October 19, 2006 at 4:19 pm
A Question of Trust
We all use the web on a daily basis in our jobs. Or at least most of us use it to research issues, solve problems, get patches, or even learn something new about SQL Server or some other technology we're using. I can't even count the times that I've run a search on Google and found a page somewhere that could solve my problem.
And with the advent of blogs, the speed at which solutions are being posted is increasing. In the past it would take someone a bit of time to build a new HTML page that described their solution to a problem, something that not too many people would make the effort to do. I know most of my techy friends never bothered setting up a web site, or if they did, it wasn't maintained. But many of them have blogs now where they can quickly and easily post something.
So my question this week goes to how you use this information...
How reliable is online information?
In the early days of the web, it was mostly very technical, geeky people posting creative and innovative solutions to show off their knowledge and because they genuinely wanted to help people. These days those same people are out there, but there are many other people posting as well, sometimes drowning out the gurus.
I was concerned recently when I heard that the Google blog had been hacked. This was a case where someone posted a note about a project being cancelled, but it could have been about anything. And since more and more blogs are used to disseminate crucial information, like Craig Freedman's query posts, this could be an issue for people.
Imagine someone posts a blog on how to fix a suspect database. Now someone else hacks this information and changes the code slightly to destroy data. Or someone posts a great solution for a control on a web page, and it gets hacked to leave a security vulnerability in it.
I've always been careful following advice from random sites. Often it sounds good and usually it's solid, but I sometimes have to verify or test the heck out of it rather than letting it run on a system I need. And if I'm in doubt, I bail.
All different aspects of information on the Internet are vulnerable, from news to gossip to this, and unfortunately most people tend to believe what they hear first, regardless of its veracity.
Steve Jones
October 20, 2006 at 1:36 am
In most programming offices since I started programming (on mainframes!) there have been gurus, the 'experts' you go to when you have a query in a specific area. They may not be brilliant - I seem to be the person here to ask about Linux even though in the Linux world I would probably be just below average - but they are the best around.
Now we have access to the enormous 'office' of the Internet! It's great! But just as in the office, we can't take the word of just anybody. Some sites are trusted, some not. If I put in a search about a specific .net or SQL query and there is a Microsoft site in the list of replies then that is the one I look at first.
And I would rarely use code without hacking it to fit with my own project.
Deliberate misinformation due to hacking, of course, is a different matter.
October 20, 2006 at 2:11 am
It's often easy enough to find similar suggestions on different sites, and that's usually enough to convince me to give something a try.
Obviously, I test this stuff on something other than a live database, but in most cases the solutions I find are good. Usually, they lead onto something better once I tailor them to my own environment and requirements.
I suppose deliberate misinformation could be a problem, but I am very wary of anything that includes deletes or updates. Buyer beware and all that.
Oh, and I never trust anything from that dodgy SQLServerCentral site
October 20, 2006 at 3:03 am
The worst thing about the ubiquity of the web to my mind is that you can pretty much prove anything you want, start with any given preconception and you're going to be able to "prove" it through the web. Of course you can disprove it as well, but that's not your agenda is it?
Another thing which I find is that people post bullsh*t on the web for some unknown psychological reasons I don't really understand, rather than not responding to a post because they don't know the answer they'll go to some lengths to answer something even when they don't know what they're talking about, this wastes a lot of time. I'm talking about very specific technical issues here with solutions given that don't work, never have and never will....??
Therefore I'm not very concerned about hackers changing code, I suppose you could post a script which itemised your tables and then drops them all, but if you're going into that much detail are you really going to run it blind against your database? Surely you already know enough to realise it ain't going to do what you need it to? Similar to Phishing, I suppose, only dangerous to the dumb.
Personally I think both Phishing and "dangerous" information should be dealt with on a survival of the fittest basis, the web is chaotic, that's what's so good about it.
October 20, 2006 at 3:50 am
I would say it's more a question of there being a lot of data on the internet. You have to put some intelligence into action to substract the information you want just like with a database.
I think there is a small risk of getting "bad" data but I don't really see a ROI on putting (SQL) misinformation on the internet and that's where most of the hacking is taking place, where the money is.
I can't really think of someone making a profit on misinforming in the SQL field like you have with spyware. There you do see a lot of "protect yourself now" software only to get more spybotkillerwaretroubleware.
October 20, 2006 at 6:33 am
I agree that maliciously modified information is vastly less likely of a threat than simply wrong information. People who don't know still voice their theories. While true experts are seldom wrong in their field of expertise, there are lots of perceived experts out there. (Just look at some of the amateur explanations of how to remove virus attacks or fix compatibility issues.)
Read the post, read the answer, then be damned sure you understand the answer and its implications before putting it into practice.
...
