martins writes "The website of popular magazine BusinessWeek has been attacked via SQL injection in an attempt to infect its readership with malware. Hundreds of pages in a section of BusinessWeek's website which offers information about where MBA students might find future employers have been affected."
Sophos informed BusinessWeek of the infection last week, although at the time of writing the hackers' scripts are still present and active on their site.
It's bad enough to have an insecure site, but to ignore the break-in for a week or more is just unconscionable.
I never understood how SQL injection happened on major sites until it happened to someone I know. (wow that sounded like a bad plug for some unknown disease... anyway...) Initially he absolutely refused to believe that it was SQL injection because, "His application wasn't vulnerable to that!". Finally, in the face of overwhelming truth it dawned on him that it was... so what happened? Oh, the database got cleaned up from a back up... but no code was changed. Then they did it again a short while later and he
Actually I've been wondering about these injection attacks, I use positional bindings, everything run from stored procedures and using dedicated users - not super users; so its pretty much impossible to inject anything harmful to my system via. SQL - however, that does not guarantee anything for the users.
Are these attacks the old type with;-- (escaping the query) or are they just code embedded through postings, i.g. forums/discussions from poorly escaped input / code injection through get requests?
They just don't teach anything about security in schools. We interviewed an intern candidate this spring and asked her how one would avoid a SQL injection attack.
Her response: "Don't use Microsoft products."
Swing and a miss!
The candidate's sample code had a big 'ol SQL injection vulnerability. Yet the instructor raved over his project.
SQL Server allows multiple commands to be parsed and executed on a single call, separated by a semicolon. Thus something like Robert''; drop table students; -- works
Oracle (while it has plenty of security vulnerabilities of its own), only allows one command to be executed. So if it is a query, a query is all you can do. True, if the developer is really stupid, you can do things like query DBA_USERS, but you are not going to be able to insert virus code or drop tables.
It's a site for MBAs - they were waiting for the "technical guys" to fix it. First techie to raise the issue gets fired as a scapegoat, second one has to fix it.
Hundreds of pages in a section of BusinessWeek's website which offers information about where MBA students might find future employers have been affected."
A replicant virus. Is it a virus or a replicant? Will it need retiring? If the website hosted a picture of a turtle on its back, will it rotate the picture 180 degrees? Will we know if it's a replicant virus or a real virus by the end of the article?
by Anonymous Coward
on Monday September 15 2008, @08:40AM (#25009117)
HAI!
Just a friendly reminder - your Database Admin will be more than happy to set up multiple users for you with different permissions. For instance, a user with "write" privileges that can be used by the website backend page that the editors use, and a user with "read only" permissions that the public facing web server(s) will use when presenting the page to the public.
This is a very good point. Except that phpMyAdmin makes it really easy to set up a new database with a single user who has all rights, and the same name as the DB.
So what I tend to do (and I do admit that I am a lazy SOB), is just create a new DB and user for every app.
However, your idea is much better, and it would be nice if phpMyAdmin had such a feature... (Not that I'm about to code it in, on account of my being busy with other things, and never having even looked at the phpMyAdmin code beyond what is needed to install it.)
However, an even better thing to do (then just create a read-only user), is to escape shit before you query the DB... PHP and MySQL have this nifty function mysql_real_escape_string [php.net] which will do that for you. It is better then using the general escape functions in PHP, for reasons that I read just recently. Basically, it takes into account the character encoding for the DB... http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string [shiflett.org]
Multiple DB users, proper escaping, you know it's not actually an either-or situation. If the only way you know to set up a database is through phpMyAdmin, then you need help reading the manual.
However, an even better thing to do (then just create a read-only user), is to escape shit before you query the DB... PHP and MySQL have this nifty function mysql_real_escape_string [php.net] which will do that for you. It is better then using the general escape functions in PHP, for reasons that I read just recently. Basically, it takes into account the character encoding for the DB... http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string [shiflett.org]
The string escaping culture is really sticky, too. Its almost like hungarian notation, but worse. People tend to get insulted if you mention that you need to use prepared statements. Then when you explain it, they tend to insist that nothing can get through string escaping, that its perfectly fine, and sometimes they make excuses for it being better.
