|
feedmegin posted:Not really. In theory the idea was that the Itanium chips could be very simple (and thus very highly clocked) This is the point of explicit instruction scheduling instead of using hardware, yes.
|
#
?
Dec 23, 2011 00:30
|
|
|
|
| # ? Apr 19, 2024 01:58 |
|
|
Ugh, so I was playing Super Meat Boy today and it segfaulted. I had a look at the stack trace (hey I'm a programmer, that poo poo's interesting!) and I noticed a couple of mysql_* functions in the stack trace. I was a little amused, so I posted about it on Twitter. The official super meat boy account replied:  I tweeted back saying "I hope that's a local database..." (ok so let's ignore the fact that it'd be strange for a game to have a full on MySQL installation as a dependency. They responded with just a simple "why?". Alarm bells start ringing around this time. Anyhow I was pretty curious so I fired up gdb and set a breakpoint on 'mysql_real_connect' and dumped out the parameters:  (yes, those are the MySQL host, username and password that I've redacted there) I tried logging in with those credentials and holy gently caress it worked:  I replied to them with a screenshot of the Sequel Pro window but they remained indifferent - even pulling the authority I-know-what-I'm-doing card. Yeah right.  Anyhow that escalated to emails and they still didn't give a flying gently caress. (read in reverse order)  "You are not showing me anything I don't already know." -- what the gently caress? This stubborn fellow knows that his MySQL database is open to the world and he doesn't care? Oh well, if he doesn't care then I don't care. It's poo poo like this that makes me laugh/cry all the time.
|
|
#
?
Dec 23, 2011 07:11
|
|
|
It might just be read-only, in which case you might not get anything special that you wouldn't get out of a poorly-designed API. I dunno. Bad idea, sure, but I'm not entirely certain it's a horror. ...unless you have INSERT/UPDATE/DELETE, in which case, well.
|
|
#
?
Dec 23, 2011 07:23
|
|
|
Zamujasa posted:...unless you have INSERT/UPDATE/DELETE, in which case, well. yeah insert and update works, delete doesn't though
|
|
#
?
Dec 23, 2011 07:26
|
|
|
save the entire database locally then update all the values to zeroes e: unless that database only stores you, in which case update all the values to INT_MAX
|
|
#
?
Dec 23, 2011 07:54
|
|
|
turby posted:Ugh, so I was playing Super Meat Boy today and it segfaulted. I had a look at the stack trace (hey I'm a programmer, that poo poo's interesting!) and I noticed a couple of mysql_* functions in the stack trace. I wonder if it's just a defense mechanism to try and make you go "oh okay then". But you're clearly not so he's just kind of dumb. Sure, having backups is nice, but what's the point if you always have to restore from them.
|
|
#
?
Dec 23, 2011 08:26
|
|
|
Doesn't Meat Boy have a level editor for Super Meat World? If so, then Insert is an obvious privilege to have and not at all strange. Worst case you get a bunch of junk in the database that you need to prune out. (Okay, actual worst-case is impersonating another user for the purpose of uploading levels which is pretty bad, but it's not a huge exploit) Update, not so much. Unless you're somehow limited to only being able to update levels you created. edit: Actually, could you go and UPDATE all the "kid's christmas" levels to ones easy enough for me to complete? tia Jabor fucked around with this message at 08:33 on Dec 23, 2011 |
|
#
?
Dec 23, 2011 08:29
|
|
|
Can you check if the author table has a list of emails and send it to me for a project??
|
|
#
?
Dec 23, 2011 08:43
|
|
|
Jabor posted:Doesn't Meat Boy have a level editor for Super Meat World? If so, then Insert is an obvious privilege to have and not at all strange. Worst case you get a bunch of junk in the database that you need to prune out. (Okay, actual worst-case is impersonating another user for the purpose of uploading levels which is pretty bad, but it's not a huge exploit) Wouldn't it make more sense to send a request to a web api and have a separate server application handle the actual SQL stuff? I mean I would think it'd be a lot safer than having the game directly connect to the database, especially if it's possible for someone to find the login stuff from the binary.
|
|
#
?
