Security via obscurity...

Security via obscurity. Someone emailed me last week with a cut and paste of an error page on asktom. The error included:

ORA-01400: cannot insert NULL into ("ASK_TOM"."WWC_ASK_QUESTION_ACCESS_LOG$"."DISPLAYID")

Their comment was “isn’t it a good practice to never give detailed error messages to end users”. I was curious – was this about ‘user interface’ issues (some people do not want to give out the error message for aesthetic reasons) or was this about ‘security via obscurity’.

Turns out it was ‘security via obscurity’. They said “I now have some basic information for SQL Injection attacks”. The thought was - that by having knowledge of a column name – an application would be more SQL Injection attackable.

To me – it is more of a binary thing, either your application is subject to SQL Injection attacks or it is not. It is sort of like data integrity – you either got it or you don’t (it isn’t like hull integrity on Star Trek, data integrity is either 100% or 0%).

Knowledge of the program should never be a cause for alarm. The names of the tables, their columns, the SQL used, the program flow, the algorithms and so on – if they are “protected from prying eyes because of security concerns – knowledge of them makes us subject to attack” then you have a problem. You are already subject to attack, it is merely a matter of time. There are valid reasons for protecting these things from prying eyes (intellectual property reasons mostly), but security isn’t one of them.

If by looking at my application code, logic, schemas, whatever – you can attack it, you could attack it already. It must be vulnerable in the first place. You cannot hide SQL Injection vulnerabilities (you should read this most excellent paper on the topic – it is obvious to me that the people that put together this video read it, they used the techniques outlined there. I picked up that video from Pete Finnigan’s blog).

Beware when someone says “no, you cannot show that for reasons of security”. That almost certainly means there is a bug lurking there just waiting to be exploited.

On asktom – I do not use string concatenation to build my SQL, I bind all strings, numbers and dates using either bind variables or application contexts. That means the end user cannot change the meaning/intent of my SQL.

I enjoy Monty Python...

I enjoy Monty Python. I really like all of the Star Trek series. Two great things that
go great together.

In the same vein - Nine Reasons Why a Starfleet Education Won't Prepare You
for the Real Navy. Reason #1:

Unlike Starfleet, where the ratio of officers to enlisted personnel is roughly 100:1,
and where the only apparent purpose of enlisted personnel is to provide
anonymous crew members to be killed by alien life forms, the Navy is
highly dependent on the expertise, skills and efforts of its enlisted members.
(Just remember this the next time you are putting together your away team.)

It just keeps getting better from there.

But you just have to wonder what these companies where thinking when they registered
their domain names. What were they thinking.

And just to keep you mentally challenged – try these test questions.

First there was...

First there was the “deep insults” misprint. Now it is ‘forward’ looking… You would think – you would really think – that a publishing company would be able to get the word foreword right – especially if that are going to stamp it big and bold on the front cover of the book!



Laughing out loud – that is far too funny for words. Anyway, the book in question is Oracle Database Programming using Java and Web Services (that is a mouthful). I wrote the foreword for it. Brand new book – just came out.

Just to keep things in threes (things happen in threes of course) I’ll add a link to this news article. It is about a press release sent out by a company that makes a spell checker. You guessed it, it had spelling errors on it! How ironic.

Shine up that crystal ball...

Shine up that crystal ball. Someone sent me a link to the “Chronicles of George”. Long story short: George works the help desk, writes the problem tickets for the engineers to act on. Only George cannot write a complete meaningful sentence to save his life.

Not all of the messages are funny – but some are really good. I liked the response of “Fortunately, since I brought my Magic Telepathic Helmet today, I don't need any more of a description than this.” Reminded me immediately of when I say “my crystal ball is in the shop this week”.

Updated after posting:
I was just doing some asktom questions when this one came along. Classic:

not loging on oracle server 2000. and "database not started"

so what are doing now

It just seemed so appropriate, I had to add it here.
End of update...