Then the only way to convince some people is to point out the performance issues (prepared statements result in cached query plans in many RDBMS, giving perform
The fact that "mysql_real_escape_string" or whatever exists is an example of that: String escaping relies on string manipulation tricks to make things "secure". On top of being potentially vulnerable to any problem in the server (which obviously cannot be gotten around of), it is also vulnerable to anything on the language side: for example, a string vulnerability would also make your queries vulnerable. Two attack vectors.
Its a workaround, a cheat, a hack. A prepared statement is handled by the driver and/
However, an even better thing to do (then just create a read-only user), is to escape shit before you query
Or use a parameterized query like select * from users where username = @username INSTEAD OF "select * from users where " + unfiltered_string where the the unfiltered string is taken straight from an input on the public website, spliced into a string literal query, and then passed on to the database. Of course, filtering is still advisable too in any case but really, there is no better way to announce to the world that an operation is amateur night (i.e. we just read "Teach Yourself PHP in 10 Minutes" before
phpMyAdmin already has this feature. Except in shared hosting environments, where each sites admin has permissions to read/write but not create. If they are in that situation, they can still ask their host to add another user to their dbase with the required permissions.
TFA: "the code injected into BusinessWeek's website points to a Russian website that is currently down and not delivering further malicious code."
Seriously? Why is it that these people always point to their site? wouldn't you figure that, with a bit of injection, they could put the damn thing in the database? It's never made any sense to me. Anyone have any insights?
Also, they always waste these opportunities to give replace real headlines with those from the Onion... if they're going to do something malicious, they should at least do it with style...
If you're going to do something malicious for profit you should make it look like nothing ever happened. While swapping the headlines would be funny it would definitely lessen the amount of time the flaw went unnoticed.
Seriously? Why is it that these people always point to their site? wouldn't you figure that, with a bit of injection, they could put the damn thing in the database? It's never made any sense to me. Anyone have any insights?
Inject a database to gain access
Insert barebones code to bootstrap from an updateable external source
Patch the database so no one else can remotely take over your newly pwned database
In short, it's because the people who do this want to make money and insure that they can update the mali
Hundreds of pages in a section of BusinessWeek's website which offers information about where MBA students might find future employers have been affected
I suppose McDonald's is going to have to rely on employing just the liberal arts majors for now.
You made me snort my coffee... but it is so true. The other problem is that MBAs are very unlikely to know how to fix their machines once they are fscked up. In every place I worked, most viruses were spread by the top brass.
I can't believe in this day and age something as lame as sql injection is still happening, especially to large company websites. Anyone using inline SQL should be taken out back and ridiculed until they cry. If your developers are mindless enough not to validiate user input then at least use stored procedures.
You haven't seen the modern MBA have you. Almost half of the MBA students have Computer Science Degrees and have been working professional for at least 5 years. Many of them while good at what they do, wants to further their career so go for an MBA so they be considered qualified for promotion. Not every one wants to be a basic programmer for the rest of their life, they much rather have influence in the process and the design and less time doing the drudge work.
Not every one wants to be a basic programmer for the rest of their life
Pretty much all of the *GOOD* programmers *DO* want to program for the rest of their lives (while I wouldn't say "basic programmer"....most want to be Dev Lead / Architect type of coders, but coders none the less). And being Dev Lead / Architect is not the type of position that goes to the MBA grads.....MBAs are for people who want to go into Management / Project Management.
I've been in the industry since 1994 and am one of the top database developers in my company. And I don't see myself as being a manager any time soon. I enjoy programming too much. [This is in a large corporation where a manager is not a technical manager; small companies where "Dev Lead" equates to manager might be a different situation.]
To be a good Architect you often need a strong business knowledge. Yea Yea You know how to program you so smart (being that I learned to program at 6 years old) it doesn't take a genius to program. But in reality being able to be a good programmer doesn't mean you can design or create solutions that solve real business problems. I have been in the industry for a long time too. Working as a consulting I was actually the top database developer for multiple companies, including many fortune 500 companies. However I found that creating the code is a piece of cake, however the hard part is trying to understand the business process, then filtering out what is needed and not for the code to run successfully without having to run extra work, as well understand what is happening so in a case the software fails (or hardware) you can come up with a quick workaround solution for the employees until you can get a working version. Business knowledge is a key area. If you are working in a business environment getting Masters in computer science wouldn't be as useful as getting an MBA.
