MSSQL Attacks and How to Stop Them

An organization employing over eight thousand employees within the public sector has been migrating their database systems in a consistent manner to Microsoft SQL Server.  The reasoning behind this migration is two-fold: firstly, the organization is moving all resources to Microsoft Azure and, as such, expect improved support for the product.  Secondly, the organization wishes to leverage all which the cloud can provide, which means moving to PaaS and eventually managed services; these offerings are not available with systems such as MySQL and PostgreSQL,  and Oracle in the Azure cloud space is not cost efficient.  However the movement to a new database platform has risks; I will be discussing some of the risks related to the security of Microsoft SQL Server and ways to prevent or mitigate such risks.

Artemiou (2016) provides a good list for starting points for securing your SQL server.  Several items do stand out, but in particular I will be discussing two things: the patching of SQL Server and setting up database encryption.

Patching is important for both the operating system (either Windows or Linux) as well as for SQL Server itself.  Netwrix (n.d.) points out that hackers are continually finding new ways to infiltrate SQL server; and as soon as Microsoft finds them, they implement fixes which are then meant to be applied by the DBA.  Coeo (n.d.) also agrees, pointing out that attacks such as the “speculative execution side-channel attack” was discovered and patched by Microsoft, leaving consumers of SQL safe from such attacks.

But, patching a SQL server is not easy; these servers are typically mission critical and cannot go down.  Additionally, the underlying operating systems can’t go down either.  So, what’s a DBA to do to keep their systems secure?  One method pointed out by Tintri (n.d.): AlwaysOn.

AlwaysOn is a SQL tool whereby a load balancer sits in front of multiple, clustered SQL servers; the balancer talks to the listener, which is the device which determines which SQL server is primary and which is secondary (“Business continuity and database recovery “, 2017).  The load balancer directs the consumer to the primary database server, leaving the secondary servers to stay just that: secondary.  Should a failover occur from the primary to a secondary, the load balancer will send traffic to the new primary.  Therefore patching, according to Tintri (n.d.) is as simple as patching your secondary servers, failing over, and then patching your previous primary.  Of course, they caution that testing be performed ahead of time in a lower environment, lest you break your applications.

Microsoft MSSQL AlwaysOn Cluster Diagram.

AlwaysOn helps to protect the organization from attacks by allowing DBAs to patch systems which require a continuous uptime, such as database systems.  For this large organization, downtime of database systems is unacceptable, but security must be a priority.  According to Microsoft (“Business continuity and database recovery “, 2017), AlwaysOn allows for the ability to switch database servers, patch those which are not in active use, and then fail back if desired; this allows for patching “offline” servers and keeping them secure.

The second item I want to talk about is database encryption.  Specifically, I want to talk about disk vs. file encryption.  Bitlocker is a tool which allows for the encryption of entire disks (Bitlocker, 2017).  In order to decrypt a drive, such as one which holds database files, the drive must be “unlocked” using a passphrase or even a certificate.  If your BIOS isn’t TPM compliant, you can still use Bitlocker; Bitlocker will simply ask you to store a startup key on a drive which is not attached to the system, such as a USB drive.

Bitlocker encrypts entire drives, including database files, but once the drive is unlocked, a hacker can grab your database files from right under your nose. (Bitlocker, 2017).  Bitlocked drives must be unlocked before they are usable, therefore your databases in the wild are not protected from something as simple as a file copy.  This is where Microsoft Transparent Data Encryption (TDE) comes into play.

According to Microsoft documentation, transparent data encryption encrypts SQL server data and log files, without any need for “unlocking” except when transactions occur (Transparent Data Encryption, 2019).  The benefit of TDE is that the files are never truly unlocked; therefore, a file copy by a malicious user on your network yields them nothing but an encrypted, unusable file.  With Bitlocker, this is not the case; the copied file would be unencrypted (Bitlocker, 2017).

TDE works with not only SQL itself, but with the underlying Window’s Data Protection API to create service keys; therefore, SQL is not reinventing any wheels (Transparent Data Encryption, 2019).  Encrypting a database is also very straightforward.  Using only T-SQL, you create a master key, create an encryption key, and then issue an “ALTER” statement against the database to tell it to encrypt using the key which you just created.  Of particular note is that the master key is only used to encrypt the keys you create yourself so that they are not stored in plain text in your database, so your database server can have one and only one master key.

