rc3.org

Strong opinions, weakly held

Month: April 2008 (page 1 of 4)

Used 1984 Ferrari for sale

The 1984 Ferrari 308 that Edmunds has been testing for the past year is for sale. They purchased it for $28,000 and spent $5,000 on repairs over the course of the year. Wonder how much they’ll get for it? Probably not as much as they get for the 2002 BMW M3 that the staffers have been raving about since January.

The investigative humorist

How does The Daily Show find all of those amazing clips of politicians saying stupid and contradictory things? By tapping into the mind of one guy who has been with the show since the beginning. The Washington Post profiles Adam Chodikoff, the video producer for the show. It’s amazing what he does, when you think about it.

White House email: malice or incompetence?

Since it was initially disclosed that the White House had lost millions of emails that were required by law to be archived, I’ve been wondering whether they were lost due to technical ineptitude or “lost” for political expedience. Ars Technica published an article today looking into that question.

It looks like incompetence may have played a big part. The White House replaced Lotus Notes with Microsoft Exchange, and replaced the old archiving system with the “hey dude, make a backup every now and then” system. On the other hand, the habitual use of external email accounts by some White House staffers looks more suspicious:

As if that weren’t bad enough, there is also evidence that some senior Bush administration officials have taken to using non-government e-mail accounts as a way to skirt the requirements of federal law. For example, the National Journal has reported that while Karl Rove was working in the White House, he used an outside account provided by the Republican party for “about 95 percent” of his correspondence. Indeed, Democrats on the House Committee on Oversight and Government Reform estimate that 88 senior White House officials had e-mail accounts with the Republican party or the Bush re-election campaign, and many officials used them extensively.

On that front, however, I suspect that there may be more to the story. I wonder if it’s the case that it was just easier for White House staffers to get Blackberries through the RNC than through official government channels. I have a friend who’s a politician, and his campaign account pays for his Blackberry. If most of the staffers had RNC-provided Blackberries before they got to the White House, it wouldn’t surprise me if they kept them.

Either way, using the external accounts for official correspondence was illegal and in the end will result in the historical record of the Bush years being less well documented than it should be.

Is the personal Web site a thing of the past?

Given how easy it is these days to outsource Web functionality that you once had to create for yourself, Wired Compiler asks whether the standalone personal Web site is an endangered species. Back in the day you had to install your own blog software, set up your own photo gallery, and take care of everything else on your own as well. These days it’s a lot easier to just upload your photos to Flickr, set up a blog on any number of free or paid blogging services, and keep track of your friends via any of a number of social networks.

Furthermore, the network effects offered by those sites provide some key advantages over building your own site. It’s interesting that having your own domain and Web site once set you apart from the crowd because it meant you were an early adopter; perhaps soon it will mark you as unusually old-fashioned.

Donald Knuth on unit tests

Programming guru Donald Knuth on unit tests:

As to your real question, the idea of immediate compilation and “unit tests” appeals to me only rarely, when I’m feeling my way in a totally unknown environment and need feedback about what works and what doesn’t. Otherwise, lots of time is wasted on activities that I simply never need to perform or even think about. Nothing needs to be “mocked up.”

If your name is not Donald Knuth, you must continue writing unit tests.

Donald Knuth on mortality:

Naturally, the cancer will be a serious concern. I have superb doctors. At the moment I feel as healthy as ever, modulo being 70 years old. Words flow freely as I write TAOCP and as I write the literate programs that precede drafts of TAOCP. I wake up in the morning with ideas that please me, and some of those ideas actually please me also later in the day when I’ve entered them into my computer.

On the other hand, I willingly put myself in God’s hands with respect to how much more I’ll be able to do before cancer or heart disease or senility or whatever strikes. If I should unexpectedly die tomorrow, I’ll have no reason to complain, because my life has been incredibly blessed. Conversely, as long as I’m able to write about computer science, I intend to do my best to organize and expound upon the tens of thousands of technical papers that I’ve collected and made notes on since 1962.

Mass SQL injection update

Looks like the misreporting of the mass SQL injection attack continues. The exploit is associated with MS SQL Server, not IIS or ASP. It’s confusing because most people run the full Microsoft stack, but the exploit will work against any site that does not prevent SQL injection and uses MS SQL as its database. (This misreporting was most recently seen at the Mass Attack FAQ at hackademix.net and Wired: Compiler.)

Also it’s worth noting that the best solution to this problem (noted in the comments on yesterday’s post by Simon Willison) is to use prepared statements to generate database statements rather than building them using string concatenation.

If you’re a PHP developer using MySQL, that means using mysqli. For most other languages, that means simply not misusing your database library. For example, with JDBC (Java’s generic database access library), you can build SQL statements with string concatenation, but it’s just as easy to use prepared statements. There’s a good explanation of how to use prepared statements to avoid SQL injection attacks in ASP.NET at Scott Guthrie’s blog.

I think these days most people are pretty good about using prepared statements for inserts and updates, but they still get lazy and use string concatenation when building WHERE clauses, especially in cases where expressions are added to the SQL query dynamically. When doing so, the key is to go through the process in two steps: first build the statement dynamically, leaving placeholders in the query wherever a value belongs, and then prepare that statement and bind the parameters to it properly. It’s a bit more work, but it’s essential for security.
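The two-step approach for dynamic WHERE clauses, as an added example that is not from the original post: Python's built-in sqlite3 module stands in for MS SQL or MySQL, and the `posts` table, the filter names and the sample rows are constructed for illustration.

```python
import sqlite3

# Identifiers cannot be bound as parameters, so SQL fragments come only from
# this allow-list (hypothetical filter names), never from user input.
ALLOWED_FILTERS = {
    "author": "author = ?",
    "title_contains": "title LIKE ? ESCAPE '\\'",
    "min_year": "year >= ?",
}


def _like_pattern(text):
    # Escape LIKE wildcards so user text matches literally.
    for ch in ("\\", "%", "_"):
        text = text.replace(ch, "\\" + ch)
    return "%" + text + "%"


def build_query(filters):
    """Step 1: assemble SQL text with placeholders; collect values separately."""
    clauses, params = [], []
    for key, value in filters.items():
        if key not in ALLOWED_FILTERS:
            raise ValueError("unsupported filter: %r" % key)
        clauses.append(ALLOWED_FILTERS[key])
        params.append(_like_pattern(value) if key == "title_contains" else value)
    sql = "SELECT id, author, title, year FROM posts"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql + " ORDER BY id", params


def search(conn, filters):
    """Step 2: hand the statement and the bound values to the driver."""
    sql, params = build_query(filters)
    return conn.execute(sql, params).fetchall()


def sample_posts_db():
    # Constructed sample data, in-memory only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, title TEXT, year INTEGER)")
    conn.executemany("INSERT INTO posts (author, title, year) VALUES (?, ?, ?)", [
        ("alice", "Mass SQL injection update", 2008),
        ("alice", "100% uptime", 2007),
        ("bob", "Prepared statements", 2008),
    ])
    return conn
```

A value such as `x' OR '1'='1` passed as the `author` filter is compared as a literal string and matches no rows, because it never becomes part of the SQL text.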

Truer words

Seen linked on my Twitter stream:

If your goal is to be a productive member of a community, avoid its advocacy groups

From the comments at Chris Dolan’s journal.

Mass SQL Injection attack

I’ve been reading up on the mass SQL injection attack launched against servers running IIS and MS SQL Server last week. That article is a bit out of date, as the problem turned out not to be a security hole in IIS but rather security holes in the Web applications themselves. The script that compromised the sites was clever enough to probe for forms that didn’t prevent SQL injection, and injected SQL specifically designed to work with MS SQL.

The article linked to also says that the attacks were first reported on April 17, but I found an incident report from April 13 describing the attack.

The end goal of these attacks is to infect client PCs with malware. The attack appends markup to database fields that includes JavaScript from a third-party domain. When any page that displays the field is viewed by a user, the JavaScript is downloaded and executed, and any unpatched client PCs will be infected by the malware.

IIS.net has a post that explains exactly how the attack works. The script finds a form on the site that does not properly escape user input and injects SQL that finds all of the text columns in the database and appends the HTML that loads the malware to each of them. You can read more about it here. The main innovation in this attack is the cleverly written SQL that’s injected. A similar attack could be launched against any application that does not protect against SQL injection. MySQL is somewhat protected in that most sites are running MySQL 4.x, which doesn’t provide support for stored procedures.
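A check for the kind of tampering described above, as an added example that is not from the original post or from IIS.net: it walks every text column and reports script tags that load from a host outside an allow-list. SQLite's catalogue stands in for MS SQL's (where `INFORMATION_SCHEMA.COLUMNS` would be queried instead), and the trusted host, table and rows are constructed.

```python
import re
import sqlite3

# Hosts this site legitimately loads scripts from (assumption for the demo).
TRUSTED_SCRIPT_HOSTS = {"static.example.com"}
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)


def quote_ident(name):
    # Identifiers come from the schema catalogue, but quote them anyway.
    return '"' + name.replace('"', '""') + '"'


def text_columns(conn):
    """Yield (table, column) for every text-typed column in the database."""
    tables = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()
    for (table,) in tables:
        for _cid, col, ctype, *_rest in conn.execute("PRAGMA table_info(%s)" % quote_ident(table)):
            if any(t in ctype.upper() for t in ("CHAR", "TEXT", "CLOB")):
                yield table, col


def find_injected_scripts(conn):
    """Return (table, column, rowid, host) for script tags from untrusted hosts."""
    hits = []
    for table, col in text_columns(conn):
        sql = "SELECT rowid, %s FROM %s WHERE %s LIKE ?" % (
            quote_ident(col), quote_ident(table), quote_ident(col))
        for rowid, value in conn.execute(sql, ("%<script%",)):
            for host in SCRIPT_SRC.findall(value):
                if host.lower() not in TRUSTED_SCRIPT_HOSTS:
                    hits.append((table, col, rowid, host.lower()))
    return sorted(hits)


def sample_site_db():
    # Constructed sample: one clean row, one trusted script, one tampered row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title VARCHAR(80), body TEXT)")
    conn.executemany("INSERT INTO articles (title, body) VALUES (?, ?)", [
        ("Hello", "plain text"),
        ("Widget", '<script src="https://static.example.com/w.js"></script>'),
        ("News<script src=http://untrusted.invalid/x.js></script>", "ok"),
    ])
    return conn
```

Run against a restored snapshot as well as the live database, this shows which backups predate the tampering.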

There are several takeaways from these attacks:

  • The only common vector in these attacks is MS SQL Server. Any application that does not prevent SQL injection could be the vector. So a Java application running on Solaris or a PHP application running on Linux could also be affected if they store their data in MS SQL.
  • You should minimize the privileges granted to the database user that the Web application uses. If your application uses the “root” or “sa” account, give up now. Just using grant all is the wrong idea for a production account. Figure out which privileges the account must have for your application to work properly, and grant only those.
  • If you’re writing Web applications and you’re not sanitizing user input, you need to go back to the drawing board. I’m beginning to think that languages like PHP and libraries like J2EE should sanitize all input by default and force programmers to go out of their way to access the original input. In other words, in PHP, $_REQUEST should contain escaped data by default. Many programmers don’t know what they’re doing, and in the case of attacks like this one, it’s end users who get hurt, not just the people who wrote the compromised application.
  • Just visiting Web sites you trust isn’t enough to keep you safe. Keeping your PC patched up and running security software is essential to preventing your PC from being compromised. It just keeps getting more dangerous.
  • Replication and backup are two different things. When this attack was run, all of the bad information inserted by the attack was almost certainly copied to the replication server immediately. Taking a snapshot of your data frequently is perhaps more important than replication. (Those of us who have run an errant update or delete statement and wiped out a ton of data, only to see the results replicated immediately already know about the dangers of relying on replication.)

Tyler Cowen on the reality of politics

Tyler Cowen in a post entitled Can we learn anything from the Democratic spat?:

Nonetheless constructivist attempts to remake America will, by political debate, be reshaped along traditional fault lines. That means your good idea — be it libertarian, progressive, or whatever — had better be pretty robust to mangling by the stupid, the emotional, the cynical, and the ill-informed.

The LAFD on Twitter

Today I stumbled across the Twitter feed for the Los Angeles Fire Department. I thought it was sort of a silly novelty until I clicked on the Twitter feed for the only person LAFD is following, Brian Humphrey, a public spokesperson for the department. Humphrey’s use of social sites to create a lightweight process for disseminating news from the department is clever and effective.

LAFD also publishes alerts to a Google Group, LAFD_ALERT, which contains the same information as the Twitter feed, and a blog that publishes longer articles. The home page for the Google Group explains what the alerts are for and how they’re used.

What I like about Humphrey’s approach is that it works with the web rather than just being on the web. Had LAPD put a form on their Web site that said, “subscribe to LAPD alerts,” it would be unlikely that they’d be seeing the public engagement that they get by taking advantage of existing services for which people have already registered. This approach surely works for him because implementing it was free of cost (other than his own time) and probably red tape (he didn’t need to get any help from IT to set it up). But the side effects are worthwhile in and of themselves. It’s a great example of how it can be more effective to reach users on the services they already use than to build a new service and expect them to come to you.

The LA Voice and Governing magazine have both published articles on Humphrey’s work if you’re interested in reading more.