I've had knowledge of the business process since I was 4 and said knowledge has expanded massively over the years. I was programming using assembly language before I started school. I have created many well known software titles from nothing and many companies rely on these titles. I've cracked any encryption thrown at me and managed to recover files from a hard drive that had been zeroed out. I'm worth 124 billion dollars and Presidents have asked me for advice on many occasions (unfortunately not recentl
no to be a good architect you have to have DOMAIN knowledge, not business knowledge. You don't have to know how to turn a profit or what an ROI is. You have to have technical knowledge of the requirements and the varied means which you could possibly implement a solution with.
the masters in CS probably wouldnt be needed because these "business environments" you speak of never tend to do anything cutting edge in terms of the things that you do in getting a masters in CS; further research into Computer Scien
Depends. Alan Cox is a top-class programmer who got an MBA because there was this whole other world that intersected with what he did that he didn't understand.
I'd be really curious to know what he thought of it afterwards, and whether having an MBA really helped him understand this other world. I get the distinct impression that an MBA is the business-world equivalent of an MSCE: it gives you some basic knowledge and impresses the clueless but isn't really very useful.
Many of them while good at what they do, wants to further their career so go for an MBA so they be considered qualified for promotion.
To nitpick:
That depends on your company and their policies. Therefore ask HR. I did once to see what they'd do for me. The answer was that I'd get a $3,000 raise for having a graduate degree. I asked for clarification regarding why she put that way; "You mean, I would get the raise regardless of what masters degree I received?"
"Yes. Of course your manager has to approve it."
Another thing to clarify, and I've found this out the hard expensive way: getting an MBA does NOT automatically give you a ticket into management. Here's what I was told by several folks: You need management experience for an MBA to mean something. Without the experience, the MBA is worthless. So now, I'm a coder with an MBA - it's not doing me any good. And like a stupid SOB, I paid for it with student loans. I did it when I was out of work thinking that it would get me a management job. Schools are so quick to tell you that their MBA will further your career. BS! Experience matters more than the degree - and networking (i.e. It's who you know.)
So here's what I would do differently, get into management, see if my company requires an MBA for my position, get them to pay for it, bust my ass in night school, some profit! But if they don't require it, I don't see the point in getting one.
And there's going to be a HUGE glut of MBAs. With this down economy, MBA enrollments have gone through the roof. Which means, in two years, the already huge glut of MBAs is going to get bigger.
to disparage education. It's just that the days of getting more education to advance in your career, at least in corporate America, are gone. All you need are the basics; which usually is a BS in your field. It's who you know. And even then, if thy're snobs who don't associate with "your kind of people" it doesn't matter either. We're rapidly becoming a downwardly mobile society.
You can get by with the basics. You always could. However having a piece of paper to show that you have the possibly to do it, hedges your bets. Getting an MBA doesn't automatically put you into the C Table. But what it does is show ambition and most companies will see that and put you on that track.
I did 4 years of CS only to spend most of 4th year playing CS, mudding and having a long distance relationship with someone in a different timezone (meaning I only did about 25% of my project, which I could have swapped for a more interesting robotics/AI project, but I didn't think the one student who was assigned to the professor I wanted to study with would swap because the project was so awesome - then he swapped with someone else).
Yeah, she eventually moved over here for a few months but then it all ended pretty badly. I'll probably end up repeating the cycle of computer games, online forums, meeting a random person who somehow convinces herself she loves me while apparently the whole time just deluding herself that she's not in fact an asexual freak who wants to spend the rest of her life living alone writing books that she doesn't care if anyone else reason, in a mountain cabin. Resulting in me getting horribly burned. Yes, that wo
No, I just have to spend time around them occasionally since my field happens to be very useful in finance and business. You can tell, because when you enter the business-popular classes (time series; baby stochastic analysis; &c.) the first thing that hits you is a wave of cheap cologne covering the stench of desperation.
Just a quick question: why, exactly, do MBAs need to know calculus?
Please, I'm not following.
"In the fall of 1972 President Nixon announced that the rate of increase of inflation was decreasing. This was the first time a sitting president used the third derivative [daviddarling.info] to advance his case for reelection."
http://www.daviddarling.info/encyclopedia/D/derivative.html [daviddarling.info]
Malic or incompetence? (Score:5, Insightful)
Sophos informed BusinessWeek of the infection last week, although at the time of writing the hackers' scripts are still present and active on their site.
It's bad enough to have an insecure site, but to ignore the break-in for a week or more is just unconscionable.
