XP_CMDSHELL Is Not A Security Risk

Sean McCown has a fantastic blog post on how xp_cmdshell is safe by default and turning it on is not a security risk. I’ve seen auditors freak out when they see this on and have seen DBAs obstinately refuse to use any solution which requires shelling out. This is the wrong attitude to take, as McCown points out. The xp_cmdshell command is secure by default (it is disabled out of the box and requires sysadmin access to run). Instead of freaking out about this, DBAs and managers should spend more time ensuring that service accounts follow the principle of least privilege, that the number of people with sysadmin rights is minimized, that SQL Server hosts are correctly network-segmented, and all those other things which actually improve security posture.
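As an added defender’s check (not from the page or from McCown’s post), the following T-SQL audits exactly the points above on a SQL Server instance: whether xp_cmdshell is on, who holds sysadmin, and whether a proxy account or an explicit EXECUTE grant widens who can reach the shell. It assumes only the standard catalog views and sysadmin rights to run it.

```sql
-- Added audit script (not from the page or McCown's post). Run as sysadmin.

-- 1. Is xp_cmdshell enabled? value_in_use = 0 is the default (off).
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Who holds sysadmin. Each login listed can run xp_cmdshell once it is
--    enabled, and can enable it themselves, so this is the list to minimise.
SELECT m.name        AS login_name,
       m.type_desc   AS login_type,
       m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 3. Proxy account. If this returns a row, non-sysadmin logins that are
--    granted EXECUTE on xp_cmdshell run commands as this Windows account,
--    so its OS-level privileges are what least privilege has to cover.
SELECT name, credential_identity, create_date
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';

-- 4. Explicit EXECUTE grants on xp_cmdshell in master (class = 1 means an
--    object-level permission). Anyone here plus the proxy above is the
--    full set of non-sysadmin users who can shell out.
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM master.sys.database_permissions pe
JOIN master.sys.database_principals pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1
  AND pe.major_id = OBJECT_ID(N'master.dbo.xp_cmdshell');
```

If query 1 shows it off and queries 3 and 4 return nothing, the only people who can shell out are the sysadmin members from query 2, which is the case the post argues is already acceptable.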

How to prevent all hacking attacks ever

Gizmodo had this interesting article today. I found it apropos because I had a conversation with my wife today about my PayPal account and a random e-mail I got from the company that I needed to reset my password because somebody had been monkeying around. (No worries, no money changed hands. I think it was probably because I hardly ever use the account.) Anyway, she asked if changing our password (which I did) would prevent us from being hacked. I told her “probably not.” I’m sure no hacker is dumb enough to target me on purpose, but a lot of these attacks are more like looting a grocery store. The chances of one individual egg being broken are pretty low, but when there’s so much smashing and grabbing, well, I wouldn’t get too attached to Eggbert.

I am curious as to our resident security expert’s take on the article.


SQL injection vulnerabilities were up in 2014.  Sounds like a bunch of product managers need to buy copies of Tribal SQL and read the SQL injection chapter.  Seriously, SQL injection should have died a decade ago and my presentation on the topic should simply have historical value.

On the Anthem breach, Chris Bell is fed up as well.  Check out the comments there for additional insight.  There’s no word yet on the exact nature of the breach, but given the frequency with which data gets out into the wild, someone else will get popped next week.

More On Free SSL Certs

Earlier this week, I blogged about Let’s Encrypt, a new, free certificate authority.  Let’s Encrypt looks like a great service, but it’s not out yet and I’m not sure if it will be generally applicable.  For example, if I want to host my website on Azure, I might not be able to use this service to generate an SSL certificate.

Fortunately, Troy Hunt already came to the rescue, showing us how we can use StartSSL to get a free certificate for Azure.  You still need to pay extra for Azure to allow you to use an SSL certificate ($9 a month at current prices), but it’s great that you don’t need to pay big bucks for an SSL certificate, especially if you’re running a smaller site which doesn’t have much (or any) revenue.

Stratfor: Disband the CIA and NSA, it’s all the intelligence gathering you’ll ever need!

A friend pointed this out to me on another website. We have this brilliant tagline:

Best-selling author George Friedman founded Stratfor in 1996 to bring customers an incisive new approach to examining world affairs. Under his direction, Stratfor taps into a worldwide network of contacts and mines vast amounts of open-source information. Analysts then interpret the information by looking through the objective lens of geopolitics to determine how developments affect different regions, industries and markets.

So, they Google stuff on the internet and watch CNN. And calling geopolitics “objective” is hilarious.

Their vision:

Stratfor’s vision is to be the foremost provider of predictive geopolitical-based intelligence services.

Stratfor’s core philosophy is that transformative geopolitical events are neither random nor unpredictable. Building on nearly 20 years of experience as the world’s premier geopolitical intelligence firm, Stratfor develops constraint-based narratives for key trends around the globe — placing today’s events in context and forecasting tomorrow’s new developments well before they appear in the headlines.

This reminds me of this Dilbert comic. Wally has a ponytail because he’s discovered it makes people give him venture capital. Ah, 1999.

The core philosophy is bold, I’ll give them that. I love the idea of “constraint-based narratives,” which makes me think of unconstrained narratives. “We predict that giant robot whales will develop nuclear technology, but we think Aquaman will try to calm them down, until he realizes whales are mammals and not fish. ESPECIALLY robot whales, who are clearly robot mammals.”

Of the three experts they champion, the one thing they all have in common is that they’ve sold a lot of books. That means they’re good at convincing people to believe their bullshit, which is not the worst qualification for running a geopolitical intelligence firm, you have to admit.

You can check out their methodology, which successfully proves that they have at least one graphic artist. Oh, one of the award winning reports they author?

The very first sentence is complete horseshit.

Like nearly all of the peoples of North and South America, most Americans are not originally from the territory that became the United States.

Since you’re using “are” — indicating present tense — I would argue the exact opposite: most people who are Americans did come from the United States since, you know, no matter how bad illegal immigration is, it has yet to reach over 50%. Even if you include legal immigrants, it’s still way less than 50%. According to the Brookings Institution, it’s actually less than 20% (although it is not clear whether or not this figure includes illegal immigrants, they link to a paper I could read if I cared to break it down.)

It takes a special kind of stupidity to achieve almost complete incoherence one sentence into a flagship paper. One more insane sentence, which leads off the second paragraph:

The American geography is an impressive one.

“One?” One of what? Are you trying to say, “The American geography is an impressive geography?” Because that’s moronic. “Geography” — specifically, the science of studying the earth, or physical location on the earth of some natural feature — cannot be impressive. Would you call the “Grand Canyon an impressive geography of America?” No. You could say “the Grand Canyon is an impressive feature of American geography.” But geography, in and of itself, cannot be impressive. I’m theoretically paying damn good money for your nonsensical advice. Try to make it coherent nonsensical advice!

Oh, and a free tip (the next one is $100,000): nothing is inevitable, in a historical sense. Only Marxists think that. Wait a minute… you aren’t a big Commie, are you, Stratfor?