<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://msmvps.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Rob Farley : security</title><link>http://msmvps.com/blogs/robfarley/archive/tags/security/default.aspx</link><description>Tags: security</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP2 (Build: 40407.4157)</generator><item><title>Code Camps galore</title><link>http://msmvps.com/blogs/robfarley/archive/2007/07/21/code-camps-galore.aspx</link><pubDate>Sat, 21 Jul 2007 10:32:28 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:1045509</guid><dc:creator>Rob Farley</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/robfarley/rsscomments.aspx?PostID=1045509</wfw:commentRss><comments>http://msmvps.com/blogs/robfarley/archive/2007/07/21/code-camps-galore.aspx#comments</comments><description>&lt;p&gt;We all know that Adelaide hosted Code Camp SA recently - it was a great success, and &lt;a href="http://davidgardiner.blogspot.com/2007/07/codecampsa-2007-reflections.html" target="_blank"&gt;some people even wished I was there&lt;/a&gt;!&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.microsoft.com/australia/teched07/index.aspx" target="_blank"&gt;TechEd&lt;/a&gt; is coming up of course, but now there are two code camps scheduled for October, on the same weekend (13-14) and at the same venue! Yes, that place is&amp;nbsp;Wagga Wagga - one Wagga for each event.&lt;/p&gt; &lt;p&gt;Firstly, and most importantly I&amp;#39;m sure, is the second &lt;a href="http://www.sqldownunder.com/" target="_blank"&gt;SQL Down Under Code Camp&lt;/a&gt;. But the other one is the &lt;a href="http://www.securitycampoz.com/" target="_blank"&gt;Security Camp Oz&lt;/a&gt;. 
With me doing the SQL Security talk at TechEd this year, I&amp;#39;m sure I&amp;#39;ll have a good reason to attend both!&lt;/p&gt; &lt;p&gt;Also in October, but the weekend before, and in the UK, the SQL community is hosting &lt;a href="http://www.sqlbits.com/" target="_blank"&gt;SQLBits&lt;/a&gt;. These guys have three streams (Dev, DBA, BI), and it promises to be a fantastic event. I only wish I could be there. I&amp;#39;m sure &lt;a href="http://sqlblogcasts.com/blogs/tonyrogerson" target="_blank"&gt;Tony&lt;/a&gt;, &lt;a href="http://sqlblogcasts.com/blogs/simons/" target="_blank"&gt;Simon&lt;/a&gt;, &lt;a href="http://blogs.conchango.com/jamiethomson/" target="_blank"&gt;Jamie&lt;/a&gt;, &lt;a href="http://sqlblogcasts.com/blogs/sqldbatips/" target="_blank"&gt;Jasper&lt;/a&gt; and &lt;a href="http://cwebbbi.spaces.live.com/" target="_blank"&gt;Chris&lt;/a&gt; will do a fantastic job.&lt;/p&gt; &lt;p&gt;Seems wherever you are, October will be a big month for training.&lt;/p&gt;</description><category domain="http://msmvps.com/blogs/robfarley/archive/tags/community/default.aspx">community</category><category domain="http://msmvps.com/blogs/robfarley/archive/tags/wagga/default.aspx">wagga</category><category domain="http://msmvps.com/blogs/robfarley/archive/tags/code+camp/default.aspx">code camp</category><category domain="http://msmvps.com/blogs/robfarley/archive/tags/australia/default.aspx">australia</category><category domain="http://msmvps.com/blogs/robfarley/archive/tags/sql/default.aspx">sql</category><category domain="http://msmvps.com/blogs/robfarley/archive/tags/security/default.aspx">security</category><category domain="http://msmvps.com/blogs/robfarley/archive/tags/training/default.aspx">training</category><category 
domain="http://msmvps.com/blogs/robfarley/archive/tags/teched/default.aspx">teched</category></item><item><title>Vista requiring ctrl-alt-del before login</title><link>http://msmvps.com/blogs/robfarley/archive/2007/04/02/vista-requiring-ctrl-alt-del-before-login.aspx</link><pubDate>Mon, 02 Apr 2007 10:47:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:742369</guid><dc:creator>Rob Farley</dc:creator><slash:comments>23</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/robfarley/rsscomments.aspx?PostID=742369</wfw:commentRss><comments>http://msmvps.com/blogs/robfarley/archive/2007/04/02/vista-requiring-ctrl-alt-del-before-login.aspx#comments</comments><description>&lt;p&gt;&lt;img style="border-right:0px;border-top:0px;margin:5px;border-left:0px;border-bottom:0px;" height="484" alt="help_ctrlaltdel" src="http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/robfarley.Vistarequiringctrlaltdelbeforelogin_5F00_F86C/help_5F00_ctrlaltdel_5F00_3.jpg" width="241" align="left" border="0" /&gt; So you want to tell Vista to require Ctrl-Alt-Del before you can log on, just like you had in previous versions of Windows. And it&amp;#39;s easy to do: you just have to find the proper dialog box, like the one below. 
