Have I got a deal for you.  Simply use the discount code EXSP150 when you register for the PASS Summit and you’ll save $150.

That’s it.

Denny

The first step was to figure out which node of the cluster was running as the active node, so we could start with the passive node. The next step was the tell cluster to not allow failovers of the SQL Cluster. Next we opened the SIOS Data Keeper Cluster Edition GUI and break the mirror for the disks that we are going to upgrade. Then I logged into the Azure portal and converted the VM from a G2 into a GS2 so that premium disks could be attached. After the VM restarted (don’t forget, this is the passive node so there’s no outage for the restart) the disks are removed from the VM and the new disks are added. The new disks were added via PowerShell like this:

get-AzureVM -name ServerName | add-AzureDataDisk -CreateNew -DiskSizeInGb 1023 -DiskLabel ServerName-T http://Something.blob.core.windows.net/vhds/ServerName-t.vhd” | update-AzureVM

After the disks are all added, they are formatted and given the correct drive letters.

Next SIOS Data Keeper Cluster Edition is told to restart the mirror. This forces it to do a full sync as there’s no data on the old drives. This takes forever as we are limited to reading data from the disk at the speed of the old standard disks (500 IOPs). Once it’s done (in this case there was about 200 Gigs of data to replicate across three disks) the cluster can be failed over (this is the only outage in the process).

We can now upgrade the second VM to support premium storage, then change out the disks and restart the replication again. It’s a long process but it works, and there’s just a single outage to the process.

Denny

Using Microsoft DiskSpd to Test Your Storage Subsystem

DBTA – StretchDB, a Cool New Feature in vNext SQL Server

The Case Of The Auto-Truncating Table

Updating Your Data Strategy Requires a Shift in Thinking

Study Finds that CIOs Vastly Underestimate Shadow IT

Hopefully you find these articles as useful as I did.

Don’t forget to follow me on Twitter where my username is @mrdenny.

Denny

The differences between this year and past year are:

• This is 2015 not 2014
• My SQL Karaoke party is on Tuesday October 27th, 2015
• The URL to register for the party is http://www.dcac.co/go/2015-party, and this years party is being sponsored by SIOS just like last year
• The URL to register for Argenis Without Borders is here
• The URL to register for PASS Summit 2015 Speaker Idol can be found here
• The convention center is a little bigger in 2015.
  • PASS is expanding into the convention space called the TCC (The Conference Center).  You can access the TCC by talking across Pike Street or by walking through the lunch hall (4E & 4F).
  • The registration area will be back where is used to be in the atrium under the escalator to the 6th floor.  I’m pretty sure I pointed it out in the 2014 recording as where it was in prior years.

Sorry for having to use the 2014 recording, but it is what it is.  Thank you to SIOS for coming through so quickly with the recording for last year’s webcast.

Denny

What do you need to do to get into speaker idol?  Step 1 is to fill out the application form.  It’s got a few basic questions about where you’ve presented before and how to get in contact with you.  That’s pretty much it.  From the people that submit for the Speaker Idol we’ll select 12 people to be in the competition.

The full rules for being eligible can be found here.  With the rules as they are written probably 95% of PASS attendees are eligible as are most people who have spoken at an event (other than the PASS Summit) before.

The Speaker Idol is a great way for those speakers who aren’t as well known in the community to get in front of a national audience, which will include members of the content committee (the folks who select the sessions for next year).

So if you’ve ever wanted to speak at the PASS Summit, this is your chance.  Get signed up, and get ready to present.  If you don’t register you can’t earn yourself a speaking spot at the PASS Summit 2016.

Denny

This years event will be at the same venue, Cow Girls Inc. Like last year we’ll have the live band instead of the KJ. And yes the mechanical bull will be running (we didn’t hurt anyone last year, so we’ll try again this year) so you can drink, sign and ride the bull; the perfect combination.

The party will be October 27th at 9:30pm and will run until about 1:30am Wednesday morning. Conveniently the welcome reception for the PASS Summit ends at 9pm Tuesday night so you can go straight from there to the Karaoke party. The only requirements to attending is the ability to have a good time. Singing isn’t required (but someone has to do it, and it won’t be me, which is for your benefit not mine, trust me), but if after you’ve had a little courage in a glass you want to, we’ll have a great band to back you up.