Re: (Score:3, Interesting)
Re: (Score:2)
Actually I've been wondering about these injection attacks, I use positional bindings, everything run from stored procedures and using dedicated users - not super users; so its pretty much impossible to inject anything harmful to my system via. SQL - however, that does not guarantee anything for the users.
Are these attacks the old type with ;-- (escaping the query) or are they just code embedded through postings, i.g. forums/discussions from poorly escaped input / code injection through get requests?
Re:Malic or incompetence? (Score:5, Interesting)
They just don't teach anything about security in schools. We interviewed an intern candidate this spring and asked her how one would avoid a SQL injection attack.
Her response: "Don't use Microsoft products."
Swing and a miss!
The candidate's sample code had a big 'ol SQL injection vulnerability. Yet the instructor raved over his project.
Parent
Re: (Score:3, Informative)
In one important way, she is right:
SQL Server allows multiple commands to be parsed and executed on a single call, separated by a semicolon. Thus something like Robert''; drop table students; -- works
Oracle (while it has plenty of security vulnerabilities of its own), only allows one command to be executed. So if it is a query, a query is all you can do. True, if the developer is really stupid, you can do things like query DBA_USERS, but you are not going to be able to insert virus code or drop tables.
If
Re: (Score:3, Funny)
It's a site for MBAs - they were waiting for the "technical guys" to fix it. First techie to raise the issue gets fired as a scapegoat, second one has to fix it.
Hmm (Score:5, Funny)
Re:Hmm (Score:5, Funny)
So no great loss to society then.
Parent
Re: (Score:2)
What no bail out? Can't we just print more money?
Pity on the future MBAs (Score:4, Funny)
Ah-well, only kidding ;)
That's frightening (Score:4, Funny)
A replicant virus. Is it a virus or a replicant? Will it need retiring? If the website hosted a picture of a turtle on its back, will it rotate the picture 180 degrees? Will we know if it's a replicant virus or a real virus by the end of the article?
ATTENTION WEB DEVELOPERS (Score:5, Insightful)
HAI!
Just a friendly reminder - your Database Admin will be more than happy to set up multiple users for you with different permissions. For instance, a user with "write" privileges that can be used by the website backend page that the editors use, and a user with "read only" permissions that the public facing web server(s) will use when presenting the page to the public.
That is all.
Re:ATTENTION WEB DEVELOPERS (Score:5, Informative)
This is a very good point. Except that phpMyAdmin makes it really easy to set up a new database with a single user who has all rights, and the same name as the DB.
So what I tend to do (and I do admit that I am a lazy SOB), is just create a new DB and user for every app.
However, your idea is much better, and it would be nice if phpMyAdmin had such a feature... (Not that I'm about to code it in, on account of my being busy with other things, and never having even looked at the phpMyAdmin code beyond what is needed to install it.)
However, an even better thing to do (then just create a read-only user), is to escape shit before you query the DB... PHP and MySQL have this nifty function mysql_real_escape_string [php.net] which will do that for you. It is better then using the general escape functions in PHP, for reasons that I read just recently. Basically, it takes into account the character encoding for the DB... http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string [shiflett.org]
Parent
Re: (Score:3, Insightful)
Multiple DB users, proper escaping, you know it's not actually an either-or situation. If the only way you know to set up a database is through phpMyAdmin, then you need help reading the manual.
Re: (Score:2, Informative)
However, your idea is much better, and it would be nice if phpMyAdmin had such a feature
Um, it does. Click on 'Privileges' and then 'Add a new user'. You're looking for 'database-specific priveleges.'
Re: (Score:2)
Please repeat after me: String escaping is th
Re: (Score:2)
The string escaping culture is really sticky, too. Its almost like hungarian notation, but worse. People tend to get insulted if you mention that you need to use prepared statements. Then when you explain it, they tend to insist that nothing can get through string escaping, that its perfectly fine, and sometimes they make excuses for it being better.
Then the only way to convince some people is to point out the performance issues (prepared statements result in cached query plans in many RDBMS, giving perform
Re: (Score:2)
I'm curious, why is string escaping depreciated? The Wikipedia article doesn't make it clear.
Re: (Score:3, Interesting)
The fact that "mysql_real_escape_string" or whatever exists is an example of that: String escaping relies on string manipulation tricks to make things "secure". On top of being potentially vulnerable to any problem in the server (which obviously cannot be gotten around of), it is also vulnerable to anything on the language side: for example, a string vulnerability would also make your queries vulnerable. Two attack vectors.
