Wednesday, August 18, 2010

Honey, I swallowed the webcam.

One of the 'features' of the election campaign here has been the National Broadband Network. Apparently this will give us fibre directly to the home for over 90% of premises, with speeds of up to 1Gbps. Actually most households would still only get the 100Mbps previously offered. I'm still on 512kbps. Hardly the fast and the furious, but it suffices.

Sucking on a 1 Gbps pipe would allow an average download of a couple of terabytes a month. My current usage is about 5 Gig per month, just a few percent of that. I have occasionally watched a Doctor Who on ABC's iView, which seems to be about 250-300Mb for an hour of TV. Three hours per Gig makes it about 4 months of content in a terabyte, so even if my whole family each watched a different channel 24 hours a day, seven days a week, we'd still be under a terabyte. Not seeing the need yet.

Anyway, giving the consumers such a massive pipe to guzzle from means moving the bottleneck upstream. Partly to the pipes from the US (and to a lesser extent, Europe and Asia), and partly to the content hosters here. The latter will mostly be the Television companies, since video is the bandwidth hog and they've got the biggest store of 'watchable' video. I say 'watchable' advisedly. A lot of it is completely dire, but at least you would be able to watch "Hey, Hey it's Saturday" rather than on Wednesday when it is broadcast. Why it is broadcast on Wednesday, or why you'd want to watch it any day of the week is a different question.

If you've read up on Exadata, the key there was removing bottlenecks. All of them. Everywhere. The only way that works with the NBN is really peer-to-peer, which is often gaming and file-sharing. But one application for the NBN will be doctor consultation. Fire up the webcam and get your rash looked at by a professional rather than just anyone on ChatRoulette. Though I don't go to the doctor much, the kids do, and often with throat or ear infections. I don't think they show up too well on a webcam, but maybe we will get those tiny fibre-optic cameras I see on the medical dramas. Should make Skype a bit more intimate. Actually my Dad got a shock when the Skype on his computer fired up when he wasn't expecting it, and I don't think he'd want it any more intimate.

The old lady who lives next to us doesn't have a computer. We could let her use ours, but since I've got kids, I'm quite adamant that the computer (and especially anything with a webcam) is out in the open, and I don't think she'd be comfortable with that. Nor would we, to be frank.

Still, the only other use for that sort of bandwidth that I could think of was a big network of CCTV cameras on each corner. But you couldn't imagine a Labo(u)r government installing anything like that, could you?

Monday, August 16, 2010

Fun with passwords

Back in December, a site called RockYou was hacked and the passwords of 30+ million accounts were extracted (apparently by an SQL injection attack). A file was released containing the passwords, without the related account identifiers (though the full content has been witnessed). If you wander round the Torrent sites, you should be able to find the password file. Given that it was extracted by hacking, the legality of downloading it and possessing it should be considered in light of whatever jurisdiction you happen to live in or pass through.

Firstly, let's get the "Don't store passwords, store hashes" out of the way. Good policy, but not applicable here. Apparently the site connected to MySpace and similar sites and needed the passwords for that. OpenId and Twitter authentication are better solutions to that problem in general. Of course Oracle has a similar situation for Database Links requiring passwords. They are stored encrypted (not hashed) because Oracle actually needs to use the password to make the connection.

Onto the file itself. The most common passwords have been reported on here. The Washington Post reports that the most common passwords are, well, what you'd expect common passwords to be. That's the reason they are common. Let's face it, a lot of people will sign up to web accounts with no intention of going back to the site, or using it for anything important, and will use a simple throwaway password.

Just because they use a simple password on one site doesn't mean they use it for their banking. In fact I'd expect the ones using the more complex passwords are the ones who re-use the same one for their banks, and given this exposure, are likely to be regretting it.

Some aspects actually appear quite heartening. Out of the 32 million records, there were nearly 8 million unique passwords. So for most people their password uniqueness would be better than "1 in a million". Sure, some were more common than others. The Premier League was well represented, with liverpool, chelsea and arsenal all pretty popular, though manchesterunited was less so, presumably because of the time it takes to type...especially for Man U supporters [who are known to move their lips while they read :)].

The real problem comes because now those 8 million passwords are much less effective. Consider: running orabf on my handy little netbook (built for low power consumption rather than for CPU-intensive tasks), it can chug through 125,000 password attempts a second. That would be around a minute to test all 8 million potential passwords against a username/hash value from DBA_USERS. The word you are looking for is INSIGNIFICANT.

So if I've got your username and hashed password, and it is one of those 8 million, then consider it cracked. Which means you are not only trying to avoid a few dozen 'obvious' passwords, but a list of 8 million, including ones with alphanumerics plus special characters.

In theory you can put that list in a dictionary and use Oracle to forbid passwords on the list. But that is going to make it pretty hard for your users to find valid passwords they can remember. ["Frenchtoast...taken...JackDaniels...taken...DamnComputer...taken...DBA_I_know_where_u_live....Bingo!"] Then they'll start with passwords that are personal, so won't be on your list. Their car registration number perhaps, or mobile number. Maybe with a suffix or prefix to make it long enough to be valid. While it will be hard for you to block, it will actually be easier to guess for anyone who knows them, especially someone they work with.
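One way to wire such a list into Oracle, as an added example rather than the post's own code: a blocklist table, a password verification function in the SYS schema that rejects anything on it (plus the username and short passwords), and the profile setting that makes Oracle call it. The table name, function name and the four sample rows are assumptions standing in for the real list.

```sql
-- Added example, not from the original post. Run as SYS.
-- Blocklist of leaked passwords, stored lower-cased, one per row.
CREATE TABLE leaked_passwords (pwd VARCHAR2(128) PRIMARY KEY);

-- Constructed sample rows; the real list would be loaded with
-- SQL*Loader or an external table, lower-cased on the way in.
INSERT INTO leaked_passwords VALUES ('123456');
INSERT INTO leaked_passwords VALUES ('liverpool');
INSERT INTO leaked_passwords VALUES ('chelsea');
INSERT INTO leaked_passwords VALUES ('arsenal');
COMMIT;

-- Oracle calls a verify function with this fixed signature on
-- CREATE USER / ALTER USER ... IDENTIFIED BY; raising an error rejects it.
CREATE OR REPLACE FUNCTION verify_not_leaked (
    username      VARCHAR2,
    password      VARCHAR2,
    old_password  VARCHAR2
) RETURN BOOLEAN IS
    hits  PLS_INTEGER;
BEGIN
    -- Cheap checks first: minimum length and password != username.
    IF LENGTH(password) < 10 THEN
        raise_application_error(-20001,
            'Password must be at least 10 characters');
    END IF;
    IF LOWER(password) = LOWER(username) THEN
        raise_application_error(-20002,
            'Password must not be the username');
    END IF;

    -- Case-insensitive lookup against the leaked list (column is pwd,
    -- so the unqualified "password" here is the function parameter).
    SELECT COUNT(*) INTO hits
      FROM leaked_passwords lp
     WHERE lp.pwd = LOWER(password);
    IF hits > 0 THEN
        raise_application_error(-20003,
            'Password appears in a known leaked-password list');
    END IF;

    RETURN TRUE;
END;
/

-- Attach it to the profile whose users should be checked.
ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION verify_not_leaked;
```

With the function in place, ALTER USER scott IDENTIFIED BY liverpool fails with ORA-20003, while a password not on the list and at least 10 characters long is accepted.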

Friday, August 13, 2010

Buy your DBA a beer

Last week, Lisa Dobson remarked on the essential skill of knowing when to call Oracle Support.

A question on StackOverflow here prompts me to say, there is equally a time when you should talk to the people you work with FIRST.

Look, there is a time to call support. There are times to post something to a forum site. But to say "Our application is running slow. Have the DBAs flipped the GO SLOWER switch on us?" suggests that either some places have some seriously scary DBAs, or some serious barriers between the DBAs and developers.

It is Friday (here, at least). If you are a developer, go buy a DBA a beer. If you are a DBA, buy a developer a beer. In England, this is called buying a round. In Australia, it is called a Shout. And in Sydney, I can recommend the beers at the Harts Pub.

Oh, and if you are a developer or DBA in Sydney, come to the Sydney Oracle Meetup and we can all share a beer.

PS. There may be DBAs who haven't yet been driven to drink, or at least don't like beer. I can also recommend the Chocolate Room (cnr Sussex & Bathurst Streets) as a treat.