I just saw this on Newsday.com.......

Oracle's Larry Ellison is top-paid chief executive

The Associated Press, Associated Press

Deadly Sin 2 has to do with the Oracle Cost Based Optimizer.

Early on oracle used a rules based optimizer. Which simply meant it made decisions on how to retrieve information based upon a pre-determined set of rules. For example:

When you issued the command

Select * from Table where columun1 = “Apple”

It was smart enough to use the index on column1 if it existed. If two indexes existed on column1 and one was a unique index, it would use the unique index first.

These rules governed how all data was retrieved. The retrieval of data was only as good as the rules that were used. It got even more complicated when two tables were joined together. Imagine a million row table being joined to a 3 row table.

For example:


Select bigtable.col1, smalltable.col2
From bigtable, smalltable
Where bigtable.col1 = smalltable.col2

The rules decided how these two tables got joined together. Joining a really small table to a big ran very fast. While joining a really big table to a small table ran really slow.

The rules never took into consideration the size of a table or how the data was distributed across the two tables. Some other vendors who recognized the major flaw in the rules based optimizer developed and implemented before Oracle a cost based optimizer

In the cost based optimizer tables sizes and distribution were taken into account when making decisions on how to query the data. Oracle knows the difference between a 3 row table and a 10,000,000 million row table. It knows record type a has 10 records and record type b has 100,000 records.

When Oracle first put the cost based optimizer into effect many people found their application ran much faster on the “old” rules based optimizer than the “new” cost based optimizer. This happened for a number of reasons. Many times the application developers had optimized the code better than the database could itself. Other times they had implemented the cost based optimizer poorly. When we check many databases today, we find that it is still being implemented poorly today causing your database to be sluggish and underperforms.

Oracle Database Management Deadly Sin 2 (Poor Implementation of the Cost Based Optimizer)

The cost base optimizer makes decisions based upon the information it is provided. When it lacks proper information it makes poor decisions. When it has proper information it makes optimal decisions and goes a long way to helping your database perform better.

To insure your database can perform optimality, its important it has the right information available to it. This means it needs to understand how data is physically distributed within the table. Here is a particularly useful feature that should be used whenever possible that will work in Oracle8i and up.

The GATHER EMPTY/GATHER STALE feature of DBMS_STATS should be used. When the GATHER EMPTY/GATHER STALE feature is in use, Oracle tracks insert, delete, and indexed column updates, making the counters accessible by viewing SYS.DBA_TAB_MODIFICATIONS:

Name Null? Type
--------------------- -------- ----------------------------
TABLE_OWNER VARCHAR2(30)
TABLE_NAME VARCHAR2(30)
PARTITION_NAME VARCHAR2(30)
SUBPARTITION_NAME VARCHAR2(30)
INSERTS NUMBER
UPDATES NUMBER
DELETES NUMBER
TIMESTAMP DATE
TRUNCATED VARCHAR2(3)

This is very important because based on object details in this view, if the row count of a table has changed more than 10%, DBMS_STATS will re-collect optimizer statistics. This will insure the database is always making performance decisions based upon current information that accurately reflects how the physical data is in your database at that time.. This is key to getting the most out of your Oracle database.

There are a few steps involved when implementing this functionality:

===============================================
= 1 Place tables in monitoring mode (monon.sql) ===============================================

-- Start monon.sql
/ as sysdba

set pages 0 lines 999 trimsp on feed off spool monon

select /* Will run for releases 8i and 9i */
'alter table '||owner||'.'||table_name||' monitoring;'
from sys.dba_tables,(select * from v$version where rownum < 2) vv
where monitoring = 'NO'
and owner not in ('SYS','SYSTEM')
and nvl(duration,'X') not in ('SYS$SESSION','SYS$TRANSACTION')
and iot_type is null
and (owner,table_name) not in
(select owner,table_name from dba_external_tables)
and (instr(vv.banner,'9i') > 0 or instr(vv.banner,'8i') > 0);

