References: <527a5f79$1@news.synserver.de>
Date: Fri, 8 Nov 2013 09:45:02 +1100
Subject: Re: To whoever hacked into my Database
From: Tim Delaney
To: Νίκος Αλεξόπουλος
Cc: Python-List
Newsgroups: comp.lang.python

On 8 November 2013 09:18, Νίκος Αλεξόπουλος wrote:

> I feel a bit proud because as it seems I have managed to secure it more
> tight. All I needed to do was to validate user input data, so the hacker
> won't be able again to pass bogus values to specific variables that my
> script was using.
>

So we now have confirmation that Nikos' site is subject to SQL injection attacks on anything that he is not specifically validating.

And I'm absolutely sure that he has identified every location where input needs to be validated, and that it is impossible to get past the level of validation that he's doing, so the site is completely secure! Just like the last time he claimed that (and the time before, and the time before that ...).

Nikos, please please please do yourself and your customers a favour and quit your so-called "business". All you are doing is opening your customers up to potentially disastrous situations and yourself to lawsuits. It's not a question of *if*, but *when* one of your customers is compromised to the extent that they decide to take it out of you.

Also, you're an embarrassment to our profession.

Tim Delaney