I was just showing a youngster some MS-SQL stuff on a remote Internet-enabled
shared server. He logged in with my user name and password. I
was busy for a minute. Then he said, "This (stored procedure) doesn't
seem to have anything to do with the db we talked about." I looked at it
and said, "What the hell is that?"
It seems he had clicked on the wrong DB. And it was entirely open to
him, including data edit. We checked the other DBs ... all the same. I
e-mailed tech support and of course they are right on it! Sure ....
So I thought about all the MS-SQL servers I had "experienced" over the
past five years. And it occurred to me that none of them was secure.
Maybe I laughed about these problems when they occurred (such as the time the
db administrator told me I couldn't add an employee record and I
duplicated Stella Woo to append her twin sister and roommate, Deja. We
terminated Deja before payroll time. I also moved my nephew from Grade
12 to kindergarten; he was upset when the bus started to come for him
only every other day.)
Reads of rogue VTI files on my Interland Web site used to turn up DB
names, USER IDs and Passwords (not mine; I think mine were reserved for
other sites), cleverly d i s g u i s e d, or u n i c o d e d. I could
never decide which. When "decoded" they worked. When I contacted
Interland about this they said, "No problem, Just delete those files!"
UH HUH! That's about the time I left Interland, also P___ED because of
the difficulty in getting a backup (Whose data is this anyway?).
The db for a rather large US professional organization was another
example of being completely open. I had a job to do for them but
couldn't get the required db clearance (bureaucracy). So I logged in
with "Admin" and "Password" and everything was right there. Also there
were hidden (to the extent they appeared in no sprocs, views,
applications) columns of sexual comments about many of the females at
the head office. YUK ... bad enough to be an asshole but why make it so
obvious?
The system admin for an organization I used to work with consistently
used his last name and "Password" for everything. But the organization
couldn't keep him; he went to IBM for big bucks.
In my latest project I showed up at my prototype user's office the other
day because she had lost her connection. So we used the Access ADP
connection dialog to reconnect. Wham ... 25 Servers available (what kind
of an organization needs 25 servers anyway?). Could we connect to them
all? Yeppers? Could we connect to all the databases on each? Well, we
could to those few we tried. And how many databases does she work with?
Hint ... more than one and less than three.
So, back to my question. Have you ever worked with a secure MS-SQL
server/database? How do you know for sure?
Did you ever think that MS-SQL is really a terrorist plant designed to
bring western civilization to a halt? No, REALLY! Did MS ever create
ANYTHING significant of its own? So how do you know for sure where
MS-SQL came from ...? huh?
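One concrete way to answer the "How do you know for sure?" question for a single server, as an added example that is not part of the original post: the T-SQL audit below measures exactly the things the stories above complain about. It lists which databases the login you are connected as can actually open, whether that login (or anyone else) is sysadmin, whether any SQL login's password is literally "Password" or skips the Windows password policy, and, per user database, whether the guest user can connect and who sits in db_owner. It assumes SQL Server 2005 or later; sections 3 to 5 assume you hold CONTROL SERVER or sysadmin on the server you are checking, since PWDCOMPARE and the cross-database loop are restricted. Database and login names in the output are whatever your own server holds; nothing here is taken from the post.

```sql
-- Added audit script, not from the original post. Assumes SQL Server 2005+.
-- Run it as the login whose reach you want to measure; sections 3-5 need
-- CONTROL SERVER / sysadmin. Output names are whatever your server holds.

-- 1. Which databases can the login I am connected as actually open?
SELECT d.name                AS database_name,
       HAS_DBACCESS(d.name)  AS can_connect   -- 1 = yes, 0 = no, NULL = bad name
FROM sys.databases AS d
WHERE d.database_id > 4                       -- skip master, tempdb, model, msdb
ORDER BY d.name;

-- 2. Am I a sysadmin? If so, every database on the box is open to me anyway.
SELECT SUSER_SNAME()                AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 3. Who else holds sysadmin on this server?
SELECT r.name AS server_role, m.name AS member_login, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 4. SQL logins whose password is literally 'Password', or that bypass the
--    Windows password policy / expiration. PWDCOMPARE needs CONTROL SERVER.
SELECT l.name,
       PWDCOMPARE(N'Password', l.password_hash) AS password_is_Password,
       l.is_policy_checked,
       l.is_expiration_checked
FROM sys.sql_logins AS l
WHERE l.is_disabled = 0;

-- 5. Per user database: can guest connect (then every login on the server
--    gets in), and who is in db_owner (full edit rights on everything)?
DECLARE @db  sysname,
        @sql nvarchar(max);

DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE database_id > 4
      AND state_desc = N'ONLINE'
      AND HAS_DBACCESS(name) = 1;             -- we can only inspect what we can open

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- Build one batch per database; QUOTENAME keeps odd database names safe.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
SELECT DB_NAME() AS database_name,
       CASE WHEN EXISTS (
            SELECT 1
            FROM sys.database_permissions AS p
            JOIN sys.database_principals  AS g ON g.principal_id = p.grantee_principal_id
            WHERE g.name = N''guest''
              AND p.permission_name = N''CONNECT''
              AND p.state = N''G'')           -- G = granted
            THEN 1 ELSE 0 END AS guest_can_connect,
       m.name AS db_owner_member
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N''db_owner'';';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM db_cursor INTO @db;
END

CLOSE db_cursor;
DEALLOCATE db_cursor;
```

Section 1 is the one to run first as an ordinary login: on the shared server in the opening story it would have listed every customer's database with can_connect = 1. A result set for section 5 in which guest_can_connect is 1, or in which db_owner contains anything beyond dbo and the application's service account, is the same "entirely open, including data edit" condition described above, just made visible before a youngster clicks on the wrong DB.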