I shouldn't try to speak for someone else, but I think most people are concerned with the use of a taser in less dangerous scenarios.
It appears to be more common for police to zap someone for lesser offenses. There are numerous examples of cops using it where it was inappropriate and dangerous. Non-violent, but not-entirely-compliant people.
Now, too many think that this apparent trend is because the police are using the taser as an excuse to use excessive force. I disagree. I think they've been instructed (directly or otherwise) to use it in any situation where someone isn't perfectly compliant, but you clearly don't want to shoot them. One thing is clear, it's fast becoming the catch-all solution in between. Little potential injury for the officer, and the expectation that the suspect won't be permanently injured.
I think they're learning to do this because the Taser has a big non-lethal marketing aura around it. It's much easier to defend later if you can say, "I used my non-lethal alternative to subdue the suspect because..." than "I beat him with my baton because..." or "I shot him because...". It takes the decision making out of situations. You don't have to worry about justifying it if they were at all non-compliant, and you won't have to justify pulling your sidearm or breaking bones with a stick.
See, I don't mind writing everything by hand and doing it as cleanly and precisely as possible, since nowadays content is often inserted programmatically. I only have to do a few pages, the code makes it 100's... so I don't mind taking the time to do it exactly the way I want it. And really, doing it manually is the only way you're going to get EXACTLY what you want.
Before you go on a rant about how stupid a whole forum of users are, you should be able to demonstrate a reasonable understanding of the topic you're judging people on.
Defining an interface to something like a kernel is one thing, and often still allows for certain kinds of catastrophic failures. Imposing a somewhat drastic limitation on a programmer's data access "by default" (whatever that means) in a feeble, wasted attempt to reduce the likelihood that someone might do something dumb is another thing altogether. Crippling the capabilities of one library and enabling them elsewhere in the same framework would only serve to make a more obscure library the new "default", as you call it.
The combination of proper programming practices, security functions built into the database server and thorough documentation are the appropriate way to prevent stupid vulnerabilities like SQL injection. And let's be honest, it's a terribly silly thing to let happen in your code.
Microsoft has done the only things you could reasonably expect in the way of due diligence by frequently iterating best practices for data access. They've provided abstracted data access controls and binding techniques for people with typical data access requirements. They've even gone so far as to provide data access in larger options like the enterprise library. Anyone who uses unchecked, ad-hoc queries with sqlclient in their codebehind has simply gone out of their way to do something dumb.
All this aside, you've failed to recognize that many other popular web stacks (not just .Net on IIS with MSSQL) allow the same behavior. Consider that this capability might exist for a reason, and that the world may not be comprised entirely of morons who haven't thought things through.
That would be intentionally retarding the capabilities of the framework to protect us from ourselves, and we'd be pissed about it.
It would be like saying they should disallow file system access via System.IO because someone could exploit bad code to write to the server's filesystem.
Precisely. An idiot-proof framework is a useless framework.
If you're writing ad-hoc queries without special character checking, how can MS possibly save you from yourself? By removing the ability to perform queries without parameterization and by putting their own string-cleaning right in the sqlclient? Imagine how pissed the masses would be if they did that without a way around it.
It's a shame that I see this all the time. I frequently notice it when I use a special character in a form and get a stacktrace indicating a failed (and unhandled) insert/update... but I can't even begin to justify blaming Microsoft for that.
I hate to sound abusive about this, as I'd only consider myself a mediocre programmer to begin with, but this looks like it rests solely on the programmer who writes shit code.
It's good that you posted this. I was wondering how a SQL Injection attack could POSSIBLY be Microsoft or .Net related, unless there was some flaw in parameterized inserts in SQLClient, or some such.
Further, I don't know how this could be at all scriptable only for MS based sites. AFAIK, compounding statements by exploiting ad-hoc queries and lack of string cleaning is an issue that could pertain to any framework and DB vendor?
Does anyone know how this could be vendor specific??
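The posts above argue that injection comes from ad-hoc string-built queries rather than from the vendor, and that parameterization (not string-cleaning in the client) is the fix. The following is an added example, not code posted in this thread: it runs the same login lookup both ways against an in-memory SQLite table. SQLite and Python's sqlite3 module stand in for MSSQL and SqlClient (an assumption, since the thread names no code), the users table and inputs are constructed for the demo, and the stacked-statement case uses executescript to imitate a driver that accepts multi-statement batches.

```python
"""
Added example (not from the thread): ad-hoc concatenated query versus
bound parameters, showing the tautology bypass, the stray-apostrophe
syntax error the poster describes, and stacked ("compounded") statements.
The schema and rows below are constructed sample data.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a two-row users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_adhoc(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The codebehind string-concatenation pattern the thread complains about.
    The statement text is assembled from raw input, so input can change the
    structure of the query, not just its values."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same lookup with bound parameters: the driver ships the values
    separately from the statement, so quotes in the input are only data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def stacked_adhoc(conn: sqlite3.Connection, username: str) -> bool:
    """Concatenated text executed as a batch (executescript here, standing in
    for a driver that runs multi-statement batches). Returns whether the
    users table still exists afterwards."""
    sql = "SELECT COUNT(*) FROM users WHERE username = '" + username + "'"
    conn.executescript(sql)
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row[0] == 1


def demo() -> dict:
    conn = build_db()
    results = {}
    # A legitimate login works either way.
    results["adhoc_valid"] = login_adhoc(conn, "alice", "correct horse")
    results["param_valid"] = login_parameterized(conn, "alice", "correct horse")

    # Tautology in the password field. The ad-hoc query becomes
    #   ... AND password = '' OR '1'='1'
    # and matches every row; the parameterized query compares the literal text.
    tautology = "' OR '1'='1"
    results["adhoc_bypass"] = login_adhoc(conn, "alice", tautology)
    results["param_bypass"] = login_parameterized(conn, "alice", tautology)

    # The "special character in a form" case: a plain apostrophe in a name
    # breaks the ad-hoc statement (the unhandled error that surfaces as a
    # stack trace), while the bound parameter is simply a non-matching value.
    try:
        login_adhoc(conn, "o'brien", "x")
        results["adhoc_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["adhoc_apostrophe"] = "syntax error"
    results["param_apostrophe"] = (
        "ok" if login_parameterized(conn, "o'brien", "x") is False else "match"
    )
    return results


if __name__ == "__main__":
    print(demo())
    # Stacked statements need a fresh connection because the payload drops the table.
    print("table survives:", stacked_adhoc(build_db(), "alice"))
    print("table survives:", stacked_adhoc(build_db(), "x'; DROP TABLE users; --"))
```

Nothing here is specific to the database vendor: the parameterized version behaves the same way because the statement and the values travel separately, which is the point the last post makes about the problem pertaining to any framework and DB.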
I'd rather 1 innocent person had their Orkut info turned over to their Gov than let 100 pedo's get away with the things they do.
Now if we're talking about falsely imprisoning or god forbid executing 1 innocent person in our efforts to lock up 100 pedo's... the situation becomes unacceptable.
Maybe it would be a non-issue if I had a better idea of what the difference between suspicion and probable cause is, in Brazil.
I can't begin to count how many times I've seen people reprimanded for pointing a firearm in an unsafe direction.
However, I have never witnessed a person injured with one... intentionally or otherwise, ever, and I've been around firearms pretty regularly for about 30 years.
And finally, we have the 450:1 odds. Not 500:1, and certainly not 1000:1, but exactly 450. Cool. About as believable as my old homework excuses, but infinitely cooler. Can you say "significant figures"? I knew you could.
Nonsense. Everyone knows that for an asteroid on a collision course with Earth you call Bruce Willis. At least he has a drill, a nuke and a fatherly love for Liv Tyler. It's very different from the kind of love I have for Liv Tyler, and makes him do heroic things like blow up killer asteroids at his own peril.
All Harrison Ford has is a stupid whip. All that's good for is killing Nazis and stealing rocks from crazy people.
And if anyone says Chuck Norris, I'm gunna scream. You call him when someone steals your Mountain Dew.
3: Win Olympics?
Done.
Next prob?
Yeah, I read this story. Eventually the lion eats the people. ;)
Oh, you're going to hell for that.
I was thinking more something like this...
http://tinyurl.com/create.php
Every time I see that video I want to press the "Report a Problem" button next to it.
I think I'd want every last movement checked, approved, monitored, and then rechecked by an MD.
We're increasing our nuclear arsenal?
I guess the difficult part then is context.
Focus on securing the data with encryption and remote-wipe capabilities.
Then insure the assets... odds are you're never getting them back.
Sheesh... everyone's a lawyer nowadays. ;)
OEM license follows the machine. You're not supposed to do that. :)
You sir, are one weird duck. :)
I can speak to this, if only anecdotally.
Someone had to say it...
They would have had me if they had said 42:1.
I'm so sorry, I'll go away now.
Or of course you could just solve your office politics problems with strychnine.
I dunno dude... but I saw this movie already. Will Smith wins, and I think Gene Hackman helped. Someone should give them a call.
...and get sent to gitmo.