Its a workaround, a cheat, a hack. A prepared statement is handled by the driver and/
Re: (Score:3, Informative)
VBA can have paramterized query. The old ADO supports them just fine...
Re: (Score:2)
However, an even better thing to do (then just create a read-only user), is to escape shit before you query
Or use a parameterized query like select * from users where username = @username INSTEAD OF "select * from users where " + unfiltered_string where the the unfiltered string is taken straight from an input on the public website, spliced into a string literal query, and then passed on to the database. Of course, filtering is still advisable too in any case but really, there is no better way to announce to the world that an operation is amateur night (i.e. we just read "Teach Yourself PHP in 10 Minutes" before
Re: (Score:2)
If they are in that situation, they can still ask their host to add another user to their dbase with the required permissions.
Bobby Tables is at it again... (Score:5, Funny)
Bobby Tables is at it again...
Re:Bobby Tables is at it again (obligatory link) (Score:5, Informative)
http://xkcd.com/327/ [xkcd.com]
Parent
' UNION UPDATE `users` SET karma='godlike';-- (Score:4, Interesting)
Seriously? Why is it that these people always point to their site? wouldn't you figure that, with a bit of injection, they could put the damn thing in the database? It's never made any sense to me. Anyone have any insights?
Also, they always waste these opportunities to give replace real headlines with those from the Onion... if they're going to do something malicious, they should at least do it with style...
Re: (Score:2, Insightful)
Re: (Score:2, Insightful)
In short, it's because the people who do this want to make money and insure that they can update the mali
more economic woes (Score:5, Funny)
I suppose McDonald's is going to have to rely on employing just the liberal arts majors for now.
Re: (Score:3, Insightful)
SQL Injection? At this hour? (Score:2, Insightful)
Re:MBA students, appropriate. (Score:4, Interesting)
You haven't seen the modern MBA have you. Almost half of the MBA students have Computer Science Degrees and have been working professional for at least 5 years. Many of them while good at what they do, wants to further their career so go for an MBA so they be considered qualified for promotion. Not every one wants to be a basic programmer for the rest of their life, they much rather have influence in the process and the design and less time doing the drudge work.
Parent
Re:MBA students, appropriate. (Score:4, Interesting)
Many of them while good at what they do
Not every one wants to be a basic programmer for the rest of their life
Pretty much all of the *GOOD* programmers *DO* want to program for the rest of their lives (while I wouldn't say "basic programmer"....most want to be Dev Lead / Architect type of coders, but coders none the less). And being Dev Lead / Architect is not the type of position that goes to the MBA grads.....MBAs are for people who want to go into Management / Project Management.
I've been in the industry since 1994 and am one of the top database developers in my company. And I don't see myself as being a manager any time soon. I enjoy programming too much. [This is in a large corporation where a manager is not a technical manager; small companies where "Dev Lead" equates to manager might be a different situation.]
Layne
Parent
Re:MBA students, appropriate. (Score:5, Insightful)
To be a good Architect you often need a strong business knowledge. Yea Yea You know how to program you so smart (being that I learned to program at 6 years old) it doesn't take a genius to program. But in reality being able to be a good programmer doesn't mean you can design or create solutions that solve real business problems. I have been in the industry for a long time too. Working as a consulting I was actually the top database developer for multiple companies, including many fortune 500 companies. However I found that creating the code is a piece of cake, however the hard part is trying to understand the business process, then filtering out what is needed and not for the code to run successfully without having to run extra work, as well understand what is happening so in a case the software fails (or hardware) you can come up with a quick workaround solution for the employees until you can get a working version. Business knowledge is a key area. If you are working in a business environment getting Masters in computer science wouldn't be as useful as getting an MBA.
Parent
Re: (Score:2, Funny)
Re: (Score:3, Funny)
You sound like "The Most Interesting Man in the World": http://www.brentter.com/dos-equis-most-interesting-man/ [brentter.com]
Do you drink Dos Equis???
Layne
Re: (Score:3, Interesting)
no to be a good architect you have to have DOMAIN knowledge, not business knowledge. You don't have to know how to turn a profit or what an ROI is. You have to have technical knowledge of the requirements and the varied means which you could possibly implement a solution with.
the masters in CS probably wouldnt be needed because these "business environments" you speak of never tend to do anything cutting edge in terms of the things that you do in getting a masters in CS; further research into Computer Scien
Re:MBA students, appropriate. (Score:5, Informative)
Depends. Alan Cox is a top-class programmer who got an MBA because there was this whole other world that intersected with what he did that he didn't understand.
