Eye on Oracle


July 20, 2007  9:25 AM

Are open source companies hypocritical?

Beth Pariseau Beth Pariseau Profile: Beth Pariseau

There’s some interesting discussion going on this week over at Lewis Cunningham’s blog, as well as various other blogs and forums, asking whether open source companies are dabbling in hypocrisy — are they OK with taking business away from the big boys like Oracle, but not OK with other open source vendors treading on their own territory? — and if they’re really just monopolies waiting to happen.

Lewis C points to a discussion over the competition, as it were, between PostgreSQL and EnterpriseDB — specifically, a press release in which EnterpriseDB claimed ability to deliver better performance than PostgreSQL. A post on the PGSQL Advocacy forum denounced this claim as “cow dung.” Lewis finds this a little funny/baffling, or in his words, “hypocritical crap”:

The funny part to me is that this is not a new message. It only becomes a problem when the purity of PostgreSQL is called into question. Say what you want about the evil proprietary vendors (or even that evil OTHER open source database that must not be named! HINT: MySQL. Oh my gosh did I say that out loud?) but don’t diss THE POSTGRESQL!

CNET’s Matt Asay and Roy Russo at LoopFuse are musing about whether the open source business model is inherently monopolistic: “OSS companies focusing on the proprietary competition win out in the end, but if history is a guide, they also manage to squash their own OSS competitors by doing so,” writes Russo. Does “any market ultimately [have] room for only one purveyor of free software”? “So much for peace, love and open source,” says Asay. Asay goes on to say, however, that he thinks this is an oversimplification of the open source model. “There may not be room for Yet Another Open-Source Business Intelligence Vendor (YAOSBIY for short) ;-), but surely, there’s room for plenty more in this space who drive greater performance, superior ease of use, etc.? Open source becomes a facet of how such companies compete — an important one but not the outcome-determinative one.”

Do you think there’s truth to either of these claims? Are open sourcers ultimately as greedy and territorial as their proprietary counterparts? Do they have the right to take the moral high ground? Are there room for multiple open source vendors in the market?

Have a good weekend,
Elisa

July 17, 2007  9:24 AM

SQL FAQ for beginners, non-beginners and cheaters

Beth Pariseau Beth Pariseau Profile: Beth Pariseau

I field the questions that come to our Ask the Expert section—deleting spam and nonsense and otherwise undesirable questions before forwarding the potentially answerable ones on to our panel of experts. I don’t have to answer them, and even I get annoyed when I see the same, often vague questions over and over (“How to back up my database?”) or something that obviously came from a homework assignment. (When you get 10 questions in a row from the same email address, all addressing different “problems,” it looks a little suspicious.)

That’s why I’m working on a collection of FAQ resources for our readers, so our experts won’t have to keep answering the same queries over and over again. One of our first new FAQ offerings is a three-part SQL FAQ assembled by our witty resident SQL guru Rudy Limeback. Rudy revisits the most common questions he’s taken over the past six years, from the most basic duh-type questions, to the homework questions, to genuinely complex and interesting ones. Check out all three parts of the FAQ:

If you’ve got a burning SQL question that’s not addressed here, send it to Rudy. He thrives on them.

-Elisa


July 12, 2007  7:44 PM

Database 11g release date confusion

Derek Kuhr Derek Kuhr Profile: Derek Kuhr

For weeks now everyone has been reporting that July 11 was to be the launch date for Oracle Database 11g. That’s the impression I was under as I went forward with the reporting for our new Oracle Database 11g Special Report. But alas, the big Oracle event in New York was more of a Database 11g preview and introduction, rather than a product rollout. Now we’re told that the new release won’t be available for at least another month. And then only for the Linux platform.