select /* Will run for release 10g */
'alter table '||owner||'.'||table_name||' monitoring;'
from sys.dba_tables,(select * from v$version where rownum < 2) vv
where monitoring = 'NO'
and nvl(duration,'X') not in ('SYS$SESSION','SYS$TRANSACTION')
and iot_type is null
and (owner,table_name) not in
(select owner,table_name from dba_external_tables)
and (instr(vv.banner,'9i') = 0 and instr(vv.banner,'8i') = 0);

spool off
set echo on feed on

spool monon.log

@monon.lst

spool off

exit-- End monon.sql



The monon.sql should be run daily. It will place tables in monitoring mode, including those belonging to SYS and SYSTEM if running Database 10g.

=============================================
= 2 Place a stake in the ground (startup.sql) =============================================
DBMS_STATS can start gathering insert/update/delete activity against tables after the collection of a fresh set of statistics. This should only be run once when starting to use the GATHER EMPTY/GATHER STALE functionality.

-- Start startup.sql
{username/password} or / as sysdba

set pages 0 lines 999 trimsp on feed off spool startup

select /* Will run for releases 8i and 9i */
distinct 'exec dbms_stats.gather_schema_stats (ownname=>'||''''||
owner||''''||',cascade=>TRUE,estimate_percent=>2)'
from sys.dba_tables,(select * from v$version where rownum < 2) vv where owner not in ('SYS','SYSTEM') and (instr(vv.banner,'9i') > 0 or instr(vv.banner,'8i') > 0);

select /* Will run for release 10g */
distinct 'exec dbms_stats.gather_schema_stats (ownname=>'||''''||
owner||''''||',cascade=>TRUE,estimate_percent=>2)'
from sys.dba_tables,(select * from v$version where rownum < 2) vv where (instr(vv.banner,'9i') = 0 and instr(vv.banner,'8i') = 0);

spool off
set echo on feed on timi on


spool startup.log

@startup.lst


spool off

exit
-- End startup.sql

The code below is run daily (or less often if desired) and will only collect statistics for objects with no previous statistics (i.e., new
tables) or tables whose current statistics are deemed to be stale.

-- Start gegs.sql
{username/password} or / as sysdba

set pages 0 lines 999 trimsp on feed off spool gegs

select /* Will run for releases 8i and 9i */
distinct 'exec dbms_stats.gather_schema_stats (ownname=>'||''''||
owner||''''||',cascade=>TRUE,estimate_percent=>2,'||
'options=>'||''''||'GATHER EMPTY'||''''||
', granularity=>'||''''||'ALL'||''''||')'
from sys.dba_tables,(select * from v$version where rownum < 2) vv where owner not in ('SYS','SYSTEM') and (instr(vv.banner,'9i') > 0 or instr(vv.banner,'8i') > 0);

select /* Will run for release 10g */
distinct 'exec dbms_stats.gather_schema_stats (ownname=>'||''''||
owner||''''||',cascade=>TRUE,estimate_percent=>2,'||
'options=>'||''''||'GATHER EMPTY'||''''||
', granularity=>'||''''||'ALL'||''''||')'
from sys.dba_tables,(select * from v$version where rownum < 2) vv where (instr(vv.banner,'9i') = 0 and instr(vv.banner,'8i') = 0);

select /* Will run for releases 8i and 9i */
distinct 'exec dbms_stats.gather_schema_stats (ownname=>'||''''||
owner||''''||',cascade=>TRUE,estimate_percent=>2,'||
'options=>'||''''||'GATHER STALE'||''''||
', granularity=>'||''''||'ALL'||''''||')'
from sys.dba_tables,(select * from v$version where rownum < 2) vv where owner not in ('SYS','SYSTEM') and (instr(vv.banner,'9i') > 0 or instr(vv.banner,'8i') > 0);

select /* Will run for release 10g */
distinct 'exec dbms_stats.gather_schema_stats (ownname=>'||''''||
owner||''''||',cascade=>TRUE,estimate_percent=>2,'||
'options=>'||''''||'GATHER STALE'||''''||
', granularity=>'||''''||'ALL'||''''||')'
from sys.dba_tables,(select * from v$version where rownum < 2) vv where (instr(vv.banner,'9i') = 0 and instr(vv.banner,'8i') = 0);

