Just as a followup to this, it's not actually a fault or exploit in MSSQL or IIS; just that the SQL being injected is specific to MSSQL and completely valid. This can and will happen in any future version of IIS or MSSQL unless specific action is taken by Microsoft to prevent the underlying technique used to do it, which is unlikely as it will break a large percentage of perfectly legitimate applications.
The same attack could probably be modified to hit Oracle, MySQL, or other DBMSes with minimal effort. I don't even really know why IIS is even mentioned as the actual server software is irrelevant. This attack would just as easily hit MSSQL databases with website front ends hosted on Apache or pretty much anything else, no code changes needed. This isn't even the first time this has happened. A couple of years ago pretty much the exact same script was used to deface sites on about the same scale as this one did.
The blame should be placed on the developers of the poorly written 3rd party software that doesn't sanitize its inputs or (preferably) use parameterized queries and stored procedures.
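The point about parameterized queries in the comment above, shown as an added example (not code from the comment or from any of the products it mentions). It uses Python's standard-library sqlite3 module rather than MSSQL, which is an assumption made so the example runs offline; the placeholder syntax differs per driver, but the principle is the same for any DBMS: string-concatenated SQL lets a quote character in user input change the statement, while a bound parameter is only ever data.

```python
import sqlite3

def make_db():
    """Constructed in-memory sample table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn

def find_user_unsafe(conn, name):
    """Vulnerable form: input is concatenated into the SQL text.

    A single quote in `name` ends the string literal and the rest of the
    input becomes SQL. Returns None when the resulting statement is not
    valid SQL, which is how the bug usually shows up first in the logs.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None

def find_user_safe(conn, name):
    """Hardened form: the value is bound as a parameter.

    The SQL text is fixed; the driver passes `name` to the engine as data,
    so quotes or keywords in it can never alter the statement.
    """
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]

if __name__ == "__main__":
    db = make_db()
    for value in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(value), "unsafe:", find_user_unsafe(db, value),
              "safe:", find_user_safe(db, value))
```

A legitimate name containing an apostrophe breaks the concatenated query outright, and an input that closes the quote and appends a condition turns a one-row lookup into a dump of the whole table; the parameterized version returns exactly the row that matches the literal string, or nothing.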
As a web developer, I've always used the history window in Firefox as a base for my time tracking - gives me a pretty good idea of how many hours I spend browsing Slashdot and how many minutes I spend on customer websites.
Google Wave has to actually be forwards and backwards compatible with e-mails if it ever stands a chance of replacing it. That means people seamlessly being able to send e-mails to myaddress@googlewave.com and having them appear in my inbox, and having my replies (as waves) send out e-mails as replies if any of the participants in the wave is an "e-mail" participant.
And bots really don't count. It has to be tightly integrated into the system.
So the companies have to make a cost analysis and decide what brings in more profit: screwing with your current costumers to gain some file sharers, or lose those file sharers that would pay but make your costumers happier. As long as the first option brings more money, they won't change.
Much like Sony's hardware and software manufacturers, Sony's costumers are known for their wardrobe malfunctions.
I disagree with that last part - online gambling always tells you exactly how much you lose. It's much easier to put a value on the computer telling you that you lost $800 than it is to just toss another 8 black chips on a table.
This is more or less what I do. The tables I make typically aren't 5-level nested monstrosities with spacer gifs and col/rowspans all over the place. It's usually only one or two levels deep, with the content placed into properly-styled DIVs with margins and paddings as appropriate.
It doesn't work perfectly (the DIVs won't grow vertically in any browser as they shouldn't, and the DIVs won't grow horizontally in IE6/7 with table cells like they should), but I refuse to deal with hacks like 100% heights, +1000000 paddings with -1000000 margins, and having to overflow a margined div to get clears inside the div to work properly and just accept that scrollbars will randomly pop up.
I'm still a tables guy - to me, doing anything remotely complicated in CSS is completely unintuitive and backwards, and requires ridiculous hacks before you even get to IE (no vertical alignment? lack of proper columns?). The real problem with web layouts today is that neither HTML Tables nor CSS were designed with layout in mind, so everything requires far too much effort to set up properly. To me, I'd rather deal with the (much smaller) hassle of using tables for layout than deal with the significant hacks to get around the severe limitations of CSS.
Hopefully when CSS3 gains some more widespread acceptance and some of the layout-oriented modules (the CSS3 table ascii-art module and/or the Flex Layout module) gain some traction, I'll be able to switch over.
This is actually a stupid article, as it doesn't even bother to describe the platform which has the vulnerability in it. It's not a platform or database issue if it's a SQL Injection, so it must be some app that is common... like a CMS package or blog engine... something like that.
It doesn't matter. It's not an attack on a specific web server, CMS, or even database engine. The ONLY thing that matters is if the underlying scripts driving the website are poorly written and vulnerable themselves.
It's not difficult to write something that spiders websites and attempts injection attacks against querystring variables that the individual site commonly uses. The exact same thing happened either late last year or early this year. Now in that instance, that was specifically targeted for MS SQL Server, but it's not hard to imagine a completely platform-independent version.
One of the major features of the patch was adding a new LFG system that literally makes finding a group trivial. If you're just looking for a random instance, you'll be in a group within minutes. If you're looking for something more specific how long it will take will obviously depend on what instance you're looking for.
The key thing is that it's all automated now - it'll find 4 other people (with correct roles - 1 tank, 1 healer, 3 DPS) and automatically group them together for what they're looking for.
By "try again" they mean "try teleporting to the instance again".
There's an icon in the lower left corner of the minimap that you can click to try teleporting to the dungeon again. No need to drop group and look again.
"'There's a rounding-error bug in the camera driver's autofocus routine (which uses a timestamp) that causes autofocus to behave poorly on a 24.5-day cycle,' said Morrill."
Cool! The device will later be fixed to properly behave poorly only every 24.45 days!
As a two-year veteran of FIRST, I can say it's a fun experience and interesting to watch. This year's contest doesn't seem that competitive though, it's a 4v0, so I don't get to destroy Texan robots... :(
Seriously. Don't have a cow.
It's an online multiplayer beta.
This.
And that shit be quantum. Is she eating it now? Is she eating it later? Until you actually open her mouth and look inside, she's doing both.
Schrodinger's Candy?
I was overjoyed to see a copy of Visual Studio running on Roy's monitor on an episode of The IT Crowd. He even uses the same color scheme I do!
That doesn't mean the developer or the framework was competent. Just that marketing was.
Paint.NET is far too usable to be compared to Gimp.
The "paws" icon is from Lemmings. I could imagine it being in other games too, though.
Only disaster could possibly occur when we do such a thing.
Haven't any of you learned anything from the movie, "Jurassic Pauroch?"
Please never spell "ludicrous" like that again.
Yes. Microsoft ripped off Virtual Console with XBLA so fast that it actually came out a year before the Wii.
Because we know how high quality FOX specials are. Next on FOX - "When Moon Missions Attack!"
Well, I haven't been able to find any boots that enable me to jump six feet in the air...