Example #645,257,329 of why one must always sanitize every piece of user input that your code has to process. Doesn’t matter how foolproof or dead simple you think the action will be, or how safe or sane your users — someone will try to buffer overrun, break out of the current SQL statement and inject their own code, or just generally find any way imaginable to deface or destroy your work. Especially if your work is a direct confrontation of a particularly entrenched bit of misogyny amongst a terribly entitled and relatively tech-savvy audience, and that audience is inclined toward trollishness to begin with.
A group of social justice advocates in the video gaming community put together a pledge website called Gamers Against Bigotry (WARNING: Chrome reports malware!), asking people to sign onto the following statement:
As a gamer, I realize I contribute to an incredibly diverse social network of gamers around the world, and that my actions have the ability to impact others. In effort to make a positive impact, and to create a community that is welcoming to all, I pledge to not use bigoted language while gaming, online and otherwise.
Bigoted language includes, but is not limited to, slurs based on race, ethnicity, gender, sexual orientation, and disability.
Read more about the pledge, including what is and isn’t included, and the overall purpose here.
Read why you shouldn’t use the word “rape” casually here.
All in all, it’s a simple statement, and a rather unobjectionable one at that. The only way one can end bigotry within a community is to “be the change you want to see” — to never engage in bigoted behaviour, and to challenge it when one is able.
The response, however, was in no way proportionate to the pledge, especially given its entirely voluntary nature.
Before the project was really ready to go, Wil Wheaton linked to it, and it kicked off overnight. And with the publicity came the trolls — and given that this was a direct challenge to these entitled assholes, it’s absolutely no surprise. First, the page was defaced with that most iconic of squick-memes, the Goatse Guy. The defacement was successful because input was apparently not checked for HTML, so people could insert images into the signatures table and throw the whole thing out of whack. Then, when that defacement was cleaned up, people used other bits of code to hide the signatures table altogether.
When that was repaired, trolls with more tech skill realized what code was behind the pledge sheet: phPetition, a relatively immature and simple codebase that was apparently pretty easy to hack. Remember though — no matter how easy to hack a system is, one must still actively participate in morally questionable activities. Not that the moral compasses on these hackers were functional in the first place! This codebase had SQL injection exploits like crazy, so the trolls escalated from mere website defacement by attempting to destroy the existing signatures.
And they succeeded in short order. Nearly 1500 signatures were lost, though a few of them were recovered from an old backup. The page is presently at 640 signatures at time of writing, many of which are obviously further defacement or attempts at same:
0000000285 ‘) go drop table go ‘) go drop table go ‘) go drop table go US
0000000286 ‘) go drop table go ‘) go drop table go ‘) go drop table go US
0000000287 ‘) go drop table go select * from pledge ‘) go drop table go select * from pledge ‘) go drop table go select * from pledge US
Ad when deleting the database again failed, they moved on to more intellectual arguments:
0000000348 EAT DICKS eatmoredicks CX
0000000349 Ben Dover A gorrilion dicks US
0000000481 nigger joe niggerland US
0000000482 You Suck Chinatown US
0000000483 dicks mcchinky asstown US
Or lying about the site and its purpose:
0000000486 Claims this is a nonprofit project Begs for money instead of signatures This does not need money the creator is a sca US
This last one references the Indiegogo fundraiser the project has put together so they can hire someone to prevent these hacks from happening. Apparently, they hadn’t been asking for money before those bigots began treating the site as their litter box, so the request for funds came as a direct result of these trolls’ actions. I am reminded of Anita Sarkeesian and her Feminist Frequency kickstarter, where she asked for two grand to put together a movie about misogyny in video games, ended up on the receiving end of weeks of targeted abuse, and as a direct result of people seeing and recognizing that abuse, ended up with $150,000 in funding donations instead.
Let’s go donate, if you can. If you have spare cash so they can hire a pro to make this pledge sheet bulletproof, great. If you can’t, signing the pledge now isn’t a bad idea either judging by what’s already been done to fix the issue, especially if your name disappeared from a previous attempt as my own apparently has.
Chrome is reporting that the site is (or at least has been) infected with malware. So exercise some caution going there for now.
It’s pretty sad the amount of effort needed to protect sites from vandals. Considering the amount of damage (and potential malware), the hosting company needs to secure their services as well as the developers of the website needing to secure their code.
I agree with this whole-heartily:
“Remember though — no matter how easy to hack a system is, one must still actively participate in morally questionable activities.”
There is no such thing as a hacker that has his or her morals intact (yes, even the so-called white hat hackers). Regardless of your motivation, hacking is no better than throwing a chair through the front windows of my house. A vandal is a vandal.
@unbound #1:
http://en.wikipedia.org/wiki/Hacker_(computer_security)#White_hat
http://en.wikipedia.org/wiki/Hacker_(programmer_subculture)
http://en.wikipedia.org/wiki/Hacker_(hobbyist)
Can you link to their Kickstarter page? It looks as though the main page is still triggering malware alarms.
Thanks for passing along this info.
Kaspersky apparently scanned it at one point and saw an Iframe trojan. I’m guessing it was during the phase where HTML wasn’t being sanitized at all. It takes forever to get off those lists, but I wouldn’t put it past those hackers that the hack is still there, especially where the org doesn’t have any real tech resources to fix their shit.
Here’s the fundraiser. Apparently I got my facts wrong on this — they’re using IndieGogo instead of Kickstarter to do the fundraising. I don’t know who they’d hire to lock down the site.
I agree with CompulsoryAccount — it is possible to have a strong moral compass and still hack at computers, especially when expressly hired to do so. Think of it like BDSM: if you have express consent, it’s not “torture”.
Saw this a while back re: the Tropes vs. Women backlash (and meta-backlash); I figured I’d wait to sign until they sorted out the problems (the site had a warning about the security breaches for a while). If they’ve blocked the most direct exploits, I might as well sign now. I can always sign again later.
Most services are reporting the site clean, though Google was reporting an unintended malware download as of its last caching on 2012-08-06. Firefox has it flagged as an attack site; that might have more to do with trolls falsely reporting it as an intentional malware distributor.
http://www.urlvoid.com/scan/gamersagainstbigotry.org/
Just assume all users are malicious during development. You’d need to take many of the same precautions against noise from inept users as you would against artless web attacks.
Sanitize a bit client-side for convenience:
– Warn/drop banned chars, etc before submitting.
– Users have total control over their own environment to compromise your code or break compatibility. Don’t trust that clients’ disabled interface elements won’t be reenabled.
– Try to fail cleanly when met with old or exotic clients. Stick to stable standards to fail less often.
Sanitize everything server-side:
– Whitelist string characters (ascii/unicode, strip or seriously inspect the various brackets, quotes, percents, and backslashes, etc; even check integers for 0-9).
– Enforce maximum string lengths.
– Bail if the form sent incomplete or odd combinations of values.
– Bail if events haven’t happened in a pre-planned order.
– Wrap the already defanged strings in quotes before building sql queries with them.
– Take advantage of database locking and rollback features for simultaneous and aborted non-atomic changes.
– If uploading binaries (even images) is unavoidable, at least enforce dimension/filesize restrictions and identify the filetype from its header. Watch out for quotas or free space. Do a virus scan, if possible, and remind anyone who downloads to do the same.
– To be dickish, you can add referrer checking and blacklist user agents.
– Vet libraries and external scripts before you make your code dependent on them. They might be lousy, sporadically maintained, or prone to breaking things on updates.
– Check permissions n your scripts and directories to prevent undesired config file viewing or dir listing.
– Keep user settings out of reach in server-side sessions, keyed to both a random-valued expiring browser cookie and the user’s ip.
– Make frequent backups and store them elsewhere.
– Use a separate server environment for development, then copy everything to the production location once it’s stable.
I know this is sort of Missing The Point entirely, but I just have to say, I don’t care how immature the codebase is, there is just no excuse for being vulnerable to a SQL injection attack in 2012. (Note that this is not Gamers Against Bigotry’s fault, but rather the fault of the people behind phPetition) Seriously, with modern database frameworks, there is absolutely no reason why you would EVER build a SQL query by hand; you would just go through the existing framework, which automatically scrubs your input.
Allowing HTML in the sigs, that’s a much easier mistake to make. Somebody would actually have had to think of that exploit when designing the site and take active counter-measures.
But the SQL injection thing… Gah. Seriously, all you have to do is adhere to same basic best practices (which make your life easier anyway) and you should be completely immune.
Sorry, again, I know I’m missing the point, and I am not trying to blame the victim here (obviously the hackers are the ones primarily to blame; and even aside from that, as I mentioned, the group making the petition should be able to trust that any software written today, even an immature open-source project like phPetition, will be immune to such a trivial and trivially-easy-to-prevent exploit. I don’t fault them one iota for thinking the open source software they picked up would be, you know, written with a basic level of competence). It’s just… when I hear of SQL injection attacks in 2012, I can’t stop myself from facepalming.
DDL doesn’t take parameters.
/still get the willies even when I do my own sanitizing for that and I fully control the inputs, at least theoretically.
Two articles and two comments in, I’m done. Stop misusing the words “hack” and “hackers”.
If the site is easy to break into and deface, no hacking (regardless of intent) is necessary. Hacking is original work, sometimes difficult, intended to extend or change an existing thing, usually to make it better or easier to use. Malicious hacking is certainly done, but once the method is found, no further application of this is “hacking”. It’s following a recipe, usually for well known vulnerabilities in the case of internet computing.
What is sad isn’t the effort needed to protect a site (or whatever) from vandals, what is sad is that stupid configuration errors (like not doing any) and not doing things properly in the first place is why the majority of sites are low-hanging-fruit-class vulnerable. What is sad is that there are vandals at all.
That being more or less OT, I respond to the intent of the story by saying that the criminals trashing the site are assholes and should be found and soundly smacked by the law.
I guess I should have kept reading the comments. But I’d reached my quarterly limit for abuse of “hack”.
F: You’re describing the “black hat” / “script kiddie” dichotomy. While I don’t personally believe there’s a huge gulf of difference between the two aside from experience and creativity, both of which can be sharpened in the script kiddie to the point where they themselves are developing unique zero-day exploits on popular pieces of software. The difference is in experience, not in intent.
Either way, finding the exploits to tell the company that people are at risk of data loss or “pwnage” is moralistically different from people who find those same exploits for the purposes of extortion or personal gain, but it is not technologically different. That moral line is what is drawn when one claims that someone is “hacking” in a bad sense. The complaint that “hacking” is used to tar people who simply love computers and love finding out new things about the algorithms that are programmed into them is one of linguistic prescriptivism, and it’s not one I can sympathize with. I think that despite RMS’ protestations, the ship on the word “hacker” has long since sailed.
CA and jamessweet: all excellent advice. Thank you both. Stuff I might know, but audience might not, and it never occurred to me to give people a rundown on how to secure a web application.
Another piece of advice to web developers: log *every action*. Doesn’t matter if you have trusted admins or multiple users or if it’s open to the public — you need to know the IP address and other defining details of every transaction, including every single full-text variable that’s ever passed to any server.
And run everything you pass into MySQL to mysql_escape_string or the likes, if you’re running an app on PHP/MySQL. Equivalents exist for the PHP implementation of MS-SQL and PostgreSQL, I’m certain.
Um . . .
???
Hmm, did my post get eaten, or is it in moderation or something . . . ?
*peers about*
Sorry, yes, it went into spam and I don’t know why. I was under the impression that previously-accepted users don’t get spammed. Weird.
Anyway. Kickstarter and apparently Indiegogo both do “due dates” where the fundraiser has an end date, but it’s possible to leave it open past the end of the fundraiser, and people can still donate after the official end. It looks like this is one of those cases.
I’d prefer these folks use the money they’ve gained to hire a tech-savvy person or two, who can fix the issues on the phPetition code more than the administrators have thus far managed, and possibly clean out the ridiculously obvious trolls from the petition. Additionally, doing something about the backup situation where their signature database is backed up nightly, would be a good thing. The money might already be over their target, but I have no issue with giving more money than is expected so they can kickstart their petition website properly, pay whatever it takes to secure it, and keep it running for quite some time.
@Jason Thibeault:
Here’s one that should be eaten
https://the-orbit.net/lousycanuck/2011/08/14/pythontwitterbot-framework/#comment-59221
CA: Om nom nom.