I didn't say "always", I said "most common", specifically in comparison to Sybase-backed ASP. Don't read into it more than what I said.
Remember that, not only does the language need to parse and run on the database server, the system tables used need to be the same too. Does PervasiveSQL have sysobjects and syscolumns tables? If not, the injected code won't work. I've never used PervasiveSQL, so I don't know that.
All I'm trying to say is that this particular attack is undoubtedly targeted at MS software, with Sybase possibly caught in the cross-fire, not that an extremely similar attack couldn't be done against Postgres, MySQL, or Oracle. Obviously they have the same vulnerability: bad application programmers. It's hard for the database makers to protect against stupid.
As I stated in another comment above, it's not really IIS that matters in this specific case -- it's the database backing. The injected code is written in Transact-SQL -- an SQL dialect specific to Sybase and MS SQL Server.
You're right -- the tone of the article is scoffing and trollish, but this particular attack is aimed specifically at Microsoft. I don't know if the T-SQL would work on Sybase or not, as the language features of T-SQL vary between the two databases.
The code looks fairly simple, though, so I'd assume that it would run on Sybase. Anyone who backs their web sites with Sybase should have a good hard look at their databases.
The way I wrote this comment was a bit overreaching w.r.t. the scarcity of Sybase-backed web sites. Please read with an inferred "by comparison to ASP + SQL Server".
Except for the fact that the injected SQL looks to be Transact-SQL, so this particular attack would only affect sites backed by Sybase or MS SQL Server. Of the two, ASP backed by SQL Server would by far be the most common. Sybase doesn't back many web sites. In my experience, I've only seen it in finance, and usually only for internal processing.
SQL injection, as you state, is a common problem, no matter the database backing.
So you're okay with the means, as long as it's justified by the ends? Careful there, because there's always collateral damage when people don't act in good faith.
If it's found that scientists pushed a scam on the scale of global warming solely to advance a political agenda or for money, power, whatever, the reputations of many individuals, companies, and scientists in general would be damaged for a long time. "If they lied about global warming, why wouldn't they lie about _____?"
The means can cause much more damage than the ends they're trying to meet -- no matter how noble those ends.
The ceremony isn't for you, it's to help your relatives and friends through the grieving process. You might not care about what happens to your body, but for your family, it's all of you they have left. If you've got no one who cares about you, then sure, feed your body to sharks. It doesn't really matter.
But if this CO2 is coming from plants that are alive today, isn't burning them releasing back into the air only what was recently sequestered by those same plants? In other words, no net increase in CO2?
Maybe, maybe not, but I know a lot of people living in NYC right now that don't drive at all but do produce a fairly large supply of garbage. Maybe they won't mind if I drive their garbage?
Who says it has genetic roots? I always just figured it was a learned behavior after being screwed more times than we care to remember.
The reason I like to see these bastards get nailed to the wall is that they're usually attacking people who were minding their own damn business and not looking for a fight to begin with. The victim usually is completely unprepared for the fight and has significantly fewer resources than the attacker.
If there's such a thing as a cooperative gene, then I'd say that it feels good because opportunistic sociopathic assholes are the antithesis of cooperation.
Whether it's the opposite of our genetic coding, or part of our desire to see the underdog win, I don't know, but I agree -- it sure feels good to see sleazeballs get their just deserts.
There actually was some hullaballoo about this a while ago. Whatever became of it, I don't know, but the GP isn't exactly making baseless remarks, or rather, their baseless remarks are at least based on other baseless remarks from a while ago:
Network World
C|Net
From what I can find, it seems like it was mostly just unsubstantiated paranoia. I'm no expert, but I did see a Holiday Inn Express commercial once.
I think that's what he meant when he said "(when just reporting the integer part of course)." People tend to think you're being overly anal retentive when you start quoting them decimal points in everyday conversation.
In other words, Fahrenheit gives you greater precision without making you sound like a dick. :-)
The Chinese more than anyone else shouldn't support pervasive MS Software simply because they've been using holes in that very same software to spy on everyone else. Why the hell would they want to roll out those known security flaws inside of their own government and corporations?
That's like saying "That's the best rat poison I've ever tasted!"
While you're at it, try "That's the cheapest yacht I've ever bought", or "This is the stablest version of Windows ever!"
Just because something is the *-est of its kind doesn't really mean I'd want it or be able to support it.
Yeah -- that's my bad. I had a misunderstanding of what was going on with it (see thread with toadlife above). It wasn't intentional -- I was just misinformed.
2014? Seriously? I thought it was much sooner than that. I know there was some hoopla about when they were going to EoL XP, but I didn't realize they'd extended it to 2014. My bad, I guess. Was it always that way, or did they extend it?