You tick the checkbox, and everything is done.&lt;br /&gt;&lt;/p&gt; &lt;p&gt;Now, this dialog box should be easier to find, and I&amp;#39;ll happily be told how to get to it normally...&lt;img style="border-right:0px;border-top:0px;margin:5px;border-left:0px;border-bottom:0px;" height="364" alt="advanceduseraccounts" src="http://msmvps.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/robfarley.Vistarequiringctrlaltdelbeforelogin_5F00_F86C/advanceduseraccounts_5F00_3.jpg" width="338" align="right" border="0" /&gt; &lt;/p&gt; &lt;p&gt;But if you search Windows Help for &amp;quot;ctrl-alt-del&amp;quot;, you&amp;#39;ll get a link to a page which takes you to a dialog box that lets you set this option. In the dialog, it&amp;#39;s on the Advanced Tab, at the bottom. If you can&amp;#39;t find it in the help, you can just run NetplWiz.exe - that will open it for you too.&lt;br /&gt;&lt;/p&gt; &lt;p&gt;I honestly can&amp;#39;t find any other way of opening this dialog box. But this dialog is definitely the place to set the option. I&amp;#39;ve asked Rocky Heckman (of Microsoft) how to get to this really-useful-dialog, and hopefully he&amp;#39;ll have something for me in the next day or so. Any of you readers know how to do it?&lt;/p&gt; &lt;p&gt;Oh, and the reason why you might want this enabled is that you should make sure that you don&amp;#39;t have something asking for your Windows password unless that thing is Windows. 
The Ctrl-Alt-Del combo will always force Windows to jump out of whatever it&amp;#39;s running, so that you won&amp;#39;t ever give your password away.&lt;/p&gt;</description><category domain="http://msmvps.com/blogs/robfarley/archive/tags/vista/default.aspx">vista</category><category domain="http://msmvps.com/blogs/robfarley/archive/tags/security/default.aspx">security</category></item><item><title>Malware distributed by MSN Messenger banner ads</title><link>http://msmvps.com/blogs/robfarley/archive/2007/02/18/malware-distributed-by-msn-messenger-banner-ads.aspx</link><pubDate>Sun, 18 Feb 2007 08:29:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:591814</guid><dc:creator>Rob Farley</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/robfarley/rsscomments.aspx?PostID=591814</wfw:commentRss><comments>http://msmvps.com/blogs/robfarley/archive/2007/02/18/malware-distributed-by-msn-messenger-banner-ads.aspx#comments</comments><description>&lt;p&gt;I'm sure this won't be the case for long; Microsoft tend to be good about addressing things like this.