There are several other notes I would like to discuss when using TDE.  First, that key you created to encrypt your database?  Back. It. Up.  If you lose your database server and have to restore to a new SQL instance, you will have to import that key for your database backups to be usable (Transparent Database Encryption, 2019).  I’ve seen all too often the sad face of a DBA who can’t find their encryption keys.  Second, keep your basic SQL skillset up to snuff: remember where the results of table joins and like go?  Tempdb (Tempdb Database, 2019).  How secure would your data be if they were highly protected in the data files, but then open to the world in tempdb?  A hacker could just keep making copies of your tempdb until they got the information needed.  So, to protect against this, if ANY database on your server is leveraging TDE, tempdb is automatically encrypted and you cannot change this (Transparent Database Encryption, 2019; Tempdb Database, 2019).  Personally I find this to be a pretty nice touch.

So that sums up what I wanted to discuss re: SQL server and security.  For my next article I’ll discuss Microsoft SQL Server Always Encrypted, but that’s beyond the scope of this article as it is much, much more complicated, but in my humble opinion, much, much more interesting.  So thank you for reading, and as always, post comments and I’ll do my best to answer any questions which you may have.  I’ve been doing DBA work for around thirty years now, so I’ll do my best to answer as thoroughly as possible as well as give you links to Microsoft documentation.

Regards and best wishes

 

References

Artemiou, A. (2016). Top 10 security considerations for your SQL Server instances. Retrieved from https://www.sqlshack.com/top-10-security-considerations-sql-server-instances/

Bitlocker (2018).  Retrieved from https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview

Coeo. (2018). You must upgrade SQL Server to stay secure.  Retrieved from https://blog.coeo.com/you-must-upgrade-sql-server-to-stay-secure

Business continuity and database recovery – SQL Server. (2017). Retrieved from https://docs.microsoft.com/en-us/sql/database-engine/sql-server-business-continuity-dr?view=sql-server-2017

Netwrix. (n.d.). SQL Server security best practices.  Retrieved from https://www.netwrix.com/sql_server_security_best_practices.html

Tempdb Database. (2019).  Retrieved from https://docs.microsoft.com/en-us/sql/relational-databases/databases/tempdb-database?view=sql-server-2017

Tintri. (n.d.). SQL AlwaysOn availability groups on Tintri.  Retrieved from https://www.tintri.com/resources/whitepapers/sql-alwayson-availability-groups-tintri

Transparent Data Encryption. (2019). Retrieved from https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-2017

Advertisement

Privacy Settings

Proof vs. Evidence

Question: how many people have been proven guilty in a court of law in the United States.  The answer might be “how in the world could I possibly know that?”, but the answer really is pretty easy: zero.

Now, you might be thinking that it couldn’t be zero; after all, not everyone walks out of court an innocent person; some go to prison immediately in fact.  But the devil’s in the details of course.  Here, the details are pretty subtle, but they are in fact how the scientific method works; they’re also how our legal system works, albeit the legal system is a lot less rigid.  No one is “proven” guilty; they are “found” guilty.  As I said, it’s very subtle.  Let’s take a look at the two words.

“Found” essentially means “as close to the truth as we can come, but there is still some doubt.”  In a court of law, we have to come to “beyond a reasonable doubt” for criminal offenses and “even plus a feather” to be found guilty.  I worked for law firms for twelve years, so I’m pretty familiar with the concepts.

“Proven” means “no doubt about it, this is true.”  Math is the only field of science allowed to have “proof”; everything else is “evidence.”  Think of court again; we have evidence for and against someone.  So we weigh the evidence to find a person innocent or guilty; we can’t prove it.

In science, we work towards p values mathematically, which allows us to mathematically prove that a statement we make is the truth.  Now it may not be the complete truth, there may be more to it, but it’s why we keep doing science.  We want the truth, the whole truth, and nothing less will suffice.  Look at Newton, who worked out the math for gravity.  He was right, as he had proof, but he was missing something.  Along comes Einstein, who added his laws of relativity to Newton’s laws of gravity, proving mathematically that he was correct.  Newton wasn’t wrong, he was simply incomplete.  Happens all the time.

The reason I wanted to blog this is because I hear the word “proof” tossed around when “evidence” is really the best word.  So unless you’re doing math, you don’t say “proof.”  Remember doing proofs in school?  What class was that?  Math.  It was your math class.  And you probably hated it, which I can’t blame you for, I hated it too.

