Reading MySQL security: inconsistencies I remembered a few related experiments that I did several years ago when I was studying for the MySQL certification. The first fact that came to mind is about the clause "WITH GRANT OPTION", which can only be given on the full set of options, not on a single grant. For example

GRANT INSERT,DELETE,UPDATE on world.* to myuser identified by 'mypass';
GRANT SELECT on world.* to myuser identified by 'mypass' WITH GRANT OPTION;
show grants for myuser\G
*************************** 1. row ***************************
Grants for myuser@%: GRANT USAGE ON *.* TO 'myuser'@'%' IDENTIFIED BY PASSWORD '*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4'
*************************** 2. row ***************************
Grants for myuser@%: GRANT SELECT, INSERT, UPDATE, DELETE ON `world`.* TO 'myuser'@'%' WITH GRANT …

Another week of industry hijinks has passed, which means it must be time for another edition of the Developer Week in Review.

Apple offers some cover

After developer complaints that Apple was leaving them out to dry, in regards to the Lodsys patent threats being aimed their way, the House of Jobs stepped up to the plate and announced that they considered iOS developers to be covered by the existing licenses granted to Apple by Lodsys for in-game purchases.

This is a bit of a good-news, bad-news story from an intellectual property perspective, as it doesn't offer any relief to non-Apple developers from the patents themselves. Apple paid off Lodsys, which in a sense increases the perceived validity of the patents. Other non-Apple-based developers (such as Valve's Steam), could find …

Note: This article originally appeared at http://www.messagesystems.com/wordpress/?p=84

Introduction

Anyone who follows the email marketing industry news is no doubt aware of the increasing number of well-publicized data breaches that have been occurring at the various major ESPs. In addition to the major ESPs, there are no doubt a number of less-publicized or even non-publicized data breaches occurring all the time at both smaller ESPs and in-house enterprise senders. The days when most of us in the email industry could watch from the sidelines and shake our heads have surely passed. Henceforth we should all operate on the assumption that we’re either now under attack as well, or will be shortly.

Email marketers have two valuable resources that malicious parties want to capture and exploit: information and infrastructure. …

Welcome to this week's edition of Developer Week in Review. Sorry we're running a little late. We assure you it has nothing to do with the release of "Portal 2."

The wide world of litigation

Another busy week for the court system, courtesy of the software industry. Software patents are back at the Supreme Court, this time courtesy of Microsoft and i4i. Meanwhile, Apple is suing Samsung over look and feel issues related to the Galaxy Tab, while at the same time ordering $7.8 billion USD of iPad 2 components from Samsung this year. This is …

This is your Developer Week in Review, I'm Casey Kasem. Our first letter comes from a software developer in New England who writes, "Dear Casey. My wife just got accepted into the Experimental Psych doctoral program at UNH, and I'd like you to play something appropriate for the occasion." Well, going out especially for you, here's "I'll be Proofreading Your Papers for the Next Five Years, 'Cause I'll Never Split (Our Infinitive)" (Seriously, congratulations Bonnie!)

And you thought that Justin Bieber tickets were hard to score ...

What's the matter, pal? You say you had your heart set on going to Google I/O, but the tickets sold out in 59 minutes? Well, cheer up, because tickets went on sale this week for the Apple …

For those who didn't know it already: MySQL.com was "hacked" last weekend. There also was a report about SQL injection on 2 Sun.com domains.

I haven't seen an announcement from Oracle yet.

More info on:

• http://seclists.org/fulldisclosure/2011/Mar/309
• http://tinkode27.baywords.com/sun-com-sun-mycrosystems-vulnerable-sql-injection/

Since MySQL 4.0 it's possible to use SSL to secure the connections to MySQL. Unfortunately this is not used very often.

It can be used for cient-server connections and for replication. It will encrypt your traffic and prevent man-in-the-middle attacks if you're using ssl-verify-server-cert when connecting using mysql.

Securing database communication can be required to be compliant to some regulations.

There are other means of preventing anyone from snooping your database traffic like VPN, SSH Tunneling or stunnel.

As usual the documentation is quite good. The only issue with the docs is that the verification step is missing. (Bug …

If so then were is it installed on your publicly accessible website. If the location is where the documentation states not to put it, or in other popular locations then you can easily become open to an attack. The following are apache logs of a simple hacker test to find a potential security hole on a new IP public address for a client.

My advice is never have PHPMyAdmin accessible by default. You should use HTTP authentication, firewall rules and additional security practices all to protect any level of access to your data.

78.111.81.180 - - [02/Feb/2011:05:29:24 -0500] "GET //phpmyadmin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:24 -0500] "GET //phpMyAdmin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:24 -0500] "GET //pma/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - …

A special extended edition of Tech Messages for 2011-01-07 through 2011-01-08:

• The Services Used By Y Combinator Startups [Infographic] – ReadWriteCloud
  "The results show that the majority of Y Combinator startups depend on cloud services instead of self-hosted servers, traditional web hosting or co-location services."
• Tom Limoncelli on Time Management | O'Reilly Time Management for System Administrators | Sysadmins
  Video companions to to Time Management for System Administrators by Thomas A. Limoncelli.
• Guidelines …

Series

What are the chances for a free software cloud?

• Resolving the contradictions between web services, clouds, and open source
• Defining clouds, web services, and other remote computing
• Why clouds and web services will continue to take over computing
• Why web services should be released as free …