Search Amazon.com:
Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us $3,400 per month for bandwidth bills alone, and since we don't believe in shoving popup ads to our registered users, we try to make the money back through forum registrations.
«672 »
  • Post
  • Reply
Null Pointer
May 20, 2004

Oh no!

feedmegin posted:

Not really. In theory the idea was that the Itanium chips could be very simple (and thus very highly clocked)

This is the point of explicit instruction scheduling instead of using hardware, yes.

Adbot
ADBOT LOVES YOU

charliesome
Oct 21, 2010


Ugh, so I was playing Super Meat Boy today and it segfaulted. I had a look at the stack trace (hey I'm a programmer, that poo poo's interesting!) and I noticed a couple of mysql_* functions in the stack trace.

I was a little amused, so I posted about it on Twitter. The official super meat boy account replied:



I tweeted back saying "I hope that's a local database..." (ok so let's ignore the fact that it'd be strange for a game to have a full on MySQL installation as a dependency. They responded with just a simple "why?". Alarm bells start ringing around this time.

Anyhow I was pretty curious so I fired up gdb and set a breakpoint on 'mysql_real_connect' and dumped out the parameters:



(yes, those are the MySQL host, username and password that I've redacted there)

I tried logging in with those credentials and holy gently caress it worked:



I replied to them with a screenshot of the Sequel Pro window but they remained indifferent - even pulling the authority I-know-what-I'm-doing card. Yeah right.



Anyhow that escalated to emails and they still didn't give a flying gently caress. (read in reverse order)



"You are not showing me anything I don't already know." -- what the gently caress? This stubborn fellow knows that his MySQL database is open to the world and he doesn't care? Oh well, if he doesn't care then I don't care.

It's poo poo like this that makes me laugh/cry all the time.

Zamujasa
Oct 27, 2010

Link, some day you will leave this island...
I just know it in my heart...
Please, just don't ever forget this song... or me...


It might just be read-only, in which case you might not get anything special that you wouldn't get out of a poorly-designed API.

I dunno. Bad idea, sure, but I'm not entirely certain it's a horror.


...unless you have INSERT/UPDATE/DELETE, in which case, well.

charliesome
Oct 21, 2010


Zamujasa posted:

...unless you have INSERT/UPDATE/DELETE, in which case, well.

yeah insert and update works, delete doesn't though

Aleksei Vasiliev
May 7, 2007

Fuck the cowboys. Unf. Fuck em hard.

save the entire database locally then update all the values to zeroes

e: unless that database only stores you, in which case update all the values to INT_MAX

No Safe Word
Feb 26, 2005

I sure do love holding onto the rock!

turby posted:

Ugh, so I was playing Super Meat Boy today and it segfaulted. I had a look at the stack trace (hey I'm a programmer, that poo poo's interesting!) and I noticed a couple of mysql_* functions in the stack trace.

I was a little amused, so I posted about it on Twitter. The official super meat boy account replied:



I tweeted back saying "I hope that's a local database..." (ok so let's ignore the fact that it'd be strange for a game to have a full on MySQL installation as a dependency. They responded with just a simple "why?". Alarm bells start ringing around this time.

Anyhow I was pretty curious so I fired up gdb and set a breakpoint on 'mysql_real_connect' and dumped out the parameters:



(yes, those are the MySQL host, username and password that I've redacted there)

I tried logging in with those credentials and holy gently caress it worked:



I replied to them with a screenshot of the Sequel Pro window but they remained indifferent - even pulling the authority I-know-what-I'm-doing card. Yeah right.



Anyhow that escalated to emails and they still didn't give a flying gently caress. (read in reverse order)



"You are not showing me anything I don't already know." -- what the gently caress? This stubborn fellow knows that his MySQL database is open to the world and he doesn't care? Oh well, if he doesn't care then I don't care.

It's poo poo like this that makes me laugh/cry all the time.

