SQL Server with Mr. Denny

August 19, 2012  12:46 AM

DEFCON: Why conference harassment matters

Denny Cherry Denny Cherry Profile: Denny Cherry

This was reposted from The Ada Initiative https://adainitiative.org/2012/08/defcon-why-conference-harassment-matters/ written by Valerie Aurora. They get all the credit for this, not me.

This weekend was DEFCON 20, the largest and most famous hacker[1] conference in the world. I didn’t go to DEFCON because I’m a woman, and I don’t like it when strangers grab my crotch.

Let’s back up a little bit. DEFCON is a stellar computer security conference, attended by famous computer security experts, shadowy government “spooks,” creative hackers of all sorts, and the journalists who write about them. I first attended DEFCON in 1995 as a gawky 17-year-old. DEFCON 3 was just a few hundred computer security experts wearing black leather jackets and milling around in a ballroomat the Tropicana Hotel in Las Vegas.

DEFCON 3 badge

The author’s first DEFCON badge

That weekend I learned about Kevin Mitnick getting hunted down by the FBI, war-dialing for modems, and the existence of the Internet. I met a guy with long red hair named Dan Farmer who had written a program called something like EVIL, or SATAN, I wasn’t sure which.

I was so inspired by the fascinating, brilliant, frequently leather-clad people I met at DEFCON 3 that I became a computer programmer. I still have my first DEFCON badge, a cheesy purple and white laminated number with only my first name – at age 17, I wasn’t about to to give my full name to a conference full of hackers!

DEFCON today

Fast forward 17 years to DEFCON 20. Every time I read about something cool happening at DEFCON, I wanted to jump on the next flight to Las Vegas. But I didn’t, because of my own bad experiences at DEFCON, and those of people like KC, a journalist and student in San Francisco who wrote about attending DEFCON 19:

Nothing could have prepared me for the onslaught of bad behavior I experienced. Like the man who drunkenly tried to lick my shoulder tattoo. Like the man who grabbed my hips while I was waiting for a drink at the EFF party. Like the man who tried to get me to show him my tits so he could punch a hole in a card that, when filled, would net him a favor from one of the official security staff.

Or the experience of one of my friends, who prefers to remain anonymous. At a recent DEFCON, while leaning over to get her drink at the bar, someone slid his hand up all the way between her legs and grabbed her crotch. When she turned around, the perpetrator had already disappeared into the crowd.

My own stories from DEFCON seem tame compared to what these women went through, but I couldn’t take the constant barrage of sexual insults and walked out halfway through DEFCON 16, swearing not to return if I was going to be harassed like that again.

Unfortunately, DEFCON isn’t unusual among hacker conferences. Similar stories about Black Hat, HOPE, CCC, and others are also common. Sexual harassment at other computer conferences often appears unintentional, but at hacker conferences it’s often clear that the perp is doing it on purpose, and enjoying the hell out of it. As a woman, it’s hard to justify attending a hacker conference when I can go to an academic computer conference and get treated like a human being most of the time.

Why harassment matters

At this point, some of you are thinking, “Well, if DEFCON is so bad for women, women just shouldn’t go. Who cares?”

As KC puts it, “Defcon is also many wonderful things. It is a fantastic environment to learn, network, and connect with friends old and new.” There’s a reason that I attended DEFCON five times before I quit. DEFCON and other hacker conferences are popular for all the reasons that conferences exist at all: learning new things, meeting people in your field, improving your reputation, finding jobs, and making new friends.

I’ll start with the most obvious benefit of attending DEFCON: jobs. Did you know that Twitter is recruiting computer security experts at DEFCON? So are Zynga and the NSA:

@netik: Twitter is hiring security people. If you are at defcon and need work, @ reply me and let's meet up.

Happy Recruiting! NSA top spy going to #Defcon 2012 http://exm.nr/NKEIOM  via @examinercom #infosec #cybersecurity

I am recruiting for AppSec, SecEng, and SecIR positions at @Zynga this week at BsidesLV, Defcon, and Blackhat. Let’s talk.

Twitter, Zynga, and the NSA are only a few of the companies and government agencies that consider DEFCON prime recruiting ground for experts in all sorts of areas: network security, operating systems, robotics, surveillance, electrical engineering, intrusion detection, and anything that communicates via electromagnetic waves. When companies recruit at DEFCON, and women aren’t at DEFCON, both the companies and the women miss out.

