Someone Stole My Credit Card Number

Two weeks ago on Saturday morning I got a push notification on my phone from American Express that a potential fraudulent use of my card had been attempted and denied 14 seconds earlier. I had loaded the phone app just to try it out and I think I had used it once, so it was a mild surprise to see the notification. I was just reading it and thinking about the 14 second part when the phone rang – Amex security. Someone had tried to use the card at a truck stop type place in Georgia (I’m in Orlando). I had my card and it had not been out of my possession, telling me that there had been a breach somewhere. They cancelled the card, offered to overnight me a new one with chip and pin, and emailed me a list of merchants that appeared to have recurring transactions so I could update my payment information with them. First class service.

14 seconds. Given that they analyzed the transaction and denied it at point of sale it’s hard for me to complain about it taking 14 seconds to notify me. In terms of rules and/or machine learning I’d guess it wasn’t a hard catch, it was a charge 500 miles from my last location at a location I had never used before. I’d like to see a presentation on how they do it, at a high level. Much like time boxing the generation of a query plan, they can only spend x time checking before they return an ok or not to the point of sale.

I’m curious if/when I’ll find out the source. My guess is that it was a skimmer because they duplicated the card and that required the magnetic track data. It’s a lot less likely it was a hack of a merchant system because they would not have the track data stored (assuming they follow PCI), but it could have been a POS hack along the lines of Target. Seems like it wouldn’t take long to figure out either way unless it was really a one off hack and that’s not likely.

So far I’ve used the card at a handful of places and not one has used chip/pin. Remains to be seen how effective it will be. I’m for doing the things we can do.

It cost me 5 minutes for the call and a little time thinking about it because I’m curious, but no real impact. It’s the big reason I have cards from each of the major card issuers, I don’t want to have something like this happen while I’m traveling and have to worry about waiting on a replacement.

Thinking Ahead to SQLSaturday Orlando 2016-Tenth Anniversary

I’ve been talking to Team Orlando recently about following the great example set by Code Camp Orlando for celebrating 10 annual events. Our first was in 2007. That is an impressive run. We’ve been lucky to be able to transition leadership of the event many times, from me to Jack Corbett to Karla Landrum to Shawn McGehee to Kendal Van Dyke, and back to Shawn this year. We’ve had the same venue for the entire time and it’s hard to quantify just how big a deal that has been for us. So what could we do different/better to celebrate the 10th anniversary? What is worth doing? We don’t need to bake the entire plan now (we’re working on the 2015 event right now), but we need to forecast anything special that needs lead time. My focus isn’t just the what, it’s the why. What things can we do that not only celebrate our accomplishments but set the stage for the next ten years?

To figure that out, I’m going to start by doing what I always do for events, put on a different “hat” and try to think about how that category of person sees the event, and what I can do to improve their experience. For each row (and I may add/remove some as I go) I hope to fill in one or more things we can do to celebrate accomplishments and one or more things we can do to make things better (and perhaps different) in the future. Some may take money over and above what we normally do, some will just take the effort to envision and execute. I won’t do this in a vacuum, the team here will ultimately decide what to do and what it can support. I’m also mindful that there are other events that will soon hit their 10th anniversary, and that PASS could/should also be thinking about how/when it wants to jump in and add to this. More in the next week or so.

 

                     Celebrate Accomplishments    Plan for Future
Volunteers
Leaders
Speakers
Sponsors
Attendees
Venue
Networking
Seminars
PASS
oPASS/MagicPASS

SSC Editorial: Would a Duress Password be a Good Idea?

Would a Duress Password be a Good Idea? ran on April 21, 2015 in the SQLServerCentral.com newsletter. Good editorials should provoke thought and discussion. I rate it as partially successful. I knew when I wrote it that the idea of coercing a password from someone was an edge case that’s easy to dismiss, but those cases do exist, both in the physical and virtual worlds. How I wrote it – that’s a reminder to watch the things that can distract from the message, in this case my example of one way to implement a duress code by changing case on an existing password. Still, a decent amount of discussion.
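As an added example (not code from the editorial or from SQLServerCentral): one way the case-change duress code mentioned above could be implemented. The real password and its case-inverted form are both stored as salted PBKDF2 hashes; a login with the inverted form is granted exactly like a normal login but flags the session so a silent alert can be raised. The record layout, function names and the `alert` hook are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the cleartext of either form is never stored.
    # Iteration count kept modest for the example; tune upward in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def duress_variant(password: str) -> Optional[str]:
    """The case-inverted password acts as the duress signal.
    Returns None when the password has no cased letters (digits/symbols only),
    because then no distinct duress form exists and enrollment must say so."""
    flipped = password.swapcase()
    return None if flipped == password else flipped

def enroll(password: str) -> dict:
    """Store hashes of both the real password and its duress form (assumed
    record layout). Design caveat: an attacker guessing passwords now has two
    accepted strings per account, i.e. roughly one bit less work."""
    salt = os.urandom(16)
    record = {"salt": salt, "pw": _hash(password, salt), "duress": None}
    alt = duress_variant(password)
    if alt is not None:
        record["duress"] = _hash(alt, salt)
    return record

def check_login(record: dict, attempt: str) -> Tuple[bool, bool]:
    """Return (grant_access, duress).
    On duress the caller grants access exactly as on a normal login and raises
    the alert out of band; nothing shown to the person at the keyboard may
    differ, or the signal is worthless under coercion."""
    h = _hash(attempt, record["salt"])
    if hmac.compare_digest(h, record["pw"]):
        return True, False
    if record["duress"] is not None and hmac.compare_digest(h, record["duress"]):
        return True, True
    return False, False

def handle_login(record: dict, attempt: str, alert) -> bool:
    """Intended flow: `alert` is an assumed hook that queues a page to the
    response team. It should enqueue rather than block, so the login response
    time does not betray that the duress path was taken."""
    granted, duress = check_login(record, attempt)
    if duress:
        alert("duress login")  # silent, out-of-band
    return granted
```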

So what was the inspiration? Many years ago when I worked for my uncle I was one of a handful of people that had what was called “unaccompanied access” to a vault containing more than a hundred fairly serious automatic weapons, meaning I had the combinations, keys, and authorization to open the vault at any time and allow removal of items. I won’t go into details, but we had a method of signaling duress in the case of someone trying to force us to open the vault and that signal would call in the response team. Being granted that kind of trust is a big deal and as Spiderman says, with it comes great responsibility.

It’s not that we don’t take security seriously in IT – surely we do – but because it’s a shared responsibility I don’t know that we look at it quite the same way.

Thoughts On The SQLSaturday Upgrade & Security Issue

Last week PASS deployed an update to the SQLSaturday web site and then had to take the site down for almost four days to fix security issues. You can read about the features and the issues in these posts from PASS:

I love – truly – that PASS has already posted about what happened. That’s an important step for the org, and one that makes me reluctant to post anything at all about the incident because I don’t want to discourage transparency. I hope the trend of that kind of communication continues.

As far as the upgrade, it seems to go further than just a new coat of paint while still being an evolutionary change and I consider that good – better to do incremental change where possible because doing otherwise can really frustrate users who are used to things being in a certain place. I imagine some of us will value some changes more than others, but I didn’t see anything that felt like it was a step backwards. Many seemed to address common problems from speakers and event organizers – good! I wish there was more data made public via API and/or the guidebook xml file. I’ve heard that with the new site scraping is harder than before, and really, should we make people scrape? That would be an area where some minor add on work could yield some nice benefits.

On the private administrative site used by organizers there was work done also, though I’d like to see more. Some of the reports that I wrote back in 2009 are still there and need review/sprucing up, and the dashboard is still not as functional as I’d hoped – for example it doesn’t have the one marketing chart I value the most, the one that shows cumulative registrations by week (the chart is there, but it’s the number that registered each week, not the cumulative). That’s a minor quibble, but one I hope will get addressed in the next update.

There was a decent amount of messaging about the planned outage for the upgrade. I’d have liked to have seen more messaging either before or after about the details. I think details are both reassuring and interesting. Why and how are perhaps more interesting to us than it would be to a homeowners association. It would also help us assess the duration/investment to the return on that investment. The PASS IT team did a lot of work, it’s always good to tell the story and celebrate the work.

On to the rollout.

I was surprised about taking an entire weekend for the outage, but took it to be a hyper conservative approach which I couldn’t fault. I had just started looking at the new site when the security issue was mentioned on Twitter and then the site was offline.

It’s never good to have a security issue, but it was handled as well as I’ve seen PASS handle any issue – just about an immediate response and the site was updated with a brief message about the outage. Kudos on that.

The messaging after that was ok, but felt minimalist. I’ve been through these, probably you have too, you’re trying really, really hard to fix whatever is broken and get things going, so messaging gets pushed off, delayed, whatever. It’s important to have someone (that is, one person) public facing that can answer questions, even if the answer is “don’t know”. I’d like to have seen the SQLSat web site updated with more news, or links to blog/twitter posts so that attendees or potential attendees had more info to work with – they aren’t all on Twitter.

It seemed to end up being an all or nothing deployment, not my favorite kind. Ideally (and I don’t know if this was possible) the sites would run in parallel for some period of time, the “old” site as primary and anyone who wanted could try the new site.

On the security flaws, stuff happens. I’d be curious to know if PASS is using vulnerability scans and code analysis to supplement testers, but even then, it can be hard to catch issues. It was found, action taken, that’s the good part.

The bad part is obvious, a four day outage on an important site. I’ll argue that to have any site down for four days is just not acceptable. To be clear I’m not suggesting that leaving it up with the security flaw was acceptable either, but that could have been addressed in other ways (killing the page for example). My point is not to second guess decisions, it’s to look at the results. Going into this no one would have said that four days was acceptable and it’s still not.

The site is up and I’m sure post-deployment tasks are being done and lessons learned compiled and internalized. Now I’d like to see PASS go forth and survey users, get good feedback, and publish a backlog and list of ideas for discussion for the next version.

SSC Editorial: Your Cloud Held Hostage–Could it Happen?

I really debated over whether to write Your Cloud Held Hostage – Could It Happen?. Figuring out when/if to adopt is hard enough just on the technical and pricing issues, is it good to add fear to the mix? I finally decided that raising awareness a bit more was worth doing, even if in a small way.

I suspect people will move to the cloud because it’s cheaper, as long as compliance is willing to sign off on the legal side. Think about reversing the argument. Is your local colo more secure than a cloud data center? You can argue it’s a less attractive target in terms of scale, but it’s perhaps a more attractive target because the colo doesn’t have a SWAT team on premises.

Interesting stuff to think on.

Notes on Marketing PASS at Non-PASS Events

This is a follow up to my previous post about Orlando Code Camp. The event team offered oPASS/MagicPASS a free sponsor table and we took them up on it. I wrote a bunch of notes about what worked and what didn’t (below), but the bigger point I want to make is that there are so many people interested in SQL at these events. Some know about us, some don’t. If we will go to these events, present material relevant to them, and really put on our marketing hats to explain what we’re about, there is an audience that is waiting to be reached and served and they fit very well into the world of PASS. It has and still disappoints me that there is so little crossover between the .Net and PASS world, and as far as I can tell there is no official PASS marketing plan to reach out and participate in these events. Regional mentors may participate, but the strategy should be originated at the top. Worth more and longer discussion, but the rest of this is a focus on the tactical stuff of attending to represent PASS and the local chapter:

  • We didn’t have a table cover. Karla (who happens to live in Orlando) has a PASS one, but she was out of town. oPASS/MagicPASS need one (and so should your chapter). I’d like to see the chapter logos large on it, and the PASS logo too.
  • Kendal brought two sign up sheets, one for oPASS and one for MagicPASS. We spent a lot of time explaining the difference. I think we need a sign/map showing the areas served, but we could also change the sign up so that there were columns for oPASS/MagicPASS, plus Tampa and Jacksonville, and even one for PASS. Then they can write info once, pick the ones they want.
  • That said, sign up sheets are a pain. I’d much rather have sign up cards that can go in a box and be used for a raffle, it reduces the queue for the sign up list, and we can put them away – easy to lose a sign up list (wind kept blowing ours off the table, bring a clipboard or paper weight!)
  • We didn’t have business cards or brochures, though we did have a few flyers for an upcoming seminar. We didn’t have the date set for SQLSaturday Orlando and so it was a less than perfect discussion of “sometime in October”. We need a landing page where we can get them to sign up for the list, or we have to just drive them to the chapter pages (easier perhaps).
  • I wish we had all had a PASS shirt, or same kind of shirt
  • We need a PASS stamp for the bingo card
  • We should have put the SQL room number on a big sign
  • We should have duplicated all the marketing stuff in the SQL Room
  • We need signage
  • Part of our problem was not having someone with time to focus on the prep. We should be able to fix that.
  • Another problem was not having logos that could be printed larger and still look good. We need to update logos so we have high resolution ones.
  • We didn’t have a raffle item (we forgot/we should have asked PASS for one)
  • Need a box for raffle tickets, just in case the event doesn’t provide one
  • We didn’t get any/many photos of attendees/sessions
  • We need something that says largely “SQL Server” because PASS, oPASS, MagicPASS doesn’t get their attention. Who are we and what are we selling? I feel like we’re far too passive (here in Orlando, can’t speak to other locations). Why aren’t we asking them to answer five questions on a card to get a sticker or a cup cake or a chance to win? Posters of SQL tips and how to think like a DBA and etc, etc. Why don’t we talk about #sqlfamily?

I can’t blame that on PASS, we (me) just haven’t put the time into it yet. I hope we can fix that. All of that (minus shirts) should be a kit we can readily deploy. Right now our target is Orlando Code Camp next year, but we’ll have others – joint chapter meetings is one case, perhaps other technical events in Orlando.

Notes From Orlando Code Camp 2015

Last weekend I attended the 10th annual Orlando Code Camp. I think I’ve missed two of those due to scheduling conflict. Ten years, and ten consecutive years, that’s a really good run! Former ONETUG Presidents Joel Martinez and Shawn Weisfeld were present along with current President Esteban Garcia. I like that continuity and hope it’s something we can do when we celebrate our 10th SQLSaturday in Orlando next year. Now, on to the notes:

  • Speaker party was good, at Liams, a good location, but parking was really hard to find. Very busy area.
  • Very nice speaker t-shirts this year with the 10th logo on the front
  • ONETUG provided a table for PASS at no charge and gave us prime location too, first table in the door!
  • Attendees received a bingo card, but some confusion about where to turn it in
  • I had 40+ at my presentation on SQL Security for Developers. Didn’t get to the last couple slides, still some fine tuning to do.
  • I attended the presentation on Calculated Columns, Measures, and KPIs, Oh My! by Mike Antonovich and learned some good stuff!
  • Lunch was sandwiches (boxes) from Subway, plus a cupcake truck
  • We had a SQL track, but we should have done more with it – signs and brochures and etc in the room too
  • Talked to a LOT of people. Most had heard of oPASS or MagicPASS or SQLSaturday, but quite a few had not. 40+ sign ups, well worth the effort
  • They do a keynote, and so post-keynote there is a ton of traffic coming through the sponsor area, might have been a good time to just hand out brochures

The event went well, no problems at all. Thanks to ONETUG for a great event and for inviting oPASS/MagicPASS to participate! We’ll be reciprocating soon as we begin preparations for SQLSaturday Orlando later this month.

Time to Rebrand

I became a SQL guy back in 1998 because the company that hired me used SQL Server. It’s been a good ride and it’s paid the bills, but after 15 years or so it’s time to do something different. It’s something I’ve been thinking about for a while. Part of it is wanting to run with the big dogs and while SQL can do great stuff, we don’t have a big dog team, we have a cat team. Couldn’t it at least be a tiger team? Cheetah? Leopard? Something with a fierce growl? The other part is I love the community that has developed and the relationships I’ve built within it – it’s hard to let those go, but I realized that with PASS expanding to include Excel, text files, and probably even XML there’s no reason it can’t add other stuff too. That’s right, after a lot of years I’m giving up the pointing and clicking and moving to a real database, one that will run on Linux even. Today I’m closing out the journey of SQLAndy and starting a new one as….KnowSQLAndy!

Yes, it’s April 1st.

I didn’t have a lot of ideas for it this year, just been busy with other stuff. I debated something about angry pandas (a Twitter thread from a while back), something less politically correct (which I’ll just omit), announcing that Allen Kinsel was going to run for the Board this year, something not at all politically correct (but funny), and a few more. It’s tough to do a good April Fools post. It has to be credible, can’t be too long, shouldn’t be offensive. So I crossed all those off, and that left me with rebranding and one more, which was interesting only because it would seem to be out of character (or maybe not) and is a funny story about being a Dad, but I decided to leave that one for another time. Did you really want to read a post titled Smell My Butt?

It’s not too late for a prank or two. Try BoredPanda (#11 looks like fun), or this list from Mashable (#2 is just wrong, #13 – I might have to try), or one from Buzzfeed (#6 is good for kids).

Enjoy your day.