Like in prior years anyone is welcome to attend, but you’ll need a wristband for the open bar if you want the free drinks. You can register for a wristband at http://www.dcac.co/go/2015-party. The wristbands are first come first served, and you’ll need to be at the bar by 11pm to pick up your wristband.

I look forward to seeing everyone at the PASS Summit and at the SQL Karaoke party on Tuesday night.  Below you’ll find some pictures from last years party.

Denny

Denny

Building High Performance, Highly Available SQL Servers on Azure

Fear has Replaced Apathy as the Number One Enemy of Data: Implications for Lovers of Data

10 Emerging Big Data Vendors to Watch

Modeling Slides: $#@! Your Database Says About Me…and How to Fix It in Your Data Model

Nuance Says Your Car Will Understand You Much Better Within a Few Years

Hopefully you find these articles as useful as I did.

Don’t forget to follow me on Twitter where my username is @mrdenny.

Denny

In order to register for the session please visit this url. Once you have registered you’ll be able to get the conference call details as well as download a calendar reminder.

If you haven’t ever attended the PASS Summit before we’ll cover all the important things you need to know about the event, such as how to get from the airport to the convention center (hint, you don’t want to rent a car). Where the good food in town is, how to find things inside the convention center (it’s a big place if you’ve never been there before), and much more.

So get signed up for the webcast, get the calendar entry put into your calendar, and I’ll see you on Monday September 7th.

Denny

This is normal and setup this way by default.

First I’ll explain the why, then how to change this.

The Why

Fixing It

Site to Site VPN

The first thing you’ll want to do it connect to your Azure account and browse to the virtual networks. Select the network that you want to modify and you’ll get the properties of the network to pop out on the next blade. It’ll look something like this.

You’ll want to click on the VPN Connections section on the right, select site-to-site, check the “Create gateway immediately” check box, then click on Local Site and enter a name and the public IP for your office network as well as tell Azure what all the IP Subnets for your internal office network are. It’ll look something like this, then click OK to get back to the “New VPN Connection” blade.

Click the “Optional Gateway Configuration” button and change the routing from Dynamic to Static. If you want to change the IP subnet for the private side of the VPN within Azure you can do here as well. You can also select the gateway size between Normal and High performance, but the high performance one will probably cost more money. If you are a large enterprise you probably need the high performance option, if you are a small/medium business the normal gateway will be just fine. Click OK all the way back down to the virtual network blade and wait for the network changes to be made. This can take 5-10 minutes for the VPN endpoint to be created and spun up.

After Azure is done doing it’s thing the configuration section of the portal will look something like this.

Click on the “VPN Connections” panel and a new blade will open. At the top you can download the script to configure the office router to use the VPN connection.

Point to Site VPN

The first thing you’ll want to do it connect to your Azure account and browse to the virtual networks. Select the network that you want to modify and you’ll get the properties of the network to pop out on the next blade. It’ll look something like this.

You’ll want to click on the VPN Connections section on the right, select Point-to-site, and tell Azure what all the IP Subnet to use for people who VPN in should be. Any private IP subnet will work as long as you haven’t used it in one of your Azure networks already. The portal will verify that the IP subnet you enter will work. Something like “192.168.5.0/24″ should work fine.

Click OK all the way back down to the virtual network blade and wait for the network changes to be made. This can take 5-10 minutes for the VPN endpoint to be created and spun up.

After Azure is done doing it’s thing the configuration section of the portal will look something like this (but with the Point to site icon in color).

Click on the “VPN Connections” panel and a new blade will open. At the top you can download the VPN software that you will need to connect your computer to the Azure network securely.

Opening Access to the Virtual Machine from the Public Internet

To open an endpoint browse to the VM in the Azure portal. Open the properties of the VM in the Azure Portal, then click the “All Settings” option. Then select “Endpoints”. It’ll look something like this.

If you see a “SQL Server” endpoint with 0 ACL Rules then the work is half done (shown above). If there are ACL rules then you should be finished unless you need to add more ACL Rules.