I wonder if it's just a defense mechanism to try and make you go "oh okay then". But you're clearly not so he's just kind of dumb. Sure, having backups is nice, but what's the point if you always have to restore from them.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

Doesn't Meat Boy have a level editor for Super Meat World? If so, then Insert is an obvious privilege to have and not at all strange. Worst case you get a bunch of junk in the database that you need to prune out. (Okay, actual worst-case is impersonating another user for the purpose of uploading levels which is pretty bad, but it's not a huge exploit)

Update, not so much. Unless you're somehow limited to only being able to update levels you created.

edit: Actually, could you go and UPDATE all the "kid's christmas" levels to ones easy enough for me to complete? tia

Jabor fucked around with this message at Dec 23, 2011 around 07:33

Vanadium
Jan 8, 2005



Can you check if the author table has a list of emails and send it to me for a project??

Look Around You
Jan 19, 2009

You're just lucky my jaw is broken!


Jabor posted:

Doesn't Meat Boy have a level editor for Super Meat World? If so, then Insert is an obvious privilege to have and not at all strange. Worst case you get a bunch of junk in the database that you need to prune out. (Okay, actual worst-case is impersonating another user for the purpose of uploading levels which is pretty bad, but it's not a huge exploit)

Update, not so much. Unless you're somehow limited to only being able to update levels you created.

edit: Actually, could you go and UPDATE all the "kid's christmas" levels to ones easy enough for me to complete? tia

Wouldn't it make more sense to send a request to a web api and have a separate server application handle the actual SQL stuff? I mean I would think it'd be a lot safer than having the game directly connect to the database, especially if it's possible for someone to find the login stuff from the binary.

Red Mike
Jul 11, 2011


turby posted:



I don't find that odd. You have access to INSERT and UPDATE the database just like you would have if you just cheated on the game itself. They're not concerned because you're not in a position to do any actual damage past adding fake statistics. Everything you can already do without logging into the SQL database directly.

If you want to 'prove' how they should cover the hole up, then update with something malicious, and see their reactions. I'm willing to bet their reaction is going to be 'Good going, you deleted a level, *restore from backups*, now go do it again.'

Dicky B
Mar 23, 2004



Post the login details on 4chan and let nature take its course.

A A 2 3 5 8 K
Nov 24, 2003
Illiteracy... what does that word even mean?

For once, using MySQL isn't the biggest horror.

Hammerite
Mar 9, 2007

And you don't remember what I said here, either, but it was pompous and stupid.

Jabor posted:

Doesn't Meat Boy have a level editor for Super Meat World? If so, then Insert is an obvious privilege to have and not at all strange. Worst case you get a bunch of junk in the database that you need to prune out. (Okay, actual worst-case is impersonating another user for the purpose of uploading levels which is pretty bad, but it's not a huge exploit)

Update, not so much. Unless you're somehow limited to only being able to update levels you created.

edit: Actually, could you go and UPDATE all the "kid's christmas" levels to ones easy enough for me to complete? tia

Red Mike posted:

I don't find that odd. You have access to INSERT and UPDATE the database just like you would have if you just cheated on the game itself. They're not concerned because you're not in a position to do any actual damage past adding fake statistics. Everything you can already do without logging into the SQL database directly.

If you want to 'prove' how they should cover the hole up, then update with something malicious, and see their reactions. I'm willing to bet their reaction is going to be 'Good going, you deleted a level, *restore from backups*, now go do it again.'

You are both incorrect. They shouldn't have the game connect directly to their RDBMS, full stop. Access to the database (and changes to the database content) should be mediated by a service that checks that that access is appropriate, and applies any relevant business logic. It's very foolish of them to allow literally anybody in the world to perform arbitrary SELECT, INSERT and UPDATE queries on their database.

nielsm
Jun 1, 2009



Hammerite posted:

Access to the database (and changes to the database content) should be mediated by a service that checks that that access is appropriate, and applies any relevant business logic.