Looks like I wasn’t the only who was highly confused by Oracle’s messaging around the so called “Database 11g Launch.” Tim at Oracle-Base blog apparently was too. He wrote:

“So all the pomp and ceremony is over and Oracle 11g is launched, but as yet I’ve not heard anything about a release date. Does anyone know when it is likely to hit the shelves. I kind-of [thought] that was the big news, but as yet I’ve not seen any press releases or blog entries that specify a date. It’s not available for download on OTN yet, so I’m assuming the “Launch” and the “Release” are not the same thing.”

 Well, Tim, I hope my little blog entry here clears up some of the confusion out there.

 – Mark 


July 12, 2007  11:05 AM

More security horror stories

Derek Kuhr Ken Cline Profile: Clinek

Don adds these tales of woe to our growing collection of Oracle security bloopers:

**********************************

We received a call from a client who was complaining of performance problems on their Oracle database which was running on a standalone Linux server.  The company was in the business of providing credit information to third-party companies to access an individual’s probability of financial default.

Upon accessing the server, Oracle was apparent that something was terribly wrong. Even when idle, the Oracle database was performing I/O operations and the processors were active, even though Linux did not show any active processes.  The Linux “ps” command failed to reveal any active processes.

After a Linux expert was consulted the real issue was discovered.  A disgruntled Systems Administrator had left a time-bomb on the server, to be activated when their user account was removed from the /etc/passwd file, indicating that they had been fired.

This time-bomb was activated when the System Administrator left the company to “pursue other opportunities”, and the attack was both clever and devastating.  The attacker placed a Linux daemon process called “vacuum” on the Linux server and this process was constantly polling the Oracle database, seeking new information, and e-mailing Oracle to an overseas mailbox.

This attack has disclosed the entire Oracle database of confidential information to an unknown party, and the company was held fully responsible because they failed to institute a third-party employee to manage their server security.

The attack was very sophisticated and unobtrusive.  The malicious employee had replaced the standard Linux commands with a “root kit”, an attack method readily available on the Internet.  In a root Kit attack, the Linux commands are replaced with an alias to disguise the presence of the Oracle data stealing mechanism.  In this case, the process command “ps” was replaced with the command “ps|grep –i vacuum,” such that the process would not appear within Linux. 

******************************************* 

In this case, a hacker exploited a server vulnerability, siphoned confidential information from a company’s Oracle database and shipped it to a foreign nation that did not honor U.S.. copyright law.  A foreign crook then extorted the company, proving that they had the Oracle data, and threatened to disclose proprietary secrets to a competitor unless they were paid a significant sum of money.

Faced with the loss of their competitive advantage, the company contacted the FBI and was told that there was no reciprocity with the nation and that Interpol would not be able to investigate or arrest the extortionists.  Even worse, Oracle management had not detected the leak, and had no idea how the thieves had accessed their Oracle database.

********************************************

An Oracle database sdministrator for a major university was caught “enhancing” college transcripts to allow people to gain acceptance to top professional schools.  The DBA had complete control over the Oracle database and the auditing mechanism and was charging friends and acquaintances thousands of dollars to add courses and improve existing grades.  Because the DBA controlled the audit mechanism, she was able to completely erase all traces of the fraudulent changes.

This fraud went undetected for more than five years until a professor discovered the fraud.  The professor was asked questions about a former student as part of a pre-employment background check and discovered that the student had never taken his class even though the official university transcript indicated an “A” for the course.


July 10, 2007  11:58 AM

I still haven’t found what I’m searching for

Beth Pariseau Beth Pariseau Profile: Beth Pariseau

Tim Hall at the ORACLE-BASE blog and Andy C at nbrightside have been writing about search engines (what percentage of their blog traffic comes from search engines, what percentage of that search traffic comes from Yahoo vs. Google, etc.). Search engine minutiae is endlessly fascinating to me, and these blogs prompted me to poke around our own stats to see what’s been bringing people to the Eye on Oracle blog lately.

