2017 was a crazy year, 2018 is going to be challenging

It’s been a crazy year. In 2017 I’ve done talks in Paris France, Helsinki and Rovaniemi Finland, Sofia Bulgaria, Moscow Russia, Denver Colorado, Las Vegas Nevada, San Antonio Texas, Krakow Poland, Dushanbe Tajikistan, and Raleigh North Carolina. A few of these cities (Helsinki, Moscow, and Sofia) I got to more than one time this year. And these don’t count the side trips to places like Saint Petersburg and London to see the ballet, visit friends, visit a pub, or see a football game. It’s now coming on the end of the year and thankfully I don’t have any travel planned for the rest of the year. You should see my frequent flier statement, but we all know it does not compare to Heli’s frequent flier statement.

Also in 2017, I made Oracle ACE Director. Now if you do the math, estimating there are over 500,000 Oracle Customers and if each customer has five Oracle professionals on staff, that would mean there are over 2.5 Million Oracle professionals in the world. As of this day there are 107 Oracle ACE Directors (the top tier professional advocates) in the world and I am one of them.

Robert Lockard – Oracle ACE Director

Then last month, I was asked by Oracle Magazine about doing a peer-to-peer profile. That was published this morning.

Oracle Magazine Peer-To-Peer

Now when Oracle Magazine asked me to do the Peer-To-Peer, it also included doing a short video. It’s hard to believe, but this short video took me four hours to shoot.

Oracle Magazine Peer-To-Peer Video

What is the plan for 2018? Well, it’s going to be hard to beat 2017, but I’m up to the challenge. I hope to spend a little more time in Saint Petersburg Russia to explore the city some more. This is a seriously beautiful city and I think late May would be the perfect time to explore it. Fortunately, it will be just in time for White Nights.

I’ve decided that in 2018 I will be focusing more on the smaller Oracle Users Groups. Yes, Collaborate, KSCOPE, and RMOUG are great conferences, and I am not abandoning them for good; I’ll return to them perhaps in 2019. On January 1 I’ll be heading back to Europe for a week that will include another new place for me, Tbilisi Georgia, and I also have tickets to see the Nutcracker in Moscow that week. I have two papers submitted to the UKOUG Ireland event in March. I also plan on speaking in Utah, Ohio, Atlanta Georgia, Helsinki, Moscow, Poland, Paris, London, and of course, Bulgaria again. Maybe I’ll also get to do a talk in Saint Petersburg while I’m there.

What else will I be doing? Well, I’m working hard to bring speakers to the Baltimore Maryland area. I already have Steven Feuerstein lined up for January 18th in Baltimore, and Bobby Curtis and I are talking about him coming out in March. I would also love to get SQL Maria out here to do a deep dive into the Oracle Optimizer. Yes, 2018 is going to be a busy year, and I promise I also will be flying my plane more.

Yet another breach through #SQLInjection

The following quote bothered me a lot. “No amount of best practices or prohibitive steps is going to stop a determined hacker.” While this is a true statement, what it leaves out is that if you make it difficult by securing the information, the hacker will move on to an easier target.

Here is the full article: Yet another data breach

SQL injection attacks continue to be successful. To secure your data from a SQL injection attack, you can start by implementing secure coding standards. Here is a link to my write up on using a secure architecture that to date has been immune from SQL injection.

Secure Coding, Code Based Access Control and using multiple schema
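The two ideas above, bind variables instead of concatenated statement text and a separate code schema standing between the application and the tables, are shown in the added example below. This is not the author’s code or the code from the linked write up; the schema names DATA_OWNER, API and APP_USER, the CUSTOMERS table and its CUST_ID and CUST_NAME columns are assumptions made for the illustration.

```sql
-- Added example (not the author's code). Assumed names: DATA_OWNER owns the tables,
-- API owns the PL/SQL, APP_USER is the account the application connects as,
-- and CUSTOMERS (cust_id, cust_name) is the table being queried.

-- 1. The pattern that gets injected: caller input concatenated into the statement text.
--    A quote character inside p_name becomes part of the SQL, so the caller, not the
--    developer, decides what the WHERE clause says.
CREATE OR REPLACE PROCEDURE api.get_customer_unsafe (
  p_name IN  VARCHAR2,
  p_out  OUT SYS_REFCURSOR)
AS
  l_sql VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT cust_id, cust_name FROM data_owner.customers '
        || 'WHERE cust_name = ''' || p_name || '''';   -- input is statement text here
  OPEN p_out FOR l_sql;
END get_customer_unsafe;
/

-- 2. Static SQL: p_name is compiled as a bind variable. Whatever it contains is compared
--    as a value and can never change the shape of the statement.
CREATE OR REPLACE PROCEDURE api.get_customer (
  p_name IN  VARCHAR2,
  p_out  OUT SYS_REFCURSOR)
AS
BEGIN
  OPEN p_out FOR
    SELECT cust_id, cust_name
      FROM data_owner.customers
     WHERE cust_name = p_name;
END get_customer;
/

-- 3. When the SQL must be dynamic (here the column is chosen at run time), bind the
--    value with USING and pass the identifier through DBMS_ASSERT.SIMPLE_SQL_NAME,
--    which raises ORA-44003 (invalid SQL name) for anything that is not a plain name.
CREATE OR REPLACE PROCEDURE api.get_customer_by (
  p_column IN  VARCHAR2,
  p_value  IN  VARCHAR2,
  p_out    OUT SYS_REFCURSOR)
AS
  l_sql VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT cust_id, cust_name FROM data_owner.customers WHERE '
        || DBMS_ASSERT.SIMPLE_SQL_NAME(p_column) || ' = :val';
  OPEN p_out FOR l_sql USING p_value;
END get_customer_by;
/

-- 4. Multiple schemas. Tables live in DATA_OWNER and code in API; the application account
--    gets EXECUTE on the API procedures and no privilege at all on the tables, so a
--    compromised application connection can only call the fixed interface.
GRANT SELECT  ON data_owner.customers TO api;
GRANT EXECUTE ON api.get_customer     TO app_user;
GRANT EXECUTE ON api.get_customer_by  TO app_user;
-- Deliberately absent: any grant on api.get_customer_unsafe, and any grant on
-- data_owner.customers to app_user.
```

APP_USER can then only reach customer data through `api.get_customer` and `api.get_customer_by`; the unsafe procedure is kept in the example purely to show the pattern to review for, and should not exist in a real API schema.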

Upcoming #POUG17 and #tajoug #techconftj* #Oracle #plsql #infosec #fun

99% of my presentations are technical, addressing our information security needs. Then every now and again, I get to do something fun. There was “Hacking The Human Brain” last June at BGOUG.

My next trip in September is taking me to Krakow Poland, Moscow Russia and Dushanbe Tajikistan. While in Krakow, I’ll be presenting on “Secure Coding in the Cloud” and taking part in a panel discussion. On to Moscow, to see a concert on Red Square, and dinner with friends. Then off to Dushanbe where I’m privileged to present “Secure Coding in the Cloud,” “Holistic Database Security,” and something fun, “Make a Difference, My 10 rules for a full life.” This will be a fifteen minute talk on the rules I live by. Come on out to the Polish Oracle Users Group or the Tajikistan Oracle Users Group on September 7th. We are going to learn a lot and have fun doing it.

If you can’t make it to either of these two fine conferences, meet me in Moscow for a beer or two at Hotel Metropol.

What is it like on the Oracle User Group Speaking circuit?

This is how most of my trips start, a ride to the airport with my headset on. Listen to some easy listening music such as AC/DC or Iron Maiden to get me in the mood for travel. Once at the airport, check into the business class lounge at Air France or British Airways to have a glass of Champagne while waiting for my flight.

UPDATE: I pay for my own business class travel. Thanks for pointing that out, Kent Graziano.

On some of my trips in the US, I’ll fly my 1948 Ryan Navion to the conference site. Many times while in Europe, I get asked if I flew my plane there. The answer is no. Single engine airplanes don’t do well when flying over thousands of miles of open ocean.
Who are you going to meet when you are out speaking? The most interesting people in the world. These people are some of the top experts in the world who volunteer their time to educate people. One of the best side effects of hanging around them is they will inspire you to be better every day. All of these people have one other thing in common. They are all wonderful people who I’m happy to call friends.
What happens when you get there? Well, there is the hotel you need to check into. Then you are going to need to find out where the reception is, head out to see the city, find out what the local beer is, and have a bit of fun.
You’ve found the reception, and taken in some of the city’s culture – it’s time to get ready to speak. No matter how many times you have done a presentation, it’s important to go through your presentation and demos before you get in front of your audience. You need to be ON. This may be your 20th time giving this presentation, but remember this is the first time this audience has heard it. Deliver your presentation like your reputation depends on it. Also remember, you may be asked a question that you’ve heard a hundred times. Again, the person you are talking to does not know the answer, that is why they are asking; so show that person the respect he/she deserves. You will also be asked questions that you don’t know the answer to. Write down the question, go back and research it; then provide that person the answer to their question.
You did a great presentation, you got to see the city and make new friends, but don’t forget all the other great sessions that are being offered. Besides, because you are a speaker, you get to sit in on these sessions too. You also need to find time to get some work done.
It’s done, you finally made it home, and you have customers that you need to take care of. In the past week, you traveled the equivalent of a trip around the world. Get some rest, you really need it. The customer can wait for tomorrow, they won’t mind.


#Oracle #sqldev 17.2.0.188 MAJOR improvement

This is going to be quick, I don’t get a lot of time to read new features documentation. I normally reserve that for once a month, print ’em out and read over a nice glass of Scotch. Hey, it works for me.

So today, things seem a bit odd, so I opened the SQL Developer Instance Viewer to get a picture of what the database was doing. WOW, thanks Jeff, Kris and team. Love the new look. Check out Top SQL.

Kinda disturbed by an article I just read. #infosec #rant

As most of you know, I live on the defense side of infosec. As attack vectors are exposed, I study them to learn how to design systems that can defend against them. There are some biggies, SQL injection, cross site scripting, insider threat and encrypted data leaking, that burn a lot of my time.

I just read an article giving a detailed technical description on how to use randomized proxy chains to avoid detection. And by using proxies in different countries, it makes it difficult to find out who did the attack. Now of course this article said this should only be used for white hat pen testing and you should not use this for any illegal purposes.

Make no mistake, articles like this are not helping the good guys secure systems. You are only helping the bad guys.

Exciting times. #poug #tajoug #techconftj*

I will be making my first trip to Krakow Poland and Dushanbe Tajikistan. This trip will cover over 24,000 miles in air travel and five different airlines.

POUG High Five. The Polish Oracle Users Group will be having their annual tech conference in Krakow Poland September 1 and 2. http://poug.org/en/edycja/high-five-poug/ I’ll be speaking on secure pl/sql coding and taking part in a panel discussion. There is a very impressive group of speakers coming in from all over the world. This is a first class conference that will be held in a brewery.

Tajikistan TechConf. I don’t have a URL for this conference yet; it will be held Thursday September 7 in Dushanbe Tajikistan. Heli “From Finland” Helskyaho and I will be speaking along with some local speakers. Heli is famous for her dynamic speaking style; she will teach you new information that will make you better at your job.

Come on out to either one of these two excellent conferences and I’ll help you wrap your brain around Oracle Database Security.

Between POUG and Tajikistan TechConf, I will be spending a couple of days in Moscow to go to a concert and visit with some friends.

Getting to know you, getting to know all about you. #infosec #windows10

Windows 10 has the capability to record everything you say, everything you type and everything you write. Okay, I have a fundamental problem with this. Microsoft implemented this feature in the Beta release of Windows 10 to help the product development troubleshoot problems and improve the product. The product development team loved it so much, they kept it in the production release of Windows 10.

I am not going to discuss Microsoft’s motivation for keeping this in the production product. I will give you my opinion: information is leaking like water from a broken colander, so why would we keep this around? Saving this information on your device and in the cloud is a massive issue. Here is what you need to do: turn it off and remove the voice, writing and typing data from the cloud.

Go to Windows Settings -> Privacy -> Speech, Inking, & typing. If you see “Stop getting to know me” then click on it; it will turn the feature off and remove all the data from your local drive. You also need to remove all the data from the cloud. So on that same screen click “Go to Bing and manage personal info for all your devices” to clear the Getting to Know You data from your Microsoft account.

This combined with the setting “Send Microsoft info about how I write” has me very concerned, so turn that off too. On the same screen click on “General”, then the third item on the right, “Send Microsoft info about how I write to help us improve typing and writing in the future”. Turn that off.

#quicktip #oracle #sqlcl logon.sql #PLSCOPE_SETTINGS and #PLSQL_WARNINGS

Quick Tip. My logon.sql file.

I don’t want PLSCOPE_SETTINGS and PLSQL_WARNINGS set when I’m in production; but if I’m in my test / dev / sandbox environments, then I do turn them on. The script below decides which it is from the first letter of the instance name (my production instances all start with P), so adjust that test to your own naming convention.

This helps. Enjoy; this should be self explanatory.

set linesize 90
set pagesize 1000
col table_name format a35
col owner format a20
set timing on
--
DECLARE
  sInst VARCHAR2(1);
BEGIN
  -- first letter of the instance name, upper-cased
  SELECT UPPER(SUBSTR(instance_name, 1, 1))
    INTO sInst
    FROM SYS.V_$INSTANCE;

  -- test to see if this is a production instance
  -- all production instances start with P so ...
  -- if it's not a production instance set up
  -- session properties appropriate for dev / test / sandbox.
  IF sInst != 'P' THEN
    EXECUTE IMMEDIATE 'ALTER SESSION SET PLSCOPE_SETTINGS=' || '''IDENTIFIERS:ALL''';
    EXECUTE IMMEDIATE 'ALTER SESSION SET PLSQL_WARNINGS=' || '''ENABLE:ALL''';
  END IF;
END;
/
--
define _editor=vi
SET SQLPROMPT "_USER'@'_CONNECT_IDENTIFIER > "

-- setup aliases for sqlcl
alias tab=select table_name from user_tables;

#GDPR – RIGHT TO ACCESS. Security is a feature #3 Right to Access Part 1 of 2

The GDPR right to access can get a bit complicated, as it covers a few things that present some challenges for us.

What is the purpose of the processing? Let’s face it, we process data on people for a number of reasons.

First we are going to use the example of an online storefront. When a person places an order, a number of things happen with that person’s data. 1) Is their payment information accurate? 2) Do they have a store credit? 3) Does that person get a discount? 4) The parts that were ordered need to be shipped. 5) Store a history of the person’s orders, so the next time they want to order something, the system can make recommendations based on past orders.

If the shipping is being done by a third party such as Fedex or UPS, the person’s data is going to be transmitted to the shipping company. So now a person’s data is being held at both the online vendor and the shipping company.

What is the category of the data being processed? For the online storefront, we have payment, order and shipping information. For the shipping company, there is shipping and value information.

The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations. So in this case, let’s say that the package was shipped by FEDEX and let’s assume FEDEX data processing is done in the United States. (NOTE: this is an assumption, not a statement of fact.) Anyway the person’s shipping information has now left the EU for the United States of America. From the perspective of the online store vendor, the shipper will need to address Article 44 of the GDPR. I’ll get to Article 44 later.

Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period. So, how long will the data be stored? Certain types need to be kept for a defined period of time, e.g. financial information may need to be kept for five or seven years, as defined by either applicable law or regulation. Other types of information may be kept for very short periods of time. I once worked on a system where the data was only resident for thirty days. This system packaged up the data and sent it to a downstream system for further processing. Once the data was sent downstream, it was no longer needed. But, once the data was sent downstream, we would need to track which downstream systems received the personal data.

The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing. You should be seeing a pattern here. It is going to be critical that we identify all PII (Personally Identifiable Information) in our systems. If a person identifies information we hold that is inaccurate, there needs to be a process in place to correct the information. If a person wants their information removed from our system, there needs to be a process in place to remove the information without corrupting or compromising the integrity of the system. Reference the Right to be forgotten and Article 17 of GDPR.

The right to lodge a complaint with a supervisory authority. We need to get into the definition of “Supervisory Authority.” I’ll address that in a later post. What kind of complaints can we expect? And what is the process to resolve those complaints? We need to spend time developing the process to address data complaints.

Where the personal data are not collected from the data subject, any available information as to their source. We feed downstream systems, and to be honest, there are a number of companies that sell our personal data. Say your company purchases mailing and phone lists from a series of companies; you are now going to need to track the source of that data, so when the question arises, and it will, you can answer it: what was the source of the data?

More to come.