When I read “isn't that what's supposed to be happening?” – I was reminded of the pilot gripe sheet and the “that’s what they’re there for” answer.

I can feel the posters frustration when they type “But what do they need, George? For the love of all that is good and pure in this world, what do they need?”. I know his pain – that would be when I ask simply “why”. Details – details, details. It is all about details (and preciseness and clarity).

But the one that made me actually laugh out loud – that was the response of “Well, George, it's like this: when a man and a woman get together...”. Absolutely classic, I’ll have to use that one someday.

When asking a question, when providing information, when forced to communicate – be precise, clear, brief, and remove anything that just isn’t relevant. I say it all of the time – “I need more information – maybe an example, something that is 100% complete, yet concise, but entirely complete from start to finish. Did I mention, it should be brief – but very importantly, it should be complete”.

I still think written communication and the ability to explain in detail to others the problem you have and are trying to solve is perhaps the most key trait one can have. Forget how much you know about computers, databases, software – all of that stuff. If you cannot communicate your needs, your requirements to others – it doesn’t matter how smart you are, you cannot be used in a team environment with other human beings.

When explaining a problem – take the approach of pretending you are explaining this to your mom (I am making the assumption your mom doesn’t work in information technology of course!). Don’t use internal acronyms well known only to you, remember that the person you are talking to (communicating with) hasn’t been staring at your problem for the last week like you have. Don’t tell them all of the failed attempts you made – tell them what you need to do. The thing that drives me crazy is when someone posts pages of code that doesn’t work – and then says “this doesn’t work, what is wrong with it”. Literally – that is the entire scope of the information provided – a failed attempt and the note that “it doesn’t work”. No ideas about what it is supposed to do in the first place!!

Just as importantly, remove things that are simply not relevant to the problem. I call them red herrings in the problem statement. It might go like this:

We are using unix. Well, not really unix but linux. We telnet into the server (actually, it is “ssh” but it looks just like telnet). We have an external table (code to set up external table here). It has data that looks like this (echo statements to create data here). We then have these five other tables (creates and data go here). We need to write a query that does “this” against the external table and loads this table over here.

• The fact they are on unix/linux – not relevant.


• That they use telnet/ssh – not relevant.


• That they use an external table – not relevant (only confuses the issue – you start assuming “they are having a problem with external tables”, but they are not)


• That they have these five other tables – not relevant, they don’t use them.

All we really need is

• I have these inputs


• I need these outputs


• This is the logic in detail (the specifications) that explains to you how to process the inputs and turn them into outputs.

Funny thing is – if we get that third bullet, most of the time, you are ready to write the code! I think many questions come from not fully understanding the problem that is trying to be solved in the first place…

A gripe sheet...

A gripe sheet. Supposedly true “gripes by pilots and the responses by ground crew”. If they are true – they show the ground crew has a really good sense of humor. My top favorite on that page (it was really hard to choose):

Problem logged: Friction locks cause throttle levers to stick.
Solution described: That's what they're there for.

I liked that most of all because it is somewhat similar to some answers I’ve given in the past myself. “It is supposed to do that”.

It was either that one or the “cannot reproduce on ground” answer.

The first real week...

The first “real” week with the new laptop went surprisingly well. I’ve completely switched over from the really large and really heavy HP Pavilion ZD7000 to the very small and very light Sony Vaio TX series.

I only encountered one glitch. While doing a seminar in Dallas – I could not get the Vaio to simultaneously display at 1024x768 on the notebook and project on the screen. So, for the first day – I only projected on screen which made it a bit tricky, but worked out ok. That night I took the projector back to the room and fiddled about (took new ‘intel graphics media accelerator for mobile’ drivers to get it going). So, on day two – I had both displays working.

