Feed aggregator

Put Up or Shut Up

Mary Ann Davidson - Fri, 2012-08-17 15:10

One of the (usually) unfortunate concomitants of being a veteran in the cybersecurity space (“veteran” as in, I can remember when everyone called it “information security”) is that you get to hear the same themes over and over again (and solve the same security problems over and over again, only with different protocols).* Not to mention, you experience many technical revival meetings, which is industry’s way of promoting the same old same old under new exhortations (“Praise the Lord! I found eternal life with <insert sexy technology cult du jour>!”)

One of the topics that I am tired of talking about and would like us collectively to do something about is (drum roll) information sharing. Now, information sharing is not a cure-all for every ill in cybersecurity. It is a means to an end, not an end in itself. Specifically, information sharing is a means to enhance situational awareness, which in turn helps networked entities defend themselves better (“Excuse me, I see a mugger is about to swipe your purse. You might want to hit him with it or switch it to your other shoulder.”)

As a basic enabler of better defense, information sharing is certainly a no-brainer, and yet it largely doesn’t happen, or doesn’t happen enough, at least among the good guys. The bad guys, of course, are really good at information sharing. Techniques, tools, top ten lists of badly secured web sites – bring it on, woo hoo. The hacker toolkits are so good now that even someone as technically challenged as I am could probably become a competent Internet evildoer (not that I have any plans to do so). And yet industry and government have spent more time writing tomes, doing PPTs and drafting policy papers that use the magic words “public-private partnership” than making actual – make that “almost any” – progress. Sharing policy papers, I hasten to add, is not the kind of information sharing that solves actual problems. So here it is, all y’all: time to put up or shut up on information sharing.

I say this in my experience as a member of the IT industry Information Sharing and Analysis Center (IT-ISAC) (OK, I am the current president, but I am not speaking for the IT-ISAC) and as a security weenie at Oracle. I can state pretty categorically that I have been astonished – and depressed – at what currently passes for information sharing, despite years of gum flapping about it. The government agencies that are tasked with it generally don’t do it, for example. I find it ironic that the same entities that can’t or won’t tell you you are being broken into – or are about to be – think in some cases that the better solution is for them to just take over protection of your company’s networks after you’ve been broken into. Huh?

More to the point, surprisingly, and delightedly, other agencies that are not tasked with information sharing (e.g., an entity I cannot name by name but that is not part of the Department of Homeland Security (DHS)) recently went to great lengths to contact the IT-ISAC and bring “interesting information” to the attention of the IT-ISAC because they’d seen suspicious activity related to some member companies. Bravo Zulu to you, Unnamed Government Entity. It was not your mission to share that information, but you made an effort and did it, anyway. I wish you'd make a hostile takeover attempt on the entity that is supposed to share information and doesn’t, probably because their lawyers are still mulling it over. If I sound harsh, consider that I have spent 10 years having the exact same conversations over and over and over and nothing seems to change except the people you are having the conversations with. To quote Yoda, “Do or do not. There is no try.”

Other government agencies may call you but you get mysterious intimations and in some cases nothing actionable. I certainly understand that a recipient doesn’t – and probably shouldn’t – receive information about how the reporter got the information (e.g., sources and methods). I know I don’t have a “need to know.” But the information has to be actionable or it’s useless. For example (and I know they meant well), I once got a phone call from Agency X who said, “we have a credible threat that an entity in Country Y (and We All Know Who That Is) is interested in stealing (only they used a more bureaucratic term) the source code for Oracle Product Foo.” Gosh, really? The only news there would be if that country were not out to rip off…er…steal…er…conduct industrial espionage…er…enhance their native manufacturing capacity by ‘active acquisition’… of someone else’s core intellectual property. The next statement was even less helpful: “The details about the threat are classified.” On the one hand, glad Agency X called. Points for trying. On the other hand, the warning was so vague it was not actionable and it certainly didn’t tell me anything I didn’t already know. I wish they’d saved the 35 cents that the call cost and used it to reduce our national debt.

So, the agencies that should share information don’t share much if anything and ones that do in some cases don’t give you information in enough detail such that you can do anything with it. And other good agencies do the right thing although they aren’t tasked with it. It’s not a great report card for the government (more on industry below, lest anyone think I am being one-sided in my criticism). Note that there are people across the political spectrum (and better security really should be an ecumenical issue) who, to their credit, have tried to pass legislation that would help provide “better information sharing” as one of several things we could do to help improve cybersecurity. “Better information sharing” seems a mom-and-secure-apple-pie proposition if ever there was one. Except that a bill that proposed that – and various other iterations of bills – did not pass and for now Congress has gone on vacation like so many of us do in August. There are many reasons why there hasn’t been a consensus cyber bill passed – and I’m not going to go into all that **– but for Pete’s sake, improving government information sharing with industry and vice versa really should be something everyone agrees on.

Another reason that even “kumbaya information sharing 101” couldn’t get a consensus was because of Privacy Concerns. You do wonder about people who are really happy telling intimate details of their lives on Facebook but don’t think the government should be able to receive information about anybody’s attempts to hack critical infrastructure. (Because that’s what we are talking about, not “sending information about the amount of time you spent visiting cutepuppiesandbunniesandduckies.com to the National Security Agency,” which, I am pretty sure, is truly not interested in that information – they have bigger evil fish to fry – and doesn’t view your bunny obsession as a national security threat.)

This is a good time to say that the type of information sharing I am talking about is the voluntary kind (though “highly encouraged” information sharing pursuant to a court order is also good – I’m nothing if not law-abiding). I have zero interest in handing over everything, including the digital kitchen sink, because someone decides they should get everything you have and only then figure out what they actually need. “Need to know” goes for the government, too.

Ergo, at a macro level, I’m glad there are people who are concerned and involved as regards digital privacy. But at the same time, I am frustrated because any time there is even a common sense proposal (legislative or otherwise) about information sharing, privacy hawks seem to come out of the woodwork and Express Grave Concern that either national security or homeland security agencies might actually get useful information from industry to enable them to do their national or homeland security jobs better. Or, God forbid, that industries under non-stop attack from bad guys (including hostile nation states intent on ripping us all off) might actually receive useful and actionable intelligence to help them close open digital doors and windows and keep vermin out. Wouldn’t that be awful?

Because I like analogies, I’d like to offer some perspectives from the real (non-cyber) world that will, at least, illustrate why I am so frustrated and want us to stop talking and start doing. I’d observe that in the physical world, we really don’t seem to have these Concerned Discussions,*** mostly because people understand that we live in communities and that we have a collective interest in making sure we have a secure commons. (Duh, it’s exactly the same issue in the digital world.) Here we go:

Scenario 1: I see a couple walking their dog on the street. They walk by my house and my neighbor’s house. The dog is a Labradope that barks incessantly and the owners don’t clean up after him. ****

Result: I might not like the fact the dog doo-dooed on the arctic willows I painstakingly planted, but this is not a national emergency and it’s not suspicious activity. I’ll clean up after the dog and be done with it. I’m not calling the Wood River Animal Shelter Dog Doo Hotline or the Ketchum Police Department Canine Crap Cop.

Scenario 2: I see someone attempting to enter a window in my neighbor’s house, at 7PM, when my neighbor has gone to the Sun Valley Symphony (they are playing Mahler, whom I don’t care for, which is why I am home instead of at the symphony).

Result: I’m calling the police. I’m also going to give the police as much information as I can about the person doing the B and E (breaking and entering) – what he looks like, how old, how he is dressed, etc. What I am not going to do is think, “Wait, I can’t provide a description of the breaker-inner because gosh, that might violate the perp’s right to privacy and bad taste in clothes. The police showing up when the criminal is doing a breaking and entering job is creating a hostile work environment for him, too.” If you are breaking into someone’s home, you do not have a right to privacy while doing it. Even realizing that there might be false positives (it’s the neighbor's kid, he locked himself out and is breaking into his own house), most of us would rather err on the side of caution and call the cops. We aren’t telling everyone on the planet about “attempted break-in on Alpine Lane,” but we are providing targeted information about a malefactor to the group (Ketchum Police Department) that can do something about it.

In short, if I am a decent neighbor, I should do what I can to protect my neighbor’s house. And as long as I am on the subject, if every house in the neighborhood has been broken into, I would like to know that before someone tries to break into my house. It would be nice if the police told me if there is a rash of B and Es in my neighborhood. (Given it’s a small town in Idaho and we have a really good police department, I’m pretty sure they will tell me.)*****

This is what information sharing is, folks. It’s not telling everybody everything whether or not it is interesting or useful. The above examples all have “cyber equivalents” in terms of the difference between sharing “all information” and “sharing interesting information” – which is exactly what we are talking about when we speak of information sharing. There isn’t a neighbor in the world that is busy taping everyone walking dogs by their house (and don’t forget those close-ups of the Labrador committing indiscretions on your plants). Nobody cares about your incontinent Labrador. You share information that is targeted, of value, of interest and where possible, actionable. That’s true in the physical world and in the cyber world.

I’ve been doing a bit of government bashing regarding “failure of government agencies to share information.” It is only fair that I also do some industry bashing, because information sharing is something some sectors do a lot better than others, yet it is something everyone could and should benefit from. Not to mention, I am mindful of the Biblical wisdom of “Physician, heal thyself” (Luke 4:23).

While the government can add value in information sharing, it is not their job to defend private networks, especially when the private sector – merely by virtue of the fact that they have more digital real estate – gets to see more and thus potentially has more information to share with their neighbors. Not to mention, industry cannot have it both ways. There is a lot of legitimate concern about regulation of cyberspace, mostly because so much regulation has unintended, expensive and often unfortunate consequences. This is all the more reason to Be A Good Cyber Citizen instead of waiting for the government to be the source of all truth or to tell you How To Be A Good Cyber Citizen. Industry participation in information sharing forums is a demonstration of voluntary sector cybersecurity risk management without the force of regulation. As I said earlier, “put up or shut up,” which goes just as much if not more for industry as for government.

While ISACs are not the only information sharing vehicles that exist, they were set up specifically for that purpose (in response to Presidential Decision Directive 63, way back in 1998). It’s a fair cop that some of the ISACs have done better at performing their mission than others. Not all ISACs are equal or even have the same mission. Still, each ISAC has its own examples of success and it is often difficult for those not participating in specific ISACs to see the value they deliver to members (to protect member information that is shared, most ISACs have non-disclosure agreements that prevent information from being shared outside the ISAC membership).

I’d specifically note that the multi-state ISAC and the financial services ISAC both seem to operate very well. There are, I think, many reasons for their success. First of all, the multi-state ISAC and the financial services ISAC have more homogeneity, for lack of a better word. A state is a state is a state – it’s not also a planet. (Except California and Texas, which often seem like Mars to the rest of the country. Bless their lil’ ol’ hearts.) This makes it easier to recognize the obvious benefit of cooperation. To quote Ben Franklin: "We must, indeed, all hang together, or most assuredly we shall all hang separately.” The financial services sector gets this really well: any perceived threat to an individual financial services company is likely to affect all of them, either because of the perception problem that a successful hack creates (“online banking is insecure!”) or because criminals like to repeat successes (to quote Willy Sutton when asked why he robbed banks, “that’s where the money is”). You can’t imagine a bad guy saying, “I’m only going to hack Bank of Foobaria because I don’t like that bank, but Bank of Whateversville is a really nice bank – they hand out dog biscuits – so I am not going to hack them.”

I think leadership is also a factor. I don’t know the originators and past presidents of the Financial Services ISAC, but Bill Nelson has done a tremendous job as the current President of the Financial Services ISAC. I also know Will Pelgrin at the multi-state ISAC and he is a very good, very skilled leader, indeed, and a generous colleague, to boot. Will has been gracious with his time and expertise to me personally in my role as the IT-ISAC president, and I am grateful for it.

While the IT-ISAC has a long list of accomplishments that it is justifiably proud of, the IT-ISAC also faces unique challenges. One of them is the nature of the ISAC and its constituency. The IT industry is less homogeneous than other sectors, including both “soup to nuts” stack vendors as well as security solution vendors that make a business out of sharing threat information. Being a die-hard capitalist, I don’t expect these companies to give away their secret sauce, plus French fries and a hot apple pie to avoid Ben Franklin’s collective hanging. While I think the diversity of the IT sector, the variance in business practices and the “not giving away the store” issues are real challenges to the IT-ISAC, they also provide real benefits. The IT-ISAC provides a forum for bringing together subject matter experts from diverse companies to engage on and discuss common security threats. The IT-ISAC is also moving from an organization focused on vendor vulnerabilities to one that assists members in understanding the rapidly-changing threat environment. For example, we have established a group within the IT-ISAC membership that has agreed to share threat indicator information with each other.

As President of the IT-ISAC, I am committed to doing what I can to try to expand membership, to find common ground (e.g., threat information that even security vendors feel comfortable sharing that benefits everyone, without expecting them to share secret sauce recipes), and finding ways to work with our counterparts in the public sector. I am not the first, and won’t be the last, IT-ISAC president, and I am blessed with an extremely capable executive director and with the generosity of colleagues on the Board. As I learned in my Navy days, I must do my best to steer a steady course to favorable shores.

Lastly, I think the biggest hurdle we in industry collectively need to get over is the trust issue. We seem to be more fearful of other companies than we are of being hacked by bad guys. (“If I share this information, will a competitor use it against me?”) Trust has to be earned, but it can be garnered by outreach and by making an effort to start somewhere. I think of a fine gentleman and public servant who has recently retired from NSA, Tony Sager. Tony was a public face of NSA in terms of working with industry in the information assurance directorate (IAD). He and his team did a lot of outreach: here’s who we are, here’s what we do, let’s talk. Tony did a lot of listening, too. I have said often that if I had a problem in a particular area, I’d not hesitate to call Tony and his team. They had the creds, they had the smarts, and they had earned – yes, earned – my trust. We in industry, who see most of the threats, who are so often the direct victims of them, should take a cue from Tony. Use our “creds” and our intelligence (of all types) to improve the commons. We can start by sharing useful, actionable, valuable information that will help all of us be more secure. It is often said the bad guys are a step ahead of the defenders. This is true with information sharing as well: the bad guys play nicely with other bad guys – so why can’t we good guys get along?

If you are sitting on the sidelines, it is time to get involved and engaged. Instead of sitting on the outside complaining that there is no effective way to share information, join an information sharing organization (I’m partial to ISACs), get involved in it, and help shape and move the organization so that it meets your needs. Just get on with it, already!

* The fact that technology changes but stupidity repeats endlessly is job security for security weenies. Rule number 1 of information security is “never trust any unverified data from a client.” Rule 2 is “see rule 1.” Most security defects stem from failure to heed rule 1 – and we keep doing it every time we introduce new clients or new protocols. The excuse for lazy-ass servers or middle tiers is always, “Gosh, it’s just so much easier to accept any old thing the client hands you because it is computationally intensive to verify it. And nobody would send evil data to a middle tier, would they?” Right. Just like, think of all the cycles we’d save if we didn’t verify passwords. I’m sure if a client says he is John Doe, he IS John Doe! (Good luck with that.)

** Ok, I lied. One of the reasons various bills failed is because the bill drafters wanted “better security to protect critical infrastructure” but could not actually define “critical infrastructure.” If “it” is important enough to legislate, “it” should be clearly defined in the language of the bill, instead of subject to interpretation (and vast scope increase ex post facto). Just my opinion.

*** With the prospect of increased drone use in our domestic environs, we are going to have a lot more privacy discussions. What I barbecue in my backyard is none of anyone else’s goldurn business.

**** Ok, I know a lot of people love Labs. Apologies to anybody I offended.

***** Since I live a couple of blocks from the police, it’s pretty darn stupid of anybody to try to break into any house in the neighborhood.



Ergo, at a macro level, I’m glad there are people who are concerned and involved as regards digital privacy. But at the same time, I am frustrated because any time there is even a common sense proposal (legislative or otherwise) about information sharing, privacy hawks seem to come out of the woodwork and Express Grave Concern that either national security or homeland security agencies might actually get useful information from industry to enable them to do their national or homeland security jobs better. Or, God forbid, that industries under non-stop attack from bad guys (including hostile nation states intent on ripping us all off) might actually receive useful and actionable intelligence to help them close open digital doors and windows and keep vermin out. Wouldn’t that be awful?


Because I like analogies, I’d like to offer some perspectives from the real (non-cyber) world that will, at least, illustrate why I am so frustrated and want us to stop talking and start doing. I’d observe that in the physical world, we really don’t seem to have these Concerned Discussions,*** mostly because people understand that we live in communities and that we have a collective interest in making sure we have a secure commons. (Duh, it’s exactly the same issue in the digital world.) Here we go:


Scenario 1: I see a couple walking their dog on the street. They walk by my house and my neighbor’s house. The dog is a Labradope that barks incessantly and the owners don’t clean up after him. ****


Result: I might not like the fact the dog doo-dooed on the arctic willows I painstakingly planted, but this is not a national emergency and it’s not suspicious activity. I’ll clean up after the dog and be done with it. I’m not calling the Wood River Animal Shelter Dog Doo Hotline or the Ketchum Police Department Canine Crap Cop.


Scenario 2: I see someone attempting to enter a window in my neighbor’s house, at 7PM, when my neighbor has gone to the Sun Valley Symphony (they are playing Mahler, whom I don’t care for, which is why I am home instead of at the symphony).


Result: I’m calling the police. I’m also going to give the police as much information as I can about the person doing the B and E (breaking and entering) – what he looks like, how old, how he is dressed, etc. What I am not going to do is think, “Wait, I can’t provide a description of the breaker-inner because gosh, that might violate the perp’s right to privacy and bad taste in clothes. The police showing up when the criminal is doing a breaking and entering job is creating a hostile work environment for him, too.” If you are breaking into someone’s home, you do not have a right to privacy while doing it. Even realizing that there might be false positives (it’s the neighbor's kid, he locked himself out and is breaking into his own house), most of us would rather err on the side of caution and call the cops. We aren’t telling everyone on the planet about “attempted break-in on Alpine Lane,” but we are providing targeted information about a malefactor to the group (Ketchum Police Department) that can do something about it.


In short, if I am a decent neighbor, I should do what I can to protect my neighbor’s house. And as long as I am on the subject, if every house in the neighborhood has been broken into, I would like to know that before someone tries to break into my house. It would be nice if the police told me if there is a rash of B and Es in my neighborhood. (Given it’s a small town in Idaho and we have a really good police department, I’m pretty sure they will tell me.)*****


This is what information sharing is, folks. It’s not telling everybody everything whether or not it is interesting or useful. The above examples all have “cyber equivalents” in terms of the difference between sharing “all information” and “sharing interesting information” – which is exactly what we are talking about when we speak of information sharing. There isn’t a neighbor in the world that is busy taping everyone walking dogs by their house (and don’t forget those close-ups of the Labrador committing indiscretions on your plants). Nobody cares about your incontinent Labrador. You share information that is targeted, of value, of interest and where possible, actionable. That’s true in the physical world and in the cyber world.


I’ve been doing a bit of government bashing regarding “failure of government agencies to share information.” It is only fair that I also do some industry bashing, because information sharing is something some sectors do a lot better than others, yet it is something everyone could and should benefit from. Not to mention, I am mindful of the Biblical wisdom of “Physician, heal thyself” (Luke 4:23).


While the government can add value in information sharing, it is not their job to defend private networks, especially when the private sector – merely by virtue of the fact that they have more digital real estate – gets to see more and thus potentially has more information to share with their neighbors. Not to mention, industry cannot have it both ways. There is a lot of legitimate concern about regulation of cyberspace, mostly because so much regulation has unintended, expensive and often unfortunate consequences. This is all the more reason to Be A Good Cyber Citizen instead of waiting for the government to be the source of all truth or to tell you How To Be A Good Cyber Citizen. Industry participation in information sharing forums is a demonstration of voluntary sector cybersecurity risk management without the force of regulation. As I said earlier, “put up or shut up,” which goes just as much if not more for industry as for government.


While ISACs are not the only information sharing vehicles that exist, they were set up specifically for that purpose (in response to Presidential Decision Directive 63, way back in 1998). It’s a fair cop that some of the ISACs have done better at performing their mission than others. Not all ISACs are equal or even have the same mission. Still, each ISAC has its own examples of success and it is often difficult for those not participating in specific ISACs to see the value they deliver to members (to protect member information that is shared, most ISACs have non-disclosure agreements that prevent information from being shared outside the ISAC membership).


I’d specifically note that the multi-state ISAC and the financial services ISAC both seem to operate very well. There are, I think, many reasons for their success. First of all, the multi-state ISAC and the financial services ISAC have more homogeneity, for lack of a better word. A state is a state is a state – it’s not also a planet. (Except California and Texas, which often seem like Mars to the rest of the country. Bless their lil’ ol’ hearts.) This makes it easier to recognize the obvious benefit of cooperation. To quote Ben Franklin: "We must, indeed, all hang together, or most assuredly we shall all hang separately.” The financial services sector gets this really well: any perceived threat to an individual financial services company is likely to affect all of them, either because of the perception problem that a successful hack creates (“online banking is insecure!”) or because criminals like to repeat successes (to quote Willy Sutton when asked why he robbed banks, “that’s where the money is”). You can’t imagine a bad guy saying, “I’m only going to hack Bank of Foobaria because I don’t like that bank, but Bank of Whateversville is a really nice bank – they hand out dog biscuits – so I am not going to hack them.”


I think leadership is also a factor. I don’t know the originators and past presidents of the Financial Services ISAC, but Bill Nelson has done a tremendous job as the current President of the Financial Services ISAC. I also know Will Pelgrin at the multi-state ISAC and he is a very good, very skilled leader, indeed, and a generous colleague, to boot. Will has been gracious with his time and expertise to me personally in my role as the IT-ISAC president, and I am grateful for it.


While the IT-ISAC has a long list of accomplishments that it is justifiably proud of, the IT-ISAC also faces unique challenges. One of them is the nature of the ISAC and its constituency. The IT industry is less homogeneous than other sectors, including both “soup to nuts” stack vendors as well as security solution vendors that make a business out of sharing threat information. Being a die-hard capitalist, I don’t expect these companies to give away their secret sauce, plus French fries and a hot apple pie to avoid Ben Franklin’s collective hanging. While I think the diversity of the IT sector, the variance in business practices and the “not giving away the store” issues are real challenges to the IT-ISAC, they also provide real benefits. The IT-ISAC provides a forum for bringing together subject matter experts from diverse companies to engage on and discuss common security threats. The IT-ISAC is also moving from an organization focused on vendor vulnerabilities to one that assists members in understanding the rapidly-changing threat environment. For example, we have established a group within the IT-ISAC membership that has agreed to share threat indicator information with each other.


As President of the IT-ISAC, I am committed to doing what I can to try to expand membership, to find common ground (e.g., threat information that even security vendors feel comfortable sharing that benefits everyone, without expecting them to share secret sauce recipes), and to find ways to work with our counterparts in the public sector. I am not the first, and won’t be the last, IT-ISAC president, and I am blessed with an extremely capable executive director and with the generosity of colleagues on the Board. As I learned in my Navy days, I must do my best to steer a steady course to favorable shores.


Lastly, I think the biggest hurdle we in industry collectively need to get over is the trust issue. We seem to be more fearful of other companies than we are of being hacked by bad guys. (“If I share this information, will a competitor use it against me?”) Trust has to be earned, but it can be garnered by outreach and by making an effort to start somewhere. I think of a fine gentleman and public servant who has recently retired from NSA, Tony Sager. Tony was a public face of NSA in terms of working with industry in the information assurance directorate (IAD). He and his team did a lot of outreach: here’s who we are, here’s what we do, let’s talk. Tony did a lot of listening, too. I have said often that if I had a problem in a particular area, I’d not hesitate to call Tony and his team. They had the creds, they had the smarts, and they had earned – yes, earned – my trust. We in industry, who see most of the threats, who are so often the direct victims of them, should take a cue from Tony. Use our “creds” and our intelligence (of all types) to improve the commons. We can start by sharing useful, actionable, valuable information that will help all of us be more secure. It is often said the bad guys are a step ahead of the defenders. This is true with information sharing as well: the bad guys play nicely with other bad guys – so why can’t we good guys get along?


If you are sitting on the sidelines, it is time to get involved and engaged. Instead of sitting on the outside complaining that there is no effective way to share information, join an information sharing organization (I’m partial to ISACs), get involved in it, and help shape and move the organization so that it meets your needs. Just get on with it, already!



* The fact that technology changes but stupidity repeats endlessly is job security for security weenies. Rule number 1 of information security is “never trust any unverified data from a client.” Rule 2 is “see rule 1.” Most security defects stem from failure to heed rule 1 – and we keep doing it every time we introduce new clients or new protocols. The excuse for lazy-ass servers or middle tiers is always, “Gosh, it’s just so much easier to accept any old thing the client hands you because it is computationally intensive to verify it. And nobody would send evil data to a middle tier, would they?” Right. Just like, think of all the cycles we’d save if we didn’t verify passwords. I’m sure if a client says he is John Doe, he IS John Doe! (Good luck with that.)


** Ok, I lied. One of the reasons various bills failed is because the bill drafters wanted “better security to protect critical infrastructure” but could not actually define “critical infrastructure.” If “it” is important enough to legislate, “it” should be clearly defined in the language of the bill, instead of subject to interpretation (and vast scope increase ex post facto). Just my opinion.


*** With the prospect of increased drone use in our domestic environs, we are going to have a lot more privacy discussions. What I barbecue in my backyard is none of anyone else’s goldurn business.


**** Ok, I know a lot of people love Labs. Apologies to anybody I offended.


***** Since I live a couple of blocks from the police, it’s pretty darn stupid of anybody to try to break into any house in the neighborhood.


“Check if the DISPLAY variable is set” error – Installing Oracle Forms from a Mac

Renaps' Blog - Mon, 2012-08-13 15:14

While installing Oracle Forms and Reports 11gR2 (11.1.2.0.0) from a Mac (OS X Mountain Lion), the following error occurred when executing the runInstaller installation script:

$ ./runInstaller

Starting Oracle Universal Installer…
Checking Temp space: must be greater than 270 MB.   Actual 40478 MB    Passed
Checking swap space: must be greater than 500 MB.   Actual 4094 MB    Passed
Checking monitor: must be configured to display at least 256 colors
    >>> Could not execute auto check for display colors using command /usr/bin/xdpyinfo. Check if the DISPLAY variable is set.    Failed <<<<
Some requirement checks failed. You must fulfill these requirements before
continuing with the installation,
Continue? (y/n) [n] y
I have a remote session from my Mac using Terminal. To export the display, I typed ssh -Y user@servername.
I upgraded my O/S to Mountain Lion a couple of days ago, so I thought that might be the cause. I tried to manually start X11 and I received the following message:
Click on the Continue button and you get redirected to the following URL: About X11 and OS X Mountain Lion, explaining that X11 is no longer part of the O/S and that I should use XQuartz from now on.
Download and install XQuartz and there you go!
You can now continue with the rest of the Install via the Installer GUI.

Categories: DBA Blogs
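
A pre-flight check for the failure in the post above, as an added example that is not part of the original post or of Oracle's installer: it runs the same kind of xdpyinfo probe before runInstaller and reports which step fails. The XDPYINFO override variable and the return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight for the installer's "Checking monitor" step.
# XDPYINFO is a hypothetical override; the default is the path named in the
# installer's error message. Usage: x11_preflight && ./runInstaller

x11_preflight() {
    xdpy="${XDPYINFO:-/usr/bin/xdpyinfo}"

    # 1. With ssh -X/-Y, sshd sets DISPLAY only when X11 forwarding was
    #    actually established, which needs an X server on the client
    #    (XQuartz on Mountain Lion). -Y is *trusted* forwarding: remote X
    #    clients get full access to the local display, so use it only with
    #    hosts you trust.
    if [ -z "${DISPLAY:-}" ]; then
        echo "DISPLAY is not set: no X11 forwarding in this session" >&2
        return 1
    fi

    # 2. The check shells out to xdpyinfo, so it must exist on this host.
    if [ ! -x "$xdpy" ]; then
        echo "$xdpy not found or not executable" >&2
        return 2
    fi

    # 3. xdpyinfo must be able to reach the X server behind DISPLAY.
    if ! info=$("$xdpy" 2>/dev/null); then
        echo "cannot open display $DISPLAY" >&2
        return 3
    fi

    # 4. 256 colors needs a root window depth of at least 8 planes (2^8).
    #    Parsing the depth line is this example's approach, not necessarily
    #    what the installer does internally.
    depth=$(printf '%s\n' "$info" |
        sed -n 's/^ *depth of root window: *\([0-9][0-9]*\) planes.*/\1/p' |
        head -n 1)
    if [ -z "$depth" ] || [ "$depth" -lt 8 ]; then
        echo "root window depth '${depth:-unknown}' is below 8 planes" >&2
        return 4
    fi

    echo "display $DISPLAY ok, depth $depth planes"
    return 0
}
```
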

OWB – Configuration Templates, Default Values

Antonio Romero - Mon, 2012-08-13 11:04

The 11gR2 release of OWB introduced ways of overriding the default values for properties – users may wish to change the seeded default values for properties (for all objects of a type). You can do this using the enterprise feature supplied in Configuration Templates.

These configuration templates are defined on the global tree, once you create a configuration template it is used in a configuration – then any objects created will inherit these default values.

You can create a new template and provide a name and description;

 

This then brings up the editor for the configuration template, the properties are in the tree, and the columns such as PRODUCTION_DEFAULTS is where you can change the property value.

So for example if you wanted to change the property value for Generation Mode – so rather than generating All Operating Modes, which is the default, you can just generate Set Based – you would find this property;

Then change the value to Set Based for your configuration template;

Lots of property defaults are here, see there is also one for Default Operating Mode, if you were to change the default code gen to just be Set Based, it makes sense to also change the default operating mode to Set Based.

Remember these are defaults so you are not setting specific values on an object – these are the defaults if no overridden value is specified. There are many other interesting properties from tablespace info for tables to all sorts of properties for mappings.

The final piece of the jigsaw is to use this configuration template in a configuration – otherwise it will never be used.

Oracle Forms and reporting solutions

Francois Degrelle - Mon, 2012-08-13 04:40
This month, there are two reporting solutions offered to embed in your Oracle Forms application:

  • Jasper Report by Mark Striekwold
  • PL-jrxml2pdf by Andreas Weiden

Francois

Win A Free Copy of Packt's Oracle Database XE 11gR2 Jump Start Guide eBook

Asif Momen - Mon, 2012-08-13 02:00

I am pleased to announce that Packt Publishing is organizing a giveaway especially for you. All you need to do is just comment below the post and win a free copy of Oracle Database XE 11gR2 Jump Start Guide. Two lucky winners stand a chance to win an e-copy of the book. Keep reading to find out how you can be one of the lucky ones.


Overview of Oracle Database XE 11gR2 Jump Start Guide eBook
Build and manage the Oracle Database 11gR2 XE environment with this fast paced, practical guide. The book helps beginners to install, administer, maintain, tune, backup and upgrade the Oracle Database Express Edition.

Read more about this book and download free Sample Chapter:

How to Enter?

All you need to do is head on over to this page and look through the product description of this book and drop a line via the comments below to let us know what interests you the most about these books. It’s that simple.

Deadline:


The contest will close on 26-AUG-2012. Winners will be contacted by email, so be sure to use your real email address when you comment!


All the best !!!

The Two Ways of Doing a Job

Robert Vollman - Sat, 2012-08-11 20:19
Whether it's deployment, development, performance tuning, troubleshooting or something else, there are two fundamentally different ways of doing your job: doing it fast and doing it completely.

Doing it Fast

Sometimes you can make a case for doing something fast. If you're dealing with something you're only going to do once, in a problem space you're either already deeply familiar with or

Create Google Tasks by sending email to Google GMail Address

Ittichai Chammavanijakul - Fri, 2012-08-10 07:59

I use Google Tasks for a quick to-do list. It has a clean interface and is easy to use. On a desktop or laptop machine, it is built in to Google Mail for quick access. On smartphones, many to-do apps including Tasks N Todos sync with Google Tasks.

The neat thing is that in the Google Mail, you can add Gmail messages into the task list very easily by selecting the messages and then using More Actions > Add to Tasks.

What if you want to add email messages from other mail accounts, such as work or Yahoo Mail? There doesn’t seem to be a straightforward way to do so.

I found this web log on the automated email-to-task with Google Apps Script by DJ Adams. The Google Apps Script is able to parse the email with a specific filtered label and create a task automatically. Let’s give it a try.

The overall process is as follows:

  • Two new Gmail labels need to be created – newtask and newtaskdone. When a new email arrives, the filter will label it with newtask. Once the script processes this email, it will be re-labeled to newtaskdone so it won’t be processed again.
  • To make sure that only specified emails – not all – are processed, one of the hidden features of Gmail will be used. The filter will look for only +task@gmail.com (such as ittichai+task@gmail.com) in the TO address to apply the new label. Read this on how to use “+” (plus) or “.” (dot) in your Gmail address.
  • The Apps Script is from the Google Spreadsheet. The original post uses only the email’s subject for the task’s title, but I modified the code a bit to include the email’s body as the task’s body as well.
  • One of the important things is to integrate the script with the Google API so that it is allowed to use the Google Tasks API service and content.
  • Schedule it to run with a needed interval. I’m doing it every 30 minutes. Note that there is a courtesy limit of 5,000 requests per day. But this should be more than enough for a normal use.

Courtesy Limit of Tasks API

  • Now just simply forward all emails to +task@gmail.com if you want to add them into the task list. They should show up in Google Tasks within your specified interval.

All step-by-step instructions can be found at my wiki site.

Categories: DBA Blogs

Generating an EJB SDO Service Interface for Oracle SOA Suite

Edwin Biemond - Thu, 2012-08-09 13:51
In Oracle SOA Suite you can use the EJB adapter as a reference or service in your composite applications. The EJB adapter has a flexible binding integration, there are 3 ways for integrating the remote interface with your composite. First you have the java interface way which I described here this follows the JAX-WS way. It means you need to use Calendar for your Java date types and leads to one

Speaking at Enkitec Extreme Exadata Expo

Tyler Muth - Thu, 2012-08-09 09:18
I’ll be speaking at the Enkitec Extreme Exadata Expo (E4), August 13-14 in Dallas Texas (you can also attend virtually). They’ve recruited some of the top names from community including keynote speaker Andrew Mendelsohn, Arup Nanda, Cary Millsap, Jonathan Lewis, Karen Morton, Maria Colgan, Kerry Osborne and Tanel Põder. I left a lot of names off the list, many of which you probably […]
Categories: DBA Blogs, Development

OWB – ANSI and Oracle SQL code generation

Antonio Romero - Tue, 2012-08-07 10:56

There is a configuration property in OWB for switching between ANSI SQL code generation and Oracle SQL. It is under the ‘Code generation options’ in the mapping configuration. The join condition is expressed in Oracle SQL join syntax and OWB will reinterpret if generating ANSI SQL.

You can change the value to false, generate the code and inspect it inline within the mapping editor;

The 11gR2 release of OWB has changes in the join component to allow you to express the join type in a logical manner, so you can indicate outer join on a group for example.

Return a fault from an Asynchronous Web Service

Edwin Biemond - Thu, 2012-08-02 15:14
In an asynchronous web service we can't return a SOAP fault like a synchronous service but that does not mean you can't report back the fault to the calling asynchronous process. Basically you've got three options. Of course, handle the fault in the error hospital and give back the response. In the response message you can add a section (an XSD choice with success and fault section) which can be

Book Released: "Oracle Database XE 11gR2 Jump Start Guide"

Asif Momen - Thu, 2012-08-02 08:59

I am pleased to announce my first book "Oracle Database XE 11gR2 Jump Start Guide" published by Packt Publishers. The book is available in two formats "Print Book" and "ebook".  


Please let your friends and colleagues know about the book. Have a look at the contents by following the below link:



The book is available for purchase from the publisher's website (www.packtpub.com) and other leading consumer websites like Amazon, Barnes & Noble, Waterstones etc.

Thanks to all my readers who have encouraged me to write this book. 

Handling Large Payloads in SOA Suite 11g

Ramkumar Menon - Fri, 2012-07-27 02:45

I delivered this session at ODTUG '12 where I talked about various considerations and product features that you should know when you are working with processing large payloads with Oracle SOA Suite 11g. You can find the deck for the session at

http://www.oracle.com/technetwork/middleware/soasuite/learnmore/binarycontentlargepayloadhandling-1705355.pdf

You are also welcome to share your experiences in this area.

Looping synonyms and transportable

Fairlie Rego - Thu, 2012-07-26 07:46
Whilst doing an export as part of TTS

> expdp directory=tmp_dir dumpfile=test_meta.dmp transport_tablespaces=tts_conv

Export: Release 10.2.0.4.0 - 64bit Production on Thursday, 31 May, 2012 11:03:50

Copyright (c) 2003, 2007, Oracle. All rights reserved.

Username: / as sysdba

Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, Real Application Clusters, OLAP, Data Mining
and Real Application Testing options
Starting "SYS"."SYS_EXPORT_TRANSPORTABLE_01": /******** AS SYSDBA directory=tmp_dir dumpfile=test_meta.dmp transport_tablespaces=tts_conv
ORA-39123: Data Pump transportable tablespace job aborted
ORA-01001: invalid cursor
ORA-06512: at "SYS.DBMS_SYS_SQL", line 902
ORA-06512: at "SYS.DBMS_SQL", line 19
ORA-06512: at "SYS.DBMS_TTS", line 838
ORA-01775: looping chain of synonyms

Job "SYS"."SYS_EXPORT_TRANSPORTABLE_01" stopped due to fatal error at 11:03:59


SYS > alter system set events '1775 trace name errorstack level 3';

System altered.

From the trace file generated

the failing SQL statement is

*** 2012-06-04 10:17:14.026
ksedmp: internal or fatal error
ORA-01775: looping chain of synonyms
Current SQL statement for this session:
SELECT DISTINCT p.name, x.xmlschema, u.name FROM dba_xml_tables x, obj$ o, tab$ t, ts$ p, user$ u WHERE x.table_name = o.name AND o.obj# = t.obj# AND t.ts# =
p.ts# AND u.user# = o.owner# AND u.name = x.owner
----- Call Stack Trace -----

So if you run the command manually you receive the same error.

SYS> SELECT DISTINCT p.name, x.xmlschema, u.name FROM dba_xml_tables x, obj$ o, tab$ t, ts$ p, user$ u WHERE x.table_name = o.name AND o.obj# = t.obj# AND t.ts# =
p.ts# AND u.user# = o.owner# AND u.name = x.owner 2
3 /
SELECT DISTINCT p.name, x.xmlschema, u.name FROM dba_xml_tables x, obj$ o, tab$ t, ts$ p, user$ u WHERE x.table_name = o.name AND o.obj# = t.obj# AND t.ts# =
*
ERROR at line 1:
ORA-01775: looping chain of synonyms



> sqlplus / as sysdba

SQL*Plus: Release 10.2.0.4.0 - Production on Thu May 31 11:04:03 2012

Copyright (c) 1982, 2007, Oracle. All Rights Reserved.


Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, Real Application Clusters, OLAP, Data Mining
and Real Application Testing options

SYS> select object_name,owner,object_type from dba_objects where object_name='DBA_XML_TABLES';

OBJECT_NAME
--------------------------------------------------------------------------------
OWNER OBJECT_TYPE
------------------------------ -------------------
DBA_XML_TABLES
PUBLIC SYNONYM

So let's drop the public synonym

SYS > drop public SYNONYM DBA_XML_TABLES;

Synonym dropped.

SYS@>
and Real Application Testing options
> expdp directory=tmp_dir dumpfile=test_meta.dmp transport_tablespaces=tts_conv

Export: Release 10.2.0.4.0 - 64bit Production on Thursday, 31 May, 2012 11:05:09

Copyright (c) 2003, 2007, Oracle. All rights reserved.

Username: / as sysdba

Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, Real Application Clusters, OLAP, Data Mining
and Real Application Testing options
Starting "SYS"."SYS_EXPORT_TRANSPORTABLE_01": /******** AS SYSDBA directory=tmp_dir dumpfile=test_meta.dmp transport_tablespaces=tts_conv
Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK
Processing object type TRANSPORTABLE_EXPORT/TABLE
Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK
Master table "SYS"."SYS_EXPORT_TRANSPORTABLE_01" successfully loaded/unloaded
******************************************************************************
Dump file set for SYS.SYS_EXPORT_TRANSPORTABLE_01 is:
/tmp/test_meta.dmp
Job "SYS"."SYS_EXPORT_TRANSPORTABLE_01" successfully completed at 11:05:35

As you can see the export completes successfully

You can re-create the public synonym by running the below

catxdbv.sql:86:create or replace public synonym dba_xml_tables for dba_xml_tables;

If you do a search on MOS for the string "ORA-01775 dbms_tts" you find
Problem on DBMS_TTS ORA-01775: Looping Chain Of Synonyms [ID 1340262.1]

This note indicates the synonym can be dropped













Oracle Database 12c - New Feature: Identity Columns

Asif Momen - Wed, 2012-07-25 05:20

Well, Oracle Database 12c is not yet available but new features seem to be popping out in MOS. While troubleshooting Oracle Enterprise Manager Cloud Control 12c startup issues I came across an Oracle Database 12c new feature called “Identity Columns”.

An Identity Column is auto-incremented at the time of insertion just like in SQL Server. Going forward, I think you will not use Oracle Sequence anymore to generate unique values and will instead use Identity Columns.

For more information on this read:



Happy reading!!!

InteliVideo is Ramping Up!

Bradley Brown - Wed, 2012-07-25 00:24
The rubber is starting to meet the road now! We're getting some serious traction in the market with InteliVideo. J.P. O'Brien, a long time friend, has joined me as a co-founder and CEO. We're signing up customers each week. We have customers in 3 different categories: 1) Long tail videos - just like Amazon was originally focused on the long tail books, we're focused on the long tail video market. 2) Mid tail videos - these are our ideal customers who have videos. These companies have the best potential for knocking it out of the park with a viral video. 3) Businesses that want to partner with other companies in the video and entertainment space. More about this another time.

We now have APIs for anything you can imagine.  We have players for most every device.  We have a full digital rights management platform (we protect our customers' IP).  We keep track of detailed video viewing, previewing, and every click on our site.  In other words, we have extensive analytics about our customers and our prospects.  We have full support and feedback platforms built into our platform.  We allow people to watch videos pretty much anywhere they want - from their big screen TV (i.e. on Roku) to their iPhone, iPad, Android devices and more.

Last week I offered my Oracle Application Express class to the first 10 people that signed up for free.  That provided me with considerable valuable feedback.  Thank you beta users!  10 new people have some great ApEx skills now!  I started by offering my class at $300.  My thinking was that if you attended this class (which I planned to add to over time for added value), it would cost you about $300 per day for an in person class.  This class is at your own pace and you can refer back to the materials at any time.  If it's a 5 day class (I personally think I'll end up with at least 10 days of material)...that's a $1500 value for only $300!

What we need right now is to prove out our model.  In other words, we need to prove we can sell classes online.  I'm headed to Branson, MO for my yearly family reunion/vacation for the next couple of weeks.  So I'm going to put my class out there for just $49.99.  You can buy an unlimited number of seats (one seat is for one employee) and it's not a timed copy of the class - in other words, you'll be able to watch it as long as we're around...and you'll get all of the updates that I do to the class.  All of this just for being one of my first customers!  Hopefully you'll want to train a few hundred of your employees in ApEx...or maybe it's just you. But...please sign up, pay for the class and help make a difference with the future of InteliVideo!  Think of it as a "Kickstart-like" investment!  I can assure you that you won't regret it.  If you don't like the classes, you don't see the value or whatever your reason, I'll gladly refund your money.

This is a cool look at our videos.  Please buy other videos too!  But...PLEASE, PLEASE, PLEASE buy my ApEx class.  And...if there are other classes you would like to see offered out here...let me know!  If you want to deliver your own content and offer it up to the world just as I'm doing (at whatever price you want to offer it for - within reason), that's exactly what I built InteliVideo for...sign up as a content owner and we'll be happy to help you publish and sell your content.

Again, please...and thank you!