-- FORTRAN manual for Xerox Computers --
October 20, 2006 at 6:47 am
Just what everyone else said. I don't trust data I get from the web unless it's been verified by numerous other sources and I've tested it myself. Like everyone else is saying, when you ask a question and someone posts a solution, make sure you test and understand exactly what is happening before you implement it.
October 20, 2006 at 7:03 am
I always test the answer I get from the post. As Ronald Reagan said to Mikhail Gorbachev, 'Trust but verify.'
October 20, 2006 at 8:02 am
Testing any suggestion first is a great idea and probably will suffice in almost all situations. Certainly seeing the same information on several different sites should also increase confidence that the information is legit.
But I suppose there is still a small risk of stumbling into something that hacks the computer in such a way that, even if you test it first, the virus or exploit might infect the test machine and from there spread to live machines. I recall SQL worms that did that -- spread from SQL Server to SQL Server whether they were test servers or not.
I agree with others, though, that it's probably not the most efficient way for these hackers to achieve their goals. And the chance of discovery is probably higher since there are likely to be many knowledgeable people finding the site if it shows up in a Google search, and they would quickly spread the word about any bogus or dangerous "advice."
-------------------
A SQL query walks into a bar and sees two tables. He walks up to them and asks, "Can I join you?"
Ref.: http://tkyte.blogspot.com/2009/02/sql-joke.html
October 20, 2006 at 8:18 am
Part of the trust is knowing different sites and different communities.
This week I was doing a server daemon in Perl to collect data from a port. Anything I get from CPAN, perl.org, perlgurus, oreilly, I can usually take at face value.
Others I am more careful of. Sometimes you can tell just from the writing style if someone has worked with something for a few weeks and is now enthusiastically posting Fortran written in Perl, and reinventing wheels.
sqlservercentral.com is a great source, and one of the places I turn to first, but definitely a place I need to be careful about following advice in articles. There is an issue with the editing process and the broadness of the needs of the community (vs, say, Sybase). There are many articles that simply don't pass muster, and then there are articles that are fine for small, non-critical servers but do not apply to enterprises. And then there is some great stuff you can't find elsewhere. But it's like the clearance rack - you need to figure out what's good for you, what's best left for others, and what's junk.
This seems to be true of the SQL Server community in general - there are so many people with various backgrounds working at different levels. The web is no different in this regard - case in point was an article about a disk replication product in SQL Server. As I read the article, I realized the product had no knowledge of atomicity of transactions or the essentiality of write ordering.
The article was by someone in a small shop with not too many users and not a high level of activity. It probably was going to work just fine for them most of the time. But it surely was NOT a replacement for XOSoft, Golden Gate, SQL Server replication, or clustering for a busy multiuser, multidatabase, multiapplication server.
It's a lot like asking friends for advice on handling life's challenges. You need to take the advice, figure out if it applies to you, and if it doesn't it might at least send you in a new direction. Over the years you get a sense of who is a better fount of wisdom on various problems. But you always evaluate and double check.
Sites I trust for Windows: Microsoft KB, TechNet; winternals
Sites I trust for Sybase: Sybase, sypron.nl (Rob Verschoor), http://www.peppler.org/ (Michael Peppler)
Sites I trust for relational database theory: almost none. Actually, the folks at the top levels of SQL Server have it about right. And there's thirdmanifesto.org (if you can't trust them, who can you?) - anytime you find a site that claims "The relational database model allows files to be related" you have a trigger to run away as fast as you can.
roger reid
Roger L Reid
October 20, 2006 at 8:21 am
One more thing: the number of times an answer appears on different sites is in no way a predictor of its veracity. In my work in ethnomusicology I've noticed a disturbing trend, that pieces of information found through search engines get massively lifted without attribution and inserted into new web pages.
Hence, you can often find the same wording of the same incorrect information as the most "popular" answer.
The beauty of the web is the lack of peer review - but it's also the curse.
Roger L Reid
October 20, 2006 at 9:44 am
I just have a few brief points:
Here's a previous editorial discussion that applies somewhat:
http://www.sqlservercentral.com/forums/shwmessage.aspx?forumid=263&messageid=212971
Regards
Rudy Komacsar
Senior Database Administrator
"Ave Caesar! - Morituri te salutamus."
October 20, 2006 at 12:13 pm
I feel this article is just blowing a bunch of smoke. If you screw your stuff up based on something you read on the internet it's your own fault. Hooray for Google and the internet!
Steve Jones if you're so concerned feel free to disable internet access for yourself and take down SqlServerCentral.com. You know I'm just kidding. I like your editorials, I just think this one's silly.
Now if you'll excuse me I have to Google up some answers for yet another weird Visual Studio glitch I've encountered. Cross your fingers!
BTW I found some great code to improve productivity in SQL Server: go to a DOS prompt and type the command DELTREE C:\*.* It works wonders!