The performance of the notebook is pretty nice – it seems to be at least as speedy as the zd7000 – but runs much cooler, fan is definitely not on as much (on the zd7000, the fan is never off). The footprint of it is a definite bonus. When I would take out the zd7000 – people really knew I had a computer. It was so “obvious”. The Sony on the other hand is smaller than a 8.5x11 inch piece of paper. Very unobtrusive.

The screen is really nice – 1366x768 (could be a couple of pixels taller, but it is sufficient) and at home/work with the 21 inch LCDs – I can still extend the desktop and do the normal 1600x1200 on them. So I haven’t given up much screen real estate.

So, after some 20 ½ hours of talks last week (two days of 8 hour technical seminars, the Baton Rouge OUG and the Oklahoma City OUG), I’m very confident in this notebooks ability to do everything I need. I knew I either needed a bigger phone or a smaller laptop (for airports, traveling, meetings and so on). The Treo phone is already about as big as you can get – so this was the only logical choice.

I really like that it doubles as a DVD player as well – no need to boot the OS or even run the OS to watch movies/listen to CD’s or view SD cards. That is a nice bonus.

This week, I’ll be using it on the other side of the podium for once. Meaning, I’m in the audience most of the week. I’ll be at corporate getting spun up on what’s coming in the near future. I haven’t been able to attend one of these events for a while due to scheduling conflicts – so I booked myself into this one a long time ago. It’ll be nice to be in the same city for a week (normally hit city after city) and to be on this side of the podium, asking the questions.

Before wireless networks, ....

Before wireless networks, tablet PC’s and laptops – there was the “mobile office”. I enjoy seeing “blasts from the past” and this new site I stumbled on is full of them. Necessity is the mother of invention they say and some of these articles from the past prove that out. If you needed to record an inventory in 1939 – maybe pushing an office around made total sense.

Some of the old ideas are just plain scary. Like this electric massage for “Milady”. That is just plain freaky scary. Take these electrified spoons (they are fully insulated with tape to protect your hands from shock) and touch them to your face. Interesting. I wonder how many things we do today will in 70 years just look frightening.

Before the internet and television – I guess one had to get their kicks somehow and blowing a glass bubble around cats is as good as anything I suppose. As one person commented “Um… how did he get the kittens OUT?” – good question.

I was watching the new rocketboom earlier and recognized part of it. They were commenting “using your car to grind meat”. They must have gotten the image and story from this site, was a bit disappointed that they didn’t attribute it (attribution is important I think – I always try to point back). On a side note, the new rocketboom personality “isn’t the same as Amanda – but good in her own right”. I’ll continue to watch it and see if it deems reentry into my “blog roll”

Some of the blasts from the past go beyond scary into the realm of “absolutely a bad idea”. This motorized “Motorcyclette” absolutely fits that category. Can you imagine a) riding on such a thing b) the mind that thought it up? Quote “The rider’s feet, which are used as brakes, stick out in front, while the rider leans over and clutches the cross bars atop the front wheel to keep from falling over backwards.” Indeed.

Before spy satellites and unmanned drones – there were of course “carrier pigeons”. Imagine how much more successful they would be today with a couple gigabytes on an SD card and a miniature camera!

Ok, I am pretty sure that we’ll look funny in the future. I say that because of this “happy land” that just reminded me of the Atari ad from the 70’s. It is inevitable that we will look “quaint and funny” not too soon into the future.

But then again, every now and then – there is something you makes you go “cool – that is pretty cool”. That one looks like fun – if it actually works.

Two more before I go – pole vaulting peasants. I could not resist that one. Must be hard to carry a lunch to work that way. I liked the “Month Python” reference – because it seems only they would come up with this. And lastly – if you are not killing yourself fast enough – here is an easy way to speed things up. A double barreled cigarette holder! Neat, how to double sales immediately.

