so you've never heard of internet anonymizing services?
what if every single request was to "http://www.example.com/fetch" and included encrypted parameters about what URL to fetch, and returned an encrypted response?
... and i mentioned that the tethering apps would continue to "make such reports" that would match what the telcos would expect for a non-tethered phone.
so the thing that requires "replacing/fixing" in this example is direct use of SQL, but the user is to blame for the exploit?
why is "microsoft" and "internet" still keywords, but now "sql" has now been removed after a few people wrongly complained? you're basically saying using SQL on its own is very wrong, but SQL is not to blame.
the line of thought is that SQL is the last place that malicious input penetrated in this attack.... SQL's inherent non-use of variable parametrization was exploited. SQL was exploited.
considering most phones that do tethering are jailbroken or completely open to developers, how are you suggesting the carriers continue to spy on local wi-fi traffic? you don't think the tethering apps would tweak those APIs to give the numbers the telcos were expecting?
making tethering illegal is not enforceable because no one can prove you were tethering. similar to how no one can prove you were THINKING about killing someone.
making tethering illegal is the same as if netflix made it illegal for anyone else to watch the movies you rent with you.
so because people want the feature that was used to exploit it, exploiting that feature is no longer considered an exploit. not hard to understand at all.
most scripts use query parametrization libraries on top of SQL... so when the script author chose to not use a more secure way of utilizing SQL it suddenly becomes an exploit of something else?
on 9/11 was the airplane exploited, or the gasoline? everyone is to blame, and protecting a method of instructing a server to do something that doesn't inherently protect against malicious user input serves nothing.
if your front door had a lock that could be opened by anyone pushing a button clearly marked on the outside, and a robber pushed the button and came in, would you consider that a fault of the lock, the door, or the house?
buddy, i never claimed you would get service forever... i claimed that they couldn't make any legally enforceable rules directly relating to tethering, because they couldn't prove you did it. now you respond that your original argument doesn't matter because they can still cut you off... of course they can. it doesn't mean you weren't wrong.
it is due to sql... if the databases and website frameworks forced a different query language that forced variable parametrization, there wouldn't be any injection risk.
there is a difference between "knowing" something and being capable of "proving" it. in the end it's all just network traffic originating from the phone.
Doesn't really matter, what they're doing is illegal also, and they're rather unlikely to turn you in.
so they did something that is covered by a $500 fine... you did something that is covered by a felony with jail time enforced by people who are particularly sensitive to the crime you've committed. and who did you commit this crime against? someone who is willing to call random people and lie to them to extract their money. so what do you think a telemarketer fully aware of the situation would do next? i'm guessing it goes something like "give me $3,000 or i report you"... are you going to turn them in for extortion?
what they are doing is covered by fines... what is being suggested in retaliation is a felony. that does matter.
i'm also pretty sure they would never call you back at a number different than the one they originally called.... but, for science, i promise to you: the next telemarketing call i get, i will request they call me back on my out of state cell phone number, and report back here. i'm over 90% sure they won't call, and also that no telemarketer would ever call, but, perhaps i'm underestimating their greed.
yeah, go buy some condoms and screw all the hookers with AIDS you can find.... YOU'RE PROTECTED!
if the database server required queries to use parametrized variables, there would be no room for injection exploits.
you're not even sure what you yourself consider?
which is the same as making it illegal to think about killing someone. PROVE IT.
anyone else own a calculator?
whoops. someone else pointed out the theoretical max was around 1.5TB a month... swayed my math.
if SQL forced variable parametrization, there would be no injection risk. this most certainly is an exploit of SQL, not IIS.
always some mundane detail, right? pesky decimal places.
you can't prove they were tethering, so you can't build rules on top of an assumption that you can.
do you care that they don't care?
impersonate a 911 dispatcher
impersonate a firefighter
impersonate a journalist