Triggers and views!

McGlockenshire
Dec 16, 2005



It sounds like they don't know what full Cartesian joins are, and thus also don't know how poorly MySQL reacts when you join the database's largest table against itself a few dozen times.

That would be an immensely stupid thing to do, though.

geonetix
Mar 6, 2011



Isn't MySQL GPL, and aren't you therefor obliged to release your source as GPL as well, if you strictly depend on other GPL code to run?


vvv Darn.

geonetix fucked around with this message at Dec 23, 2011 around 21:46

Blotto Skorzany
Nov 7, 2008

He's a PSoC, loose and runnin'
came the whisper from each lip
And he's here to do some business with
the bad ADC on his chip
bad ADC on his chiiiiip


If you included MySQL code in your code, this would apply. Merely calling the application doesn't make your code a derived work and trigger the requirement to release your source when you distribute.

Threep
Apr 1, 2006

It's kind of a long story.

Otto Skorzeny posted:

If you included MySQL code in your code, this would apply. Merely calling the application doesn't make your code a derived work and trigger the requirement to release your source when you distribute.
It does apply if they're linking to the GPL MySQL client libraries though, which they likely are. As far as I know there's no linking exception for MySQL.

Bonfire Lit
Jul 9, 2008


Threep posted:

As far as I know there's no linking exception for MySQL.
Yeah, but there are commercial licenses. I'm not saying they've bought one, but it's possible to use MySQL (server and client) libraries legally without having to release your product's source.
Edit: There's also a linking exception for a list of FOSS licenses as long as you just need the client.

Bonfire Lit fucked around with this message at Dec 23, 2011 around 22:04

Factor Mystic
Mar 19, 2006

Baby's First Post-Apocalyptic Fiction

I'm guessing you can't update any other records besides your own though, right? They probably didn't have time/care to write a web service interface just to show you high scores in the game.



I hope.

Threep
Apr 1, 2006

It's kind of a long story.

Factor Mystic posted:

I'm guessing you can't update any other records besides your own though, right? They probably didn't have time/care to write a web service interface just to show you high scores in the game.



I hope.

Plorkyeran
Mar 21, 2007

Plorky Pig, let's get that Maria+Holic typesetting done yeah? You're starting to develop the requtation of lazy and slow, so ammend that for your own sake


I suppose it's probably theoretically possible to securely expose MySQL directly to the client but it'd be way harder and more work than writing a simple web service that sits in front of it.

PhonyMcRingRing
Jun 6, 2002


Aren't these the same guys that tell you using the keyboard is for losers and then only bothered to beta test their game with the XBox controller, leaving other controllers to work like poo poo?

Frozen-Solid
Aug 25, 2004

Behind you, Cobb! Stay alert!


PhonyMcRingRing posted:

Aren't these the same guys that tell you using the keyboard is for losers and then only bothered to beta test their game with the XBox controller, leaving other controllers to work like poo poo?

Yup! No PC Gamer should be without an xbox 360 or PS3 controller right? No one uses those pesky keyboards and mice.

ufarn
May 30, 2009


I hope these guys do back-ups.

Blotto Skorzany
Nov 7, 2008

He's a PSoC, loose and runnin'
came the whisper from each lip
And he's here to do some business with
the bad ADC on his chip
bad ADC on his chiiiiip


So it looks like someone posted this thread to HN, among other places, and the credentials and stuff you edited out were revealed: http://news.ycombinator.com/item?id=3387628

Factor Mystic
Mar 19, 2006

Baby's First Post-Apocalyptic Fiction

Threep posted:



Welp.


You know what, "write a bit of sane database interface code" should replace FizzBuzz as the idiot filter.

Volte
Oct 4, 2004

woosh woosh



Factor Mystic posted:

Welp.


