I heard this story on the news earlier this week and later saw a very similar version on the Web, so I assume it all is regurgitated AP ignorance.
Here is the quote that got me charged up about the story (emphasis added):
…In a two-count indictment alleging conspiracy and conspiracy to engage in wire fraud, Gonzales, AKA “segvec,” “soupnazi” and “j4guar17,” is charged, along with two unnamed co-conspirators, with using a sophisticated hacking technique called an “SQL injection attack,” which seeks to exploit computer networks by finding a way around the network’s firewall to steal credit and debit card information….
The journalist clearly is clueless about computer security, yet still managed to get his story on the wire without a fact-checker in sight. I can almost visualize the guy nodding along to the computer person who tried to explain what happened and munging together several parts of the conversation into this nonsense. If this person had done the bare minimum research with Google they would have at least found the Wikipedia article on SQL Injection and got their facts straight.
But alas, it is all too common for journalists’ own ignorance of computers to creep into the news and make anything beyond MS Word seem like a mysterious art practiced by super-geniuses. The part that really bakes my broccoli is the way it unfairly portrays all the characters involved in this story.
The slapdash developers responsible for the site come out of this story completely clean, but bear most of the responsibility for the breach. Calling SQL Injection a “sophisticated hacking technique” would be good material for an XKCD comic strip.
Developing a site that is vulnerable to a SQL injection attack is a lot like securing a vault by tying a string around the handle and putting a sign on the door:
Warning: String is fragile. Don’t pull too hard!
SQL Injection is talked about so frequently in developer circles that no competent programmer should be able to plead ignorance on this with a straight face. Also, unlike more sophisticated security issues, preventing SQL Injection is pretty much a solved problem.
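To make the “solved problem” point concrete, here is an added example (mine, not from the original post or from anything in the indictment) showing the defect side by side with the standard fix. It uses Python’s built-in sqlite3 module against an in-memory table of constructed sample rows; the table, column names and customer names are all made up for the demonstration.

```python
import sqlite3

# Constructed sample data: a tiny card table living only in memory.
SAMPLE_ROWS = [("alice", "1111"), ("bob", "2222"), ("carol", "3333")]

# A value that is a perfectly ordinary string to the database when bound as a
# parameter, but changes the meaning of the query when pasted into SQL text.
INJECTED = "nobody' OR '1'='1"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (id INTEGER PRIMARY KEY, customer TEXT, last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO cards (customer, last4) VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_vulnerable(conn, customer):
    # The "string around the vault handle": user input is spliced directly
    # into the SQL text, so the caller gets to rewrite the WHERE clause.
    sql = "SELECT customer, last4 FROM cards WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, customer):
    # The fix: the SQL text is fixed, and the input is bound as a value.
    # Whatever the string contains, it is compared as data, never parsed as SQL.
    sql = "SELECT customer, last4 FROM cards WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal input: ", lookup_vulnerable(db, "alice"))
    print("vulnerable, odd input:    ", lookup_vulnerable(db, INJECTED))
    print("parameterized, odd input: ", lookup_parameterized(db, INJECTED))
```

With a normal customer name both functions return the same single row. With the odd input, the concatenating version returns every row in the table, while the parameterized version returns nothing, because no customer is literally named that. The fix is one argument to `execute`, which is why ignorance of it is so hard to plead.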
These developers are not victims, they are conspirators (perhaps the two unnamed ones from the article)!
When my mother and 90% of the other less-technically inclined people read this article, they are imagining the people who stole the credit card numbers as the whiz kid from the old Encyclopedia Britannica commercials.
Don’t even get me started on this. I felt about as outraged as when I heard that Al Gore won a Nobel prize for being able to drone on about the weather despite the fact that he probably needs a consultant to operate a thermometer.
I’m not taking the side of these criminals who stole the credit card numbers, but if they got these programmers fired at least some good came out of the situation.
The IT Guys
These guys get unfairly dragged into the problem when the journalist ignorantly characterizes a SQL Injection attack as “finding a way around the network firewall.”
For any journalists who happen to find this blog and want to scoop your peers, let me help you out on the next hot story.
I’m pre-announcing that I, a super hacker, plan to use an advanced hacking technique whereby I penetrate my credit card company’s firewall using the HTTP protocol.
Through advanced computer science techniques involving using a Joystick to navigate mathematical equations I have determined that they have unsuspectingly left ports 80 and 443 open on their firewall.
I plan to use this information and a little known “backdoor” called TCP/IP to access financial data unless they meet my demands and provide me with a free toaster by noon tomorrow!