So understand how science works.  We come up with ideas, and we test them.  We break what we find down into math, usually statistics, to prove, mathematically, that we’re correct.  Oftentimes incomplete, but we’ve got proof.  Evidence leads towards the proof, but if we can show what we’ve got leads to proper math, we get to use mathematical proof.

So there’s your differences, in a nutshell.  Also, as an aside, we can briefly talk about the “burden of proof.”  The burden of proof lies with the person making the positive claim, not the one denying it.  So if you say something such as “there is a god”, it is up to you to demonstrate that this statement is true; it is not up to me to show that what you say is not true.  As Christopher Hitchens used to say, what can be asserted without evidence, may be dismissed without evidence.

 

Long time

Wow, four years…seems like forever since I’ve posted anything. I plan on changing that, I’ve had a lot of life changes, mostly for the better. Plus my psychiatrist and psychologist think I should write out what I’m feeling, so I guess this is as good a medium as any.

So in the coming days I’ll start up my writing again, probably continuing to piss some people off 🙂 I’ve also started a YouTube channel, so I’ll make a few videos here and there and link to them.

Also… I hate thread necromancy. Don’t do it.

XBox Classic Modding

So over the weekend I opted to upgrade my XBox classic, previously softmoded using the MechAssault hack, to an 80GB hard drive (yeah, biggest IDE I had laying around). I’ll have to say that using the XBox HDM utility it was pretty much a snap. I ran a backup using the UnleashX dashboard, then copied the backups of the C and E drives out to my PC using FTP, then copied the eeprom.bin file over. With the XBox HDM utility, you copy the C and E backups to folders in a linux subfolder, copy the eeprom.bin file to an eeprom folder, then run a batch file to create a bootable ISO. Neato. So I burned the ISO to a CD-R, but turns out the computer I tried to boot it in had an issue with Linux. But as you can probably guess, I had another PC laying around with IDE ports, and it worked like a charm. I put the new hard drive into my XBox and it came right up…with the MS Dash!!!!

So easy fix? I removed the softmodding with the UnleashX dashboard, rebooted and remodded with MechAssault. Last night I copied backups of Stubbs the Zombie and KotOR 2 to the hard drive, both ran flawlessly. DVD+R discs still aren’t working tho, but it may be the HP brand that I’m using, I’ll give it one more shot with Verbatim, and if it doesn’t work no biggie, I’ll just us xISO to transfer games to the XBox for me over the wire.

I plan to hack the 360 tonight, I would have done it over the weekend but I opted to run two more cable runs from my server closet to the switch. I added an Intel 1Gbps dual port NIC to my server, and turns out the onboard NIC is also Intel, so the ProSet software teamed all three of them together for load balancing, so my server sees a single 3Gbps connection. So I hooked up those extra runs to get all three NICs back to the switch, worked great.

XBox Classic Mod

So over the weekend I opted to upgrade my XBox classic, previously softmoded using the MechAssault hack, to an 80GB hard drive (yeah, biggest IDE I had laying around). I’ll have to say that using the XBox HDM utility it was pretty much a snap.

I ran a backup using the UnleashX dashboard, then copied the backups of the C and E drives out to my PC using FTP, then copied the eeprom.bin file over. With the XBox HDM utility, you copy the C and E backups to folders in a linux subfolder, copy the eeprom.bin file to an eeprom folder, then run a batch file to create a bootable ISO. Neato.

So I burned the ISO to a CD-R, but turns out the computer I tried to boot it in had an issue with Linux. But as you can probably guess, I had another PC laying around with IDE ports, and it worked like a charm. I put the new hard drive into my XBox and it came right up…with the MS Dash!!!!

So easy fix? I removed the softmodding with the UnleashX dashboard, rebooted and remodded with MechAssault. Last night I copied backups of Stubbs the Zombie and KotOR 2 to the hard drive, both ran flawlessly. DVD+R discs still aren’t working tho, but it may be the HP brand that I’m using, I’ll give it one more shot with Verbatim, and if it doesn’t work no biggie, I’ll just us xISO to transfer games to the XBox for me over the wire.

I plan to hack the 360 tonight, I would have done it over the weekend but I opted to run two more cable runs from my server closet to the switch. I added an Intel 1Gbps dual port NIC to my server, and turns out the onboard NIC is also Intel, so the ProSet software teamed all three of them together for load balancing, so my server sees a single 3Gbps connection. So I hooked up those extra runs to get all three NICs back to the switch, worked great.

