MS Issues Critical SQL Server Flaw Warning
silent wire writes "ZDNet is reporting on a pre-patch security advisory from Microsoft warning about an unpatched remote code execution vulnerability affecting its SQL Server line. Exploit code is publicly available so affected users should pay special attention to the workarounds from Microsoft."
Re:Exactly what is vulnerable? (Score:3, Interesting)
Funny. Being a DBA, I always say the same thing about developers....
But in all honesty, you're partially correct in that good DBAs are hard to come by. In the 10+ years I've been working in the field, I can immediately think of three examples of DBAs that fit your description:
1) A DB2 DBA working for a large state government agency who couldn't write a SELECT statement.
2) A lady claiming to be an "MS Access DBA"
3) A guy who designed an OLTP database used for tracking help desk tickets that contained no normalization whatsoever
I think part of the reason is that almost nobody is actually pursuing a role as a DBA. They actually planned on being developers or sysadmins, and sort of accidentally ended up in the DBA role. I think being a DBA requires a person who is knowledgeable with coding, security, administration, and hardware; it takes a different kind of training and experience than a developer or a sysadmin is going to be exposed to.
Re:Exactly what is vulnerable? (Score:3, Interesting)
This will be exploited only in the situation where the DBA is a complete and total moron of the highest degree.
You mean the kind of person who'd use Microsoft software in a security critical situation?
This is modded "Flamebait" but really this is just the "use the right tool for the job" idea. I know that if I were dealing with a medium or large organization and it were up to me, I would consider using Microsoft software for the end-user's desktop machines. It would be the most familiar software for the users, it's reasonably easy for them to use, and the network on which it is deployed can be locked down (which would, of course, include making sure that no Windows machine has a public IP address).
I definitely would not consider using any Microsoft product for the servers, especially if they are accessible on the public Internet. Microsoft's documented security history is one reason. My sincere personal belief that no matter what they say, Microsoft doesn't give a damn about security and they won't start caring about it so long as their products keep selling, which has always been the case, is another. Another reason is that if there is a vulnerability in open-source software, I am not completely dependent on the vendor to fix it. Also, a database may be a bad example of this, but with most open-source programs you have a variety of different ones to choose from and you could replace your current solution with another with minimal hassle. So, if one server has a critical security problem and I cannot find a patch, fix it myself, or find a workaround, I can easily replace it with something else. Compare that to Microsoft's proprietary file formats, embrace-and-extend tactics, and other deliberate incompatibilities designed to create vendor lock-in and then tell me how easy it would be to replace something like a database server (even if it would have zero effect in this case, do you really want to support this kind of business practice or do you prefer to deny that this is what you are doing?). The ease of remote administration of *nix would be another reason why I wouldn't use Microsoft for a server. The fact that, in general, *nix solutions simply have better uptimes and are easier for a skilled sysadmin to maintain than Windows solutions is yet another reason. Then there are extra security options available for Linux that are not available for Windows or only partially available for Windows, such as compiling from source with SSP (good luck with that on Windows), SELinux, using PaX and grsecurity to prevent stack-smashing attacks or to use RBAC, and lots of other nice options that are desirable in a secure server.
License costs would be another, more distant reason, although I say that with the awareness that software licenses are usually a small part of the overall costs.
Anyway, that's how I feel about it and I have reasons for why I feel that way. I really believe that Microsoft is one of the worst available solutions for this type of server, that superior solutions with more functionality and better security can be had even for free. Maybe using Microsoft for this doesn't qualify as "a complete and total moron of the highest degree" but it shows a pro-Microsoft bias (as in "that's all we know!") in the least and might indicate poor decision-making. Ever notice that most *nix admins can handle Windows but most Windows admins do not know their way around a *nix system? It's another sign that this is not a culture of carefully considering all available options, as in show me an administrator who is highly skilled with both *nix and Windows who still prefers Windows, and I'll call that a legitimate preference (and a member of a small minority). You might not feel that way and have reasons why you disagree. Either way, it's not flamebait to say so (mods, I'm sorry, but as a group you're rather bitchy and trigger-happy lately -- apologies to the ones who don't knee-jerk).
If anything, the parent post shou
Re:Exactly what is vulnerable? (Score:3, Interesting)
I think the issue is unrealistic expectations. 10 years ago, being a DBA in the sense many companies want it (an SQL guru who can do whatever with the database and lock it down and administrate it) was possible.
Today, enterprise grade RDBMS are very complex, SQL is more than just a query language, and databases tend to support more (.NET, java, python, etc). Administrating them is just as tough as administrating servers. It can be a full time job for a large company. So you end up with 2 different "jobs". A database developer (often also a business intelligence specialist, though that can be its own job too), and an actual database administrator. Asking someone to be a specialist in all these positions is setting yourself up for failure. It is possible, and it does exist, I know a few...but it's still not realistic of the average IT person. By making those 2 (or 3) specialities into distinct positions in the work environment, it becomes a lot easier to find someone who can fill them, AND people can do their job to their full potential.
It's like asking a programmer to also be a designer. Some can do it. All 3 of them.