If there is no SQL Server endpoint click the “Add” button at the top of the Endpoints blade. Name the endpoint “SQL Server”, select the protocol TCP, then set the ports to 1433 (or whatever TCP ports you want to use, but 1433 is the default). Select to setup access rules for whoever needs access and block any subnets that don’t need access and then OK back to the VM’s properties.

Now What

Denny

Securing SQL Server, Third Edition: Protecting Your Database from Attackers

In this edition the book is upgraded to include SQL Server 2014 and about 50 additional pages of information over the 2nd edition (about 190 more pages than the first edition).

Denny

I welcome these new readers of the book (and hopefully this blog, which is only published in English, sorry about that) and hope that they did a good job translating the book so that it makes sense in Portuguese.

Getting a book translated into another language is a first for me.  All I can say is that it’s pretty cool that someone feels that my work is good enough to take the time and money to translate it into another language.

Denny

If you are going to put the files on the Internet via iCloud, DropBox, Cubby, etc. then encrypt the files.  If they are encrypted it will be a LOT harder for someone who downloads them to view them.  They can share them all they want, but without your encryption key they won’t be able to see the data in the files.  Now if you aren’t involved in technology this probably sounds pretty hard, and it can be but if you’ve got files that you really don’t want to have out there for the public to view, then it’s probably worth an afternoon of your time to learn about this stuff so that you can protect yourself.  Do some reading, take a class at the local community college, buy my book, there’s lots of options available to you.

If you have these sorts of pictures and videos that you don’t want online, grab an old computer, disconnect it from the Internet, and put the files on there.  Use this machine for only those files, and never connect it to the Internet.  Odds are you don’t plan on sharing those files with anyone besides yourself, so having them on a computer which can’t get on the Internet probably isn’t a big deal.  If you loose those files is it that much of a problem?  After all you can always take new ones, and that’s most of the fun anyway, right?

After you’ve got your files encrypted you still need to do things like put a pin number on your cell phone, put passwords on all of your computers (especially that one with the naughty pictures on it), and use two factor authentication for everything that allows you to including your email, blogs, websites, banks, etc.  Of all of these your email is the most important one to have two factor authentication for, as this is where all the other services will send password reset messages to.

Now for the love of god, remove all those pictures from the Internet before you do anything else.

You would think that various colleges around the US would have a better idea of network security, but apparently not.  Now these aren’t really all that important, and it would slightly embarrassing at worst if someone started making changes to these.  However not everything that was found was so.

A kiosk at a college

Something else at a college

Display board of a college library

A desktop at a college

There’s some stuff that could have a direct impact on peoples day to day lives.  Such as the controls for a grain silo, which I could be told to dump all the grain from the silo onto the ground, which would ruin the grain and cost the farmer a lot of money.

Appears to be a Grain Silo

Or we could lock down the pumps at this gas station.

A large Gas Station

Ever wanted to control a car wash?

A Car Wash Control System

How about a movie theater?

Cinema City Movie Theater Control System

Or maybe we could screw around with the Parking ticket Kiosk for the city of Oakland, California, USA.

City of Oakland Parking Ticket Payment System

There were a large number of people’s desktop computers just sitting there available.  In this one the person is writing code for an application.

Someone actively writing code

It isn’t just small companies that have their systems exposed to the Internet for no reason at all. Here’s the Double Tree hotel in Boston, MA (a member of the Hilton family of hotels).  This system happens to be the display board for what’s going on in the conference rooms on the day the screenshot was taken.

The Boston Double Tree’s conference room TV

So far all of these systems have been pretty harmless.  But there are some pretty big control systems online as well.  Here’s the control systems for a hydro-electric plan which is producing around 480kw or power.

Some sort of Hydro-electric plant generating about 480kw of power

Here’s what appears to be another power plant.

My best guess is a power plant

Or if coal mining is more your speed, this appears to let us control the loaders, belts, trains, etc. for an active coal mine.

Coal Mine Control System

Here’s the control systems for a few more power plants, all of which are available to anyone who knows how to look for them.

A Power Plant

Another Power Plan

Yet another power plant

I’m not really sure what this controls, but it looks pretty important.

Something very industrial looking

I wonder what kind of wells these are that we can shutdown?  Water, oil, could be anything.

What appears to be a well monitoring system

Maybe there’s someone important hooked up to this heart monitoring system at a hospital.

