Nuclear Materials System Not Buggy, Says Microsoft
Darkmeat writes: "Saw this on ZDNet. Looks like SQL Server was causing some problems in nuclear databases in Russia." Another similar story at Yahoo. This is a followup to this story detailing the problems.
It's not buggy, all the data is hidden in a secret directory on the windows machine, waiting for the next internet connection to be sent to microsoft :)
so they can be as reliable and secure as Slashdot.
If there is anything movies have taught me, it is that this would only work if you don't misplace a . in the code, and end up with $100,000 after only a day.
Of course if that happens, you can always wait for a co-worker to burn the building down.
How many of you read the article? The problem was with custom software that used SQL Server. The problem was not with SQL Server itself. And the subsequent "bug" that allowed unauthorized people to get access was only when there was no password in place. If you have any piece of software that doesn't have a password, you allow unauthorized access, no surprise there. This isn't Microsoft's fault. They even offered to fix the problem. Jesus Christ, read the article before you start spewing your mindless dribble.
Because rebooting the machine didn't work.
(Posting anon so my company doesn't piss off MS. :) )
My experiences with SQL Server support match with yours, though in a rather different situation-- no complex queries, and the data wasn't lost once it actually got into the DB, although that's what often failed. We had a bug where about 1/1000 statements would actually get a random character corrupted-- so, for example, your "SELECT * FROM tblWhatever" would become "SELECT * FROM tblWh#tever". We logged everything going in, and it was fine, but the error message coming out was that it couldn't find tblWh#tever, when what we logged as going into the statement was quite obviously tblWhatever.
We went through the various reporting channels; they may have even sent someone over at some point, I can't remember. IT people at other companies claimed they'd never seen the problem; I'm guessing it was just a particular configuration. The eventual solution was, "we have this new version that probably fixes that bug, please upgrade-- and we swear, it doesn't introduce new, impossible to track down and fix bugs". We agreed-- we upgraded (to Oracle).
The bottom line is that regardless of how many people here claim they've never seen the bug, and so on and so forth-- I KNOW SQL has bugs that aren't in the known bugs lists. And their excuse here-- "they upgraded to 7.0 and everything's happy now" rings hollow because that's what they said about 6.5. It's gonna be "all fixed" until they find the new bugs with 7.0. Denying the problems with their software won't get it fixed.
Of course, if the database were mySQL or PostGres, the story would have never made it on /. .
-k
.. you know that .. the good people that read slashdot know that. But Joe Sixpack doesn't, ergo the knee-jerk reaction.
Read the original e-mail piece. It's long, but it's well worth the read.
There are numerous issues in this article that are significantly "re-formulated" or left out - and that actually matters a lot in this case.
This article gives the impression (in my opinion) that it is disputable whether the flaws were serious at all, and it seeks to give the impression that microsoft offered help which the russians refused.
If you read the longer original transcript, you will see that there were several other significant flaws found in 7.0 which made it unusable, and that the fix microsoft offered was "upgrade to 7.0".
The original transcript ends with the russians expressing their deepest concern and surprise over microsoft actually suggesting them to fiddle with numeric formats etc. in order to work around real bugs that show up in SQL server.
#1 is WRONG. The bug they found was in SQL Server. The software they wrote just happened to trigger it.
From the article, it doesn't say exactly what the security problem was, you can't tell for sure that it was #2.
Engineering and the Ultimate
"It's not a bug, it's a feature. Russia wants to lose nuclear devices, it makes for much less cleanup and disposal on their behalf."
--M$ Press Agent
--
"If you insist on using Windoze you're on your own."
If it's not in the database, it doesn't exist, and will thus not need to be disposed of.
"MS announced today that the next version of SQL Server will have a tenfold increase in its lauded 'virtual disposal' capability as compared to previous versions. 'This is a huge step forward for our environmental policy', president Bush stated, and added 'It's another example of how business takes care of environmental concerns far more effectively than government regulations can do'."
Sorry.
/Janne
Trust the Computer. The Computer is your friend.
Fieros were among the safest cars on the road. They were amazingly good for their size in a collision. I know someone who was in a head-on collision in one and walked away without a scratch.
And, by the time the Fiero was dropped, it was a markedly improved vehicle, definitely more desirable than the stupid Firebird.
The real question is whether the car was dropped because of internal GM politics. The rumor is that Chevy hated it, because it threatened the Corvette.
Jon Acheson
All opinions expressed herein are my own, and not those of my employers, who are appalled.
Ok - my little story does indeed reek of 'urban legend' and just 'sounds' credible (hey, it got +4 here already!) I did more in-depth research and found one PhD who makes a distinction between MRI as a type of NMR, but then again here is another site that repeats my story.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
That's why medicine took the 'nuclear' out of Nuclear Magnetic Resonant Imaging - patients would freak out at the mere mention of 'nuclear' so they changed it to just MRI. It still involved the nuclei of atoms.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
I'm all for M$ bashing - when they deserve to be bashed (and there are plenty of areas where they deserve this). But in this case, the article is nothing more than anti-M$ propaganda.
No. The article is either pro-Microsoft spin couched as ineffectual criticism or profoundly incompetently written. If you check the referenced source material you'll find that, in fact, there were severe bugs related solely to Microsoft's SQL Server which have not only compromised the Russian nuclear tracking system, but even more severely compromised the American nuclear tracking system. What is worse, the Russians were wise enough to keep their manual system intact as a check, despite ridicule from their American colleagues. The United States, on the other hand, has had no manual system or check of any kind in place. Verifying the American stockpiles will cost on the order of a Billion US Dollars and will not detect any material which has already been diverted.
Los Alamos has verified the bugs, both in the version of SQL server the Russians were using and in the version Microsoft recommended they upgrade to.
Microsoft spin and apologist propaganda aside, this fiasco is real, has truly shocking and horrifying security implications for the entire planet, and is absolutely inexcusable. Of course, inexcusable lapses on the part of Microsoft and the quality of their proprietary products is hardly new or surprising, but it remains news so long as their shoddy products continue to dominate the market through marketing misrepresentation and public ignorance of the facts.
The Future of Human Evolution: Autonomy
A complete synopsis of the email exchange released by the Center for Defense Information reveals that the flaws in Microsoft's SQL server were serious, and seriously affected both the American and Russian systems for tracking nuclear materials.
Nuclear material may or may not have been misplaced or diverted. What is certain, however, is that currently neither country has complete track of its materials as a direct result of the aforementioned software bugs in Microsoft's SQL server, and the cost of reinventorying the materials will cost on the order of one billion US dollars for the United States alone. Furthermore, if materials have been diverted from within the US inventory, the diversion will not be identified by the reinventorying methods available. This situation is unambiguously a result of the problems both teams have had with Microsoft's SQL server, coupled with the fact that the bugs weren't identified until the project was well underway.
You may deny, deny, deny as much as you like, but the public record is clear and unambiguous, and, once again, the fault lies squarely on Microsoft's incompetent shoulders.
The Future of Human Evolution: Autonomy
When WAS the last time a server installation of Linux *did* crash then, hmm?
--
Delphis
And the way I've always read Bill's statement was:
Some customers complain, but neither those customers nor the bugs they complain about matter to us.
Of course no one complains... There's no point. MS has never been known to do anything about bug complaints but disavow and disregard them.
I called - they said nobody else was having these problems. I demanded to know how many installed copies they had.
Turns out there were 2 - one of the techs told me while I was chatting to him in a notepad on the PC-Anywhere session he was fixing something with.
Stupid vendors.
Well if you kick a dog every time he comes near you, eventually he'll stay away, every time you come near him he will run.
:(
I can argue against that: my sister's family had a dog that was so stupid it would never learn.. just kept on coming back for more. Didn't help that it was about 100 lbs of pure muscle either.
I think that, just like that dog, there are companies/people/gov'ts stupid enough to just keep taking it in the shorts over and over from MS because they buy into the MS PR that there's just nothing out there better.. or even close.
Personally I think all windows products suck. I've got an athlon based box at home right now that I can't even install 2k on without it blue screening about 80% of the way through the process... and if I use a 98 or ME boot disk to try to install them, fdisk hangs hard. Linux is running like a champ on the box! I just want to load a windows up to play some of the games that I have which aren't available under linux.
- My favorite error message: xscreensaver, running on an old Sparc 5 w/ 8bit color: bsod: Couldn't allocate color Blue
So essentially they're argument is that this was operator error. How exactly would the operator have done things differently so as to get their information out of the database correctly all 1000 out of 1000 times?
Your right to not believe: Americans United for Separation of Church and
I can't believe I wrote "they're" instead of "their". My own post is now making me cringe in shame - no more grammar flaming from me for a while :)
Your right to not believe: Americans United for Separation of Church and
If this had been an open source database, it would have been fixed right the first time. Heck, if this had been an open source database, the DOE or the Russians could have audited the whole system from the ground up the instant they detected any problems.
This is only a story because a closed source vendor can't keep a handle on their bugs even when they are of literally world-changing importance.
Your right to not believe: Americans United for Separation of Church and
Er, howabout the fact that if it *had* happened in a free software product, then the Russian or American teams could most likely have hunted the bug down themselves and fixed it, or even had help from the author(s). It therefore would have been less of this conspiracy-of-silence type situation, which everyone loves.
Very few free software people have any illusions about there being bugs in their stuff, and so the response would have been more of an "Oh shit, do you have a patch?" and less of a "Nope, can't happen." scenario. It's more Microsoft's response (and their continual attitude that their products are fault-free) than the fact that the bug was there that irritates.
Holy crap! Do your homework! People drop the same engines into Fieros as they have in Corvettes. A chevy/pontiac 350 cubic inch V8 can be fit. It's tight...yes...but from what I understand, you don't even have to cut metal or anything to do it. If you have the Getrag (sp?) 5 speed transmission, they can even take the extra grunt of a bigger engine.
I don't buy the "Threatened the Corvette" line either...but you can make a serious bullet out of a Fiero...you can take on some pretty serious stuff with one. Do a search on Google if you don't believe me.
You'd be amazed at how little the weight difference is between the V8's and those inline 4's btw. Not NEARLY as much as people seem to think.
I think you mean aoltimewarneryahoo.com .
Domain Name: AOLTIMEWARNERYAHOO.COM
Registrant:
America Online, Inc.
22000 AOL Way
Dulles, VA 20166
US
Created on..............: Jul 28, 2000
Expires on..............: Jul 28, 2002
Record Last Updated on..: Jul 28, 2000
Registrar...............: America Online, Inc.
cpeterso
> I'm astonished that Russians trust software made by a US company to look after state secrets of this nature...
I'm astonished that the Russians didn't h@x0r it and fix all the bugs before using it...
--
Sheesh, evil *and* a jerk. -- Jade
> Technically it doesn't drop the transaction per se. It just deposits it into my bank account.
Yeah, well it's still a bug, because I had intended the deposit to go into my bank account.
--
Sheesh, evil *and* a jerk. -- Jade
> *cough* That's what I'm paying you for. Dammit. *cough*
I decided I could MAKE MONEY FASTer by stealing from you, too.
--
Sheesh, evil *and* a jerk. -- Jade
> So essentially they're argument is that this was operator error. How exactly would the operator have done things differently so as to get their information out of the database correctly all 1000 out of 1000 times?
Pose the query to a different brand of database?
--
Sheesh, evil *and* a jerk. -- Jade
MS Rep to Russian General: Rule #1: Never miss a sale.
--
Sheesh, evil *and* a jerk. -- Jade
Russian General: Someone SQL us up the bomb!
Database: 404, Fissionable Material Not Found. All your bomb are belong to USA.
--
Sheesh, evil *and* a jerk. -- Jade
BTW, what's the difference between a CT and CAT scan?
I think the "A" stands for axial not assisted.
I think that the time frame the Russian nuclear storage facilities were "missing" material, points more toward the US government as the enemy. Like maybe if the breakup decision hadn't been reversed the government would have been taken over in nuclear assault. (Microsoft has a special service pack to make sure that they're not missing any nuclear materials.) Screw lobbying, just take out the root cause. Ballmer could be President/CEO of the Microsoft States of America. Or maybe the United States of Microsoft.
This was included in a list of some MS hazardous materials systems which I had in an earlier post:
http://www.nrc.gov/NRC/COMMISSION/SECYS/2000-0163s cy.html#ATTACHMENT 4.
Hey, lameness filter. This ain't that comment. Stop making me rephrase it. Microsoft's idea of reliability, not mine.
Well, ... this is Microsoft software we're talking about.
(ducks and runs for cover)
That doesn't indicate an error in SQL Server, just in how this customized accounting software uses it.
Correct. The customized accounting software uses SQL Server.
No it's....
while( upgrade.exists() == true )
{
    upgrade.sell
}
See it's much easier this way.
From the article:
Murchie said the bug was a minor problem in Microsoft's instructions for using the software and has been resolved. "It was not a product flaw."
From Neal Stephenson's essay, "In the Beginning was the Command Line":
Commercial OSes have to adopt the same official stance towards errors as Communist countries had towards poverty. For doctrinal reasons it was not possible to admit that poverty was a serious problem in Communist countries, because the whole point of Communism was to eradicate poverty. Likewise, commercial OS companies like Apple and Microsoft can't go around admitting that their software has bugs and that it crashes all the time, any more than Disney can issue press releases stating that Mickey Mouse is an actor in a suit.
Hmm. Perhaps our Russian friends are exercising a bit of well earned scepticism.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Because money is personal and people can relate to it.
Yes, it is sad, but that is the level of most of the public. Put it in terms they can relate to. What if it was THEIR account the money came from?
Nuclear material is something esoteric; something they can't see, touch or relate to. Not able to pay the mortgage due to a bank error, though...
--
Charles E. Hill
Learning HOW to think is more important than learning WHAT to think.
Not true. Data stored on a secure server is only as secure as the clients it trusts to access/modify that data.
If I compromised the client; created an account; and transferred money into it via that client how is the data in the server secure?
It doesn't have to be a newbie or random client off of the street. This is BANK ROBBERY. All it takes is one.
--
Charles E. Hill
Learning HOW to think is more important than learning WHAT to think.
True. However, I was making the logical assumption that if I could compromise the client machine it wouldn't be anything to compromise the username/password of the teller from either packet sniffing; shoulder surfing or the little post-it note taped to the monitor. :-)
--
Charles E. Hill
Learning HOW to think is more important than learning WHAT to think.
Sorry, you're wrong.
I was in a bank the other day asking about opening an account.
The terminal that was being used to look everything up; open new accounts; etc. was a WINDOWS 95 machine accessing the database via a WEB BROWSER interface with JAVA.
It also had an IP address taped to the monitor and they had limited INTERNET access (so they can show their lovely Internet Banking).
--
Charles E. Hill
Learning HOW to think is more important than learning WHAT to think.
Drops one transaction in a thousand? What if instead this was installed at a major bank -- like a Federal Reserve or a National Bank?
A year or so of "dropping" 1 in 1,000 transactions could be quite a sum.
Hmmm...if any banks out there are looking for SysAdmins to implement an MS SQL Server solution -- I'm available!
--
Charles E. Hill
Learning HOW to think is more important than learning WHAT to think.
If you are stuck on this DB server, *always* run your queries twice.
'Course, this'll kill their benchmark. <g>
mefus
--
um, er... eh -- *click*
mefus
In Open Society, GPL Software frees YOU!
The thing is (and it's very odd that you would get such a conclusion from the article. interesting) it wasn't operator error, it is a real bug in SQL Server 6.5 and 7.0. SELECT...WHERE queries miss data at about .1% occurrence.
Unfortunately the original assessment linked to in the earlier /. article has changed.
mefus
--
um, er... eh -- *click*
mefus
In Open Society, GPL Software frees YOU!
No biggie. It runs Mandrake 7.2, Oracle 8i, and Apache/PHP4 so I use it for school and web development. I love that box.
Meanwhile my old P-II 300 creaks along with a four-year old Win 98 install (upgraded from Win 3.1). I use it for internet access (fscking WinModem) and Office 97. It is like a house of cards, where you have to tread lightly lest the slightest touch knocks it down.
I'm just dreading the day when Micro$oft breaks my system with some DLL forced on my system by some Internet Exploder "upgrade". The day that happens I swear I will go Micro$oft free.
It will give me a good reason to play with the various BSD distributions, something I've wanted to do for a while now.
--
You think being a MIB is all voodoo mind control? You should see the paperwork!
A man who wants nothing is invincible
I guess your antivirus company stock is doing well these days!
--
You think being a MIB is all voodoo mind control? You should see the paperwork!
A man who wants nothing is invincible
Yes but it does present another opportunity to point out that MS executives are habitual liars.
War is necrophilia.
As far as I know, they refer to the same thing. Probably got tired of patients jokingly (or, worse yet, seriously), complaining that they're allergic to cats.
--
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Some time ago a friend of mine, 'mike*' who supported enough people that he had an MS rep assigned to him, was beating his head against the wall trying to solve a bug that was causing excel files to be corrupted just by opening them.
His MS support rep kept on telling him, "nope it's a unique problem" you seem to be the only one suffering from this. What are you doing wrong. One day he found out that 'bob', a counterpart at another large company, had been dealing with the same problem for a number of months. He decided to mention this to his MS Rep.
*(names have been changed to protect the innocent)
--
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Oh, so then I guess because "enterprise customers do not tolerate crashes", and the Windows line has the largest desktop OS marketshare, that means that the Windows line hardly ever crashes.
Marketshare is not proof of quality, any more than winning an election was proof of Hitler's moral worth. There are many other factors involved.
Female Prison Rape in NY
The RIAA used them to nuke Napster.
It's 10 PM. Do you know if you're un-American?
Lately it's been one stale anti-MS joke after another with a +5 "Funny" moderation.
Surely you MS-haters must have a better sense of humor.
Maybe the GPL is a cancer, maybe it's not. But at least it's never misplaced plutonium.
... there. That one's even recycled.
- - - - -
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
Microsoft confirmed it, reproduced it, and assigned it a bug number. So... who's full of bullshit here?
- - - - -
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
It's not that every 1,000 transactions are dropped. It's that, with odds of 1 in 1000, a select statement with an order by clause will not return all of the data.
A little less dramatic, but a problem nonetheless.
- - - - -
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
Why so hostile? The original report has the bug number. Other people said they have independently confirmed it. Do you own a lot of MSFT stock or something?
- - - - -
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
I also own a company, and I work for one.
Sure, 'the client' or 'the boss' want to have something they think works. But the important thing is: you know better than they do!
So, you kindly advise them to use the 'right thing'. In the end, it's cheaper to use a un*x platform for most of the jobs, because (you know the drill) un*x is more stable, better to understand, gives you more insight into what software does what. And with Linux you can even fix the software your software depends on because the source is available!
"The customer is always right, but wants to be advised by you!" If the customer wants to use Microsoft software, sure, give it to him. But it might be trivial to give them an alternative that works better because the system below is better.
Want an example? Try giving the customer that wants a web-based application an IIS solution based on ASP and as a comparison show them what a computer with less processingpower/memory/diskspace/etc. and apache/php can do! With less code!
Freedom is a state of mind, not something you can buy.
sig not found
there was absolutely no room to incorporate a larger engine.
actually, some of them came with v6 engines. i also remember having a book of plans for upgrades, and more than one of those plans called for a v8.
alas, i drive something much better these days.
Hey- I just need to speak up, I have no idea about the missing data thing, but as far as "a new security flaw that could give unauthorized people easy access"... that's bunk!
The system password by default on install is blank, Oracle has a default password too, I think it is "CHANGE_ON_INSTALL". So if you happen to install SQL Server and not have the brains to change the default password, then you deserve everything you are about to get. Now I hate M$ just as much as the next guy, but it's a shame that these dorks have to go blaming their incompetence on other people.
Troy
No, the scenario is that a complicated query did *not* return correct results from the database, under certain conditions which are probably still not determined. That is, the bug was not in the SQL, but in the result returned by the database to the SQL query. No amount of auditing of the SQL code would have caught the problem. The code at fault was in Microsoft's domain.
If I ask for sin(0.5) and get 0.479425549 am I really expected to determine that there is a bug in the sin() routine? Or can I reasonably expect that whoever wrote the sin() routine actually should have done their own f*cking job, and properly curse them out when I find that it should have been 0.479425539?
So when Intel's FMUL routine produces an incorrect result, that's not a bug?
Funny, the C programmer asked to multiply two numbers. The programmer of the C compiler told the computer to emit instructions that multiply two numbers. But somehow, the numbers don't get multiplied correctly. We can just say "some Intel designer gave the instructions to the processor, and the processor is just doing exactly that." That is a pretty useless position to take. I don't want a computer to do what some designer mistakenly told it to do. I want it to do what the documentation says it should do, and I want it to do what I have told it to do. And when it doesn't, someone is at fault. That's a bug.
And you are a troll.
From what I can gather from the memo written by the Russians, it is indeed an intermittent bug; the same query run against the same data returns results of differing completeness.
I think your argument about SQL server being used "SO much" is misleading. I believe it is no accident that this incident happened at the Kurchatov Institute, where you have very smart people addressing a serious problem essentially without time-to-market pressures. The priority at the Institute is geared almost completely toward the integrity of their operation, not toward "get this web site running ASAP." In a typical dot-com or non-critical business application, no one is paying close enough attention to notice these 1 in a 1000 bugs, or they are overwhelmed by the 1 in 10 bugs in their own code. How many MS SQL Server users are comparing their results to a parallel paper-and-pencil legacy system?
I find it far more likely that there are bugs in SQL server than in the KI code. The KI people obviously put forth serious effort to isolate the problem and to diagnose it. And they aren't stupid.
As for the sin() example, what I was hinting at is that sin() call embedded into a more complicated calculation. At some level, I have to have confidence the sin() call is actually calculating the sin(). Otherwise, the effort to validate everything down to 10 significant figures in, say, a few thousand iterations of a simulation is simply beyond human capacity. Many times, a computer is being used simply because it would take lifetimes of calculation for a human to know what the answer should be. There is no way to thoroughly audit that. You can run a few sanity checks, and rigorously check your own code, but you really are depending on your vendor.
Your use of the term "system" indicates to me that you have an incomplete definition, that makes your whole point dangerous.
One of the key principles of engineering is that a complex system can be produced by combining well-defined elements of lesser complexity. By restricting the design process to a higher level of abstraction, one can successfully design systems that, as a whole, are beyond human comprehension. That design process depends on the accurate modelling of the component pieces. If one of those components doesn't perform according to spec, then the system can fail, even though the design is sound.
One designer's system is the next designer's component. Consider one component telling the other component to do something, according to spec, and the second component fails to do it. That's not "the system" (i.e. the overall design concept) failing. That's the "component" failing. There's a world of difference between the two.
To the database programmer, MS SQL server is part of the system. A SQL query is "telling the system what to do." If the result of the query is incorrect, the system *didn't* do what it was told, no matter how much you may gainsay it.
Your argument absolves everyone from responsibility. "I told the system to calculate 2+2, and it told me 5. I guess + doesn't mean what I thought it means. Stupid me."
I don't care if it was tongue-in-cheek, your remark suggested a lackadaisical attitude to engineering principles. I hope you think it is funny next time you fly in an airplane---after all, if it crashes, it must have been told to do so, right?
The way I read the memo to Blair, it seems that the Russians didn't want to upgrade to 7.0 because, even if that query bug had been fixed, too much had changed in the security features of SQL Server (including the bug they reported) to be confident that they wouldn't be inadvertently opening a new security hole. I don't know enough about SQL Server to say.
Notice that MS spokesperson is very careful to say that "Only under circumstances (where) the site (had) no password could anybody get to it." Which to me says only that the password protection prevents the underlying flaw from being "usefully" exploited, not that the flaw is the lack of password itself, as many posters have accused.
from http://www.cdi.org/nuclear/nukesoftware.txt
Especially developed tests did confirm that a source of random errors is an error in execution of the 'SELECT' with 'ORDER BY' (sorting by) statement by the Microsoft SQL Server in version 6.5....Microsoft did confirm a presence of this software flaw. This flaw has been filed by Microsoft as flaw No. SRX000403600845.
one more flaw has been detected in the SQL Server 7.0. This flaw has been recognized by the Microsoft and filed as flaw No. SRX000727603512. Principal modifications introduced by the Microsoft in SQL Server 7.0 which are relating to the data security and data protection in a Database, and presence of the said flaw, are considered as creating a direct threat to data security and data protection in the SQL Server 7.0 Databases.
.....end of quotes.....
Also note use of modifications, plural, in considering the security threat, not just the bug reported.
Yeah, I figured the numbers looked weird, but I think that is what most posters were referring to.
Not if there are bugs sitting on the relays :)
"Between strong and weak, between rich and poor [...], it is freedom which oppresses and the law which sets free"
Christmas Jones
God, Denise Richards is a terrible actress....
---
python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
I agree with the Russians: this *is* a big security hole!!
And change jobs, if your current one doesn't let you use the OS of your choice. Despite the dot-bomb crash, the labor market for software engineers is still splendid.
Say no to software patents.
Microsoft only offered a work around, not a bug fix.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
There are a bunch of other comments linking directly to more information about these types of bugs in sql server.
I personally wouldn't worry about it myself, I just would be sure to not write complex queries. But if I was doing ANYTHING AT ALL related to nuclear anything I would probably use Oracle or something, and I'd be sure to track down everything possible on paper as well.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
moderators - please mod the parent accordingly
Sticking feathers up your butt does not make you a chicken - Tyler Durden
IF
opportunity to force customer to spend more money exists, and also happens to delay them with upgrade until you are promoted to another position
THEN
I'm on that sell like stink on shit.
ENDIF
"Blue Screen of Death"
If you have time, read the paper. It explains exactly what the bug is. Any summary is necessarily imprecise; however here's an attempt: the following code works: And the following code does not work: (I'm skipping a lot). If @X is declared decimal instead of int, the bug goes away. This was Microsoft's proposed fix.
Personally, I don't like stored procedures much, particularly Transact SQL which is what this appears to be. In general, a heavy reliance on stored procedures frequently shows a lack of understanding of SQL and data modelling.
I'll grant that they have a legitimate role. However, I've seen them overused. I've seen them used to replace foreign key, unique, and check constraints, even to enforce typing which could have been done by declaring the column correctly. Oracle's documentation warns against the performance penalties of such misuse. I've also seen them used as substitute for JOINs, again by programmers who don't have much grasp of SQL.
Stored procedures are dangerous because they offer a procedural cop-out to programmers from a procedural background. If you're using them correctly, great.
Please take this up with Mr. Terry Pratchett. I quoted it for the sentiment, not the grammar. If not for the character limit, I would have attributed it, too.
-jKarma: T-rexcellent.
I love how the knee-jerk scariness of these things jumps exponentially when the word "nuclear" is present. I realize it's justified, at least in this case, but I still find it amusing.
-jKarma: T-rexcellent.
Since when did the matrix become a philosophy text, and Keanu Reeves a Philosopher? As bill and ted would say: EXCELLENT! ::air guitar::
Not quite. It was Christmas Jones who was de-arming the bomb and she was using her HP Jornada to interface with the bomb.
Bush : How can we keep those pesky russians down?
Gates : Don't worry about it. We got you covered. We give them buggy versions of our software. They're spending way too much time working around our bugs to be giving you a hard time on anything significant.
Bush : Thanks. I'll see to it that the antitrust case is closed.
(Gates in a snickering whisper to Ballmer) : Wait 'till he finds the bugs in the software for NMD.
Stop the brainwash
MS is trying to move into the nuclear arms industry. By making some nukes "disappear", they can squat on the arms dealer business, forcing people like the mob out of business.
I am !amused.
You should try a visit to your local University's Nuclear Science Department or your local power plant's Reactor Engineering Department. There you will find the FORTRAN codes that people use to keep track of their inventories. The stuff from GE (3D Monocore) and Siemens comes with some strings attached, but the source is certainly open and long standing legacy stuff. Codes from places like Oak Ridge (SCALE an example) and Los Alamos (MCNP an example) are also open source, if not free. Bugs of the kind that produce computational errors are not tolerated at all. Some assembly may be required, but if your build does not produce the same results as previous proved cases IT DOES NOT GET USED.
I've written a few dinky codes of my own for classes. Other people in those classes have contributed to the real packages. It's fun work, nothing LEET about it.
Friends don't help friends install M$ junk.
The headline could have been "M$'s Munchie insults Russian government and scientific community by Blaming the User (TM)." Sounds like news to me.
Friends don't help friends install M$ junk.
True! and a good scientist would never trust MS.
I can't imagine using closed source programs for nuclear materials and I have not seen it either except for the most mundane additions and plotting. Some fool might be trying something more elaborate somewhere, but all software used in the US for this kind of thing has elaborate trails, proving and QC. This should serve as a wake up call to people trusting closed source junk on PC's for less critical, pun intended, applications.
Friends don't help friends install M$ junk.
This is just so typical. Certainly no one else runs complex code in a database environment.
Nuclear Magnetic Resonance Imaging is referred to in medicine as MRI (rather than NMR) NOT because of public fear of "nuclear" thingies, but because of a simple issue of hospital politics: Use of the word 'nuclear' meant that the Nuclear Medicine departments started saying that they should be the ones to get the machines, the techs, and the money, rather than radiology.
Since radiology was obviously the best place to put it (as they already have control of the X-Rays, CT scans, and various other imaging technologies), the name was changed to MRI to shut the folks in nuclear medicine up.
No wonder there are fireballs hitting the U.S. East coast.
I'm the big fish in the big pond bitch.
Both of them?
If programs would be read like poetry, most programmers would be Vogons.
hee hee hee *wipes tears from eyes*
That was one of the very few really rofl-type funny statements I've ever read on slashdot. "World class sportscar". Hey, you made me laugh so hard I snorted!
Microsoft use internally to keep track of bug reports...:-)
_O_
_O_
.|< The named which can be named is not the true named
And, FYI, I do own my own company. That means instead of pointy-haired bosses, I have pointy-haired clients. It's not really any different - they still sign the checks, and if I want to get paid, I have to do what they want me to do. In many ways, you have less freedom when you own your own company than you do when you work for somebody else. You don't own the company, it owns you.
In case you've never owned your own company, let me teach you an important saying: "The customer is always right". Even when he wants you to use Microslop software. If you want big corporations to do business with you, you have to play the game by their rules. If you start copping that holier-than-thou attitude with your customers, you are going to find yourself down at the courthouse filing for bankruptcy in very short order.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
Probably a standard response.
IF
problem
THEN
Upgrade to a newer version
ENDIF
Hacker: A criminal who breaks into computer systems
"Information wants to be paid"
now, _that's_ a bug!
---
There is much cruelty in the universe, John.
Yeah, we seem to have the tour map.
Maybe they should've gotten Taco to write their system - that way Microsoft would've just given up instead of offering them a patch!
Billg: That's it - this code reeks - I'm outta here.
Ballmer: Wow - I can't believe this guy talks so much trash about us when he writes code like this....
Billg: He's one of those sicko anime sex freaks - what did you expect?
I know I didn't expect anything more. I sure as hell hope none of you did either.
Gam
I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.
To me, this just screams "race condition": two threads weren't synchronising correctly with each other. This not only explains why it wouldn't happen every time (sometimes the threads interact properly, sometimes one clobbers the other), but the variability due to processor speed. Race conditions can be very subtle bugs, and not at all evident even on close inspection of the code. They tend to show up more under load.
The nature of bugs (especially MS bugs) is that not everyone experiences the same bugs. Just because you haven't seen it doesn't mean others haven't. I've seen documents that crash Word on some computers and not on others, even with the same version of Word. And if it wasn't an SQL Server bug, why would changing from one version of SQL Server to another affect it? Microsoft acknowledged the bug existed but said it didn't appear at "other customer sites" (all other sites? the majority of them?), downplaying its significance. As Bill Gates said, "There are no significant bugs in our released software that any significant number of users want fixed."
How the hell could a Fiero with a small inline 4 be a threat to a world class sportscar. I rebuilt one of those with my friend and his brother and there was absolutely no room to incorporate a larger engine. And the price difference was about 2x.
Chevy may have hated it, but it was not because the Fiero threatened the Corvette. They are in two different market segments. That's like the PT Cruiser threatening a Viper.
Remember, You are unique...just like everyone else.
Comment removed based on user account deletion
Yes, the US government has been spending billions on the nuclear waste disposal problem. Microsoft has the answer. MS SQL Server will get rid of nuclear waste. Definitely a much cheaper solution. I'm going to go and buy some MSFT stock now.
134340: I am not a number. I am a free planet!
The code is doing exactly what the programmers' instructions tell it to do.
--------
The ivory tower has never had to reach so h
You proved my point when you said when it doesn't, someone is at fault. Someone, along the way, programmed it wrong. It may not be your mistake, but someone along the way made it. The system is only doing what it has been told to do, which in this case, would be the wrong thing.
As for you calling me a troll (unless, of course, that is your sig), not only do you have no idea what a troll is, you also don't know how to identify a tongue-in-cheek remark.
--------
The ivory tower has never had to reach so h
What if it was Pontiac Fiero. If I recall correctly, only 1 in a 1000 was catching fire. Hey, the total production of the Fiero was less than 350 thousand cars, so they only lost 350, no big deal right
That's a good way to share technology and sabotage your enemy at the same time.
Make them use Microsoft.
disclaimer: no offense intended
Funny that you mention this as I just remembered "The World Is Not Enough" when the bomb ;-)
which explosion James Bond is trying to abort is equipped with a WinCE interface.
Maybe were the filmmakers less interrogative than you are.
--
Trolling using another account since 2005.
Why are you testing if a boolean == true? What value are you expecting to get back?
Those pesky Russians, they probably forgot to use the scroll bar to see the rest of their query's results.
It is a feature.
+++ UGUCAUCGUAUUUCU
of the nuclear material. My country (Brasil) doesn't.
Remember Goiania ? The cracked Cesium-137 capsule ?
--
What ? Me, worry ?
I thought free software threatened national security and the american way of life.
I would search my quote database for the name of the person who said "Don't throw stones in glass houses," but given that it's the 1000th transaction of the day, I'm experiencing technical difficulties...
Let's get drunk and delete production data!
but then, I already hate those bastards. I'll just point non technical people to the article and they'll be impressed with how MS "runs things"
"The Most Fun Possible on 4 wheels" is at SunBuggy in Las Vegas
Clearly, you weren't using either:
MacOS, Windows, BeOS, GNOME, KDE: they're all just Xerox copies
Is that why the reactors are all CE-ME-NT? Har har.
This is another total non-story from /. Let's see - the Russians customized a solution on ONE sql 6.5 box, and did not lose data, but rather it was hidden from them. I've seen many companies running 6.5 for years with no such troubles.
Then the Russians upgraded to 7.0, and complained that everything was fine except for a possible security violation - "... Only under circumstances (where) the site (had) no password could anybody get to it."
Wow - so newsworthy!
In the quest to post as many articles bashing M$, the quality of the posted articles is approaching the level of the World Weekly News.
The Headline "Nuclear Materials System Not Buggy" is misleading. When you read the article, the main two arguments for saying that M$ has buggy code are:
1). Users of SQL Server are able to code software that can screw up the database.
2). When you don't put a password on admin accounts, it causes a security vulnerability.
These two assertions are true for EVERY database server, not just M$. Anyone who has write/commit privileges to database tables has the ability to screw up the database - this is not a SQL Server issue. And if you don't put passwords on your accounts, it is your own damn fault for introducing a security vulnerability.
I'm all for M$ bashing - when they deserved to be bashed (and there are plenty of areas where they deserve this). But in this case, the article is nothing more than anti-M$ propaganda.
"Microsoft has made computing accessible to a population who would otherwise not be able to use computers" - B. Kernigha
Is it just me, or do people try and get so clever shoving links into the article that you can't even tell which one goes where?
I meant 21 MILLION, not billion. Sorry.
--- Don't be a player hater: I meta-mod ALL negative mods as Unfair.
My scenario was pretty complicated too. The point is that the server responded the same way every time according to the way it was programmed. Now I'm not saying that there weren't any bugs in 6.5 or 7.0 for that matter, but you would think that the programmers would have checked their code for something this important. Judging by the "security hole" of not changing the default admin/sa password, I would say the chances are pretty heavily in favor of bad programming. To give them ~some~ credit, it is pretty easy to code in a "bug" when you're dealing with complex SQL and a lot of data that may have special cases. Still, it's NUCLEAR material!
--- Don't be a player hater: I meta-mod ALL negative mods as Unfair.
I won't positively rule out that there was some fault on MS's part. I'm just saying that in the dozens of SQL Server applications I've worked on and for the hundreds of clients I've worked with who have SQL Server projects, NONE of us have ever run across a bug that loses records. And I've programmed some really weird stuff on occasion. What could really be that complex in an inventory management system, even if it is for nuclear materials that thousands of others wouldn't have run across as well? And if you read the updates in the service packs for SQL Server, you'll see that MS patches some pretty arcane stuff.
--- Don't be a player hater: I meta-mod ALL negative mods as Unfair.
That's why I stated in my comment above that a competent programmer audits not only his/her code, but also the results of that code. Perfectly logical code may still not return what you intend because you forgot to account for some special case. I don't see anywhere in the articles on this that the same query run against the same data will return different results on subsequent runs. If certain data sets cause the query to behave not as expected, then the query needs to be modified to account for whatever the special case in the data is.
I've written way too many queries with way too many special cases to believe that one of them would just start skipping records without it being caused by something in the data I forgot to account for.
Your example is too simple. I believe this error is more likely to be something like your sin function above being used in a calculation that works 999 times out of 1000, but that 1000th time you multiply it times something that causes it to lose significant figures because the data type you're using doesn't have enough placeholders and you get a bad result. That said, if it really was actually returning a bad result I certainly wouldn't blame you for properly cursing out the culprit. It's just much more probably the result of an error in the user's code than in a product that gets used SO much. But anything is possible, however unlikely.
--- Don't be a player hater: I meta-mod ALL negative mods as Unfair.
I think the first part of your post supports my position rather than opposes it.
As for lack of continued support of a product without having to continually upgrade to newer versions at additional cost, I agree with you. That sucks.
--- Don't be a player hater: I meta-mod ALL negative mods as Unfair.
I can't see why open software would be any better than closed software in this case. Hey! I found a bug in my nuclear materials storage database, let's ask 10,000 unknown persons if they can take a look at it and fix it. Meanwhile, they've all moved on to the next "l33t" thing and abandoned what I'm running. I believe that in many cases it's more important to hitch your wagon to someone who you know will be around and have a vested interest in keeping you and others like you happy.
--- Don't be a player hater: I meta-mod ALL negative mods as Unfair.
And what is this bug number? Have you got information not stated in any of the articles listed above and just haven't given us the source? Is that because it isn't true and you're just posting because you don't like Microsoft?
If you've got something to back this up then I'm interested, otherwise I think the answer to your question is, "you are."
--- Don't be a player hater: I meta-mod ALL negative mods as Unfair.
I went to Iowa State University in Ames and did have some dealings with both the nuclear engineering department and the U.S. DOE facility there through the physics department and have written a fair amount of FORTRAN myself, though several years ago now.
If the customized accounting package at the one facility that had the error was based on standards and peer-reviewed to be more like the packages at all the other facilities that DID work then maybe they would have avoided the problem in the way you describe above.
Enterprise customers don't tolerate computational errors either and the proof is in the marketplace, where SQL Server is gaining marketshare, not losing it.
It's also worth mentioning that the systems you describe above are designed for a specific purpose and can afford to stay mostly "legacy" because they don't support thousands of different businesses that use them for thousands of different purposes. Maybe the Russians should have used something time tested for their accounting software, but their database engine software works just fine.
--- Don't be a player hater: I meta-mod ALL negative mods as Unfair.
Cmon, a lot of bugs DO get fixed when people complain or otherwise MS would never have grown into the behemoth that it now is. Ever heard of a service pack?
But I agree that they don't always fix their bugs in the existing product, instead forcing you to upgrade (paying more money of course) to a newer version that now no longer contains the original bug. That is wrong. Upgrades should be driven by new features (real features, not MS PR department's use of the word), not fixing bugs. I think this is usually the case, but sometimes MS lets go and stops supporting old products too quickly.
--- Don't be a player hater: I meta-mod ALL negative mods as Unfair.
I'm not being hostile. Your post insinuates the insult. I simply provided a possible answer to your question. I'm seriously interested in the bug number and I didn't see it (and still don't). Am I just overlooking it? Your first post sounds a lot like unsupported bias and I'm afraid I'll keep taking it that way until I see the proof in the pudding. And no, I don't own any MS stock and don't have any vested interest in their wellbeing other than I think they have driven the market to a much better place than it would be without them, regardless of whether their products are actually the best.
--- Don't be a player hater: I meta-mod ALL negative mods as Unfair.
Basing code on the sysobjects table is a bad idea in general though it has its uses. Personally, on a database as important as this I would never even think of basing my code on system objects. Also, this code really doesn't make any sense in the context of what the problem reportedly is, since sysobjects of type 'P' are stored procedures and not records of data. Why you would code anything like this other than for some kind of database modelling tool is unclear to me. What are they doing? Making a list of all stored procedures and then running them to put together their data set? That would seem pretty silly.
Your conclusion about stored procedures is entirely misguided. On SQL Server, stored procedures provide performance improvements since the server can create execution plans based on table statistics to maximize performance in most cases. Running adhoc SQL against the database does not allow for this performance boon. The only way using a stored procedure shows lack of understanding is if you use it without being able to write it. Even that is a potential benefit since you can then build on the work of programmers more experienced and knowledgeable than yourself.
--- Don't be a player hater: I meta-mod ALL negative mods as Unfair.
That's an interesting thought, but I think a threading bug would have turned up a lot more frequently than just the Russians and it would have received enough attention for a patch. But you might have something here.
What I can't figure out is why they refused the patch? Why would you do that? Someone else in this series of discussion suggested that they would have to modify a bunch of their source code and they didn't want to. If that's the case I don't know how this could be seen as a SQL Server bug since thousands of other custom clients attach to SQL just fine and don't have these problems. I don't know where they got that information, though, so it may not be true.
--- Don't be a player hater: I meta-mod ALL negative mods as Unfair.
But aren't these the same people who complained there was a "security hole" in SQL Server if you didn't change the admin/sa password from its default of blank? They don't seem like they're very knowledgeable about the database they're using if that's the case.
There are millions upon millions of transactions running on SQL Servers every day. MS really wants to take the enterprise database market away from Oracle and they can't do that with this kind of bug. That isn't to say one couldn't exist (especially in 6.5), but this is just way too random not to have been noticed and patched before. When they start refusing patches as it states in the article (why!?!) I start thinking they're covering for their own embarrassment. Why didn't any of the other installations have this problem and only the one site was affected?
--- Don't be a player hater: I meta-mod ALL negative mods as Unfair.
There's a big difference between some worker's desktop crashing and the database server your company depends on having errors. I agree marketshare is not proof of quality, but when Oracle and others have such a grip on the database server market, someone moving in as substantially as MS has in the last few years indicates a matching (if not better) mousetrap.
--- Don't be a player hater: I meta-mod ALL negative mods as Unfair.
I don't think that's the case. When you install SQL, it has the master "sa" account. You have to set a good password for this since it has the power to do anything.
--- Don't be a player hater: I meta-mod ALL negative mods as Unfair.
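A check for the blank-password condition argued over in this thread, as an added example that is not code from the article or from Microsoft. It assumes a current SQL Server release, since it reads the sys.sql_logins catalog view rather than the 6.5/7.0 system tables.

```sql
-- Added example: report SQL logins whose password is blank or trivially
-- guessable, and whether the server accepts SQL logins at all.
-- Run as a login allowed to read password_hash (typically a sysadmin).

-- 1 = Windows authentication only, 0 = mixed mode (SQL logins such as sa accepted).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

SELECT  l.name,
        -- The built-in sa login keeps SID 0x01 even when it has been renamed.
        CASE WHEN l.sid = 0x01 THEN 1 ELSE 0 END AS is_builtin_sa,
        l.is_disabled,
        l.is_policy_checked,
        CASE
            WHEN PWDCOMPARE('', l.password_hash) = 1     THEN 'blank password'
            WHEN PWDCOMPARE(l.name, l.password_hash) = 1 THEN 'password equals login name'
            WHEN l.is_policy_checked = 0                 THEN 'password policy not enforced'
        END AS finding
FROM    sys.sql_logins AS l
WHERE   l.name NOT LIKE '##%'          -- skip internal certificate-based logins
  AND ( PWDCOMPARE('', l.password_hash) = 1
     OR PWDCOMPARE(l.name, l.password_hash) = 1
     OR l.is_policy_checked = 0 )
ORDER BY is_builtin_sa DESC, l.is_disabled, l.name;
```

An enabled row with is_builtin_sa = 1 and a 'blank password' finding on a mixed-mode server is the configuration the commenters describe.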
And I've written code that didn't work correctly. Then I fixed it when I audited my results. Almost all complicated software has quirks in it. Should it be fixed? Yes. Do people handling nuclear material records have a responsibility to audit their code regardless of whether bugs might exist? Also yes. A good programmer checks the results of their code as well as the code itself.
--- Don't be a player hater: I meta-mod ALL negative mods as Unfair.
I ran a SQL Server 6.5 database that handled 7GB of data a month and processed around 21 billion transactions on that data, then countless more on the "rolled up" summaries. We had a general ledger to reconcile with and I think we would have noticed missing records if they occurred every 1000 transactions. SQL 6.5 was a pain in the ass and 7.0 is a lot better. It still has some problems, but I think these reported "bugs" are more bad programmers than bad server software.
--- Don't be a player hater: I meta-mod ALL negative mods as Unfair.
I've used SQL Server for years... not because I want to, but because the company I work for prefers it. I've never seen such a problem of dropping every 1000 transactions. But there is one particular thing about this story that bugs me (no pun intended)... if the bug isn't in Microsoft's software, as they contend, then why did they tell the Russians to upgrade to a newer version to solve the problem???
---
Developers: We can use your help.
:)
- Dan I.
Read the e-mail exchange between Blair and the Russians here. Plenty of details on the problems with MS SQL server, and apparently both sides agree that this is pretty low quality software.
I just hope their engineers are 100% sure that it was just isolated to that one lab in Russia. If other labs in the US encounter a similar issue AND the public finds out about it - Microsoft will be in a err, difficult position.
I find it interesting that the Russian lab rejected Microsoft's offered fix - what's that all about? I'd love to know why they did that.
Top Most Bizarre/Disturbing Error Messages
Actually, the EULA for NT4 Server states that it shouldn't be used for mission-critical tasks, such as controlling a nuclear power plant. The reason? It contains Java technology.
... ...
Yeah, right. I'm sure that's the only reason
Please, excuse me now while I fall from my chair laughing
---
morcego
What I really would like to see is a Nuclear Reactor on Redmond, controlled by M$ products. If the product fails, it just melts down. I think that is the only way to make M$ products suck a little less. Considering, of course, that they could fix them in less than 24h, that is the approximate time it would take the reactor to melt down with the first rWin crash.
No, really. What scares the sh1t out of me is that someone would seriously consider AND use M$ products in a nuclear facility.
---
morcego
Nuclear weapons in private hands...
The flaw is available in http://www.cdi.org/nuclear/nukesoftware.txt
;)... I'd be interested in what someone with a SQL6.5 box generated.
Basically, random errors appear in this structure:
DECLARE @X int, @T varchar (255), @R int
select @X = 0
SELECT @X = id FROM sysobjects
WHERE id > @X AND type = 'P'
ORDER BY id DESC
select @R = @@ROWCOUNT
/*** COMMENT: Printing our resulting value of @X and @R ***/
select @T = 'Resulting value of @X = ' + convert(varchar, @X)
PRINT @T
select @T = 'Number of records in data set @R = ' + convert(varchar, @R)
PRINT @T
GO
The values of @X come out randomly wrong. They give a few examples of stored procedures which use that structure, and suggested workarounds.
They all work fine on my SQL2k box (damn well hope so since they recommended an upgrade to fix it
--
Convictions are more dangerous enemies of truth than lies.
Convictions are more dangerous enemies of truth than lies.
- Nietzsche
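The result audit that several commenters in this thread call for, applied to the idiom quoted in the comment above, as an added example that is not from the memo or from Microsoft. It assumes the idiom is meant to leave @X at the smallest id above its previous value (the last row of the descending result), and the variable names other than @X and @T are hypothetical.

```sql
-- Added example: walk the stored-procedure ids with the quoted idiom and
-- cross-check every step against an aggregate that does not use ORDER BY.
SET NOCOUNT ON

DECLARE @X int, @Prev int, @Expected int
DECLARE @Steps int, @Total int, @Bad int, @T varchar(255)

SELECT @X = 0, @Steps = 0, @Bad = 0

-- Independent row count to reconcile the walk against.
SELECT @Total = COUNT(*) FROM sysobjects WHERE id > 0 AND type = 'P'

WHILE 1 = 1
BEGIN
    SELECT @Prev = @X

    -- Trusted answer: the smallest id above the current position.
    SELECT @Expected = MIN(id) FROM sysobjects
    WHERE id > @Prev AND type = 'P'

    IF @Expected IS NULL BREAK      -- walked past the last procedure

    -- The idiom under test, as quoted in the comment above.
    SELECT @X = id FROM sysobjects
    WHERE id > @X AND type = 'P'
    ORDER BY id DESC

    IF @X <> @Expected
    BEGIN
        SELECT @Bad = @Bad + 1
        SELECT @T = 'MISMATCH after id ' + CONVERT(varchar(12), @Prev)
                  + ': idiom gave ' + CONVERT(varchar(12), @X)
                  + ', MIN(id) gave ' + CONVERT(varchar(12), @Expected)
        PRINT @T
        -- Resynchronise on the trusted value so the walk always advances
        -- and the remaining rows are still checked.
        SELECT @X = @Expected
    END

    SELECT @Steps = @Steps + 1
END

-- Reconcile: no mismatches, and one step per procedure counted up front.
IF @Bad > 0 OR @Steps <> @Total
BEGIN
    SELECT @T = 'AUDIT FAILED: ' + CONVERT(varchar(12), @Bad) + ' mismatches, '
              + CONVERT(varchar(12), @Steps) + ' steps for '
              + CONVERT(varchar(12), @Total) + ' rows'
    RAISERROR(@T, 16, 1)
END
ELSE
BEGIN
    SELECT @T = 'Audit passed: ' + CONVERT(varchar(12), @Steps) + ' rows walked'
    PRINT @T
END
GO
```

Procedures created or dropped while the walk runs will also trip the final reconciliation, so run it on a quiet database.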
"At any rate, they were afraid," Blair said. "The Russians were very concerned that this posed a grave problem on the U.S. side."
You think so? Why would the Russians be worried about United States operations? After all, we have the Microsoft database server to protect our data and nuclear weapon reserves, and the DMCA to protect our free speech.
Lawrence Lessig is my personal hero.
"No nuclear materials were ever at risk..."
"IE was not illegally 'tied' to Windows..."
"MS is not a monopoly..."
"Ok, if MS is a monopoly, we are a good monopoly..."
"Consumers will benefit from Windows being able to do everything ..."
"Consumers want us to control the world..."
"I've been made King? Awww, shucks! You really shouldn't have..."
Laws affecting technology will always be bad until enough techies become lawyers.
I'm an American, you fuckwit.
Is your company running tools written by ma
...if ppl would take the time to read the whole story they would see it was NOT Microsoft's fault, it was the modified software the Russians used. geeeeee if i modified some linux software and didn't do it correctly i could claim linux was full of bugs, and post to a ms forum about how buggy it is, wouldn't be true, but neither are the post blaming ms for the problems... PS, are the errata pages for the linux community just there for giggles or could it be it has bugs that need fixed, same as microsoft OS's? band wagons are small to start, and grow to make room for as many fools willing to jump on-board...
karma, hah...
...The Green, Glowing, Radioactive Cloud Of Death
Oh wait, that's the meaning it already had...
--
324006
We had two thefts of nuclear material in Germany. One near Karlsruhe and one in Bavaria (which isn't approved yet). ;-)
Maybe they're also using the same or a similar system
Sorry, it was my bad english... ;-)
This doesn't really seem to shed any light on the previous articles about this. Is this just another excuse to slap Microsoft around a little bit?
--
Do not taunt Happy Fun Ball(TM)
Does anyone else find it VERY disturbing that the Russians didn't bother changing the default password on their database? I'm glad that the Los Alamos laboratory wasn't vulnerable to this "bug"!
Being Liberal should be a Crime!
It appears (we had no access to the source, so I can't do better than that) that if you have a complex select statement, with several nested sub-selects, you can get SQL Server into a state where it caches the query plan (roughly, the "compiled version") of some of the sub-queries from one execution to the next. This query plan sometimes acts as if it (incorrectly) includes information derived from other sub-queries as if it was constant. If in a subsequent use the value of these stored "constants" has changed, the where-clauses can fail, causing the loss of rows in the result set.
We went several rounds of reporting it to MS, bogged down on the "can you produce a simple case that exhibits the problem" phase, and wound up instituting coding guidelines to break such queries into multiple pieces using temporary tables.
Consequently I know that there are at least some bugs that are not seen by most users, and am more willing to credit this report than I was before I heard the keywords "SQL server" "complex queries" and "missing data".
-- MarkusQ
1) The bug was in the CUSTOM SOFTWARE that the Russians were running against the database.
3) The security "flaw" in the newer version that they upgraded to was only there if NO PASSWORD WAS SET. Well, of course there's going to be a security issue if you don't set your passwords!
It's about time Slashdot took some time to actually READ the stories they post.
--
One more post on the journey to negative Karma history!
M$ just wants to acquire the resources to take on AOL-Time-Warner-Amazon...
Be part of the world's largest collaborative work of art: http://www.paintthemoon.org
why did they tell the Russians to upgrade to a newer version to solve the problem???
...to make more money, of course!
http://www.themeparks.ie
I'm astonished that Russians trust software made by a US company to look after state secrets of this nature...
http://www.themeparks.ie
I wonder how stable Windows CE for Nuclear Warheads(R) is. Of course we should expect a Mushroom Cloud of Death(TM) instead of a BSOD, though...
http://www.themeparks.ie
Wow, u should sell that excuse to MS, they'll love it maybe even give you a job
http://www.gamedev.net/reference/articles/article
I'm sure they did test the software quite well but on systems like SQL Server it is tough to run through every instruction and every control branch that the code contains. Even on a simple nested loop with a few conditional tests there are hundreds and possibly thousands of values that may have to be tested to take everything into account depending on how complex the conditional tests are. If systems were tested exhaustively they would never be released as they would be in perpetual test mode. And the fact remains that it was custom code that was causing the problem.
There is no great news that MS makes crappy software. This will just make the bug-list a little bit longer
"Bugs exist, and they get fixed," said Nancy Ambrosiano
code... test...code some more...test some more... code... and finally release "The fact of the matter is, any insider with access to an application can corrupt software and divert anything for their own nefarious purpose," Murchie said.
I guess this is right, but what about testing the software before the release?
If it's wet, Drink it!
If it's wet, Drink it!
"It's operating as intended", Bill Gates chuckles to himself as he closes the view port on his ever growing stockpile of weapons-grade nuclear material.