But how do you become qualified for a computer security job in the first place? Computer security isn’t very well documented, or taught in any depth in most universities. After my first DEFCON, I knew to sign up for the DEFCON mailing list, read the 2600 magazine, and check out a copy of the UNIX Systems Administration Handbook from the computer center library. When I got a computer account at my university, I logged into the UNIX workstations instead of the Windows machines because I knew UNIX was what hackers used. I poked around UNIX until I found files I couldn’t read and commands I couldn’t run, and then I started reading manuals to understand why. I eventually became a worldwide UNIX file systems expert – all because I went to this obscure little conference in Las Vegas in 1995.

For those women who work or want to work in a computer security related field, conferences like DEFCON are the best chance to meet influential people in the field. Take Bruce Schneier, a professional speaker and the author of “Applied Cryptography” (known outside computer security for coining the term “security theater” to describe TSA security measures). I met Schneier at DEFCON 6, when I made a joke that he reused in his talk a few minutes later. The DEFCON speaker list is a who’s who of modern digital glitterati – and in a strange twist of fate, now includes the Director of the NSA.

Giving the right talk at DEFCON can make your entire career and net you dozens of offers for jobs, contracts, and book deals. DEFCON is good for hands-on learning too: For example, every year teams of security experts compete in contests like “Capture the Flag” to show off their skills and learn from each other.

Finally, everyone at DEFCON benefits from more women attending. Women “hackers” – in the creative technologist sense – are everywhere, and many of them are brilliant, interesting, and just plain good company (think Limor Fried, Jeri Ellsworth, and Angela Byron). Companies recruiting for talent get access to the full range of qualified applicants, not just the ones who can put up with a brogrammer atmosphere. We get more and better talks on a wider range of subjects. Conversations are more fun. Conferences and everyone at them loses when amazing women don’t attend.

When you say, “Women shouldn’t go to DEFCON if they don’t like it,” you are saying that women shouldn’t have all of the opportunities that come with attending DEFCON: jobs, education, networking, book contracts, speaking opportunities – or else should be willing to undergo sexual harassment and assault to get access to them. Is that really what you believe?

Is change coming to hacker conferences?

Back to KC:

I know I’m not alone in being frustrated with the climate at Defcon. Last year at Deepsec in Vienna, I met a fantastically intelligent woman developer who flat out refused to attend Defcon because of interactions like those listed above. I can think of countless other women I know in the tech industry who are regular Defcon participants and speakers who are just as fed up with this crap as me. I wonder why we’ve all been so polite about such an unhealthy atmosphere.

Red/yellow (and green) cardsRed/yellow (and green) cardsKC stopped being polite, and started doing something about the sexist atmosphere at DEFCON: she created the Red/Yellow Card Project. She got the idea from a joke a rugby-obsessed friend made after she complained about sexism at DEFCON, suggesting that she hand out red and yellow penalty cards to people making sexist comments. She designed and printed the cards and distributed them at this year’s DEFCON, with mixed reception. Some people vehemently objected, but others loved it. DEFCON founder Jeff Moss offered to pay for the printing costs of the cards.

How the Ada Initiative is changing conferences

The cards are a hilarious way to raise awareness of the problem of brutal sexual harassment at DEFCON and similar conferences. Unfortunately, it will take more than raising awareness to make hacker conferences safe for women. That’s one reason why I quit my cushy computer programmer job and co-founded the Ada Initiative, a non-profit supporting women in open technology and culture. Our scope includes open source software, open hardware, and open data – all of which are major parts of hacker conferences like DEFCON.

The Ada Initiative’s first project: an example written policy that bans harassment at conferences, sexual or otherwise, of people of all genders. Organizers for literally hundreds of conferences have adopted some form of this policy, including open source software conferences from Linux to Python to Git, the world’s largest Wikipedia conference, Wikimania, and a plethora of others including gaming cons, open video conferences, science fiction conventions, and even skeptic/atheist meetups.

The policies aren’t just empty words; several conferences have enforced their policies successfully. Many conference organizers have told us that they had record women’s attendance after they adopted a policy aimed at reducing harassment (and often higher overall attendance as well). One conference organizer said that the first year they worked hard to invite 30% women, everyone enjoyed the conference so much more that they’ve done it every year since. When women feel welcome at a conference, everyone enjoys the conference more.

