Data We Don't Want
Posted Monday, March 4, 2013 9:52 PM
Comments posted to this topic are about the item Data We Don't Want

Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1426589
Posted Tuesday, March 5, 2013 12:35 AM
I could be really smug because I always use Firefox, but instead I'll allow myself to be gobsmacked that such an obvious flaw has made it into three major browsers. Who audits the code for these things?
Post #1426619
Posted Tuesday, March 5, 2013 4:45 AM
Steve Jones - SSC Editor (3/4/2013)
<snip/>This makes me want to re-architect the way we build data-driven applications in the future, to prevent this type of vandalism. Maybe building an application-level firewall that proxies all access to a database server. The idea of application servers was very popular a decade ago, but it seems few systems actually implemented this type of architecture. Perhaps this is because the web server/database server pairing is such an easy paradigm to build for most developers.<snip/>

A lot of Enterprise developers, whose number I less than humbly count myself amongst, would love to properly architect and implement such systems. Often it is driven from above, with the rapid and cheaper development options chosen. Sure, there are those developers who don't think like this, and quite often they are the so-called "web developers". Bearing in mind the dangers of generalisations, a lot of these developers come from a graphics/web design background or perhaps "the business" and don't see the value of software engineering. From a certain point of view, the economics of software engineering does not stack up...until things go wrong.

Often the cost of application frameworks is high, not "out of the box" (which often cost enough in the first place) and there are very few people with expertise in these frameworks.

As always, we should be raising the level of abstraction of our frameworks to make leveraging them more cost effective. Unfortunately, we still have yet to make logging, performance monitoring and the like work straight out of the box, perhaps straight out of each language, and built in through minor configuration only. Until we do this we will still be delivering a lower level of quality and have no hope for the level of maturity of applications suggested.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1426749
Posted Tuesday, March 5, 2013 6:35 AM
paul.knibbs (3/5/2013)
I could be really smug because I always use Firefox, but instead I'll allow myself to be gobsmacked that such an obvious flaw has made it into three major browsers. Who audits the code for these things?

Firefox does support HTML5 Storage; are you sure it's implemented in a way that's safer than IE and Chrome? Go to the website Steve mentioned in his article and see.
Post #1426787
Posted Tuesday, March 5, 2013 6:39 AM
Eric M Russell (3/5/2013)
Firefox does support HTML5 Storage; are you sure it's implemented in a way that's safer than IE and Chrome? Go to the website Steve mentioned in his article and see.

The Ars Technica article that Steve linked to (which describes the exploit in more detail) says this:

"Of the browsers Aboukhadijeh tested, only Mozilla Firefox capped the download amount."

If the people who actually created the exploit say it's implemented in a safer way, I'm inclined to agree with them...
Post #1426791
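The disagreement above about which browsers are "safer" comes down to how a browser accounts for storage quota, and the Ars Technica line quoted (only Firefox capped the total downloaded) points at the design choice that matters. The following is an added example, not code from this thread, from the editorial, or from the FillDisk.com site: a small Node.js model of quota accounting that contrasts three policies, a per-origin allowance with nothing bounding the sum, the same allowance under a global ceiling, and an allowance keyed by registrable domain. The 5 MiB per-origin figure, the `example.com` hostnames and the premise that an attacker spreads writes across many distinct origins are assumptions of the example, not statements from the page.

```javascript
// Added example (not from the SQLServerCentral thread, the editorial or the
// FillDisk.com site): a Node.js model of how a browser might account for
// localStorage quota.  Everything below is an assumption of the model:
// the 5 MiB per-origin allowance, the example.com hostnames, and the idea
// that an attacker spreads writes across many distinct origins.

const MiB = 1024 * 1024;

// Per-origin allowance assumed by the model (a commonly quoted default).
const PER_ORIGIN_QUOTA = 5 * MiB;

// Accounting key that treats every origin as its own bucket.
function originKey(origin) {
  return new URL(origin).origin;
}

// Accounting key that folds subdomains into one bucket per registrable
// domain.  Simplified to "last two host labels"; a real browser consults the
// Public Suffix List so that hosts under e.g. .co.uk are handled correctly.
function registrableDomain(origin) {
  const labels = new URL(origin).hostname.split('.');
  return labels.slice(-2).join('.');
}

class QuotaManager {
  // keyFn       - maps an origin to its accounting bucket
  // bucketQuota - bytes allowed per bucket
  // globalCap   - bytes allowed across all buckets (Infinity = no cap)
  constructor({ keyFn, bucketQuota, globalCap = Infinity }) {
    this.keyFn = keyFn;
    this.bucketQuota = bucketQuota;
    this.globalCap = globalCap;
    this.used = new Map();
    this.total = 0;
  }

  // Attempt to persist `bytes` for `origin`.  Returns false where a browser
  // would throw QuotaExceededError, i.e. when the bucket or the global cap
  // would be exceeded.
  setItem(origin, bytes) {
    const key = this.keyFn(origin);
    const current = this.used.get(key) || 0;
    if (current + bytes > this.bucketQuota) return false;
    if (this.total + bytes > this.globalCap) return false;
    this.used.set(key, current + bytes);
    this.total += bytes;
    return true;
  }
}

// A hostile page writing 1 MiB chunks from `n` distinct subdomains until
// each one is refused.  Returns the number of bytes it managed to persist.
function fillFromSubdomains(manager, n, chunk = MiB) {
  let stored = 0;
  for (let i = 0; i < n; i++) {
    const origin = `https://s${i}.example.com`;
    while (manager.setItem(origin, chunk)) stored += chunk;
  }
  return stored;
}

// Compare the three accounting policies for a page that can reach
// `subdomains` distinct origins.
function compareAccountingPolicies(subdomains, globalCap = 50 * MiB) {
  return {
    perOriginUncapped: fillFromSubdomains(
      new QuotaManager({ keyFn: originKey, bucketQuota: PER_ORIGIN_QUOTA }), subdomains),
    perOriginWithGlobalCap: fillFromSubdomains(
      new QuotaManager({ keyFn: originKey, bucketQuota: PER_ORIGIN_QUOTA, globalCap }), subdomains),
    perRegistrableDomain: fillFromSubdomains(
      new QuotaManager({ keyFn: registrableDomain, bucketQuota: PER_ORIGIN_QUOTA }), subdomains),
  };
}

// Example run with 100 subdomains: 500 MiB, 50 MiB and 5 MiB respectively.
const result = compareAccountingPolicies(100);
for (const [policy, bytes] of Object.entries(result)) {
  console.log(`${policy.padEnd(24)} ${bytes / MiB} MiB stored`);
}
```

The point of the comparison is the accounting key: a per-origin limit that nothing sums across origins is not a limit at all, because the attacker chooses how many origins there are. To measure a real browser rather than the model, the same loop can be run against `window.localStorage`, writing fixed-size strings until it throws `QuotaExceededError`, on a throwaway profile.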
Posted Tuesday, March 5, 2013 6:39 AM
That's a denial-of-service-type attack that I hadn't expected, but it is an interesting attack vector. I wouldn't expect this to impact servers, but if servers are consuming web services and using controls based on browsers, there is the possibility this type of attack might affect them. I'd hope this were limited to web servers and did not impact database servers, but it's certainly a concern if you have processes running on your database server that might retrieve data from a remote source.

It's probably a good idea to use IPsec and a firewall on application or database servers to disallow browsing of external IP addresses.
Post #1426792
Posted Tuesday, March 5, 2013 7:32 AM
If FillDisk.com is a malicious site, why is it hyper-linked in your editorial?
Post #1426827
Posted Tuesday, March 5, 2013 8:04 AM
andyw-834405 (3/5/2013)
If FillDisk.com is a malicious site, why is it hyper-linked in your editorial?

...searching for the IT variation of a Darwin Award winner?


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1426851
Posted Tuesday, March 5, 2013 8:25 AM
paul.knibbs (3/5/2013)
... I'll allow myself to be gobsmacked that such an obvious flaw has made it into three major browsers. Who audits the code for these things?

+1

Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server


SQL RNNR

Posting Performance Based Questions - Gail Shaw
Posting Data Etiquette - Jeff Moden
Hidden RBAR - Jeff Moden
VLFs and the Tran Log - Kimberly Tripp
Post #1426864
Posted Tuesday, March 5, 2013 8:44 AM
Gary Varga (3/5/2013)
andyw-834405 (3/5/2013)
If FillDisk.com is a malicious site, why is it hyper-linked in your editorial?

...searching for the IT variation of a Darwin Award winner?

Wow, that was uncalled for...
Post #1426871