RockYou gets rocked by hackers

(And I’m hilarious)

Seems that simple lessons don’t get learned. Don’t get me wrong, it’s very hard to protect every aspect against hackers who try to pry their way into your site. Storing passwords in plain text is just dumb though. Even if the passwords for your own site are hashed, the proliferation of storing third-party login details (which you could at least encrypt with a symmetric key) is a time bomb.

RockYou is just the latest site on the internet to learn this hard lesson. Supposedly the hacker is one of the good guys, but there is no guarantee that someone else didn’t get the information as well. It’s an argument for doing away with passwords altogether: how long will it be until we can use public/private key authentication with websites? It is now accepted best practice with SSH, since the advent of widespread SSH brute-forcing.

Private key authentication solves a lot of the problems with websites storing password information: the hacker would have gained nothing besides the ability to verify that users were who they claimed to be.
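To illustrate that last point, here is an added example (not from the original post) of a challenge-response login in Go using ed25519 from the standard library: the account record holds only a public key, so someone who dumps it can verify signatures but cannot produce one. The names Account, NewChallenge, Authenticate and ClientSign are assumed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Account is the server-side record: only the public key is stored,
// never a password or anything else that lets a thief log in.
type Account struct {
	User   string
	PubKey ed25519.PublicKey
}

// NewChallenge issues a fresh random nonce that the client must sign.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Authenticate succeeds only if sig is a valid signature over challenge
// by the private key matching the stored public key.
func Authenticate(acct Account, challenge, sig []byte) bool {
	return ed25519.Verify(acct.PubKey, challenge, sig)
}

// ClientSign is the user's side: sign the server's challenge with the
// private key, which never leaves the client.
func ClientSign(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed test identity
	acct := Account{User: "alice", PubKey: pub}
	ch, _ := NewChallenge()
	fmt.Println("valid login:", Authenticate(acct, ch, ClientSign(priv, ch)))
	// A stolen copy of acct gives only pub; a different private key cannot
	// produce an accepted signature.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong key:", Authenticate(acct, ch, ClientSign(otherPriv, ch)))
	// A captured signature over an old challenge fails against a new one.
	ch2, _ := NewChallenge()
	fmt.Println("replayed:", Authenticate(acct, ch2, ClientSign(priv, ch)))
}
```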

A little SQL injection to make the weekend more interesting.

I’ve been going along mostly unaware of the fact that the internet is currently experiencing a nasty spate of SQL injection attacks. These attacks are being used to infect visitors to otherwise harmless and friendly websites. They’re advanced and complicated attacks that a few years ago the world had never really experienced; that’s not the case any more. It is an increasing reality that viruses and worms are no longer the province of bored uni students, but rather the work of what can only be described as technologically aware organised crime. The site I happened to run across the problem at finally took the site offline and cleaned the fields that had been ‘infected’, and I would hope that they’ve also taken steps to solve the problem.

I’m going to build up some more information on the technical aspects of this attack. So for the moment this is a placeholder. I’ll be building up some more information over the next few days.