A call to action and a challenge

We’re waiting to hear about the first[2] hacker conference to adopt a specific, enforceable, well-planned policy protecting women from harassment – and then we’re going to promote the hell out of it. Will it be HOPE? CCC? DEFCON? Whichever hacker conference is first will get dozens or hundreds of new attendees, women and everyone else, too. If you want this to be your conference, and you want help designing and implementing a policy, email us at contact@adainitiative.org.

Updated to add on August 6, 2012: BruCON, a computer security conference in Belgium, is the first conference to meet our challenge! BruCON 2012 will be in Ghent, Belgium, on September 24-25, 2012. See their policy here and keep an eye out for related posts on our blogs. We will continue to update the list of computer security and hacker conferences with specific, enforceable policies preventing harassment on the Geek Feminism wiki.

If you’re not a conference organizer, you can help too! We’ve created a list of actions to take to support policies preventing harassment at conferences, all field-tested for effectiveness. To name just a few, you can publicly request a policy by blogging or tweeting, organize a community petition asking for a policy, and when speaking, make your appearance contingent on a policy.

Finally, if you like the work that the Ada Initiative is doing, you can support us by joining our announcement mailing list or donating to support our work for women in open technology and culture (we’re a tax-exempt non-profit charitable organization supported by donations).

[1] The precise meaning of the word “hacker” has been the subject of furious debate for at least 30 years. Suffice to say that in this post it does not mean exclusively “person who breaks into computers” and it includes people who experiment with computers and hardware for curiosity’s sake.

[2] Kiwicon is a hacker conference that has a (hilarious) Code of Conduct:

Kiwicon attempts to be a relatively informal conference where all members of the hacking community can come together over one weekend. Individuals intent on sprinkling fetid douchenuggets over the ice-cream sundae of anyone else’s enjoyment may incur penalties, reprisals or sanctions at the discretion of the Crue. In other words, the Crue reserve the right to kick you out, own your boxen and publicly shame you if you’re being an idiot.

However, our (rather extensive) experience with harassment at conferences is that policies don’t work unless they are specific about what isn’t allowed, for many reasons. Often the people doing the harassing believe that their behavior is acceptable at that conference, so unacceptable behavior has to be spelled out or people will keep doing it. Plus, specifically listing unacceptable behavior is often enough to stop it from occurring at all. People who are nervous about attending the conference can’t tell what the organizers consider harassing behavior and don’t know whether the organizers will back them up. Finally, it’s simply inconsiderate to tell your attendees that they can get kicked out of a conference if they behave badly – and then not give them some idea of what you consider bad behavior. See the example policy guide for more details.

Additional reading can be found at the original author’s post.

August 17, 2012  5:26 PM

Recommended reading from mrdenny for August 17, 2012

Denny Cherry Denny Cherry Profile: Denny Cherry

This week I've found some great things for you to read. These are a few of my favorites that I've found this week.

      This weeks SQL Server person to follow on Twitter is:

AmbivalentGeek also known as JJ Burnam

Hopefully you find them as useful as I did.


August 16, 2012  6:43 PM

Optimizing Microsoft SQL Server Performance in a Virtual Environment (Video)

Denny Cherry Denny Cherry Profile: Denny Cherry

This was reposted from SQL Server http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/DBI317 written by (author unknown). They get all the credit for this, not me.

In this session, learn what you should be looking at within your virtual environment to ensure you are getting the performance you should out of it. This includes how to look for CPU performance issues at the host level. We also discuss the Memory Balloon drivers and what they actually do, how you should be configuring them, and why. We discuss some of the memory sharing technologies which are built into vSphere and Hyper-V and how they relate to SQL Server. We finish up with some storage configuration options to look at. #TEDBI317

Additional reading can be found at the original author’s post.

August 16, 2012  2:00 PM

Upgrading Windows 8 RP to RTM

Denny Cherry Denny Cherry Profile: Denny Cherry

So as we all know Microsoft hates allowing upgrades of OSs from Beta/CTP/RC/RP (or whatever) to RTM (Release To Manufacturing) bits.  However thankfully Microsoft has made it easy enough to do anyway.  Simply take your ISO/USB/CD/DVD or whatever install media you plan on using and make it writeable in some way (I’ll leave this to you to figure out based on your media type).