I just finished a day in a two day seminar. First time with new laptop. It would not simultaneously display on my notebook and the projector at 1024x768 ( the resolution every demo I have needs). Weird sizes like 1064x600 – sure, but not 1024x768. I needed the extra 168 pixels down the screen. Ended up just projecting – nothing on laptop display. That was a huge pain – but workable. Tomorrow should be better as I downloaded new drivers and it seems to be working now. As I was installing them – I did get that rush of panic, the “oh, what, have, I, done!!!” feeling. I was upgrading device drivers on the road. Stupid stupid stupid.

But, I got lucky ( Really really lucky. Tomorrow will be easier.

I believe strongly there are only two answers...

I believe strongly – and more strongly every day – that there are only two possible answers to a “first question”. They are:

1. Why


2. It Depends

I was reminded of this a couple of times in the last week in my various engagements. The most poignant times were with a customer that “solves problems”. They do many things outside my area (lots of cool tools, a little like being on the set of myth busters). A point I got many times was “asking ‘why’ is very important”. People rarely really know what they want. They think they do – but they don’t. Especially when you don’t know what is possible. When you don’t know what is even possible – how can you know exactly what you want (or want to do – in the database for example).

This blog entry I hit reminded me of that in a way. (Yes, I definitely had to google BBROYGBVGW while reading that). Selling that stuff in the article was similar to answering technical questions in a (very roundabout) way. If you read the “why” blog entry I have a few (there is an infinite supply) examples of how just answering a question outright could be dangerous (you need to know why they think they want to do something).

Why and It depends. Always the right answers (but remember, never say always, never say never, I always say” – or as someone commented on the blog once “always is never true, never is always false”

Some interesting things...

Some interesting things.

I really enjoy the “WTFs” and this smorgasbord issue brought more than one smile. Favorite one of all time:

public class ValidationMessage
{
//internal members
string messageId;
string messageText;
string helpLink;
/* ... */
  double cheeseburger;
  char broiled;
  long time;

//helper functions
/* ... */
}

Oh. That. Is. Good. I liked this one too:

Price = 0e-5; /* JKF 1999-07-21 I hope it's not a bug */

Reminded me of a piece of old code of mine that my friend Chris Beck called me on one day. It reads:

typedef struct TAGmy_raw
{
sb4             len;
unsigned char   arr[1];
}
my_raw;
…
buffer = (my_raw *)malloc( (int)(Plength*1.1)+sizeof(my_raw) );

His question was "ok, Plength I understand,
it is the length of raw we'll move into arr –
but what is the 1.1 about?"

The only answer I had (years after writing the code) was “good luck?”

SQL Developer
On a more serious note – Sue Harper has an excellent write up on using SQL Developer to do “remote debugging”. How to debug APEX (HTML DB) procedures and triggers and the like. Very nice. If you haven’t looked at SQL Developer yet – this might motivate you to do so.

Your Job
We all like to joke about our management, our work place (actually – I’ve got it quite good. I actually like my job most of the time). But – I hope none of you can hold a candle to any of these stories! The “Employees: the other revenue stream” one – oh my. I cannot believe it.

Standing By
Ok, so you have stuff that consumes lots of electricity. Like monitors and computers and such. People leave them on because it takes a long time to start them up. So – someone thinks up standby mode. Instead of leaving them on 100%, the machines can go to “sleep”.

Now someone has figured out that machines in standby mode consume electricity. This is obviously evil. So – we must outlaw standby mode.

Umm, think about it. Instead of being in standby, people will just leave them on! Yeah, that’ll fix things – just disable standby and we won’t have any electricity wasted due to standing by. Nope, we’ll just use 100% of the power all of the time.

As they like to say in the UK – “brilliant”.

I agree
I agree with this educator. “Will this be on the exam” (loved his response). Coming in late – happens all of the time. Number 5 – actually answering the cell phone. Ok, so you left it on ring by accident. If you are actually going to answer it – at least leave.

But my favorite. “What happened in class yesterday”. If I could say what happened in a sentence then class would be 1 minute long. Awesome answer.

