Janus 1 – 2018

As the year draws to a close, I thought I’d look back on the year a bit.

The goal of this blog has been to give me a place to reflect on the purpose of this blog. I claim in My Goal Here to want to reflect on how we think and what drives certain decisions. And I suppose at times that’s true. At times it’s to give actual SQL- or IT-related advice. But at times, it’s simply an exercise in my ability to put fingers to the keyboard and words on the screen, and to be a bit self-indulgent if I’m honest.

My most popular page this year was a mixture of things: The Streisand Effect. It was a bit of an activism piece about events at my alma mater and a chance to broaden my blog to more readers. But it did also serve to actually reach one of my primary goals, to reflect on how we think and make decisions: primarily that sometimes, by trying to tamp down an issue, we only serve to draw more attention to it and to inflame things further.

My second most viewed piece this year was one of several on sexism, especially in the IT industry: Math is hard, Let’s Go Shopping. I still haven’t finished the book mentioned in the post, but it’s on my list to finish. The issue of sexism in my primary industry is one that has grown in importance to me and I expect to write more about it in the coming year and to try to do more about it.

Reviewing my SQL Saturdays in 2018, I had the honor of speaking at Colorado Springs, or at least trying to, which I wrote about here; SQL Saturday Philadelphia; SQL Saturday Atlanta; SQL Saturday Manchester UK (my first overseas SQL Saturday, where I had a blast!); SQL Saturday Albany; and finally SQL Saturday DC. I also presented at the DC SQL User Group in September. All great times: I learned a lot and had a great time meeting new people and reconnecting with old friends.

I put in to speak at PASS Summit, but again didn’t make it. But I still attended and had a great time.

I also was pleased to be asked to write for Redgate’s Simple Talk, where I now have two articles published on using PowerShell for SQL: my first and second. I’ll be submitting my third article in the coming weeks.

But not everything I did or wrote about was SQL related or even IT related. In late June, 13 people became trapped in the Tham Luang Nang Non cave in Thailand. This became a world-wide media event that a few weeks later I found myself part of. Besides at least four blog posts of my own that touched upon it, in my role as a regional coordinator of the National Cave Rescue Commission I did close to a half-dozen media engagements, including one for The Takeaway NPR program.

Oh, one more interview I did this past year was with Carlos Chacon and Steve Stedman of SQL Data Partners, on their podcast. You can read about my thoughts here and listen to the podcast here. And definitely go to Amazon and buy my book!

Anyway, it’s been a great, and eventful year and I appreciate everyone who has read my blog and even more so to those who have commented on it, shared it, or somehow given me feedback.

I’m looking forward to 2019. I hope you are too.

Change your password!

This year saw a new form of extortion spam: emails sent to you containing a password of yours stolen from a compromised site, as “proof” that the sender has hacked you. I saw the first one of these literally an hour or two before boarding a flight to Manchester UK to speak at the SQL Saturday there. My wife received it.

They often take a form similar to:

As you may have noticed, I sent you an email from your account.
This means that I have full access to your account: On moment of hack your account has password: Tel3phone!

You say: this is the old password!
Or: I will change my password at any time!

Yes! You’re right!
But the fact is that when you change the password, my trojan always saves a new one!

I’ve been watching you for a few months now.
The fact is that you were infected with malware through an adult site that you visited.

If you are not familiar with this, I will explain.
Trojan Virus gives me full access and control over a computer or other device.
This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.

I also have access to all your contacts and all your correspondence.

Why your antivirus did not detect malware?
Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.

I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched.
With one click of the mouse, I can send this video to all your emails and contacts on social networks. I can also post access to all your e-mail correspondence and messengers that you use.

If you want to prevent this, transfer the amount of $745 to my bitcoin address (if you do not know how to do this, write to Google: “Buy Bitcoin”).

My bitcoin address (BTC Wallet) is: 19Q4HZtCznuBGcuWng7cacwqZV13gNpZas

After receiving the payment, I will delete the video and you will never hear me again.
I give you 48 hours to pay.
I have a notice reading this letter, and the timer will work when you see this letter.

Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address.
I do not make any mistakes.

If I find that you have shared this message with someone else, the video will be immediately distributed.

Best wishes!

I actually LOVE this form of extortion because I suspect it’s highly effective. I’m also amused because the above (edited) email came with the subject: Security Alert. You account has been hacked. Password must be need changed. It then goes on to tell you that even if you do change your password, the hacker can read it. I’m also amused because the faux hacker’s concept of my time at the computer sounds FAR more exciting than what I actually do at the computer (and of course there’s the fact that I don’t keep my webcam plugged in!)

When confronted with a password that they recognize, I’m sure folks pay up. But don’t. Yes, it’s probably a password of yours, but it almost certainly came from a site that was breached months or even years earlier, and the sender has no access to your email, your current accounts, or your computer. The “proof” is just one row in a credential dump paired with your address; the scammer mails the same template to every row. You can easily find lists of email addresses and passwords online, especially if you’re willing to pay, and you can check whether your own address shows up in known breach dumps with a service such as Have I Been Pwned. The one thing the email does tell you is real: if that password is still in use anywhere, change it there now.

In the case of the above password (changed to be extra safe, but even if I hadn’t it most likely wouldn’t matter in this case) I know what service was hacked. Fortunately I only used that password on that one site and it had no financial data associated with it.
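What triage of one of these messages looks like in practice, as an added example in Python that is not part of the original post: it pulls out the claimed password, the ransom amount, the deadline and the Bitcoin address, validates the address’s Base58Check checksum (so a mistyped or made-up address isn’t recorded as an indicator), and then checks whether the leaked password still matches the user’s current credential, which is the only real exposure. The sample mail is constructed from the one quoted above; the password is the already-changed one from the post, the amount is a placeholder, and the address is the well-known Bitcoin genesis-block address, used only because its checksum is known to be valid. The reuse check assumes the current credential is stored as a PBKDF2-HMAC-SHA256 hash; a real system would call its own verifier.

```python
import hashlib
import hmac
import re

# Constructed sample modelled on the scam text quoted above (placeholders only).
SAMPLE_MAIL = """Subject: Security Alert. You account has been hacked.

As you may have noticed, I sent you an email from your account.
On moment of hack your account has password: Tel3phone!
The fact is that you were infected with malware through an adult site.
I can turn on the camera and microphone. I made a video.
Transfer the amount of $745 to my bitcoin address.
My bitcoin address (BTC Wallet) is: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
I give you 48 hours to pay.
"""

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def btc_checksum_ok(addr: str) -> bool:
    """Base58Check validation of a legacy (P2PKH/P2SH) address:
    1 version byte + 20-byte hash + 4-byte double-SHA-256 checksum."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False                      # character outside the alphabet
        n = n * 58 + idx
    leading = len(addr) - len(addr.lstrip("1"))   # each leading '1' is a 0x00 byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * leading + body
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


PASSWORD_RE = re.compile(r"password(?:\s+is|:)\s*(\S+)", re.I)
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
AMOUNT_RE = re.compile(r"\$\s?(\d[\d,]*)")
DEADLINE_RE = re.compile(r"(\d+)\s*hours", re.I)
# Phrases that recur across this scam family. The "three markers plus an
# address" threshold is this example's assumption; tune it to your mail flow.
MARKERS = ("trojan", "malware", "camera", "webcam", "adult site", "video",
           "bitcoin", "contacts", "hours to pay")


def triage(mail: str) -> dict:
    """Classify a message and extract the indicators worth recording."""
    text = mail.lower()
    hits = [m for m in MARKERS if m in text]
    pw = PASSWORD_RE.search(mail)
    addrs = BTC_RE.findall(mail)
    amount = AMOUNT_RE.search(mail)
    deadline = DEADLINE_RE.search(mail)
    return {
        "is_sextortion": len(hits) >= 3 and bool(addrs),
        "markers": hits,
        "leaked_password": pw.group(1) if pw else None,
        "btc_addresses": [(a, btc_checksum_ok(a)) for a in addrs],
        "amount_usd": int(amount.group(1).replace(",", "")) if amount else None,
        "deadline_hours": int(deadline.group(1)) if deadline else None,
    }


def make_hash(password: str, salt: bytes) -> bytes:
    """Demo credential store: PBKDF2-HMAC-SHA256 (assumption for this example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def still_in_use(leaked: str, salt: bytes, stored_hash: bytes) -> bool:
    """True if the password quoted in the scam is the user's CURRENT password.
    The scammer's claim of access is false either way; a True here means the
    old breach password was reused and a forced reset is warranted."""
    candidate = make_hash(leaked, salt)
    return hmac.compare_digest(candidate, stored_hash)


if __name__ == "__main__":
    report = triage(SAMPLE_MAIL)
    print(report)
    salt = b"demo-salt"
    current = make_hash("Tel3phone!", salt)   # user never rotated it: real exposure
    print("leaked password still in use:",
          still_in_use(report["leaked_password"], salt, current))
```

The address check matters more than it looks: scam templates are copied and mangled, and a SOC that records invalid strings as “attacker wallets” ends up with useless indicators. The reuse check is the one action item; whether or not the address is real, nothing in the message changes.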

That said, again, don’t use obvious passwords. In fact, an effective password system should reject any candidate that appears on a blocklist of common or previously breached passwords, such as the one here: Worst 25 passwords of 2018. If you’re using a password on this list: SHAME on you.

The takeaway: if you haven’t, for 2019 make a New Year’s resolution to use UNIQUE passwords for every site you use, use a password manager to remember them, do NOT make them obvious or easy, and turn on two-factor authentication wherever it’s offered, so that a leaked password alone isn’t enough to get in.


Merry Christmas

It’s Tuesday, which means normally I’d try to write something insightful about caving, or computers, or technology, or our human experience.

Instead, I can only say, “Merry Christmas” to all my fans and readers.

I was hoping to get to 2000 page views this year, looks like I’ll be about 50-100 short, but that’s ok. I’ve enjoyed writing my weekly missives and I hope you’ve enjoyed reading them.

Now get off the computer and spend time with your family!

Social Deconstruction II

In a previous post, Social Deconstruction, I reflected on a barrier that had been put up on a Thursday and, by Sunday, completely bypassed. I recently had cause to revisit that area and,

Barrier bypassed

as you can see, an actual, real gate has been put into the fence. The power of the crowd basically overruled the original intent of the landowner.

Of course, this could have been done from day one.

This is true in the IT world. How often has the security department come and said, “we’re implementing this new security policy” with little input from actual users, and then been surprised when users get frustrated and try to bypass the new security feature? I had this happen at a client of mine. In the case of the fence above, people bypassed the security the fence builders wanted (presumably to reduce liability), and by doing so increased their chance of getting hurt (and, ironically, presumably increased the liability).

One of the security features that I think annoys most of us is passwords, or more accurately arcane password requirements. For example, some systems require a certain amount of complexity, but don’t necessarily tell you what the rules for complexity actually are! Yes, I’ve had that happen. Turns out they required special characters, but only a specific subset of special characters, and the ones I tried weren’t in that subset.

Now, a minimum password length makes sense. A one-character password can be guessed by anyone. But what about short maximum password lengths? Yes, perhaps that was a good idea when memory and storage were scarce (ok, even then, not a great idea), but not so much these days; a short cap usually means the system is storing or hashing the password in a fixed-width field, which is itself a warning sign. Yet I know at least one system where your password has to be between 8 and 14 characters. NIST SP 800-63B requires verifiers to accept at least 64 characters, so a 14-character cap fails the current guidance outright.

Another annoyance is the “must change every N days” rule, where often N is something like 90 (though I’ve seen even lower). What does this mean? Folks end up with passwords like Secur3Passwrd$1, Secur3Passwrd$2, Secur3Passwrd$3, etc., which an attacker who has the old one can guess in a handful of tries. SP 800-63B says verifiers should NOT require periodic changes; a change should be forced only when there is evidence the password has been compromised.

Truth is, many of the so-called password rules actually encourage us to create lousy passwords, and so we repeat stuff, or write it down, or take other steps that make it easier for us to use them but, as a byproduct, weaken the passwords.

The National Institute of Standards and Technology released an updated set of guidelines, NIST SP 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management), that discuss good password requirements (note I have NOT read the entire document, just large portions of it). SpyCloud has a decent review here: New NIST Guidelines Acknowledge We’re Only Human. I’m not going to recap the recap here, but I will add what I generally do:

  1. I use a password manager. You can read reviews for finding one that best meets your needs. Personally, I use one that does NOT have storage in the cloud. While in theory they’re encrypted and secure, I get paranoid. (Yes, I do recognize that if someone compromises my desktop, they can get access to my local password manager. But on the other hand, if they get access to my desktop, they can probably just install a keyboard logger and I’m hosed anyway.)
  2. I use a different password, automatically created by the above password manager, for nearly every site or system I log into. This ends up meeting most (but not all) of the NIST suggestions (they’re certainly NOT easy to remember, but they don’t have dictionary words, can be as long as I need, most likely are NOT in a previous breach, etc.)

Note, I said most, not all. There’s a few places I used passwords I can remember. These are systems I interact with on a daily or near daily basis, such as my desktop, AND the password manager itself. There would be no point to have a password manager if I couldn’t log into it, or if the password were so simple anyone could guess it.

So, I make sure these passwords are easy to remember, but extremely hard to guess. (For example, they do NOT include the name of my first dog, my mother’s maiden name, etc.)
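Putting the SP 800-63B memorized-secret rules together in code, as an added example (Python, written for this page; it is neither the post’s nor NIST’s code): the validator below enforces the 8-character minimum, allows long passphrases, and rejects candidates that are on a blocklist of common or breached passwords (the “Worst 25” list mentioned earlier is exactly this kind of input), that contain context-specific words such as the username or service name, or that are repetitive or sequential. It deliberately has no character-class rule, no short maximum and no expiry, since 800-63B drops all three. The blocklist is constructed; Tel3phone! from the scam email is on it on the assumption that it appeared in a breach dump; the 128-character cap, the 4-character run length and the NFKC normalization are this example’s choices (800-63B recommends NFKC/NFKD normalization but does not fix the other two).

```python
import unicodedata

MIN_LEN = 8     # SP 800-63B 5.1.1.2: at least 8 characters for user-chosen secrets
MAX_LEN = 128   # 800-63B requires verifiers to allow at least 64; 128 is this demo's cap

# Constructed stand-in for a real "worst passwords" or breach corpus.
# tel3phone! is the (already changed) password from the scam mail above,
# included on the assumption that it showed up in a breach dump.
BLOCKLIST = {"123456", "password", "qwerty", "letmein", "football",
             "iloveyou", "admin", "welcome", "tel3phone!"}


def _normalize(s: str) -> str:
    # NFKC so the same passphrase typed on different keyboards compares equal;
    # lower-casing is for blocklist and context matching only.
    return unicodedata.normalize("NFKC", s).lower()


def _repeat_or_sequence(pw: str, run: int = 4) -> bool:
    """True for runs such as 'aaaa', '1234' or 'dcba' of length `run` or more."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        w = s[i:i + run]
        if len(set(w)) == 1:
            return True
        steps = {ord(b) - ord(a) for a, b in zip(w, w[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw: str, username: str, service: str,
                   blocklist: set = BLOCKLIST) -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted.
    Deliberately absent: character-class rules, a short maximum, and any
    expiry logic. A reset is forced only on evidence of compromise, which
    is a separate workflow, not a timer."""
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    n = _normalize(pw)
    if n in blocklist:
        reasons.append("appears on the common/breached password list")
    for ctx in (username, service):
        c = _normalize(ctx)
        if len(c) >= 3 and c in n:
            reasons.append(f"contains context-specific word {ctx!r}")
    if _repeat_or_sequence(pw):
        reasons.append("repetitive or sequential characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Secur3Passwrd$1",
                      "password", "Tel3phone!", "Sh0rt!x", "abcd1234",
                      "alice2018!"):
        verdict = check_password(candidate, username="alice", service="acme")
        print(f"{candidate!r:32} -> {verdict or 'OK'}")
```

Note what is accepted: a four-word passphrase with spaces and no digits or symbols passes, because length and absence from the blocklist are what 800-63B cares about, while a short password or a breached one is rejected no matter how many character classes it mixes. The blocklist check is the piece most systems still lack, and it is the one that would have caught the password quoted in the scam email.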

In conclusion, if you’re in charge of security, make it usable, or else people WILL try to bypass it, simply to get the job done. And, remember, you’re always in charge of your own security, so make it usable, but secure.


Age Impostor Syndrome

This past weekend I was at another successful SQL Saturday. It was, as always, great to see so many of my fellow speakers and friends.

I was perhaps a bit more nervous than usual for this SQL Saturday because I was giving a new technical talk and my demo wasn’t working like I wanted and I hadn’t done as many run-thrus as I like to do.  But it was well received and people seemed to really like it. (For those interested, it was a demo of running SQL Server for under $200, including licensing and hardware!)

During a conversation this weekend I used the expression that I might grow old, but I don’t have to grow up. But I’ve realized it’s more complicated than that.

  • In the past week I’ve completed my 51st orbit of the Sun while still breathing
  • I’m preparing to cook dinner for a bunch of college students this weekend
  • I’ve been working with two recent college graduates on a couple of projects
  • I’m consulting on a new project and using my years of experience to guide it in the right direction
  • My son is completing his first semester at college and coming home this week
  • Apparently received praise (this is second hand) for work I’ve done in a volunteer community

Physically, at times I feel my age, and there are certain facts that suggest I really am as old as I am; but mentally, I often actually forget I’m as old as I am. I wonder, “why do folks think so highly of me? I’m just a young kid trying to figure my way out in the world.” Then I realize, I’m not that young kid at his first programming job, trying to figure out how to create a make file. I’m a middle-aged man who has decades of experience in my various fields of expertise. People look to me the way I look to my mentors, because they expect me to have the answers! (And fortunately, they’re actually sometimes right.) Sometimes too I’ll be engaging with people my own age and they treat me as an equal, and I get excited that they’re treating someone half their age with such respect. Then I remember, “but wait, I AM their age.” Or people half my age act as if they’re looking up to me and I want to say, “but I’m no different than you,” but then remember, “Oh wait, I do have that many more years of experience.”

So, there’s still a bit of me thinking I’m an impostor. I really don’t know as much as people seem to think I do.  Or that I’m not as old as I really am. Can one even be an age impostor?  Not really, I mean age is a pretty objective fact. But the truth is, I don’t feel my age, and for that I’m grateful.

I’ll continue getting older, but I simply won’t grow up any faster than I have to.

One final request from this wizened old boy, make sure to subscribe if you haven’t!  And speak a little louder so I can hear you.


Procrastination

“I’d procrastinate, but I keep putting it off.” It’s an old saw but I think there’s some truth to it, at least for me.

Actually the truth is, when I’m not busy, I tend to procrastinate and things don’t get done. But when I’m busy, I get more done. How many of us say “I perform better under pressure”? I know I do.

The other phrase that comes to mind lately is “When it rains, it pours.” The above two adages seem to be the story of my life lately. This is not necessarily a bad thing.

You see, in the life of a consultant it’s often feast or famine. And some times of the year are often more famine than feast. For example, my largest client goes into a code freeze during the last 2 weeks of the year. Taking this into account, I figured I’d have some downtime and be able to work on some projects around the house.

But then, last week, another client emailed me to ask about my availability. They’re a good client and I enjoy working with them, so I responded right away. Unlike my previous project with them that was just a few hours, this one was a top priority project with a firm deadline and lots of work in a short period of time.

Suddenly, my calendar was more full than I expected.

Then my largest client, during our weekly all-hands call, informed me that on a project I had completed they were probably going to take a completely different tack, and “oh by the way, we’ve got a strict timeline!”

And then of course today, another client calls in with an issue.

Suddenly my calendar was even more full than I expected.

Oh, and did I mention I have a talk to present at SQL Saturday in DC this weekend? And the hardware I was going to use for it is not working?

Suddenly my schedule was completely topsy-turvy and I’ve had to work harder than ever.  But, since I’m already busy, I’ve actually spent a little extra time on other projects that I had been putting off; like finishing the edits on my second article for Red-Gate’s Simple-Talk and then writing a first pass of my third article for Red-Gate’s Simple-Talk. I probably would have procrastinated on that last one a bit longer if I weren’t busy. I know, sounds backwards, but yes, being busy encouraged me to spend time writing.

Of course, sometimes schedules have to slip, hence this post being 12 hours later than normally scheduled.

When it rains, it pours. And right now, that’s a good problem to have.