Heart Monitor for a hospital bed

Every one of these systems can be connected to, and controlled from anywhere in the world because they don’t have even the most basic network security setup on these devices.  Do any of these devices need to be connected to the public Internet?  No, there’s no valid reason for a single one of these to be on the Internet, but they are.

Companies who run these systems need to take better care of their networks, because eventually someone who is looking to do some actual damage is going to stumble across the tools and techniques which are used to find and access these systems.  And once that happens it’s to late.  Thankfully Paul McMillan was just doing research, imagine if his plan was to do actually do damage.  I’ve shown you just some of the power plants, hospital equipment, and food storage locations which he found.  It would have been a simple task to just shutdown all those systems one by one as he found them and no one would have had any idea that it was him, or even what happened.  According to all the logs at the power plants someone would have issued the shutdown command from which ever control system that Paul was connected to.

Someone needs to get the message out to these companies, utilities, etc. that they need to fix these problems BEFORE it’s to late, not after.

Denny

Special Thanks to Paul McMillan for doing the hard work of scanning all these systems, and to Information Security Expert Dan Tentler (@Viss) for sifting through and finding some of the interesting ones and sharing them with me for this post.

ethics image via Shutterstock

I’m pleased to say that I’ve been invited to join a panel Thursday April 24th at 2pm EDT (11am EDT). This panel is titled “Ethics & Data Modeling“, which is a pretty timely topic given things like the Target breach, HeartBleed, etc.  There will be 5 people on the panel including myself.  The other members will be Karen Lopez, Len Silverston, Tamera Clark and Kerry Tyler.  This will be an interesting panel as Karen, Tamera, Kerry and I will all be located at the same place (should be interesting for Len).

The panel has an open Q&A time where you can ask the panel questions during the discussion.  There are some topics that we’ll be starting with (and probably deviating from pretty quickly).

Is my computer infected?

No, your home computer isn’t going to be infected with anything.  Heartbleed exists because of a bug in the software which handles the data encryption on some web servers.

Are all websites infected?

No.  Not every website is infected.  There is no easy way for us the end users to know which websites are still suffering from the problem and which ones aren’t.

How can I protect myself?

The only way to protect yourself is to not use websites which are suffering from the Heartbleed problem.  If you are using websites which haven’t had the needed patches installed on them, then any information which you send to those websites could be read by an attacker.

Is there a list of websites which are safe to use?

Sadly no, there is no list of websites.  All you can do is check with the company which runs the website or wait for them to tell you that their webservers have been patched.

Is this something that I need to worry about?

Sadly the answer here is yes.  If you shop online, or use the same username or password or different websites then you might be at risk.  There’s no way to know if your information has been leaked or not, so it’s best to change your passwords for all the websites that you use.

How would I know if a website is safe to use?

There’s no easy way, or any way to really know for sure.  The best bet for an end user is to look at the SSL certificate for the website and see what the dates for when the SSL certificate was issued.  If that date is April 2014 or later then it is probably safe.  The reason that I say this is that part of the threat is that the private keys for the websites certificate may have been compromised, so websites are getting new certificates and having the old ones disabled.

Finding if the certificate is new is pretty straight forward.  In your web browser such as Internet Explorer, Firefox or Chrome connect to the website in question, I’ll use Google.com as an example.  Once connected to the website find the padlock which shows that the website connection is secure, which I’ve circled below in Internet Explorer, and click on the padlock.

When you click on the padlock you’ll get some basic information similar to what you see below.  Click on the “View certificates” link at the bottom.

This will show you the certificate itself, which you can see below.  At the bottom you’ll see the dates which the certificate is valid from and to.  If the from date is in April 2014 or later then it’s probably safe.  You’ll notice that the from date in this case is April 2, 2014.

If you are using Firefox or Chrome the steps will be very similar but the screens will look a little different.

What should I do?

The best thing you can do is change your passwords for all the websites which you use, and use a different password for each website.

As I learn more about this, I’ll post it here.

Denny

The amount of data which they uploaded is massive, taking 27 DVDs worth of data (you can typically fit more than one encyclopedia set on one DVD) so you can imagine just how much information that would be if it was printed.  To make all this even worse the servers which make up the Google service which this data was uploaded to aren’t in Europe, instead being in the United States which is another problem as the European Union (EU) has specific laws about sending the data about people who live in Europe outside of Europe.