Serialization…not just for breakfast

So what the hell is serialization?  This word gets toss around quite a bit by developers, but I’ve yet to hear one actually be able to explain what it is.  So let me edumacate you.

Objects are build by instantiating classes.  Objects have properties and methods.  Methods are shared by all instances of the class; properties are NOT shared.  So the only thing that makes an object different from other objects of the same class is its properties.  Clear?  Good.

Now, I need to work with a web service, let’s say on Server A.  Server A has a web service where it will query a database and return, let’s say, a customer invoice.  It will give me the data as an object.  Sorta.  Let’s keep going.

So I talk to Server A and I say “Hey, give me this customer invoice, here’s the ID”.  Server A responds “Here it is…”, then a bunch of XML text comes back.  What the frig?

The XML text is what we call serialized; it is a list of the properties of the Invoice objects along with the specific values.  So if my Invoice object has a ClientName property, I would see <ClientName>Joe Blow</ClientName>.

So what do I do on my side?  Well hell, I deserialize it!  My class must implement the ISerializable interface, which has a deserialize method.  I can implement this method which will take the values and assign them to the appropriate properties of the object that I have built on my side; reflection is a great tool here.

And what if I need to update the invoice?  Why, I serialize it and send it back to the web service.

Serializing is fun and is the basis for all web services.

The Nirvana Fallacy and Tu Quoque

Fallacies are of a somewhat dear and special nature for me; I find it intriguing how easy it can be for someone to base their decisions or reject/accept ideas for reasons which can be shown to be illogical.  Even more interesting is watching how people, after being shown that their ideas are not logical, become even more entrenched in their view.  It’s crazy, at least in my opinion, to hold on to a position that requires all sorts of rationalizing and double think to make it seem as if it were true.

Logical fallacies are patterns of thought which are wrong; the specific pattern usually has a name for it.  For instance, the correlation does not equal causation fallacy is called post hoc ergo propter hoc.  So if I cling to the idea that washing my car causes rainy weather, I would be committing this logical fallacy.

One of the lesser-known fallacies is the Nirvana fallacy.  The Nirvana fallacy is committed when you attempt to discredit an entire field of thought because of some issue about a particular aspect of that field of thought, such as a knowledge gap or a known risk; the committer of such a fallacy will then use this particular shortcoming as proof that his field of thought is superior without actually providing evidence.

For instance, vaccination is a very powerful medical tool which can render people immune to disease such as polio, whooping cough, rubella, etc.  However, some people can be allergic to some of the preservatives in the vaccines, so they can’t have them.  Someone committing the Nirvana fallacy would try to argue that because some people can be allergic to vaccines, all vaccines are dangerous and should not be taken; and of course, they’re going to give you an “alternative” to vaccination (which are usually bogus treatments).

The Nirvana fallacy can be pretty persuasive because it usually does involve an actual shortcoming of the field we want to demonize, such as vaccination.  By harping over and over again on a tiny shortcoming, a person could realistically sway an audience who isn’t thinking in terms of the big picture (such as all of the benefits of vaccinating).  In other words, they don’t have a clear perspective of the risk-benefit ratio.

So arguing small points is really not very useful, such as arguing that people should stop buying their kids the occasional happy meal because some other kids got fat.  It doesn’t make sense.  Utilizing reductio ad absurdum, I could argue that we should ban cars because some people get into accidents.

Another lesser known fallacy is tu quoque, or “you as well”.  This fallacy is pretty much the lemming fallacy with fewer lemmings.  The person committing this fallacy will try to justify their own actions by arguing that their opponent does the same thing (usually not true).  This quickly delves into an is/ought fallacy; just because something is a certain way doesn’t mean that it ought to be that way.  So pointing and saying “But you do it too!!!” has no merit at all.  The validity of an action lies only with the action itself and nothing more.

 

Ankylosing spondilitis awareness month

So apparently this is Ankylosing spondilitis awareness month, which I just learned today courtesy of the AS Group on Facebook.  Overall I like this group, lots of people discussing AS, sharing stories, things like that.  There is at least one or two major god-bots over there that keep talking about the power of prayer, which is irritating as hell, but I just ignore them.  I mean, if God heals, stop taking your meds and pray, see how far that gets you.

