Feed aggregator
Contributions by Angela Golla,
Oracle Advanced Customer Support Services
Seamless data availability, optimal applications performance, and reduced IT risk are critical to business success. Oracle Advanced Customer Support (ACS) Services delivers tailored mission-critical support services to help you maintain and maximize performance of all Oracle mission critical systems. Our partnership with Oracle Support and Oracle's engineering teams combined with our unique approach to building a collaborative, long term relationship with your IT team provide a highly integrated approach to helping you meet your complex IT requirements.
Our engineers provide proactive and preventive support using advanced diagnostic tools to help you increase system availability, reduce risk and accelerate ROI across the Oracle stack—applications, middleware, database, servers and storage systems. Choose from a portfolio of mission critical support services that you can tailor to your IT and business needs. Learn more at: http://www.oracle.com/us/support/advanced-customer-services/overview/index.html
Getting Started with PHP Zend Framework 2 for Oracle DB
This post shows the changes to the ZF2 tutorial application to allow it to run with Oracle Database 11gR2.
Oracle Database SQL identifiers are case insensitive by default so "select Abc from Xyz" is the same as "select abc from xyz". However the identifier metadata returned to programs like PHP is standardized to uppercase by default. After executing either query PHP knows that column "ABC" was selected from table "XYZ".
In PHP code, array indices and object attributes need to match the schema identifier case that is returned by the database. This is either done by using uppercase indices and attributes in the PHP code, or by forcing the SQL schema to case-sensitively use lower-case names.
The former approach is more common, and is shown here.
The instructions for creating the sample ZF2 application are here. Follow those steps as written, making the substitutions shown below.
Schema
In Oracle 11gR2, the schema can be created like this:
DROP USER ZF2 CASCADE;
CREATE USER ZF2 IDENTIFIED BY WELCOME
DEFAULT TABLESPACE USERS QUOTA UNLIMITED ON USERS
TEMPORARY TABLESPACE TEMP;
GRANT CREATE SESSION
, CREATE TABLE
, CREATE PROCEDURE
, CREATE SEQUENCE
, CREATE TRIGGER
, CREATE VIEW
, CREATE SYNONYM
, ALTER SESSION
TO ZF2;
CONNECT ZF2/WELCOME
CREATE TABLE ALBUM (
ID NUMBER NOT NULL,
ARTIST VARCHAR2(100) NOT NULL,
TITLE VARCHAR2(100) NOT NULL,
PRIMARY KEY (ID)
);
CREATE SEQUENCE ALBUMSEQ;
CREATE TRIGGER ALBUMTRIGGER BEFORE INSERT ON ALBUM FOR EACH ROW
BEGIN
:NEW.ID := ALBUMSEQ.NEXTVAL;
END;
/
INSERT INTO ALBUM (ARTIST, TITLE)
VALUES ('The Military Wives', 'In My Dreams');
INSERT INTO ALBUM (ARTIST, TITLE)
VALUES ('Adele', '21');
INSERT INTO ALBUM (ARTIST, TITLE)
VALUES ('Bruce Springsteen', 'Wrecking Ball (Deluxe)');
INSERT INTO ALBUM (ARTIST, TITLE)
VALUES ('Lana Del Rey', 'Born To Die');
INSERT INTO ALBUM (ARTIST, TITLE)
VALUES ('Gotye', 'Making Mirrors');
COMMIT;
Driver and Credentials
The driver and credentials are Oracle-specific. Always use the OCI8 adapter in ZF, since it is more stable and has better scalability. Specifying a character set makes connecting faster.
zf2-tutorial/config/autoload/global.php: return array(
'db' => array(
- 'driver' => 'Pdo',
- 'dsn' => 'mysql:dbname=zf2tutorial;host=localhost',
- 'driver_options' => array(
- PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES \'UTF8\''
- ),
+ 'driver' => 'OCI8',
+ 'connection_string' => 'localhost/orcl',
+ 'character_set' => 'AL32UTF8',
),
'service_manager' => array(
'factories' => array(
zf2-tutorial/config/autoload/local.php:
return array(
'db' => array(
- 'username' => 'YOUR USERNAME HERE',
- 'password' => 'YOUR USERNAME HERE',
+ 'username' => 'ZF2',
+ 'password' => 'WELCOME',
),
// Whether or not to enable a configuration cache.
// If enabled, the merged configuration will be cached and used in
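Review bot: The added 'username' and 'password' lines put a working credential, ZF2 / WELCOME, directly into local.php, and it is the same password the schema script sets with IDENTIFIED BY WELCOME. Give the ZF2 account a non-default password, keep the placeholder values in anything that is shared or committed, and make sure config/autoload/local.php stays out of version control.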
Attribute & Index Changes
The rest of the application changes are just to handle the case of the Oracle identifiers correctly.
zf2-tutorial/module/Album/Module.php
$dbAdapter = $sm->get('Zend\Db\Adapter\Adapter');
$resultSetPrototype = new ResultSet();
$resultSetPrototype->setArrayObjectPrototype(new Album());
- return new TableGateway('album', $dbAdapter, null, $resultSetPrototype);
+ return new TableGateway('ALBUM', $dbAdapter, null, $resultSetPrototype);
},
),
);
zf2-tutorial/module/Album/view/album/album/add.phtml
$form->prepare();
echo $this->form()->openTag($form);
-echo $this->formHidden($form->get('id'));
-echo $this->formRow($form->get('title'));
-echo $this->formRow($form->get('artist'));
+echo $this->formHidden($form->get('ID'));
+echo $this->formRow($form->get('TITLE'));
+echo $this->formRow($form->get('ARTIST'));
echo $this->formSubmit($form->get('submit'));
echo $this->form()->closeTag();
zf2-tutorial/module/Album/view/album/album/delete.phtml
<h1><?php echo $this->escapeHtml($title); ?></h1>
<p>Are you sure that you want to delete
-'<?php echo $this->escapeHtml($album->title); ?>' by
-'<?php echo $this->escapeHtml($album->artist); ?>'?
+'<?php echo $this->escapeHtml($album->TITLE); ?>' by
+'<?php echo $this->escapeHtml($album->ARTIST); ?>'?
</p>
<?php
$url = $this->url('album', array(
'action' => 'delete',
- 'id' => $this->id,
+ 'id' => $this->ID,
));
?>
<form action="<?php echo $url; ?>" method="post">
<div>
- <input type="hidden" name="id" value="<?php echo (int) $album->id; ?>" />
+ <input type="hidden" name="id" value="<?php echo (int) $album->ID; ?>" />
<input type="submit" name="del" value="Yes" />
<input type="submit" name="del" value="No" />
</div>
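Review bot: In the url() call and the hidden input, the route parameter key and the POST field name stay lowercase ('id', name="id") while the view variable becomes $this->ID, so the template now carries two spellings for one value. The view variable is not a database identifier; it exists only because the controller returns it, so it could stay $this->id and the controller's return array could be left untouched. If it is renamed anyway, every action that renders this view has to return 'ID', otherwise $this->ID is unset and the form action URL is built with a null id.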
zf2-tutorial/module/Album/view/album/album/edit.phtml
'album',
array(
'action' => 'edit',
- 'id' => $this->id,
+ 'id' => $this->ID,
)
));
$form->prepare();
echo $this->form()->openTag($form);
-echo $this->formHidden($form->get('id'));
-echo $this->formRow($form->get('title'));
-echo $this->formRow($form->get('artist'));
+echo $this->formHidden($form->get('ID'));
+echo $this->formRow($form->get('TITLE'));
+echo $this->formRow($form->get('ARTIST'));
echo $this->formSubmit($form->get('submit'));
echo $this->form()->closeTag();
zf2-tutorial/module/Album/view/album/album/index.phtml
</tr>
<?php foreach ($albums as $album) : ?>
<tr>
-<td><?php echo $this->escapeHtml($album->title);?></td>
-<td><?php echo $this->escapeHtml($album->artist);?></td>
+<td><?php echo $this->escapeHtml($album->TITLE);?></td>
+<td><?php echo $this->escapeHtml($album->ARTIST);?></td>
<td>
<a href="<?php echo $this->url('album',
- array('action'=>'edit', 'id' => $album->id));?>">Edit</a>
+ array('action'=>'edit', 'id' => $album->ID));?>">Edit</a>
<a href="<?php echo $this->url('album',
- array('action'=>'delete', 'id' => $album->id));?>">Delete</a>
+ array('action'=>'delete', 'id' => $album->ID));?>">Delete</a>
</td>
</tr>
<?php endforeach; ?>
zf2-tutorial/module/Album/src/Album/Model/Album.php
class Album
{
- public $id;
- public $artist;
- public $title;
+ public $ID;
+ public $ARTIST;
+ public $TITLE;
protected $inputFilter;
public function exchangeArray($data)
{
- $this->id = (!empty($data['id'])) ? $data['id'] : null;
- $this->artist = (!empty($data['artist'])) ? $data['artist'] : null;
- $this->title = (!empty($data['title'])) ? $data['title'] : null;
+ $this->ID = (!empty($data['ID'])) ? $data['ID'] : null;
+ $this->ARTIST = (!empty($data['ARTIST'])) ? $data['ARTIST'] : null;
+ $this->TITLE = (!empty($data['TITLE'])) ? $data['TITLE'] : null;
}
public function getArrayCopy()
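Review bot: In exchangeArray(), the !empty($data['ID']) style lookups fall back to null when the key is missing, so an array whose keys are still lowercase (a form or test that was not updated, for instance) hydrates an Album with all three properties null and raises no error. Since this patch changes the expected key case everywhere, either normalise the keys here or fail loudly when none of ID, ARTIST and TITLE is present, and add a short comment saying the uppercase names mirror the Oracle column metadata.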
and
$factory = new InputFactory();
$inputFilter->add($factory->createInput(array(
- 'name' => 'id',
+ 'name' => 'ID',
'required' => true,
'filters' => array(
array('name' => 'Int'),
and
)));
$inputFilter->add($factory->createInput(array(
- 'name' => 'artist',
+ 'name' => 'ARTIST',
'required' => true,
'filters' => array(
array('name' => 'StripTags'),
and
)));
$inputFilter->add($factory->createInput(array(
- 'name' => 'title',
+ 'name' => 'TITLE',
'required' => true,
'filters' => array(
array('name' => 'StripTags'),
zf2-tutorial/module/Album/src/Album/Model/AlbumTable.php
public function getAlbum($id)
{
$id = (int) $id;
- $rowset = $this->tableGateway->select(array('id' => $id));
+ $rowset = $this->tableGateway->select(array('ID' => $id));
$row = $rowset->current();
if (!$row) {
throw new \Exception("Could not find row $id");
and
public function saveAlbum(Album $album)
{
$data = array(
- 'artist' => $album->artist,
- 'title' => $album->title,
+ 'ARTIST' => $album->ARTIST,
+ 'TITLE' => $album->TITLE,
);
- $id = (int)$album->id;
+ $id = (int)$album->ID;
if ($id == 0) {
$this->tableGateway->insert($data);
} else {
if ($this->getAlbum($id)) {
- $this->tableGateway->update($data, array('id' => $id));
+ $this->tableGateway->update($data, array('ID' => $id));
} else {
throw new \Exception('Form id does not exist');
}
and
public function deleteAlbum($id)
{
- $this->tableGateway->delete(array('id' => $id));
+ $this->tableGateway->delete(array('ID' => $id));
}
}
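Review bot: deleteAlbum() passes $id to delete(array('ID' => $id)) without the (int) cast that getAlbum() and saveAlbum() apply before using the value. Cast it here as well, for example array('ID' => (int) $id), so that all three methods treat the identifier the same way and a non-numeric value never reaches the comparison against the NUMBER column.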
zf2-tutorial/module/Album/src/Album/Form/AlbumForm.php
parent::__construct('album');
$this->setAttribute('method', 'post');
$this->add(array(
- 'name' => 'id',
+ 'name' => 'ID',
'type' => 'Hidden',
));
$this->add(array(
- 'name' => 'title',
+ 'name' => 'TITLE',
'type' => 'Text',
'options' => array(
'label' => 'Title',
),
));
$this->add(array(
- 'name' => 'artist',
+ 'name' => 'ARTIST',
'type' => 'Text',
'options' => array(
'label' => 'Artist',
zf2-tutorial/module/Album/src/Album/Controller/AlbumController.php
}
return array(
- 'id' => $id,
+ 'ID' => $id,
'form' => $form,
);
}
and
}
return array(
- 'id' => $id,
+ 'ID' => $id,
'album' => $this->getAlbumTable()->getAlbum($id)
);
}
When you create applications from scratch it will be straightforward to get it all working.
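The failure mode behind all of the edits above, as an added example (not code from the tutorial or from Zend Framework): a model hydrated with keys in the wrong case ends up with null fields rather than an error. AlbumRow and its method names are hypothetical, the arrays are constructed samples, and the key-normalising variant is an alternative to renaming every index, not what this post does.

```php
<?php
// Added example: not from the ZF2 tutorial or Zend Framework itself.
// AlbumRow and its methods are hypothetical names; the arrays further
// down are constructed samples of the shapes the post describes.

final class AlbumRow
{
    // Column names in the case Oracle reports for unquoted identifiers.
    const COLUMNS = ['ID', 'ARTIST', 'TITLE'];

    public $ID;
    public $ARTIST;
    public $TITLE;

    // Same lookup style as the tutorial's exchangeArray(): a key in the
    // wrong case is simply "not set", so the property becomes null.
    public function exchangeArrayStrict(array $data)
    {
        foreach (self::COLUMNS as $col) {
            $this->$col = !empty($data[$col]) ? $data[$col] : null;
        }
    }

    // Case-tolerant variant: fold keys to uppercase first, and refuse
    // input where two keys differ only by case (one would silently win).
    public function exchangeArrayNormalized(array $data)
    {
        $upper = array_change_key_case($data, CASE_UPPER);
        if (count($upper) !== count($data)) {
            throw new InvalidArgumentException(
                'Input has keys that differ only by case'
            );
        }
        $this->exchangeArrayStrict($upper);
    }

    // True when no column was populated: the symptom of a case mismatch.
    public function isBlank()
    {
        return $this->ID === null
            && $this->ARTIST === null
            && $this->TITLE === null;
    }
}

// Constructed sample: keys as Oracle reports them for the ALBUM table.
$oracleRow = ['ID' => '2', 'ARTIST' => 'Adele', 'TITLE' => '21'];

// Constructed sample: a form still using the MySQL tutorial's field names.
$legacyPost = ['id' => '2', 'artist' => 'Adele', 'title' => '21', 'submit' => 'Go'];

// Constructed sample: the same column supplied twice in different case.
$ambiguous = ['id' => '2', 'ID' => '7', 'TITLE' => '21'];

$album = new AlbumRow();

$album->exchangeArrayStrict($oracleRow);
printf("strict, uppercase keys:     blank=%s\n", var_export($album->isBlank(), true));

$album->exchangeArrayStrict($legacyPost);
printf("strict, lowercase keys:     blank=%s\n", var_export($album->isBlank(), true));

$album->exchangeArrayNormalized($legacyPost);
printf("normalized, lowercase keys: blank=%s, TITLE=%s\n",
    var_export($album->isBlank(), true), var_export($album->TITLE, true));

try {
    $album->exchangeArrayNormalized($ambiguous);
} catch (InvalidArgumentException $e) {
    printf("ambiguous input rejected: %s\n", $e->getMessage());
}
```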
Virtual Sleuthing with GeoGuessr
I don’t normally pay much attention to games, but after GeoGuessr showed up in both the Verge and Kottke.org, I took notice.
It’s a very simple, but difficult game. GeoGuessr drops you into a random place that Google has mapped with Street View, but without any metadata, just the images Google captured. You can navigate around, using the usual Street View controls, and the object is simple: figure out where in the World you are.
Simple, right?
Sometimes, yes. If you land in a populated area, with signs and businesses.
Not so simple if you land somewhere remote, like this round, where I landed on a tiny island. You’ll notice there weren’t any controls. This island was small enough to map with one look around, no walking needed. Off to the left, there’s a helicopter, indicating how Google managed to get to this remote island.
That’s pretty much it. There are points awarded for guesses, but without leaderboards or any other traditional game mechanics, it’s just a fun test of your detective and geographic skills.
SQL Plan Stability and CBO Statistics Myths Busted
Carlos Sierra:
Since lack of Histograms or freezing CBO Statistics do not guarantee Plan Stability, do not rely on these two myths. If what you are looking for is Plan Stability use then SQL Plan Management available since 11g or SQL Profiles available from 10g.
© Eddie Awad's Blog, 2013. | Topic: Oracle | Tags: performance
Big data challenges can be overcome with the right skills, tools
Big data analysis has come to play a major role in providing enterprises with a competitive advantage. However, many firms are still struggling to effectively manage and mine these large caches of information, which are only continuing to grow, integrating new sources and formats that complicate the process. As a result, businesses need to deploy the skills of database experts in efforts to fuel more accurate and efficient decision-making.
Network World reported that a recent panel discussion at Interop in Las Vegas discussed the immense potential opportunities that come with big data analysis. According to the news source, these initiatives enable companies to gain a new level of visibility into current operations and tailor products and services based on consumer trends. And as new data storage, analytics and visualization tools emerge, enterprises have the chance to understand this information more easily than before. Bruno Aziza, vice president of marketing for SiSense, explained that the market for big data has been growing, forcing more enterprises both small and large to take notice.
"Businesses are starting to take control of the issue and figure out how they can use it," Aziza said, according to Network World.
He noted that due to the expanding amount of data available to businesses and advanced platforms for handling it, firms of all sizes can capitalize on the benefits of these analytics.
Breaking down barriers
Enterprise Apps Today reported there are still obstacles to big data implementation, however. In order to move beyond these roadblocks, firms need to adapt to demands for new skills, develop a clear plan for these projects, achieve more synchronized strategies between IT and other departments and deploy the latest solutions for handling analysis. The source explained that by "reskilling," enterprises can better train IT teams to utilize new technologies as well as empower other areas of the company to apply these analytics. This is a complicated process, however, and may require remote dba services for support. Enterprise Apps Today pointed out that IT needs to understand how to handle sensor-derived or unstructured data, such as social media information and other external sources. Unstructured sources could include smartphone photos or GPS tracking data, and are often the most valuable for providing companies with insight into customers.
The real advantages of big data come with customization, however. With support and guidance, firms can automate unnecessary tasks and engage in new ways with customers using in-depth analytics and searches that are tailored to address specific issues or concerns.
RDX's business intelligence and big data experts assist customers in leveraging data contained in large data stores. For more information, please visit our Business Intelligence and Predictive Analytics pages or contact us.
Adobe Fireworks Colour Picker Problem on Mac OS X Mountain Lion
I’ve had a problem with Adobe Fireworks CS5 ever since upgrading to a Retina Display MacBook. The problem is that the eye-dropper colour picker tool just doesn’t work any more. At all. Very frustrating.
I came across a very simple workaround today which can be found here:
http://simianstudios.com/blog/post/colour-picker-bug-workaround-for-adobe-fireworks-cs4-in-os-x-lion
Naming Members in vFabric SQLFire
sqlfire.properties
# sqlfire.properties for data store or accessor member
license-serial-number=XXXXXXXXXXX
name=server1
Note: The same can be done with GemFire as well.
Then when the system is up the ID for each system member includes the given name as shown below.
sqlf> select substr(id, 1 , 35) as "Member" from sys.members;
Member
-----------------------------------
172.16.62.1(server2:38971)<v2>:4265
172.16.62.1(server1:38970)<v1>:1660
127.0.0.1(38744):29535

3 rows selected
IT demonstrates immense opportunities and challenges to adopting trends
Due to the emergence of new mobile devices, the proliferation of cloud computing and other complexities contributing to the "Internet of Things," many enterprises have had to overhaul IT departments to meet new needs and objectives. However, a growing skills gap has left many firms unable to capitalize on the advantages of these IT trends. By leveraging remote dba services, enterprises can support effective database administration and ensure the analytical and operational benefits of these new solutions are realized.
According to research by TechServe Alliance, IT employment has grown 5.1 percent since April 2012, totaling 4,424,200 jobs as of last month.
"I am pleased to see demand for IT professionals remains very strong," said TechServe Alliance CEO Mark Roberts. "With April's numbers, IT employment has grown for the 17th consecutive month hitting yet another all-time high. IT continues to handily outperform most other sectors with an annual growth rate of more than three times the growth rate of the general workforce."
Meeting new demands
But there are more factors that are driving complications in IT staffing. A Cisco study revealed that as businesses increase the number of new application rollouts, IT organizations face challenges to aligning network strategies to fulfill the requirements of the business. Cisco's research found that while 63 percent of IT professionals are confident in their ability to respond to business needs, almost one-third still cited very limited visibility into the company's initiatives. This lack of understanding has the potential to greatly hinder any possible positive impact from new technology-related projects.
Survey participants ranked cloud readiness (29 percent) as the most important network initiative in the coming year, followed by "converging IT technology and operations technology" (28 percent) and data center consolidation and virtualization (27 percent). When asked about what main factors were slowing new application rollouts, most cited the budget, while 26 percent claimed data center infrastructure readiness was hindering these efforts.
"More than ever, IT has the potential to make a profound impact on the business – and opportunity to act as a strategic partner – by building a network architecture that can leverage multiple technology transitions," said Rob Soderbery, senior vice president and general manager for Cisco Enterprise Networking Group.
By working with a reputable IT services provider, enterprises can ready the network for bring-your-own-device (BYOD), cloud migration and any other trend that can promote a competitive advantage, all without the risk of business interruptions during the deployment process.
RDX is a leading provider of advanced remote database management and monitoring solutions. For more information about database administration and management, please visit our Services page or contact us.
Clustering Factor Calculation Improvement Part II (Blocks On Blocks)
Exalytics - Now with 2.4 Tb of Flash

While I haven't seen one in action yet, the flash pack seems to be 6 Sun Flash Accelerator F40 PCIe Cards each of which has a capacity of 400 Gb. These cards run amazingly fast with read times of more than 2 GB/second (write time is about half that speed at 1+ GB/second). These cards normally sell for almost $6K each, so Oracle is providing the flash add-on pack for no more markup than you'd get if you bought them on your own (but you'd then have to get them into the Exalytics machine all on your own).
This Matters If You Own Essbase
Why would you want this? Essbase, primarily. Essbase uses a ton of disk I/O and one of the ways Exalytics can speed up Essbase is by pulling your cubes into a RAMDisk (since you have 1 Tb of RAM to play with). At some point, though, it has to get that data from physical drives to a RAMDisk (unless you're building all your cubes at start up in memory each time). Having blazingly speedy flash drives with .25 millisecond read latency allows you to store your cubes on the flash drive and then pull into RAM much more quickly than reading from traditional drives.
We have tested Essbase running on flash drives and it helps everything (particularly minimizes the negative effects of fragmentation since seek time drops to basically nothing on flash). For customers buying Exalytics primarily for Essbase, the Exalytics Flash Upgrade Kit should be strongly considered with every Exalytics purchase (and if you already own Exalytics, buy it to put on top).
OBIEE is much less affected by hard drives, so while it may help OBIEE, this really matters a lot more to Essbase customers.
Oracle EPM Fully Supported on Exalytics
Since we're on the subject of Exalytics, now that 11.1.2.3 is out, all Oracle EPM/Hyperion components certified to run on Linux will run on Exalytics PS2. These include:
- Administration Services
- Calculation Manager
- EPM Workspace
- Essbase Server
- Essbase Studio Server
- Financial Reporting
- Interactive Reporting (32-bit only)
- Oracle HTTP Server
- Planning
- Profitability and Cost Management
- Production Reporting (32-bit only)
- Provider Services
- Reporting and Analysis Framework Services and Web Application
- Shared Services
- Web Analysis
I Love Standards…There Are So Many Of Them
The title is not an original bon mot by me – it’s been said often, by others, and by many with more experience than I have in developing standards. It is with mixed emotions that I feel compelled to talk about a (generally good and certainly well-intentioned) standards organization: the US National Institute of Standards and Technology (NIST). I should state at the outset that I have a lot of respect for NIST. In the past, I have even urged a Congressional committee (House Science and Technology, if memory serves) to try to allocate more money to NIST for cybersecurity standards work. I’ve also met a number of people who work at NIST – some of whom have since left NIST and brought their considerable talents to other government agencies, one of whom I ran into recently and mentioned how I still wore a black armband years after he had left NIST because he had done such great work there and I missed working with him. All that said, I’ve seen a few trends at NIST recently that are – of concern.
When in Doubt, Hire a Consultant
I’ve talked in other blog entries about the concern I have that so much of NIST’s outwardly-visible work seems to be done not by NIST but by consultants. I’m not down on consultants for all purposes, mind you – what is having your tires rotated and your oil changed except “using a car consultant?” However, in the area of developing standards or policy guidance it is of concern, especially when, as has been the case recently, the number of consultants working on a NIST publication or draft document is greater than the number of NIST employees contributing to it. There are business reasons, often, to use consultants. But you cannot, should not, and must not “outsource” a core mission, or why are you doing it? This is true in spades for government agencies. Otherwise, there is an entire beltway’s worth of people just aching to tell you about a problem you didn’t know you had, propose a standard (or regulation) for it, write the standard/regulation, interpret it and “certify” that Other Entities meet it. To use a song title, “Nice Work If You Can Get It.”* Some recent consultant-heavy efforts are all over the map, perhaps because there isn’t a NIST employee to say, "you say po-TAY-to, I say po-TAH-to, let's call the whole thing off." ** (Or at least make sure the potato standard is Idaho russet – always a good choice.)
Another explanation – not intentionally sinister but definitely a possibility – is that consultants’ business models are often tied to repeat engagements. A short, concise, narrowly-tailored and readily understandable standard isn’t going to generate as much business for them as a long, complex and “subject to interpretation – and five people will interpret this six different ways” – document.
In short: I really don’t like reading a document like NISTIR 7622 (more on which below) where most of the people who developed it are consultants. NIST’s core mission is standards development: NIST needs to own their core mission and not farm it out.
Son of FISMA
I have no personal experience with the Federal Information Security Management Act of 2002 (FISMA) except the amount of complaining I hear about it second hand, which is considerable. The gist of the complaints is that FISMA asks people to do a lot of stuff that looks earnestly security oriented, not all of which is equally important.
Why should we care? To quote myself (in an obnoxiously self-referential way): “time, money and (qualified security) people are always limited.” That is, the more security degenerates into a list of the 3000 things you Must Do To Appease the Audit Gods, the less real security we will have (really, who keeps track of 3000 Must Dos, much less does them? It sounds like a demented Girl Scout merit badge). And, in fact, the one thing you read about FISMA is that many government agencies aren’t actually compliant because they missed a bunch of FISMA checkboxes. Especially since knowledgeable resources (that is, good security people) are limited, it’s much better to do the important things well than maintain the farce that you can check 3000 boxes, which certainly cannot all be equally important. (It’s not even clear how many of these requirements contribute to actual security as opposed to supporting the No Auditor Left Behind Act.)
If the scuttlebutt I hear is accurate, the only thing that could make FISMA worse is – you guessed it – adding more checkboxes. It is thus with considerable regret that I heard recently that NIST updated NIST Special Publication 800-53 (which NIST has produced as part of its statutory responsibilities under FISMA). The Revision 4 update included more requirements in the area of supply chain risk management and software assurance and trustworthiness. Now why would I, a maven of assurance, object to this? Because (a) we already have actual standards around assurance, (b) having FISMA-specific requirements means that pretty much every piece of Commercial Off-the-Shelf (COTS) software will have to be designed and built to be FISMA compliant or COTS software/hardware vendors can’t sell into the Federal government and (c) we don’t want a race by other governments to come up with competing standards, to the point where we’re checking not 3000 but 9000 or 12000 boxes and probably can’t come up with a single piece of COTS globally let alone one that meets all 12000 requirements. (Another example is the set of supply chain/assurance requirements in the telecom sector in India that include a) asking for details about country of origin and b) specific contractual terms that buyers anywhere in the supply chain are expected to use. An unintended result is that a vendor will need to (a) disclose sensitive supply chain data (which itself may be a trade secret) and (b) modify processes around global COTS to sell into one country.)
Some of the new NIST guidance is problematic for any COTS supplier. To provide one example, consider:
“The artifacts generated by these development activities (e.g., functional specifications, high-level/low-level designs, implementation representations [source code and hardware schematics], the results from static/dynamic testing and code analysis (emphasis mine)) can provide important evidence that the information systems (including the components that compose those systems) will be more reliable and trustworthy. Security evidence can also be generated from security testing conducted by independent, accredited, third-party assessment organizations (e.g., Common Criteria Testing Laboratories (emphasis mine), Cryptographic/Security Testing Laboratories, and other assessment activities by government and private sector organizations.)”
For a start, to the extent that components are COTS, such “static testing” is certainly not going to happen by a third party nor will the results be provided to a customer. Once you allow random customers – especially governments – access to your source code or to static analysis results, you might as well gift wrap your code and send it to a country that engages in industrial espionage, because no vendor, having agreed to this for one government, will ever be able to say no to Nation States That Steal Stuff. (And static analysis results, to the extent some vulnerabilities are not fixed yet, just provide hackers a road map for how and where to break in.) Should vendors do static analysis themselves? Sure, and many do. It’s fair for customers to ask whether this is done, and how a supplier ensures that the worst stuff is fixed before the supplier ships product. But it is worth noting – again – that if these tools were easy to use and relatively error free, everyone would be at a high level of tools usage maturity years ago. Using static analysis tools is like learning Classic Greek – very hard, indeed. (OK, koinic Greek isn’t too bad but Homeric Greek or Linear B, fuhgeddabout it.)
With reference to the Common Criteria (CC), the difficulty now is that vendors have a much harder time doing CC evaluations than in the past because of other forces narrowing CC evaluations into a small set of products that have Protection Profiles (PPs). The result has been and will be for the foreseeable future – fewer evaluated products. The National Information Assurance Partnership (NIAP) – the US evaluation scheme – has ostensibly good reasons for their “narrowed/focused” CC-directions. But it is more than a little ironic that the NIST 800-53 revision should mention CC evaluations as an assurance measure at a time when the pipeline of evaluated products is shrinking, in large part due to the directions taken by another government entity (NIAP). What is industry to make of this apparent contradiction? Besides corporate head scratching, that is.
There are other – many other sections – I could comment upon, but one sticks out as worthy of notice:
“Supply chain risk is part of the advanced persistent threat (APT).”
It’s bad enough that “supply chain risk” is such a vague term that it encompasses basically any and all risk of buying from a third party. (Including “buying a crummy product” which is not actually a supply chain-specific risk but a risk of buying any and all products.) Can bad guys try to corrupt the supply chain? Sure. Does that make any and all supply chain risks “part of APT?” Heck, no. We have enough hysteria about supply chain risk and APT without linking them together for Super-Hysteria.
To sum up, I don’t disagree that customers in some cases – and for some, not all applications – may wish higher levels of assurance or have a heightened awareness of cyber-specific supply chain threats (e.g., counterfeiting and deliberate insertion of malware in code). However, incorporation of supply chain provisions and assurance requirements into NIST 800-53 has the unintended effect of requiring any and all COTS products to be sold to government agencies – which is all of them as far as I know – to be subject to FISMA.
What if the state of Idaho decided that every piece of software had to attest to the fact that No Actual Moose were harmed during the production of this software and that any moose used in code production all had background checks? What if every other state enumerated specific assurance requirements and specific supply chain risk management practices? What if they conflict with each other, or with the NIST 800-53 requirements? I mean really, why are these specific requirements called out in NIST 800-53 at all? There really aren’t that many ways to build good software. FISMA as interpreted by NIST 800-53 really, really shouldn’t roll its own.
IT Came from Outer Space – NISTIR 7622
I’ve already opined at length about how bad the NIST Interagency Report (NISTIR) 7622 is. I had 30 pages of comments on the first 80-page draft. The second draft only allowed comments of the Excel Spreadsheet form: “Section A.b, change ‘must’ to ‘should,’ for the reason ‘because ‘must’ is impossible’” and so on. This format didn’t allow for wholesale comments such as “it’s unclear what problem this section is trying to solve and represents overreach, fuzzy definition and fuzzier thinking.” NISTIR 7622 was and is so dreadful that an industry association signed a letter that said, in effect, NISTIR 7622 was not salvageable, couldn’t be edited to something that could work, and needed to be scrapped in toto.
I have used NISTIR 7622 multiple times as a negative example: most recently, to an audience of security practitioners as to why they need to be aware of what regulations are coming down the pike and speak up early and often. I also used it in the context of a (humorous) paper I did at the recent RSA Conference with a colleague, the subject of which was described as “doubtless-well-intentioned legislation/regulation-that-has-seriously-unfortunate-yet-doubtless-unintended-consequences.” That’s about as tactful as you can get.
Alas, Dracula does rise from the grave,*** because I thought I heard noises at a recent Department of Homeland Security event that NISTIR 7622 was going to move beyond “good advice” and morph into a special publication. (“Run for your lives, store up garlic and don’t go out after dark without a cross!”) The current version of NISTIR 7622 – after two rounds of edits and heaven knows how many thousands of hours of scrutiny – is still unworkable, overscoped and completely unclear: you have a better chance of reading Linear B**** than understanding this document (and for those who don’t already know, Linear B is not merely “all Greek to me” – it’s actually all Greek to anybody). Ergo, NISTIR 7622 needs to die the true death: the last thing anyone should do with it is make a special publication out of it. It’s doubling down on dreck. Make it stop. Now. Please.
NIST RFI
The last section is, to be fair, not really about NIST per se. NIST has been tasked, by virtue of a recent White House Executive Order, with developing a framework for improving cybersecurity. As part of that tasking, NIST has published a Request For Information (RFI) seeking industry input on said framework. NIST has also scheduled several meetings to actively draw in thoughts and comments from those outside NIST. As a general rule, and NISTIR 7622 notwithstanding, NIST is very good at eliciting and incorporating feedback from a broad swath of stakeholders. It’s one of their strengths and one of the things I like about them. More importantly, I give major kudos to NIST and its Director Pat Gallagher for forcefully making the point that NIST would not interfere with IT design, development and manufacture, in the speech he gave when he kicked off NIST’s work on the Framework: “the Framework must be technology neutral and it must enable critical infrastructure sectors to benefit from a competitive [technology] market. (…) In other words, we will not be seeking to tell industry how to build your products or how to run your business.”
The RFI responses are posted publicly and are, well, all over the map. What is concerning to me is the apparent desire of some respondents to have the government tell industry how to run their businesses. More specifically, how to build software, how to manage supply chain risk, and so forth. No, no, and no. (Maybe some of the respondents are consultants lobbying the government to require businesses to hire these consultants to comply with this or that mandate.)
For one thing, “security by design” concepts have already been working their way into development for a number of years: many companies are now staking their reputations on the security of their products and services. Market forces are working. Also, it’s a good time to remind people that more transparency is reasonable – for example, to enable purchasers to make better risk-based acquisition decisions – but when you buy COTS you don’t get to tell the provider how to build it. That’s called “custom code” or “custom development.” Just like, I don’t get to walk into <insert name of low-end clothing retailer here> and tell them, that I expect my “standard off-the-shelf blue jeans” to ex post facto be tailored to me specifically, made of “organic, local and sustainable cotton” (leaving aside the fact that nobody grows cotton in Idaho), oh, and embroidered with not merely rhinestones but diamonds. The retailer’s response should be “pound sand/good luck with that.” It’s one thing to ask your vendor “tell me what you did to build security into this product” and “tell me how you help mitigate counterfeiting” but something else for a non-manufacturing entity – the government – to dictate exactly how industry should build products and manage risk. Do we really want the government telling industry how to build products? Further, do we really want a US-specific set of requirements for how to build products for a global marketplace? What’s good for the (US) goose is good for the (European/Brazilian/Chinese/Russian/Indian/Korean/name your foreign country) gander.
An illustrative set of published responses to the NIST RFI – and my response to the response – follows:
1. “NIST should likewise recognize that Information Technology (IT) products and services play a critical role in addressing cybersecurity vulnerabilities, and their exclusion from the Framework will leave many critical issues unaddressed.”
Comment: COTS is general purpose software and not built for all threat environments. If I take my regular old longboard and attempt to surf Maverick’s on a 30 foot day and “eat it,” as I surely will, not merely because of my lack of preparation for 30-foot waves but because you need, as every surfer knows, a “rhino chaser” or “elephant gun” board for those conditions, is it the longboard shaper’s fault? Heck, no. No surfboard is designed for all surf conditions; neither is COTS designed for all threat environments. Are we going to insist on products designed for one-size-fits-all threat conditions? If so, we will all, collectively, “wipe out.” (Can’t surf small waves well on a rhino chaser. Can’t walk the board on one, either.)
Nobody agrees on what, precisely, constitutes critical infrastructure. Believe it or not, some governments appear to believe that social media should be part of critical national infrastructure. (Clearly, the World As We Know It will come to an end if I can’t post a picture of my dog Koa on Facebook.) And even if certain critical infrastructure functions – say, power generation – depend on COTS hardware and software, the surest way to weaken their security is to apply an inflexible and country-specific regulatory framework to that COTS hardware and software. We have an existing standard for the evaluation of COTS IT, it’s called the Common Criteria (see below): let’s use it rather than reinvent the digital wheel.
2. “Software that is purchased or built by critical infrastructure operators should have a reasonable protective measures applied during the software development process.”
Comment: Thus introducing an entirely new and undefined term into the assurance lexicon: “protective measures.” I’ve worked in security – actually, the security of product development – for 20 years and I have no idea what this means. Does it mean that every product should self defend? I confess, I rather like the idea of applying the Marine Corps ethos – “every Marine a rifleman” – to commercial software. Every product should understand when it is under attack and every product should self-defend. It is a great concept but we do not, as an industry, know how to do that - yet. Does “protective measures” mean “quality measures?” Does it mean “standard assurance measures?” Nobody knows. And any term that is this nebulous will be interpreted by every reader as Something Different.
3. “Ultimately, <Company X> believes that the public-private establishment of baseline security assurance standards for the ICT industry should cover all key components of the end-to-end lifecycle of ICT products, including R&D, product development, procurement, supply chain, pre-installation product evaluation, and trusted delivery/installation, and post-installation updates and servicing.”
Comment: I can see the religious wars over tip-of-tree vs. waterfall vs. agile development methodologies. There is no single development methodology, there is no single set of assurance practices that will work for every organization (for goodness’ sake, you can’t even find a single vulnerability analysis tool that works well against all code bases).
Too many in government and industry cannot express concerns or problem statements in simple, declarative sentences, if at all. They don’t, therefore, have any business attempting to standardize how all commercial products are built (what problem will this solve, exactly?). Also, if there is an argument for baseline assurance requirements, it certainly can’t be for everything, or are we arguing that “FindEasyRecipes.com” is critical infrastructure and needs to be built to withstand hostile nation state attacks that attempt to steal your brioche recipe if not tips on how to get sugar to caramelize at altitude?
4. “Application of this technique to the Common Criteria for Information Technology Security Evaluation revealed a number of defects in that standard. The journal Information and Software Technology will soon publish an article describing our technique and some of the defects we found in the Common Criteria.”
Comment: Nobody ever claimed the Common Criteria was perfect. What it does have going for it is a) it’s an ISO standard and b) by virtue of the Common Criteria Recognition Arrangement (CCRA), evaluating once against the Common Criteria gains you recognition in 20-some other countries. Putting it differently, the quickest way to make security much, much worse is to have a Balkanization of assurance requirements. (Taking a horse and jumping through mauve, pink, and yellow hoops doesn’t make the horse any better, but it does enrich the hoop manufacturers, quite nicely.) In the security realm, doing the same thing four times doesn’t give you four times the security, it reduces security by four times, as limited (skilled) resource goes to doing the same thing four different ways. If we want better security, improve the Common Criteria and, by the way, major IT vendors and the Common Criteria national schemes – which come from each CCRA member country’s information assurance agency, like the NSA in the US – have been hard at work for the last few years applying their considerable security expertise and resources to do just that. Having state-by-state or country-by-country assurance requirements will make security worse – much, much worse.
5. “…vendor adoption of industry standard security models. In addition, we also believe that initiatives to motivate vendors to more uniformly adopt vulnerability and log data categorization, reporting and detection automation ecosystems will be a significant step in ensuring security tools can better detect, report and repair security vulnerabilities.”
Comment: There are so many flaws in this, one hardly knows where to start. There are existing vulnerability “scoring” standards – namely, the Common Vulnerability Scoring System (CVSS), ***** though there are some challenges with it, such as the fact that the value of the data compromised should make a difference in the score: a “breach” of Aunt Gertrude’s Whiskey Sauce Recipe is not, ceteris paribus, as dire as a breach of Personally Identifiable Information (PII) if for no other reason than a company can incur large fines for the latter, far exceeding Aunt Gertrude’s displeasure at the former. Even if she cuts you out of her will.
Also, there is work going on to standardize descriptions of product vulnerabilities (that is, the format and type). However, not all vendors release the exact same amount of information when they announce security vulnerabilities and should not be required to. Oracle believes that it is not necessary to release either exploit code or the exact type of vulnerability; e.g., buffer overflow, cross-site request forgery (CSRF) or the like because this information does not help customers decide whether to apply a patch or not: it merely enables hackers to break into things faster. Standardize how you refer to particular advisory bulletin elements and make them machine readable? Sure. Insist on dictating business practices (e.g., how much information to release) – heck, no. That’s between a vendor and its customer base. Lastly, security tools cannot, in general “repair” security vulnerabilities – typically, only patch application can do that.
6. “All owners and operators of critical infrastructure face risk from the supply chain. Purchasing hardware and software potentially introduce security risk into the organization. Creation of a voluntary vendor certification program may help drive innovation and better security in the components that are essential to delivery of critical infrastructure services.”
Comment: The insanity of the following comment astounds: “Purchasing hardware and software potentially introduce security risk into the organization.” News flash: all business involves “risk.” Not doing something is a risk. So, what else is new? Actually, attempting to build everything yourself also involves risk – not being able to find qualified people, the cost (and ability) to maintain a home-grown solution, and so forth. To quote myself again: “Only God created something from nothing: everyone else has a supply chain.”****** In short, everyone purchases something from outside their own organization. Making all purchases into A Supply Chain Risk as opposed to, say, a normal business risk is silly and counterproductive. It also makes it far less likely that specific, targeted supply chain threats can be addressed at all if “buying something – anything – is a risk” is the threat definition.
At this point, I think I’ve said enough. Maybe too much. Again, I appreciate NIST as an organization and as I said above the direction they have set for the Framework (not to $%*& with IT innovation) is really to their credit. I believe NIST needs to in-source more of their standards/policy development, because it is their core mission and because consultants have every incentive to create perpetual work for themselves (and none whatsoever to be precise and focused). NIST should adopt a less-is-more mantra vis-a-vis security. It is better to ask organizations to do a few critical things well than to ask them to do absolutely everything – with not enough resource (which is a collective industry problem and not one likely to be solved any time soon). Lastly, we need to remember that we are a proud nation of innovators. Governments generally don’t do well when they tell industry how to do their core mission – innovate – and, absent a truly compelling public policy argument for so doing, they shouldn’t try.
*”Nice Work If You Can Get It,” lyrics by Ira Gershwin, music by George Gershwin. Don’t you just love Gershwin?
** “Let’s Call The Whole Thing Off.” Another gem by George and Ira Gershwin.
*** Which reminds me – I really hate the expression “there are no silver bullets.” Of course there are silver bullets. How many vampires and werewolves do you see wandering around?
****Speaking of which, I just finished a fascinating if short read: The Man Who Deciphered Linear B: The Story of Michael Ventris.
*****CVSS is undergoing revision.
****** If you believe the account in Genesis, that is.
Introduction to the BI Apps 11.1.1.7.1 – Use of ODI11g for ETL
In the two previous postings in this series on the Oracle BI Apps 11.1.1.7.1, we looked at the release at a high-level, and then at the product architecture including the new configuration and functional setup tools. From a technology and developer perspective though probably the most interesting thing about this new release is its use of Oracle Data Integrator as the ETL tool rather than Informatica, and the doing-away with the DAC for load orchestration and monitoring.
This introduction of ODI brings a number of potential benefits to customers and developers and gives Oracle the opportunity to simplify the product architecture, but bear in mind that there’s no migration path from the earlier 7.9.x releases to this version, with Informatica customers instead having to wait until the “patch set 2” version due in the next twelve months; even then, migration between tools won’t be automatic, with existing Informatica-based installations expected to stay on Informatica unless they choose to re-implement using ODI.
So how does ODI work within this new release, and how has the DAC been replaced? Let’s take a look in this final piece in our short series on Oracle BI Apps 11.1.1.7.1, starting by looking at the overall role that ODI plays in the platform architecture.

Existing ODI developers will know that the tool uses two repositories, known as the Master and Work repositories, to store details of data sources and targets, mappings, data models and other aspects of an ETL project. Within the BI Apps these two repositories are stored in a schema called prefix_ODI_REPO, for example DEV_ODI_REPO, and are accompanied by a new schema called prefix_BIACOMP, again for example DEV_BIACOMP. The BIACOMP schema contains tables used by the various new WebLogic-based BI Apps supporting applications, and contain details of the functional setup of the BI Apps, load plans that have been generated and so forth. There’s also another schema called prefix_BIACOMP_IO which is used for read-write access to the BIACOMP schema, and all of these are held in a repository database alongside the usual schemas used for OBIEE, MDS and so forth.
The major difference in using ODI within this environment is that it’s treated as an “embedded” ETL tool, so that in most circumstances you won’t need to use ODI Studio itself to kick-off load plans, monitor their execution, set up sources and targets and so forth. This was the original vision for Informatica within the original BI Apps, but Oracle are able to do this far more effectively with ODI as they own all parts of the tech stack, can alter ODI to make it easier to embed, they’ve got control over ODI’s various metadata APIs and so forth. What this means in practice is that the setup of the ODI topology (to connect to the ERP sources, and the target data warehouse) is done for you via a web-based application called the Oracle BI Applications Configuration Manager, and you can kick-off and then monitor your running ETL jobs from Configuration Manager and from ODI Console, the web-based operator tool that’s been around since the 11g release of ODI. The screenshot below shows Configuration Manager setting up the source database ODI topology entry, with the details that you provide then being pushed through to the ODI master repository:

Setting up a new BI Apps system involves using the Configuration Manager to define the connections through to the various source systems, then select the BI Apps modules (Financial Analytics, for example, and then the various subject areas within it) that you wish to implement. There are then a number of steps you can perform to set up system-wide settings, for example to select default currencies or languages, and then you come to run your first ODI load plan – which in this instance copies settings from your source system into the relevant tables in the BIACOMP schema, performing automatically the task that you had to do via the various domain configuration spreadsheets in the earlier 7.9.x releases – the screenshot below shows this ODI load plan listed out and having run successfully.

You can then view the execution steps and outcome either in ODI Console (embedded within Configuration Manager), or over at ODI Studio, using the Operator navigator.

Moving over to ODI Studio, the folders (or “adapters”) that in Informatica used to hold workflows and mappings for the various source systems, are contained within the BI Apps project within the Work repository and the Designer navigator. In the screenshot below you can also see the Fusion Apps adapter that’s not supported in this particular release, and the ETL Data Lineage adapter that should get enabled in an upcoming patch release.

In the screenshot above you can also see one of the loading tasks, SDE_ORA_APAgingBucketsDimenson, is a package that (were you to expand the Interfaces entry) makes reference to a regular, and also a temporary, interface.

Packages in ODI perform the same role as Informatica workflows in earlier releases of the BI Apps, and each package runs some steps to refresh variables, work out if it’s doing a full or incremental load, and then call the relevant ODI interface. Interfaces in ODI for the BI Apps typically load from other temporary interfaces, with these temporary interfaces performing the role of maplets in the Informatica version of the BI Apps, as you can see in the screenshot on the left below. On the right, you can see the flow for another mapping, along with one of the custom KMs that come as part of the BI Apps 11.1.1.7.1 package.

Individual packages are then assembled into the equivalent of BI Apps 7.9.x “execution plans” through a new JEE application called the Load Plan Generator, which also gets installed into ODI Studio as a plug-in so you can develop new data loading routines away from the full production setup. As you can see in the final screenshot below, these load plans are then visible from within ODI Studio (whether you generated them there, or from Configuration Manager), and like all ODI 11g load plans you can view the outcome of each load plan instance run, restart it if this feature is enabled, and so forth.

So there you have it – how ODI is used within the BI Apps 11.1.1.7.1. I’m going to take a break now as it’s almost time for the Atlanta run of the Rittman Mead BI Forum 2013, but once I’m back in the UK I’ll try and put something together for the blog on pulling together your first ETL run. Until then – have fun with the release.
Political Philosophy
This is going to be a more personal blog post than I typically make here at e-Literate.
The open letter from San José State University’s philosophy department in protest of the edX JusticeX course being taught at SJSU is getting a lot of attention, as is the follow-up statement from the SJSU faculty senate. I have some concerns with both of these letters—particularly the one from the philosophy department—but before I get into them, I’d like to emphasize my points of agreement and solidarity with the department:
- As a former philosophy major and a former teacher of philosophy courses to seventh and eighth graders, I strongly believe that a course in social justice is critical to every American’s education.
- I also strongly agree that, in order for such a course to be effective, it must be up-to-date, relevant to the students, and involve in-depth facilitated discussion.
- I agree that there is a bit of a bait-and-switch going on, possibly unintentionally, with the rhetoric about MOOCs providing superior pedagogy over lecture classes (which is probably somewhat true) and then moving to swap out discussion classes for MOOCs instead.
- I agree that some MOOC fans (though by no means all of them) have simplistic notions of how MOOCs can make university education cheaper without thinking through the consequences either to the quality of education or the fiscal health of the colleges and universities that still provide tremendous value to our nation and our culture.
- I agree that intellectual diversity is very important, particularly when discussing complex issues that are essential to a functioning democracy, and that the potential for an intellectual monoculture is a concern worth taking very seriously.
- While I have no knowledge of the negotiations between edX and SJSU, I strongly agree that such partnerships should be conceived and implemented with active consultation and collaboration with faculty unless there is exceptionally strong justification to do otherwise.
Despite all this common ground on values that are dear to me, I find aspects of the department’s letter to be deeply problematic.
To begin with, there is this:
Good quality online courses and blended courses (to which we have no objections) do not save money, but pre-packaged ones do, and a lot.
That statement is demonstrably false. Good quality online courses and blended courses can, in fact, save money. How do we know? For starters, the National Center for Academic Transformation has a long list of course redesign projects they have been doing in collaboration with colleges and universities since 1999, many of which have achieved substantial cost savings. And some of them actually achieved substantial improvement in outcomes while achieving substantial cost savings. Nor is NCAT alone. There is a growing body of empirically backed academic literature showing that we can teach more students more effectively for less money across a variety of subjects. Some subjects are easier to redesign than others. But cost savings in high-quality courses is possible as a general proposition (and does not require open content licensing, by the way). The SJSU philosophy department’s blanket denial of this possibility is not credible.
As a result, the authors of the letter are also less credible when they write,
In addition to providing students with an opportunity to engage with active scholars, expertise in the physical classroom, sensitivity to its diversity, and familiarity with one’s own students is just not available in a one-size-fits-all blended course produced by an outside vendor….When a university such as ours purchases a course from an outside vendor, the faculty cannot control the design or content of the course; therefore we cannot develop and teach content that fits with our overall curriculum and is based on both our own highly developed and continuously renewed competence and our direct experience of our students’ abilities and needs.
There appears to be a significant disconnect here. On the one hand, the department argues (correctly, in my view) that philosophy students gain great benefit from “the opportunity to engage with active scholars.” On the other hand, they assert that the philosophy department has “expertise in the physical classroom” and a “highly developed and continuously renewed competence” despite the overwhelming likelihood that most of the faculty have not had significant opportunities to engage with active scholars in pedagogy-related fields.
They could have made their case just as effectively without foreclosing the possibility of improving on what they already do. As the letter from the SJSU Faculty Association notes in response to the improved completion rates of the edX course,
The pedagogical infrastructure and work that has gone into the preparation of the edX material could easily be replicated if SJSU made a commitment to pedagogy and made training in pedagogy central to all faculty.
This is a defensible argument that the philosophy department could have made. But it didn’t. Instead, it implicitly denied the existence of the scholarship of teaching and explicitly blamed the university’s financial issues on “industry” for “demanding that public universities devote their resources to providing ready-made employees, while at the same time…resisting paying the taxes that support public education.” The collective effect of these rhetorical moves is to absolve the department of all responsibility for addressing the real problems the university is facing.
By ignoring the scholarship of teaching, the department missed an opportunity to engage the MOOC question in a different way. Rather than thinking of MOOCs as products to be bought or rejected, they could have approached them as experiments in teaching methods that can be validated, refuted, or refined through the collective efforts of a scholarly community. Researchers collaborate across university boundaries all the time. The same can be true in the scholarship of teaching. The faculty could have demanded access to the edX data and the freedom to adjust the course design. The letter authors seem deeply invested in positioning the edX course as something that is locked down from a third-party commercial vendor. But in reality, the edX course is developed by a faculty member and provided by a university-based non-profit entity. Perhaps the department felt that there wasn’t sufficient opportunity in this particular course design to make a request to have a collaboration worthwhile. But their rhetoric gives no indication that there is any room for such exploration under any circumstances, or indeed that the department has anything to learn about use of educational technology that could lead to either improved outcomes or lower costs.
Equally disturbing is the tendency in both letters to dismiss the fiscal crisis as something caused solely by greedy capitalists. It’s worth requoting the earlier referenced comment from the philosophy department letter here:
Industry is demanding that public universities devote their resources to providing ready-made employees, while at the same time they are resisting paying the taxes that support public education.
To begin with, “industry” isn’t alone in demanding that public universities devote their resources to producing employable graduates. Students and their parents are asking for it too, as are individual human taxpayers. On this last point, I am not a Californian, but I understand that individual human taxpayers have an unusually direct say regarding tax rates in the state of California. The purpose of education as a public good is a serious and complicated question that deserves more careful treatment from people who should know better.
Nor are taxes the only issue. While it is true that there has been progressive defunding of public colleges and universities in the United States, it is also true that tuition costs have been rising dramatically across the country in private as well as public schools. And it is true that the public colleges and universities in California in particular are struggling with unanticipated swelling enrollments as they strive to meet the as-yet-unfulfilled moral imperative of universal access to education. Given all of this, it is not a morally defensible position to simply point the finger at the rich guys and say, “It’s their fault. Make them fix it.” To the degree that course redesign can positively impact student access to education, faculty have a moral obligation to be leading the charge. And from a strategic perspective, they are more likely to prevent dumb ideas—such as gutting quality residential education in favor of least-common-denominator, video-driven xMOOCs—from taking hold.
But perhaps the worst aspect of the simplistic finger pointing is the way in which it pollutes the civic discourse. It encourages individual stakeholders to harden into an “us vs. them” position that reduces the likelihood of citizens coming together to solve real, hard problems that are deeply intertwined with issues of social justice. Here’s an example of a comment made on this blog in response to a post about the California SB 520 bill:
Remember that when the Nazis led the people into the gas chamber they told them that it was a refreshing shower after a long train ride. Do not be fooled! This sweet sounding bill is the gas chamber of good education in California. Once we are in the questions will be pointless. As the pellets drop we will realize we should have questioned things sooner.
Setting aside the fact that the only justifiable use of genocide as an analogy is when talking about another genocide, this kind of rhetoric is enormously damaging to the possibility of a productive dialectic regarding how to solve the very real and complicated problems that our system of higher education faces, including both the need to increase access and the complexities of funding that imperative. And, sadly, this comment was written by a member of the SJSU philosophy department.
The post Political Philosophy appeared first on e-Literate.
Parse Time
Dominic Brooks published a note recently about some very nasty SQL – originally thinking that it was displaying a run-time problem due to the extreme number of copies of the lnnvl() function the optimizer had produced. In fact it turned out to be a parse-time problem rather than a run-time problem, but when I first read Dominic’s note I was sufficiently surprised that I decided to try modelling the query.
Unfortunately the query had more than 1,000 predicates (OR’ed together), and some of them included in-lists. Clearly, writing this up by hand wasn’t going to be a good idea, so I wrote a script to generate both the data and the query, as follows – first a table to query:
create table t1
as
with generator as (
        select  --+ materialize
                rownum id
        from    dual
        connect by
                level <= 1e4
)
select
        rownum                  id1,
        rownum                  id2,
        rownum                  id,
        lpad(rownum,10)         v1,
        rpad('x',100)           padding
from
        generator       v1,
        generator       v2
where
        rownum <= 1e5
;

create index t1_i1 on t1(id1, id2);

begin
        dbms_stats.gather_table_stats(
                ownname    => user,
                tabname    => 'T1',
                method_opt => 'for all columns size 1'
        );
end;
/
Then a piece of code to write a nasty query:
set pagesize 0
set feedback off
set termout off

spool temp1.sql

prompt select * from t1 where 1 = 2

select
        'or (id1 = ' || rownum || ' and id2 = ' || (rownum + 1) || ')'
from
        t1
where
        rownum <= 750
union all
select
        'or ( id1 = ' || (rownum + 1000) || ' and id2 in (' || rownum || ',' || (rownum+1) || '))'
from
        t1
where
        rownum <= 250
;

prompt /

spool off
Here’s an example of the text generated by the code – with the parameters set to 5 and 3 respectively (and notice how I’ve rigged the query so that it doesn’t return any data, whatever the optimizer thinks):
select * from t1 where 1 = 2
or (id1 = 1 and id2 = 2)
or (id1 = 2 and id2 = 3)
or (id1 = 3 and id2 = 4)
or (id1 = 4 and id2 = 5)
or (id1 = 5 and id2 = 6)
or ( id1 = 1001 and id2 in (1,2))
or ( id1 = 1002 and id2 in (2,3))
or ( id1 = 1003 and id2 in (3,4))
/
So here’s the plan from the above query:
---------------------------------------------------------------------------------------
| Id  | Operation                     | Name  | Rows  | Bytes | Cost (%CPU)| Time     |
---------------------------------------------------------------------------------------
|   0 | SELECT STATEMENT              |       |     8 |  1008 |    16   (0)| 00:00:01 |
|   1 |  CONCATENATION                |       |       |       |            |          |
|   2 |   TABLE ACCESS BY INDEX ROWID | T1    |     1 |   126 |     3   (0)| 00:00:01 |
|*  3 |    INDEX RANGE SCAN           | T1_I1 |     1 |       |     2   (0)| 00:00:01 |
|   4 |   TABLE ACCESS BY INDEX ROWID | T1    |     1 |   126 |     3   (0)| 00:00:01 |
|*  5 |    INDEX RANGE SCAN           | T1_I1 |     1 |       |     2   (0)| 00:00:01 |
|   6 |   TABLE ACCESS BY INDEX ROWID | T1    |     1 |   126 |     3   (0)| 00:00:01 |
|*  7 |    INDEX RANGE SCAN           | T1_I1 |     1 |       |     2   (0)| 00:00:01 |
|   8 |   INLIST ITERATOR             |       |       |       |            |          |
|   9 |    TABLE ACCESS BY INDEX ROWID| T1    |     5 |   630 |     7   (0)| 00:00:01 |
|* 10 |     INDEX RANGE SCAN          | T1_I1 |     5 |       |     6   (0)| 00:00:01 |
---------------------------------------------------------------------------------------

Predicate Information (identified by operation id):
---------------------------------------------------

   3 - access("ID1"=1003)
       filter("ID2"=3 OR "ID2"=4)
   5 - access("ID1"=1002)
       filter((LNNVL("ID1"=1003) OR LNNVL("ID2"=3) AND LNNVL("ID2"=4)) AND
              ("ID2"=2 OR "ID2"=3))
   7 - access("ID1"=1001)
       filter((LNNVL("ID1"=1002) OR LNNVL("ID2"=2) AND LNNVL("ID2"=3)) AND
              (LNNVL("ID1"=1003) OR LNNVL("ID2"=3) AND LNNVL("ID2"=4)) AND ("ID2"=1 OR
              "ID2"=2))
  10 - access(("ID1"=1 AND "ID2"=2 OR "ID1"=2 AND "ID2"=3 OR "ID1"=3 AND
              "ID2"=4 OR "ID1"=4 AND "ID2"=5 OR "ID1"=5 AND "ID2"=6))
       filter((LNNVL("ID1"=1001) OR LNNVL("ID2"=1) AND LNNVL("ID2"=2)) AND
              (LNNVL("ID1"=1002) OR LNNVL("ID2"=2) AND LNNVL("ID2"=3)) AND
              (LNNVL("ID1"=1003) OR LNNVL("ID2"=3) AND LNNVL("ID2"=4)))
As you can see, the first five predicates end up in line 10 of the plan with 10 repetitions (5 * 2) of the lnnvl() function. The last three predicates show up in lines 3, 5, and 7 – and on each line we see two more lnnvl() calls than on the previous – just imagine, then, how many lnnvl() calls the optimizer will have added to the query plan by the time we have 750 occurrences in the inlist iterator (line 8) and 250 occurrences of the slightly complex predicate. Here are the relevant CPU stats (from v$session_stats) from running the generated script on 11.1.0.7, on Windows 32-bit, 2.8GHz CPU:
Name                                Value
----                                -----
recursive cpu usage                 1,848
CPU used when call started          1,854
CPU used by this session            1,854
DB time                             1,870
parse time cpu                      1,847
parse time elapsed                  1,862
Clearly the parse time is extreme – though not as dramatic as in Dominic’s example; but having set up the first draft of the sample code it’s easy enough to change the number of occurrences of each type of predicate, and it’s pretty easy to make longer in-lists in the more complex of the two types of predicate. It’s not too difficult to get an execution plan that mimics Dominic’s in length and time to parse.
It’s not just the parse times that are interesting when you start doing this, by the way – it’s worth playing around to see what happens. It’s probably best to run the query to pull the plans from memory if you want to see the plans, though – if you try using “explain plan” then you start using memory in the SGA for some of the work: in one of my examples I had to abort the instance after a few minutes.
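The lnnvl() growth described in this post can be modelled outside the database. The Python sketch below is an added example, not part of the original post: it rebuilds the generated query text for any pair of predicate counts and counts the lnnvl() calls per CONCATENATION branch, assuming the pattern visible in the 5-and-3 plan carries on at larger sizes. The function names and the inlist_len parameter are assumptions introduced here.

```python
# Added example: model of the generated query and its LNNVL() growth.
# Function names and the inlist_len parameter are assumptions, not from the post.


def build_query(n_simple, n_inlist, inlist_len=2):
    """Return the lines that the SQL*Plus generator on the page would spool.

    n_simple   -- predicates of the form (id1 = r and id2 = r + 1)
    n_inlist   -- predicates of the form (id1 = r + 1000 and id2 in (...))
    inlist_len -- values per in-list; 2 reproduces the page's generator
    """
    lines = ["select * from t1 where 1 = 2"]
    for r in range(1, n_simple + 1):
        lines.append(f"or (id1 = {r} and id2 = {r + 1})")
    for r in range(1, n_inlist + 1):
        values = ",".join(str(r + k) for k in range(inlist_len))
        lines.append(f"or ( id1 = {r + 1000} and id2 in ({values}))")
    return lines


def lnnvl_per_branch(n_inlist, inlist_len=2):
    """LNNVL() calls in each CONCATENATION branch, top of the plan first.

    Assumption taken from the 5-and-3 plan: every in-list predicate gets its
    own branch, all simple predicates share the final INLIST ITERATOR branch,
    and each branch excludes the rows of every branch above it at a cost of
    one LNNVL() for id1 plus one per in-list value.
    """
    per_exclusion = 1 + inlist_len
    return [k * per_exclusion for k in range(n_inlist + 1)]


def total_lnnvl(n_inlist, inlist_len=2):
    """Total LNNVL() calls in the plan under the same assumption."""
    return sum(lnnvl_per_branch(n_inlist, inlist_len))


if __name__ == "__main__":
    # The page's small case: matches plan lines 3, 5, 7 and 10.
    print(lnnvl_per_branch(3))
    # The full-size case from the generator script (750 and 250).
    print(len(build_query(750, 250)), "lines of SQL")
    print(total_lnnvl(250), "LNNVL() calls")
    # Longer in-lists, as the post suggests trying.
    for length in (2, 5, 10):
        print(length, total_lnnvl(250, length))
```

Under this model the count grows with the square of the number of in-list predicates and does not depend on the number of simple ones.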
ISS
I’d like to dedicate this posting to fellow Oak Table member Richard Foote, for reasons that the readers we have in common will immediately recognise: http://www.youtube.com/watch?v=KaOC9danxNo
The singer is Canadian astronaut Commander Chris Hadfield who has been tweeting and posting pictures from space – be careful, you may get hooked: https://twitter.com/Cmdr_Hadfield/status/332819772989378560/photo/1
Update: When I posted the link to the video it had received 1.5M views; less than 24 hours later it’s up to roughly 7M. (And they weren’t all Richard Foote). Clearly the images have caught the imagination of a lot of people. If you have looked at the twitter stream it’s equally inspiring – and not just for the pictures.
Submit Oracle Excellence Award Nominations Now!
With Oracle OpenWorld 2013 in San Francisco on the horizon you may have already seen some mention of the Oracle Excellence Awards. But do you know what these awards are all about?
The Oracle Excellence Awards recognize the achievements of members of the Oracle community in eleven award categories across the spectrum of roles involved in making things happen in enterprise IT. Several categories will be of particular interest to Oracle Technology Network members. These include:
Data Warehouse Leader of the Year
Database Administrator of the Year
Oracle Fusion Middleware Innovation
This category recognizes accomplishments in the following sub-categories:
- Oracle Exalogic Elastic Cloud
- Oracle Cloud Application Foundation
- Oracle Service-Oriented Architecture & Business Process Management
- Oracle WebCenter
- Oracle Identity Management
- Oracle Data Integration
- Oracle Application Development Framework and Fusion Development
- Business Analytics (Oracle BI, Oracle EPM, and Oracle Exalytics)
Oracle Magazine Technologist of the Year
Recognizes individual accomplishment in the following categories:
- Big Data Architect
- Cloud Architect
- Database Developer
- Enterprise Architect
- Mobile Architect
- Social Architect
Winners in each category in the Oracle Excellence Awards get complimentary passes to Oracle OpenWorld 2013 in San Francisco, along with other benefits. This is a big deal!
Nominations for the categories listed above close June 21, 2013. So if you or someone you know is worthy of this recognition, what are you waiting for?
Click the links above for more information.
Agenda and Details for the Atlanta RM BI Forum 2013
Well, Brighton is now a wrap and we’re all now over in Atlanta, getting ready for the second leg of the 2013 Rittman Mead BI Forum, running from this Wednesday, 15th May 2013 through to Friday, 17th May. Photos from the Brighton event are up on Flickr now, but for anyone who’s coming down to the Georgia Tech Hotel & Conference Center for later this week, this posting contains the detailed agenda for the event, along with a preview of what’s coming in terms of social events, guest speakers and the masterclass.

Wednesday starts with the optional one-day masterclass, this year on Oracle Data Integration and led by myself, Stewart Bryson and Michael Rainey. I previewed the data integration masterclass previously on the blog, and the planned timetable for the masterclass looks like this:
Day 1 : Optional Oracle Data Integration Masterclass, followed by Registration, Drinks and Keynote/Meal
10.00 – 11.00 : Welcome, and Introduction to Oracle Data Integrator 11g (Stewart Bryson)
11.00 – 11.15 : Morning Coffee
11.15 – 11.45 : ODI and the Oracle Reference Architecture for Information Management (Stewart Bryson)
11.45 – 12.45 : ODI and GoldenGate – A Perfect Match… (Michael Rainey)
12.45 – 13.30 : Lunch
13.30 – 14.30 : ODI and Hadoop, MapReduce and Big Data Sources (Mark Rittman)
14.30 – 15.30 : The Three R’s of ODI Fault Tolerance : Resuming, Restarting and Restoring (Stewart Bryson)
15.30 – 16.30 : Scripting and Automating ODI using Groovy and the ODI SDK (Michael Rainey)
The event itself officially opens at 4pm on Wednesday, May 15th 2013 with registration taking place then, and a drinks reception in the hotel bar from 5pm to 6pm. At 6pm we have the Oracle keynote led by Jack Berkowitz and Philippe Lions, and then an informal meal in the hotel restaurant from 7pm – 10pm.

The main conference then opens at 8am on the Thursday morning, with registration open from 8am – 8.45am, opening remarks from myself at 8.45am and the first session starting at 9am. Here’s the timetable as planned for Thursday:
Day 2 : Main Conference Sessions, Guest Speaker and Gala Meal
8.45am – 9.00am : Opening Remarks Mark Rittman, Rittman Mead
9.00am – 10.00am : Rene Kuipers, VX Company, “It’s all in the genes – The power of Oracle Exadata and the Oracle Database”
10.00am – 10.30am : Morning coffee
10.30am – 11.30am : Jack Berkowitz, Oracle : “OBI Presentation, Interaction and Mobility”
11.30am – 12.30am : Venkatakrishnan J, Rittman Mead, “In Memory Analytics – Times Ten, Essbase 11.1.2.2 – Analysis – A Comparison”
12.30pm – 1.15pm : Lunch
1.15pm – 1.30pm : TED Session 1 : Kevin McGinley – “OBIEE and OEID: What if…?”
1.30pm – 1.45pm : TED Session 2 : Jon Mead, Rittman Mead, “Why I want to be working with Business Intelligence in 5 years time”
1.45pm – 2.00pm : TED Session 3 : Jeremy Harms – “A BI Publisher Beginner’s MacGyver-Hack for Financial Reporting with OBIEE: A Quickie!”
2.15pm – 3.15pm : Alan Lee, Oracle, “Update on BI Metadata Architecture and Design Tool”
3.15pm – 3.45pm : Afternoon coffee and beers
3.45pm – 4.45pm : Jeff McQuigg, KPI Partners Inc, “Performance Tuning the BI Apps with a Performance Layer”
After the first day’s presentations we’ll take a short break, and then convene again back in the conference room at 5pm for our special guest speaker session, this year being provided by Method R’s Cary Millsap, who many of you will know from his Optimizing Oracle Performance book and his “response time” approach to performance tuning. Just after Cary’s session at around 6.30pm we’ll then be taken by coach to “4th and Swift”, the venue for the gala meal, where we’ll be from around 7pm through to around 10pm.
5.00pm – 6.00pm : Guest Keynote: Cary Millsap– “Thinking Clearly about Performance”
6.30pm – 7.00pm : Depart for Restaurant
7.00pm – 10.00pm : Gala Meal – 4th and Swift, Atlanta
Day 3 : Main Conference Sessions, and Close
The final day of the BI Forum is all about big data, and the BI Apps, with a special session from Pythian’s Alex Gorbachev on Hadoop and Oracle Data Warehousing, sessions by Oracle on Big Data and OBIEE, a big data debate, and an extended session by Oracle’s Florian Schouten and Accenture’s Kevin McGinley on the BI Apps 11.1.1.7.1.
We also have sessions on Endeca, OBIEE time-series analysis and extending OBIEE using plug-ins, so hopefully everyone will be able to stay until 5pm when the event will close.
8.30am – 9.30am : Tim Vlamis, Vlamis Software Solutions Inc, “Forecasting and Time Series Analysis in Oracle BI”
9.30am – 10.30am : Special Guest: Alex Gorbachev, Pythian – “Hadoop versus the Relational Data Warehouse.”
10.30am – 11.00am : Morning Coffee
11.00am – 12.00pm : Christian Screen, Capgemini, “How to Create a Plug-In for Oracle BI 11g”
12.00pm – 1pm : Marty Gubar and Alan Lee – OBIEE and Hadoop/Big Data
1.00pm – 1.45pm : Lunch
1.45pm – 2.45pm : Debate – “Big Data – Hype, or the Future of Oracle BI/DW?”
2.45pm – 4.15pm : Florian Schouten (Oracle) and Kevin McGinley (Accenture) – Oracle BI Apps 11g and ODI
4.15pm – 5.00pm : Adam Seed, Rittman Mead – “Endeca – Looking beyond the general demos”
You’ll notice we’ve brought back the popular “debate” section this year, with this year’s topic being “Big Data – Hype, or the Future of BI/DW?”. I’ll be looking for volunteers to argue the case for either of the two sides in the debate, so if you’ve got a view on whether big data is going to be the salvation of BI, whether it’ll turn us into the COBOL programmers of the future, or whether it’s just a load of hot air (or you just like having an argument), let me know when you arrive and we’ll pull the debating teams together.
Other than that – have a safe journey over, and see at least some of you in Atlanta later in the week!
Fishbowl Solutions featured on Oracle Blog for WebCenter Partners Week
Fishbowl Solutions was recently featured on Oracle’s Blog during WebCenter Partners Week, showcasing our mobile application for iPhone/Android – FishbowlToGo. Mobility product manager, Kim Negaard authored a post detailing how our newest mobility venture helps WebCenter customers get the most from their investment.
Access Oracle WebCenter Content on your iPhone or Android with FishbowlToGo
Fishbowl Solutions has been working with Oracle WebCenter customers since 2010 to extend WebCenter Content to mobile devices. We started working with mobile sales force enablement and have since extended our offerings to meet expanding customer needs. We are excited to announce the release of our newest mobile app, FishbowlToGo.
Read the whole blog post here: http://bit.ly/ZHLDxX
The post Fishbowl Solutions featured on Oracle Blog for WebCenter Partners Week appeared first on C4 Blog by Fishbowl Solutions.
Small businesses catching on to cloud benefits for growth
According to recent research, cloud deployments continue to rise as enterprises finally grasp how these technologies can offer efficiency, agility and a leaner business model. As more companies embrace the cloud, however, realizing these benefits may depend on support from a third-party, such as dba services, for effective implementation.
SmallBusiness reported that, in fact, 70 percent of small and medium-sized enterprises (SMEs) in a Fasthosts study said that cloud adoption will be a critical factor for growth over the next 12 months. Simon Yeoman, general manager of Fasthosts, commented on the implications of the study's findings.
"Many large enterprises have firmly established their cloud strategies but SMEs have up until now found the concept of cloud quite alien and therefore haven't integrated it into business operations," he said, according to the news source. "The results of this survey demonstrate that SMEs are starting to think seriously about the cloud and that they are taking important steps to use it to their business advantage."
When asked which aspect of business these companies felt the cloud would be most helpful in, 38 percent cited flexibility and scalability.
Agile adaption
A major reason that more firms have turned to a cloud model is that software-as-a-service (SaaS) has enabled companies of all sizes and budgets to quickly integrate the latest technologies at an affordable rate. Business 2 Community contributor Sara Harold revealed that for many SMEs, SaaS has transformed the IT infrastructure, offering dramatic savings as well as more powerful computing. Harold noted that these factors allow firms to experiment with new IT concepts and tools and adapt to a rapidly changing business environment.
Another key driver of cloud initiatives is the transition from capital expenditures to only paying for operating costs. Harold explained that SaaS and the cloud offer low subscription-based payment models, so there are no technological obstacles or need for hefty investments in hardware, maintenance and upgrades. As an example, she pointed out that ten years ago enterprises had to buy multiple copies of virus protection software and constantly invest in new solutions as technologies became more advanced. However, now businesses can purchase a single-user license and scale this software up in the cloud as the business expands, addressing new risks and needs.
One of the most important aspects of the cloud is that it is easier and more cost-effective to adjust the technology based on actual company demands, which allows for smarter investments and budgeting as well as boosts the bottom line.
RDX offers a full suite of cloud migration and administrative services that can be tailored to meet any customer's needs. To learn more about our full suite of cloud migration and support services, please visit our Cloud DBA Service page or contact us.
The Importance of an Action Plan
When I started my work in IT, I used to be in a very small shop, and even though we had people in several places in the same state, everything used to be very centralized and from 9 to 5. Because we were basically only 2 people, our action plan used to be a talk over the lunch table and that would be it; we would go ahead and execute it after 5 PM, and I won’t lie, sometimes before 5 :) .
Over the years I have understood that even if you are a 2 guy shop or a team of 15 separated by oceans and being miles apart, communication is the most important thing to have on your team, and one of the means of communication is having an action plan in place for any major/medium change you do in your organization. First this will generate discussions amongst your teammates and it will reduce the possibility of errors when you are faced with time and pressure constraints when implementing it.
This might sometimes feel like a mundane and boring task, as it will take an effort to come up with it and it will take time to verify it, but when game day comes along you will see the great benefit of having an action plan.
Another great benefit of having an action plan is that you also have a road map if you need to roll back your change, and that is also critical, because normally any major change or rollback is not done by only one person. Take for example a change that takes about 7 or 8 hours to be done, and at the end, when the UAT (User Application Testing) is done, 1 or 2 more hours, the application team decides that a rollback is needed. You are probably not in a good state of mind to do the rollback after 8 hours of continuous work. If you have an action plan, one of your teammates can step in and you can have a rest, even if it is to go to the kitchen and have a sandwich and a coke and forget about that pressure for 10 minutes.
As with life and with us being human, having an action plan doesn’t mean that everything will go smoothly or that you won’t have an error in there, but believe me, it will greatly reduce the possibility of an error compared with executing the change from memory or writing a plan yourself without revision.
I do hope that you already have an action plan as part of your major/medium changes, but if you don’t, it is time to get FIT-ACER, here is an example of one (Kudos to Cesar Sanchez as it is his Action Plan Template), use it and modify it to your needs, it is a good start.