The kinds of data which was uploaded include the patients NHS number, their address, post code (zip code), date of birth, gender, what doctor they saw, as well as their inpatient, outpatient and emergency records.

And all of this was done without any sort of notice to the patients or a way to opt out of having your data uploaded to Google.  This is just another example of people (the ones who work for PA Consulting in this case) trying to get their job done but in doing so creating a massive problem for hundreds of thousands of people (or more depending on how many people’s data was included).

According to the article the information uploaded was the “entire start-to-finish HES dataset across all three areas of collection – inpatient, outpatient and A&E”, so basically everything that the NHS has ever collected.

The number of law suits which will be started up and the number of government inquiries will be amazing to watch as PA Consulting attempts to defend themselves from this mess which they’ve just created.

This sort of data breach is the worst kind for consumers because there isn’t any way to protect yourself from this as it was totally out of the hands of the consumers as to what happened and who had access to the data.

This is one of those cases where the best we can do is complain to the people in charge (in this case your local MP) to work to get the data removed from Google’s cloud servers and ensure that something like this never happens again.

Denny

Needless to say I’m pretty thrilled that the book is being recognized outside of the world of IT.

Denny

The safest assumption is that if you’ve used your card at Michaels in the second half of 2013 you’ll want to request a new card from your bank.  If you don’t want to go through the hassle of getting yet another new card then at the least you’ll want to monitor your bank account regularly to ensure that no one else is using your card to have purchases. I’d go with this for now until Michaels tells us more about the details of the breach.

Denny

Denny

The only way to get signed up is via the webpage which target has setup at https://creditmonitoring.target.com/.  Any other website which claims to be signing people up for this (and there are going to be several of them popping up rather quickly).  Also if anyone calls you trying to get you signed up they are scamming you.

If you shopped at Target, I’d recommend getting signed up for the monitoring service.  According to Target:

Guests have until April 23, 2014 to sign up to receive an activation code. Activation codes must be redeemed by April 30, 2014.

So go get signed up,

Denny

As part of Target's ongoing forensic investigation, it has been determined that certain guest information - separate from the payment card data previously disclosed - was taken from Target. This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.

If Target has encrypted all the PII which sat within their database then this data breach wouldn’t have that big a deal because the data which was stolen would have been encrypted and useless to the thieves.  However based on the fact that Target had to announce the breach we are left to assume that the data wasn’t encrypted.

Because someone (probably a developer or project manager) made the decision to store all this PII in plain text instead of taking the time and CPU power to encrypt this information we the customers of Target have to pay the price.  And there is nothing that we can do about this as customers other than not shop there any more, which in reality this isn’t always an option.

As IT workers we need to push our employers and clients to ensure that they are properly encrypting all PII data possible so that the customers and general public aren’t put through this sort of thing.  Pushing to make this happen won’t make us popular with managers, or co-workers as it does add more work to the workflows and more work in general, but this is something which we must start doing.  And I’m not talking about encrypting data when at rest, but actually encrypting the data in the tables so that when an attacker exports the data from the tables using a basic select statement they get useless information, otherwise the entire data encryption process was pointless.

Someone within organizations needs to step up and start bringing this up in meetings.  If you don’t do it, no one will and this sort of massive data theft will happen again.  Just because you don’t work in a large retailer doesn’t mean that you shouldn’t be bringing this up in your company.  EVERY company needs to be thinking about this because you never know how much information the systems will be holding or how these systems will be used in the future, so it’s best to plan for the best now.

Denny

The website “have i been pwned?” (https://haveibeenpwned.com/) has been created to help you solve this exact problem.  This website is very simple, when there are large amounts of data which have been breached and the lists made public they will be loaded into this website so that you can search and see if your account was on one of the lists.

Let me be clear, the person who created this website is NOT the person who is stealing your data, he’s just taking data that someone else has stolen and making it so that you can easily search the data without having to figure out where to get the data, and without having to figure out how to search through all this data manually.

