Monday, May 16, 2016

True Story: A WiFi Security Issue at a Coffee Shop

On a cold spring afternoon, Jim ordered a cup of coffee at a local coffee shop and walked to his table with his laptop. He connected to the shop's WiFi and began to surf the Internet.

Jim was always a careful computer user. His laptop was protected by up-to-date antivirus and anti-spyware programs. His Windows firewall was on. He only used HTTPS to access sensitive web services.

He opened his browser to check his XXX credit card balance. He typed in the URL of the credit card company and a message appeared: "Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. Do you want to proceed?" He clicked the "View Certificate" button in the message window and found that most of the information looked normal, except for one line: "This certificate cannot be verified up to a trusted certification authority."

He clicked OK to accept the certificate and proceeded to check his online credit card account as usual.

Two days later, Jim received calls from his credit card company asking about suspicious transactions on his card. His card had been compromised.

What Went Wrong?

The coffee shop was a well-established one that Jim had visited many times over the past five years. His laptop was clean. Everything seemed fine.

On-the-spot Investigation

We accessed the shop's APs over both wired and wireless connections and compared the routes. The wireless traceroute showed one extra hop between the client and the shop's gateway, which is consistent with a rogue AP sitting in the path and relaying traffic: a man-in-the-middle (MITM) AP.

The attacker terminated SSL/TLS on the rogue AP and presented Jim's browser with a forged certificate for the credit card site. Because the forgery did not chain to a trusted CA, the browser warned him. Once Jim clicked through the warning, the SSL/TLS session was established between Jim and the MITM AP rather than with the bank, so the attacker could read and modify everything Jim sent, including his login credentials. The warning was the only visible signal: "cannot be viewed or changed by others" only holds when the certificate verifies up to a trusted certification authority.
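The check the browser performed before warning Jim can be reproduced outside the browser. The following is an added example, not part of the original post: it reads a server certificate chain saved in PEM form (for instance the output of openssl s_client -showcerts) and asks the JDK's default trust manager, which consults the JRE's cacerts trust store, whether the chain verifies up to a trusted CA. The class name, the file argument and the "ECDHE_*" key-exchange hint are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example: validate a PEM certificate chain against the JDK's
// default trust store. The chain file is a hypothetical argument.
public class CheckChain {

    // Initialising TrustManagerFactory with a null KeyStore selects the
    // JRE's cacerts, i.e. the "trusted certification authorities".
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Parses every "-----BEGIN CERTIFICATE-----" block in the file. The first
    // certificate must be the server (leaf) certificate, followed by any
    // intermediates, which is the order a TLS server sends them.
    static X509Certificate[] loadPemChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    // Returns null when the chain verifies up to a trusted CA, otherwise the
    // reason it was rejected. An attacker's self-signed or privately issued
    // certificate fails here because its issuer is not in the trust store.
    static String verify(X509Certificate[] chain) throws Exception {
        if (chain.length == 0) {
            return "no certificates found";
        }
        // authType names the key exchange; the default trust manager uses it
        // only to check the leaf certificate's key usage (assumed values).
        String authType = "RSA".equals(chain[0].getPublicKey().getAlgorithm())
            ? "ECDHE_RSA" : "ECDHE_ECDSA";
        try {
            defaultTrustManager().checkServerTrusted(chain, authType);
            return null;
        } catch (CertificateException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java CheckChain <chain.pem>");
            System.exit(2);
        }
        X509Certificate[] chain = loadPemChain(args[0]);
        System.out.println("leaf subject: " + chain[0].getSubjectX500Principal());
        System.out.println("leaf issuer:  " + chain[0].getIssuerX500Principal());
        String problem = verify(chain);
        if (problem == null) {
            System.out.println("chain verifies up to a trusted CA");
        } else {
            // The equivalent of the browser's warning. Do not "click OK":
            // the peer is not proven to be the site whose URL was typed.
            System.out.println("REJECTED: " + problem);
            System.exit(1);
        }
    }
}
```

Two caveats a practitioner should keep in mind: this tool only checks the chain, not that the leaf certificate's name matches the host being visited (in Java that is a separate endpoint-identification step), and the default trust manager does not check revocation unless it is enabled. A chain that verifies for some other hostname is still not the bank.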

Thursday, August 20, 2015

5W1H for DBA's Database Health Check Role (Part I)

A DBA routinely needs to perform activities that keep database servers healthy.

To simplify the road map for the DBA's health check role, we outline the task using the famous Five Ws and one H:
  • What is a database server health check?
  • Why does a DBA need to perform the check?
  • When should a DBA perform health check?
  • Which tools should a DBA use to perform health check?
  • Where to store information collected from the check?
  • How to use (analyze) data collected in a check?
1. What is a database server health check?

A database server health check is a routine performance assessment, audit or analysis of a collection of metadata metrics. For MS SQL Server there are two main types of metrics:
  • Windows Performance Monitor counters (real-time and logged data) for the server's resources.
  • Dynamic management objects (DMOs), i.e. dynamic management views and functions, for the SQL Server instance. There are server-scoped and database-scoped DMOs, and querying them requires the VIEW SERVER STATE or VIEW DATABASE STATE permission respectively.
2. Why does a DBA need to perform the check?

The reason is straightforward: a health check helps the DBA ensure the performance, security and stability of the database. It is also useful before audits, migrations, upgrades, backups, etc.

3. When should a DBA perform health check?

Once an initial health check is done, it should be repeated regularly. Follow-up checks are usually faster because the baseline and the tooling already exist.

4. Which tools should a DBA use to perform health check?

First, a DBA needs an inventory of the server landscape, answering questions such as:
  • Where and what are the servers? What are their domains?
  • How do you connect to the servers? (SSMS, RDP/mstsc)
  • Version, build, service pack, etc.?
  • Type of authentication (Windows or SQL)?
  • Clustered? Virtual or physical?
Second, a DBA needs a systematic checklist of checkpoints, i.e. the data to be collected. For example, checkpoints can be categorized as:
  • Resources and state of health: CPU, memory and disk I/O usage, uptime, etc.
  • Configuration: server info, tempdb
  • Query performance: blocking, locking and deadlocks.
Third, MS SQL Server itself is a fully featured DBMS that ships with tools such as:
  • Activity Monitor
  • Activity and performance reports from SSMS + Performance Dashboard Reports
  • T-SQL, DMOs (system views, functions, stored procedures)
  • SQL Trace/Profiler/Extended Events
  • PowerShell
  • Management Data Warehouse (MDW), SQL Server 2008 and later:
    • SSMS > Database Server > Management > Data Collection
Fourth, there are additional Windows and Microsoft tools:
  • System and event logs
  • Performance Monitor (Control Panel > System & Security > Administrative Tools)
    • SQL Server Performance Monitor (data collector): set up an ODBC data source first.
  • Performance Analysis of Logs (PAL)
  • SQL Server Best Practices Analyzer (2012)
We have summarized how a DBA can maintain healthy database servers in a 5W1H way. This part covered the first four Ws; the remaining W and the H follow in Part II.

5. Where to store information collected from the check? (To be continued)

6. How to use (analyze) data collected in a check? (To be continued)

Sunday, April 5, 2015

How to translate the Qingming Festival in China?

The Qingming Festival, also known as Chinese Memorial Day or Ancestors' Day, is a traditional Chinese spring festival on which people commemorate their deceased family members and ancestors.

However, the existing translations are not ideal; in particular, the transliteration "Qingming" itself conveys no meaning to an English reader.

I propose a new translation, "Cherished Memorial Day", which not only sounds similar to the Chinese pronunciation (Cher-Mem), but also won't be confused with the war-related Memorial Day.

Wednesday, January 14, 2015

Program's Multitasking

Multitasking is a great feature of a programming language. There are two types of multitasking: process-based and thread-based.
Process-based multitasking, which allows a computer to run several programs at the same time, is mostly a function of the operating system.
Thread-based multitasking needs more language-level support, because one process can have several threads of execution.
However, many languages have no built-in support for multithreading. To achieve it, the programmer has to rely on OS functions to create, start, synchronize and end threads. That can be a nightmare, and the code won't be portable either.
Java has an easy-to-use built-in multithreading model. We can regard a program as a collection of parallel tasks (threads) that interact with one another.
The java.lang.Thread class is for creating and controlling threads.

First, we create a subclass of Thread that overrides the run method.
  • The code within the run method performs the thread's task.
  • Each instance of the subclass corresponds to a single thread.
Then the controlling program invokes the java.lang.Thread.start method to start the thread. (Calling run directly would execute the task on the current thread instead of a new one.)

The thread terminates when the run method returns.
We can also use the static Thread.sleep method to pause the current thread for a desired time (in milliseconds).
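The steps above, as an added example that is not part of the original post: a Thread subclass whose run method updates a shared counter, started with start, paused with Thread.sleep and waited for with join. Because the post's threads "interact with one another", the example also shows why shared state needs synchronization. The class and field names and the iteration counts are illustrative choices.

```java
// Added example of the Thread subclass model described above. The worker
// name, the shared counter and the iteration counts are illustrative.
public class ThreadDemo {

    // Shared state that the worker threads interact through.
    private static final Object LOCK = new Object();
    private static long counter = 0;

    // 1. Subclass Thread and put the task in run().
    static final class Worker extends Thread {
        private final int increments;
        private final boolean synchronize;

        Worker(String name, int increments, boolean synchronize) {
            super(name);
            this.increments = increments;
            this.synchronize = synchronize;
        }

        @Override
        public void run() {
            for (int i = 0; i < increments; i++) {
                if (synchronize) {
                    synchronized (LOCK) { counter++; }   // atomic read-modify-write
                } else {
                    counter++;                            // data race: updates can be lost
                }
                if (i % 50_000 == 0) {
                    try {
                        Thread.sleep(1);                  // 3. pause this thread for 1 ms
                    } catch (InterruptedException e) {
                        Thread.currentThread().interrupt();
                        return;                           // leaving run() ends the thread
                    }
                }
            }
        }
    }

    // Runs `threads` workers in parallel and returns the final counter value.
    static long runWorkers(int threads, int increments, boolean synchronize)
            throws InterruptedException {
        counter = 0;
        Worker[] workers = new Worker[threads];
        for (int t = 0; t < threads; t++) {
            workers[t] = new Worker("worker-" + t, increments, synchronize);
            workers[t].start();   // 2. start() schedules run() on a new thread
        }
        for (Worker w : workers) {
            w.join();             // wait until each run() has returned
        }
        return counter;           // safe to read: join() orders the writes before this
    }

    public static void main(String[] args) throws InterruptedException {
        int threads = 4, increments = 200_000;
        long expected = (long) threads * increments;
        long safe = runWorkers(threads, increments, true);
        long racy = runWorkers(threads, increments, false);
        System.out.println("expected        " + expected);
        System.out.println("synchronized    " + safe);
        System.out.println("unsynchronized  " + racy
            + (racy < expected ? " (lost updates)" : " (no loss observed this run)"));
    }
}
```

The synchronized run always ends with exactly threads × increments; the unsynchronized run usually ends lower, because two threads can read the same old value of counter and both write value + 1. A race like this on a security-relevant counter (failed logins, rate limits, balances) is exactly the kind of bug thread-based multitasking introduces when shared state is not guarded.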

Friday, January 9, 2015

Make OO Design Patterns Simple

I am a person who wants to make the complex simple. There are tons of thick books about OO design patterns, but I prefer starting with the most commonly used ones.

First of all, why do we need design patterns? Generally, understanding OO design patterns helps you plan the design stage before rushing into coding. Let's look at the following common patterns.

1. Facade

When you have a complex subsystem, you'd better provide one simple interface to it by hiding the subsystem's internal classes behind one black-box class.
For example, the QR code scanner subsystem of a smartphone may include many classes, but a developer who wants to use the scanner may only need a simple facade class that returns the result (e.g. the decoded content).

2. Strategy

If an object may carry out a task in different ways, we give it a slot for a pluggable strategy object.
For example, suppose we need to develop a robot that recommends recipes according to age, weather, planned activities in the next 6 hours and other conditions. The first step is to define an interface, Strategy, and implement it in different strategy classes.
We then pass a Strategy object to the Robot's constructor and provide a method (setStrategy) in Robot that swaps the strategy at run time. setStrategy can be called from main or another higher-level class.
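The Robot described above, as an added example that is not part of the original post. The Context fields, the three concrete strategies and the recipe names are assumptions chosen for this example; the Strategy interface, the Robot constructor and setStrategy follow the post's description.

```java
import java.util.List;

// Added example of the Strategy pattern described above. Context, the
// concrete strategies and the recipe names are illustrative.
public class RecipeRobot {

    // What the robot knows when it has to make a recommendation.
    static final class Context {
        final int age;
        final boolean cold;          // cold weather
        final boolean activeSoon;    // sport planned in the next 6 hours
        Context(int age, boolean cold, boolean activeSoon) {
            this.age = age; this.cold = cold; this.activeSoon = activeSoon;
        }
    }

    // The slot: every strategy answers the same question in its own way.
    interface Strategy {
        List<String> recommend(Context c);
    }

    static final class ComfortFoodStrategy implements Strategy {
        public List<String> recommend(Context c) {
            return c.cold ? List.of("hot soup", "stew") : List.of("pasta", "salad");
        }
    }

    static final class AthleteStrategy implements Strategy {
        public List<String> recommend(Context c) {
            return c.activeSoon ? List.of("oatmeal", "banana")
                                : List.of("grilled chicken", "rice");
        }
    }

    static final class KidsMenuStrategy implements Strategy {
        public List<String> recommend(Context c) {
            return List.of("mac and cheese", "fruit cup");
        }
    }

    static final class Robot {
        private Strategy strategy;

        Robot(Strategy initial) { setStrategy(initial); }

        // Swaps behaviour at run time without touching Robot's own code.
        void setStrategy(Strategy s) {
            if (s == null) throw new IllegalArgumentException("strategy required");
            this.strategy = s;
        }

        List<String> recommend(Context c) { return strategy.recommend(c); }
    }

    // A higher-level caller decides which strategy to plug in; the Robot
    // itself never branches on age or weather.
    static Strategy pick(Context c) {
        if (c.age < 12) return new KidsMenuStrategy();
        if (c.activeSoon) return new AthleteStrategy();
        return new ComfortFoodStrategy();
    }

    public static void main(String[] args) {
        Robot robot = new Robot(new ComfortFoodStrategy());
        Context[] samples = {                 // constructed sample inputs
            new Context(35, true, false),
            new Context(28, false, true),
            new Context(8, true, false),
        };
        for (Context c : samples) {
            robot.setStrategy(pick(c));
            System.out.printf("age=%d cold=%b activeSoon=%b -> %s%n",
                c.age, c.cold, c.activeSoon, robot.recommend(c));
        }
    }
}
```

Adding a new rule (say, a diet for a given medical condition) means adding one more Strategy class and one line in pick; Robot stays unchanged, which is the point of the pattern.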

3. Singleton

Suppose we create a CoinMaker object mycoin in a game. How can we give other classes access to mycoin while making sure that only one CoinMaker instance ever exists? Wrap it in a handle class with a private static field and a static accessor:
  public class MyCoinHandle
  {
      private static CoinMaker myCoinStat;   // the single shared instance
      protected MyCoinHandle() {}            // no public constructor
      // Lazily creates the instance on first use; synchronized so that two
      // threads calling it at the same time cannot create two CoinMakers.
      // myName is only used the first time, when the instance is created.
      public static synchronized CoinMaker getMyCoin(String myName)
      {
          if (myCoinStat == null)
              myCoinStat = new CoinMaker(myName);
          return myCoinStat;
      }
  }
Now other methods can use all of CoinMaker's methods through the single shared instance. For example:
  CoinMaker tom = MyCoinHandle.getMyCoin("Thomas Obama");

Thursday, December 18, 2014

Web Access Safety

Is Secure Web Access Safe Enough?

When we access a web site via https://, we usually believe the connection is safe. Generally speaking it is, because the web site is authenticated by a certificate from a trusted CA, and the traffic, including the user's credentials, is encrypted in transit.

However, we still need to understand some potential security issues with https:// connections.

I present an essay on the BEAST attack against SSL/TLS.

Thursday, October 30, 2014

Understanding the Online Bookstore System

1. The online bookstore web application was implemented in the MVC architecture with JSP.

2. For simplicity's sake, the database tentatively uses Access in the testing environment.

3. Install the bookstore suite on Tomcat 5.08 and configure an ODBC data source.

4. Plan the testing after understanding the functionality and the user's requirements.

5. Use MS-Project to schedule and follow up the testing tasks.