Data We Don't Want

Don't visit the FillDisk.com site, which I ran across a link to from an Arts Technica article that talks about a flaw in web browsers. It's possible a security flaw, possibly an availability flaw as well. Apparently the new HTML specification allows for sites to use the Web Storage Standard to keep data on your hard disk. There is a limit in most browsers for how much data you can store per domain, but the FillDisk site uses sub domains to put random junk on your drive. The author of the site built this as a proof of concept and was able to add 1GB of data to an SSD on a laptop every 16 seconds.

That's a denial of service type attack that I hadn't expected, but it is an interesting attack vector. I wouldn't expect this to impact servers, but if servers are consuming web services, and using controls based on browsers, there is the possibility this type of attack might affect them. I'd hope this were limited to web servers and not impact database servers, but it's certainly a concern if you have processes running on your database server that might retrieve data from a remote source.

This makes me want to re-architect the way we build data driven application in the future, to prevent this type of vandalism. Maybe building an application level firewall that proxies all access to a database server. The idea of application servers was very popular a decade ago, but it seems few systems actually implemented this type of architecture. Perhaps this is because the web server/database server pairing is such an easy paradigm to build for most developers.

Frameworks that allowed separation of the application through a middle layer could allow for caching of data in addition to more security. That could increase performance and scalability as the database wouldn't be the single bottleneck for all requests.

Steve Jones

The Voice of the DBA Podcasts

We publish three versions of the podcast each day for you to enjoy.

Watch the Windows Media Podcast - 17.6MB WMV
Watch the iPod Video Podcast - 21.0MB MP4
Listen to the MP3 Audio Podcast - 4.2MB MP3

Everyday Jones

The podcast feeds are available at sqlservercentral.mevio.com. Comments are definitely appreciated and wanted, and you can get feeds from there. Overall RSS Feed: or now on iTunes!

Today's podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. Support this great duo at www.everydayjones.com.

You can also follow Steve Jones on Twitter:

Lockdown or Let Them Free

by Steve Jones

SQLServerCentral.com

Editorial

Do we take security too far? Are we creating unnecessary rules for those that need to use the resources we support? Steve Jones talks today about security and how we might want to approach it when handling rights for developers.

★ ★ ★ ★ ★ ★ ★ ★ ★ ★

4.5 (2)

You rated this post out of 5. Change rating

2014-06-27 (first published: 2009-09-21)

217 reads

Discuss

Placing a Value on Data

by Steve Jones

SQLServerCentral.com

Editorial

What's your stolen data worth? It might be worth investigating, as Steve Jones suggests. Then you'll know how much you should be spending to protect it.

★ ★ ★ ★ ★ ★ ★ ★ ★ ★

You rated this post out of 5. Change rating

2009-08-05

66 reads

Discuss

The Danger of Algorithms

by Steve Jones

SQLServerCentral.com

Editorial

What problems occur because of the algorithm chosen to generate data? A new report says that social security numbers in the US can be predicted. Steve Jones has a few warnings about what algoriothms you choose.

★ ★ ★ ★ ★ ★ ★ ★ ★ ★

You rated this post out of 5. Change rating

2014-04-28 (first published: 2009-07-27)

326 reads

Discuss

Administering Securely

by Steve Jones

SQLServerCentral.com

Editorial

A common request is how can you secure SQL Server data and prevent the system administrator from viewing data. Steve Jones talks a little about the issue and how you can handle it.