Security: mass SQL injection hack

I’m starting a couple of new departments on the blog today. The first, the Security department, is going to be posts about computer security concepts and events as I attempt to educate myself about the field. I’m kicking off the department with this story about a mass SQL injection attack that recently hit more than 70,000 sites (via Slashdot). That’s a lot of compromised sites, but the really astonishing thing is the vector that was used to do it.

SQL injection—putting database command language into a system as user input or command parameters so that it is executed by the remote system’s database—isn’t a new attack vector. It’s been around since at least 2004, when it was used to deface the Dremel website. It’s also a fairly well understood attack—if you can explain a security vulnerability in a comic strip, you have something that developers should be able to figure out how to avoid.

So why are these vulnerabilities so widespread? One reason may be the ease of web development and its separation from more structured programming disciplines. It’s second nature to a well-educated developer to sanitize inputs; self-taught scripters (PHP, ASP, whatever) may not have been exposed to the importance of this principle.
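To make the principle concrete, here is an added example (not from the original post or the Slashdot story) showing the two ways a lookup can be built: the concatenated query that the mass hack exploited, and the same query with a bound parameter, which is the fix that the “sanitize inputs” advice is really reaching for. The user table and the three probe inputs are constructed for the demonstration; it uses Python’s built-in sqlite3 so it runs offline.

```python
import sqlite3

def make_db():
    """Constructed sample data: a throwaway in-memory table of three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn, name):
    """The pattern behind the mass hack: the query text is assembled by string
    concatenation, so whatever the user typed is parsed as SQL, not as a value.
    A stray quote either breaks the statement or rewrites its WHERE clause."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    """Same query with a bound parameter: the driver hands the input to the
    database as data, so quote characters in it cannot change the statement."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def compare(name):
    """Run both versions on one input and report what each returned (or raised)."""
    conn = make_db()
    try:
        vulnerable = lookup_vulnerable(conn, name)
    except sqlite3.OperationalError as exc:
        # Legitimate input containing a quote (O'Brien) is enough to break the
        # concatenated query; the parameterized one just finds no such user.
        vulnerable = "error: " + str(exc)
    return {"vulnerable": vulnerable, "safe": lookup_safe(conn, name)}

if __name__ == "__main__":
    # Three constructed probes: a normal name, a name with an apostrophe, and
    # the textbook tautology that turns a one-row lookup into a full table dump.
    for probe in ["alice", "O'Brien", "x' OR 'a'='a"]:
        print(repr(probe), "->", compare(probe))
```

The parameterized version returns the same single row for “alice” and an empty result for anything that is not a real name, which is exactly the behaviour the concatenated version fails to guarantee.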

Virginiana, Wikipediana

I’ve been expanding my Wikipedia footprint over the past few months. Starting on the Virginia Glee Club page, my contributions now span articles on a few University presidents, the Raven Society, the Virginia Gentlemen, and even the Seven Society. Yes, editing articles on Wikipedia is a gateway drug.

So I made it formal the other day and joined the WikiProject University of Virginia. I don’t know exactly what that means but I suspect I’ll find out soon enough.

I’d welcome help from other University alumni or interested parties regarding any of these topics. For instance, there is damned little about the VGs online to use as reference material for discussion of this 50+-year-old a cappella group, and I know they’re more notable than the Hullabahoos, who have a kick-ass article.

New mix: coverflow

coverflow.jpg

The only mix that I’ve ever done that started as a visual pun, coverflow contains a set of covers that hit some familiar ground and some unfamiliar items as well. It’s hard to do these right; my previous effort suffered from some lo-fi recordings and the same is true here. But there’s some fun stuff here. Particularly fun was sorting through the long hidden track at the end of Justin Rosolino’s first self-published album to call out a few items that I feel are totally what covers are about.

Usual Suspects™: you’ll get this mix along with days that you choose to ignore.

Iowa ♥s Huckabee

According to the AP, Mike Huckabee, Baptist preacher cum politician, is in the lead in Iowa. And I’m pretty sure I won’t be the first to use that headline, but I might edge out the AP by a few hours with it.

Will Huckabee do well nationally, what with his “shut down the IRS, usage tax, theocracy” platform? I hope not, but then, I thought Bush Jr. would fail nationally too. I can’t see him doing especially well in New Hampshire, though. But I’m nothing but thrilled to see him bloodying Mitt Romney’s nose.

And how about Barack Obama? Rarely has a candidate done so well on a promise to do things differently.

Aw crap.

At the half, I said to my wife, “Well, we’re up, but we could always blow it in the second half like we always do.” I should have kept my mouth shut.

It was still a fun game to watch, at least until Jameel Sewell went out with an injury in the fourth quarter. Then it got sloppy fast. But still, I have to remind myself from the perspective of one glass of wine, at least we were in a bowl game, and not one of the low-rent ones either. It was a nice end to a season that had its ups and downs.

Happy New Year

I have a bellyful of lentils and zampone, and I’m watching Virginia in the Gator Bowl. So far, a pretty good start to 2008. It’s snowing again, of course, but you can’t have everything.

I downloaded Dave Winer’s new FlickrFan yesterday, which is worth a look if you are a Mac user—a quick and easy way to put other people’s photos on your screensaver, and, as Dave says, particularly good for putting content on your HDTV. I don’t currently have a Mac hooked up to our 32″ LCD, so right now it’s driving my screensaver. I think the biggest stroke of genius in the thing is the default inclusion of the AP Photos RSS feed—absolutely brilliant to see totally world-class photos of events almost as they happen.

New mix: “days that you choose to ignore”

Here’s one for the end of 2007: days that you choose to ignore, now posted at Art of the Mix (AOTM Mix ID 116837). I’m particularly proud of the first three or five transitions on this one; afterwards it gets a bit choppy.

Copies en route shortly to the usual suspects; contact me using the link below (on the site, if you’re reading this in a feedreader) if you want to be a usual suspect or haven’t been getting copies of my mixes already. Artwork also forthcoming…

End of an era

frank susi in national geographic

I knew we hadn’t been back in the North End very often, but what really brought it home was calling the phone number at our butcher and finding that it was no longer in service. A quick Google search confirmed the worst: Frank Susi, owner of the Abruzzese Meat Market on Salem Street, had to retire earlier this year and the shop is now closed.

To say this is culinary devastation would be an understatement. As this blog testifies, sausages and pancetta from Frank’s store were major ingredients in our lives for many years. On at least one occasion, I flew the pancetta back to Seattle with me when we were living there. And there will be no fresh cotechino for New Year’s this year.

At least I’ve learned that Frank’s legacy lives on, literally, in his son, Anthony, who runs Sage (which has apparently moved to the South End). Who knew?

The bonus pic is from National Geographic’s “zip code” visit a few years back to the North End, and captures Frank as I remember him: jovial, and with a very sharp knife in one hand and fresh meat in the other.