I’ll be honest about having AS; it gets to you after a while, and it hits pretty hard.  You have to come to terms with it; there’s no cure.  At first I thought I would just beat it, after all it was only a sore back and hip.  I kept thinking that if I just lay down for awhile that it will stop hurting and I could go on with my life; of course, it’s not true.  The pain never ends, and laying around makes things worse.  It’s really hard to deal with something like this.  I’m going to be on pain meds for the rest of my life just to keep things bearable; I’m going to live in constant pain for the rest of my life, which sometimes you just hope isn’t that long.

Things started out with a sore back and hip, which I attributed to traveling so much to Morgantown, a 3 hour trip one-way.  I mean it made sense, but then when I took a break from travel things just got worse.  My regular doctor insisted I pulled a muscle or something, which is a load of crap and I told him as much; he recommended a Chiropractor and I said no, I’ll take a doctor instead.  So he ordered some x-rays and saw the damage; I was referred to a rheumatologist who quickly diagnosed me with AS after I told him about my symptoms.  He said the x-ray was nearly definitive, and of course wanted to do blood work which I declined 🙂

It turns out that I’ve been sick for a long time but didn’t know it.  I’m tired all of the time, anyone who knows me will know that I can sleep for 14 hours with no trouble, and I never knew why I was so tired all the time; chronic fatigue is a symptom of AS as well as other auto immune diseases.  I always seem to get sick after I eat anything, which my rheumatologist attributed to irritable bowel syndrome, another symptom of AS.  I have mild psoriasis, another symptom.  The pain simply came last, which he said was normal.

I was referred to a pain management doctor, Matt Ranson, who ordered two MRIs, no contrast; he ordered a bone scan as well, but the stupid nuclear medicine team had already left, so we just said screw it.  MRIs are a simple procedure, you simply lay in a tube for about 30 minutes.  They heat you up pretty good, but the folks who run the machine blow cool air thru the tube for you.  They’re really nice there, and they’ll chat with you, but you just want to cry; everybody knows that you’re sick and all they’re doing is scoping the damage.  You just sorta lay there and try not to think about it.  You try not to think that you’ve passed this off to your children; thinking that they’ve inherited this disease from you hurts more than I can put into words.

So the MRIs come back and the damage is pretty clear.  I have severe arthritis/fusing in my left hip (right hip if you’re looking at me).  There are two spots of severe arthritis in my back.  The arthritis in my back is putting pressure on the nerves that go from your back thru your abdomen (kinda like a rib cage of nerves), which makes it feel as if I’m in a vice grip all of the time; this hurts pretty bad, but the meds I’m on make it pretty much stop.

My ribs have a lot of bony growths on them, which again is expected from AS.  Before I was on gabapentin, it felt as if I was being punched in the ribs and the upper part of my back all of the time, really hard.  It hurt so bad to even breathe, let along move around.  The meds have helped a lot with this, but the back pain is still there.

There’s pain all the way from my hip up to the base of my neck, all of the time.  I’m starting to get pain in my knees as well, which is also expected.  Some days are better than others, but the bad days are starting to greatly outnumber the good.  My meds pretty much keep me dizzy anymore, so I think I’ve decided that I’m not going to drive anymore.  I can’t focus on the road and I can’t keep the car straight; I’d rather not be in a wreck, so I think my driving days are over.

For me, probably the worst part is the loneliness; there’s no one here to talk to about it, no one else who understands.  This isn’t easy to come to terms with.  You want to beat it, you want to have your life back, but you just can’t; the life I had is over now and I have to make the best of my life now.  You just have to accept that there are things you just can’t do anymore.  Mowing the lawn is a bit too hard for me, I can’t walk that long, so I may get a riding mower to help out.  I can’t carry a lot anymore, so I have to make extra trips to bring in groceries.  I have to be careful holding Miles so that I don’t drop him on the floor.

It’s a hard thing to handle, but so far I’m doing fairly well with it; as long as I don’t develop amyloidosis I’ll be all right 🙂  Of course if I do develop it, and it turns into subtype AA, I would be terminal, which of course would be worse.  Hopefully this helps somebody understand the things we go through.  It’s not easy, but it can be kept in control.  Take your meds, on time, every day.  Do NOT mess with junk science such as the gluten-free nonsense.  Try to keep active, like moving around; this helps AS quite a bit.  It’s not easy due to the pain, but just try.  Try not to get too sad or make bad decisions.  Pain can cause you to take shortcuts and make mistakes; fear of pain is probably worse.  Pace yourself and think things through.  Know your limits, don’t overdo anything.  Simple things like lifting can cause major damage to your bones.

