What I learned about "Security"

I travel a lot. Because of that, I use 'hotspots' all over the place. I am connecting through Germany right now and had to sign up for a T-Mobile hotspot. They require you set up an account - to buy a 60 minute pass (I don't really like that, I don't want an account but they make you).

So, I set up my account - username, password - credit card information, etc. Get logged in and immediately receive an email. I've received this email before (because I always have to set up a new account since I can never remember what my 'old' account was) . It was the standard "welcome to T-Mobile" sort of email, but it always contains this (I've written to them before - that is like sending email to a bit bucket, no response, no action). Here is the email (xxxxx represents information I:

From - Fri May 21 09:05:34 2010
X-Account-Key: account5
X-UIDL: AHxxafafdafda
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:                                                                                
X-Apparently-To: xxxxxx@yahoo.com via 206.190.49.114; Fri, 21 May 2010 00:04:39 -0700
Received-SPF: none (mta1056.mail.mud.yahoo.com: domain of noreply-wlan@t-mobile.net does not designate permitted sender hosts)
X-Originating-IP: [193.254.174.32]
Authentication-Results: mta1056.mail.mud.yahoo.com  from=t-mobile.net; domainkeys=neutral (no sig);  from=t-mobile.net; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO wlansmtp.t-mobile.net) (193.254.174.32)
 by mta1056.mail.mud.yahoo.com with SMTP; Fri, 21 May 2010 00:04:39 -0700
Received: from kxsnsrg2 (kxsnsrg1 [172.28.76.134])
 by wlansmtp.t-mobile.net (Postfix) with ESMTP id 37BDD6716
 for ; Fri, 21 May 2010 09:04:37 +0200 (CEST)
Date: Fri, 21 May 2010 09:04:37 +0200
From: noreply-wlan@t-mobile.net
Message-Id: <1274425477.9165@kxsnsrg2>
To: xxxxxxx@yahoo.com
Subject: T-Mobile welcomes you to your new HotSpot Pass Account

T-Mobile welcomes you to your new HotSpot Pass Account.  The password for your
new account is XXXXXXXXX

Yes, that is right, they emailed my password - over unencrypted email, for no apparently good reason at all. Why??? Why would they do this??? What is the point? What is the reason?

Why am I posting this? Well, maybe they'll read or hear about it this way and change it. I found this funny - this is their FAQ:

https://hotspot.t-mobile.net/TMD/en_GB/web/security/index.html#1

Is the HotSpot registration (log in) secure?

Yes, because the access details are transmitted in code to the T-Home / T-Mobile HotSpots. The code that is used is SSL. The software for this is integrated into the browser. If this is not the case, you can update your browser. The relevant downloads are available from the browser provider.
By using our HotSpot Manager, which automatically logs onto T-Home / T-Mobile HotSpots, you can be assured that the registration details are only transmitted to a confidential hot spot web portal.

Well, that is not quite true is it. You can also be assured that your password will be transmitted to everyone on the planet in clear text via good old email.

In the year 2010, you would think we'd know better.

They shouldn't be STORING my password let alone EMAILING IT to me. Sigh....

Now I've got some passwords to change, ugh....

A SQLNet thing I probably forgot about...

My most recent "ah-hah", or "oh yeah" moment came reading Jonathan Lewis's blog. A very neat "SQL Net compression" detail.

It is one of those things that I cannot remember if it was something I knew but forgot - or just never knew.

His example makes the point nicely, you have to appreciate those little test scripts for that. You can clearly see what a difference an order by might make on a the size of a result set set across the network.

Yet another reason to look at bulk processing - the more reasons the better...

Not something new...

But something I see people learning over and over and over again.

I was reminded of a recently asked asktom question - regarding an "intermittent" 'Oracle' bug in a java application ('Oracle' used for sarcasm on my part).

I was reading the current Steven Feuerstein's Blog entry (read that link before going on). It was exactly the same problem found by the java developers on asktom - which they were certain would be an 'Oracle bug' (hint: it wasn't, it was clearly and demonstrably in their code).

Funny, I see the pattern so often that I saw the bug in both bits of code almost immediately. It jumped out and hit my in the face.

SPOILER ALERT: don't read past here if you want to test your ability to find the bug, read Steven's article first.




Maybe I'll put in a request for the to_date function to be overloaded to accept a date as input and just return that date as output.

edit: added after *thinking* about what I just said...

That of course would never work. People are expecting the date format to be applied to the string, so just returning the date could of course NOT be the right thing to do. I guess the overload would have to turn:

to_date( DATE, 'fmt' )

into

to_date( to_char(date,'fmt'), 'fmt' )

instead of

to_date( to_char(date, IMPLICIT_FORMAT ), 'fmt' )

as it does now, but it would be a HUGE change to existing code that 'relies' the way it currently works...

The to_date function takes a string as input and since the date can be converted to a string - it is. I've seen MANY people use:

to_date( date )

to "truncate" a date (horrible idea - not only slow, but RISKY) - it would break their code (not that it isn't already broken) so it would probably be questionable...

Important enough to point out to a wide audience though - beware implicit conversions and watch out for to_date( of a date )!

A decade ago...

It was ten years ago that asktom was "born" (and five years and a month ago this blog was)...

The first question asked was about Oracle 7.3 on a Sun 5.5.1 machine - in early 2000 (right after we got by that year 2000 thing). Funny, the last time it was updated was.... just a little more than 3 months ago - it is still alive...

Man oh man - have things changed since. I stand at about 12,000 published Q&A's (about 40,000 in total - not all get published for various reasons...) I have 10 new ones in the queue (will get to them soon - have lots of travel planned for today and the week in fact)...

I've learned a lot in the last ten years - things have changed considerably.

Remember what a "big" server looked like in 2000? Remember what they cost? Think about how now you can buy stuff off of the shelf on your credit card that blows them away.

In 1997 - we were doing terabyte test to scales - a terabyte was such a big deal then that we would put out a press release. Now we have a database machine with 5tb of flash cache just to buffer part of the database.... A terabyte is nothing - my son would be disappointed in any laptop with less than that for storage...

It is only because things keep changing so fast, so much - that this stuff stays interesting. Imagine if it were still like 1993 (when I joined Oracle) 17 years later. It would be pretty boring...

Anyway, thanks for all of the great questions - looking forward to more...