
More on Password Managers

Last week I posted about reviewing passwords and mentioned using a password manager as part of that effort. DaniSQL noted in a comment a whitepaper about some browser vulnerabilities that can impact password managers – http://isecpartners.github.io/whitepapers/passwords/2013/11/05/Browser-Extension-Password-Managers.html. It’s a quick read and, as always when we talk about security, it seems like nothing can be easy. A big point in the paper is that autofill can work against you – hidden fields on the page, for example. Independent passwords per site help reduce the pain if you get hacked, and so would two factor authentication, but that isn’t the same as not getting hacked. Autofill is a huge convenience though. The manager I use allows me to set that option per site, so I’ll try to only use it where either the possible pain is almost nothing or I’m trusting the site to get it right every time (my bank?).

Knowing the risks is good. I still think the pros of a password manager used responsibly far outweigh the risks.
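The two mitigations the post describes – never filling a password into a field the user cannot see, and enabling autofill only per site – can be expressed as a small decision routine. This is an added example, not code from the original post or from the iSEC whitepaper; the field objects, the `bank.example`/`forum.example` origins and the allow list are constructed stand-ins for DOM inputs and saved settings.

```javascript
// Added example: a defensive autofill policy a password manager could apply
// before filling a saved credential. Field objects are constructed stand-ins
// for DOM <input> elements (type, hidden attr, style, bounding rect).

// Per-site autofill setting, as the post describes: autofill is off unless
// the user explicitly enabled it for that exact origin. (Constructed value.)
const autofillAllowedOrigins = new Set(["https://bank.example"]);

// A field is safe to fill only if it is a real password input that is
// actually rendered on screen. Hidden or zero-sized fields are never filled,
// which is the "hidden fields on the page" case the whitepaper warns about.
function isVisiblePasswordField(field) {
  if (field.type !== "password") return false;
  if (field.hidden) return false;                          // hidden attribute
  const s = field.style || {};
  if (s.display === "none" || s.visibility === "hidden") return false;
  if (s.opacity !== undefined && Number(s.opacity) === 0) return false;
  const r = field.rect || { x: 0, y: 0, width: 0, height: 0 };
  if (r.width <= 0 || r.height <= 0) return false;         // zero-sized box
  if (r.x + r.width <= 0 || r.y + r.height <= 0) return false; // pushed off-screen
  return true;
}

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Decide whether to autofill a saved credential into a field. Returns a
// reason string so the caller can log every allow/deny consistently.
function autofillDecision({ pageUrl, credentialOrigin, field, userGesture }) {
  const page = originOf(pageUrl);
  if (page !== credentialOrigin) return "deny: origin mismatch";
  if (!pageUrl.startsWith("https://")) return "deny: not https";
  if (!isVisiblePasswordField(field)) return "deny: field not visible";
  if (autofillAllowedOrigins.has(page)) return "allow: autofill enabled for site";
  // Default for every other site: fill only on an explicit user action.
  return userGesture ? "allow: user confirmed" : "deny: autofill off for site, ask user";
}
```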

Security, Compliance, and SQL Server Webinar on January 29, 2014

My first webinar of the year! I’m joining forces with the GreenSQL and MSSQLTips to present Security, Compliance, and SQL Server on January 29th at 3pm Eastern. I’ll be talking about how to work with/understand the Security and Compliance teams – what drives them, what they hope to accomplish, and why they sometimes ask you to do things that don’t seem to make a lot of sense. I’ll be adding to that my Top 10 list of SQL Security tips, the kinds of things you want to do if you want to be secure and not just pass the test!

Register here: https://www2.gotomeeting.com/register/279348610

Changes to PASS Voting Eligibility

There was a blurb in the Connector today about an eligibility change for voting. The “change” is a requirement to update your profile (or for those of us with more than one, all of your profiles). Here are the fields that are now required on the profile:

[image: the profile fields now required for voting eligibility]

I don’t have a problem with those, or even with asking for a yearly update. I worry that there isn’t enough information there to do a good dedupe – one of my two profiles (no, I don’t vote twice) has the state as Alabama (not on purpose, some strange system default). I worry that many voters won’t see this in the Connector and end up not being eligible. The latter is especially troubling. A change like this shouldn’t be the third bullet in an email, it should be the email. The newsletter talks about a membership drive when I think what we need is an eligibility drive.

I’m hoping it is part of a larger strategy, but if so, where is it? Why not ask the members to help dedupe? I have two accounts; who do I tell, and how, to merge those? Are chapters and events going to be pushing eligibility as much as membership? What if someone went to the Summit (surely an eligible member) and doesn’t update their profile – do we really not want them to vote? I’ve always thought that asking for a LinkedIn URL would be a decent way to uniquely identify someone – do a one time validation and call it done. It also seems like at least making phone number optional would be a good and useful data point to have, and it would be worth a discussion of whether it might become part of voting à la Google Authenticator.

I’m all for making eligibility right. Let us never have an election that is questionable. Put a committee together, come up with some ideas, and vet them publicly. E-voting is tough to get right for anyone, but we should be able to define a system that is fair to the honest member and at least puts decent speed bumps in front of those who decide to not play fair.

Sometimes It IS The Network

Over the years when a performance problem comes up there is always some speculation that it’s a network issue and not the database (can’t be us!). I always ask a few quick questions to see if I can see a reason to pursue the network angle:

  • Is the problem affecting multiple database servers?
  • Is the problem affecting multiple databases and/or multiple applications?
  • Is the problem experienced in a particular geographic location?

I won’t say it’s never the network, but usually when it’s the network everything is slow or down. Check, ask them to check, but assume it’s a database or application issue is my rule of thumb.

But.

I worked with a client where everything was running fine. The server in question had the IP changed to meet some security requirements, it came back up fine and all seemed ok, except that jobs were taking 3x to 5x as long. Nothing changed but the IP. How could that cause a problem? Seems like network doesn’t it?

Network team swore it wasn’t them. No way could changing an IP affect performance. A more likely culprit given the reason for the change was the firewall. Firewall team swore it was not them. Database team goes back to look again, sees nothing wrong on the server. Changes IP back to old IP, performance is fine.

So what do you do now? No one sees a cause, but clearly something is wrong.

They flipped the IP back again, performance drops immediately. I still thought the firewall had to be the problem. I’m not a firewall guy so I’m pushing for details, what kind of rules are running, which rules are getting hit, etc, looking for clues. Finally with some arm twisting I have the firewall taken offline, removing it from the equation. Performance still bad. Firewall team mad. And yes, the database team was still sad.

Now we go back to the network team. We’ve proved that it’s running fine with old IP, miserable with the new IP. After agreeing to look again, reluctantly, because it makes no sense, they find the problem. The new segment had packet inspection enabled, the old segment did not. The high amount of data being transferred was maxing out the switch and that was the bottleneck. Turned it off, presto, all was well again.

So for once it was the network. I’ll probably never see that root cause again, but now I know to ask about it, just in case.

I Learned Something From You

I learned something from you – that was something someone said to me at the end of a recent consulting engagement. I wasn’t teaching, just doing, so it made it all the more interesting to hear. Part compliment, part acknowledgement, maybe even part surprise; regardless, it was a very nice thing to be told.

It’s easy to forget that we all shape each other in the work place by the things we do and the things we don’t do and how we do (or don’t) do them. I’ve long been a believer in observing and ‘borrowing’ as I see behaviors or ideas that I think are effective. I’m sure that I don’t say “I learned something from you” as often as I should and I want to work on that. Sometimes we know when we do something well, but often we don’t – we’ve figured out a way that works for us as we try to get through the day/week/year and we go with it. It’s often not until someone talks to us about the way we do it that we take a fresh look and maybe re-value ourselves in the process.

Something to think about.

Upscale Bowling

I don’t bowl often, maybe once a year at best. It’s a fun way to spend a couple hours – I imagine many of you have done the same. Regardless of location they all seem about the same. Mostly quiet, not fancy, maybe even utilitarian in most ways. Food. Not great food, but good enough for an afternoon or evening outing. Shoe rental, the faint smell of the oil on the lanes, racks and racks of bowling balls. You’ve been there, right?

This past week we tried Splitsville here in Orlando, a (sort of) re-imagining of bowling. It’s located in what used to be the Virgin Megastore at Downtown Disney. I think you might call it full service bowling. When you enter you have a choice of just dining, or bowling with the option of having food delivered to your lane. Bowling is $15/hour per person and that includes shoes. They enter the bowlers names for you in the scoring system, ask for your shoe size, and then a – host/hostess? – puts the shoes in a basket and walks you to your assigned lane, in our case on the second floor.

Feels a bit nicer than average. The seating area is not the typical alley setup; there is a table with a bench and some chairs. Shoes have velcro closures, nice. The all-automatic scoring system is nice too, fully modern. Put your shoes on and start bowling. They have bumpers so the kids have a decent shot at hitting pins, and here it’s per player, so they go up and down as needed.

We managed two full games in our hour; a group without kids might stretch to three, not sure. The scoreboard shows time remaining and when you’re out of time, the lane goes dark and the pins won’t reset again. Lunch was $48 before tip for the four of us (a hamburger was $12). The burger was ok, but I’d have called it more like a $9 burger. The server takes your order, delivers the food, and does drink refills. Three of us bowled, so another $45 for that. Easily a $100 outing.

There is a full bar upstairs, another outside, and a sushi bar (which seems strange, but that’s just me maybe). They have full dinner items on the menu as well, I think a steak was $22. A few pool tables. I don’t remember seeing the arcade games, may have been on the first floor.

I can’t remember what we spent the last time we did bowling. Usually you pay per game plus one fee for shoes and I try not to eat while bowling, the food isn’t usually that good, so it feels like this was much more expensive – but on just the bowling, maybe not.

So, is this better? From a business perspective I’m intrigued. Per hour charges in advance are nice. People play and then move on, no taking two hours to play three games. Full service food of reasonable quality seems like it will do well, and again, because the bowling is time-boxed, you get to turn the tables like clockwork. Small gift shop at the exit is a nice touch.

Given a choice of this style or the ‘old’ style, we’d probably pick this one – nicer place, better food, full service (and given how rarely I bowl, any price difference for the bowling doesn’t matter much). That’s for the once or twice a year thing, because it’s an extra 30 minutes to get to compared to the one down the street. Bowling every week the extra drive time would rule out Splitsville for me.

Overall I thought their implementation was well done and given the location in Downtown Disney I think it will probably do well. It’s worth trying once and you probably haven’t been bowling lately anyway, right?

Looking forward to comments and thoughts on this one.

Security Cameras in the Neighborhood

I live in a pleasant, calm, middle class neighborhood. Not much crime here, at most the rare break-in or vandalism, not a place where you worry about going out for a walk in the evening. Recently the HOA sent out a letter discussing the install of security cameras to increase security and that provoked some interesting responses. Not everyone – including me – thinks that cameras everywhere are a good thing.

Will they reduce/deter crime? Maybe. Is it worth trading away some amount of privacy? Maybe. Maybe. I don’t have enough information to judge, just a sense that finding the balance between privacy and security isn’t easy. If the cameras would eliminate crime, that’s interesting. If they will, why didn’t we do it last year or ten years ago, is this purely about cost? It cost too much to stop crime then, not so much now? That’s not meant to be sarcastic. As costs decrease options become available that weren’t viable before and therefore maybe not even considered. I don’t have a good case for saying no to cameras – that’s either lack of thought or a bad position, I’m not sure which yet.

Still, I like to participate on issues that matter to me, so I sent the Board some questions, among them the following:

  • How long will the data be retained and how will it be purged?
  • Who will have real time access to the system (to view the camera feeds)?
  • Will administrators be allowed to view the data as a proxy – for example to see if they can find someone’s lost cat?
  • Will cameras be placed to only monitor public/community common areas and not any residence? (Policy)
  • With regard to public areas, what monitoring will be done at the playground?
  • How will the Board decide if the cameras are a success?
  • What logging will be done to track who views the live or recorded data?
  • How will you guarantee the security of the system so that it cannot be hacked (or such attempt detected and stopped) by a criminal using it to find targets and best times?
  • Will the Board require a subpoena for anyone to get a copy of the data, for example for a wrongful injury claim?
  • What crimes and how many have occurred by year for the past three years?
  • Is there a time of year when crime spikes?
  • What research has been done to see how other associations address this issue and how effective it has been in similar neighborhoods?

You can see my IT/security centric view shapes the questions. Ultimately the Board will decide and I’ll respect that decision (and at worst try to vote someone else in next time around). They are doing the best they can and there is no one ‘right’ answer (and I said as much in my email to them).

Privacy rights aside (and I don’t say that lightly), this is an attempt to solve a problem. I like to see the problem defined, explore options, see what others have done, and then dig into the cost/benefit part. Maybe they did that; all I got was an ‘installing cameras’ email. I suspect that this was one of those times where a bit of group-think and a bit of insensitivity to the privacy issue generated some mild backlash.

Think about the privacy part though. We could probably do close to 100% coverage of the neighborhood, or we could just monitor the egress roads, or somewhere in between. Is it still about cost? Would you think it was fair (as opposed to legal) if someone across the street pointed a camera at your home 24×7? Where does privacy for the one outweigh the good of the many? Not easy questions, but certainly questions we will have to answer this decade.

I imagine the cameras will go in and we’ll see what happens.

Looking Back-Part 2

As I re-read the original Looking Back post I realized I didn’t include anything about the fear part – stepping away from an established career focus to do something else for a while. I’ve been a SQL guy for a long time, I started using SQL Server in 1998 and I was working with data for a while before that. It’s hard to think about giving that up, about losing momentum, falling behind, etc, etc.

At the time a year seemed like a lot, but not out of the realm of reason, and in a lot of ways I looked at it and treated it as a working sabbatical. Then came the decision to make that break closer to two years. That wasn’t quite as worrisome, but it was still cause for thought. How long can you leave a field/technology before it becomes untenable to return, or at least difficult to return at the same level/salary?

I made a deliberate decision to not be finding reasons to use SQL Server during the day – that would have been going back to the comfort zone. It did force me to use Access from time to time to crunch some data to help me make some decisions (and that only reinforced my love/hate relationship with Access). I also made the deliberate decision to stay engaged, though at reduced levels, with my network. I went to some events, went to the Summit, talked to people in the SQL world.

Today I’d say I’m rusty, but not lost. I’ve spent little time with SQL 2012 so I’m behind on using new features, but I think when it’s time to return it will be a few weeks to grind off the rust. It reminds me that SQL Server, even though it has changed a lot, has in a lot of ways changed incrementally. The visual change from Enterprise Manager to SSMS was jarring, but a DBA today using SQL 2000 (and plenty are) could easily make the leap forward. Of course, that assumes doing day to day DBA/data work, which I’m not. That still leaves me wondering what is the longest you can go before you cannot return? Or is that even true? Or how long can you maintain dual skill sets, dual networks, etc?

That fear of falling behind certainly bothered me, and I took some time to think on it before deciding. Today I think that kind of change bothers me less – a result of experience no doubt.

The lessons here are not simple. It’s not as easy as saying never fear change, or don’t worry about falling behind. Changing jobs, taking risks, there is no right answer, no formula, or it wouldn’t be a risk. I guess I would tell you, though, that if you get a chance to step away for a year take it. Grow and see what happens. Maybe you’ll return rusty and eager, maybe you’ll take a different path – just have to see. If you think of it as a working sabbatical (oxymoron?) it makes a lot more sense.

Not sure I explained that well, but I’m going to post as is – writing about fear isn’t the easiest thing for me.