
Yes, it seems obvious to web developers and developers that are used to working with databases and CRUD apps, but that's one set of skills over a particular domain. Game development tends to emphasise a whole different set of skills — those of efficient graphic rendering, for example.

A points table is no doubt a last-minute add-on in a field that certainly wouldn't be the expertise of a small indie developer (no-one goes into game development for their love of CRUD apps, after all). They needed a database so they used the most popular, in a way that probably seemed the most appropriate for their application.



Ah, but remember, they've "done this stuff for a while now". Either they know and don't care, or they don't know and they're claiming they do. There's no good way out of this, they're messing up potentially catastrophically regardless of the truth.


Not knowing is one thing.

Not knowing, being informed about it, and arrogantly blowing off that information is inexcusable, unprofessional, and deserving of all that scorn.

It would have been very easy to say, "Thanks for bringing this up, we will look into it", instead of being condescending and ending up looking like an ignorant jackass.


I can't imagine anyone specializing to such an extreme. If you want to make multiplayer games, for example, you have to know this stuff.

Every competent programmer should be familiar with basic security principles. It's then your responsibility to educate yourself about how to apply those principles in a given situation.


No, you don't. I work for one of the top social gaming companies around right now and programmers do specialize to a ridiculous degree. The programmers who write code for the actual game are rarely web developers. It's simply a different domain.

I can confidently say this because I'm a web developer in a studio of game developers and most of them don't even know how to run MySQL locally. They aren't stupid, they could, if they spent the time to learn it. But they are much more interested in improving the efficiency of their A* pathing algorithm.


Well, it's fair to say that programmers specialise, but presumably you're only working on the website, and the game developers are only working on the game. TillE was right - if you are going to implement this stuff, you should know what you're doing, or at least seek advice from people who do.

Regardless, the Super Meat Boy developer made a pretty basic mistake, which you could perhaps defend with your argument, but he then refused to engage with someone who was reporting a vulnerability and trying to help. To me, that's pretty astounding.


Game development especially has a lot of well-meaning customers who haven't got a clue what they're talking about (a lot of kids). Whilst he probably should have listened, it's understandable why he may have dismissed a random on Twitter.


The guy took a stack trace of a segfault. If a guy comes up to me, tells me I have a glaring security flaw, and shows me a stack trace of my own code to prove it, I'd be an idiot /not/ to give him at least a few minutes of my time, no matter what community he comes from.


This is true. Whilst you might not expect them to build a beautifully layered J2EE or RoR solution with full transactional integrity, a few hours with some basic PHP tutorials would not have gone amiss.

This is especially spooky since MySQL contains a few scary features like System(), not to mention that anybody could connect and write a script to do massive cross joins (as indicated in the original thread). I'm sure any decent game developer would understand the implications of O(n!), but they were probably blissfully unaware that these features even exist.

I doubt that Notch would have made such a schoolboy error :)


> I doubt that Notch would have made such a schoolboy error :)

He made an equivalent one: he wrote his own database[1], in the age of SQLite being dumb-as-dirt-simple to use and MySQL almost a no-brainer.

[1] - http://notch.tumblr.com/post/1166302589/this-is-what-im-doin...


Well, he made the error and immediately corrected it when it became an issue.


No, he corrected it after it had been an issue for some time and was negatively impacting his customers' enjoyment of what they had purchased.

Throughout Minecraft's development, "barely good enough, and sometimes not even then" has been the externally visible modus operandi. That so many players put up with customer abuse is unfortunate, not least because others will consider Notch's slipshod development practices and infantile product management goals to which one might aspire.