spool off
set echo on feed on timi on

spool ggegs.log

@gegs.lst

exit
-- End gegs.sql

www.ntirety.com

View blog top tags

The newest blog entry comes from THE ARUP NANDA Blog. It concerns why you should set the ADMIN_RESTRICTIONS_LISTENER to On.  According the ARUP blog he is from Danbury, Connecticut and has been an Oracle DBA for the past 12 years. Here is what ARUP blog entry titled "Why Should you set the ADMIN_RESTRICTIONS_LISTENER to ON" contained….

Recently someone probably went through the slides of my session on "Real Life DBA Best Practices" and had a question on OTN forum why I was recommending setting the parameter to ON, as a best practice. I responded on the forum; but I feel it's important enough to put it here as well.

As a best practice, I recommend setting this parameter to ON (the default is OFF). But as I profess, a best practice is not one without a clear explanation. Here is the explanation.

Over the period of time, the Oracle Database has encountered several security vulnerabilities, some of them on the listener. Some are related to buffer overflow. others involve unauthorized access into the listener process itself. Some of the listener access exploits come from external listener manipulations. Did you know that you do not need to even log into a server to connect to the listener? As long as the port the listener is listeneing on is open (and it will be, for obvious reasons) you can connect to the listener from a remote server.

In 10g, Oracle provided a default mechanism that does not require password from the oracle user manipulating the listener via online commands. Having said that, there have been bugs and there will be. Those vulnerabilities usually get fixed later; but most often the fix does not get to the software quickly enough.

So, what should you do to protect against these vulnerabilities? I consider a simple thing to do is to remove the possibilty altogether; and that's where the admin restrictions come into picture. After setting this parameter, you can't dynamically change the parameter. So, even though a connection is made somehow from an outside server - bug or not - eliminating the possibilty altogether mitigates the risk. And, that's why recommend it.

Let's ponder on the problem a little bit more. Is that a problem is setting the parameter? Absolutely not. When you need to change a parameter, you simply log on to the server, update the listener.ora and issue "lsnrctl reload". This reloads the parameter file dynamically. Since you never stopped the listener, you will not see unsuccessful conection requests from clients. So, it is dynamic. If you are the oracle user, then you can log on to the server; so there is no issue there.

I advocate this policy rather than dyanamic parameter changes, for these simple reasons:

(1) It plugs a potential hole dues to remote listener vulnerability attacks, regardless of the probabilty of that happening.

(2) It forces you to make changes to listener.ora file, which shows the timestamp.

(3) I ask my DBAs to put extensive comments on the parameter files, including the listener.ora file, to explain the change. I also ask them to comment a previous line and create a new line with the new value, rather than updating a value directly. This sort of documentation is a gem during debugging. Changing in the parameter file allows that, while dynamic change does not.

So, I don't see a single functionality I lose by this practice; and I just showed you some powerful reasons to adopt this practice. No loss, and some gain, however small you consider that to be - and that's why I suggest it.

As I mentioned earlier, a best practice is not one without a clear explanation. I hope this explanation makes it clear.

To reach the original blog entry.....

Why You Should Set Admin_Restrictions_listener on

When I have a chance, I will read more of ARUP's Blog to see how many other Gems he has.

Posted by Michael Corey

www.ntirety.com

This latest Blog entry concerns legislation Massachusetts Governor  Deval Patricks latest move. For those of you not from Massachusetts you may find this interesting reading.

In Massachusetts Police are assigned constructions details rather than having flag men (Woman) as in other states. My friends who are not from Massachusetts have always told me what a complete waste of tax payer money. I tended to agree with them, until I thought it through.

So after I include some articles from the Boston Globe (www.Boston.com), I will give the facts as I know them and my intial thoughts as to why I think this is a mistatke. Why I think Massachusetts policy of using Police officers at constructions sites is an excellent use of taxpayers money.

