SQL Injection Everywhere

  • Interesting read and I totally agree that as more and more things get "connected" the need for better security will increase proportionally.

    Also, I have the same kind of washer but will never have to worry about someone hacking in to add bleach to my colors. I only put bleach in the container when whites are in the machine. 😉

  • Anders Hansen (4/10/2011)


    I think there are many good reasons for connecting things to the internet, and to let them be computer controlled.

    Not to ruin your windshield story - but I really like the wipers in our car. They are connected to a sensor, and start wiping if the windows get wet. This allows me to keep my limited focus on the road. And the wipers are just a small part. I believe that all these small things in cars can help us focus more on the road and drive safer.

    But I totally agree, that when they mess up and need to recall cars because of what must be a critical error in the wiper software - then something might not be as decoupled as it should have been. And sooner or later we will all be driving autonomous cars - and then we can start worrying about software bugs... 🙂

    For the other "connected" items, I would agree that maybe the washing machine isn't the most obvious. But still there could be some features which could come in handy. You could start the machine when you start driving home from work (even when you don't know when work is done), it could call for service if some small problem has occurred, instead of today where they just keep going and then break completely (good for the environment I guess), receive updates to the built-in programs to be more efficient (in strong opposition to the "If it ain't broken, don't fix it" rule), etc.

    But we need to remember that no matter how much we test our software, when we move from mechanical controlled to software controlled we will introduce some new risk, and some new bugs. And those can be hard to fix in e.g. a non-connected washing machine.

    /Anders

    I did a campus visit with my daughter to Embry Riddle Aeronautical University in Prescott, AZ. The washers and dryers in the laundry area in the dorms are on the network. It allows the students to check the status of their laundry from the rooms without having to run up and down the stairs. Seems like a convenience to me, and my daughter seemed to like the idea.

  • I think part of the problem is lost in the discussion. Advantageous, wicked, criminal, subversive, behavior in various degrees. Consequences are important and enforcing them will avert some of the perpetrators from performing acts, but not all. Some people are just deliberate in their desire to affect.

    Ultimately we have a trust based society. Technology is our lever. The various implementations all require trust of varying degrees. That will never change as long as we exist. Maliciousness for whatever reason will also exist, which challenges some of the trust. We trust the perceived physicists, theorists, innovators, designers, engineers, administrators and users to varying degrees.

    Hell, I trust that a SQL function can calculate an age given the date of birth, faster and better than I can. I trust that the octane displayed on the pump is what goes into the tank. I trust that the horsepower reported by the marketing materials is close to what the (maintained) car produces. I trust that the cell phone doesn't cause brain cancer... :w00t: All of these things are technology and can be abused by those that seek to pull pranks or harm if they desire.

    A car with no computer technology implemented still is heavy on trust. A fully automated car takes that trust level up in scale. I still prefer the fully automated car with optional overrides to purely manual one.

    If someone is going to seek to exploit weaknesses they will, computerized or not. When technology was strictly mechanical some (malicious) folks were ready to deny grease or introduce foreign material to bind it up. Some as a joke, some with mal-intent. The advantages of having the tool didn't lead society to abandon the technology... just guard and punish. The same thing should be applied to the things that are computerized. Internet connectivity, wireless, remote access are yet another layer.

  • Steve Jones - SSC Editor (4/11/2011)


    Jeff Moden (4/10/2011)


    I think people have really gotten silly with computers. I mean, c'mon! Why would anyone connect a bloody washing machine to the internet?

    On the surface I agree with you, however there are benefits to a better load balancing of the electrical system by scheduling loads. However you can't necessarily schedule them yourself. If the power company could send a signal to your house to start high energy loads, like your washer, your dishwasher, or even charge up a car (someday), there could be an efficiency value.

    It's not so much that I think this is a great convenience and I wouldn't really like to control my fridge or washer remotely, but on a large scale, I think there's merit here somewhere.

    Steve - The problem is that any possible benefits are outweighed by the (very likely) problems that will arise, like misuse/abuse of the system by authorized persons, let alone unauthorized ones like crackers and script kiddies. SMART METERS are a very, VERY BAD idea all around even if they do provide some measure of benefit with regards to power management. WHY? One word, ENRON.

    Even after a decade of time has passed many still do not realize that the power shortages in California were all deliberately caused by Enron whose brokers had plants move power out of state so as to drive up Energy futures. Had Enron NOT come into California there would have been no blackouts and an old and long standing utility in California, Pacific Gas & Electric CO, would not have had to close and file for Bankruptcy destroying the lives and savings of many people.