You know what, "write a bit of sane database interface code" should replace FizzBuzz as the idiot filter.
The only winning move is not to play

Jewel
May 2, 2009



Hahah, dang, it's spread all over twitter now. Even Garry Newman, the maker of GMod is laughing at it a bit. I mean, yes, I feel sorry for them, but come on, if you coded it this way, okay, that's a problem you can fix, but being arrogant about it? That's where the real problem was.

Hammerite
Mar 9, 2007

And you don't remember what I said here, either, but it was pompous and stupid.

http://www.justpushstart.com/2011/1...super-meat-boy/

Apparently you're an honorary Anonymous member, charliesome.

Dicky B
Mar 23, 2004



quote:

Yeah, sadly that really hosed things up for a few hours in super meat world but it was all fixed before i even woke up today.

it sucks when people attempt to destroy the awesome creative things people make, and even more so when other people went out of their way to make this tool for fans as a thank you, asking nothing in return.

the good news is tommy had full backups of everyones levels, so even after they deleted everyones work he was able to return them with a single click and fully block all incoming attacks.

in the indie game the movie trailer im quoted saying that i desperately want to make friends but i dont want the actual interaction because i probably wont like them. this is one of many reasons why i feel that way.

there are a lot of sad people out there that love to destroy things to make themselves feel better, in the end it doesnt make them feel better but makes things worse for everyone else.

it really sucks that people are like this,
merry xmas i guess.
indie_game_developers.txt

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell


Tw1tchy posted:

Hahah, dang, it's spread all over twitter now. Even Garry Newman, the maker of GMod is laughing at it a bit. I mean, yes, I feel sorry for them, but come on, if you coded it this way, okay, that's a problem you can fix, but being arrogant about it? That's where the real problem was.

Yeah, I agree. Maybe it's just the fact that I've done my own share of stuff like this merely because I didn't know better. The response of the dev is the real horror.

Factor Mystic
Mar 19, 2006

Baby's First Post-Apocalyptic Fiction

Dicky B posted:

indie_game_developers.txt posted:

fully block all incoming attacks.

geonetix
Mar 6, 2011



Dicky B posted:

indie_game_developers.txt

Oh lord, that's just thick. It's not like somebody told them or something.

edit: I can think of even simpler exploits that can be done using only select queries; but sadly, I'm not allowed to post about it . Put simply, they won't be clear until they totally disallow connecting to MySQL, but I won't see it happen any time soon.

geonetix fucked around with this message at Dec 24, 2011 around 19:29

Che Delilas
Nov 23, 2009
FREE TIBET WEED

geonetix posted:

Oh lord, that's just thick. It's not like somebody told them or something.

Didn't you know? When someone exploits a grade-school-level security flaw that they had previously pointed out to the developer or company responsible for it only to be ignored, it is always malicious and always results in something being ruined. Never does security improve and never was that the intended result in the first place.

Dicky B
Mar 23, 2004



Edmund McMillen School Of Security: Feel free to leave your databases wide open to the public. If anybody exploits it, then they're a jerk!!! It totally sucks!! WHy can't the world be a better place????

Markov Chain Chomp
Jan 5, 2005



To be fair, what you guys are doing is blaming the victim. It's not any more convincing than when people blame women for being raped.

Opinion Haver
Apr 9, 2007



Markov Chain Chomp posted:

To be fair, what you guys are doing is blaming the victim. It's not any more convincing than when people blame women for being raped.

gently caress off.

Look Around You
Jan 19, 2009

You're just lucky my jaw is broken!


Markov Chain Chomp posted:

To be fair, what you guys are doing is blaming the victim. It's not any more convincing than when people blame women for being raped.

This is a loving terrible attempt at an analogy and it's actually pretty insulting.

Adbot
ADBOT LOVES YOU

Nippashish
Nov 1, 2005

Let me see you dance!

Look Around You posted:

This is a loving terrible attempt at an analogy and it's actually pretty insulting.

Horrible analogy aside, he's completely right.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply
«672 »