Here is an article from the Boston Globe …..

Patrick to set new curbs on police details

Policy, to be released today, targets construction zones

Governor Deval Patrick is planning to release new regulations this morning that will take on powerful police unions by limiting construction details on nearly all state-owned roads, say several people who were briefed on the regulations.

While the plan will not force municipalities to adopt the regulations, it is the most aggressive step yet to end a cash cow for police officers that critics have long called a waste of taxpayer dollars.

"There's a crack in the dam now," said David Tuerck, who is director of the Beacon Hill Institute and has criticized Patrick for not going far enough to crack down on police details. "The governor has shown a great deal of political courage in taking this step."

The final regulations will be released today by Secretary of Transportation Bernard Cohen. A public hearing will be held, but the regulations are not expected to change much before they are fully implemented in October.

The regulations will require any contractor hired by the state for road work to develop a construction zone safety plan, said the people who were briefed on the administration's plan. They did not want to be named before the initiative is unveiled today.

That plan, which will be developed by the Massachusetts Highway Department, will delineate when police details should be used and when civilians in bright vests with flags will suffice.

Police unions are expected to vigorously oppose the regulations, although several union leaders would not comment yesterday because they had not seen the final draft of the regulations.

"On our roadways, public safety has to be the number one issue," said Rick Brown, president of the State Police Association of Massachusetts. "Putting flaggers out on state highways is going to cause someone to get hurt, whether it's the flaggers or drivers on those roadways."

The new regulations will probably require civilian flaggers on state roads where the speed limit is below 45 miles per hour, as well as on low-traffic roads where the speed limit is higher. Flaggers will also be used on sites where barriers are used to block off construction sites on a high-speed, high-traffic road.

Some roads - generally those with speed limits above 45 miles per hour and with more than 4,000 vehicles per day - will still rely on sworn police officers to monitor traffic.

It means that flaggers would probably be placed on a construction site on Route 2 in Charlemont, where traffic is light, but a police officer would be used on Route 2 in Concord, where traffic is much heavier. Flaggers would be possible, though less likely, on the major interstates.

Although there are no statewide regulations currently requiring the use of police details for Massachusetts road projects or utility jobs, state and local officials have used them for decades at construction sites anyway, in deference to politically powerful unions. Massachusetts is the only state that automatically assigns police officers to nearly all utility and road work sites

Police have argued that the presence of a cruiser and a uniformed officer slows traffic and provides the best protection for the public and for road workers. Police have at times also made arrests or caught suspects on unrelated cases while on police details.

Critics, however, have railed against the frequent sight of police officers drinking coffee or talking on cellphones as they oversee construction sites. The details also add tens of thousands to police officers' salaries. In 2006, nearly 1 in 10 State Police officers made more than the governor, in part because of overtime and state police work. Sixty officers made more than $40,000 working details.

In 1992, Governor William F. Weld proposed legislation to replace police details with civilian flaggers. After 800 police officers flooded the State House and accused him of taking food from the mouths of their children, Weld gave up, and few have tried to revive the issue.

That changed in March, when Patrick joined House Speaker Salvatore F. DiMasi and Senate President Therese Murray to say they would work to eliminate the closely guarded union perk.

After a lobbying blitz by the unions and some signals from the governor that change would be difficult, the Legislature inserted language into the bill essentially preventing the state from forcing changes on local roads, where the vast majority of projects are done.

Administration officials have said they hope that their new policy will set an example for municipalities, but there's nothing to compel local officials to challenge police unions and make changes on their roads.

"I wouldn't say it's a disappointment, but anyone who looks at this with a straight face would have to say we're not going to see much change," said Jim Stergios, executive director of the Pioneer Institute, a fiscally conservative think tank.

Of the nearly 36,000 miles of roads in Massachusetts, about 90 percent was under local control in 2006, according to data collected by the Federal Highway Administration.

Administration officials say the new policy will save money, but have not put forward any estimate, according to the people briefed on the plan.

