Archive for July, 2009

I just finished watching the evening news, like I do every night before I go to bed. I was appalled at the most recent identity theft issue that has plagued the great city in which I reside. It appears that the local campus of Colorado University has had one of its professors’ laptops stolen (I believe from his home). I know that the information on this laptop is vital to the students, the school and the professor. The news did a great job of explaining the events and talking to the school to find out if there were any cases yet of identity theft, and fortunately, up to this point, none of the students’ information has been used illegally. The data that was taken included student data from as long ago as 2003 (if I heard correctly), and some of it did include social security numbers. In my opinion, there needs to be an investigation into why this loss/theft of data happened, and it should be made public…just as public as these students’ identities could potentially be. If the school had to declare this information publicly, then maybe others would take notice and fix the issues so this does not happen again.

The following questions I believe need to be answered publicly:

  • Why does a professor need to have a student’s social security number at all? I believe we have the right to know.
  • What was the professor doing with the social security numbers that impacts those students?
  • Who made the decision that the professor could see this information?
  • Where were the people who are responsible for keeping this data safe?

In a few months many parents will have their children head off to that school, and many adults may head back into those rooms. How do they know that a number that will stick with them for life is going to be kept safe when the school has access to it? How am I, the parent of a soon-to-be college student, going to explain to my son that the place where he expects to learn the skills that will stay with him for the rest of his life is letting professors not only view his SSN, but take it home on a laptop?

I am disgusted; do they not have a DBA there? Did no one think that this information should be protected? I think it is time that we form an alliance of DBAs who will swear an oath. This is of course a draft version, but shouldn’t we be doing something like this?

I, <insert your name here>, a DBA who could potentially have access to data that could harm others and to data that could ruin lives, swear that I will protect that data as if it were my own. My responsibilities leave me in a state where I may have to tell my employer that they are not protecting their customers, and my responsibilities do not end after the database has been backed up. I will never use the data that I am responsible for, for my own gain. I will pressure anyone who has bad practices to correct their ways. I will not let my guard down for criminals to take advantage of my systems.

Sure, the oath needs some work. I am debating bringing up a web site and seeing if I can rally DBAs to take this oath and to move forward with being the professionals that we are. If you agree with me that it is time to make a change, please comment on my blog or send me your e-mail address. This needs to stop, it needs to stop now, and it needs to start with us…the database professionals.

Recent Question

Posted: July 27, 2009 in Uncategorized

Sometimes my brain just needs a rest; I hope that yours does as well. If not, then I must just be getting older. So I apologize for my most recent lapse of non-posts. There has been a lot going on. The first thing that I would like to make sure I mention is that Stephen Wynkoop and I are going to get together to teach a class on SQL Server. This class will be in Tucson, AZ, in September, for 3 days. The reason that I wanted to mention it is so that you can get your name on the list if you would like to be part of this class. We are only going to allow 15 students in each class. If this sounds like something you would like to do, I would recommend putting your name on the list to save a seat before the seats go on sale.

The way I understand it, the seats will go on sale sometime this week. People who have said they have an interest will be notified 1 day before the public site is opened. If you want to be on that list, please send an e-mail to dbaschool@sswug.org and mention Chris’s Blog in the body.

So for the post today…

I had this question in my inbox about a month ago, and I believe I answered it for him via e-mail, but after looking at it for a while I thought I would put it up here on my blog.

Hi Chris,

I have attended the recent virtual SQL conference and listened to your lessons. Our company has a small database (5G) but requires 5,000-10,000 concurrent connections. Sometimes we get slow database response. So we are considering upgrading the SQL Server. Currently the server is SQL 2000 on Windows 2003.

My question is whether a single SQL Server 2005 or 2008 on Windows 2005 can handle this number of concurrent connections, assuming the application is perfect?

Thanks

This question leaves me with a lot of questions that I would need to have answered before I could provide him with some really good feedback. So I started by breaking down the information that I have. The current server is SQL Server 2000. This server handles 5k to 10k connections, but sometimes the database slows down. The big question that I take out of this is: what is causing the slowdown? I have to assume it is something in the hardware, since the application is perfect. However, does “the application” also include the database design and how the database is read by the application?

Really, the core pieces of information we need are what the database looks like, what the hardware looks like, and what is causing these slowdowns. I would start by pulling a perfmon on the server to get a baseline of how the hardware is behaving when the server is good and when the server is bad. If the server behaves poorly at a predictable time, or we can cause it to slow down, then we could also run a trace during those times to better help us understand.

In short, there is no true answer as to how it will react. I have seen systems go from SQL 2000 on 32-bit machines to SQL Server 2005 on 64-bit machines with no increase in speed. The client had reached a bottleneck with their design and finally reached a point where they would have to fix it before they saw the benefits of bigger hardware.

With all that being said, SQL Server 2005 should outperform SQL Server 2000.
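As an added example, not from the original post or the reader’s e-mail, here is one way to build the “good versus bad” baseline described above from inside SQL Server rather than only from PerfMon: snapshot the cumulative wait statistics on a schedule and diff consecutive snapshots. It assumes SQL Server 2005 or later (sys.dm_os_wait_stats does not exist on SQL Server 2000, so it applies to the upgraded server, not the current one); the table name dbo.WaitStatsSnapshot and the list of idle wait types to ignore are my own choices.

```sql
-- Added example (not from the original post): snapshot-and-diff of wait statistics
-- to baseline "good" vs "bad" periods alongside PerfMon and a trace.
-- Assumes SQL Server 2005+; sys.dm_os_wait_stats is not available on SQL Server 2000.
-- dbo.WaitStatsSnapshot is an assumed name for this example.

-- 1. Create a place to keep snapshots (run once).
IF OBJECT_ID('dbo.WaitStatsSnapshot') IS NULL
    CREATE TABLE dbo.WaitStatsSnapshot (
        snapshot_time       DATETIME     NOT NULL,
        wait_type           NVARCHAR(60) NOT NULL,
        waiting_tasks_count BIGINT       NOT NULL,
        wait_time_ms        BIGINT       NOT NULL,
        signal_wait_time_ms BIGINT       NOT NULL
    );
GO

-- 2. Take a snapshot. Run this during a "good" period and again at the start and
--    end of a "bad" period (for example from a SQL Agent job every 15 minutes).
INSERT INTO dbo.WaitStatsSnapshot
    (snapshot_time, wait_type, waiting_tasks_count, wait_time_ms, signal_wait_time_ms)
SELECT GETDATE(), wait_type, waiting_tasks_count, wait_time_ms, signal_wait_time_ms
FROM sys.dm_os_wait_stats;
GO

-- 3. Diff the two most recent snapshots and rank the waits that grew the most.
--    The DMV counters are cumulative since the last restart, so a negative delta
--    means the instance restarted between snapshots and the interval is not usable.
WITH Snaps AS (
    SELECT snapshot_time,
           DENSE_RANK() OVER (ORDER BY snapshot_time DESC) AS rn
    FROM dbo.WaitStatsSnapshot
    GROUP BY snapshot_time
),
Delta AS (
    SELECT cur.wait_type,
           cur.waiting_tasks_count - prev.waiting_tasks_count AS waits_delta,
           cur.wait_time_ms        - prev.wait_time_ms        AS wait_ms_delta,
           cur.signal_wait_time_ms - prev.signal_wait_time_ms AS signal_ms_delta,
           DATEDIFF(SECOND, prev.snapshot_time, cur.snapshot_time) AS interval_sec
    FROM Snaps s1
    JOIN Snaps s2 ON s2.rn = 2
    JOIN dbo.WaitStatsSnapshot cur  ON cur.snapshot_time  = s1.snapshot_time
    JOIN dbo.WaitStatsSnapshot prev ON prev.snapshot_time = s2.snapshot_time
                                   AND prev.wait_type     = cur.wait_type
    WHERE s1.rn = 1
)
SELECT TOP (10)
       wait_type, interval_sec, waits_delta, wait_ms_delta, signal_ms_delta,
       wait_ms_delta - signal_ms_delta AS resource_ms_delta
FROM Delta
WHERE wait_ms_delta > 0
  -- Idle/background waits that are always present and carry no signal; list is my own choice.
  AND wait_type NOT IN (N'SLEEP_TASK', N'LAZYWRITER_SLEEP', N'BROKER_TASK_STOP',
                        N'SQLTRACE_BUFFER_FLUSH', N'WAITFOR', N'LOGMGR_QUEUE',
                        N'CHECKPOINT_QUEUE', N'REQUEST_FOR_DEADLOCK_SEARCH',
                        N'XE_TIMER_EVENT', N'BROKER_TO_FLUSH', N'BROKER_EVENTHANDLER',
                        N'CLR_AUTO_EVENT', N'ONDEMAND_TASK_QUEUE')
ORDER BY wait_ms_delta DESC;
```

Comparing the top waits from a good interval with those from a bad one is what tells you where to point the trace: a large signal share relative to total wait time points at CPU scheduling pressure, PAGEIOLATCH_* growth points at the disk subsystem, and LCK_* growth points at blocking, which is a design problem that bigger hardware will not fix.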

SSWUG Newsletter

Posted: July 21, 2009 in Uncategorized

Thought if you missed this you may want to check this out.

New Onslaught of Injection Happening as We Speak
Just a heads-up.  There is a new injection wave happening right now – it’s a blind injection routine that simply tries to run against your web-based application without regard to whether you’re returning error messages or providing feedback that a hacker can use against you. 

The hack uses the fairly well-known technique of walking through your user tables and updating character columns to insert a javascript reference.  What’s interesting is that the routines that are doing the poking appear to be re-attempting access numerous times and look to be automated, but we’re not sure.  Remember to watch your form parameters that you’re passing in – checking each of them for tell-tale injection issues.  

We’ve talked about injection before – and I’m putting together a workshop about it to talk about things you need to know about, what we’ve seen, mistakes we’ve made along the way (and learned from) and much more.  The key things:

– check inputs – if it’s supposed to be a number, make sure it is.  Check out isnumeric()
– use stored procedures, pass in parameters.  SQL Server will force the parameters to the right value type and won’t execute the statement, but rather just treat it like data.
– clean your inputs – watch for single quotes, “CAST” and the things you should have no business seeing on your inputs.

One thing – many people filter on keywords.  Those won’t trip on these types of injection attacks.  The reason is that the hackers are asking SQL Server to interpret the data and create a SQL statement, then execute it.  It’s not like they’re passing in a statement from which you can filter out “UPDATE” keywords and the like.  

Lastly, do ALL of the protective things, all the time and test your system continually.  Don’t do some, some of the time.  You’ll get bit.
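The following is an added example and is not part of the SSWUG newsletter quoted above. It shows the lookup pattern this kind of wave abuses, written first the vulnerable way (value spliced into the statement text and handed to EXEC) and then the way the newsletter recommends (a stored procedure that passes the value to sp_executesql as a typed parameter), and it ends with a scan that walks the same character columns the attack updates to look for injected script references. The object names (dbo.Customers, dbo.Customer_Lookup_Vulnerable, dbo.Customer_Lookup_Safe) and the sample rows are constructed for this example; everything used exists on SQL Server 2000 and later.

```sql
-- Added example, not from the SSWUG newsletter. Object names and sample rows are constructed.

IF OBJECT_ID('dbo.Customer_Lookup_Vulnerable') IS NOT NULL DROP PROCEDURE dbo.Customer_Lookup_Vulnerable;
IF OBJECT_ID('dbo.Customer_Lookup_Safe') IS NOT NULL DROP PROCEDURE dbo.Customer_Lookup_Safe;
IF OBJECT_ID('dbo.Customers') IS NOT NULL DROP TABLE dbo.Customers;
GO

CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    UserName   VARCHAR(50)  NOT NULL,
    Comment    VARCHAR(500) NULL
);
-- Constructed rows; the second one has already been tampered with so the scan below has a hit.
INSERT INTO dbo.Customers (UserName, Comment) VALUES ('alice', 'good customer');
INSERT INTO dbo.Customers (UserName, Comment)
    VALUES ('bob', 'late payer<script src="http://example.invalid/x.js"></script>');
GO

-- VULNERABLE: the parameter value is spliced into the statement text, so SQL Server parses
-- whatever it contains as code. Kept only for the contrast; never deploy this shape.
CREATE PROCEDURE dbo.Customer_Lookup_Vulnerable @UserName VARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(4000);
    SET @sql = N'SELECT CustomerId, UserName FROM dbo.Customers WHERE UserName = '''
             + @UserName + N'''';
    EXEC (@sql);
END
GO

-- FIXED: the value goes to sp_executesql as a typed parameter and never becomes part of the
-- statement text, so quotes, CAST(...) or EXEC inside it are just characters in a string.
CREATE PROCEDURE dbo.Customer_Lookup_Safe @UserName VARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(4000);
    SET @sql = N'SELECT CustomerId, UserName FROM dbo.Customers WHERE UserName = @u';
    EXEC sp_executesql @sql, N'@u VARCHAR(50)', @u = @UserName;
END
GO

-- The same payload against both procedures (constructed; 48 characters, fits VARCHAR(50)).
DECLARE @payload VARCHAR(50);
SET @payload = '''; UPDATE dbo.Customers SET Comment = ''pwned'' --';
EXEC dbo.Customer_Lookup_Safe @UserName = @payload;
-- EXEC dbo.Customer_Lookup_Vulnerable @UserName = @payload;   -- runs the embedded UPDATE
GO

-- Detection: walk every character column of every base table (the columns this wave
-- updates) and count rows carrying a script reference. Identifiers are wrapped with
-- QUOTENAME and no user input enters the statement, so this dynamic SQL is safe.
DECLARE @schema SYSNAME, @table SYSNAME, @column SYSNAME, @stmt NVARCHAR(4000), @n INT;
DECLARE @hits TABLE (SchemaName SYSNAME, TableName SYSNAME, ColumnName SYSNAME, RowsHit INT);
DECLARE cols CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS c
    JOIN INFORMATION_SCHEMA.TABLES t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar', 'text', 'ntext');
OPEN cols;
FETCH NEXT FROM cols INTO @schema, @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @stmt = N'SELECT @n = COUNT(*) FROM ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
              + N' WHERE ' + QUOTENAME(@column) + N' LIKE ''%<script%''';
    EXEC sp_executesql @stmt, N'@n INT OUTPUT', @n = @n OUTPUT;
    IF @n > 0
        INSERT INTO @hits (SchemaName, TableName, ColumnName, RowsHit)
        VALUES (@schema, @table, @column, @n);
    FETCH NEXT FROM cols INTO @schema, @table, @column;
END
CLOSE cols;
DEALLOCATE cols;
SELECT * FROM @hits;
GO
```

Against the safe procedure the payload is compared as a literal user name, so the lookup simply finds nobody and the table is untouched; uncommenting the call to the vulnerable procedure runs the embedded UPDATE against every row. Note that the safe version does not filter anything: it does not matter whether the value contains UPDATE, a quote or a CAST of a hex string, because the value is never parsed as SQL, which is exactly why the keyword filters the newsletter warns about are not the fix. The scan at the end is the defensive mirror of the attack’s own table walk and is worth running on a schedule, with the pattern widened to whatever your site should never legitimately store.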

Fun with Restores

Posted: July 15, 2009 in Uncategorized

Just a quick note today. I have been pretty busy over the last couple of days testing and working with restores. On the agenda today are a number of items, and the list keeps getting longer while the time gets shorter.

Today part 2 of a 3-part series on How to Hire a DBA is up and running.

Today will be the Colorado Springs SQL Server User Group Meeting with Peter Myers.

July 16th
SSWUG will be publishing a new article I wrote with some thoughts about a neat white paper I was reading by Maurice De Vidts.

July 21st is the Deep Dive SQL Server 911 Backup Workshop.

July 22nd to the 24th is the Summer Refresher Conference, which will include the showdown between Stephen Wynkoop and me.

July 29th part 3 of 3 of the How to Hire a DBA series is up. (I believe if you register now it will be free.)

In the middle of this schedule I have to find another slot of time for travel and see if I can start to make my way down to Tucson to get ready for the live event showdown.

I just loaded the new Microsoft Office 2010, and to be honest, so far I like what I see. I think there have been a number of improvements to the common menu options that I use. I will put more of this down later as I work with the tool some more.


Smack Down

Posted: July 9, 2009 in Uncategorized

In my last post we talked about how it’s on: me versus Stephen Wynkoop, all about SQL Server. Well, to my surprise I saw this video about the upcoming conference.

So you want to see what happens when I stay late and the producer is kind enough to use his awesome talent to help me?

So Mr. Wynkoop, I will see you in 10 days, on set and live. No recording, no stunt doubles, and a bunch of SQL Server tips and top tens.

Oh It’s On!

Posted: July 7, 2009 in Uncategorized

Ok, so maybe a little drastic, and maybe a touch old. But I was talking with Stephen Wynkoop about some SQL stuff today and we started going back and forth on what we thought about a certain topic. For some reason or another an episode of the TV show South Park came to mind (I was Cartman, obviously). So anyhow, I have got to say I think he stood on his desk and declared that it’s on. I did not know what to do. Is this legit, and is this really for real? Is it really on? Did I just get served? Or pwned (I think my son calls it)? No matter, the results are the same. It is so on. And I am going to bring my A game.

We have decided that we are going to finish this like men. Ok, grown men who cannot take the disagreement out back anymore. So the results are going to be coming to you live. Here is the setup and the rules.

We are going to have three topics. These three topics will be agreed upon today. It will be something along the lines of the 10 best SQL scripts or the 10 best performance enhancers for SQL Server. But the end result is that you, the viewers of the Summer Conference, will see the battle right there at home or work. We each will have to answer what we believe the top 10 of a certain subject is and then present it to the other. When the lists don’t match is when the match begins. There will be boards (white ones) and lists. We will be asking you, the attendee, to be the judge. You have a say because this will be live, and you can help either Stephen or myself, or maybe just yourself.

Keep an eye out; I think you will see this on the site soon. The best news is that this will not be a timed session. It will not be over until one of us yells uncle.


Shhhh Listen

Posted: July 6, 2009 in Uncategorized

Well, I am getting ready to head off for another trip; this time I am going to film some sessions for the upcoming SSWUG Summer Conference. As I was looking into a few of the subjects I will be speaking on I got lost in the blog chain, where I found one great post after another. One that I stopped on was an interview with Claire Brooking done by Sarah Blow. The entry as a whole was well done, as it talked about how Claire sees women in technology. What I found of most interest was the last question, which I think is the one I get asked most often: What piece of advice would you give to anyone wanting to get into an IT career?

If you want to look into the original article it can be found here.

As I was contemplating the answers that Claire gave, one in particular jumped out at me: listen to other people. The more I thought about this, the more I could not help but think about what this means. I think this piece of advice could be meant for everyone everywhere, but as I apply it to what I have done over the last 5 years I cannot help but think how important this is and how much it is not happening. So I challenge you as readers: are you really listening to what is being said?

A number of years ago I was the senior administrator at a company where a major upgrade was being developed that would dramatically impact the business. I was always caught off guard by the number of times that management would push deadlines and deliverables. There were a number of times when management would not ask the development team how long a specific task would take but instead would state what they wanted done and when they wanted it done by. The lead developer on the project would try to meet those project timelines, but when deadlines were missed or were under-delivered, the wrath of management was felt. The employees under this one manager even got to the point where they knew that every 6 months the VP of that group would have a week where, no matter what the circumstances were, everyone in the group was a slacker, everyone in the group was at risk of being fired and everyone in the group was worthless.

Phil Factor posted an entertaining piece on IT in the sci-fi world and how the teams could or could not reprogram a ship’s functions. As he went through this he pointed out the sad but true methods that we have put in place. If the future holds the same attitude as the present for moving towards a single goal, we are in sad shape. Well, that is my opinion.

As I am now no longer in the employment of the company that I mentioned earlier, it is much easier to see the issues. The biggest one is the lack of anyone’s ability to listen.
If the VP had listened, then maybe the developers would have been able to set better expectations with management about the challenges they were going to face, and either get the help needed to overcome those or make adjustments to ensure that proper expectations were being set. If the development team had listened a little more, they may have understood the importance of the release and how much it would impact the company.

As basic as it sounds, I am surprised at how much I see this. Everyone wants to do the best they can; many want to be the hero or the superstar, the most valuable player. How many people set out to be the supporting guy or gal, the backup singer, the team equipment manager? Does all this desire to be the “hero” put people in the mindset of “I know what needs to be done and I know how to do it”? I don’t mean to take away from people who are the go-getters or the just-get-it-done types. Maybe this is a little self-reflection; I know that if I were to listen more, then I could be in a better place.

Well, I guess today is a true rambling. I am amazed at how a simple statement can get me thinking.

Same Old Problems

Posted: July 1, 2009 in Uncategorized

First of all I would like to send congrats out to all the new and renewed MVPs.

Over the last couple of months I have been working on a few consulting jobs and helping out here and there with different projects and companies. I can’t help but notice a number of recurring problems. The funny thing is that it first appears as a technical issue, and it ends as a technical issue. But I cannot help but notice over the last 5 years how some problems become magnified just because people are afraid to say, “let’s review my area because I may have missed something”. I used to think this had a lot to do with empire building. Empire building is something a person does when he or she believes his or her responsibilities are not as well rounded as they would like them to be. Today I am not so sure.

For Example:

I worked at a company for a number of years; they decided to implement a SAN as storage. There was a very lengthy process that we went through to move databases from local to SAN storage. One database in particular was of interest: it had a Delphi app that would gather data and then insert it into the database every night. When the database was on local storage this process would take about 4 hours, if I recall correctly; however, when we moved it over to SAN storage the performance degraded.

There was only one change that was made to the system: the introduction of the SAN. However, when it came down to it, the hardware people, the developer, the network people and the vendors were not willing to approach the situation openly. To be honest, I am not sure that I did it as openly as I could have.


The answer that I would really like to get down to is why we put a fence around our area of responsibility if we all have the same goal of correcting a problem. Maybe an even more important question is how we break down that wall and ask the right questions or take the right approach, so that the time spent finger pointing is put to better use by trying to correct and/or fix the issue.