Phil Scott's WebLog

Quite exciting this computer magic

January 2003 - Posts

Security Pixie Dust

Which OS are You?

The moral of the story: You may find this stupid now, perhaps even finding my bizarre "kentucky" sentence structure and spelling hard to follow.  But given time, you'll be telling all your friends and neighbors you've been reading my blog "before phil sold out and became all commercial." 

Anyways, last day of SQL Server in Lexington, KY.  Every time I teach this class I'm amazed at the number of people who code apps with a system administrator account hard coded (or done via impersonation), let alone the people with SA as a blank password.  Two or three students who were taking the course to help them manage some pre-packaged sales software told me that the package software runs w/ a system administrator account with a blank password. 

I don't think people realize the pure chaos one can cause when an app is using the system admin account.  I think some believe that it's some kind of magical "we won't get access errors now when we run insert statements and stored procedures" pixie dust.  There is no magical security pixie dust.  This little VB app always gets a good response (there's a textbox named Text1 that accepts an employeeId):

conn.execute "Select * From Employee Where EmployeeId = " & Text1.Text

Type into text1:

5; exec master..xp_cmdshell 'echo y | format d:'

Formatting a hard drive always seems to raise a couple of eyebrows.  Now, what I always find is that VB people always want to do data validation on the client.  And since the VB app is the only application that will be calling that stored procedure, why should they validate in the sproc too?  That kind of thinking is why the SQL Slammer worm and obviously many others get their play time. 
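To make the difference between pixie dust and an actual fix concrete, here is the same Employee lookup written three ways in VB6 with ADO. This is an added example, not code from Phil's post: it assumes an open ADODB.Connection named conn and the Text1 textbox from the post, an Employee table whose EmployeeId column is an int, and a stored procedure called GetEmployeeById, which is a hypothetical name. The first function is the post's one-liner; the second is the client-only validation the post complains about; the third binds the input as a typed parameter so the text can never become part of the batch, and pairs that with a login that holds nothing but EXECUTE on the procedure.

```vb
' Added example (not from the post).  Assumes: conn is an open
' ADODB.Connection, Text1 is the TextBox holding an EmployeeId,
' Employee.EmployeeId is an int, and GetEmployeeById is a hypothetical
' stored procedure that takes @EmployeeId int.
Option Explicit

' 1) The post's version.  Text1.Text is spliced into the T-SQL batch, so
'    "5; exec master..xp_cmdshell ..." runs a second statement with every
'    right the login behind conn has.  With SA, that is the whole server.
Private Function LookupEmployeeUnsafe() As ADODB.Recordset
    Set LookupEmployeeUnsafe = conn.Execute( _
        "Select * From Employee Where EmployeeId = " & Text1.Text)
End Function

' 2) Client-side validation only.  This particular app is now safe, but
'    the table and procedure are still reachable by anyone with the same
'    connection string (Query Analyzer, the next app, a copied config).
Private Function LookupEmployeeClientChecked() As ADODB.Recordset
    If Not IsNumeric(Text1.Text) Then
        Err.Raise vbObjectError + 1, "LookupEmployee", "EmployeeId must be a number"
    End If
    ' CLng fails with a type mismatch on "5; exec ..." before any SQL is built
    Set LookupEmployeeClientChecked = conn.Execute( _
        "Select * From Employee Where EmployeeId = " & CStr(CLng(Text1.Text)))
End Function

' 3) Parameterized stored procedure call.  The value travels to SQL Server
'    as an adInteger parameter, never as statement text, so a ';' in the
'    textbox has no batch to extend.  The procedure can re-check the value
'    server-side (e.g. IF @EmployeeId <= 0 RAISERROR ...), which is the
'    "validate in the sproc too" the post argues for.
'
'    On the server side the login in conn's connection string should be an
'    ordinary login that has been granted only:
'        GRANT EXECUTE ON GetEmployeeById TO AppLogin
'    so even a bug elsewhere cannot reach xp_cmdshell or the base table.
Private Function LookupEmployeeParameterized() As ADODB.Recordset
    Dim cmd As New ADODB.Command
    Dim id As Long

    If Not IsNumeric(Text1.Text) Then
        Err.Raise vbObjectError + 1, "LookupEmployee", "EmployeeId must be a number"
    End If
    id = CLng(Text1.Text)

    Set cmd.ActiveConnection = conn
    cmd.CommandText = "GetEmployeeById"
    cmd.CommandType = adCmdStoredProc
    ' CreateParameter(Name, Type, Direction, Size, Value); Size is not needed for adInteger
    cmd.Parameters.Append cmd.CreateParameter("@EmployeeId", adInteger, adParamInput, , id)
    Set LookupEmployeeParameterized = cmd.Execute
End Function
```

The same ADODB.Command approach works for plain text, with `cmd.CommandType = adCmdText` and a `?` placeholder in the statement, but the stored procedure plus EXECUTE-only login is the combination that still holds up when the VB app stops being the only caller.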

Heineken mini-bar "worm" virus

Oh, a big thanks of course to Scott Watermasysk for the weblog stuff.  Enough playing tonight, back to the luxurious Extended Stay "We are Saving the Environment by Giving you Crappy Towels and no Shampoo" America.

SQL Server 2000 Security Tools. Pretty cool set of tools to scan your network for the SQL Heineken mini-bar "worm" virus.  A sqlscan -d nwtraders revealed a resounding 8 machines installed on my network that needed to be patched.  Of course, the person who set the classroom up probably didn't want to throw down an SP that MS didn't specify in the year+ old setup guide, so I shouldn't make fun of them toooo much (I'm on their totally unsecure Wireless network right now though.  Thanks guys!)

Blasting forth with three-part harmony

I at one time had a radio blog, but I only had radio installed on my laptop, and I never really had my laptop with me for some reason when I wanted to post.  So it kinda went down the crapper.  I guess I could have figured out how to set the thing up to remotely work, or the bizarro scripting library, but let's be honest, Grand Theft Auto: Vice City just doesn't reach 100% completion on its own.

About me:
I'm an MCT and MCSD teaching VB6, the .NET tracks and the SQL Server development courses.  Basically, I get paid to play with cool stuff, and then I have to share my knowledge with others.  Yeah, life's rough. 

Upcoming Schedule for me (numbers represent MOC course #):

Feb 3 - 7 2073 - Programming a MS SQL Server 2000 Database
Feb 10 - 14 1013 - Mastering Visual Basic 6
Feb 17 - 21 2559 - Introduction to Microsoft Visual Basic .NET Programming with Microsoft.NET
Mar 3 - 5 2071 - Querying Microsoft SQL Server 2000 with Transact-SQL
Mar 10 - 12 2669 - Intro to Programming
Mar 31 - Apr 4 2310 - Developing Microsoft ASP.NET Web Applications Using Visual Studio .NET
Apr 7 - Apr 11 1907 - Building Distributed Applications for Microsoft Windows 2000 with Visual Basic
Apr 14 - 18 2373 - Programming with Microsoft Visual Basic .NET (at night!)
Apr 28 - 30 2565 - Developing Microsoft .NET Applications for Windows (Visual Basic.NET)

If you are in the Louisville area, I talked our sales people into offering 2373, 2310 and 2565 all for the low cost of $1,900 in hopes of driving up interest in .NET.  That's 13 days of training for $1,900.  I don't know if I should feel like a whore for the cost, or if I should get excited about people being able to justify training expenses to start to adopt .NET. 

Oh, I might also be in Santa Barbara sometime in Feb teaching 2373 at a New Horizons there.  We'll see about that though...
