The Daily WTF: Curious Perversions in Information Technology

frits · 2011-08-18 Reply Admin

I don't blame you.

BTW- I spent many an inebriated weekend in Charlotte (in the 90's) and can say you're in a pretty nice location as well.

hoodaticus · 2011-08-18 Reply Admin

frits:
I don't blame you.
BTW- I spent many an inebriated weekend in Charlotte (in the 90's) and can say you're in a pretty nice location as well.

Thanks. I don't mind it, but I came here from San Diego and ZOMG, that place fits me like a glove. If only I could transfer there :(.

2011-08-18 Reply Admin

hoodaticus:
I also used to believe in the law... before law school. Now I'm an anarchist.

Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws.

hoodaticus · 2011-08-18 Reply Admin

Plato:
hoodaticus:
I also used to believe in the law... before law school. Now I'm an anarchist.
Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws.

The highest concentration of psychopaths by career is probably in politics, law, and law enforcement.

frits · 2011-08-18 Reply Admin

hoodaticus:
Plato:
hoodaticus:
I also used to believe in the law... before law school. Now I'm an anarchist.
Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws.
The highest concentration of psychopaths by career is probably in politics, law, and law enforcement.

Sounds like basic self-preservation. Those are all good occupations for hiding out. Bonus: The whole power trip thing.

2011-08-18 Reply Admin

hoodaticus:
Plato:
hoodaticus:
I also used to believe in the law... before law school. Now I'm an anarchist.
Good people do not need laws to tell them to act responsibly, while bad people will change the laws to suit their desires.
The highest concentration of psychopaths by career is probably in politics, law, and law enforcement.

FTFM

C-Octothorpe · 2011-08-18 Reply Admin

frits:
hoodaticus:
Plato:
hoodaticus:
I also used to believe in the law... before law school. Now I'm an anarchist.
Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws.
The highest concentration of psychopaths by career is probably in politics, law, and law enforcement.
Sounds like basic self-preservation. Those are all good occupations for hiding out. Bonus: The whole power trip thing.

This thread, I like very much. Thanks.

2011-08-20 Reply Admin

Seems to me they are storing it in the database as plain text but pulling it out encrypted. If this is the case, and it looks that way from the query, then this is bad.

paddy · 2011-08-20 Reply Admin

ALH:
Seems to me they are storing it in the database as plain text but pulling it out encrypted. If this is the case, and it looks that way from the query, then this is bad.

Very much so.

Until two things change, we'll always see horror stories like this.

Managers who get software budget advice like "We could go with 32 installs of Win7, Office, YaddaYadda... for $xxxx, and $xxxxx for the MS server config;$xxxxx if we go Oracle; or we could do OpenOffice for workstations and setup a LAMP server for $0..."

they have no idea why prices vary so much, just that they do. Armed with the knowledge that "A very well informed person can cleverly save money AND get a superior product" they go off and make horribly uninformed decisions.

There is no industry that can match software development for "hiding the cut corners" while still deploying a "working" solution.

they only ever test the standard "General User Experience" and wouldn't even know where to start to check any other quality factors, such as security, load handling, conflict locks, etc.

Question to clever bosses: "If I was an Indian programmer with all the grand powers over time and space to deliver five-six figure high-order solutions on a four figure budget, why f**ing why in God's name would I be stuck here paid by the Rupee doing this sht for you cheap a-holes?"

2011-08-20 Reply Admin

Those who live in glass houses...:
I wish all you ivory tower wannabes would get off your high horses. SHA1 is encryption! Do you even know what encryption means? It means to obfuscate. SHA1 is obsfucation. Now STFU.

encrypt |enˈkript|
verb [ with obj. ]
convert (information or data) into a cipher or code

cipher |ˈsīfər|
noun
a secret or disguised way of writing; a code

code |kōd|
noun
a system of words, letters, figures, or other symbols substituted for other words, letters

Now contrast this with:

hash |haSH|
noun
a dish of cooked meat cut into small pieces and cooked again, usually with potatoes.
• a finely chopped mixture: a hash of raw tomatoes, chilies, and coriander.
• a mixture of jumbled incongruous things; a mess.

SHA1 falls in the latter category. Which is also why it's not called "enhash" and "dehash", because a hash is not encryption.