I compiled this list of some of the amusing and/or unlikely search strings that have recently led folks to our humble blog:

  • what do you mean theoretical database
  • arrogant oracle database
  • sap on sql sucks
  • oracle pl/sql sucks
  • oracle webcenter sucks (Note to self: Use the word “sucks” more for search engine optimization)
  • learn oracle dba in one week
  • what would a database administrator do (I can see the shirts now: WWDBAD?)
  • database work is for suckers
  • recent dumb in oracle
  • WHINING AND GRINING (Grining? I get 439 hits in Google for this . . . does that make “grining” a word? But then “oralce” gets over 183,000 . . . there’s even an oralce.com! Talk about capitalizing on misspellings.)
  • sheryl, rich does like you (????!)
  • how does the eye function in easy languages
  • how does anyone ever use oracle when sql server is so much easier to use (Apparently some people are trying to engage Google in an actual conversation)
  • does anybody really do enterprise architecture (Nah. I think it’s a myth)
  • hate oracle dst patch
  • kramer dba seinfeld
  • elisa gabbert blog (Aww. I have a fan!)

What kooky phrases are turning up in your referring URLs?

-Elisa


July 9, 2007  10:11 AM

Oracle security bloopers II

Beth Pariseau Ken Cline Profile: Clinek

Last week, I asked you DBAs and consultants to send in the worst Oracle security nightmares you’ve come across. A few of you have responded so far. Read them and weep:

************************** 

Terry M. wrote:  

I was working as a software consultant going on site at a defense contractor.  Security was so tight that I had to be escorted to the bathroom and searched before going into and out of the site.

I was there to install a database monitoring software package for several of their Oracle 8i database instances.  The install requires the user to enter the sys ID and password to grant select on some data dictionary tables and the on site DBA that I was working with requested that I step outside of his cube while he entered the sys password.

After several failed attempts, and my hearing him curse a few times,  I noticed a repeating pattern of keystrokes which I immediately recognized — see if you can guess:

Tap Tap Tap Tap Tap Tap … Pause … Tap … Pause … Tap Tap … Pause … Tap … Pause … Tap Tap Tap Tap Tap Tap Tap

After about 5 minutes of listening to him fail to get the password correct and cursing, I finally had to speak up . . . as I turned around and walked back into his cube, I said “excuse me, but your sys password wouldn’t happen to be ‘change_on_install’ would it?” He immediately became suspicious and accused me of somehow watching him enter the password when I was clearly behind the outside of his cube wall.  I quickly told him that I bet I knew his system user password also: ‘manager’.  He was astonished and extremely embarrassed when I explained to him that those two passwords were the default passwords for the sys and system accounts on every Oracle database installed.  And that it was common practice for every DBA to immediately change those passwords to secure their database instances.

Unfortunately, we lost the sale — he explained that he had over 100+ database instances that he had to go change the passwords on; ushered me out the door; and never called back to reschedule another visit.

**************************

Rick K. wrote:

Like most Oracle professionals, I subscribe to several Usenet groups so I can keep my skills current.  Well, a few years ago a DBA needed some assistance and posted a question in which he shared his tnsnames.ora file and wondered why he could not connect to SQL*Plus with the following syntax:

sqlplus system/SecurePswd@prod

Almost immediately several people connected to this person’s production system and was able to fish around the system.  Numerous people emailed the DBA back and pointed out that he just broadcasted to the world his production connection string and password. How crazy is that?

************************** 

Anonymous wrote:

I know a firm that has a partnership arrangement with several credit card companies.  These partnerships involve the credit card companies initiating an electronic process to create an account with the firm for their card holders to receive services from that, which are then billed to their credit cards. 

Unfortunately, the credit card companies seem to have a remarkable difficulty keeping track of which accounts are billed to which credit card numbers.  As a result, the credit card companies sometimes need to ask the firm for a list of accounts associated with certain credit card numbers.  On more than one occasion, a representative of a credit card company has sent an unencrypted email listing tens of thousands of credit cards numbers, thus breaching the PCI DSS which the credit card companies are trying to enforce.