The cost of paying police for monitoring constructions sites and traffic on Massachusetts Highway Department projects increased from $15.5 million in 2003 to $22.6 million in 2006, a 48 percent increase over the three years, according to a report last year by the Transportation Finance Commission. Nearly 5 percent of the total cost of MassHighway's construction projects pays for police details.

Senator Steven A. Baddour, a Methuen Democrat and cochairman of the Joint Committee on Transportation, praised the regulations yesterday.

"This is the first step," he said. "We'll continue to look into modifying things as we go forward."

Matt Viser can be reached at maviser@globe.com.

To reach the original article ....

Boston Globe Article

Here is another article, I have also included from the Boston Globe...

Police protection needed from aggressive drivers

I'M GLAD everyone thinks saving money on police details at road construction sites is so wonderful. What I think is wonderful is my husband walking through the door every night safe and sound. He's a line-striper and spends every day standing, walking, running, measuring, and setting up and breaking down equipment in highway traffic. He's been hit by vehicles three times in 13 years. He credits his police and trooper details with saving himself and his crew countless times.

Maybe the reason we need these details is that the drivers in this state are among the most impatient and aggressive in the nation. The swearing and threats alone from drivers warrants police protection. I challenge anyone to stand for a day and watch what goes on at these sites. You would be horrified.

LAURA LaROCHELLE
Plymouth

To read the original Article...

  Boston Globe Article

Here are my quick thoughts on this……

We live in a very expensive state. As expensive as it is, I would not want to live anywhere else. Massachusetts is a wonderful place to live, great restaurants, Museums,  colleges, so many cultures. The Mountains, The Ocean and so on.

Scenario 1

If you take Police Details out of the equation the average salary of a police officer is effected quite a bit. In my town, it would be 42K dollars a year. What Police officer could afford to live here. What is now considered a good job, would be very quickly change. The average police officer in this state, is smart and well educated. These are good jobs and good people go after them. Its scary who would want the job, it it did not pay well. Think about who would be protecting us.  So as a flood of young Police officers left, it would very quickly send a message to all of us we need to pay them more. So the next article we would see in the Boston Globe would be the rising costs of Police Salary in the Bay State. We would have no choice but to raise Police Salaries.

Scenario 2

Police officers need to make additional money to survive. They know if they write lots of tickets. That when people dispute those tickets, they get to go to court to defend the Ticket they wrote. That is usually over-time unless you want to pull them off the streets. So instead of getting a warning, you will get a ticket. I wonder if that is not why Police are so aggressive in states like Connecticut. God think of the costly insurance surcharges.

Scenario 3

The construction company hires an outside service to handle filling out the proper forms so they don’t need Police Details. This third part of course has to put there overhead charge on the situation.  So it cost us the same anyway. The only difference is now our average police officer cant afford to live in this state.

Then I think about the typical Massachusetts driver. Lets face it we are aggressive. Imagine how we will be with a Flag Man (Woman). I think this is a place where the Governor Deval Patrick needs to back off. Give it a break. I think in Massachusetts we have it right. Pay the Police to do the construction details we are all better off.

My gut tells me this is not good public policy for Massachusetts.

Just my opinion.

Posted by Michael Corey

www.ntirety.com

I stumbled upon this video on YouTube and I had to share it. The Police officer Patrick Pogan claims that the Cyclist Christopher Long disrupted traffic and purposedly crashed into him. Police Officer Patrick Pogan then charged the Biker with attempted assault and other charges.

Patrick Pogan YouTube Video

To quote the NY Daily News…..

PBA: Rookie cop who decked cyclist was doing his job

BY ERIN EINHORN and TAMER EL-GHOBASHY
DAILY NEWS STAFF WRITERS

Tuesday, July 29th 2008, 10:42 PM

A rookie cop under investigation for violently knocking a cyclist to the ground was backed Tuesday by his union, which insisted he was protecting the public from an out-of-control rider.

"This officer observed the reckless actions of a specific individual weaving in and out of traffic and creating a hazardous condition for the public and took action," Policemen's Benevolent Association President Patrick Lynch said in a statement.