And if you have to, see a shrink.  It’s not a sign of weakness to seek help.  This disease is terrible and sometimes you just need somebody to talk to about it.  I think it’s pretty easy to get depressed about this stuff, and that’s the last thing anyone needs.

Well, I’m signing off.  Hopefully this helps somebody by letting you know that you’re not alone, we’re out here, just a bit spread out.

False equivalence and the failure of the media

The media, those bunch of tools who claim to report what’s going on the world, pretty much suck.  In their effort to remain “fair and balanced”, they offer even speaking time to groups who are just plain fucking stupid.  For instance, The Bad Astronomer has pointed out that Dateline gave equal time to both the pro-vaccine group and the pro-disease group, even tho the antivaxxers are fucking stupid.

Now, I’m not gonna go and point out how ignorant it is not to vaccinate.  If you’re dumb enough to deny your kids the same life-saving vaccines that you yourself received when you were a kid, go for it.  Darwin says let ’em die.  Odds are they got a bunch of your stupid genes and will end up either propagating your dumbosity or will end up giving whopping cough to my newborn where it can easily be fatal.  No, today I’m going to mention two types of logical fallacies, false dichotomy and false equivalence.

These are actually pretty simple.  A false dichotomy is when you present two sides as being the only possible solutions.  For instance, the moon is either made of green cheese or yellow cheese.  You’ve left no room for any other possibility, such as the moon is made of, you know, rock and regolith.  There aren’t just two sides to anything, there are probably hundreds if not thousands.  Of course, the only side that matters is the one with evidence. The pro-disease group has no evidence whereas vaccines have shit-tons of clinical studies showing efficacy.

False equivalence is when you present two sides as equally likely, such as it is equally likely that the moon is made of rock or that the moon is made of cheese.  Unfortunately, not all points are equally likely to occur.  It is not equally likely that the moon is rock or that the moon is cheese; one of those is clearly way beyond being wrong.  The media, when they try to show balance, create a false equivalence.  It is not equally likely that vaccines work or they don’t work.  Just because there are two sides doesn’t mean that one of them isn’t simply fucking wrong.

*———————————-

Quick update, before anyone accuses me of ad hominem when I refer to pro-disease groups as fucking stupid.  That is NOT an ad hominem.  I’m not saying that they’re wrong because they are fucking stupid, I am saying they are wrong because evidence contradicts their assertions…conclusively.  They continue to believe that vaccines cause autism, despite evidence to the contrary, which is why I say they are fucking stupid.  Order matters people.

Reductio ad absurdum

As anyone who reads this blog (both of you!) should know, I’m a huge fan of logic, reasoning and the scientific method; I’m also, shall we say, somewhat against the concepts of religion as they violate logic, reasoning, and the scientific method.  Magic fairy farts out universe and all life as we know it; right, gotcha.

The great thing about logic is that it doesn’t matter what you’re speaking about; logic is applied using patterns of thought, so the idea in question is actually irrelevant.  For example, take post hoc ergo propter hoc; doesn’t matter what I’m examining, it only matters if I’m trying to assign causation based solely on correlation.  The pattern holds regardless of the underlying argument.

Reductio ad absurdum, or a proof by contradiction, actually requires that we examine the actual argument and then, for argument’s stake, treat it as being true.  We take a premises, assume that it is correct, and take it to its logical conclusions to an absurd degree.  If the logical conclusions are simply absurd, we conclude that the premises must also be absurd, thus we assume that the argument is wrong.

Simple example: Cuius est solum eius est usque ad coelum et ad inferos, which basically means that if you buy land, you own everything above it and below it, to the heavens above and to hell below.  Let’s follow this to the logical conclusions, shall we?

Let’s assume that the land I own can be represented by a circle (say I’ve got a circular yard).  Then, let’s extend that circle both above and blow my yard, so we would basically be turning the circle into a circular rod (a 3D shape) that extended above and below my yard.  With me so far?

So if I extend that rod way below the surface of my yard, I may hit China.  Does that mean I own that piece of land in China?  What if I took the rod and went way above the surface of my yard?  Well, I’d certainly claim that I owned all of that airspace, plus I may end up hitting another planet or star.  Do I own those pieces of other planets or stars?  What about other peoples’ yards and their rods?  Surely I would intersect with somebody else’s rod, so what then?  Do we have to share that particular intersection?

So, the idea that I own everything above and below my yard is absurd, thus we refute the premises simply because the logical conclusions are ridiculous.

That, in a nutshell, is reductio ad absurdum.