Find the n:\sources\cversion.ini file on the media and open it with notepad.  Change the two numbers from 8508 to 7100 and save and close the file.


Now run the installer from within Windows 8 Beta/CTP/RC/RP (or whatever) and you’ll be nicely upgraded to Windows 8.  I would imagine that this works for Windows 2012 when that is released as well.


P.S. Thanks to Jason Fay (blog | @jfay_dba) for reminding me that this worked in Windows 7 and testing it faster than I could for Windows 8.

August 15, 2012  9:42 PM

Here’s How You Support Women in Tech

Denny Cherry Denny Cherry Profile: Denny Cherry

This was reposted from BlogHer https://www.blogher.com/snippets/heres-how-you-support-women-tech written by Virginia Debolt. They get all the credit for this, not me.

Want to find out how to throw a tech event, get women to participate along with the men, and make them feel good about the experience after it’s over? Lauren Bacon from Curious for a Living has seen it done and has a list of ideas that you can apply to your event.

I ‘ve worked in tech for fifteen years. In those fifteen years, women have remained a small minority in the sector, particularly in technical jobs (read: programmers/engineers/developers). A lot of people I know have bemoaned the numbers, and discussed various ways we might address the gender imbalance, but I haven’t seen a lot of success stories (There are some – don’t get me wrong. Just not a ton.)

A few weeks ago, though, something big and wonderful happened. And it is going to change the ratio.

hacker school
Hacker School by jolly_sonali via Flickr

via (title unknown) https://www.blogher.com/snippets/heres-how-you-support-women-tech

Additional reading can be found at the original author’s post.

August 15, 2012  2:00 PM

Old Web Based Applications Need To Be Removed

Denny Cherry Denny Cherry Profile: Denny Cherry

What happens to most obsolete web based applications at most companies?  They sit idle on a web server for months, sometimes years.  Why is this a problem? Because many of these old applications can be easily exploited via SQL Injection allowing access into the SQL Server databases which they connected to.  The reason that these old apps are a great way into the SQL Server is because they are old, and were probably written before things like SQL Injection protection became more common place.

This tweet from Daniel (@DaniSQL) is a perfect example of this.

An old application that isn’t being used anymore is still available on the Internet facing web farm.  Because this application isn’t being used any more it wasn’t on any lists of deployed applications, so when security audits were done it wasn’t seen as it wasn’t listed as an active application.  However it was apparently able to provide a hacker with a way into the database because it was still connected to a SQL Server instance and it was susceptible to SQL Injection.

The solution to this problem is sadly easy, remove the web based application from the web farm as the application isn’t being used anywhere.  It’s a lot easier than fixing the application, and a whole lot cheaper (10 minutes of a system administrator’s time versus weeks or months of a developers time).

I urge you to audit the applications and websites which are deployed to your web farms, especially the Internet facing web farms and see what’s on there.  When you audit them, don’t audit them against the list of what’s there.  Actually dig into the IIS config of each and every server (yes I’m well aware that doing this sucks) and actually see what’s configured on each machine.  If you don’t know if an application is actually being used ask around.  If it isn’t, remove it (or at least stop the site in IIS) so that you don’t have to worry about scripts breaking into your database and updating your data.

Now thankfully this current attack which is going around is just updating data, but it could easily enough be changed by the attacker to gather data as well, so do yourself a favor and protect yourself.


August 10, 2012  5:06 PM

Recommended reading from mrdenny for August 10, 2012 at 10:02AM

Denny Cherry Denny Cherry Profile: Denny Cherry

This week I’ve found some great things for you to read. These are a few of my favorites that I’ve found this week.

Hopefully you find them as useful as I did. Denny

August 10, 2012  2:00 PM

Full Day Storage and Virtualization Class at SQL Saturday 145

Denny Cherry Denny Cherry Profile: Denny Cherry

On October 12th 2012 I’ll be presenting an all day session titled “Storage and Virtualization for the DBA” as a pre-con session for SQL Saturday 145 in Nashville, TN (links to all four pre-cons can be found on the SQL Saturday 145 page).  This popular pre-con session has been presented in locations like the SQL PASS Summit, SQL Day 2012 in Poland, SQL Bits X in London, SQL Saturdays in Florida and California and now the session is coming to Nashville, TN.

This session will be a two part session in which we will be focusing on two of the biggest topics in the DBA field.  How to properly design your SAN storage solution and how to properly design your virtualization solution.