But that version was quickly dismissed by Mayor Bloomberg, who said the videotaped attack appeared "totally over the top and inappropriate."

Officer Patrick Pogan, 22, of the Midtown South Precinct, has been stripped of his gun and badge and banished to desk duty since the stunning video of the incident surfaced on YouTube.

Internal Affairs investigators are probing the incident, which occurred Friday during a Critical Mass bike ride through Times Square.

"I have no explanation," said Police Commissioner Raymond Kelly. "I can't explain why it happened."

The video appears to capture Pogan observing the bike ride in the middle of Seventh Ave. before suddenly singling out one rider, walking several feet to intercept him and then shoulder-checking him onto the ground.

Biker Christopher Long, 29, was then charged with attempted assault and other charges. Pogan claimed in court papers that Long disrupted traffic and purposedly crashed into him.

The charges against Long, of Bloomfield, N.J., will likely be dropped and Pogan will almost surely be fired, police sources said.

Posted by Michael Corey

www.ntirety.com

I found this blog entry on Pingdom www.Pingdom.com . It caught my attention. I beleive it is real when I think back about some of the Job Interview questions I have had.

August 15, 2008

Tricky, funny and interesting, these are some questions people claim to have been asked at job interviews with Microsoft and Google. And IKEA, sort of…

We came across these because we are currently looking for a developer and a support technician to join the Pingdom team, and were searching around the Web for some inspiration regarding interview questions. The mission was to find some really good questions for our future developer colleagues.

There are some serious brain twisters in there, so enjoy! (Or be baffled… )

How smart are our readers? The person with the best answer(s) in the comments will win a free one-year Pingdom Business account (worth $479). The winner will be picked by us here at Pingdom.

Questions by Google

1. How many golf balls can fit in a school bus?
2. You are shrunk to the height of a nickel and your mass is proportionally reduced so as to maintain your original density. You are then thrown into an empty glass blender. The blades will start moving in 60 seconds. What do you do?
3. How many piano tuners are there in the entire world?
4. In a country in which people only want boys, every family continues to have children until they have a boy. If they have a girl, they have another child. If they have a boy, they stop. What is the proportion of boys to girls in the country?
5. Describe a chicken using a programming language.

Questions by Microsoft

1. You have a bucket of jelly beans. Some are red, some are blue, and some green. With your eyes closed, pick out 2 of a like color. How many do you have to grab to be sure you have 2 of the same?
2. Pairs of primes separated by a single number are called prime pairs. Examples are 17 and 19. Prove that the number between a prime pair is always divisible by 6 (assuming both numbers in the pair are greater than 6). Now prove that there are no ‘prime triples.’
3. Imagine an analog clock set to 12 o’clock. Note that the hour and minute hands overlap. How many times each day do both the hour and minute hands overlap? How would you determine the exact times of the day that this occurs?
4. How much does a 747 weigh?
5. Imagine a disk spinning like a record player turn table. Half of the disk is black and the other is white. Assume you have an unlimited number of color sensors. How many sensors would you have to place around the disk to determine the direction the disk is spinning? Where would they be placed?

To read the entire Blog Entry click here......

Best Interview Questions by Microsoft, Google

The Question that I remember most when I was early in my Career..

Why Are Man Hole Covers Round ?

If you think you know the answer to this or any of the others, please post a comment. I would enjoy some of the answers and I think others would also..

I found this cartoon on...

www.sentimentalrefugee.com  

Posted by Michael Corey

www.ntirety.com

Our Friends in TSA just annouced this....

August 15, 2008

Starting Aug. 16, TSA will allow laptops to remain in bags meeting new 'checkpoint friendly' guidelines. Not all laptop bags are 'checkpoint friendly'
(see images below).

To help streamline the security process and better protect laptops TSA has recently encouraged manufacturers to design bags that will produce a clear and unobstructed image of the laptop when undergoing X-ray screening. A design that meets this objective will enable TSA to allow laptops to remain in bags for screening.