************************** 

Sean S. wrote:

Unfortunately, this comes from the government, in fact, the military. I was brought in as a consultant to manage a set of Oracle8 databases for a branch of the US military. One in particular contained sensitive data which could be used to track the whereabouts of strategic military assets around the world. It was open to the internet, on port 1521, so that remote locations could connect through the application. When I came on board, the first thing I checked for were default passwords. Of course, scott/tiger was there. What’s worse was system/manager and sys/change_on_install were, too. So I approached the manager to tell her that the password needed to be changed.

“Oh no, you can’t do that!”

“Why not, I asked?”

It turns out that there was a committee of about 60-70 individuals, contractors, vendors, and representatives that met via conference call on a weekly basis to discuss the database and application. When the database was first installed, the subject of changing the password came up, but the committee couldn’t decide on a suitable password to change it to. Debate raged for several minutes over who had the best password and policy, and with no solution in sight, the idea of changing passwords was tabled until the group could reach agreement. No action was taken, and the subject never came up again, apparently.

Your government in inaction. Needless to say, I changed the password and told them they could change it back when I left.

But wait. It gets better…

Just prior to Y2K, we learned that foreign hackers were going to attempt to compromise military computer networks. A couple of security drills ensued, but a few days prior to Christmas, 1999, we had a new task at hand. We were instructed to label every cable leading in and out of every machine in the server room, be it a server, disk array, network switch, or monitor. On December 29, we powered down every machine, and unplugged them from everything. Literally. Both ends of every cable were disconnected, be it power, network, SCSI, or a keyboard. Machines were moved out into the middle of the room so you could walk around them and see they were physically disconnected from everything. Tiles on the raised floor were left up so that you could verify that nothing was plugged in. Everything was to be left in that state until at least January 3rd.

We were told in our briefing that this was to prevent terrorists from disrupting our activities. Of course, I raised my hand to ask what I felt was the obvious question: “Aren’t we doing for the terrorists exactly what we only think they might attempt–that is, disabling our computer systems–and assuring them of widespread success where they might not accomplish anything at all?”

The answer: “No. We’re doing this on our terms.”

That’s like saying that if we had intelligence about an attack on Pearl Harbor, that we should have sunk the Arizona on December 6th, in order to be doing it on “our terms.” Sigh.

************************** 

Sigh indeed. It’s like driving by a car crash — we’re drawn to it and repulsed at the same time. If you have any (anonymous) additions to this sad and funny parade of ignorance, let’s hear it!

Have a good week, Tim 


July 4, 2007  11:35 PM

Database security bloopers

Beth Pariseau Ken Cline Profile: Clinek

As we reported last week, a new survey shows that IT security pros have a “disturbing lack of confidence” in the ability of organizations to use sensitive information securely.

The survey looked at the data privacy and data protection concerns of 1,000 IT security workers and compliance professionals. It found that many see the potential for disastrous data loss and feel that their organizations aren’t equipped to deal with the risk. Well-known Oracle blogger and consultant Peter Finnigan agreed, saying “my experience [with] users of Oracle databases and database users in general is that databases tend to not be securely deployed. They are better than they have been in recent years but still not where they should be in terms of protecting data.”

Frankly, it’s hard for me to believe that DBAs aren’t already doing all they can to protect their data assets. If not, why not? The years of warnings haven’t been enough? The multiple and expensive break-ins didn’t jar you into action? Don’t think it can happen to you? You think your data isn’t all that valuable? Just plain lazy?

If you are an experienced DBA or a consultant, send me the worst (and/or funniest) security nightmares you’ve seen and we’ll post the most horrifying here in the blog (anonymously, of course). Come across a company using SCOTT/TIGER as their admin login? We want to hear about it!

Have a good holiday week,
Tim


July 3, 2007  12:04 PM

Oracle sues SAP: SAP responds

Beth Pariseau Beth Pariseau Profile: Beth Pariseau

As reported by SearchSAP.com, SAP has finally issued a formal statement in response to the Oracle lawsuit — the company’s officials admit that TomorrowNow is guilty of “inappropriate downloads” of Oracle support materials.

