the student records tables.
Hence the term, "sanitize your inputs" -- which basically means to make sure that something like that can't happen.
It's one of the more common ways to hack into a system -- I believe that there was a case -- Kansas? -- where a publicly accessible interface, with minor alterations, could be tricked into listing the full information on a list of people (sex offenders, I think, but not certain -- but I believe it also included case workers, too!) by subtle, but easy, actions like this. We're talking Social Security numbers, address, phone, detailed background records, psychological profiles -- you name it, the info in the entire system was wide open to the public, if they just did a few not-difficult-to-figure-out tweaks (i.e., at least 50% of experienced SQL programmers could figure out what to do, and quite a few talented hackers).
I could possibly hunt down the details, if you wanted, but that might give you enough for a Lexis/Nexis search anyway. It was one of those Prairie states above Texas, but not Iowa, IIRC.
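To make the mechanism the comment describes concrete, here is an added example (not from the post or its commenters) using Python's sqlite3 module: the `Students` table, the constructed "name" and the use of `executescript` to stand in for a database driver that accepts several statements in one call are all assumptions. It shows the concatenated query losing the table and the parameterized version storing the same input as harmless data.

```python
import sqlite3

# Constructed sample input in the style of the comic: a "name" that closes
# the quoted value, appends a second statement, and comments out the rest.
BOBBY = "Robert'); DROP TABLE Students;--"


def fresh_db():
    """Return an in-memory database with one (assumed) student records table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Students (name TEXT)")
    return con


def insert_unsafe(con, name):
    # Vulnerable pattern: the value is pasted into the SQL text, so the
    # punctuation inside it becomes part of the command. executescript is
    # used here to model a driver that runs stacked statements (assumption).
    con.executescript(f"INSERT INTO Students (name) VALUES ('{name}');")


def insert_safe(con, name):
    # Fixed pattern: a parameterized query. The driver sends the value
    # separately from the SQL text, so quotes and semicolons stay data.
    con.execute("INSERT INTO Students (name) VALUES (?)", (name,))


def table_exists(con):
    row = con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='Students'"
    ).fetchone()
    return row is not None


def run_unsafe(name=BOBBY):
    """Concatenate the input; returns whether the table survived."""
    con = fresh_db()
    insert_unsafe(con, name)
    return table_exists(con)  # False for BOBBY: the table was dropped


def run_safe(name=BOBBY):
    """Bind the input as a parameter; returns (table survived, stored names)."""
    con = fresh_db()
    insert_safe(con, name)
    names = [r[0] for r in con.execute("SELECT name FROM Students")]
    return table_exists(con), names  # (True, [name]): stored literally


if __name__ == "__main__":
    print("unsafe, table still exists:", run_unsafe())
    print("safe, table exists and rows:", run_safe())
```

The parameterized form is the fix the commenter calls "sanitize your inputs": the database never sees the name as SQL, so there is nothing to escape by hand.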