Industry enthusiastically met the call and more than 60 manufacturers responded, 40 of them submitting prototypes for testing. TSA opened three airports for manufacturers to perform live testing of these prototypes with Transportation Security Officers (TSO) so the manufacturers can gain feedback on what works and what doesn’t with various bag designs.

TSA screens laptops to see if the electronics have been tampered with. TSOs know what the inside of a computer should look like, and can recognize irregularities. This is why they need an unobstructed view as the item moves through the X-ray machine.

Purchasing one of these bags will not guarantee that you can leave your laptop in your bag for screening. If a TSO finds that the bag does not present a clear and distinct image of the laptop separate from the rest of the bag, the laptop will have to be screened separately.

There are laptop bag styles currently on the market, such as laptop-only sleeves, that have the potential to present a clear X-ray image of the laptop if they are correctly packed. However, most current laptop bags will not present a clear X-ray image and should not be sent through the X-ray with the laptop inside.

What does this mean for passengers?

TSA is not approving or endorsing any bag design or manufacturer and will only allow laptops to stay in bags through screening if they provide a clear and unobstructed
X-ray image of the laptop.

Click here to go to the Original Post......

http://www.tsa.gov/press/happenings/simplifying_laptop_bag_procedures.shtm Original TSA Post  

I feel this is a major step in the right direction. 

Posted by Michael Corey

www.ntirety.com

Every Major Database vendor is making an attempt to plug security holes. This is a real problem for the industry, putting everyone at risk. Don’t think this can happen to you, think again!. My 20 year old son went to buy his first car, and we learned that his identify was stolen.  On January 30th, 2008 I wrote a blog entry titled Identity Theft Hits Home – Lessons Learned. Click here to see that Blog entry....

Identity Theft Hits Home - Lessons Learned

The data in these databases is at risk and its important we take adequate measure to protect ourselves.

This video is based upon a true story or an Oracle Linux database being hacked through a SQL Injection Attack. It’s a step by step demonstration. It’s a must watch item for every DBA.

SQL Injection Attack Video Oracle Linux database

At Ntirety we recently launched a new service for our clients. Where we do full security audits focused on just the database. For many of our clients this is a must have item. In today’s world, I don’t care how big or small your company is. If you have a database that stores information about clients or your business, it’s important you protect it. Or it could be you who finds out there Identity has been stolen.

Posted by Michael Corey

www.ntirety.com

MoneyGram Just sent this email out to its community..... 

Protect Yourself Online

At MoneyGram, we take the protection of our customers’ personal information very seriously. A few simple tips can go a long way in protecting your personal information online:
 
·        Do not supply your eMoney Transfer login ID, password, or other sensitive information in response to an email you receive.  MoneyGram will never send you an email asking for that information.
·        Do not click on a link in an email to get into your eMoney Transfer profile.  Open a new browser window and type in https://www.emoneygram.com and log in to your eMoney Transfer profile directly.
 
For more information on how to protect yourself from online fraud, click here.
 
If you suspect that you are a victim of online fraud, please call 866-450-9897 for assistance. 

As I look at this notice. Its so full of common sense.....

Do not supply your eMoney Transfer login ID, password, or other sensitive information in response to an email you receive.  

Let Me say this a little differently...... 

RULE 1. Do not supply your login Id, Password of other sensitive information to any email you receive.  

Do not click on a link in an email to get into your eMoney Transfer profile.  Open a new browser window and type in https://www.emoneygram.com and log in to your eMoney Transfer profile directly.

Let me say this a little differently........

Rule 2: Do not click on an emaiul to get into any account you have that has sensitive information. Its always better to go to the site directly.

This is just common sense advice if you want to navigate the web safer.

Posted by Michael Corey

www.ntirety.com

In New England we always notice how small the Database community is.  How many times when we meet someone how likely it is we will know them though some connection. Then as I walk the Internet looking for information, I am always amazed how how big the Database community is. My latest blog entry comes to us from Atif Shehzad. He is located in Islamabad Pakistan. He clearly has a passion for database administration. His blog is called DBDigger.

