
Re: What so special about PostgreSQL and other RDBMS?

From: Jim Kennedy <kennedy-downwithspammersfamily_at_attbi.net>
Date: Sun, 16 May 2004 22:57:05 GMT
Message-ID: <5lSpc.62944$xw3.3682312@attbi_s04>

"Greg D. Moore (Strider)" <mooregr_deleteth1s_at_greenms.com> wrote in message news:PPRpc.199824$M3.111450_at_twister.nyroc.rr.com...
>
> "Jim Kennedy" <kennedy-downwithspammersfamily_at_attbi.net> wrote in message
> news:AuEpc.19040$6f5.1748445_at_attbi_s54...
> >>
> > You are probably in a small shop then.
>
> Huh? So what you're basically saying is that large shops can ignore basic
> security steps and then complain when they get bit?
>
> It doesn't matter if I have 1 or 1000 SQL Servers, the basic security steps
> (such as blocking port 1433 to the outside world) are the same. If
> corporations had simply blocked 1433 and 1434 at the firewall, Slammer would
> have been a non-event, patches or no patches.
>
>

Firewall is blocked on those ports and many more, has been for many years. That's not the problem. The problem is when one of these things gets inside the firewall then the firewall doesn't help much does it? Gee, don't have this problem on port 1521 with Oracle. If it were as shoddily written as MS SQLServer's security you know people would be attacking it and it would be in the news. It isn't because the products come from 2 different mind sets. When someone's mainframe goes down or suffers an unexpected service interruption then the CEO is on the phone with the CEO of the mainframe company demanding to know why and when the fix is going to be installed. I remember encountering a problem with Oracle's SQLNet product to DB2 running on a mainframe, where if the client rebooted it locked up a CPU on the mainframe. American Transtech called Oracle and Oracle had someone out there to fix it the next morning. (from California to Jacksonville) When someone's PC goes down people don't call MS (because that is useless); they just reboot and hope it goes away. Same project. Tried a sophisticated mail merge with Word and the OS would crash after 50 documents (Windows 3.11 which was the latest version at the time) due to a memory leak in Word and Excel. Sent MS a test case and they admitted it was a defect. No solution, it might get fixed some day. Never mind we had to do a mail merge of 150,000 letters and documents. We had paid about $350,000 for super special support from MS and that was the best they could do, tell us to wait for some future release and it might be fixed then, 50 at a time wasn't going to cut the mustard. We switched to WordPerfect.

But clearly the company attitudes are very different with regards to stability, security, and performance. I agree that one should use the right tool for the right job. However, one should also look at all the costs one is going to incur in using the tool. (unexpected downtime, loss of data, performance etc.) If the trade offs are okay, go for it; just don't be naive they don't exist.

> >We have tens of thousands of
> > computers on our global network. Bank of America got hit, Siebel's site was
> > down for days. Yet look at Sun or Oracle, nary a hiccup. Gee, might be a
> > pattern here.... I guess we could do what the CIA and NSA do and make sure
> > there isn't a connection to the outside world, the ultimate firewall.
>
> Funny though. I can get to servers of the CIA and the NSA. But I can't get
> to critical systems. So if you "guess" you could do that, I'd suggest
> that's exactly what you do. Partitioning systems that are required to be
> secure from non-secure systems is basic security 101.

You can get to their public web servers. Big woop. That's as far as you can get.

>
> The biggest pattern I've seen is that most Windows administrators don't know
> the basics about administering in a high security and high availability
> environment.

The big problem is that Bill declared the shortest month of the year security month. Says a lot doesn't it. It isn't important to MS. They give lip service to it. When programming, security is like performance and scalability; they are aspects of the job, not things to be bolted on afterwards. You have to do them all the time, not "at the end of the project" if we have time. That attitude means it isn't important. MS is mainly a marketing organization,

>
> Take a Unix administrator w/o a snobbish attitude (and yes, I've found quite
> a few that are snobs and a number that are open-minded) and you'll find that
> many of the same techniques that can be used to secure Unix systems and make
> them highly available can be applied to Windows systems with similar degrees
> of success.
>
> The problem in my experience is not so much the OS as the operators.

You can't fix something broken by design. How many Security certifications does SQL Server or Windows 2000 have? (none)

Jim

>
>
> > Jim
> >
> >
>
>
Received on Sun May 16 2004 - 17:57:05 CDT
