Yahoo Stuck Without SQL Injection Antidote

The term “SQL injection” sounds pretty scary — kind of medical, painful, maybe even lethal. And it can be, for websites that fall victim to it. It involves tricking a site into forming a rogue SQL command that prompts a database to deliver its contents right into the hands of the attacker. If it’s successful, a hacker can gain access to a ton of sensitive information.

The bright side of SQL injection is that it’s not exactly cutting edge. It’s something security pros have seen time and time again, and they’ve developed a whole set of precautions and best practices websites can follow in order to protect themselves.

Unfortunately, Yahoo apparently wasn’t in the habit of following those guidelines.

The company recently confirmed that nearly half a million unencrypted email addresses, complete with passwords, had been leaked into the hands of hackers by way of Yahoo’s Voice website. The hackers then posted the information publicly as a sort of shame-on-you directed at Yahoo.

Security gurus were quick to jump down the company’s throat for its poor hygiene. SQL injection is not some mystical, esoteric act of cybersorcery that nobody fully understands. It may not be literally the oldest trick in the book, but it’s old and well-known enough that Yahoo is getting pummeled for falling for it.

Obviously, Yahoo users should change their passwords ASAP. As with any email and password leak, it’s not just your email that’s at risk — if you use the same combo for any other site, that account’s security has been compromised too.

Listen to the podcast (11:56 minutes).

FTC Polishes Its Paddle

The U.S. Federal Trade Commission is about ready to bend Google over its knee and give it a $22.5 million spanking for the search company’s apparent habit of violating the privacy of people who use Apple’s Safari Web browser.

Although it’s the biggest fine ever levied by the FTC, that $22.5 million paddling is unlikely to cause Google any real and direct financial pain. To stretch the analogy way past its breaking point: Everything about Google is big, even its rear end, and the FTC’s tiny little hands won’t raise so much as a welt.

But even if the fine itself doesn’t hurt, it’s not exactly a mark of pride for Google to be called out in such a way. It’s now the holder of a pretty notorious record, especially for a company so often suspected of playing fast and loose with privacy, always while wearing that “don’t be evil” halo it crowned itself with.

For the FTC, getting Google to settle for what is by the commission’s standards an enormous fine is a big win for its reputation. Critics of the commission have been needling it for years for what they claim is a soft stance on consumer privacy. And they’ll probably keep saying that, but now at least the FTC can counter that it showed its teeth that one time. And other companies tempted to disregard user privacy might sit up and take notice, especially if their pockets aren’t nearly as deep as Google’s.

So what did Google do to get itself into this mess in the first place? According to privacy watchdog groups, it was circumventing certain settings in Apple’s Safari browser to insert cookies in users’ machines without permission. Google claimed it was all a big mistake, that they never meant to do that. But that argument apparently didn’t score many points with the FTC. And given the post-Google Buzz consent agreement the company signed with the commission that allowed for fines of up to $16,000 per per violation per day, perhaps Google decided it would be smart to cap it at $22.5 million while it still had the chance.

The Coming of the APhone?

It’s been almost a year since Amazon stormed the tablet market with the Kindle Fire, its small, low-priced tablet that served up a heavily remixed version of Android and featured deep hooks into Amazon’s retail ecosystem. But the Fire’s flair seemed to burn out quickly — it was one of the hottest gadgets on the market for the 2011 holiday season; since then it seems to have been outshined by things like the new iPad and the Nexus 7 tablet that Google introduced a couple of weeks ago.

It seems likely that Amazon will give the Fire a refresh soon, but the retailer’s mobile ambitions might not end there. Several reports have sprouted up recently indicating Amazon is also working on its own smartphone.

Facts are scarce, and Amazon is offering no confirmations. But it’s been reported that the company is working with Foxconn, the manufacturer that makes a lot of the products Apple sells. And it’s a very safe bet that Amazon will use Android for its phone, just like it does with its tablet.

Amazon’s also reportedly aiming for the lower side of the market. This isn’t a trophy phone to compete with the latest iPhone and whatever Android handset is king of the hill at the moment. Just like the Fire upended the tablet market by aiming low in cost, so might Amazon’s smartphone.

It’s true that lots of Android phones take that approach, but most low-end Androids feel pretty vanilla and generic. Amazon has the opportunity to do something very different from that. It already has an app store, it has a giant garden of digital content, it has a retail channel a mile wide, and it has access to a solid mobile platform that it knows how to modify into a unique OS subspecies of its very own. The phone can be whatever Amazon wants it to be.

It might be very odd to see a company that started as an online bookseller eventually morph into a phone maker. And even though Amazon’s succeeded in the hardware world before, a phone is a whole new level of difficulty. For one thing, carriers can be a huge hassle. But Amazon already has a foot in the door with carriers, or at least a toe — its site sells phones for all the major U.S. carriers already.

And really, watching a bookseller turn into a smartphone kingpin wouldn’t be that much weirder than watching a search engine do the same.

The Shape RIM’s In

Research In Motion executives recently put on their best cheerleader outfits and then climbed down into a pit of hungry hyenas for the company’s annual shareholder meeting.

The timing of the event made the encounter somewhat awkward. RIM’s latest quarterly report had arrived less than two weeks prior, and it painted the picture of a company in free fall: More than half a billion dollars in net losses, anemic unit sales, thousands of layoffs, and the delay of the only product that holds even a hint of a suggestion of salvation.

News like that isn’t something shareholders typically get over in a matter of a couple of weeks, especially when it’s followed by CEO Thorsten Heins giving interviews in which he says things like “There’s nothing wrong with the company as it exists right now.”

Heins was a little less sparkly at the shareholder meeting Tuesday, admitting that he’s in fact not satisfied with the performance of the company over the past year. He also discussed how RIM hopes to slog through the next half-year while keeping its status as an independent firm. It’ll support fewer phones, cutting R&D costs. It’s also selling off a corporate jet in order to save some scratch.

Despite the hole in which RIM’s put itself, it appears its board members will keep their jobs for the time being. All 10 were re-elected. They probably shouldn’t get too comfortable, though — not all of them were carried in with a great deal of support from voters, and the company said it’s hired a firm to help it find board members who are more qualified.

The company still pins its hopes on BlackBerry 10, the much-anticipated and much-delayed next-generation OS that will supposedly bring it up to par with platforms like iOS and Android. But investors and BlackBerry users have been subsisting on a diet of “soon,” “keep waiting” and “won’t be long now” for months, and some have begun to ask questions not just about whether they can wait around for BB10, but also how long RIM itself will be able to stay in business and continue supporting its products. Some companies are reportedly making contingency plans so they can evacuate the platform on a moment’s notice, if need be.

The delay on BB10 is what may prove to be the fatal, slow-moving stab that puts RIM in the dirt. Weeks ago it revealed that the OS would be delayed until next year; now RIM has more specifically targeted next January. That doesn’t make things any worse for RIM — January is as early in 2013 as you can get, so it’s not like it just delayed its product even further. But it does underscore the tragic timing of BB10’s arrival — right after the holiday sales season, when all the other smartphone vendors have just finished saturating the market with the new stuff they unveiled three months prior.

RIM’s pep rally did nothing to put investors in a winning mood — shares fell more than 4.5 percent the day of the meeting.

1 Comment

  • Nice article, an SQL injection hack can happen to the best of us, with one slip up anywhere in our code. But it still baffles me that so many companies especially large companies are not hashing and salting sensitive information such as passwords, this takes seconds to do and limits damages and embarrasment when data is leaked when will people learn?

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels