The Moonpig Bug: How 3,000,000 Customers' Details Were Exposed

It's been all over the British news today: developer Paul Price found a bug in photo-crap-maker Moonpig's site, one that might have exposed three million users' personal information. Paul's got a great technical post about it at www.darkport.co.uk/blog/moonp... -- but there's no decent non-techie explanation except for the one-paragraph summaries in newspapers. It was a perfect storm of tech incompetence: here's how to avoid doing it yourself.

Comments: 941

  • @s6th795 · 7 years ago

    Rule #1 of database design: All user input is evil. No exceptions.

  • @AshtonSnapp · 5 years ago

    What if the user input causes an exception?

  • @tiny_toilet · 5 years ago

    @AshtonSnapp See Rule #1.

  • @Tobias-nv3dx · 4 years ago

    @AshtonSnapp I laughed way too hard at this ...

  • @AshtonSnapp · 4 years ago

    Tobias I’m glad to know that :D you have an awesome day

  • @KnakuanaRka · 4 years ago

    Or at least treat all user input as possibly malicious.

  • @SorryBones · 4 years ago

    “If they respond I’ll put it in the description” ...a half decade waiting list huh? They must be very very busy

  • @liquidtvafternoons5315 · 3 years ago

    @ejewart1450 the patients don't last long

  • @sxa555 · 9 years ago

    I'm really hoping that the term "moonpigging" becomes a term for companies that give a vague "Your security is important to us" message. Next time I get one (on twitter) I'm RT'ing it with a message "I'VE BEEN MOONPIGGED"

  • @thejay8963 · 5 years ago

    sxa555 Moonpigging Mün-pig-ing When a company lies about internet security by making false claims of security that stated company does not have.

  • @techheck3358 · 5 years ago

    Tom Lake Charles Moonpigging /muːn/pɪɡ/ɪŋ/ verb *VULGAR SLANG • ENGLISH* 1. When a company makes a very specific denial of a security bug “I was moonpigged” _synonyms:_ disgrace, dishonour, disrespect

  • @hencytjoe · 5 years ago

    I hereby take the liberty of claiming this term as a valid choice of expression for the aforementioned reason.

  • @richardmillhousenixon · 4 years ago

    @Kanashimi You can do that with Google Home

  • @qqqalo · 3 years ago

    When someone claims to care about your data it means they want to sell it and couldn't care less about it.

  • @petartodorov9202 · 5 years ago

    231 weeks since this video was uploaded. Tom hasn't updated the video description with moonpig's response yet...

  • @PackerFanGamer · 4 years ago

    5 years no update

  • @taylor1991 · 4 years ago

    Does anyone care? Doesn't have to be impartial or balanced.

  • @butikikisame2548 · 4 years ago

    I don't think Moonpig responded at all. I can't find any article after Moonpig's initial public response.

  • @IvanLDiaz · 4 years ago

    September 9th, 2020. Pandemmial here. Tom still doesn't get a reply.

  • @addisonchan3053 · 3 years ago

    @IvanLDiaz To someone seeing the word pandemmial 50-100 years onward it would sound like some trend name or something.

  • @AwesomeMinecraftersakuraodomMC · 7 years ago

    I cringed so hard when he said that Moonpig decided to use consecutive IDs. I think I'm finally becoming a computer nerd

  • @kristiansvendsen6906 · 7 years ago

    Nope, just a weaboo.

  • @froidesprit · 7 years ago

    Nah, definitely a computer nerd. I cringed too, and I am the most anti-anime person alive.

  • @TheHaughtsauce · 6 years ago

    There is nothing wrong with consecutive IDs. If you think consecutive IDs are a problem, it is actually a symptom of a much larger authentication/authorization issue.

  • @CrazyConnor2 · 5 years ago

    Same XD

  • @undead890 · 5 years ago

    Consecutive IDs aren't the problem, as long as they are only used on the backend and no one ever sees them.

  • @Fraktallity · 8 years ago

    Tom Scott: definitely not sponsored by Moonpig.

  • @Fraktallity · 8 years ago

    ***** No such thing as bad publicity; however, I doubt Tom would have sold out that hard, if at all.

  • @kobiemelverton2231 · 7 years ago

    By law, he has to state it

  • @kikicat123 · 7 years ago

    You need to send that grammar to Moonpig.

  • @benjaminpatterson3535 · 7 years ago

    +kobie melverton we all know that now, don't we?

  • @jpeg8596 · 6 years ago

    Fraktallity - Cheeky Videos ( ͡° ͜ʖ ͡°) He wouldn’t because it is illegal to not disclose that you’re sponsored.

  • @LeftRight1511 · 8 years ago

    The notion that people still don't "code like they're being attacked" astounds me. One of the first formal courses I took in programming, the lecturer made it very clear we understood the notion and importance of defensive programming.

  • @ktcd1172 · 7 years ago

    Some of us are Old School Programmers. Way back in the day the only kind of real hacking that needed to be worried about was some student coding something that would walk a printer across the room until it pulled the plug from the wall shutting it down until you could get engineers into the facility and haul it back into place and reset the equipment with the system. Security was maintained with locks on the doors and ID checks on personnel allowed into the locations with terminals.

  • @Toothily · 4 years ago

    @ktcd1172 okay boomer

  • @WildBluntHickok · 4 years ago

    @Toothily Nice to see someone using the word boomer correctly. I'm from the generation after the boomers and what he's talking about would've been when I was a kid in the 80s.

  • @nichm7318 · 3 years ago

    @WildBluntHickok o k b ö m e r

  • @doomse150 · 2 years ago

    Or you could just start using a high level web framework, since the people designing those usually know what they are doing way better than you do

  • @beenis08 · 4 years ago

    Companies: writing bad code. Tom: "Y'all are getting paid?"

  • @chewtag · 4 years ago

    not funny

  • @beenis08 · 4 years ago

    @chewtag damn... and I assume you didn't laugh? 😞

  • @codinghub3759 · 2 years ago

    @beenis08 was funny, did laugh

  • @mena376 · 7 years ago

    half moon, half pig, and half bug.... no wait

  • @theLuigiFan0007Productions · 7 years ago

    The 3 halves you just mentioned caused a buffer overflow in the terribly written site. Congratulations, you now have root access to everything. :DDDDDDDDDDDDDDDD

  • @froidesprit · 7 years ago

    theLuigiFan0007 Not upvoting your comment because you will then have two different buffer overflows.

  • @pinkribbon1007 · 6 years ago

    mena3976 😂👏

  • @panda4247 · 5 years ago

    It's half moon and half pigbug. Better call Al Gore

  • @Banzybanz · 5 years ago

    Lulz. This week the same topic was revisited in South Park.

  • @erictaylor5462 · 8 years ago

    I found a security hole in a courthouse. I had Jury Duty so was going to the courthouse every day. I also have a fake leg that sets off metal detectors. This meant, every day I went there they had to pull me aside, scan me with a hand-held device then check my leg. They did this the first three days, then on the 4th (and all the rest of the days) they just waved me through, without bothering to check. This meant, had I wished to, I could have easily gotten a gun or other weapon into the courthouse. When I called they were very interested to hear this. They thanked me and quickly fixed it.

  • @liesdamnlies3372 · 8 years ago

    +Eric Taylor Government showing more responsibility for security than a large corporation. I don't know if I should be surprised or something else.

  • @erictaylor5462 · 8 years ago

    ***** This wasn't "government". This was a single individual whose ass would have been on the line had someone managed to get a weapon in. Also, this was several years ago. Who knows if the same thing wouldn't happen again.

  • @liesdamnlies3372 · 8 years ago

    Eric Taylor Well, okay, someone working for government. Which yes, I'm definitely surprised, given that the level of incompetence demonstrated by government in IT can be staggering. (I've received passwords, which can't even be changed, from government websites, via email in plaintext. Cringe.)

  • @erictaylor5462 · 8 years ago

    ***** I sent my sister a password in code at least.

  • @toproudtooadmitmitsake1842 · 4 years ago

    @erictaylor5462 You're thinking too zoned in. It is the government: you can never rely on security to police itself; complacency, especially in repetition, is human nature. The onus is on the government to monitor quality and ensure safeguards are in place to keep a constant standard of security.

  • @aliabdaal · 4 years ago

    Wish I’d mined bitcoin in 2015

  • @distantt · 3 years ago

    I wonder how it works

  • @hgu · 3 years ago

    Rip

  • @lukasvavrich3349 · 3 years ago

    I did. And I forgot about it. And now there is a bitcoin wallet somewhere on the internet with $800,000 that I can't access. RIP me.

  • @distantt · 3 years ago

    @lukasvavrich3349 rip you

  • @youngclueless7364 · 3 years ago

    Ik ur cousin

  • @GamesFromSpace · 9 years ago

    Another pro tip: If you're working with offshore developers, always make sure they implemented features the way you requested. I've narrowly avoided silly problems like "sequential customer IDs" or "token strings containing user info" that way. You get what you pay for.

  • @robertlozyniak3661 · 8 years ago

    +Joshua Pearce I wonder which is harder, making sure they do it the way you want or just doing it yourself.

  • @GamesFromSpace · 8 years ago

    Robert Lozyniak It depends if doing it yourself means reading their code.

  • @jacobtracey555 · 2 years ago

    TL;DR: Don't hire Indian programmers.

  • @eTiMaGo · 1 year ago

    @jacobtracey555 Nothing wrong with them, but I once had an Indian friend tell me that the best programmers there end up getting hired by large companies, leaving mostly newbies and low-skilled programmers left on Upwork, Freelancer, etc.

  • @mystic_galaxies9832 · 1 year ago

    @jacobtracey555 and why Indians specifically?

  • @kujmous · 9 years ago

    One could only guess what rights account number 1 was allowed to do.

  • @AshtonSnapp · 6 years ago

    kujmous Acc No 1 is probably the admin.

  • @Hahahawhatsup · 6 years ago

    cheers sherlock

  • @lyrimetacurl0 · 5 years ago

    What about number 0? The boss?

  • @mitch_tmv · 5 years ago

    no number 0 is the time traveller

  • @Chris_Cross · 5 years ago

    Try -42

  • @OmegaCraftable · 9 years ago

    "Code like you're being attacked", love that. :) Great video as always!

  • @57thorns · 4 years ago

    Because you are under attack, this is the internet we are speaking of.

  • @kusaisama · 2 years ago

    💗

  • @Arbenowskee · 3 years ago

    As Tom mentions in 3:34 - a word of caution, always report these kinds of bugs through a lawyer. Big companies will happily sue you or report you to police for "hacking" instead of saying thank you, even if your intentions were 100% honest and you showed them that. Has happened to more than one person I know.

  • @elminz · 9 years ago

    I think one of the biggest things I learnt about security from hackers when working on online games is: "Assume all data you get could be a hack". Even if it's as simple as someone's date of birth, assume it could be forged data designed to break your system. No exceptions.

  • @georgiishmakov9588 · 2 years ago

    date of birth: 1901-1-1"; DROP TABLE Customers;
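The "all user input is evil" rule from the top of the thread and the DROP TABLE payload in the reply above, worked through as an added example. This is not code from the video, from Paul Price's write-up or from any commenter: it runs the same date-of-birth field through a string-built query and through a parameterised one against a throwaway SQLite table. The table, the sample rows, the function names and the two attacker strings are all constructed for this illustration.

```python
"""Added example: the date-of-birth field handled the Moonpig way and the safe way."""
import sqlite3
from datetime import date
from typing import List


def make_db() -> sqlite3.Connection:
    # Throwaway in-memory table; the rows are constructed sample data.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, dob TEXT)")
    con.executemany(
        "INSERT INTO customers (name, dob) VALUES (?, ?)",
        [("Alice", "1990-05-04"), ("Bob", "1985-11-23"), ("Carol", "1901-01-01")],
    )
    con.commit()
    return con


def find_by_dob_insecure(con: sqlite3.Connection, dob: str) -> List[str]:
    # The field is pasted into the statement, so the input can rewrite the query.
    sql = f"SELECT name FROM customers WHERE dob = '{dob}' ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def find_by_dob_parameterised(con: sqlite3.Connection, dob: str) -> List[str]:
    # Bound parameter: the driver sends the value separately from the SQL text,
    # so quotes and keywords inside it are only characters to compare against.
    sql = "SELECT name FROM customers WHERE dob = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (dob,))]


def parse_dob(raw: str) -> date:
    # Shape check on top of parameterisation: the field is a date, so anything
    # that is not YYYY-MM-DD is refused before it gets anywhere near the database.
    try:
        return date.fromisoformat(raw)
    except ValueError as exc:
        raise ValueError(f"rejected date of birth: {raw!r}") from exc


def accepts_dob(raw: str) -> bool:
    """True if the validating path would let this input through."""
    try:
        parse_dob(raw)
        return True
    except ValueError:
        return False


def find_by_dob_secure(con: sqlite3.Connection, raw: str) -> List[str]:
    # Validate, then bind: two independent layers, either of which stops the payloads below.
    return find_by_dob_parameterised(con, parse_dob(raw).isoformat())


# Constructed attacker inputs: a quote that closes the literal followed by an OR
# that matches every row, and the stacked-statement variant from the comment above.
TAUTOLOGY = "1901-01-01' OR '1'='1"
STACKED = "1901-01-01'; DROP TABLE customers; --"


if __name__ == "__main__":
    con = make_db()
    print("insecure, honest input :", find_by_dob_insecure(con, "1901-01-01"))
    print("insecure, tautology    :", find_by_dob_insecure(con, TAUTOLOGY))
    print("parameterised, tautology:", find_by_dob_parameterised(con, TAUTOLOGY))
    print("validated, tautology    :", accepts_dob(TAUTOLOGY))
```

Run against this toy table, the string-built query returns every customer for the tautology input, the bound-parameter query returns none (it is looking for a customer whose birthday is literally that string), and the validating path refuses the input before any SQL is built. One caveat specific to this harness: Python's sqlite3 `execute()` refuses to run more than one statement at a time and raises `ProgrammingError` on the stacked `DROP TABLE` payload, so that particular trick fails loudly here; on a driver or server that accepts stacked queries it does exactly what the comment says.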

  • @rud · 7 years ago

    "someone's ugly baby". Telling it like it is. :D

  • @mathgeniuszach · 5 years ago

    I agree with you; something my uncle always says: whatever you program, try to get it to fail. Don't program it to fail, but test it and try to get it to fail so you can fix it. That's one of the reasons I like ethical hackers so much and the companies that use them; you know they won't easily fail to simple security flaws. Kudos to anyone who finds these issues and reports them urgently, safely, and carefully.

  • @rogerwilco2 · 9 years ago

    The problem is that a lot of these things are done when a company has no clue about code themselves and hires someone with a fast talk, or has the 16 year old son of one of the managers do it in a weekend. And then it stays in the code when the site grows and starts attracting lots of customers. Nobody will be asked to look at it, because "it has worked reliably in the past".

  • @HenryW9 · 9 years ago

    "Ah, nobody will notice this" - a very British attitude

  • @hikari_no_yume · 9 years ago

    Also rather reckless. :(

  • @geraldhenrickson7472 · 6 years ago

    Henry W: British? Denial seems a rather large factor of the human condition. I believe anyone, anywhere could say this.

  • @geraldhenrickson7472 · 6 years ago

    Mr Shekel: Why fuel the fire of discontent? Stop blaming all of a given nationality... for the acts of but a tiny few.

  • @pepperjeanne1566 · 5 years ago

    More like " a very *human* attitude"

  • @John2find · 5 years ago

    I thought it was Indian attitude.

  • @Foul_Quince · 4 years ago

    I am constantly amazed how many developers incorporate security through obscurity as a strategy.

  • @europeansovietunion7372 · 5 years ago

    I'm pentesting right now. This one has no ink anymore, next.

  • @mastertrams · 4 years ago

    Ok, that was a good'un, but I think you're deliberately missing the point. Wrong type of pentesting mate.

  • @scepto43 · 4 years ago

    @mastertrams can't tell if that's an r/woooosh or not

  • @JustPoaj · 4 years ago

    @scepto43 r/wooosh

  • @addisonchan3053 · 3 years ago

    @Michael Darrow r/noheacknowledgeditasajokebutwantedtomakesurehewasntjoking

  • @legendarytat8278 · 3 years ago

    @addisonchan3053 r/ihavereddit

  • @tymo7777 · 9 years ago

    You are a fantastic model for a responsible public figure on the internet.

  • @DamienWells · 9 years ago

    Not too long ago, someone I know gave me some advice similar to what you said at the end of the video. His words were along the lines of "When coding security as an adult, don't think logically, try to think like a kid. If you build it logically and too structured it's easy to crack. And even if it's logical and structured but still you think it's near unbreakable, most of your attackers will be kids, young people, the ones who think outside the box. It's easy for those people to find holes you never thought possible." What are your thoughts on this?

  • @vincentmuyo · 5 years ago

    ... Why wouldn't you code logically? It's not going to get safer just because no one can read the code.

  • @Ashebrethafe · 5 years ago

    @vincentmuyo The code should be a logical implementation of the design, but that design should be as unstructured as possible. Moonpig should have used random customer IDs, instead of taking the "logical" approach of making them consecutive, so that nobody could use their IDs to determine someone else's. They also should have generated a _different_ random ID for each token, so that a user whose token ID was compromised could get a new one by deleting the old token and signing in with their username and password.
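The two positions in this thread, that consecutive IDs are harmless if the server checks who is asking (@TheHaughtsauce and @undead890 further up) and that random IDs and per-session tokens limit the damage (the reply above), as one added example. This is not Moonpig's code, nor Paul Price's, nor any commenter's: it is a toy in-memory customer store with a lookup that only authenticates next to one that also authorises, plus the ID walk an attacker holding a single valid session would run against each. The class and function names, the token scheme and the three sample customers are assumptions made for this illustration.

```python
"""Added example: sequential customer IDs with and without an ownership check."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Customer:
    customer_id: int
    name: str
    address: str


class CustomerStore:
    """Stand-in for the customer table and the session table."""

    def __init__(self) -> None:
        self.customers: Dict[int, Customer] = {}
        self.sessions: Dict[str, int] = {}  # session token -> owning customer_id

    def register(self, name: str, address: str) -> int:
        # Sequential IDs, as the thread describes. The number itself is not the
        # flaw; accepting it back from the client without checking ownership is.
        customer_id = len(self.customers) + 1
        self.customers[customer_id] = Customer(customer_id, name, address)
        return customer_id

    def login(self, customer_id: int) -> str:
        # A fresh unguessable token per session, so a leaked token can be
        # revoked without the account's identity having to change.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = customer_id
        return token

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)

    def lookup_insecure(self, token: str, requested_id: int) -> Optional[Customer]:
        # Authentication only: any logged-in caller may read any record.
        if token not in self.sessions:
            raise PermissionError("not logged in")
        return self.customers.get(requested_id)

    def lookup_secure(self, token: str, requested_id: int) -> Customer:
        # Authorisation: the requested record must belong to the session's owner.
        owner = self.sessions.get(token)
        if owner is None:
            raise PermissionError("not logged in")
        if owner != requested_id:
            raise PermissionError("forbidden")
        return self.customers[requested_id]


def enumerate_ids(store: CustomerStore, token: str, upto: int,
                  lookup: Callable[[str, int], Optional[Customer]]) -> List[int]:
    """What an attacker with one valid session does: walk IDs 1..upto."""
    found = []
    for candidate in range(1, upto + 1):
        try:
            record = lookup(token, candidate)
        except PermissionError:
            continue
        if record is not None:
            found.append(record.customer_id)
    return found


def demo() -> dict:
    store = CustomerStore()
    alice = store.register("Alice", "1 High Street")  # constructed sample data
    store.register("Bob", "2 High Street")
    store.register("Carol", "3 High Street")
    token = store.login(alice)
    result = {
        "insecure": enumerate_ids(store, token, 10, store.lookup_insecure),
        "secure": enumerate_ids(store, token, 10, store.lookup_secure),
    }
    store.logout(token)  # revoking the token is enough to cut the session off
    try:
        store.lookup_secure(token, alice)
        result["after_logout"] = "still readable"
    except PermissionError:
        result["after_logout"] = "revoked"
    return result


if __name__ == "__main__":
    print(demo())
```

With one session the insecure lookup yields every customer record in the table; the secure one yields only the caller's own, and the walk produces nothing but "forbidden" responses, which is also the signal to alert on. Swapping the integers for random IDs would slow that walk down but would not change the second outcome, which is the point @TheHaughtsauce makes.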

  • @Toothily · 4 years ago

    I think that's a poorly articulated way to say, don't get cocky or rest on your laurels, but instead be curious and devious in testing your own code.

  • @beesree39 · 4 years ago

    @Toothily how does one rest on a yanny

  • @clockworkkirlia7475 · 4 years ago

    @beesree39 ...Well played.

  • @samjiman · 8 years ago

    This video was sponsored by Funky Pidgeon. :P

  • @fn9681 · 7 years ago

    Funky, fun and free delivery. Woohoo

  • @kristiansvendsen6906 · 7 years ago

    We'll even throw some other customers' credit card details in! WOOOHOOOO

  • @invisi. · 5 years ago

    pigeon*

  • @adflyofficial · 4 years ago

    f u n k y p i g e o n . c o m

  • @thinwhiteduke4324 · 4 years ago

    @adflyofficial I read this like in the advert 🤦‍♀️😂

  • @jacob416 · 4 years ago

    Context: I live in America. My professor always said “this isn’t the justice system, everyone is guilty until proven innocent, not the other way round.”

  • @electricspider2267 · 1 year ago

    You're innocent, but btw could you like stay in this tiny room for months until we can prove you're actually guilty. Notice I didn't include a '?' because I'm not asking, I'm forcing.

  • @jacob416 · 1 year ago

    @electricspider2267 you forgot "unless you, or someone you know, is able/willing to pay several months' worth of your salary all at once, because that's a completely reasonable request of someone who more than likely lives paycheck to paycheck. Aren't you glad we have such a flawless and perfectly moral system"

  • @shuttsteven · 9 years ago

    As someone who has no horse in this particular race, I have never heard of Moonpig before as a US customer, really enjoy these computer security videos. I hope to see more of them in the future!

  • @erictaylor5462 · 8 years ago

    Another thing to remember: There is NO SUCH THING as a 100% secure system. The Germans thought this about Enigma. They paid the price. Well, the other Germans paid for them, but you know what I mean.

  • @adaai2384 · 8 years ago

    +Eric Taylor That is true but it's also irrelevant. There is no excuse for large companies not following the current best practices for information security (in the UK it's a legal requirement). What Moonpig did is analogous to a bank leaving all of your money on the sidewalk with a sticky-note saying "please don't steal this." And then they tried to insist they weren't doing anything wrong.

  • @erictaylor5462 · 8 years ago

    GenericRubbishName I never said they shouldn't attempt to secure information. It's just that locks are for keeping honest people honest. You should always be trying to improve security. Donitz only SUSPECTED Enigma had been broken so added another wheel to it even though all the experts told him it was impossible to break Enigma. Even though this step improved the Navy's performance (at least for a while) the Germans STILL didn't realize the English had broken the Enigma code. The English were reading the dispatches before the German commanders were.

  • @JustusLynetta · 7 years ago

    Honestly, theoretically enigma seemed unbreakable but it had a major flaw. You should check out the new version of enigma which is several magnitudes better and most likely won't be able to be cracked in humanity's time.

  • @erictaylor5462 · 7 years ago

    PacManAction That doesn't even make sense. "Theoretically seemed"? It was, to the people who designed it, "theoretically unbreakable" and thus seemed unbreakable, but the theory was wrong. And you're right, the Enigma concept is still used today but with the flaw, a letter can never be "substituted" with itself, but the entire process is done in computers instead of clockwork machines. The great advantage of this is the number of "wheels" you can have is unlimited. And with each added wheel the number of possible outcomes is increased by a multiple of 26. Enigma was an amazing cipher machine, but like the builders of Titanic, they were overconfident in their design.

  • @JustusLynetta · 7 years ago

    Yes, theory can be proven wrong. It's been done many times, something that works in theory doesn't always work practically. And I'd advise look up the TypeX machine.

  • @CalebJohnsonlivingca · 9 years ago

    good lesson in the illusion of "security through obscurity"

  • @thebouncyball2305 · 9 years ago

    Yeah, it's a huge gamble to think like that. It only takes one malicious person to discover something like this, and it's only a matter of time.

  • @Mousy677 · 7 years ago

    I love how sarcastic Tom is in these videos, given that he's usually so nice in videos

  • @aydoyt · 3 years ago

    You wouldn't guess what advert KZread decided to slap at the top of my recommendations: Moonpig

  • @hikari_no_yume · 9 years ago

    Tom mentions this being risky because a company might sue you. It gets worse, actually: the AT&T "hack" done/discovered by weev got him in jail - and it was a very similar type of issue to the one described in this video. I won't apologise for weev because he's a nasty piece of work and has done many horrible things, but the thing that got him sent to jail was AT&T being mad over exactly this issue.

  • @philpem · 9 years ago

    The key difference, as I understand it, was that Weev proceeded to crawl AT&T's customer database, download a massive chunk of it and then hand it to journalists, thus compromising thousands of customers' private information for the sake of irresponsible disclosure. Paul Price created a few new accounts with his own details (or perhaps fake details) to which he held the authentication details, then proceeded to use the customer IDs for those. At no point (at least based on what I'm aware that he's said publicly!) did he obtain any information to which he was not legally entitled access. Moonpig could take the nuclear option and try for criminal charges under, say, the Computer Misuse Act (disclaimer: I am not a lawyer, solicitor, barrister, or anything like that), but there's probably enough "responsible behaviour" to easily shoot something like that down (I'm not a lawyer. Have I said that yet?). That said, if MP did go down that route, the press would have an absolute field day. "Moonpig sues guy who reported security bug! A greetings card company has sued a computer security researcher who told them about a security bug, then gave them A YEAR to fix it! More on page five!"

  • @hikari_no_yume · 9 years ago

    philpem Yes, I suppose it's fair to say weev didn't get in trouble for merely exposing the vulnerability, I should have mentioned that.

  • @goodkisser8591 · 4 years ago

    Yes, hacking other companies/websites, regardless of if you’re ‘just testing’ is illegal, because nobody knows what you did as well as informing them, you could’ve already sold all of the data.

  • @hexagonist23 · 4 years ago

    Not if you use tor.

  • @BanterEdits · 9 years ago

    Tom, I have to say, you are my favourite KZreadr, just ahead öfter Vsauce. Your content is funny, inspiring, smart and also very informative. I would love to see you on german TV one day and think: This man should be cloned because he is a perfect tutor for humans of all ages. Thank you for producing all of the content. Regards, Felix

  • @BanterEdits · 9 years ago

    *ahead of

  • @bentheguy101 · 9 years ago

    Interesting how your profile photo is a VGA cable

  • @JamEngulfer · 9 years ago

    Hey, just so you know, comments can be edited after you post them.

  • @BanterEdits · 9 years ago

    JamEngulfer not on mobile^^

  • @JamEngulfer · 9 years ago

    Checkername1 | Closed Oh right, fair enough

  • @paulverse4587 · 2 years ago

    My school used a web portal a while back, so that we can upload our homework, see what is to be done, schedules and notices. However, the ID was stored in the URL itself - and you can see the ID of others by visiting their profile. Simply replacing it I was perfectly allowed to be my teacher or schoolmates, giving me full insights in all conversations between them and others. I was young so I played around a bit and was also able to see the invoices and ability to delete the entire school's account, change homework, schedules, and change admin roles. Luckily I was not stupid enough/too boring to change anything major or dwell too deep, so nobody noticed. I tried to bring this to my teachers' attention but they didn't understand or care and when they seemed to think I was trying to "hack it" I stopped trying. This was in ~2008.

  • @paulverse4587 · 2 years ago

    Also as I found out, the school paid a ludicrous amount monthly to this platform.

  • @warmachineuk · 2 years ago

    Third party frameworks and libraries allowing virtually unhackable cookies were available in 2008. The developer had no excuse. Your school was ripped off.

  • @paulverse4587 · 2 years ago

    @warmachineuk Yup

  • @llynxfyremusic · 1 year ago

    god the way your teacher brushed you off pisses me off.

  • @Phantoml25 · 8 years ago

    "how could I break this" That's how I always think

  • @joshuahadams · 8 years ago

    Sledge hammer, that's how you can break this.

  • @Xeverous · 7 years ago

    +Josh Adams with enough force, everything can be "solved"

  • @renatokobashigawa7025 · 6 years ago

    that's how my country thinks about economy

  • @lappansommer546 · 2 years ago

    Even about my heart!? (sniff)

  • @DampeS8N · 9 years ago

    Great breakdown as always. Clear, detailed, correct and complete.

  • @geordonworley5618 · 9 years ago

    This is a very important point, and every programmer really needs to understand this concept. I hope the message gets across and they actually fix the system.

  • @loulimibarney3435 · 8 years ago

    People should stop thinking computing is a niche area and that they are doomed not to understand anything about it, and realize computing is like law: it applies to everything and everyone should know about it.

  • @WalnutBun · 9 months ago

    Genuinely think that this is the sort of thing that goes beyond "incompetence" and into "criminal negligence".

  • @thephantom1492 · 8 years ago

    Shouldn't that company get a huge fine AND get banned from Visa/Mastercard due to the insecurity? I tought in the UK that such a thing would result in a huge fine due to the blatant insecurity... and credit cards don't like that too...

  • @goodkisser8591 · 4 years ago

    thephantom1492 the “huge fine” isn’t as big as you’d expect for a massive company, especially not back then

  • @jintie · 3 years ago

    tought? you mean taught?

  • @kyleedwards4903 · 3 years ago

    @jintie Glad you're here to save us all the mental strain of trying to figure out what that could have possibly meant. God forbid a person accidentally omits a letter in a word. We need more people like you in the world, our stockpiles of unearned self-satisfaction are dangerously low

  • @TheSudsy · 3 years ago

    @jintie thought

  • @j.hawkins8779 · 3 years ago

    @kyleedwards4903 you. shut up. no one cares about what you have to say. if you wanna be like that, delete your comment and go to some other website that cares about you.

  • @itsagentd283 · 5 years ago

    I remember back in the day when I was making a control panel for a game server and ran it on my test server. It was hacked within minutes by a friend just because I didn't check the input of 1 script causing my friend to get access to admin on the server and causing mayhem. I just didn't escape anything for one field and that was my downfall. Luckily I asked a friend to test the security and it was on a test server. You should never release something on a live machine until it has been tested.

  • @chrispi314 · 8 years ago

    As a developer I always think about safety first. My boss can sometimes argue that time is money; I simply answer that I know my job and time doesn't respect what we do without him. The problem you described suggests to me that they hired some low-cost trainee to do the job. Because, even in your studies, you learn basic stuff like that. It's practically like counting on your fingers...

  • @paulaclarke3421 · 7 years ago

    Tom Scott speaking sense as usual. Thanks Tom.

  • @Erraticfox · 9 years ago

    Outstanding, Tom, you always explain these videos with just the right amount of information. Not too much and not too little. Keep up the great work, Tom! Cheers.

  • @PeterT1981 · 4 years ago

    Inspiring passion in your monologues! As a non-nerd, I can’t believe the degree to which I was able to follow that. Well done

  • @Alex2Buzz · 8 years ago

    "When dealing with sensitive information, assume the client is compromised."

  • @gametime449 · 8 years ago

    He indeed did say that.

  • @Alex2Buzz · 8 years ago

    gametime449 Yes, it's my own tweak on it. I actually came up with it before I watched this video.

  • @gunslingerspartan · 9 years ago

    you know... years ago I found this channel and it had throwing drums and a cymbal off a cliff outside Shipley, trying to get on the budget news coverage, and being elected as a pirate captain. I really really like that I can stumble back to it for well made educational content years later

  • @imarcus1973 · 4 years ago

    I once had the pleasure of doing some updates on an accountants' website. I discovered that as well as all their clients' passwords being stored in plain text, their uploaded accounts documents were stored in a publicly accessible folder with consecutive IDs as file names. To be fair the company I worked for had me update the code at no cost to the customer. I was amazed at how many passwords were in the format: [username]123 ...!

  • @JustOneAsbesto
    @JustOneAsbesto 9 years ago

    "Moonpig bug" sounds like something from a Beat Poem, or William S. Burroughs novel.

  • @Sathrand

    @Sathrand

    9 years ago

    Thank you for the hearty laugh.

  • @CoffeeOnRails
    @CoffeeOnRails 7 years ago

    found this kind of incompetence with the reg system at school. they attempted to throw me out

  • @VicvicW

    @VicvicW

    7 years ago

    Zach Ashton A third-party system our school used was terrible. Albeit it was just a past paper system, but it's even the idea of it. I said I'd forgotten my password, expecting the standard enter-new-password malarkey. Nope, it sends me a plaintext version of the password.

  • @geraldhenrickson7472

    @geraldhenrickson7472

    6 years ago

    You are the exception...ie different. Different scares people. Do not stop.

  • @ahreuwu

    @ahreuwu

    6 years ago

    my school got literally a plain windows 7 install from 2010 with no access to updates (somehow) and the admin password was "" (nothing, just press enter). wut

  • @undead890

    @undead890

    5 years ago

    Jack B Ouch, that site hurt my web developer soul.

  • @FabrizioBianchi
    @FabrizioBianchi 9 years ago

    Love when Tom explains protocols and love the new graphics too!

  • @Thiefree
    @Thiefree 9 years ago

    My brother knows me so well. He showed me three of your videos and let me get on with it. One week later, I must've seen forty or more. I like what you do, Tom!

  • @CoolAsFreya
    @CoolAsFreya 4 years ago

    As a networking student, "never trust user input" and "treat everything as malicious until proven otherwise" are the two biggest rules in setting any network or service up

  • @AJG6150
    @AJG6150 8 years ago

    For some reason, whenever I watch Tom's videos, I become thirsty.

  • @namelessasdf

    @namelessasdf

    8 years ago

    wait me too o.o

  • @Joe-wj4hj

    @Joe-wj4hj

    7 years ago

    Thirsty for knowledge

  • @JapaneseWhiteKid

    @JapaneseWhiteKid

    7 years ago

    It's because he always makes mouth noises, if you know what I mean (not speaking obviously)

  • @craigthecat4202

    @craigthecat4202

    7 years ago

    Me too :o

  • @the1exnay

    @the1exnay

    6 years ago

    Me too ;)

  • @thenerdyouknowabout
    @thenerdyouknowabout 9 years ago

    I have never heard a better summary of Moonpig! Brilliant, Tom!

  • @d3line
    @d3line 9 years ago

    Thank you! I really enjoy your tech-y videos.

  • @DemolitionTurtle
    @DemolitionTurtle 9 years ago

    Great video, Tom! I'm never gonna give up watching if you're never gonna let me down with these ;) I really like these computer security videos, although it is scary how insecure some reputable services are.

  • @Kitulous

    @Kitulous

    3 years ago

    did you just rickroll me?

  • @LunizIsGlacey

    @LunizIsGlacey

    2 years ago

    @@Kitulous yes, they did.

  • @AllThoughts3rased
    @AllThoughts3rased 6 years ago

    "Moonpig, well they make crap." Oh, this is gonna be good

  • @Kerbal_fever
    @Kerbal_fever 3 years ago

    I always remember my IT teacher looking over our code as 'A test of destruction'.

  • @FerroNeoBoron
    @FerroNeoBoron 9 years ago

    "Code it like someone is going to break it" is not only a good mantra for security purposes, it's usually a good mantra for writing application code in general.

  • @j2simpso
    @j2simpso 4 years ago

    Ahh, good ol' pentest. As a leftie I'm very fond of this, as most pens on the market smudge unless you adopt a crane's grip on the pen. Having to go through the hundreds of pens to find that one pen that both doesn't smudge but also maintains a smooth flow of ink is crucial. 🤣

  • @Khunark

    @Khunark

    1 year ago

    goddamned liberal

  • @Booone008
    @Booone008 9 years ago

    Excellent video! It baffles me every time I hear of one of those incidents that there are still PAID developers who make these mistakes. Allow authentication with nothing but an auto-incrementing user id?! I cannot even count the amount of bells that should ring. Heck, even 9-year-old me wrote better authentication systems than that (and that used a shitty md5 function applied to the non-salted password, and the token was a PHP session id transmitted over the URL query string ... good old times ...). I didn't consider it possible to find something worse than that in f***ing 2014! Thanks for spreading awareness, Tom, and kudos to the guy who reported the hole.

  • @Vedrajrm
    @Vedrajrm 6 years ago

    This channel is amazing, I've been binge-watching his videos like every day

  • @djofftheshit
    @djofftheshit 1 year ago

    7 years later, the description was never updated

  • @Roxor128
    @Roxor128 9 years ago

    "Innocent until proven guilty" is for lawyers, not software developers.

  • @ANXIETOR
    @ANXIETOR 9 years ago

    I see that three employees of moonpig gave you thumbs down.

  • @CinemaDemocratica
    @CinemaDemocratica 1 year ago

    Greatest opening line of a Tom Scott video in history.

  • @SulphurS16
    @SulphurS16 4 years ago

    The beginning is the best explanation of moonpig

  • @levolta
    @levolta 9 years ago

    Interesting video! I would like to know what exactly identity theft is. I get the main idea, but I, and I think many others, do not know exactly what bad things can be done (or have been done in the past to regular people). Most people I know do not really care about it.

  • @TomScottGo

    @TomScottGo

    9 years ago

    levolta It's a shorthand for "someone impersonating you" -- best case, they order a couple of things using your credit card, your bank notices and cancels everything, no major harm done. Worst case -- and you see cases of this with relatives and friends, not unknown online attackers -- they take out some loans in your name, run off with the money and ruin your credit score.

  • @NNOTM

    @NNOTM

    9 years ago

    ***** I think the worst case is probably a whole lot worse than that. Granted, this is unlikely to happen to a lot of people, but I think someone who can impersonate can, in addition to ruining your credit score, also ruin the relationship with anyone you know, get you to lose your job, get you into a court for some crime you didn't commit, etc.

  • @Booone008

    @Booone008

    9 years ago

    NNOTM As you pointed out, doing that is luckily not the goal of the average bad guy targeting insecure services. If the attacker does not hold a personal grudge against you but is instead targeting random people that he happens to be able to hijack, he is usually "only" after money and/or prestige. That being said, it can still ruin you pretty easily when your online identity is taken over, especially nowadays where so much of our life takes place online ...

  • @jca111

    @jca111

    9 years ago

    Identity theft can manifest in many ways, but I was the victim about 8 years ago, and someone took £2K of loans out in my name. It took me 4 years to clear my name, and an awful lot of aggro. They were however caught. All they needed was my name, address and DOB. Where they got it from (it was no one I knew) I do not know, but it could realistically be many places.

  • @dapperrogue
    @dapperrogue 9 years ago

    Delta Airlines had a similar bug in December that allowed you to use another passenger's boarding pass. Whoops.

  • @timscheive413
    @timscheive413 6 years ago

    Haha I got an Experian ad on this video. Loving your channel

  • @AntiComposite
    @AntiComposite 8 years ago

    Their press response is basically saying "Please don't punish us for PCI violations," as many do. And no, the last four of a credit card number is not payment information. Troy Hunt wrote a good piece on this.

  • @miko5742
    @miko5742 2 years ago

    watching this after spiff's new vid

  • @dom_h
    @dom_h 9 years ago

    Does this mean you can get the tester account details by trying the first few accounts? :D

  • @thebouncyball2305

    @thebouncyball2305

    9 years ago

    most likely, assuming those accounts are still live.

  • @BenMcKenn
    @BenMcKenn 9 years ago

    Congratulations on your second camera Tom

  • @steverhysjenks
    @steverhysjenks 9 years ago

    Very good, and I like the nod to software testing, which is where I specialise.

  • @Falney
    @Falney 8 years ago

    There is nothing wrong with using consecutive numbers for an ID in certain circumstances. For instance, if the ID is kept fully internal and no one ever finds out how your ID system works and it isn't used with vulnerable data. A far more suitable approach (and the one I use) is to use UUIDs. This is a random 36-character hexadecimal value which has less than 1% chance of returning a duplicated UUID for every quintillion UUIDs. There are over 5 unodecillion combinations possible. Which is basically a lot.

  • @Qbe_Root

    @Qbe_Root

    7 years ago

    Of course, just don’t use consecutive IDs as permanent tokens to access private accounts…

  • @floppaquest4916

    @floppaquest4916

    6 years ago

    5 unodecillion? Amateur. Try 2 combinations.

  • @Igneous01
    @Igneous01 8 years ago

    You would be surprised at how terribly vulnerable and poorly designed some software is in the business world. I go mad thinking about what's going to happen when our company launches its SaaS platform...

  • @JackReid0
    @JackReid0 9 years ago

    Saw an older Tom Scott video today. So glad you got a haircut, looking a lot better.

  • @warmachineuk
    @warmachineuk 3 years ago

    As others have written, treat all user input as evil. Desktop web browsers have a developer mode, allowing even amateur users to edit the page they download, including hidden form values, cookies, hyperlink parameters, and form validation done in Javascript. Identify the customer from a hidden customer id in the page and a teenager will hack your application.

  • @a_penguin1183
    @a_penguin1183 4 years ago

    Was it just me that got an advert from Moonpig straight after the video? 😂

  • @fourk_

    @fourk_

    3 years ago

    I started getting moonpig ads. I thought I was the only one

  • @fig8man
    @fig8man 7 years ago

    How do you mine bitcoins with a credit card? where do I even plug it in?

  • @pisse3000

    @pisse3000

    7 years ago

    The disk drive. And don't worry if your computer doesn't have one, there are external ones you can buy.

  • @pisse3000

    @pisse3000

    7 years ago

    ***** (it's a joke)

  • @pisse3000

    @pisse3000

    7 years ago

    ***** But 2 am is the best time to read KZread comments!

  • @Luca-jy8ne

    @Luca-jy8ne

    6 years ago

    I'd say buy a lot of hashing power from someone else and direct it to your wallet. Not sure if there's an easier way.

  • @nishantmehta
    @nishantmehta 9 years ago

    I love your channel. Still a student, aspiring to be a good developer. Thanks

  • @ginfox91
    @ginfox91 9 years ago

    Thanks Tom, another interesting video. I'm glad I've never registered with Moonpig. I'll bear this in mind the next time I code.

  • @allanrichardson1468
    @allanrichardson1468 6 years ago

    When I was programming mainframes, the biggest worry was user input that might ACCIDENTALLY crash a program, and most of the input editing was aimed at those kinds of errors, like someone exchanging a transaction's effective date and their birth date on a form, and then we tried to compute their age. Once the PC and the internet appeared, we also had to worry about outsiders trying to crash or misuse systems on purpose.

  • @TacComControl
    @TacComControl 2 years ago

    Remember to check through more than 14 different listings when checking for Pen-testers. The Pen-15 rule is EXTREMELY important to remember.

  • @warmachineuk
    @warmachineuk 6 years ago

    As a programmer, I know there's simply no excuse for this. Web application frameworks can generate large, unguessable strings of text as session ids. Even if someone manages to copy your session id, it's useless as soon as you logout or you've been idle too long. The client never sees a customer id.

  • @billyjesus5442
    @billyjesus5442 2 years ago

    switching between two static cameras, love it!

  • @samsargent284
    @samsargent284 3 years ago

    "...and run up 10,000 quid mining bitcoin on someone else's credit card." I love you Tom

  • @Ratstail91
    @Ratstail91 9 years ago

    I'm making a game (badly), and I'll need a way to log in sooner or later. I'm seriously considering using Facebook or Twitter APIs, even though it's a native executable.

  • @garouHH

    @garouHH

    9 years ago

    Ratstail91 And thus shutting out everybody who doesn't buy into those sites?

  • @Ratstail91

    @Ratstail91

    9 years ago

    garouHH Fair point. Still, I need a way to ensure I'm not sending my players down a river with the security, you know? Man-in-the-middle is probably the least dangerous problem, considering the size of my playerbase (currently in the single digits).

  • @garouHH

    @garouHH

    9 years ago

    Ratstail91 Well, you could use TLS to encrypt the connection and thus (if you manage to do certificate authentication properly) be safe at that point from MITM by anyone but intelligence agencies. If you then remember to store passwords only as salted hashes, using a still-secure hashing algorithm (I'd currently recommend SHA512), then you're pretty much in the clear. Unless you introduce some vulnerability elsewhere, of course.
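
    A concrete version of the "salted hashes" advice in the comment above, as an added example that is not from the video or from the commenter: it uses PBKDF2 with HMAC-SHA-512 from Python's standard library (an iterated, deliberately slow construction) rather than a single SHA-512 pass, draws a fresh random salt per password, and compares in constant time on verify. The iteration count, the `pbkdf2_sha512$iterations$salt$hash` storage format and the sample passwords are constructed choices for the example.

```python
"""Added example: salted, iterated password hashing for a login database.
Not Moonpig's code and not from the video; all choices below are illustrative."""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha512"
# Constructed choice: a work factor high enough that offline guessing is
# expensive; raise it as hardware gets faster and re-hash on next login.
ITERATIONS = 210_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm, work factor, salt and hash.

    A random per-user salt means two users with the same password get
    different records, so a leaked table cannot be attacked with one
    precomputed lookup. Storing the work factor lets it be raised later."""
    salt = salt or os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and work factor; compare in constant time
    so a timing difference does not reveal how many leading bytes matched."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    derived = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(derived, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record was made with a lower work factor than the current
    setting, so the application can upgrade it after a successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < ITERATIONS


if __name__ == "__main__":
    # Constructed sample: two users choosing the same password still get
    # different records, and only the right password verifies.
    record_a = hash_password("correct horse battery staple")
    record_b = hash_password("correct horse battery staple")
    print("distinct records for identical passwords:", record_a != record_b)
    print("verify correct:", verify_password("correct horse battery staple", record_a))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record_a))
```

The record never stores the password or a reversible form of it, so the plaintext-password-by-email story in an earlier comment becomes impossible by construction: the only thing the server can do with a forgotten password is issue a reset.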

  • @undead890

    @undead890

    6 years ago

    Server side, you can use a proper web framework like Ruby on Rails or Laravel to handle authentication like that.

  • @agustinvenegas5238

    @agustinvenegas5238

    3 years ago

    now i'm curious what's the game you made, how is it going?

  • @douglasg14b
    @douglasg14b 3 years ago

    Don't forget that project management often drives these kinds of flaws, not necessarily the devs themselves. I've been on projects where I bring up that accounts can be enumerated, that IDs are visible sequentially, etc. But it ALWAYS gets deferred to the "It hasn't been a problem yet, so we are not going to work on it" pile of security negligence.

  • @youtubecom3474
    @youtubecom3474 9 years ago

    Well said. Developers so often consider security an afterthought, which makes things harder for everyone.

  • @angelthemage2972
    @angelthemage2972 4 years ago

    it’s been 5 years and they haven’t replied. F

  • @Showsni
    @Showsni 8 years ago

    So what is the best way to report something like this? I ran across a security vulnerability on a certain broadband provider's website entirely by accident - one that ultimately let you log in to anyone's account simply by knowing the username, without having to use the password at all. (Then once you're logged on you can of course see address, email, name, phone number, past invoices, etc...) Several emails to the company over the course of a few weeks and no fix; eventually, after a few months pass, I manage to get through on the phone, walk the tech support person through the steps, and now it looks like they've finally fixed the problem. (I am curious how exactly the problem came to exist, but I'm not exactly tech savvy. Maybe someone could explain it to me if I tell them the repro steps!) Did I do the right thing in keeping quiet and just privately contacting the company?

  • @NoriMori1992

    @NoriMori1992

    8 years ago

    Yes. That's what the guy who found the Moonpig vulnerability did. If they fixed it after you helped them, then there's nothing more for you to do. If they haven't fixed it yet, it's time to go public with it.

  • @peterharrow3621
    @peterharrow3621 6 years ago

    That closing sentence. It gave me feels.

  • @Bob_Burton
    @Bob_Burton 9 years ago

    This reminds me of the way that the Web based expenses system of a company that I worked for was coded. When submitting an expenses claim online it was given an ID (a sequential number) and at the end of the submission process the user was given an option to print the expenses claim form for their records. If you chose to do that the URL for the print request contained the ID as part of a querystring so by substituting another number you could (allegedly) print off any expenses claim ever submitted. When this was pointed out to the people who wrote and maintained the system it was ignored. Bearing in mind that the company was a large software house employing hundreds of programmers I have no doubt that people other than me noticed the flaw and for all I know exploited it to snoop.

  • @Eiddew
    @Eiddew 9 years ago

    MANBEARMOONPIG

  • @vladimirnikolic6612

    @vladimirnikolic6612

    9 years ago

    lold

  • @undead890

    @undead890

    6 years ago

    I'm super cereal

  • @karl5874
    @karl5874 8 years ago

    I just discovered your channel yesterday and have watched through almost all your videos (because they are amazing, brilliant, unique, can't find words) and just realized I have had ADBLOCK ACTIVATED on every single video. (I was just about to ask why you didn't have ads...) I hope Jesus (but primarily you) will forgive me D:

  • @Boolihan

    @Boolihan

    7 years ago

    Hopefully you have rewatched every one of his videos in the month since you posted this. WITHOUT ADBLOCK

  • @karl5874

    @karl5874

    7 years ago

    Wild Gaming Honestly I think I have now... Not even joking...

  • @zsdanix

    @zsdanix

    6 years ago

    Did you know that if you skip ads the content creator gets no money at all, just like if you used adblock. Also, content creators can't get any money from mobile views (where ads might run even for people using adblocks on PC). Yeah, KZread ad revenue is a messed-up system.

  • @grumpygoomba9763

    @grumpygoomba9763

    6 years ago

    Surely they must get something from mobile views assuming the ad is watched all the way through. Mobile is now the biggest platform in terms of number of views.

  • @simmosideways
    @simmosideways 9 years ago

    Hi Tom, I'd love to see details of your main workstation and firewall/router setup. I think it would make for an interesting video. Thanks, from Australia!

  • @hugo57k91
    @hugo57k91 3 years ago

    00:04 I heard that as "and they make personalized crack" and I was very confused