So who created this site?  The answer here is also pretty easy, his name is Troy Hunt and he is trustworthy.  He is a well known IT security researcher and author who made this website to make everyone else’s life easier.  If you have questions about the site, I would recommend checking out the FAQ that is posted.  If you’ve read Basics of Digital Privacy Troy’s name may look familiar.  This is because I talked about Troy a couple of times in the book, and you’ll see a couple of links to Troy’s blog over on the links page, specifically this one.

Currently the website allows you to search the site, and it allows you to setup alerts so that when new data is loaded into the system if your email address has been compromised the website can email you.

I highly recommend checking your email address via this website and setting up alerts for your email address.

There are new features coming that Troy is working on, but I’m not going to steal Troy’s thunder.

Denny

A couple of weeks ago the Midnight DBAs were kind enough to invite me to their web show “DBAs @ Midnight” to talk about my new book “Basics of digital privacy”. It’s a video which is a bit different from what you’ll normally see here.

As this is a late night talk show style webcast, this show may not be safe for work … or kids.

I had a great time on the show and I hope you have a great time watching it.

Our current concept of credit cards and how they work was designed decades ago when data encryption was basically non-existent outside of government work. Because of this all the data that is needed to steal every penny in your checking account is carried around in plain text in your wallet in the form of your debit card (which if you are in the US probably also functions as a credit card as well). I’ll say it again everything is stored in plain text so that anyone with a magnetic strip reader can simply read the information from the card and use it. This information includes your credit card number, bank information, expiration date, and any other information about you and your account that the bank has decided to put onto the card.

The banking industry has come up with all sorts of security safeguards that they put in place to try and ensure that your credit card information is safe, except encrypt the data on the card so that a thief can’t read it. The rest of the world has evolved their banking and credit card systems, but not the US because we don’t like change. And most importantly the banks like being able to charge merchants extra swipe fees for different kinds of transactions.

What we should be using here in the US is a system called chip and pin. The credit card looks exactly like it does today, but instead of swiping your credit card like we do today, instead you insert the card into the reader. The reader prompts you for your pin number, much like when you use your card as a debit card. If the pin that you enter matches the pin which is stored in the chip, then the data is decrypted and the machine charges your card directly, then it simply tells the cash register that the charge was accepted or declined. The credit card information never goes to the stores cash register so the problem that Target had simply wouldn’t have happened. The credit card information is sent to the bank via either a phone line or via the network, but the data is encrypted before it leaves the credit card machine so there is no risk of it being intercepted between the credit card machine and the bank.

One of the big reasons that banks don’t want this to happen is that every transactions now becomes a pin transaction. Banks charge fees for pin card transactions, as do some stores. If every transaction is a pin based transaction the banks (and the stores) will have to stop charging these fees which means that they will loose profit (which is all these fees are, pure profit). So instead of loosing out of some profit the banks instead put our time, and sanity at risk as now about 40,000,000 people will either need to watch their bank accounts daily to ensure that there’s no fraud on their account, or cancel their card (like I did) and not have a debit or credit card for 2-7 days (depending on how long it takes your bank to send you a new card). And don’t forget that this is all happening over Christmas and New Years holidays so having working credit cards is kind of important.

It should be obvious by now that the banks aren’t going to give us a more secure banking system to use. The government needs to step in and mandate that the banks and credit card companies move us to a more secure system and that system should be the same system that the rest of the world is using. The chip and pin system which the rest of the world uses is a well used system that everyone has gotten used to using. Staying with the existing system just isn’t a realistic plan. This breach is going to cost target a small fortune in fines, fees, consulting dollars, etc. as they try and deal with it. Wouldn’t it be nice if it simply wasn’t possible.

Many stores are actually getting ready for these new cards already. You may have seen the new card readers which have a swipe on the side and a slot in the bottom to insert your card. These consoles are the ones that we should be using, just with the swipe option disabled.

There will be some pushback I’m sure because this means change. Yes you will need to remember your pin number. But you probably already have one for your debit cards, and it’s really not that hard for you to remember that pin number. People will need to get used to inserting the card instead of swiping it. You’ll get used to it. The biggest change will be when you go out to eat as the server will now bring the credit card machine to do instead of disappearing with your card as you’ll need to enter your pin on the portable keypad. I admit it takes a little getting used to, but it isn’t that big of a deal. I promise.