I just did that last weekend. So far, no complaints. I even gave her the 8.04 pre-release, since it was due out in like 12 days or so at the time, and it's a lot more polished than 7.10.
The only question I got was how to set up a printer and whether 64 updates in a day is "normal". I told her it'd taper off in the next few weeks, and had her printer set up in 5 minutes on the phone.
(I went into that in a little more detail in another post a few days ago.)
I explained to her exactly as you said -- these are your options. You can always put XP back if you want to get it from someone (not me -- I don't even have it to give), but I heartily recommend that you just learn Linux or buy a new computer with Vista pre-installed. XP is going to continue to get infected with viruses -- especially when MS ends the security patches in the near future.
Wifi for me works great -- never a second's trouble. Bluetooth has gotten better, but I still can't browse my Blackberry. I can detect it, exchange passkeys, and connect very easily through the GUI, but the OBEX still barfs.
Yeah -- that's what I meant by my second paragraph. The point is that I never had the thought it should now redirect to Slashdot.com now that it's commercial. I think .org is still perfectly appropriate, because its basic function is to serve as a community site -- an ORGanization of people -- rather than simply sales or marketing.
Along these lines, I just wonder what people think about online degrees? It seems like more and more colleges are offering distance ed online, and there are some universities that specialize in it.
When I was at a Big 10 about 8 years ago, they actually offered the better part of a few majors online. If I were to graduate online with a Big 10, would that lessen the value of the degree?
I frequently see derisive comments about DeVry or University of Phoenix on here, but the way I figure it is that any degree is better than no degree at all. This is especially pertinent to adult students who find it difficult to devote regular daytime hours to classroom attendance.
Where does the value really come from? How much of that value comes from actual physical classroom attendance?
It's actually to the point where I often wondered why they bothered installing women's bathrooms in the CS buildings. I figured it must be for when the moms visit on Parents' Day.
This is a good point, but I think the GP was more referring to the fact that good programmers, good *anything*, really, learn the vast majority of what they know outside of school. They're interested in their topics and are driven to experiment, learn more, and get better.
Obviously, any education is good education because it adds to your pool of experience. That's not to say that one experience isn't interchangeable for another. That's why 2/3 of the postings on Dice say "Bachelor's Degree or equivalent experience."
...Or communities, e.g. Slashdot.org -- a for-profit.
Arguably, Taco probably wasn't gunning for profit when he registered the domain, but I never saw anything inherently distasteful about slashdot.org (the name, anyway) being the web address of a for-profit business.
I think a lot of the community sites, even for-profit ones, would be more appropriately .org domains, except that they're more concerned about the knee-jerk ".com" people tend to put after everything.
One more convert today -- lady whose computer constantly had malware, very little memory in it, and much higher priorities than a new computer. She can't afford Vista, and XP has been overrun with malware within a month the last two times she's reinstalled.
I set her up with Ubuntu, made sure all the codecs and necessary software was installed, and she was off to the races. The only call I've gotten so far was to ask how to set up the printer. 5 minutes later, over the phone, she has a working printer and is once again a happy camper.
I've been using Linux for 11 years, and the fact that I can explain to a total Linux newb in 5 minutes over the phone how to configure a printer is nothing short of amazing. I'm old enough to remember when it took one hell of an effort to set up printers -- and it wasn't all that long ago.
I explained the situation: that her machine will not run Vista, and that XP will never cease to be overrun by malware -- especially when MS finally pulls the plug on security updates. She has the option to reinstall XP if she's really not comfortable with Ubuntu, but that it's probably in her interest to give it a real chance.
She's thrilled with the lack of malware, thinks the eye candy is spectacular (especially the fire close animation and the desktop cube), and is really enthused about the huge menu of free-beer software (she could care less whether it's free-speech).
I also made it a point to tell her that some things are still under development, and that there will be times that something doesn't quite work the way she'd expect. In those cases, there's usually a work-around, the software is constantly improving, and the upgrades are free.
I don't think I gave her any false expectations, and I think she's happy her old computer is not only young again and virus free, it even does cool eye candy that her friends' newer machines don't do.
Overall, a win for everyone, and probably a win for the community. The year of Linux on the Desktop had to have come already; if it hadn't, the odds of success here would be hugely against. As it is, I think she's going to like it.
Yeah -- we're all taller than you.
Indeed. Beyond that, there's the value-add (I can feel my hair getting pointy) that /.'ers know the BAD side of some of the software. All you're going to find on the web site is marketing. It's good to know the features, but sometimes knowing the downfalls is more important.