The blog entry I include her is “DBA Best Practises for SQL Server Security”. Here is what his blog said…

Following best practices may be implemented as base line for standard security of SQL Server
1.    Ensure the physical security of each SQL Server, preventing any unauthorized users to physically accessing your servers.
Comment: How important physical security is. If someone can get at the physical server they can easily mess with it.

2.    Only install required network libraries and network protocols on your SQL Server instances.
Comment: The less network protocols you have on the server, the less ways for someone to hack in..

3.    Minimize the number of sysadmins allowed to access SQL Server.
Comment: I would argue that each Sysadmin should be a named account.

4.    As a DBA, log on with sysadmin privileges only when needed. Create separate accounts for DBAs to access SQL Server when sysadmin privileges are not needed.
Comment: Its nice to have privileges, but how easy it makes it to delete something or drop something you did not mean to drop. This is great advice.
5.    Assign the SA account a very obscure password, and never use it to log onto SQL Server. Use a Windows Authentication account to access SQL Server as a sysadmin instead.
Comment: Take it one step further. Make it at least 6-8 characters long. Make sure it has both uppercase, Lower, Numbers and characters. It will make it so much harder to hack.

6.    Give users the least amount of permissions they need to perform their job.
Comment: Great idea, but so hard to do in actual practice. Thank god for roles.

7.    Use stored procedures or views to allow users to access data instead of letting them directly access tables.
Comment: Amen.
8.    When possible, use Windows Authentication logins instead of SQL Server logins.
9.    Use strong passwords for all SQL Server login accounts.
Comment. Same as above. 6-8 character long. Number and letters, etc.
10.    Don’t grant permissions to the public database role.
11.    Remove user login IDs who no longer need access to SQL Server.
Comment: An absolute must,
12.    Remove the guest user account from each user database.
Comment: An absolute must
13.    Disable cross database ownership chaining if not required.
14.    Never grant permission to the xp_cmdshell to non-sysadmins.
15.    Remove sample databases from all production SQL Server instances.
16.    Use Windows Global Groups, or SQL Server Roles to manage groups of users that need similar permissions.
17.    Avoid creating network shares on any SQL Server.
18.    Turn on login auditing so you can see who has succeeded, and failed, to login.
19.    Don’t use the SA account, or login IDs who are members of the Sysadmin group, as accounts used to access SQL Server from applications.
20.    Ensure that your SQL Servers are behind a firewall and are not exposed directly to the Internet.
21.    Remove the BUILTIN/Administrators group to prevent local server administrators from being able to access SQL Server. Before you do this on a clustered SQL Server, check Books Online for more information.
22.    Run each separate SQL Server service under a different Windows domain account.
23.    Only give SQL Server service accounts the minimum rights and permissions needed to run the service. In most cases, local administrator rights are not required, and domain administrator rights are never needed. SQL Server setup will automatically configure service accounts with the necessary permissions for them to run correctly, you don’t have to do anything.
24.    When using distributed queries, use linked servers instead of remote servers.
25.    Do not browse the web from a SQL Server.
26.    Instead of installing virus protection on a SQL Server, perform virus scans from a remote server during a part of the day when user activity is less.
27.    Add operating system and SQL Server service packs and hot fixes soon after they are released and tested, as they often include security enhancements. 28. Encrypt all SQL Server backups with a third-party backup tool, such as SQL Backup Pro.

Comment: Easiest way to protect a database, keep the patch levels current.
28.    Only enable C2 auditing or Common Criteria compliance if required.
29.    Consider running a SQL Server security scanner against your SQL servers to identify security holes.
30.    Consider adding a certificate to your SQL Server instances and enable SSL or IPSEC for connections to clients.
31.    If using SQL Server 2005, enable password policy checking.
32.    If using SQL Server 2005, implement database encryption to protect confidential data.
33.    If using SQL Server 2005, don’t use the SQL Server Surface Area Configuration tool to unlock features you don’t absolutely need.
34.    If using SQL Server 2005 and you create endpoints, only grant CONNECT permissions t