&lt;/p&gt;&lt;p&gt;Fellow MVP &lt;a href="http://msmvps.com/blogs/spywaresucks" target="_blank"&gt;Sandi Hardmeier&lt;/a&gt; has put out a &lt;a href="http://msmvps.com/blogs/spywaresucks/archive/2007/02/18/591493.aspx" target="_blank"&gt;very detailed post&lt;/a&gt; about the problem; I suggest you read about it there. It does raise some interesting questions. Not least, how are we supposed to protect ourselves against these things? I think her suggestion about making sure that you close unexpected windows using the 'x' in the corner is a good one. And making sure that you have firewalls and virus checkers is an absolute must. Using the 'hosts file' protection against this particular problem will help too.&lt;br&gt;&lt;/p&gt;</description><category domain="http://msmvps.com/blogs/robfarley/archive/tags/security/default.aspx">security</category></item><item><title>Insecure websites</title><link>http://msmvps.com/blogs/robfarley/archive/2006/12/26/insecure-websites.aspx</link><pubDate>Tue, 26 Dec 2006 02:32:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:452302</guid><dc:creator>Rob Farley</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/robfarley/rsscomments.aspx?PostID=452302</wfw:commentRss><comments>http://msmvps.com/blogs/robfarley/archive/2006/12/26/insecure-websites.aspx#comments</comments><description>&lt;p&gt;It really worries me when I stumble across an insecurity in a website. I don't go looking for them, but when I find one, I feel like I have a responsibility to do something about it. I don't mean tell the world about it - that would be bad for the company and more importantly for their unsuspecting customers, I mean to let them know.&lt;br&gt;
&lt;/p&gt;&lt;p&gt;In the case that I found today, I have used the "Contact Us" part of the site, and will call their head office myself tomorrow if I haven't heard a response. I really hope they take me seriously. I will offer to help them out to resolve their problems, of course; I have no desire at all for them to be hacked.&lt;br&gt;&lt;/p&gt;</description><category domain="http://msmvps.com/blogs/robfarley/archive/tags/australia/default.aspx">australia</category><category domain="http://msmvps.com/blogs/robfarley/archive/tags/web/default.aspx">web</category><category domain="http://msmvps.com/blogs/robfarley/archive/tags/security/default.aspx">security</category></item><item><title>Oracle has 3400% more vulnerabilities than SQL Server</title><link>http://msmvps.com/blogs/robfarley/archive/2006/11/22/oracle-has-3400-more-vulnerabilities-than-sql-server.aspx</link><pubDate>Tue, 21 Nov 2006 23:37:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:315567</guid><dc:creator>Rob Farley</dc:creator><slash:comments>3</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/robfarley/rsscomments.aspx?PostID=315567</wfw:commentRss><comments>http://msmvps.com/blogs/robfarley/archive/2006/11/22/oracle-has-3400-more-vulnerabilities-than-sql-server.aspx#comments</comments><description>&lt;p&gt;There has been a lot of talk over the years about how Microsoft products are vulnerable to hacks. When I went through university many moons ago, Microsoft were certainly painted as the evil empire (not necessarily by individuals or as the university as a whole, more just an overall feeling), whilst we were the rebel alliance. We all had Linux boxes at home, running fvwm on X-Windows. And of course, one of the main arguments against Microsoft was that their products could be hacked. 
They were not secure, not reliable, not worth using in the real world.&lt;/p&gt;&lt;p&gt;Of course, I graduated from uni and got into the real world, and found that people actually did use Microsoft products (as well as others). I quickly got into both Oracle and SQL Server, and still there was a general feeling that Microsoft products (including SQL Server) were less secure than others. And it was easy to just accept this as probable fact.&lt;/p&gt;&lt;p&gt;I remember Jesper Johansson having a bumper sticker that said "My other computer is your Linux box", which I thought was funny. It seems that Microsoft products are really only the most vulnerable simply because they have the word Microsoft on them. Seriously. This makes them a target, and because they are the most attacked, the net effect is that they are the most likely to suffer. Or something like that anyway.&lt;/p&gt;&lt;p&gt;So this morning, I came across an article which I found quite interesting. &lt;/p&gt;&lt;p&gt;&lt;a href="http://www.ddj.com/blog/securityblog/archives/2006/11/the_least_vulne.html" target="_blank"&gt;http://www.ddj.com/blog/securityblog/archives/2006/11/the_least_vulne.html&lt;/a&gt;&lt;br&gt;&lt;/p&gt;&lt;p&gt;Seems that Oracle has 3400% more (70, compared to 2) vulnerabilities. Of course, this assumes "proper execution", and I imagine that lots of systems don't do things that way. I think this gives an even better argument for grabbing some of the pre-built VHDs for applications like SQL Server, like &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=558F3ECE-6509-45E9-8D60-25175848A8B7&amp;amp;displaylang=en" target="_blank"&gt;this one&lt;/a&gt;. 
There are ones available through TechNet and MSDN subscriptions too.&lt;br&gt;&lt;/p&gt;</description><category domain="http://msmvps.com/blogs/robfarley/archive/tags/sql/default.aspx">sql</category><category domain="http://msmvps.com/blogs/robfarley/archive/tags/security/default.aspx">security</category></item></channel></rss>