Archive for August, 2006

A simple intro to database normalization

August 30th, 2006 by Sjan Evardsson

I found a very clear, well-written introductory example to database normalization on devshed. Although it is in the MySQL portion of the site, it applies equally well across the board to other RDBMSs.

To get more details on normalization, the normal forms, and general good database development in general, check out Database Design for Mere Mortals: A Hands-On Guide to Relational Database Design, Second Edition by Michael J. Hernandez. Without a doubt the most useful db development book I’ve ever laid my hands on.

Here they come . . .

August 14th, 2006 by Sjan Evardsson

In the eEye security bulletin for today the news of not just one, but two worms in the wild based on the Server Service vulnerability. If you still haven’t patched do it now, unless you’ve been infected, in which case eEye recommends “to wipe the system clean and rebuild it from the last uninfected backup.”

Patch! Patch! Patch!

August 11th, 2006 by Sjan Evardsson

As much as this should be ingrained in our computing habits, this still needs to be said: Apply patches when they come out!

The Microsoft Security Bulletin MS06-040 came out on the 8th, and a module to exploit the flaw came shortly after. Tech e-zine eWeek reported that Immunity and Core Security Technologies had both released what they deemed “reliable exploits” for the flaw and declared it wormable on all Windows versions.

Dave Aitel, CEO of Immunity said in an interview with eWeek “A worm is coming. This bug is just too easy to exploit.”

This is a vulnerability that would allow for remote takeover of an unpatched Windows machine. It will be interesting to see how widespread the damage is when (not if) a worm is released.

Patches are available from the bulletin (follow the links) or from Windows Update.

Ultimate Boot CD

August 6th, 2006 by Sjan Evardsson

Anyone who has ever had need of bootable recovery tools knows what a pain it is to try to build a bootable CD containing all the needed tools. Why do it all the hard way? There is a very handy one already built and ready for download at . This is a Linux-based live CD with lots of Linux tools. There is a Windows-based version as well. While the Linux-based version comes with its own kernel, and allows for adding modules (available at SourceForge) the Windows version requires that you have your own WindowsXP CD with SP1 (and preferably 2) – although they also have a utility to help you slipstream the service packs if your disk doesn’t have them.

10 Windows Password Myths

August 2nd, 2006 by Sjan Evardsson

I saw this article (Ten Windows Password Myths) over at Security Focus and thought it was worth sharing. And something I didn’t know about Windows (2000/XP) passwords:

If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password.

The nice thing about that is that it then becomes impossible for your password to be cracked from the SAM database, since we kow it isn’t actually null.

Perhaps the most interesting point the article makes, (and though it has been made many times before it bears repeating) is that despite every other security measure we put into place, without strong passwords our defenses are easily overcome.