    THE POINT? The marketers sold everyone on how wonderful it would be to deregulate the power and let the market decide future prices. The reality was that this was used and abused by those inside the system (not by some outside hacker) resulting in billions lost and the lives of God only knows how many people.

    ENRON WAS A ONE TIME EVENT – No it wasn't. Here in Texas we have recently faced faux shortages in power through the government's manipulation and regulation of the industry via the EPA. There are power plants in Texas, recently built, that meet all pre-GREEN standards and codes that are not being allowed to come on line because the perception of an energy shortage must be maintained, else the people will not be easily pushed into agreeing to go with an alternative that costs more and provides less. If Enron was able to so easily create the perception of scarcity, just imagine what the government can do since it reports to no one**.

    **I imagine someone will say that the government reports to us the voters, but that's not really the case. The government routinely violates the law and gets away with it, occasionally tossing out a scapegoat like Madoff, simply so as to say "we are doing something" when in truth no one goes to jail if they are high enough up the chain. Has anyone of an executive level who was involved in the recent derivatives gambling scheme that caused the largest bailout in history gone to jail? Nope, and they won't.

    We do have elections where we can "throw the bums out", however when we do the end result is we get new bums who do the same things as the last bums, they just use different methods and partners. So as long as we believe we can only vote for the stooge that the 2 major parties put out for us to vote for, then nothing will change.

    Kindest Regards,

    Just say No to Facebook!
  • YSLGuru (4/11/2011)


    a lot of stuff...

    YSLGuru, you said what I was thinking far better than I ever have. Thanks.

    Dave

  • Lynn Pettis (4/11/2011)


    I did a campus visit with my daughter to Embry Riddle Aeronautical University in Prescott, AZ. The washers and dryers in the laundry area in the dorms are on the network. It allows the students to check the status of their laundry from the rooms without having to run up and down the stairs. Seems like a convenience to me, and my daughter seemed to like the idea.

    If properly secured, maybe. If not, well we have all heard horror stories of assaults on campus, and giving criminals the ability to track a particular victim coming to pick up their clothes is a huge risk. I would not want my daughter typing in who she was where anyone who broke into the system could determine when she is likely to come down to pick them up. This risk could be reduced by always doing your clothes in daylight, when it is busy, but people tend to pick times that are less busy, when security is far more important.

    I apologize if I am scaring you, and admit that most people think I am too security conscious. However when it comes to my kids, there is nothing I wouldn't do to protect them. As parents we need to stop thinking like "good, safe people" all the time, and start realizing there are truly evil people out there who are willing to use any tool they can to hurt people.

    At best an insecure system could be abused by some guy who wants to get close to a girl. At worst, we don't need to say.

    Dave

  • Steve Jones - SSC Editor (4/11/2011)


    Dave/Jay,

    Connecting a smart appliance to an IP network (not necessarily the Internet) is about efficiency, grid balancing.

    The electrical grid balancing is not necessarily about government, but more about helping power companies deal with load and investment. They might offer discounts for allowing them to balance the demand, or perhaps create penalties if you don't.

    The investment for more power is a large one for the utilities, and often they are trying to cope with peaks that occur in the system. If they can smooth out the demand, they can more efficiently meet demand.

    Think Comcast. Buy up all the competition, then raise your rates by offering discounts to those who purchase more from your content, slam everyone who buys content from Pandora, Vudu or otherwise.

    Business is in the business of making a profit, hugely unfair profits being preferred over small honest profits. I refuse to believe there are many companies who would actually offer a true discount.

    Think Walmart. Price drops all the time, they last a month, go back up to the usual high rates, only to be a magic "price rollback" a couple months later. We the public "like getting deals" and so we buy, buy, buy, not realizing we are being lied to.

    Lastly, think jewelry store in the mall anywhere. 50% off, 90% off, it never ends. Do they ever sell anything at 0% off? No. Then why should I view 50% off of double inflated retail pricing as a good deal?

    Sorry, I know I sound jaded, but I just don't buy the argument that any company would offer to spend more on infrastructure to really save me anything. In the end, the ROI for the consumer is rarely positive.

    If the technology improves my life, decreases my costs, or saves me time, it might be worthwhile. All too often the improvement is to the (huge and unfair) business profits, not to mine.

    Dave

  • djackson 22568 (4/11/2011)


    Lynn Pettis (4/11/2011)


    I did a campus visit with my daughter to Embry Riddle Aeronautical University in Prescott, AZ. The washers and dryers in the laundry area in the dorms are on the network. It allows the students to check the status of their laundry from the rooms without having to run up and down the stairs. Seems like a convenience to me, and my daughter seemed to like the idea.