Dec 23, 2011 12:56
|
|
|
turby posted:I don't find that odd. You have access to INSERT and UPDATE the database just like you would have if you just cheated on the game itself. They're not concerned because you're not in a position to do any actual damage past adding fake statistics. Everything you can already do without logging into the SQL database directly. If you want to 'prove' how they should cover the hole up, then update with something malicious, and see their reactions. I'm willing to bet their reaction is going to be 'Good going, you deleted a level, *restore from backups*, now go do it again.'
|
|
#
?
Dec 23, 2011 12:58
|
|
|
Post the login details on 4chan and let nature take its course.
|
|
#
?
Dec 23, 2011 13:23
|
|
|
For once, using MySQL isn't the biggest horror.
|
|
#
?
Dec 23, 2011 14:54
|
|
|
Jabor posted:Doesn't Meat Boy have a level editor for Super Meat World? If so, then Insert is an obvious privilege to have and not at all strange. Worst case you get a bunch of junk in the database that you need to prune out. (Okay, actual worst-case is impersonating another user for the purpose of uploading levels which is pretty bad, but it's not a huge exploit) Red Mike posted:I don't find that odd. You have access to INSERT and UPDATE the database just like you would have if you just cheated on the game itself. They're not concerned because you're not in a position to do any actual damage past adding fake statistics. Everything you can already do without logging into the SQL database directly. You are both incorrect. They shouldn't have the game connect directly to their RDBMS, full stop. Access to the database (and changes to the database content) should be mediated by a service that checks that that access is appropriate, and applies any relevant business logic. It's very foolish of them to allow literally anybody in the world to perform arbitrary SELECT, INSERT and UPDATE queries on their database.
|
|
#
?
Dec 23, 2011 17:28
|
|
|
Hammerite posted:Access to the database (and changes to the database content) should be mediated by a service that checks that that access is appropriate, and applies any relevant business logic. Triggers and views! 
|
|
#
?
Dec 23, 2011 17:35
|
|
|
It sounds like they don't know what full Cartesian joins are, and thus also don't know how poorly MySQL reacts when you join the database's largest table against itself a few dozen times. That would be an immensely stupid thing to do, though.
|
|
#
?
Dec 23, 2011 18:27
|
|
|
Isn't MySQL GPL, and aren't you therefor obliged to release your source as GPL as well, if you strictly depend on other GPL code to run? vvv Darn. geonetix fucked around with this message at 22:46 on Dec 23, 2011 |
|
#
?
Dec 23, 2011 22:42
|
|
|
If you included MySQL code in your code, this would apply. Merely calling the application doesn't make your code a derived work and trigger the requirement to release your source when you distribute.
|
|
#
?
Dec 23, 2011 22:44
|
|
|
Otto Skorzeny posted:If you included MySQL code in your code, this would apply. Merely calling the application doesn't make your code a derived work and trigger the requirement to release your source when you distribute.
|
|
#
?
Dec 23, 2011 22:49
|
|
|
Threep posted:As far as I know there's no linking exception for MySQL. Edit: There's also a linking exception for a list of FOSS licenses as long as you just need the client. Bonfire Lit fucked around with this message at 23:04 on Dec 23, 2011 |
|
#
?
Dec 23, 2011 23:01
|
|
|
I'm guessing you can't update any other records besides your own though, right? They probably didn't have time/care to write a web service interface just to show you high scores in the game. I hope.
|
|
#
?
Dec 24, 2011 00:26
|
|
|
Factor Mystic posted:I'm guessing you can't update any other records besides your own though, right? They probably didn't have time/care to write a web service interface just to show you high scores in the game.
|
|
#
?
Dec 24, 2011 00:29
|
|
|
I suppose it's probably theoretically possible to securely expose MySQL directly to the client but it'd be way harder and more work than writing a simple web service that sits in front of it.
|
|
#
?
Dec 24, 2011 00:40
|
|
|
Aren't these the same guys that tell you using the keyboard is for losers and then only bothered to beta test their game with the XBox controller, leaving other controllers to work like poo poo?
|
|
#
?
Dec 24, 2011 02:07
|
|
|
PhonyMcRingRing posted:Aren't these the same guys that tell you using the keyboard is for losers and then only bothered to beta test their game with the XBox controller, leaving other controllers to work like poo poo? Yup! No PC Gamer should be without an xbox 360 or PS3 controller right? No one uses those pesky keyboards and mice.
|
|
#
?