The storage portion of this session will focus on SAN storage, but most of the material will apply to direct attached storage as well.

In the first half of the session we’ll be focusing on the storage array.  Storage can be one of the biggest bottlenecks when it comes to database performance.  It’s also one of the hardest places to troubleshoot performance issues because storage engineers and database administrators often do not speak the same language.  In this session, we’ll be looking at storage from both the database and storage perspectives.   We’ll be digging into LUNs, HBAs, the fabric, as well as the storage configuration.

After going over the components we’ll dig into some advanced storage configurations.  This includes RAID groups, multi-pathing software, and proper redundant storage network design.  We will also be digging into some advanced storage array backup techniques including taking storage level clones and snapshots.  After going over these advanced techniques we will dig into how these can best be used to backup the SQL Server environment to provide maximum redundancy with no recurring tape costs.

In the second half of the day we’ll be looking into the pros and cons of moving SQL Servers into a virtual server environment.  Specifically we’ll be looking into when it’s a good idea and when it’s probably not a good idea.  Like everything in the database world there are no hard set answers as to if virtualization is a good idea or not, but there are some times when virtualizing a SQL Server is a good idea, and can save you some money.  There are some other times when you will be shooting yourself in the foot and virtualization isn’t a good idea.  We’ll be focusing on when how to make this decision, and how to gather the metrics that you need in order to come to this decision.

We’ll look into how tie the virtual platforms to the storage array so that you can maximize the storage performance for your SQL Servers and the virtual environment.

The session is priced at $129.95, but through the end of August you can sign up for just $99.95.

I hope to see you there,


August 9, 2012  2:30 PM

SSWUG Virtual Conference Registration Is Now Open

Denny Cherry Denny Cherry Profile: Denny Cherry

It’s that time of year again, it is time for the SSWUG virtual conference.  There is a great set of speakers for this virtual conference including myself, Kalen Delaney, Eric Johnson, Kevin Kline, Brian Knight, Lynn Langit, Bill Pearson and Jason Strate and more.  Every one of these speakers is a top notch speaker but most are also very good friends of mine and I can say for sure that this virtual conference will be time and money well spent.

One of the great things about these virtual conferences is that you don’t need to travel to attend.  Sessions can be watched from home or work, all you need is a computer and a set of speakers (or headphones).  Looking over the schedule, there are going to be a lot of really good SQL Server 2012 sessions on the schedule.

Now when you go and register for the virtual conference (it only costs $159 for three days of great training material) be sure to use VIP Code VCDENNY (you have to click the “Update Registration” button for the code to take).  So stop stalling and get registered.  There’s another bonus when you register for the virtual conference, because there is so much great material which will be available, you may not be able to see all the sessions you want to the day of the virtual conference.  Because of that you can view the recordings of the sessions for 30 days after the conference ends for free.

I’ll see you at the conference (in the chat rooms at least),


August 9, 2012  2:00 PM

Second Edition of Securing SQL Server now longer available for pre-order. It’s Shipping! (repost)

Denny Cherry Denny Cherry Profile: Denny Cherry

In case you missed the blog post over on securingsqlserver.com, I wanted to repost it here…

I’m afraid that I’ve got some bad news.  You can no longer pre-order Securing SQL Server 2nd Edition from Amazon.

Instead you have to settle for ordering the book outright and having it shipped to you.  That’s right, no more being a pre-order book, it’s published and available to be shipped directly to you.  Currently Amazon is selling the book at full price which is $49.95, but if you have Amazon Prime it is available for Amazon Prime shipping.  Because it is considered to be a text book you get a $5 Amazon MP3 Credit (what ever terms and conditions that Amazon chooses do apply).

This is a totally updated edition of the book including all sorts of new information about security within SQL Server 2012.  I of course cover things like how to secure AlwaysOn Availability Groups, how to use user defined server roles, contained users, etc. I also dive into how to properly secure SQL Server Reporting Services and SQL Server Analysis Services so they can’t be used to access data that people shouldn’t have access to.

All in all this book is much larger with Amazon showing it at 408 pages compared to just 272 pages for the 1st edition.  If you find someone cheaper to purchase it make sure that you are in fact ordering the second edition.  The ISBN number is 1597499471.

I hope that you pick up a copy of the book and that it is useful for you in securing your SQL Server environment.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: