March 4, 2013 at 9:52 pm
Comments posted to this topic are about the item Data We Don't Want
March 5, 2013 at 12:35 am
I could be really smug because I always use Firefox, but instead I'll allow myself to be gobsmacked that such an obvious flaw has made it into three major browsers. Who audits the code for these things?
March 5, 2013 at 4:45 am
Steve Jones - SSC Editor (3/4/2013)
<snip/>This makes me want to re-architect the way we build data driven application in the future, to prevent this type of vandalism. Maybe building an application level firewall that proxies all access to a database server. The idea of application servers was very popular a decade ago, but it seems few systems actually implemented this type of architecture. Perhaps this is because the web server/database server pairing is such an easy paradigm to build for most developers.<snip/>
A lot of Enterprise developers, whose number I less than humbly count myself amongst, would love to properly architect and implement such systems. Often it is driven from above with the rapid and cheaper development options chosen. Sure, there are those developers who don't think like this and quite often they are the so called "web developers". Bearing in mind the dangers of generalisations, a lot of these developers come from a graphics/web design background or perhaps "the business" and don't see the value of software engineering. From a certain point of view, the economics of software engineering does not stack up...until things go wrong.
Often the cost of application frameworks is high, not "out of the box" (which often cost enough in the first place) and there are very few people with expertise in these frameworks.
As always we should be raising the level of abstraction of our frameworks to make leverage of them more cost effective. Unfortunately, we still have yet to make logging, performance monitoring and such like work straight out of the box, perhaps straight out of each language, and built in through minor configuration only. Until we do this we will still be delivering a lower level of quality and have no hope for the level of maturity of applications suggested.
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
March 5, 2013 at 6:35 am
paul.knibbs (3/5/2013)
I could be really smug because I always use Firefox, but instead I'll allow myself to be gobsmacked that such an obvious flaw has made it into three major browsers. Who audits the code for these things?
Firefox does support HTML5 Storage, are you sure it's implemented in a way that's safer than IE and Chrome? Go to the website Steve mentioned in his article and see.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
March 5, 2013 at 6:39 am
Eric M Russell (3/5/2013)
paul.knibbs (3/5/2013)
Firefox does support HTML5 Storage, are you sure it's implemented in a way that's safer than IE and Chrome? Go to the website Steve mentioned in his article and see.
The Ars Technica article that Steve linked to (which describes the exploit in more detail) says this:
"Of the browsers Aboukhadijeh tested, only Mozilla Firefox capped the download amount."
If the people who actually created the exploit say it's implemented in a safer way, I'm inclined to agree with them... 🙂
March 5, 2013 at 6:39 am
That's a denial of service type attack that I hadn't expected, but it is an interesting attack vector. I wouldn't expect this to impact servers, but if servers are consuming web services, and using controls based on browsers, there is the possibility this type of attack might affect them. I'd hope this were limited to web servers and not impact database servers, but it's certainly a concern if you have processes running on your database server that might retrieve data from a remote source.
It's probably a good idea to use IPSec and firewall on application or database servers to disallow browsing of external IP addresses.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
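One way to apply the "disallow browsing of external IP addresses" advice above on a Windows database or application server, as an added example that is not from this thread. It assumes the Windows NetSecurity module (Windows Server 2012 or later) and uses 10.0.0.0/8 as a placeholder for your internal subnets.

```powershell
# Added example, not from the thread. Windows Firewall evaluates explicit Block
# rules before Allow rules, so an "allow internal" rule cannot punch a hole
# through a "block everything" rule. The safe pattern is therefore: make Block
# the default outbound action, then allow only the internal destinations the
# server legitimately talks to.
Import-Module NetSecurity

$internal = '10.0.0.0/8'   # placeholder: replace with your app/DB/DC subnets

# Default-deny outbound on every profile; anything not explicitly allowed
# below (including HTTP/HTTPS to the Internet) is dropped and logged.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultOutboundAction Block -LogBlocked True

# Keep the server able to reach its own estate (other tiers, AD, monitoring).
New-NetFirewallRule -DisplayName 'Allow outbound to internal subnets' `
    -Direction Outbound -Action Allow -RemoteAddress $internal -Profile Any

# DNS to internal resolvers only, so name lookups keep working but a process
# on the box cannot resolve and fetch from arbitrary external hosts.
New-NetFirewallRule -DisplayName 'Allow DNS to internal resolvers' `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53 `
    -RemoteAddress $internal -Profile Any

# Verify the result: every profile should now report Block as the default,
# and a web request to a public address from this server should fail.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction, LogBlocked
```

Apply this on a test box first and review the firewall log (pfirewall.log by default) for a few days, because patching, licensing and vendor call-home traffic also count as outbound and will need their own allow rules.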
March 5, 2013 at 7:32 am
If FillDisk.com is a malicious site, why is it hyper-linked in your editorial? :w00t:
March 5, 2013 at 8:04 am
andyw-834405 (3/5/2013)
If FillDisk.com is a malicious site, why is it hyper-linked in your editorial? :w00t:
...searching for the IT variation of a Darwin Award winner?
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
March 5, 2013 at 8:25 am
paul.knibbs (3/5/2013)
... I'll allow myself to be gobsmacked that such an obvious flaw has made it into three major browsers. Who audits the code for these things?
+1
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events
March 5, 2013 at 8:44 am
Gary Varga (3/5/2013)
andyw-834405 (3/5/2013)
If FillDisk.com is a malicious site, why is it hyper-linked in your editorial? :w00t:
...searching for the IT variation of a Darwin Award winner?
Wow, that was uncalled for... 😉
March 5, 2013 at 9:12 am
😎
andyw-834405 (3/5/2013)
Gary Varga (3/5/2013)
andyw-834405 (3/5/2013)
If FillDisk.com is a malicious site, why is it hyper-linked in your editorial? :w00t:
...searching for the IT variation of a Darwin Award winner?
Wow, that was uncalled for... 😉
...but of course you didn't follow it
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
March 5, 2013 at 9:30 am
Gary Varga (3/5/2013)
😎
andyw-834405 (3/5/2013)
Gary Varga (3/5/2013)
andyw-834405 (3/5/2013)
If FillDisk.com is a malicious site, why is it hyper-linked in your editorial? :w00t:
...searching for the IT variation of a Darwin Award winner?
Wow, that was uncalled for... 😉
...but of course you didn't follow it
Humor is lost on many who take life too seriously. Thanks for the giggle!
M
Not all gray hairs are Dinosaurs!
March 5, 2013 at 9:49 am
Gary Varga (3/5/2013)
😎
andyw-834405 (3/5/2013)
Gary Varga (3/5/2013)
andyw-834405 (3/5/2013)
If FillDisk.com is a malicious site, why is it hyper-linked in your editorial? :w00t:
...searching for the IT variation of a Darwin Award winner?
Wow, that was uncalled for... 😉
...but of course you didn't follow it
It was nearly as tempting as the "Self-Destruct Button", but no
March 5, 2013 at 9:52 am
I still believe in the application layer concept, particularly on critical systems. I've even added an ETL 'layer' where I have dedicated servers handling inbound and outbound traffic that hit critical databases. I've also found it a good place to deploy legacy vendor solutions that I have to support which are more often than not written *ahem* expeditiously. Some modifications are required and it adds to the overall system complexity a bit but the stability and flexibility are worth it so long as you pay it a little attention.