
The Security Payoff

I wrote a few months ago about United offering rewards for people who discovered security issues in United Airlines software. Not the plane software, thankfully, but their customer-facing IT systems. Apparently a few people discovered flaws and were recently awarded frequent flyer miles, a couple of whom received 1 million miles. That’s a nice bonus for some people, though I hope the end result is that United builds better security into its software and learns to code better. Certainly other companies have programs that have helped in the tech world. Microsoft, Google, and others have programs that pay bounties for flaws that are discovered and reported.

However, I wonder if this isn’t something that should become an accepted practice. I don’t necessarily want regulation here, though I would prefer that our regulation not prevent the research and exploration of security issues. Imagine, however, if we had an accepted, known process for finding flaws in all software. Maybe this would be a standard process, like reporting spam to the webmaster@ address for websites. If someone finds an issue, they let the company know. The company has a bounty of some sort, perhaps a token reward, and a limited time to fix the issue. Once the time passes, the individual is free to disclose the issue to the public, and the problem can be publicly discussed and analyzed. More importantly, the company now has liability for any data loss or productivity issues.

In theory this should already exist. However, it doesn’t seem to regularly work, and we have lots of software with flaws, along with no incentive to fix the issues, even when data is exposed. There are some laws for personally identifiable information (PII), but what about random data that might be annoying to users? What about the various software packages that we use to monitor our systems, provide anti-virus protection, or manage other aspects of business? I’d like to see perhaps more class action arbitration (not lawsuits; we need fewer lawyers involved in the world) that perhaps doesn’t award damages, but refunds purchase costs. If that CMS doesn’t work, your money is refunded. I’d think that would incentivize some secure coding practices. If vendors had to make insurance claims, I bet we’d start to see more requirements for code reviews and penetration testing of software in general.

This is certainly a hard issue to discuss. For every solution out there, plenty of edge cases or exceptions will be an issue. The openness and ease with which people can create software is a double edged sword. This encourages innovation and experimentation, resulting in some amazing new concepts, but that same freedom often also brings about lots of poorly written software, full of vulnerabilities and bugs. I hope that we find a way to mature this industry and start to build better, standard, well engineered practices and habits that encourage secure, robust, well written code.

Steve Jones


The Voice of the DBA Podcast

Listen to the MP3 Audio ( 3.3MB) podcast or subscribe to the feed at iTunes and LibSyn.

Hiring for Culture

I’ve written in the past that I think it’s important to hire people that get along with your group first, and with technical skills second. It’s not that technical skills aren’t important, but I think that fitting in with a team is more important. We can teach someone to be a better developer. We can’t easily teach them to be a person that others like to work alongside. Certainly, however, the person needs to have the technical skills needed for the job.

When I was interviewed in college, the hiring manager told me there were two important tests to pass: Would he drive cross country with me and would he go out for a drink with me after work? That doesn’t imply that those are the most important (soft) skills for a candidate. It’s that all the other, more quantifiable skills were similar in all the candidates. The ability to get along socially was a differentiating factor.

I was reminded of this reading a blog post that hiring for culture can hurt your culture. It’s a look at a developer’s opinion about the ways in which some startups operate. However I think the author confuses social situations or behaviors with culture. The culture includes much more than our schedule of activities outside of work. It includes our attitude towards work, towards building software, towards each other. Certainly this is mentioned in the piece, but there seems to be an emphasis on the social interactions with new hires.

Certainly a person coming to work at a company that refuses to engage with others in any way outside of work can be a problem. We need to get along with each other as social creatures, and be able to hold a conversation with each other that might not involve work. However I’m not sure that anyone expects every other employee to have, discuss, and participate in the same interests as the manager or even a group of people.

Finding a cultural fit is a difficult task. I do think plenty of people hire the best programmer they find (whatever that means), regardless of their ability to get along with others. I also think plenty of managers hire someone that gets along great, but isn’t a good employee. As with many things in hiring, finding a balance of talent, attitude, work ethic, and social compatibility is important and worth striving for, but difficult to actually achieve in practice.

Steve Jones


Halloween at PASS–Donate for some fun

This year’s PASS Summit will end on Oct 30, which is just before Halloween in the US. I’m sure lots of people will have some fun on Friday, though I also suspect we’ll see no shortage of people leaving early to get home to spend the holiday with families.

A few of us in the #SQLFamily community are going to have fun with this. There’s a campaign to raise money for Doctors Without Borders, and it’s been named Argenis Without Borders 2.0. We did this last year and raised over $13,000. This year we’ve already gotten $2k in donations and are looking for more.

Argenis is on the hook for a TED costume, and I’ve asked for ideas. So far the Goldmember one looks like the most fun, though I may go Austin Powers instead. However feel free to continue to suggest things to me.

This is a great cause, and it should be fun again. Who knows, maybe you’ll get yourself a great picture with me if you’re there, like one of these.


I’ll probably have some hat, so I might even convince you to wear one and pose with me.


And if you dress up, I’m more than happy to snap a shot with you.


This is all in fun, and for a good cause, so I’ll likely be costumed just for those reasons. The goal for me is to raise some awareness and some money, so I’d ask you to donate if you agree.

Donate to Argenis Without Borders 2.0



Password for SQL Server Service Accounts

I wrote recently about my philosophy for service accounts, and wanted to add a few more thoughts.

Security is important for our database servers. One thing everyone should be aware of is that the account running the SQL Server service has complete control over that service; if this account were compromised, the security of the whole installation would be at risk.

In this post I wanted to address two things related to service account passwords: the mechanics of building and working with these passwords, and the ongoing maintenance in terms of changing them.

Creating Passwords

One of the tools I recommend for anyone administering computer systems, including my parents on their personal computers, is a password manager. There should be a way for you to create and store complex passwords that are not easily guessed. I use Password Safe, but 1Password, KeePass, and others are just as good.

Typically I’ve used these to store the administrative passwords for various systems for all DBAs, sysops, etc. to use. However I haven’t used these for service accounts.

Why not?

Mostly because I don’t think any of us should be logging in as services. Apart from initial setup and testing, we shouldn’t use service accounts for anything.

I always recommend long, complex, random passwords for services. The password should be created and written down long enough for someone to enter it twice in the areas reserved for credentials, and then the paper should be destroyed.

I write these down because I want extremely long (20+ characters), random strings that aren’t memorable and are really a one-time use string. Used just long enough to enter into the Services applet or as a credential in a PoSh (or other) script.

If you use groups for your account rights, and you should even for service accounts (SQL Server makes this easy), you can always use another account to test access. Grant it the same permissions and groups, and perform your tests.

Changing Passwords

I don’t worry about changing service account passwords. Yes, I know this isn’t recommended, but services rarely change or are used to log on, we can limit the access of an account to a particular machine, and since the password isn’t stored, it’s not very vulnerable to cracking.

If you are worried, then create a new, long, random string for the particular service(s) that are suspected to be vulnerable.

I don’t allow expiration of service account passwords, though in a few organizations that have required yearly service account password changes, we’ve scheduled the changes for slow periods, not waiting until the expiration occurred. I can almost guarantee that accounts will expire during a critical time when machines should not go down.

One caution. I know that changing passwords to long, complex strings is hard, and that there’s a temptation to set services to the same password or use some pattern to build passwords.

Don’t.

Patterns are poor security, and coupling services together with the same password (or account) is not worth the risk of issues if one system requires a change or the password is disclosed.


Visualizing in Space

One of the really interesting things that we are able to do as developers and DBAs is help find ways to analyze data for our clients and customers. Many of us might not have expertise in the actual areas that are represented by our data, the industry-specific knowledge, but those of us that will be the most successful in the future at our jobs will be able to work with the people that have that specific knowledge and need help to implement the analysis.

That will take some practice. I’d encourage many of you to start playing with some sort of data that you are interested in and try to perform some analysis. Whether it’s useful or just for fun, you will be gaining some skills in both analysis and presentation that will serve you at some point.

There are so many sets of data available for practice that you can probably find something in an area that’s interesting to you. I don’t know if you could get the cool spatial data set seen in this talk, but there are certainly sports sets available, open data sets from government, movies, entertainment, and more.

Working with a set of data that intrigues you is a way to enhance the very skills that you’ll want to have to help your employer. Building reports, visualizations, and more is a technique to show value to your current employer. It’s also a great way to showcase your talents on a blog that might just get you an inquiry or interview for an amazing next job.

Steve Jones


Culture Differences: US v UK

This is a bit of an off topic post from the technical stuff, but there’s a bit of a tie-in, so stick with me.

I had to get a tire fixed this morning. I actually owned a replacement tire, so I just needed someone to mount it on the existing wheel (the existing tire needed to come off). I stopped by Discount Tire this morning in Parker, and I had a quick conversation with the salesman, Brian. He arranged for the service, even gave me a discount, and told me it would take about an hour.

At this point I knew I needed to do some work, and at 9am, I wanted some coffee. I mentioned this to Brian, who said, “It’s a long walk to get coffee.”

He noted that Starbucks was quite a distance for a walk. Certainly it was a hot day, approaching 85F as I exited the shop with my laptop, but a long walk?

My friends and colleagues in the UK would laugh at this. I had to go down a busy road, and it was warm, but 0.6mi is “long”? I think not. Certainly no navigational issues following the blue dotted path.


This struck me as strange as I walked along the road. Certainly I think lots of people in the US might see this as a long walk. They would perhaps ask the shop for a ride, or they’d stay in the store and skip coffee. I suspect that lots of people think any distance outside of the parking lot of an establishment might be seen as “long”.

Far too many of us in the US are lazy in this manner, not willing to move dozens, much less hundreds, of yards. I’ve seen people wait minutes for a close parking spot to a store, when there were plenty of parking spots seconds away.

I thought about this as I walked, and as I walked back. The thought bothered me a bit as I tried to answer some emails and check on SQLServerCentral. Why do we struggle with simple movement in the US? Are so many of us really wedded to cars that much? A summer morning is hot, but it’s a few minutes in the sun.

I was curious how far I traveled in terms of steps, so I checked my Fitbit before leaving Starbucks. It was around 3,100 steps for the day. I checked when I got in my car, and I was at 4,500 steps. That’s about 1,400 steps for a cup of coffee. Each way, of course, but just a mile.

When I think about how little we need to walk, it’s amazing. My job is worse than many in some ways. My meetings are at my desk. My commute is a few dozen steps. Getting lunch in the kitchen is maybe 50 steps. If I don’t make a concerted effort to move, I can easily spend a day at work and get to 6:00pm having traveled less than 2,000 steps.

That’s sedentary.

I do make an effort to exercise and move. Certainly I could do better with my diet, but I am at least attempting to move. That goal was one thing that kept me going on my running streak. I often felt refreshed and no matter how much time I’d spent in front of a computer, I at least ran a mile.

We can all make an effort to move a bit more, especially those of us that spend lots of time in front of a computer. Taking breaks, walking up and down stairs, parking far away, scheduling walking meetings at times, or just making sure we spend some time before/after work moving.

Many of you will have long lives, regardless of how you treat your body. Your career might not be affected at all by poor physical health. However the quality of your life is lower, in my opinion, if you aren’t taking care of yourself a bit.

In the past we often had daily exercise as we lived. We walked around, we had to work to grow our food, or transport it, or just to find social company. Today we can avoid much of that, but I’m not sure we should.

Find some exercise in the margins, find a sport you enjoy, or just take some long walks to contemplate life and enjoy your own, or a friend’s, company.

What We Want and What We’ll Pay For

I’m sure many of you see surveys that note IT job growth is up 30%. Or that executives want to hire 20% more people. Or that the market dictates that salaries will be going up 12%.

Those are exciting numbers, and I see them too. However I saw a great post that summed up the fact that those are just quotes, perhaps even desires, but not necessarily realities. This answer notes that what we want and what we’ll pay for are often two different things.

Many IT executives would like to hire more staff. They know that there’s a backlog in IT that can be reduced with additional staff. They might also believe that hiring more staff increases the chances of talented staff that can produce higher quality work, playing a game of numbers. They also know that newer hardware or software technologies can often produce better results for the organization.

However whatever their beliefs, they will often be constrained by budgets. There are always going to be other priorities in an organization that compete for additional resources. Sometimes IT will get what they want; sometimes they won’t. Often the end result will be less than they want, but more than other groups would have spent on technology.

The surveys and quotes we see published, good or bad, aren’t worthless. They’re often a reflection of a best case hope, like so many of the estimates that developers give about their work. The numbers can indicate a trend, but take them with a grain of salt. Apply a little skepticism and treat them like averages. Remember, an average of 50 can come from 49 and 51 or from 1 and 99, both pairs of numbers reflecting different realities. Above all remember that an average or ideal also doesn’t necessarily reflect what you, personally, will experience in your career.

Steve Jones


Is Skynet Coming?

That’s the question this week: Is Skynet coming?

I read a piece recently that noted Stephen Hawking, Elon Musk, and Bill Gates have warned us about artificial intelligence. They have been quoted as this is potentially something that the human race needs to be cognizant of. However, I wonder.

I know what IBM’s Watson does is amazing, but is it intelligence? Is it anywhere close to sentience? Or is it really just pattern recognition and matching with facts? I think more of the latter, and I’m not sure we’re moving closer to a computer intelligence.

I guess there are narrowly defined domains where computers seem to be improving their capabilities, but it seems to me that these areas are defined by the programmers and the systems are tailored to a specific ability.

I do agree with the article that combinations of massive computing power and humans will make fundamental changes in the world. I think many, many jobs are potentially going to be lost and workers dislocated because of the ability of computers to do many jobs that humans perform today. I don’t have any solutions here, but I am glad I work in technology.

Steve Jones


Get Away from the Heat and Learn some Database Version Control

I have enjoyed the trips I’ve made to New Orleans and Baton Rouge in the past. It’s a good getaway, stopping in the French Quarter for a few minutes before an easy drive up the road. However it’s warm, and I can’t ever get my wife or kids to come with me. For some reason, they don’t seem to enjoy the warm, August Baton Rouge weather. I, however, am looking forward to a jog around University Lake.

LSU University Lake at BREC Milford Wampold Park

This might be the best time to run, but I’ll likely be going around when it’s sunnier, and a touch warmer.

However, if you want to get out of the heat, perhaps you’d like to come learn about Database Version Control with Ike Ellis and me? Redgate Software has partnered with Crafting Bytes to deliver our workshop in Baton Rouge. We’ve put the workshops on sale, and it’s only $100 for a full day of training.

What will we cover?

We’ll show you how to get your database in a Version Control System (VCS). We use Redgate’s tools, but the idea of using version control can be done in other ways. I’m running the labs, and you’ll see how you can keep track of all of your database DDL code, including Lookup data!

(Screenshot: the DLM workshop VM running in VMware Workstation)

We are also covering some advanced features that the Redgate tools make easier. Things like branching, merging, and deployments. How many of you would love to know that development is done and we can deploy our changes like this:

(Screenshot: Schema Compare deploy window inside Microsoft SQL Server Management Studio)

I’ll show you how you can deploy your changes right from inside SSMS.

This is an in-depth workshop, covering way more than I could ever do at a SQL Saturday or conference. What’s more, we provide you with a VM and let you actually work through the skills we teach you. You will get real practice during the day to give you the confidence and practice for your own environment back at the office.

I hope to see you at either the workshop or SQL Saturday #423 in Baton Rouge.

My SQL Server Service Account Philosophy

Recently someone sent me a question about service accounts. They weren’t sure how they should go about setting accounts up for various instances and services in their environments. Specifically they asked me about having domain accounts, or accounts separate for services.

Note that I’ve managed SQL Server for years this way in environments up to hundreds of instances. I haven’t managed thousands, so there might be issues with this philosophy at scale.

Here’s how I view service accounts. In a short list, I try to manage things like this:

  • Domain accounts for the SQL database engine and SQL Agent
  • Separate accounts for all instances and all Agent services
  • Long, complex, one-time passwords that aren’t stored.

This has worked well for me, providing separation of services so that password changes or security issues on one instance don’t affect other instances.

It’s also been scalable in that I rarely set up SQL Server instances. In most organizations I’ve worked in, we are adding a few instances a week at the most. The overhead to create two new accounts per instance (db engine and Agent) is minimal.

Note that I would also have a separate domain account for SSAS or other items I install.

With today’s rapid provisioning of machines through virtualized environments, I realize this isn’t necessarily a good hard and fast rule. If I expect an instance to be a production level instance and live for some period of time in the organization, I’d follow this philosophy.

However if I am bringing online development and test instances that may not be kept around permanently, I think the local service accounts are fine. These will probably handle your needs and are worth scripting into your VM/instance creation process.

I’ll add a few more thoughts on this across other posts, but there’s my idea in a nutshell.
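Below is an added example, not a script from these posts, that turns the two posts above (the account layout in this one, and the one-time password and rotation mechanics in "Password for SQL Server Service Accounts") into a runnable PowerShell procedure. It provisions one domain account for the engine and one for the Agent per instance, generates each password independently from a cryptographic RNG so there is no shared secret or pattern, applies it through the same SMO WMI call that SQL Server Configuration Manager uses (which also grants the local rights the service needs, unlike sc.exe), and then discards the string. It also shows a rotation that needs no record of the old password, which matters because "not stored" here means not stored by the DBA: the Service Control Manager keeps a copy in the host's LSA secrets, so a compromised host still warrants a reset. Assumptions, all hypothetical: the ActiveDirectory and SqlServer modules, a domain called CORP, an OU named 'OU=SQL Service Accounts,DC=corp,DC=example', a host called SQLPROD01, and the account naming scheme used below.

```powershell
# Added example (not code from the original posts). Assumes the ActiveDirectory and
# SqlServer PowerShell modules, the hypothetical domain CORP and OU below, and a
# caller who can create AD users and configure services on the target host.

Import-Module ActiveDirectory
Import-Module SqlServer   # loads Microsoft.SqlServer.SqlWmiManagement (ManagedComputer)

function New-OneTimePassword {
    param([int]$Length = 32)
    # Printable ASCII minus characters that tend to break quoting in scripts or the
    # Services applet: space, double quote, single quote, semicolon, backslash, backtick.
    $alphabet = [char[]]((33..126) | Where-Object { $_ -notin 34, 39, 59, 92, 96 })
    $limit    = 256 - (256 % $alphabet.Count)   # reject bytes above this: no modulo bias
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $chars    = New-Object char[] $Length
    $i = 0
    while ($i -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars[$i] = $alphabet[$buf[0] % $alphabet.Count]; $i++ }
    }
    $rng.Dispose()
    return (-join $chars)
}

function Get-SqlServiceNames {
    # Windows service names differ between the default instance and a named one.
    param([string]$Instance = 'MSSQLSERVER')
    if ($Instance -eq 'MSSQLSERVER') { return @{ Engine = 'MSSQLSERVER'; Agent = 'SQLSERVERAGENT' } }
    return @{ Engine = "MSSQL`$$Instance"; Agent = "SQLAgent`$$Instance" }
}

function New-SqlServiceAccounts {
    param(
        [Parameter(Mandatory)][string]$ComputerName,                       # NetBIOS name
        [string]$Instance = 'MSSQLSERVER',
        [string]$Domain   = 'CORP',                                        # assumed
        [string]$OU       = 'OU=SQL Service Accounts,DC=corp,DC=example'   # assumed
    )
    $services = Get-SqlServiceNames $Instance
    $mc  = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer $ComputerName
    $tag = if ($Instance -eq 'MSSQLSERVER') { $ComputerName } else { "$ComputerName-$Instance" }

    # One account per service per instance, each password generated independently:
    # no shared secret and no pattern that lets one disclosure predict the next.
    foreach ($role in 'Engine', 'Agent') {
        $sam = (@{ Engine = 'se-'; Agent = 'sa-' }[$role] + $tag).ToLower()   # assumed scheme
        if ($sam.Length -gt 20) { throw "sAMAccountName '$sam' exceeds the 20-character limit" }
        $pw = New-OneTimePassword
        New-ADUser -Name $sam -SamAccountName $sam -Path $OU -Enabled $true `
            -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
            -PasswordNeverExpires $true -CannotChangePassword $true `
            -LogonWorkstations $ComputerName `
            -Description "SQL Server $role service account for $tag"
        # SetServiceAccount is what Configuration Manager calls; unlike sc.exe it also
        # grants the local rights and ACLs the service needs. Plan for a service restart.
        $mc.Services[$services[$role]].SetServiceAccount("$Domain\$sam", $pw)
        Remove-Variable pw     # nothing is kept; a later change simply generates a new one
    }
}

function Reset-SqlServicePassword {
    # Rotates one service's password without knowing the current one: reset it in AD,
    # then hand the same account the new value. Useful when a host or account is suspect.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$ServiceName,   # e.g. MSSQLSERVER or SQLAgent$INST
        [string]$Domain = 'CORP'                      # assumed
    )
    $mc  = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer $ComputerName
    $svc = $mc.Services[$ServiceName]
    $sam = $svc.ServiceAccount.Split('\')[-1]         # ServiceAccount is 'DOMAIN\user'
    $pw  = New-OneTimePassword
    Set-ADAccountPassword -Identity $sam -Reset `
        -NewPassword (ConvertTo-SecureString $pw -AsPlainText -Force)
    $svc.SetServiceAccount("$Domain\$sam", $pw)
    Remove-Variable pw
}

# Usage (hypothetical host):
#   New-SqlServiceAccounts -ComputerName SQLPROD01 -Instance 'MSSQLSERVER'
#   Reset-SqlServicePassword -ComputerName SQLPROD01 -ServiceName 'SQLSERVERAGENT'
```

Two practical notes. After either function, restart the service in a maintenance window rather than waiting for the next unplanned one: that is the only way to prove the new credential works before a failover depends on it. And `-LogonWorkstations` pins the account to a single host, which matches the single-machine stance above, but on a failover cluster or Always On setup every node must be listed or the account cannot start the service elsewhere.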
