Showing entries 491 to 500 of 513
Displaying posts with tag: Security
Whitepaper on Malware to Attack Databases

Cesar Cerrudo of Argeniss Information Security has put out a new whitepaper (.pdf format), Data0: Next generation malware for stealing databases, describing how malware could be crafted to steal information out of databases. For the most part, it stays at a high level; however, Cesar does give a few example queries (for SQL Server), the appropriate API calls to perform certain operations, etc., which delve a bit more into the technical side, but even these are fairly straightforward. To demonstrate what he talks about in the whitepaper, he built a simple proof of concept (PoC), but based on what's in the whitepaper (and what is generally accepted as what's possible), nothing seemed outlandish or hard to do. Just for those worried about that PoC being …

[Read more]
Cursors, Foiled Again!

While researching an article I came across a piece at http://www.simple-talk.com/sql/t-sql-programming/cursors-and-embedded-sql/. Basically the author says “embedded SQL” is bad — meaning developers should never put SQL in their code. Nor should they use ORM tools to generate SQL for them.

Instead, they should access everything they need through stored procedures. I have mixed feelings about this. On one hand, the argument that you have to give table-access permissions to users and then deal with the resulting security risks sounds very control-freakish to me. On the other hand, I agree that embedded code can be bad because if you change the database model in any way, you have to rewrite the procedural code that relies on the existence of the previous model.

And of course, stored procedures also help make your code more …

[Read more]
Top 10 MySQL Best Practices

So, O’Reilly’s ONLamp.com has published the “Top 10 MySQL Best Practices” at http://www.onlamp.com/pub/a/onlamp/2002/07/11/MySQLtips.html. Sadly, I find most “best practice” lists do not thoroughly explain the “why” enough so that people can make their own decisions.

For instance, #3 is “Protect the MySQL installation directory from access by other users.” I was intrigued at what they would consider the “installation” directory. By reading the tip, they actually mean the data directory. They say nothing of the log directory, nor that InnoDB data files may be in different places than the standard MyISAM data directories. …

[Read more]

Progress report on High Performance MySQL, Second Edition

It's been a while since I've written about progress on the book. I actually stopped working on it as much at the beginning of the month, because on October 31st I managed to finish a first draft of the last big chapter! Now I'm back to full-time work at my employer, and I'm working on the book in the evenings and weekends only. Read on for details of what I've been working on and what's next in the pipeline.

The Impact of Architecture/Design Choices

I try my best to get things right the first time. So often, correcting a mistake or bad choice is costly: more costly than it would have been to take the time to do it right the first time. However, as SQL Server MVP Andy Leonard points out, sometimes you can't correct an issue.

He starts with the example of a camera and taking a picture out of focus and then brings it around to development. His example is great: you can't provide up-to-the-second updates to a system that only collects data every five seconds. Well, you can, but the data is only going to change every five seconds. This raises the question often asked by learning styles expert, …

[Read more]
Tool: KeePass Password Safe password manager/vault

Some time ago I was looking for a password vault and came across some recommendations for KeePass. KeePass is open source and free. It's a nice password manager and some of the features I like are:

  • Strong encryption of the password database
  • The ability to use a password, key file, or the combination of the two to secure access to said password database
  • A password generator with a multitude of options
  • The ability to copy the password to the clipboard (without ever showing it) and have it clear the password after a set amount of time
  • Organize password entries by groups and subgroups (think folders)

A new version, 1.09, was released in October. There is also a …

[Read more]
Structuring the Blog Better

For a variety of reasons, including personal/family concerns and workload, I've not been able to write as often as I'd like. That doesn't just include the blog, but also writing articles. It's been a long while since I've written an article for SSC. I want to get back to writing at least monthly, if not more often. One of the keys to writing well is to write every day. Therefore, I'm going to provide some structure to the blog in order to make it easier to post every weekday with something that will hopefully be useful. Here are the types of posts that should be present based on the day of the week:

  • Monday - Career Development
  • Tuesday - Tips, Tricks, and SQL Scripts
  • Wednesday - Tools, Tools, and More Tools
  • Thursday - Tips, Tricks, and SQL Scripts

[Read more]
Trials of an Internet Host

Recently I had some trouble with the server where all of my websites are hosted. Business site, various blogs, there is lots of stuff on there, not to mention backups of work, email, and all sorts of things I do not really want to lose.

I first noticed the trouble when I couldn’t login through the command line. Strangely the websites were still running. I called the hosting company, and after talking with them for a while, managed to login as root. That was working. But it was acting quite odd. There were some errors in the /var/log/messages about ssh not being able to set uid 10003, the uid of my login, shull. I pondered. I thought. I sat circumspect.

I investigated for a while, and called up 1 & 1 again. I have a root server, but they’re not really supposed to support maintaining the machine itself. Then I got to thinking, I could spend hours diagnosing this, …

[Read more]
MySQL Snapshots on FreeBSD

I read a lot about MySQL backups using LVM Snapshots on Linux, WAFL Snapshots on NetApp and more recently ZFS Snapshots. But did you know you can do the same under FreeBSD?

FreeBSD has had snapshot capability since around 2001 allowing administrators to take a frozen image of a filesystem at a given instant in time with minimal impact on the server / filesystem. So how does …

[Read more]