Friday, April 28, 2006

Oracle Data Vault is released

Actually, "released" is putting it a little strongly. OTN has a page about Data Vault which includes some viewlets. There's no sign of when we will actually be able to get our grubby mitts on it.

Data Vault is a very interesting product which I have been waiting for since seeing a demo of it at OOW2K5SF. Its value proposition is answering two questions:

  • How can I stop my DBA reading my sensitive data?
  • How can I prove that I have stopped my DBA reading my sensitive data?

It does this by separating user creation and privilege settings, and the auditing of same, from regular DBA activity. Of course it is not foolproof but if properly implemented it is going to need a conspiracy of at least three people to break Data Vault. A regular database is vulnerable to a single rogue DBA.

There are no details about pricing, but the fact that it is listed as a Security Option alongside Oracle Advanced Security and Oracle Label Security should give us a clue.

Thursday, April 27, 2006

Fun with password verification

Prompted by a question in the OTN forums I have been having a little play around with the Password Verification functionality. It's quite easy: we just create a function under SYS and add it to the users' profile(s). Oracle provide a sample function that applies some standard rules.

SQL> @C:\oracle\ora92\rdbms\admin\utlpwdmg.sql

Function created.


Profile altered.

SQL> alter user a identified by a
2 /
alter user a identified by a
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20001: Password same as or similar to user


SQL> alter user a identified by b
2 /
alter user a identified by b
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20002: Password length less than 4


SQL> alter user a identified by abcd
2 /
alter user a identified by abcd
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20002: Password too simple


SQL> alter user a identified by a1b2
2 /
alter user a identified by a1b2
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20003: Password should contain at least one digit, one character and one punctuation


SQL> alter user a identified by a1b_
2 /

User altered.

SQL> alter user a identified by a1b_
2 /
alter user a identified by a1b_
*
ERROR at line 1:
ORA-28007: the password cannot be reused


SQL>

So that's quite nice. But wait a minute, what about this:

SQL> alter user a identified by b1b_
2 /

User altered.

SQL>

Isn't there supposed to be some similarity checking? It is definitely there in the utlpwdmg.sql script. So why isn't it working? Turns out it does work but only when the user changes their own password. By the way, notice the REPLACE syntax we need now that we have enabled the PASSWORD_VERIFY_FUNCTION.

SQL> conn a/b1b_
Connected.
SQL> alter user a identified by b2b_ replace b1b_
2 /
alter user a identified by b2b_ replace b1b_
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20004: Password should differ by at least 3 characters


SQL>

This part of the checking doesn't work for SYS or any other user with the ALTER USER privilege. There's some helpful information in Metalink note #114930.1, which explains Oracle's password management policy. Amongst other things the note says that:

"Oracle recommends that you do not change passwords using the ALTER USER statement because it does not fully support the password verification function."

Apparently we should use the SQL*Plus PASSWORD command or make explicit calls to OCIPasswordChange() to change passwords instead. But apart from the fact that SYS can bypass some of the similarity checking I'm not sure what the differences are. For normal users I think ALTER USER with the REPLACE clause remains a valid option (although using SQL*Plus PASSWORD is probably friendlier).
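To make the behaviour above concrete, here is an added example of a password verification function; it is not the utlpwdmg.sql script that Oracle ships, although it raises the same error numbers and messages seen in the session above. The third argument, old_password, is populated only when the caller supplies the REPLACE clause; when a DBA resets someone else's password with a plain ALTER USER it arrives as NULL, so the "differ by at least 3 characters" check is silently skipped. That is the mechanism behind the b1b_ result above. The function name my_verify_function, the helper has_one_of, the contents of the "too simple" list and the profile limits are assumptions chosen for illustration. It avoids REGEXP_* so that it runs on 9.2; create it as SYS.

```sql
-- Added example (not Oracle's utlpwdmg.sql): a minimal password verify
-- function for Oracle 9.2 and later. Create as SYS.
CREATE OR REPLACE FUNCTION my_verify_function
  (username     IN VARCHAR2,
   password     IN VARCHAR2,
   old_password IN VARCHAR2)   -- NULL unless REPLACE was used
  RETURN BOOLEAN
IS
  differ  INTEGER;
  shorter INTEGER;

  -- Returns TRUE if str contains at least one character from class.
  -- TRANSLATE deletes every character of the class; CHR(1) is a sentinel,
  -- because an empty to_string would make TRANSLATE return NULL.
  FUNCTION has_one_of (str IN VARCHAR2, class IN VARCHAR2) RETURN BOOLEAN IS
  BEGIN
    RETURN NVL(LENGTH(TRANSLATE(str, CHR(1) || class, CHR(1))), 0) < LENGTH(str);
  END has_one_of;
BEGIN
  -- 1. The password must not equal the username (case-insensitive).
  IF NLS_LOWER(password) = NLS_LOWER(username) THEN
    raise_application_error(-20001, 'Password same as or similar to user');
  END IF;

  -- 2. Minimum length.
  IF LENGTH(password) < 4 THEN
    raise_application_error(-20002, 'Password length less than 4');
  END IF;

  -- 3. A small list of trivial passwords (illustrative; extend as required).
  IF NLS_LOWER(password) IN ('welcome', 'password', 'oracle', 'abcd') THEN
    raise_application_error(-20002, 'Password too simple');
  END IF;

  -- 4. Complexity: at least one digit, one letter and one punctuation mark.
  IF NOT has_one_of(password, '0123456789')
     OR NOT has_one_of(password, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ')
     OR NOT has_one_of(password, '!"#$%&()*+,-/:;<=>?_')
  THEN
    raise_application_error(-20003,
      'Password should contain at least one digit, one character and one punctuation');
  END IF;

  -- 5. Similarity: the new password must differ from the old one in at
  --    least three positions. old_password is NULL when ALTER USER is run
  --    without REPLACE (for example a DBA resetting another account), so
  --    this check only ever fires for self-service changes.
  IF old_password IS NOT NULL THEN
    differ  := ABS(LENGTH(old_password) - LENGTH(password));
    shorter := LEAST(LENGTH(old_password), LENGTH(password));
    FOR i IN 1 .. shorter LOOP
      IF SUBSTR(password, i, 1) != SUBSTR(old_password, i, 1) THEN
        differ := differ + 1;
      END IF;
    END LOOP;
    IF differ < 3 THEN
      raise_application_error(-20004, 'Password should differ by at least 3 characters');
    END IF;
  END IF;

  RETURN TRUE;
END my_verify_function;
/

-- Attach the function to the users' profile (DEFAULT here). The reuse
-- limits are illustrative values; together they are what produce ORA-28007
-- when a recent password is set again.
ALTER PROFILE DEFAULT LIMIT
  PASSWORD_VERIFY_FUNCTION my_verify_function
  PASSWORD_REUSE_TIME 365
  PASSWORD_REUSE_MAX 10;

-- Self-service change: the old password is passed through REPLACE, so
-- step 5 runs and this fails with ORA-20004.
-- ALTER USER a IDENTIFIED BY b2b_ REPLACE b1b_;
-- DBA reset: no REPLACE, old_password is NULL, step 5 is skipped.
-- ALTER USER a IDENTIFIED BY b1b_;
```

The practical consequence is that the similarity rule is only as strong as the route by which the password arrives: anything that calls the function without the previous password (a DBA reset, or a tool that does not use REPLACE) gets the length and complexity checks but not the difference check, which is why the SQL*Plus PASSWORD command or OCIPasswordChange(), both of which supply the old password, are the recommended routes.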

Object Monkey RIP???

So Jason Gorman seems finally to have pulled the plug on the ObjectMonkey website. True, lately it had turned into a potty-mouthed Private Eye wannabe, with the recent stuff being particularly virulent. Indeed Jason seemed a bit sheepish when I pegged him as Mr ObjectMonkey at the BCS Mini-SPA last year. Nevertheless some of the older material was refreshingly frank and insightful about the realities of software engineering and the project lifecycle, as well as being laugh-out-loud funny. It's like reading a DevX column written by Roger Mellie.

One essay in particular, "The Emperor's New Code", contained a very useful list of advice for a business project manager who needs to make a success of an IT project. Unfortunately the advice is headed Don't be a sh*thead. As a consultant I couldn't give that to a client: they won't read the advice, they'd just think, "He's calling me a sh*thead!". That's the problem with swearing. It is big and it is clever, and a well-timed expletive can be funny. But many people will grep out everything except the cusswords. It's all very well saying, as the Sub-Genius motto has it, "F**k 'em if they can't take a joke" but sometimes it's just not worth it. We end up alienating the people we most need to reach.

Alas, all this, the insights and the profanity, is now 404. Still, unlike Ozymandias, Jason Gorman has left behind more than a few broken links. Thank you Google cache!

Friday, April 21, 2006

Big Trouble In Little Kyoto

The Register has some interesting analysis of the slanging match that has developed between Larry Ellison and Red Hat chief executive Matthew Szulik sparked by the latter's purchase of JBoss.

"Why should [Oracle] buy an operating system when it can rely on partners like Red Hat and Novell to take responsibility for R&D of the distro themselves?

The only possible justification is if Oracle feels that by owning the operating system, it can also "own" a growing number of open source software developers. These developers can then help drive integration between the distro and Oracle's applications. Owning the operating system would certainly confirm the view Oracle is working towards an open- and closed-source stack that is certified to work together."


Of course, putting out a Linux distro means Oracle will be able to position itself in the same space as Microsoft operates, running MS applications on an MS operating system. Certainly Oracle licences look a lot cheaper when we don't have to pay for the OS licence too.

Incidentally, I see Szulik is claiming Oracle is like the old giants of the American automotive industry and that open source software companies are going to do to Oracle what Japanese car manufacturers did to General Motors in the seventies. The problem with such an analysis is that it misunderstands the nature of those Japanese companies. Really those companies were merely the automobile manufacturing arm of giant combines. These keiretsu were derived from the old samurai zaibatsus and each owned a bank, a ship builder, an electronics company, a white goods manufacturer, etc. Such ownership patterns are forbidden by US anti-trust laws but they gave the Japanese a competitive edge: difficulties in the car market could be offset by boom times in shipbuilding.

So really, Oracle producing its own Linux distro is much closer to the Japanese model than it might seem at first. And I bet Ellison, the daimyo connecting primally to his running water and cut unfinished wood, knows it.

Thursday, April 13, 2006

Share and enjoy: online participation

What is it about online communities? The internet has spawned a plethora of community types - lists, forums, message boards, blogs, MMORPGs, open source software - in which individuals contribute their time and knowledge to help others in their community. Yet the stereotypical internet geek is a surly, uncommunicative individual with poor hygiene practices and no human friends. So how come we're such a social bunch?

These thoughts were prompted by an online questionnaire about online participation which was posted by an IS Masters student. If you're reading this then you ought to participate by taking his survey. That would be in the spirit of his thesis, which is about the relationship between social capital and knowledge sharing in virtual communities. That is, why people share in online communities when there's no reward.

First let's examine that assumption about no reward. For some people there is an indirect pecuniary reward for their online participation. I'm sure I wasn't the only person who was motivated to buy Tom Kyte's Expert One-on-One because of the AskTom site. Not just because the site acts as an advertisement for the quality of the book but because I felt beholden to Tom because I had got useful advice from the site. Jonathan Lewis says in his DBAZine podcast that his profile within the Oracle community (due to his activism with the UKOUG as well as his website) does help him get work as a contractor. Mark Rittman's blogging won him the Oracle Magazine ACE of the Year 2005 award, which has rewards (in kind). And I'm sure I'm not the only person who's been approached by headhunters because they've come across my spoor here or in the forums.

However, it is obvious that these rewards are trivial compared to the time we all in our various ways spend in the online communities (certainly compared to our hourly rates in the day job). Furthermore most people who contribute in the various forums, lists and blogs are not authors or ACEs. So why do we do it? Everybody's reasons will be different or at least differently prioritised but here are my reasons.

Firstly, my participation, in the forums and this blog, helps me organise my thoughts. Writing things down is a useful discipline. That's why I think people who dash off blog entries casually, as they would an e-mail, are missing a trick. It's one thing to be the first with a hot scoop, another thing to present an insight into some aspect of database programming or architecture in a way that's interesting and useful to others.

Secondly, presenting information in public is a good way to get our own misunderstandings corrected and our assumptions debunked. Ideally we do this ourselves by cobbling together a test case before posting. But if not, someone else will point out our bloomers. Over the years I am getting better at not asserting things that I have not tested for myself, but I still occasionally slip. And then the vultures swoop.

Thirdly, questions in the forums throw up problems from out of left field. Investigating those issues can teach us new techniques or fresh understandings in areas that our work has not yet taken us to. This can make us more effective in our jobs. Or, more likely, it just appeals to our geeky need to know.

So far this is all about me. Well, it is a blog ;) But what about the "community"? Doesn't that matter? Of course it is important. To a large extent our existence as individuals is defined by our interactions with other people. Game Theory teaches us that in order to interact successfully we have to approach other people with a presumption of trust and a preparedness to give openly. In return we can expect gratitude and future co-operation. That's the only way any society can work. So perhaps we contribute to ensure there is still an active community for when we need to ask for help, even if that means answering many more questions than we pose ourselves.

I think there's more to it than just the strictures of mutual grooming and the Prisoner's Dilemma. There is a warm sense of camaraderie among the regulars in any of these arenas. Interestingly this is often reinforced by communal activities in meatspace - drinking whisky around the old oak table, Oracle-L dinners during the Hotsos symposium, Oracle bloggers' dinners at various conferences.

Finally, it's fair to say that online communities are not perfect. It's very easy to lose one's rag when interacting via e-mail. And - especially when the participants don't share a common first language - it's common for insults to be perceived when none was intended. We've had to invent new words to describe anti-social activity in cyberspace. Just recently an MMORPG called Roma Victor introduced virtual crucifixion to punish cheating players. And it is possible to overshare.

In conclusion ... Well, let's close the circle of online participation: start a blog and write your own conclusion!

Wednesday, April 12, 2006

SQL Developer makes Daily WTF

A few weeks into production and already making its mark in the wider software engineering community. Kris and his team must be so proud.

Mind you, it is a sign of the relative merits of SQL Developer as a tool that the only thing they can find to mock is the code generated by the DDL wizard. As several of the commenters say, most generated code is not the prettiest. Still the code as shown is rather revolting. You wouldn't want to work with anyone who learnt how to program PL/SQL by studying this stuff.

Read the whole thread here.

Monday, April 10, 2006

Red Hat buys JBoss

In this press release Red Hat announces that it has bought JBoss for $350m, although only 40% of that is cash. There's another $70m promised, "subject to the achievement of certain future performance metrics".

Well that's one Larry can scratch off the shopping list. If it's true that Oracle were offering $500m for JBoss I wonder why Marc Fleury turned that down but accepted Red Hat's much lower offer a few weeks later.

Update

The Register, diligent as ever, has uncovered a cached version of a blog post in which Marc Fleury says what he really thinks, or at least thought, about Red Hat.

Wednesday, April 05, 2006

Which version of Oracle do you use?

The OTN Raptor forum is running a poll on which version of Oracle people are using. At the moment 9.2 is the most popular flavour with over half the votes. However, only thirty-three people have voted so far and I doubt this sample size is statistically valid. So, if you haven't already, click across and cast your vote!

Tuesday, April 04, 2006

Penguin to be top dog for Oracle

According to this CBR Report, Linux is likely to be the dominant platform for Oracle database servers next year, toppling Sun Solaris from the top spot. Interestingly, it's not just bad news for Scott. Some of the sites who say they're moving to Linux are currently Windows shops. I suppose they've got lots of Intel boxes lying around.

This would definitely seem to validate Oracle's championing of the Linux platform. By reducing the cost of the OS they have lowered the TCO and so reduced SQL Server's advantage there. Levelling the playing field in turn makes it easier for Oracle to compete on feature comparison. And all without cutting Oracle's licensing fees.