Monday 28 March 2011

Irony, thy name is SQL injection

As I clicked on my Slashdot bookmark, I for some reason said to my browser "Please give me something juicy" and it did not disappoint. It gave me this article. The sheer irony alone made me chuckle for 2-3 minutes. So, meine Damen und Herren, (I just had to throw a little German in there) let's talk about SQL injections. I promise this won't hurt (much)!


So, to understand a SQL injection, we need to understand SQL. To understand SQL, we need to know what a database is. And that's where we will start. This may be a bit roundabout, because, to be frank, I find databases to be a dull and boring topic. We start at the bottom, with data elements. Now a data element is a single piece of data about an entity, e.g. Name, Gender, Age, Favourite Star Wars Character and so on. A record is all the specific data elements about a specific entity, e.g. {Saqib A Kakvi, Male, 23, Yoda} would be a record about me. If we have several such records stored as rows, we get a table. If we have more tables (generally related) we now have a database. In summary: a database is a collection of tables, each of which is a collection of records, each of which is a set of data elements.

Agreed, it's all fine and dandy having all this data nicely stored, but how do we access specific parts of it? The answer is Structured Query Language, or SQL (sometimes pronounced 'sequel') for short. SQL is basically a language that allows us to get a section of a database based on some criteria, e.g. all the records of people who are over the age of 30. Although SQL gives you quite a lot of leeway, it is strongly typed, which means that all SQL statements must have a very specific form and syntax, with all the right symbols in all the right places.


And this brings us to SQL injection. A SQL injection exploits the strong typing of SQL and issues malformed statements which cause the SQL interpreter to go a little bit bonkers and produce some crazy result. By making very, for lack of a better phrase, well-formed malformed queries, an attacker can recover parts of (and even all of) the database. When implementing a database, one must ensure that any and all malformed queries are rejected, thus making SQL injections irrelevant.
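An added example (not part of the original post) using Python's built-in `sqlite3` module: it runs the same lookup once with the input pasted into the query text and once with the input bound as a parameter. The table, its rows and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data, modelled on the record example in the post.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE people (name TEXT, gender TEXT, age INTEGER, favourite TEXT)")
    db.executemany("INSERT INTO people VALUES (?, ?, ?, ?)", [
        ("Saqib A Kakvi", "Male", 23, "Yoda"),
        ("Alice Example", "Female", 34, "Leia"),
        ("Miles O'Brien", "Male", 52, "Chewbacca"),
    ])
    return db

def lookup_vulnerable(db, name):
    # The input is pasted into the statement text, so a quote character in it
    # ends the string literal and the rest is parsed as SQL.
    query = "SELECT name, age FROM people WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def lookup_parameterized(db, name):
    # The statement text is fixed; the input is bound as a value and is only
    # ever compared with the name column.
    query = "SELECT name, age FROM people WHERE name = ?"
    return db.execute(query, (name,)).fetchall()

def demo():
    db = make_db()
    crafted = "nobody' OR '1'='1"  # textbook input; still valid SQL once pasted in
    results = {
        "vulnerable_crafted": lookup_vulnerable(db, crafted),
        "parameterized_crafted": lookup_parameterized(db, crafted),
        "parameterized_apostrophe": lookup_parameterized(db, "Miles O'Brien"),
    }
    try:
        lookup_vulnerable(db, "Miles O'Brien")
        results["vulnerable_apostrophe"] = "ok"
    except sqlite3.OperationalError as exc:
        # An honest name with an apostrophe breaks the concatenated query.
        results["vulnerable_apostrophe"] = "error: " + str(exc)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

With concatenation, the crafted input returns every row and the legitimate name fails with a syntax error; with a bound parameter, the crafted input matches nothing and the legitimate name is found.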


MySQL is software that helps you implement, run and maintain a database (known as a Relational Database Management System, or RDBMS). The MySQL company seems to have forgotten about this vulnerability in a primary part of their system. As we have seen, MySQL (and apparently sun.com) have been so ironically compromised due to a SQL vulnerability. Well who would have thought it?


ME! ME! ME! Well, actually the thought had crossed my mind a few times and I thought it was funny, but sincerely hoped that it would never happen. Well done world, you continue to surprise me.

Sunday 27 March 2011

Location, Location, Location! What you don't know that they know!

Alrighty then folks, I have been away for about a month. Between my holiday, work and trying to write another post which I hope to publish some time soon, you have seen zero in terms of output from me. This is me correcting that. So, as I was browsing through the magical interwebz, I happened upon this article. This set off all kinds of crazy alarm bells in my mind. So, let's look at this issue in a bit more detail.

Historically, your mobile provider has always known where you are to some extent. With GSM (I believe there is a difference with CDMA, but I am not too familiar with it, so I will skip it) the service would know what the nearest base station to you was. With this information, they would know that you were in a certain area. The reason they need to know this is so that when you make a phone call, they know which base station to forward the authentication information to.

One little point to make here is that one can tell approximately how far you are from a base station based on signal strength. If you can find out the distance from several base stations, you can use a method called multilateration to calculate a more accurate location. The more distances you know, the more accurate the location is. This is how location-based services, such as Google Maps, work on a handset with no GPS.
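An added example (not part of the original post) of the multilateration step: given base-station positions and an estimated distance to each, it solves for the handset position by least squares. The station coordinates, the handset position and the range errors are constructed, and the distances are assumed to have already been derived from signal strength.

```python
import math

def multilaterate(stations, distances):
    """Least-squares (x, y) from three or more station positions and ranges."""
    if len(stations) < 3 or len(stations) != len(distances):
        raise ValueError("need at least three stations, one distance each")
    (x0, y0), d0 = stations[0], distances[0]
    # Subtracting station 0's circle equation from each other one cancels the
    # x^2 + y^2 terms, leaving a linear equation a*x + b*y = c per station.
    rows = []
    for (xi, yi), di in zip(stations[1:], distances[1:]):
        a, b = 2 * (xi - x0), 2 * (yi - y0)
        c = (xi**2 + yi**2 - di**2) - (x0**2 + y0**2 - d0**2)
        rows.append((a, b, c))
    # Solve the 2x2 normal equations of that (possibly overdetermined) system.
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("stations are collinear; position is ambiguous")
    return ((sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det)

def position_error(estimate, truth):
    # Straight-line distance between the estimate and the true position.
    return math.hypot(estimate[0] - truth[0], estimate[1] - truth[1])

# Constructed sample: four base stations on a 10 km square, handset at (3, 4).
STATIONS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0), (10.0, 10.0)]
TRUE_POSITION = (3.0, 4.0)
EXACT = [math.hypot(sx - 3.0, sy - 4.0) for sx, sy in STATIONS]
# Same ranges with a constructed +/-0.2 km error, as signal strength would give.
NOISY = [d + e for d, e in zip(EXACT, (0.2, -0.2, 0.2, -0.2))]

if __name__ == "__main__":
    for label, ranges in (("exact", EXACT), ("noisy", NOISY)):
        est = multilaterate(STATIONS, ranges)
        print(label, est, "error km:", round(position_error(est, TRUE_POSITION), 3))
```

Exact ranges recover the handset position; ranges that are each off by 0.2 km still place it within a few hundred metres, and stations that all lie on one line are rejected because the position cannot be resolved.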

Now, it would be very very very easy for a service provider to obtain the location of any customer and store it, but it may be ILLEGAL!!! Under the European Data Protection Directive (and analogous legislation in other countries) no company may collect any personal data about you without your explicit consent. Now we need to clear up two points (in the simplest case):
1) Is your location personal data?
2) Did the company have your consent?

So, let's start with point 1. The definition of personal data is as follows in Article 1 Clause 2 Sub-Clause a:

'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

I think we can safely say that a person's location and their movements would definitely qualify. So that's one point out of the way.

Next, we need to know if this information was collected legally. I'm going to go out on a limb and say probably. Most companies have you agree to a Terms of Service, which nobody ever reads. This is because it tends to be dozens of pages written in legal parlance. It's enough to make any sane non-lawyer cry tears of sheer anguish. We all sign our consent to it having read the summary and hope we haven't signed away one of our kidneys.

In this case, it's not really the end of the world if our cellphone provider knows where we are. The problem arises when they decide to share that data. In the Terms of Service it may say that they can share this information with certain 3rd parties for any reason. This means that marketing companies could potentially track your every move and learn a lot about your preferences. This could be a problem.

This is an example of why privacy experts complain bitterly about the loss of privacy in the digital age. And they have every right to: with things like this, less and less information is becoming private. However, their constant and sometimes annoyingly repetitive rants tend to fall on deaf ears. Unfortunately, some people release this information themselves using applications such as Foursquare. It's a classic taking-a-horse-to-the-river-and-the-horse-drowning-itself scenario.

Despite this, people such as Malte Spitz (link is in German) still have concerns about the privacy of their data. I would not recommend that anybody try and get their hands on what locational data they have, as it would probably not go down well. According to the article it took 6 months of legal wrangling for Herr Spitz to get this data. It would be at least as long for you.

Now to sum up I would say "Big Brother is watching you!" but that is trite and cliché. And frankly a tad more alarmist than I would like to be at dark-and-scary-o'clock in the morning. So, I will go with the slightly milder "Be careful what you share on the Internet!"