In the original suit, Oracle accused SAP of compiling “an illegal library of Oracle’s copyrighted software code and other materials,” gaining access to Oracle’s password-protected customer support systems and “stealing software products and other confidential materials that Oracle developed to service its own support customers.”

In early June, Oracle amended the suit with seven additional pages of charges, including copyright infringement and breach of contract complaints. One example cited was SAP TN’s Daylight Savings Time (DST) fix.

“SAP TN’s ‘solution’ is substantially similar in total — and in large part appears to be copied identically from — Oracle’s DST Solution,” the brief read, saying that SAP TN’s DST change “even includes minor errors in the original DST Solution that Oracle later corrected. SAP TN’s version also substitutes an SAP TN logo in place of the original Oracle logo and copyright notice.”

SAP denied most of the charges brought by Oracle in its 20-page official response but did not deny that some activity went “beyond what is appropriate.” (It committed a third-party support faux pas?)

SAP said it plans to make changes to TomorrowNow’s operating structure but will not alter the Safe Passage program and will continue to add new customers through it.

Happy Fourth of July,
Elisa


June 29, 2007  11:16 AM

All IT people do is complain!

Beth Pariseau Beth Pariseau Profile: Beth Pariseau

Or so it sometimes seems, reading this blog and others lately . . . but complaining is communal and relaxing, so let’s just run with it. Here’s a round-up of some of the complaining that Oracle bloggers are doing this week.

Jeff Hunter at the So What Co-operative complains, “Why is it always the database?” He’s sick of users always complaining about the database when there are so many other places to point fingers (networks, routers, middle tiers, etc.), but he’s not just asking rhetorically. He wonders if the database really is usually at fault or if people just blame what they don’t understand. Commentors offers suggestions, like “Some people just point to whatever isn’t in part of their responsibility.”

Doug Burns supports Alex Gorbachev’s BAAG cause, but has his own fight to fight; he’s too busy sighing over not so “sage” advice offered in response to the crucial question “How do I backup my database?” He finds so many things to complain about on this Oracle FAQ/wiki he can’t even begin.

Pete Finnigan is complaining about a user who downloaded one of his free scripts and then emailed him to complain that it didn’t work — when really it just needed a small change to work in 10gR2. Grr.

Tim of the Oracle-Base blog changes his blog’s theme/design in response to complaints from users about how it displayed in various browsers and window sizes. (I must admit I found the previous layout annoying as well.)

Peter Scott and Dominic Brooks link to an imaginary letter that illustrates what the world would be like if architects had to work like Web designers:

Please design and build me a house. I am not quite sure of what I need, so you should use your discretion. My house should have somewhere between two and forty-five bedrooms. Just make sure the plans are such that the bedrooms can be easily added or deleted. When you bring the blueprints to me, I will make the final decision of what I want. Also, bring me the cost breakdown for each configuration so that I can arbitrarily pick one.

Sound familiar?

At least one tech guy isn’t complaining. Last week Mark Brunelli talked to an ex-DBA, Jeff Buelt, who expressed actual job satisfaction: “I loved being a DBA.” But naturally, he couldn’t get through a whole interview without airing out one or two complaints. Like Jeff Hunter, he notes that “whenever something went wrong it seemed like everybody always pointed to the database.”

That’s all for now. Take it easy, folks!
Elisa


June 22, 2007  10:41 AM

Log Buffer #50: A Carnival of the Vanities for DBAs

Beth Pariseau Beth Pariseau Profile: Beth Pariseau

I’m honored to cover the 50th edition (that’s right, the golden anniversary) of the venerable Log Buffer this week — thanks to Dave Edwards of the Pythian Group Blog for the opportunity!