    If properly secured, maybe. If not, well we have all heard horror stories of assaults on campus, and giving criminals the ability to track a particular victim coming to pick up their clothes is a huge risk. I would not want my daughter typing in who she was where anyone who broke into the system could determine when she is likely to come down to pick them up. This risk could be reduced by always doing your clothes in daylight, when it is busy, but people tend to pick times that are less busy, when security is far more important.

    I apologize if I am scaring you, and admit that most people think I am too security conscious. However when it comes to my kids, there is nothing I wouldn't do to protect them. As parents we need to stop thinking like "good, safe people" all the time, and start realizing there are truly evil people out there who are willing to use any tool they can to hurt people.

    At best an insecure system could be abused by some guy who wants to get close to a girl. At worst, we don't need to say.

    It isn't that I am not concerned, but is that any different than someone staking out the laundry facility waiting for her to come? Not really.

    Regardless, she will need to take appropriate precautions to ensure her safety. All I can hope for is that we have taught her well in the area of making smart, safe decisions. Late at night she could always ask her roommate to go with her; in fact they may do laundry together just for that reason.

    Many people think we live in a more dangerous society than when some of us were kids. I tend to disagree. I think it was just as dangerous, we were just ignorant of some of the dangers. Today's communications have given us access to information faster, and that has affected our perceptions of the world we live in today compared to the past.

  • Lynn Pettis (4/11/2011)


    djackson 22568 (4/11/2011)


    Lynn Pettis (4/11/2011)


    Many people think we live in a more dangerous society than when some of us were kids. I tend to disagree. I think it was just as dangerous, we were just ignorant of some of the dangers. Today's communications have given us access to information faster, and that has affected our perceptions of the world we live in today compared to the past.

    I agree with you. Also, as long as a person is aware of the danger they can usually protect themselves. I find too often people just assume they can trust technology, and don't even bother to check.

    Dave

    To quote a movie: "The wonderful thing about creation is it is such a destructive force." We will never fully be able to weigh the damage or gain that technology has brought to our lives. For example, technology has made it possible for us to communicate in this venue and reach out to other people in our field at incredible speeds. However, that same technology means that odds are high that someone reading this board right now is involved in an e-lationship that is affecting their spouse.

    Technology has saved lives and destroyed them in the same stroke with no remorse or recognition for the lives it has touched.

    Are we better for having toasters that will burn the current weather into the side of your bread?

    Are we better for the ease with which we can affect each other with messages that are devoid of personal interaction?

    Who is really qualified to answer such questions?

    Dan

    If only I could snap my fingers and have all the correct indexes appear and the buffer clean and.... Start day dream here.

  • Er :ermm: ... does anyone remember when this forum was about SQL Server, and this thread about SQL Injection issues? :Whistling:

  • David Data (4/11/2011)


    Er :ermm: ... does anyone remember when this forum was about SQL Server, and this thread about SQL Injection issues? :Whistling:

    The article this thread is responding to started it by introducing the idea of hacking washing machines and fridges!

  • paul.knibbs (4/12/2011)


    David Data (4/11/2011)


    Er :ermm: ... does anyone remember when this forum was about SQL Server, and this thread about SQL Injection issues? :Whistling:

    The article this thread is responding to started it by introducing the idea of hacking washing machines and fridges!

    Thanks Paul. I thought to respond earlier but I couldn't come up with a way that wasn't rude. Well phrased. 🙂


    - Craig Farrell

    Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.

    For better assistance in answering your questions | Forum Netiquette
    For index/tuning help, follow these directions. | Tally Tables

    Twitter: @AnyWayDBA

  • Craig Farrell (4/12/2011)


    paul.knibbs (4/12/2011)


    David Data (4/11/2011)


    Er :ermm: ... does anyone remember when this forum was about SQL Server, and this thread about SQL Injection issues? :Whistling:

    The article this thread is responding to started it by introducing the idea of hacking washing machines and fridges!

    Thanks Paul. I thought to respond earlier but I couldn't come up with a way that wasn't rude. Well phrased. 🙂

    I simply would have stated "what thread here on SSC hasn't gone sidewise in one way or the other?"

    I think it is one of the things that makes SSC the community it is. Some thoughts just spur other thoughts, but we do tend to bring things back in time.

  • Jeff Moden (4/10/2011)


    How about spending more time and dollars on really cool stuff like designing a 350HP engine that gets 50MPG without batteries? You see that kind of stuff on the news all the time. How come no one has put that type of technology in common vehicles instead of screwing around with {gasp!} computer controlled windshield wipers?

    If they actually did put more effort into improving fuel efficiency of a 350HP engine, I could appreciate that. But cup-holders seem to matter more than fuel economy.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events