2011-08-21 Reply Admin

$result = mysql_query(
  "SELECT * FROM users " .
  " WHERE SECURITY_PRETENSE(username) = SECURITY_PRETENSE('" . $_REQUEST["username"] . "') " . 
  "   AND SECURITY_PRETENSE(password) = SECURITY_PRETENSE('" . $_REQUEST["password"] . "')");

//how i fix it, first whipe php, there is [node_js|asp_net|jsp], second only [oracle|sqlserver|db2] are true relational databases. //second put 2 columns, digest and salt //thirt, dont pass the password in querystring, never. //dont forget to put ssl

var result = dbutil.executeDataTable ( conn, "SELECT * FROM users " . " WHERE passwordigest = HASHBYTES('sha1', passwordsalt + @pwd )", Request.Form.Item["password"] );

2011-08-21 Reply Admin

$result = mysql_query(
  "SELECT * FROM users " .
  " WHERE SECURITY_PRETENSE(username) = SECURITY_PRETENSE('" . $_REQUEST["username"] . "') " . 
  "   AND SECURITY_PRETENSE(password) = SECURITY_PRETENSE('" . $_REQUEST["password"] . "')");

//how i fix it, first whipe php, there is [node_js|asp_net|jsp], second only [oracle|sqlserver|db2] are true relational databases. //second put 2 columns, digest and salt //thirt, dont pass the password in querystring, never. //dont forget to put ssl

var result = dbutil.executeDataTable ( conn, "SELECT * FROM users " . " WHERE passwordigest = HASHBYTES('sha1', passwordsalt + @pwd )", Request.Form.Item["password"] );

2011-08-22 Reply Admin

only one or two folks seem to be aware that the Secure Hashing Algorithm does what is says on the tin, and hashes. it has nothing to do with encryption.

2011-08-23 Reply Admin

Stev:
And yet how many companies, lately, have been found storing stuff in plaintext? By comparison, this seems like a major step up.

Read the code again noob, they were stored in plain text.

2011-08-25 Reply Admin

Can someone explain "Nagesh"? Is that a person?

2011-08-27 Reply Admin

What's even worse than this being stored in plain-text, is the fact that the database has to calculate a hash on every single row in the table in order to return the result. That is not a quick query!

2011-08-27 Reply Admin

Most people are missing the point that SHA1 is NOT encryption, it is a HASH function.

If something is encrypted, then it can be un-encrypted, you cannot take a SHA1 Hash and directly recover the original string because SHA1 is a HASH function.

What you can do is take a plain text string and run it through SHA1 to compare the resultant hash, but that is NOT decryption of the original SHA1 string.

Since it is a hash, this may mean that there may be multiple Key clashes due to weaknesses in the mathematics used to generate SHA1.

2011-08-29 Reply Admin

I'm so used to using parameterized queries that I didn't actually see the security hole until this comment. This code isn't just poorly written, it's an outright liability...

2011-08-31 Reply Admin

Encryption is when you are able to recover the plain text you encrypt. SHA1 is hashing function and by construction is a 'one-way' function. So you won't be able to recover the plain text from its digest.

2011-08-31 Reply Admin

Those who live in glass houses...:
I wish all you ivory tower wannabes would get off your high horses. SHA1 is encryption! Do you even know what encryption means? It means to obfuscate. SHA1 is obsfucation. Now STFU.
An this is for all you pathetic jackwagons posting in SHA1:

68a6a81ff9352dfd1910c2907451fb726886328b

2011-10-25 Reply Admin

The passwords are in clear text, because it's using SHA1 both sides of the assignment, but is not SQL-injectable, at least not in this queries, because any text inserted will be converted in a hex number.

2012-12-21 Reply Admin

hoodaticus:
I'm not contracting now, but my last contract job was so very bad, that I actually kept an evidence file and complaint outline up to date until the job was done (which was when I manipulated them into triggering my escape clause).

Law should be like a battle card game.

Contractor: As per the contract (rustles paper), you've triggered my trap clause!!!

Employer: Which triggers my double entendre which also stands as a "no liability" for work done clause.

Contractor: Except I own 20% of the web land valley share. Which means I get vote on web allocation, and so I threaten to polymorph your adspace into ponies.

Employer: We submit out of court settlement. 80% of pay par contract, 20% in futures.

Contractor: Deal!

2013-06-06 Reply Admin

I know that this is an old post but I'm a little confused why everyone is making such a fuss. The SHA1 is doing nothing but I can see no way to inject SQL by a hacker to gain access. Have I missed something?

2017-12-18 Reply Admin

Fast, cheap, good: pick two. Unless one of then is "good." Then you only get to pick one.

Top-grade, SHA1 Encryption

Leave a comment on “Top-grade, SHA1 Encryption”