The Xbox One has been announced

Started by Lazybones, May 21, 2013, 12:02:09 PM


Mr. Analog

Random thought: Kinect is supposed to be able to scan text for product recognition right?

I wonder if it's vulnerable to SQL injection?

Will I be able to wear my ' DROP DATABASE -- t-shirt?
By Grabthar's Hammer

Lazybones

Quote from: Mr. Analog on June 14, 2013, 09:28:02 AM
Random thought: Kinect is supposed to be able to scan text for product recognition right?

I wonder if it's vulnerable to SQL injection?

Will I be able to wear my ' DROP DATABASE -- t-shirt?
http://xkcd.com/327/


Mr. Analog

By Grabthar's Hammer

Darren Dirt

Quote from: Lazybones on June 14, 2013, 10:04:52 AM
Quote from: Mr. Analog on June 14, 2013, 09:28:02 AM
Random thought: Kinect is supposed to be able to scan text for product recognition right?

I wonder if it's vulnerable to SQL injection?

Will I be able to wear my ' DROP DATABASE -- t-shirt?
http://xkcd.com/327/



I've always LOVED that last frame of that comic  ;D
_____________________

Strive for progress. Not perfection.
_____________________

Thorin

That would only work if they have any products that use SQL in them.

..

Can you imagine being the developer who has to add sql-injection-combatting code to your OCR code for a game console peripheral?  Wouldn't that feel ... weird?
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Mr. Analog

I can, that's why I mentioned it

It's one of those OH SNAP moments ;)
By Grabthar's Hammer

Lazybones

Quote from: Thorin on June 14, 2013, 10:19:31 AM
That would only work if they have any products that use SQL in them.

..

Can you imagine being the developer who has to add sql-injection-combatting code to your OCR code for a game console peripheral?  Wouldn't that feel ... weird?

Add sql-injection-combatting code? Shouldn't the code that calls the DB directly always ensure the content is escaped? I.e. never generate the SQL statement by string concatenation?

Mr. Analog

You'd think that, but some ORMs do it better (or lock it out better) than others

For example, I've seen code that was changing the grid column sort order: a string containing the column to sort was being passed to a SubSonic query, and it didn't take long for me to exploit it during testing. It's easy to review the code and reflect on how dumb it is to pass a column name as a string parameter in any situation, but I can tell you most people don't stop and think when they see a shortcut for an operation like this.

I also discovered that just because something is called a "data reader" doesn't mean it can't execute other statements. :)
By Grabthar's Hammer
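The two points made above (Lazybones: never build the statement by string concatenation; Mr. Analog: a sort column passed as a string is still injectable even through an ORM) in one small added example. This is not code from the thread or from SubSonic; it uses Python's standard sqlite3 module against a constructed in-memory table, so it runs offline. The value part of a WHERE clause can be bound as a parameter, but a column name in ORDER BY cannot, so that case is handled with an allow-list instead of a placeholder.

```python
import sqlite3

# Constructed demo table (hypothetical product catalogue, not any real database).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products(name, price) VALUES
            ('Kinect', 149.99), ('Controller', 59.99), ('Headset', 79.99);
    """)
    return conn


def find_by_name_unsafe(conn, name):
    # The "string concatenation" pattern from the thread: whatever text arrives
    # (say, from an OCR scan) becomes part of the statement itself.
    sql = f"SELECT name, price FROM products WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn, name):
    # Bound parameter: the driver sends the value separately from the SQL text,
    # so quotes in the input never change the statement's structure.
    sql = "SELECT name, price FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Identifiers (column names) cannot be bound with '?', which is exactly why the
# sort-order shortcut in the thread was exploitable. Map the caller's choice onto
# a fixed set of known column names and reject anything else.
ALLOWED_SORT_COLUMNS = {"id", "name", "price"}


def list_sorted(conn, column, descending=False):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    direction = "DESC" if descending else "ASC"
    # Safe only because 'column' was just checked against the allow-list.
    sql = f"SELECT name FROM products ORDER BY {column} {direction}"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"          # constructed test input, not a scanned label
    print("unsafe:", find_by_name_unsafe(db, tautology))   # leaks every row
    print("safe:  ", find_by_name_safe(db, tautology))     # no row has that literal name
    print("sorted:", list_sorted(db, "price"))
    try:
        list_sorted(db, "price; --")
    except ValueError as err:
        print("rejected:", err)
```

Note that sqlite3's execute() only runs one statement per call, which is why the demo uses a tautology rather than a stacked statement; that driver behaviour is an accident of the library, not a defence, and other drivers and ORMs happily run several statements from one string. The fix is the same in either case: bind values, allow-list identifiers, and do it in the layer that actually talks to the database.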

Thorin

Never ever assume another layer will do the work it's supposed to do, and realize that your layer will always be blamed if something slips through (even when it's not your layer's job).

Hell, I'm willing to bet most OCR code works in a single layer anyway.

There are a lot of hacks out there that don't care about proper code separation, they only care about "does it work for the customer who's screaming today" and "payday's on Friday".
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Mr. Analog

By Grabthar's Hammer

Lazybones

Yes, well, sadly I admit I have written bad code like that as well, and yes, layers that all take the issue seriously is also a good idea.

Melbosa

So looks like the Internet Reqs and Used Games stuff is being changed on the XBox One.  I figured M$ would crumble on those issues: http://ca.ign.com/articles/2013/06/19/microsoft-reversing-xbox-one-internet-used-game-policies.  Just waiting on official confirmation from Microsoft rather than rumour.
Sometimes I Think Before I Type... Sometimes!

Melbosa

And this is interesting as well if a little out of date based on the previous post: http://ca.ign.com/videos/2013/06/19/8-xbox-one-myths-debunked
Sometimes I Think Before I Type... Sometimes!

Mr. Analog

Quote from: Melbosa on June 19, 2013, 02:28:10 PM
So looks like the Internet Reqs and Used Games stuff is being changed on the XBox One.  I figured M$ would crumble on those issues: http://ca.ign.com/articles/2013/06/19/microsoft-reversing-xbox-one-internet-used-game-policies.  Just waiting on official confirmation from Microsoft rather than rumour.

I guess we'll see however Microsoft is not known for changing course, no matter how absurd the situation.

Quote from: Melbosa on June 19, 2013, 02:37:11 PM
And this is interesting as well if a little out of date based on the previous post: http://ca.ign.com/videos/2013/06/19/8-xbox-one-myths-debunked

Transcribing the video because it is grating and stupid:

Myth 1: Will only work in 21 states on launch: FALSE (will only work in 21 countries on launch)

Myth 2: Games at E3 were shown on PC. TRUE (strawman argument was that everyone else does it, second claim that what you see on PC is what you will see on launch is dubious at best)

Myth 3: If you get banned from XBox Live you won't be able to do anything. FALSE you can play single player but you won't be able to play online multiplayer

Myth 4: XBox Live Gold required. FALSE (Microsoft is trying to make it a requirement, 24 hour call home still required)

Myth 5: Kinect will record everything and send it to the NSA. FALSE (however the mic is always recording, though that can be disabled)

Myth 6: If your internet goes out for more than 24 hours you are screwed. FALSE (though the answer to this is to TETHER YOUR PHONE to your XBox so it can call home...)

Myth 7: Since installation to the hard drive is required I will have to wait to play my games. FALSE (installation can happen in the background while you play, the suggested alternative to queue digital download the night before is exceedingly stupid)

Myth 8: You can only share games with 10 family members. FALSE (only 10 PEOPLE, period, they don't have to be related to you but it is limited to 10)

IRONICALLY this raised more issues for me, really the only thing it addressed from this rather clever infographic (below) was the lending policy (up to 10 people can digitally borrow your games)



The funny thing so far is that Sony and Nintendo have basically done nothing different and are held up as examples of what gamers want, this is HOW BAD the Microsoft PR is.

If you can make Sony look good by comparison YOU ARE DOING IT WRONG.
By Grabthar's Hammer

Mr. Analog

Well, it's official:

http://news.xbox.com/2013/06/update

Kind of an obvious move, the damage has been done, and I'm kind of glad for it because I think average people have started taking a much harder look at what DRM really means not just for XBox but also PS4 and other systems.
By Grabthar's Hammer