Let’s get this party started, beginning with what’s been a very popular topic around here lately: the (so-called?) life of the DBA. Peter K responds to the question we posed last week: “Is database administration for suckers?” Peter’s take on the question is that everyone has choices: “If you are not happy with your current work situation, then my suggestion is that you do something about it (i.e. either work to change the job or go somewhere else).” For his part, Louis Davidson, the SQL Doctor, claims that being a DBA makes him feel like “a defense lawyer in Mexico” — the database is always “presumed guilty until proven innocent.” Over at the Oracle Contractors blog, Peter Stewart explains why the coffee machine is the water cooler for DBAs. While scripts are doing all your work, use your “coffee time to recover.”

Sean McCown at Database Underground asks, “What is Quest doing?” He’s been hearing rumors for a long while that Quest would release LiteSpeed for Oracle; now word on the street is that the release has been cancelled. The product already exists — McCown has even played around with a beta version. So what gives?

Matt Asay on The Open Road writes, in the ironically titled post “MySQL does not scale,” about the database’s recent conquests, including its massive scale-out for Wikipedia. “It’s time to put DB2’s and Oracle’s wishful thinking behind us,” says Asay (that MySQL doesn’t scale, that is). Bouncing off Brian Duff’s recent “If I had five Oracle wishes” post, Jay Pipes outlines his top 5 wishlist for MySQL. Stewart Smith at Ramblings and a number of others follow suit, whereas Antony Curtis of Antony’s MySQL bits says such wishlists are unproductive and suggests that wishing be done in an internal wiki linked to appropriate Worklog entries.

Speaking of lists, Lutz Hartmann of sysdba database consulting offers part one of his top 10 Oracle 11g new features. After taking part in beta testing, he’s most excited about the new change management features, starting with SQL Performance Analyzer.

Steven Chan at his Oracle E-Business Suite Technology blog lists seven ways to reduce patching downtime for apps. Tips include using a staged applications system and/or a shared application-tier file system and distributing processes across servers.

Jeff Smith of Jeff’s SQL Server Weblog offers a rule of thumb for developing database models: Ask yourself, “Is it an entity or an attribute?” “An entity should be defined as a table, but an attribute should simply be a column of a table.”

Jonathan Lewis at Oracle Scratchpad asks “How well do you know your hints?” and illustrates with a 10g test case exactly what a hint means.

Chris Eaton at An Expert’s Guide to DB2 Technology lets Lewis Cunningham (and the world) know that IBM took his request for a DECODE statement to heart, and DB2 Viper 2 (now in open beta) supports the DECODE syntax of other DB vendors.

Xaprb posts the third part in a series of archive strategies for OLTP servers, covering in this segment how to move data from the source to the archive destination, what that destination might look like and how to un-archive.

A new Oracle blog drops: look for “core IT for geeks and pros” from Tanel Poder. His “first real post!” is a troubleshooting guide for a wait interface issue.

And Alex Gorbachev at the Pythian Group Blog announces the birth of BAAG: Battle Against Any Guess. The mission of BAAG is to fight guesswork in decision-making processes, especially shot-in-the-dark, uneducated guesses — for example, in database performance tuning or when troubleshooting errors. “Hope-powered guess is the evil,” says BAAG.

Andrew Clarke at Radio Free Tooting goes over the abstracts for the UKOUG conference. He notes that the most popular topics this year are Application Express, incorporating AJAX into ADF apps, and migrating client/server Forms apps to the Web.

As a closing note, I leave you with Nuno Souto’s assessment of the Oracle blog world of late — it sucks. He writes on DBAs-R-Us that “What passes for ‘Oracle blogging’ nowadays is nothing short of blatant company-sponsored, ill-disguised, outright marketing. The number of posts in blogs that are nothing more than just repetitive, boring and stupid reiterations of company policy is overwhelming.” Ooh. Ouch. Do y’all concur?

And that’s a wrap for this carnival! Thanks for reading,
Elisa


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: