[TRENCHES] Tuesday, May 15, 2012 - Infiltrator

Geth (Geth Legion, Perseus Veil) Registered User, Moderator, Penny Arcade Staff, Vanilla Staff
edited May 2012 in The Penny Arcade Hub

Infiltrator
http://trenchescomic.com/comic/post/infiltrator

SQL Injection

Anonymous

I was a contract business/data analyst brought into a “WoW-killer” MMO project with a massive amount of funding from a first tier company. I had two months to burn and usually looked for small, interesting projects to work on until I got the next project, and being a remote gig, I ran with it.  I have been on some hell requirement verifications before and thought this would be just as bad.

It was worse.

Two days into the contract, I was testing the chat system, trying combinations of strings that would cause errors, entry speeds, etc. It was open testing. Type in commands and see what breaks. I had some previous test material from another project, so I copied and pasted it into the text prompt, trying to overload the message queue.

It did a great job of taking all of the text, including some SQL commands. I ran through a SQL injection test, got some positives, notated the variation, and moved on.  A normal test for my other projects.

My first hint that this WASN’T normal was a conference call from the engagement manager, test lead, and a lawyer. It seemed that they didn’t think it was possible to do what I did and rudely expressed that I must have “hacked the client.” 

I spun up a remote session, brought them into it, and showed how I did it, following the documentation I had sent, with screenshots. I also mentioned that I was saving the session and was recording the conversation, since they were the ones who brought in the lawyers. It got really quiet on the other side, which I interpret as the lawyer putting them on mute, and when they came back, I was told thanks, my contract would be paid out and ended, and all access removed. 

I thanked them for the experience and had an enjoyable vacation from the contract.



Posts

  • Arivia (I Like A Challenge, Earth-1) Registered User regular
    So, Bioware didn't think to sanitize SQL in SWTOR chat inputs. Why am I not surprised?

  • RMS Oceanic Registered User regular
    I rather like Isaac's expression in panel three.

    That's quite an interesting bug in the story.

  • Cambiata (Commander Shepard, The likes of which even GAWD has never seen) Registered User regular
    Could this be part of the reason you can't copy and paste at all in SWTOR's chat system?

    "excuse my French
    But fuck you — no, fuck y'all, that's as blunt as it gets"
    - Kendrick Lamar, "The Blacker the Berry"
  • Incenjucar (VChatter, Seattle, WA) Registered User regular
    It baffles me every time someone mentions lawyers and repercussions in QA testing for doing your job.

    So glad I've never had to put up with or witness that kind of garbage.

  • Ivar (Oslo, Norway) Registered User regular
    Cambiata wrote: »
    Could this be part of the reason you can't copy and paste at all in SWTOR's chat system?

    That doesn't sound quite right. There's no difference between manually typing an SQL command and pasting it in. You still have to sanitize data input.

  • Henroid (Mexican kicked from Immigration Thread, Centrism is Racism :3) Registered User regular
    This is a fantastic strip.

  • AnteCantelope Registered User regular
    I don't really get why you'd hire someone to test your chat system, and then get mad at them for doing it. Assuming that he wasn't leaving anything out of the story, he found a SQL injection vulnerability (which should probably have been found much earlier anyway) and this is a problem you need to call the lawyers for?

  • Tofystedeth Registered User regular
    AnteCantelope wrote: »
    I don't really get why you'd hire someone to test your chat system, and then get mad at them for doing it. Assuming that he wasn't leaving anything out of the story, he found a SQL injection vulnerability (which should probably have been found much earlier anyway) and this is a problem you need to call the lawyers for?

    and/or already accounted for in any system with user generated text input.

  • Jam Warrior Registered User regular
    They got mad because they didn't believe the things he was doing were possible via the chat system and assumed he must be doing other dodgy unauthorised access stuff.

    They let him go on full pay afterwards because they were embarrassed as fuck when they realised how stupid they had been. The false accusation meant he now had a potential grievance against them and thus it was safer to just pay him off and be rid of him.

  • Dedwrekka (Metal Hell adjacent) Registered User regular
    edited May 2012
    Arivia wrote: »
    So, Bioware didn't think to sanitize SQL in SWTOR chat inputs. Why am I not surprised?

    Could easily have been describing Warhammer Online, Age of Conan, or pretty much any MMO in the last 3 years since calling everything new a "WoW-killer" has become boilerplate for MMOs.

    Jam Warrior wrote: »
    They got mad because they didn't believe the things he was doing were possible via the chat system and assumed he must be doing other dodgy unauthorised access stuff.

    They let him go on full pay afterwards because they were embarrassed as fuck when they realised how stupid they had been. The false accusation meant he now had a potential grievance against them and thus it was safer to just pay him off and be rid of him.

    Didn't sound like the person was doing "the usual" either. From the sounds of it they were pulling commands out of a list of commands they had found in other games/programs and only managed to find a few. When you've been doing something for a while, as the person in the story has, you always have some tricks that people tend not to find unless their job is to find those tricks. From the sounds of it, the company already tried to sanitize the input, felt they'd gotten it all worked out, and the tester found some extra lines that caused problems. If the company thought, or was probably told by an overconfident worker, that they'd already worked out the bug, then they probably had reason to think something might be up. Reaction was still more than a little knee-jerk though.

  • Sticks (I'd rather be in bed.) Registered User regular
    I don't know if I would label my MMO project as a "WoW-killer" at this point. In internet years, WoW is pushing like 80 or 90. It's not really that impressive to kill off an octogenarian.

  • Tube Registered User admin
    It's pretty impressive if that octogenarian is a multi-billionaire with a private army and island fortress.

  • fearsomepirate (I ate a pickle once.) Registered User regular
    Jam Warrior wrote: »
    They got mad because they didn't believe the things he was doing were possible via the chat system and assumed he must be doing other dodgy unauthorised access stuff.

    They let him go on full pay afterwards because they were embarrassed as fuck when they realised how stupid they had been. The false accusation meant he now had a potential grievance against them and thus it was safer to just pay him off and be rid of him.

    This. It's hardly unique to the gaming industry. I've seen it happen in a wheelchair lift company of all things (a friend of mine noticed internal employee payroll data was in an unprotected spreadsheet on a public folder on the network, notified IT, and got accused of and fired for masterminding a corporate espionage/hacking ring, along with a few of his friends). The process is pretty simple. You need the following toxic combination:

    1. Management that believes it's way, way, way smarter and more knowledgeable about everything than those dumb ol' employees. After all, if the employee knew anything, HE'D be the boss, right?

    2. Clever, forward-thinking, creative employee identifies a problem that elderly/stupid/promoted out of their depth/etc management didn't even know could be a problem.

    Because management has already decided that employees can't possibly be clever people, identification of a problem management hasn't already thought of immediately results in accusations of spying or sabotage. If the employee is smart enough to document and prove that he's telling the truth, now management looks stupid...and now they fear that their superiors will notice their stupidity and/or incompetence. Better to get rid of the offending employee than risk your own job.

    Nobody makes me bleed my own blood...nobody.
    PSN ID: fearsomepirate
  • Arivia (I Like A Challenge, Earth-1) Registered User regular
    Dedwrekka wrote: »
    Arivia wrote: »
    So, Bioware didn't think to sanitize SQL in SWTOR chat inputs. Why am I not surprised?

    Could easily have been describing Warhammer Online, Age of Conan, or pretty much any MMO in the last 3 years since calling everything new a "WoW-killer" has become boilerplate for MMOs.

    Remember, it has a top-tier publisher (EA, Activision, maybe Sony or S-E at this point but they don't nearly have that name status) and a simply massive budget.

    Activision doesn't release WoW killers since they have WoW. Square-Enix plays in an entirely separate ballpark with FFXI and derivatives. Sony's games by and large have smaller (less prominent) budgets, because they know how to do more with less due to SOE's genre experience. (Additionally, SOE has never released a game touted as a WoW killer, due to the timing of EQ2 and DCUO being something else entirely.)

    Age of Conan, Rift, et al, don't fit because they don't have a top-tier publisher entwined with and directing development.

    Which leaves EA. You also noted Warhammer Online rightly, but Warhammer wasn't promoted to the press as having a singularly different experience due to its massive budget spent on polish and art. TOR was.

    The clues are there: the game is SWTOR.

  • Lindsay Lohan Registered User regular
    Couldn't it also be SW Galaxies? I think they threw a good amount of $$ at that one.

    As for the Trenches comic - is it a given that the leak is Q and that's what's going to bring him back into their office somehow.

  • Foefaller Registered User regular
    edited May 2012
    Lindsay Lohan wrote: »
    Couldn't it also be SW Galaxies? I think they threw a good amount of $$ at that one.

    As for the Trenches comic - is it a given that the leak is Q and that's what's going to bring him back into their office somehow.

    SWG predated WoW by a couple of years, so unless the devs were predicting the future, it wouldn't be that :p

    Couldn't be EQ2 either, the last real big-budget MMO SoE made, as it was released at the same time as WoW. Which really only leaves Warhammer Online and SWTOR as the only two real possibilities.

  • Peccavi Registered User regular
    Tube wrote: »
    It's pretty impressive if that octogenarian is a multi-billionaire with a private army and island fortress.

    Tube knows all about assassination.

  • Sticks (I'd rather be in bed.) Registered User regular
    edited May 2012
    Tube wrote: »
    It's pretty impressive if that octogenarian is a multi-billionaire with a private army and island fortress.

    True. I guess I was more thinking, "he's not long for this world anyway, so why bother." I suppose if you were going to do it, the obvious solution would be to do a deal with his son to "help the old man along" in exchange for a cut of the inheritance.

    In this case, that would be.... Diablo 3 I guess? Or would that be more of a nephew? This metaphor is getting confusing.

  • Ori Klein Registered User regular
    edited May 2012
    Could've also been either Mythica or Vanguard:SOH, both were heavily backed by Microsoft at the time (then Mythica got dropped in favor of Vanguard and then in turn Vanguard was dropped due to all company finances being funneled onto Xbox).

    Jam Warrior wrote: »
    They got mad because they didn't believe the things he was doing were possible via the chat system and assumed he must be doing other dodgy unauthorised access stuff.

    They let him go on full pay afterwards because they were embarrassed as fuck when they realised how stupid they had been. The false accusation meant he now had a potential grievance against them and thus it was safer to just pay him off and be rid of him.

    Generic managerial idiocy.
    And to think these people go through human relations courses and what not but no one to date had the sense to teach them that if a human resource produces an incredible result that would classify them as a valuable asset it is likely a very good idea to keep them around and use them to educate other resources in order to elevate their productivity.

    And seriously, you think QA are going to hack the game client just to be able to post false bug reports, complete with reproducible steps, only to get caught on it because 'obviously' it can't be done? Huh!?!?
    GG (un)common-sense.

    For future reference to you manager-youngins, if you ran onto such a situation, here are the proper steps to handle it:
    1) Punch the lawyers (for no reason, really, just do it to be on the safe side of right).
    2) Punch the lead GUI programmer or whoever's responsibility it was to build and proof the parser (sorry, you had this coming mate).
    3) Promote the QA guy to sub-lead-tester or something. IDK. Give him a bonus.
    4) Congratulate him on a job well done in front of all of his peers (or, if you were stupid enough to go onto that conference call and accuse him, conference call his peers and lead and apologize like a grown man with a pair).

  • admanb (unionize your workplace, Seattle, WA) Registered User regular
    Dedwrekka wrote: »
    Arivia wrote: »
    So, Bioware didn't think to sanitize SQL in SWTOR chat inputs. Why am I not surprised?

    Could easily have been describing Warhammer Online, Age of Conan, or pretty much any MMO in the last 3 years since calling everything new a "WoW-killer" has become boilerplate for MMOs.

    Just three? Try eight. Every MMO since WoW came out has been a "WoW killer."

  • Framling (FaceHead, Geebs has bad ideas.) Registered User regular
    Incenjucar wrote: »
    It baffles me every time someone mentions lawyers and repercussions in QA testing for doing your job.

    So glad I've never had to put up with or witness that kind of garbage.

    All the full-time employees where I work have to do a corporate ethics training thing once a year, so we know not to bribe people or blog about proprietary information or what have you. It's just a few videos you watch, and then you answer some questions on a little quiz. Usually, most of the videos are along the lines of: Employee does something they're not supposed to; Employee gets in trouble; Employee says to co-worker, "And now I have to go talk to leeeeeeegaaaaalllll!" In all the videos where the employee screws up, having to talk to legal is presented as just the absolute worst-case scenario.

    Makes me feel kinda bad for the people who work in legal.

    you're = you are
    your = belonging to you

    their = belonging to them
    there = not here
    they're = they are
  • LordFizzlebeef Registered User regular
    At one of the companies I worked at, they showed videos to the data entry people telling them to do due diligence on all major contracts before signing off, and make sure to not automatically award a multi-million dollar contract to somebody just because you know them from the golf club. Our supervisors were always at a loss as to why we had to do it, but it was a direct command from management that all the information in the videos directly pertained to us, and if we don't watch them we're all suddenly risks to the company and should be fired.

  • halkun Registered User regular
    edited May 2012
    Framling wrote: »
    Makes me feel kinda bad for the people who work in legal.

    Don't feel bad, if it's anything like my company even legal has its tiers. The bottom rung is basic general counsel who does all the dumb legal stuff like running to court, doing filings, and being the firewall to the rest of the company.

  • Incenjucar (VChatter, Seattle, WA) Registered User regular
    Framling wrote: »
    Incenjucar wrote: »
    It baffles me every time someone mentions lawyers and repercussions in QA testing for doing your job.

    So glad I've never had to put up with or witness that kind of garbage.

    All the full-time employees where I work have to do a corporate ethics training thing once a year, so we know not to bribe people or blog about proprietary information or what have you. It's just a few videos you watch, and then you answer some questions on a little quiz. Usually, most of the videos are along the lines of: Employee does something they're not supposed to; Employee gets in trouble; Employee says to co-worker, "And now I have to go talk to leeeeeeegaaaaalllll!" In all the videos where the employee screws up, having to talk to legal is presented as just the absolute worst-case scenario.

    Makes me feel kinda bad for the people who work in legal.

    Wow, I have a new-found appreciation for where I've been working now. I may have to give the building a hug if they call me back before I get a better-paying job. :P

  • Dedwrekka (Metal Hell adjacent) Registered User regular
    Generally speaking, people who are going to leak proprietary information or something similarly silly are not going to be dissuaded from doing it because they had to be bored in a classroom for several hours. However, from what I've experienced and seen, the majority of "leaks" are unintentional mentioning of secure information, not intentional misuse or release of privileged info.

  • Jam Warrior Registered User regular
    Dedwrekka wrote: »
    Generally speaking, people who are going to leak proprietary information or something similarly silly are not going to be dissuaded from doing it because they had to be bored in a classroom for several hours. However, from what I've experienced and seen, the majority of "leaks" are unintentional mentioning of secure information, not intentional misuse or release of privileged info.

    These things aren't intended to educate. They're there so there can be no pleading ignorance on the part of any wrongdoer and so top management has its ass covered with a record of telling people how to act if someone goes bad mid way up the chain of command.

  • Munkus Beaver (You don't have to attend every argument you are invited to. Philosophy: Stoicism. Politics: Democratic Socialist) Registered User, ClubPA regular
    warhammer online was touted as a WoW Killer, had massive funding by EA, and my sources told me it was broke as fuck for a long time.

    Then they told me not to buy it.

    Humor can be dissected as a frog can, but dies in the process.
  • Apolloin Registered User regular
    Ori Klein wrote: »
    Generic managerial idiocy.
    And to think these people go through human relations courses and what not but no one to date had the sense to teach them that if a human resource produces an incredible result that would classify them as a valuable asset it is likely a very good idea to keep them around and use them to educate other resources in order to elevate their productivity.

    Oh no, you obviously don't understand. ALL of your employees, despite how clean cut and middle of the road they might look, are basically a heartbeat away from devolving into the kind of people one might find living under an overpass in the wrong part of town. Left to their own devices they will lie, steal, cheat, murder, sell privileged information and defecate in their cubicles to mark their territory.

    The only way that this sort of anarchic chaos can be forestalled is for management to keep a tight rein on 'em - for their own good! Get them on contracts with punitive clauses and pay them so little that they are basically one paycheque from disaster. That way you can make them care about things like 'corporate culture' and 'face time'. Once you set up a poisonous enough environment the little guys will police themselves!

    Employees whose skills aren't in such demand can be controlled by packing them tightly into test farms. You don't need to waste your time trying to civilise these guys, just scoop two or three of the ones who have made a fuss recently out of there every month and fire them. This will divide them into two camps - the ones who aren't nuts about working in the industry will quietly quit to get a different job whilst the ones who feel some sort of NEED to work in the industry will work like slaves to avoid being the ones who get fired. Either way they'll stop complaining, and that's your objective!

    Some of your employees won't feel the need for 'security' and will have skills where the demand completely outstrips the supply. You're going to be forced to pay these people decently AND give them flexible working conditions. Fortunately this 'special treatment' will usually poison the regular employees against them. If you want to control these anarchic freaks then you're going to have to load their contracts with all kinds of vague and near-meaningless garbage that is essentially unenforceable in an actual court of law. Hopefully they won't want to pay a lawyer of their own to read through their contracts - luckily most don't!

    Obviously if you ever have a problem with employees of this type you'll need to make sure you have a lawyer sit in on the conversation because lawyers are the only ones cunning enough to stop them from weaseling their way out of trouble.

  • Apolloin Registered User regular
    edited May 2012
    Thanks for the doublepost, forum!

  • C2B (Switzerland) Registered User regular
    Lawyer automatically makes me think of Bethesda.

    Wouldn't the Elder Scrolls MMO fit?

  • admanb (unionize your workplace, Seattle, WA) Registered User regular
    Munkus Beaver wrote: »
    warhammer online was touted as a WoW Killer, had massive funding by EA, and my sources told me it was broke as fuck for a long time.

    Then they told me not to buy it.

    WAR was fine when it came out. It wasn't really good and it didn't have the polish an MMO needs to compete with WoW, but it wasn't broken on release.

  • Neaden Registered User regular
    admanb wrote: »
    warhammer online was touted as a WoW Killer, had massive funding by EA, and my sources told me it was broke as fuck for a long time.

    Then they told me not to buy it.

    WAR was fine when it came out. It wasn't really good and it didn't have the polish an MMO needs to compete with WoW, but it wasn't broken on release.
    WAR was best during beta because everyone was low level and just would run around pvping and RvRing queues were really short. The longer time went on the worse it got.
    Also what is SQL injection anyway?

  • DesertChicken Registered User regular
    edited May 2012
    SQL is a kind of database. SQL Injection is finding a space in an application where you can enter text and then tricking the app to run SQL commands for you by typing in SQL patterns.

    PSN/XBLA/SteamID- DesertChicken
    LoL - Renon DeSaxous
  • Sticks (I'd rather be in bed.) Registered User regular
    e.g.

    To get a user's password out of the database, you might type:
    select password from users where user_name = 'Sticks'
    

    However, if instead of putting "Sticks" in the field, I put "Sticks' OR '1'='1" then a (poorly written) application might run
    select password from users where user_name = 'Sticks' OR '1'='1'
    

    '1'='1' is always true, so it would end up returning ALL passwords in the users table.

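Sticks' two queries, run for real against a small constructed SQLite table, as an added example that is not from the thread: the string-concatenating lookup is the "poorly written application" from the post, and the bound-parameter lookup is the fix that makes the `'1'='1'` trick inert. Table layout, sample rows and function names are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the "users" table in Sticks' post.
SAMPLE_USERS = [
    ("Sticks", "hunter2"),
    ("Arivia", "swordfish"),
    ("Tube", "correct-horse"),
]

# The exact field contents from the post: a closing quote, then OR '1'='1.
INJECTED_NAME = "Sticks' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def query_text(user_name):
    """The SQL the poorly written application actually sends: the field value
    is pasted straight into the statement text, so a quote inside the value
    ends the string literal and the rest is parsed as SQL."""
    return "SELECT password FROM users WHERE user_name = '" + user_name + "'"


def lookup_vulnerable(conn, user_name):
    """Run the concatenated query; with INJECTED_NAME this returns every row."""
    return [row[0] for row in conn.execute(query_text(user_name))]


def lookup_parameterized(conn, user_name):
    """The fix: the value travels as a bound parameter, never as query text.
    The driver compares the whole string (quote and all) against user_name,
    so the injected value simply matches no row."""
    sql = "SELECT password FROM users WHERE user_name = ?"
    return [row[0] for row in conn.execute(sql, (user_name,))]


if __name__ == "__main__":
    db = make_db()
    print("query sent:   ", query_text(INJECTED_NAME))
    print("vulnerable:   ", lookup_vulnerable(db, INJECTED_NAME))
    print("parameterized:", lookup_parameterized(db, INJECTED_NAME))
```

The printed query is character-for-character the second statement in Sticks' post; only the parameterized path keeps the field contents from ever being parsed as SQL.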
  • The Good Doctor Tran Registered User regular
    Also, a lot of the time injection is about identity theft or account access, but it's also frequently about sheer vandalism, c.f.

    [image: exploits_of_a_mom.png, the xkcd strip "Exploits of a Mom"]

    LoL & Spiral Knights & MC & SMNC: Carrington - Origin: CarringtonPlus - Steam: skdrtran
  • Eat it You Nasty Pig. (tell homeland security 'we are the bomb') Registered User regular
    every mmo is touted as a wowkiller these days (ironically diablo 3 probably has the best shot at the crown to date.)

    also for all the lawyers talk, it sounds from that story like the lawyer was the only member of the management team who could find his own ass with two hands and map

    hold your head high soldier, it ain't over yet
    that's why we call it the struggle, you're supposed to sweat
  • Dedwrekka (Metal Hell adjacent) Registered User regular
    Eat it You Nasty Pig. wrote: »
    every mmo is touted as a wowkiller these days (ironically diablo 3 probably has the best shot at the crown to date.)

    I don't understand why people even mention Diablo 3, it's not an MMO in any sense. It's a single player game with multiplayer support and no persistent worlds or areas. It's pretty ridiculous when people describe it as an MMO or even "Not a traditional MMO" because it's not even close to an MMO.

  • Opty Registered User regular
    Diablo 3 has definitely drained userbase from WoW, but that's mainly due to WoW being in its final patch for the expansion and everyone has basically done what they've wanted to do so far. They feel no conflict ignoring WoW and moving over to D3 and probably by the time the expansion's out they'll be ready to hop back into WoW.

  • Dedwrekka (Metal Hell adjacent) Registered User regular
    Opty wrote: »
    Diablo 3 has definitely drained userbase from WoW, but that's mainly due to WoW being in its final patch for the expansion and everyone has basically done what they've wanted to do so far. They feel no conflict ignoring WoW and moving over to D3 and probably by the time the expansion's out they'll be ready to hop back into WoW.

    This is the important phrase. It's not draining the userbase of WoW in any meaningful way if they're still paying the fees and intend to return to it. This is nothing more than what happens whenever a new high profile single player game comes along. People go play that other game for a few weeks, then they all rubber-band back to playing WoW.