The only way this is going to happen is if the federal government requires it. And I really hope that they don’t mandate something different from the rest of the world because that would be the only mistake that’s a bigger one than keeping what we have today.

Denny

This post is a little bit different from prior recordings which I’ve posted. The big difference here that you’ll notice is that I’m not the person doing the interview, instead I’m being interviewing for SQL Server Radio which you can find at sqlserverradio.co.il. In this recording by Matan, which was done at the SQL Rally Amsterdam, we cover a bunch of topics.

Normally Matan does his podcast in Hebrew as he’s normally recording in Israel. This recording is thankfully in English as my Hebrew is a little rusty. The part with me which is in English starts a little more than 5 minutes into the recording.

You can find the original posting on Matan’s podcast site or you can listen to the recording below.

This week in episode 029 I’m joined by Jessica Moss who is a Senior Business Intelligence & Data Warehouse Architect from Virginia.  In this episode Jessica and I talk about what a data warehouse is, and some of the problems that came come up with working through a data warehouse project.  Specifically how the language of the business, who has their own language much like IT does, can greatly impact how the data warehouse project is worked through.  Additionally you need to get people to set aside their own ideas of how things need to be done so that, at least for a while, people who are working on the data warehouse project focus on the data warehouse and it’s needs not just the needs of the line of business application which they normally work on.

This week in episode 028 I’m joined by the Midnight DBAs Sean and Jen McCown.  Sean and Jen are located in Dallas Texas where they broadcast the Midnight DBA webcast from.  In this weeks episode we talk about a bunch of different topics including some of the issues with moving from a more traditional job role as a database administrator to being an Independent Consultant, among other topics that you’ll just have to listen in to explore.  We do kind of jump all over the place.

This week in episode 027 I’m joined by Boris Hristov from Bulgaria.  Boris is a SQL Server Database Administrator and Trainer for HP in their consulting services branch of the company.  In this episode Boris and I talk about why all DBAs need to have basic presentation skills.  And it isn’t even for those DBAs who want to get into presenting, but just the normal DBAs which most of us are need to bone up on our PowerPoint and get used to standing in front of our peers at the office from time to time.

Aside from that we also chat a little bit about some of the issues that people are seeing when it comes to adopting SQL Server 2012 (hint, it’s mostly a money problem).

As always, thanks for listening and I hope you enjoy the show.

This week in episode 026 I’m joined by Chris Testa-O’neill, John Martin and Andre Kamman.  Chris is a BI consultant with CoEo based in the UK, John is a Database Administrator based on the UK and Andre is a BI and SQL Server consultant based in the Neatherlands.  In this episode, which was recorded at SQL Saturday 194 in Exeter, England, we talk all about BI Architecture and some of the things that people should be looking at when starting a BI project.

I hope you enjoy the session.

This week in episode, number 025 I’m joined by Grant Fritchey.  Grant is a product evangelist for Red Gate software which means he’s probably got the coolest job around.  His job is to talk to people about Red Gate’s products.

During the show this week we talk about some of the ups and downs of working from home and some of the tricks that we’ve learned over the years of working from home to keep yourself sane and keep being productive while working somewhere which is both distracting and isolating all that the same time.

You can find out more about grant on his blog “Home of the Scary DBA“.

In this weeks episode, which is episode 24, I’m joined once again by Karen Lopez.  Karen is a project manager and architect with Info Advisors.  She is also a fellow NASA TweetUp alumni as well as being the owner of some of the most famous and well traveled Barbie dolls in the world.  During this episode we talk about data security, and data loss.  Data loss has been a major problem recently for a lot of companies and government agencies which has led to a lot of peoples information being exposed to what ever random person found/stole it.  Karen and I talk about some of these recent data loss events and how they happened and how they could have been avoided; and most importantly why they should be avoided.   Karen has written a lot about data breaches which you can read about here.

Here are some write-ups of some of the data breaches which we talked about during the podcast.

