No One is Safe

  • Heh... can you imagine? Someone calls at 2:00AM with a prank call to ask "Is your refrigerator running?" and when you go to look, the damned thing has taken off down the street because of a bar code on a milk carton? 😛

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • That's thinking outside the square - even as a developer/SQL-admin, I have to admire his ingenuity.

    😛

    Chris

  • and ensure every developer understands what SQL Injection is.

    It means every developer (negative) would turn into a doctor with an injection named "SQL Injection"....

  • Security is a little interesting, but to learn about it you usually have to dig by yourself. It's not promoted like other types of information. A reason for that, I believe, is that it's not easy to teach since there are so many ways and so much to think about, and it's not documented like an API because there is none; security breaches come from people's imagination put into practice.

    Building security functions is also costly and time consuming if you want them to be good and effective so they don't slow down your application. When you have a timeline and a budget, security seems to always come last, and that is a problem and we know it, but will it be a problem for your application or your environment? Maybe it won't. So time, money and knowledge limitations seem to put security last in many cases, and thus we won't get rid of most security issues for a long time.

  • it's not really a million miles from the "little bobby tables" xkcd cartoon from a while back, is it?

    http://xkcd.com/327/

  • That gives me an idea for a new vanity plate so that the electronic license plate readers on the toll highway won't bill me. Thank you for sharing that picture. It certainly made me laugh... and then think about my data import processes.

  • Great picture, and what a genius to think of that! Thanks for sharing it!

    As evidenced by the recent data theft here on the east coast of the US, where two guys drove through TJX's corporate parking lot and wirelessly stole over 300,000 credit card numbers, I think the greatest danger to any kind of security is our own shortsightedness, ego, and more often than not too much 'intelligence' completely shadowing simple common sense.

    Let's face it, throughout history, security is often broken by man's own shortsighted presumptions.

    At Troy, a great battle was fought with great heroics and yet not one single person bothered to ask, "Why are they giving us this giant horse?" as they opened the gates to the 'impenetrable' city, and rolled their enemies in, to their own doom.

    Those who forget or ignore history are doomed to repeat it - and computer security is well laden with pristine examples of overly-intelligent people failing to use common sense.

    There's no such thing as dumb questions, only poorly thought-out answers...

  • That is pretty hilarious.

    I can only imagine being the one troubleshooting the source of the dropped table.

  • blandry (4/20/2010)

    At Troy, a great battle was fought with great heroics and yet not one single person bothered to ask, "Why are they giving us this giant horse?" as they opened the gates to the 'impenetrable' city, and rolled their enemies in, to their own doom.

    There were a few doubters: Laocoon, who railed against the acceptance of the horse, calling it a Greek trick. He of course was ignored, and then murdered by serpents sent by the gods. Cassandra warned them too, but she was ignored as well.

    All too frequently in my career, I've run into a general apathetic attitude from management regarding security. Every time I stand up for it, I always think of Laocoon...

  • Glad you liked it. I thought it was pretty funny when I saw it as well. I wonder if it worked at all, or if they ran down the street with it.

    The TJX thing, that was interesting. In 2001 we were just starting to deploy wireless around the JD Edwards campus. I joined up and noticed that we had a couple of DB2 and SQL Server accounts that had the same password. I went to try and change the SQL Server side and was told that I "couldn't" because they were used by too many applications and were embedded. So I wrote a short story about a former sales guy driving into the parking lot, not getting out of his car, connecting with wireless, using these accounts and downloading customer data.

    I got called down to the security group's office in a few hours being grilled about this happening and what would it take. It was an interesting discussion as they had no clue what wireless meant to them.

    Security is hard, and there are always new ways to attack systems, but there are so many we understand well, like SQL Injection and buffer overflows. Protecting against them isn't hard, it just requires good development habits.
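The "good development habits" Steve mentions for SQL injection, shown as an added example that is not from the thread: a toll-camera import that concatenates the scanned plate into the query (the vulnerable form) beside one that allow-lists the read and binds it as a parameter. The table, rows and the `PLATE_RE` pattern are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample data: a toll-camera import table with a few plate reads.
ROWS = [("ABC123", 4.50), ("XYZ789", 2.25), ("QWE456", 7.00)]

# Allow-list: the only shape a plate read is permitted to have (assumed format).
PLATE_RE = re.compile(r"^[A-Z0-9]{2,8}$")


def make_db():
    """Build an in-memory database holding the constructed toll rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tolls (plate TEXT, amount REAL)")
    conn.executemany("INSERT INTO tolls VALUES (?, ?)", ROWS)
    return conn


def lookup_unsafe(conn, plate):
    """The 'before' form: the camera read is spliced into the SQL text,
    so a read that is really a SQL fragment changes the query's meaning."""
    sql = "SELECT plate, amount FROM tolls WHERE plate = '" + plate + "'"
    return conn.execute(sql).fetchall()


def validate_plate(plate):
    """Reject any read that does not look like a plate before it reaches SQL."""
    return PLATE_RE.fullmatch(plate) is not None


def lookup_safe(conn, plate):
    """The hardened form: the read is bound as a parameter, so it can only
    ever be compared as data, never parsed as part of the statement."""
    if not validate_plate(plate):
        return []  # a rejected read should also be logged for the import operator
    sql = "SELECT plate, amount FROM tolls WHERE plate = ?"
    return conn.execute(sql, (plate,)).fetchall()


def demo():
    """Run both lookups against a crafted read and report how each behaved."""
    conn = make_db()
    crafted = "' OR '1'='1"  # a "plate" that is really a SQL tautology
    unsafe_rows = lookup_unsafe(conn, crafted)  # every row in the table comes back
    safe_rows = lookup_safe(conn, crafted)      # nothing comes back
    return len(unsafe_rows), len(safe_rows)


if __name__ == "__main__":
    print("rows returned (unsafe, safe):", demo())
```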

  • This example of sql-injection is one of my favorites.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • Reminds me of Bobby Tables cartoon. ;=)

    Besides the obvious injection issues that need to be closed, security can be made only as strong as the organization wants. I've seen situations where project leaders were silenced for bringing up security issues. Even to this day, when users at many organizations show a lack of security, they are penalized for finding the loophole rather than rewarded for exposing it. Given the culture we work in, it is not possible to be perfect all the time.

  • Steve Jones

    The TJX thing, that was interesting. In 2001 we were just starting to deploy wireless around the JD Edwards campus. .........So I wrote a short story about a former sales guy driving into the parking lot, not getting out of his car, connecting with wireless, using these accounts and downloading customer data.

    Surprised that more installations do not do as we did. Now, the number of servers was somewhat limited, and the people who accessed them for data entry / producing reports were located in a room adjacent to the servers. Access to both rooms was controlled by a security lock openable only by inputting a 4-digit security code. Whenever an employee no longer had a need for the data / quit / retired, that code was changed and their login deleted from the server(s).

    Both rooms were constructed with copper wire mesh attached to a series of secondary studs and then grounded to a single ground probe (not the electrical wiring ground). After the mesh was installed, the normal sheet rock was attached to a series of studs (NOT those to which the wire mesh was attached). Personnel were NOT allowed to carry cell phones into either room. Nor did any desk top unit have a CD/DVD burner installed.

    Draconian measures, perhaps; expensive, not really.

    If everything seems to be going well, you have obviously overlooked something.

    Ron

    Please help us, help you - before posting a question please read
    Before posting a performance problem please read

  • Funny, fascinating, frightening all at the same time.

    CBS News had a story yesterday about digital copiers going into the used market with hard drives full of images of everything they had ever copied. Security breaches are everywhere, especially where no one is looking.