Dec 24, 2011 02:38
|
|
|
I hope these guys do back-ups.
|
|
#
?
Dec 24, 2011 02:39
|
|
|
So it looks like someone posted this thread to HN, among other places, and the credentials and stuff you edited out were revealed: http://news.ycombinator.com/item?id=3387628
|
|
#
?
Dec 24, 2011 02:45
|
|
|
Threep posted:Welp. You know what, "write a bit of sane database interface code" should replace FizzBuzz as the idiot filter.
|
|
#
?
Dec 24, 2011 03:42
|
|
|
Factor Mystic posted:Welp.
|
|
#
?
Dec 24, 2011 03:46
|
|
|
Hahah, dang, it's spread all over twitter now. Even Garry Newman, the maker of GMod is laughing at it a bit. I mean, yes, I feel sorry for them, but come on, if you coded it this way, okay, that's a problem you can fix, but being arrogant about it? That's where the real problem was.
|
|
#
?
Dec 24, 2011 04:16
|
|
|
http://www.justpushstart.com/2011/12/24/jilted-anonymous-attacks-super-meat-boy/ Apparently you're an honorary Anonymous member, charliesome. 
|
|
#
?
Dec 24, 2011 15:51
|
|
|
quote:Yeah, sadly that really hosed things up for a few hours in super meat world but it was all fixed before i even woke up today.
|
|
#
?
Dec 24, 2011 19:25
|
|
|
Tw1tchy posted:Hahah, dang, it's spread all over twitter now. Even Garry Newman, the maker of GMod is laughing at it a bit. I mean, yes, I feel sorry for them, but come on, if you coded it this way, okay, that's a problem you can fix, but being arrogant about it? That's where the real problem was. Yeah, I agree. Maybe it's just the fact that I've done my own share of stuff like this merely because I didn't know better. The response of the dev is the real horror.
|
|
#
?
Dec 24, 2011 19:37
|
|
|
Dicky B posted:
|
|
#
?
Dec 24, 2011 19:49
|
|
|
Dicky B posted:indie_game_developers.txt Oh lord, that's just thick. It's not like somebody told them or something. edit: I can think of even simpler exploits that can be done using only select queries; but sadly, I'm not allowed to post about it  . Put simply, they won't be clear until they totally disallow connecting to MySQL, but I won't see it happen any time soon.
geonetix fucked around with this message at 20:29 on Dec 24, 2011 |
|
#
?
Dec 24, 2011 20:02
|
|
|
geonetix posted:Oh lord, that's just thick. It's not like somebody told them or something. Didn't you know? When someone exploits a grade-school-level security flaw that they had previously pointed out to the developer or company responsible for it only to be ignored, it is always malicious and always results in something being ruined. Never does security improve and never was that the intended result in the first place.
|
|
#
?
Dec 24, 2011 20:08
|
|
|
Edmund McMillen School Of Security: Feel free to leave your databases wide open to the public. If anybody exploits it, then they're a jerk!!! It totally sucks!! WHy can't the world be a better place????
|
|
#
?
Dec 24, 2011 20:22
|
|
|
To be fair, what you guys are doing is blaming the victim. It's not any more convincing than when people blame women for being raped.
|
|
#
?
Dec 24, 2011 21:10
|
|
|
Markov Chain Chomp posted:To be fair, what you guys are doing is blaming the victim. It's not any more convincing than when people blame women for being raped. gently caress off.
|
|
#
?
Dec 24, 2011 21:24
|
|
|
Markov Chain Chomp posted:To be fair, what you guys are doing is blaming the victim. It's not any more convincing than when people blame women for being raped. This is a loving terrible attempt at an analogy and it's actually pretty insulting.
|
|
#
?
Dec 24, 2011 22:18
|
|
|
|
| # ? Apr 19, 2024 01:58 |
|
|
Look Around You posted:This is a loving terrible attempt at an analogy and it's actually pretty insulting. Horrible analogy aside, he's completely right.
|
|
#
?
Dec 24, 2011 22:24
|
|