Got Health Data? Your Penalty Exposures For Data Breaches Just Increased

Federal Department Bans Use of Portable Devices (YAFF)

Utah Health Department – Yet Another Flashdrive FAIL (YAFF)

BC Health Ministry Data Breach Affects Millions

Karen’s Data Modeling Blog at Datversity.net

Salary data

This week in episode 023 I’m joined by Chris Webb.  Chris is a SSAS and PowerPivot Consultant and Trainer based out of the UK.  Chris and I talked over Office 2013, BI and where everything BI has come from, where it is in 2013 and where it’ll be going in the future.  We also talk over some of the potential pitfalls that BI adoption has which includes the fact that people don’t deploy the new versions of Microsoft Office right away.  Hopefully things like Office 365 and SharePoint Online will help people move into the BI Space faster.  Listen in for more…

This week in episode 022 I’m joined by Gail Shaw who is a fellow SQL Server MVP and a SQL Server Consultant from Johannesburg, South Africa.  Gail is a major question answerer on some of the forums where she answers lots of SQL Server programming questions.  During this weeks episode Gail and I talk through some of the biggest problems that she sees in questions that are asked.  This includes things like BEGIN TRANSACTION, COMMIT and ROLLBACK TRANSACTION, as well as a single stored procedure that does everything, and of the biggest issues that she sees online error handling, or more specifically the lack of error handling and the improper use of error handling.

It seems like the majority of health data breaches I read about are via insiders with access to patient information systems stealing and selling their data.

Federal authorities say Sergei Kusyakov, who was involved with Metro Chiropractic and Wellness Center and City Lights Medical Center, illegally obtained private information about patients through Dale Munroe II and his wife, Katrina Munroe, who worked at Florida Hospital’s Celebration campus.

Authorities said Dale Munroe accessed more than 763,000 records for patients treated at various Florida

…

Additional reading can be found at the original author’s post.

New submitter uCallHimDrJ0NES writes “Security researcher Mark Gamache has used Moxie Marlinspike’s Cloudcracker to derive hashes from captured NTLM handshakes, resulting in successful pass-the-hash attacks. It’s been going on for a long time, probably, but this is the first time a ‘white hat’ has researched and exposed the how-to details for us all to enjoy. ‘You might think that with all the papers and presentations, no one would be using NTLM…or, God forbid, LM. NTLMv2 has been around for quite some time. Surely, everyone is using it. Right? Wrong! According to the last data from the W3 Schools, 21% of computers are running XP, while NetMarketShare claims it is 39%. Unless someone has hardened these machines (no MS patches do this), these machines are sending LM and NTLM responses!’ Microsoft has posted a little guidance for those who need to turn off NTLM. Have fun explaining your new security project to your management, server admins!”

…

Additional reading can be found at the original author’s post.

vikingpower writes “As a previous Slashdot story already reported, Ruby on Rails was recently reported to suffer from a major SQL injection flaw. This has prompted the Dutch government to take the one and only national site for citizens’ digital identification offline (link in Dutch, Google translation to English). Here is the English-language placeholder page for the now-offline site. This means that 16 million Dutch citizens cannot authenticate themselves anymore with government instances, and that those same government instances can not communicate anything to those same citizens anymore.” Fixes were released, so it looks like it’s on their sysadmin team now.

…

Additional reading can be found at the original author’s post.

RI labor dept. warns of possible privacy breach.

I think about data encryption, physical access controls to servers and such on a regular basis. But there are all kinds of formats via which data gets stored or communicated.  The Rhode Island Department of Labor recently had a data breach involving their call center.  Customers were able to hear conversations on other calls.  The department estimates fewer than 700 pe

…

Additional reading can be found at the original author’s post.

Folks have cited the recent InformationWeek article on how South Carolina’s Department of Revenue was hacked because the SC state government basically said, “It’s the IRS’ fault for not telling us we should encrypt social security numbers.” I’m not going to touch that. It stands on its own for its foolishness. However, I did key in on how the hack happened and how the data was obtained. I found this bit to be particularly interesting:

“But with more work, by Sept. 12, 2012, the attacker had successfully located and begun copying 23 database backup files, containing 74.7 GB of data, to another directory. Soon, the attacker compressed the data into 15 zip files, transferred them to another server, sent the data to an external system — outside the state’s control — and deleted the zip files to help hide the data breach, according to Mandiant’s report.”

In other words, the attacker, once inside the trusted network, located the database backup files, zipped them up, and then copied them offsite. That’s how the data was lost. The database backups were attacked.

…

Additional reading can be found at the original author’s post.