This was amazing to watch
Unless you speak Japanese, you won’t be able to understand the announcers – but trust me, a picture is worth 1,000,000 words for this video. I had no idea you could do that – and the ending where he combines two of them – well, mind boggling.

Last but not least
Nice cheesy commercial from the past. I remember this one – for Atari Pole Position. I didn’t have the game at home but I spent way more than a few quarters playing it at the arcade.

Not only have video games come a long way since then, but apparently so has the art of making commercials. I wonder if what we dress like and how our “culture” looks in 20 or 30 years will appear so “quaint” again.

I found this gizmodo entry very interesting...

I found this gizmodo entry very interesting. The synopsis is that gizmodo gets an unsolicited email from someone. That someone is to write some technical columns for a new magazine. That someone would like gizmodo to basically “do it”.

Some days… I have the same feelings they do. I really liked their closing:

I'm sure your readers are looking forward to your tech coverage. It's obviously something you care a lot about.

Classic. Reminds me of some request/responses I’ve gotten in my email…

Didn’t help me: I want faster replies rather than scanning through books

I received a package...

I received a package this morning:



I’m pretty sure that when UPS picked it up from the sender, it looked – well – more ‘box like’. Not so accordion like:



Reminded me of a new blog/website I’ve subscribed to recently. The consumerist.com. It is hard to call some of these sites “blogs” anymore. This is more like a site with a purpose. Many of the stories I either can totally relate too (most of the Best Buy ones) because something similar has happened to me – or I can fathom them happening. Some of the more outrageous ones are good for a laugh.

Guess I’ll have to replace rocketboom with the consumerist on my “blogroll” – since they fired Amanda Congdon.

Back after a short break...

Back after a short break – I was on vacation part of last week. We flew down to Cancun Mexico (because apparently I needed another 3,000 miles on my frequently flier account). It was a good short trip. Maybe the best part of it was the fact that they are still rebuilding the hotel we stayed at and there was no internet access in the rooms. At first I was not happy (withdrawal symptom?). The web site did not mention that (it said high speed internet was available – and it was in the business shop/gift shop/not a conference room anymore room!). I did email on my Treo phone exclusively for the week and didn’t get on the internet at all. Not as radical as Kathy Sierra over at “creating passionate users” but pretty close (catch up on her blog, the last couple of new entries are really good). Late on Friday/Saturday – started catching up on asktom stuff, about 200 review/follow-ups to look at (skipped more than usual just to skim them all).

Spent part of Sunday setting up the new laptop fully. This is the first trip I heading on with just it (I’m taking a briefcase and nothing else, just a quick overnight). Traveling very light. Hope I have everything I need on the laptop (I believe so). In fact I found a new utility that looks promising. I’ve used “registry mechanic” in the past to keep my registry clean – but they wanted me to re-subscribe and I didn’t want to. So I found “Ccleaner” (crap cleaner!). It seems to do part of what registry mechanic did as well as clean the disk of “extraneous files” (I reclaimed 3gig of space after all of the installs I did – they left bits and pieces of themselves all over the place) and lets you clean up stupid startup programs (AOL – hate it, have to use it sometimes. No, I do not want the AOL faststart to start ever time (making the startup time of the laptop itself slower). Even has a “uninstall program” that is many times faster than the control panels “add/remove software”.

Then, as I was looking around, I hit this entry. I have a feeling it was written for me… Time to start the next book – this week. Once I get started, it’ll just go – getting started – that is hard. Points #1 and #4 – they hit home.

Lastly – Andrew Clarke has a good entry on becoming an Oracle ACE. If you’ve never heard of the ACE program – or wanted to know “what can I do to become one”, you might want to read that. He hit the nail on the head. It is all about participation.

Now, if I can just make it to my next vacation at the end of next month… (we do a couple of short ones here and there). That’ll be into the mountains, with a lake and a cabin. Wonder if they have the T1 run to the cabin yet…