Parent
Re:MBA students, appropriate. (Score:4, Interesting)
I'd be really curious to know what he thought of it afterwards, and whether having an MBA really helped him understand this other world. I get the distinct impression that an MBA is the business-world equivalent of an MSCE: it gives you some basic knowledge and impresses the clueless but isn't really very useful.
Parent
Nit pick time. (Score:5, Informative)
Many of them while good at what they do, wants to further their career so go for an MBA so they be considered qualified for promotion.
To nitpick:
That depends on your company and their policies. Therefore ask HR. I did once to see what they'd do for me. The answer was that I'd get a $3,000 raise for having a graduate degree. I asked for clarification regarding why she put that way; "You mean, I would get the raise regardless of what masters degree I received?"
"Yes. Of course your manager has to approve it."
Another thing to clarify, and I've found this out the hard expensive way: getting an MBA does NOT automatically give you a ticket into management. Here's what I was told by several folks: You need management experience for an MBA to mean something. Without the experience, the MBA is worthless. So now, I'm a coder with an MBA - it's not doing me any good. And like a stupid SOB, I paid for it with student loans. I did it when I was out of work thinking that it would get me a management job. Schools are so quick to tell you that their MBA will further your career. BS! Experience matters more than the degree - and networking (i.e. It's who you know.)
So here's what I would do differently, get into management, see if my company requires an MBA for my position, get them to pay for it, bust my ass in night school, some profit! But if they don't require it, I don't see the point in getting one.
And there's going to be a HUGE glut of MBAs. With this down economy, MBA enrollments have gone through the roof. Which means, in two years, the already huge glut of MBAs is going to get bigger.
Parent
AND I don't mean ... (Score:5, Insightful)
I'm just ... look at my user name...
Parent
Re: (Score:2)
You can get by with the basics. You always could. However having a piece of paper to show that you have the possibly to do it, hedges your bets. Getting an MBA doesn't automatically put you into the C Table. But what it does is show ambition and most companies will see that and put you on that track.
Re:Nit pick time. (Score:4, Funny)
Look on the bright side; it was only 2 years of student loans, I had to do 3 years of law school to be in the same situation.
Parent
Re: (Score:2)
I did 4 years of CS only to spend most of 4th year playing CS, mudding and having a long distance relationship with someone in a different timezone (meaning I only did about 25% of my project, which I could have swapped for a more interesting robotics/AI project, but I didn't think the one student who was assigned to the professor I wanted to study with would swap because the project was so awesome - then he swapped with someone else).
Re: (Score:2, Funny)
Wow, you were in CS but had a relationship? You're already beating the curve there.
Re: (Score:2)
Yeah, she eventually moved over here for a few months but then it all ended pretty badly. I'll probably end up repeating the cycle of computer games, online forums, meeting a random person who somehow convinces herself she loves me while apparently the whole time just deluding herself that she's not in fact an asexual freak who wants to spend the rest of her life living alone writing books that she doesn't care if anyone else reason, in a mountain cabin. Resulting in me getting horribly burned. Yes, that wo
Re:MBA students, appropriate. (Score:4, Funny)
No, I just have to spend time around them occasionally since my field happens to be very useful in finance and business. You can tell, because when you enter the business-popular classes (time series; baby stochastic analysis; &c.) the first thing that hits you is a wave of cheap cologne covering the stench of desperation.
Parent
Re: (Score:2)
Just a quick question: why, exactly, do MBAs need to know calculus?
Please, I'm not following.
Re: (Score:2)
Just a quick question: why, exactly, do MBAs need to know calculus?
Please, I'm not following.
Uh, why do you think the are called financial derivatives?
Voodoo economics / creative accounting (Score:3, Interesting)
Just a quick question: why, exactly, do MBAs need to know calculus?
Please, I'm not following.
"In the fall of 1972 President Nixon announced that the rate of increase of inflation was decreasing. This was the first time a sitting president used the third derivative [daviddarling.info] to advance his case for reelection." http://www.daviddarling.info/encyclopedia/D/derivative.html [daviddarling.info]
Re: (Score:2)
Um... I'm in an economics class now, and last semester, and we never discussed this stuff. Maybe it's only a formulas involved that require calc?