Which database is more secure?
Oracle vs. Microsoft
David Litchfield [davidl@ngssoftware.com]
Summary:
The paper examined the differences between the security postures of Microsoft’s SQL Server and Oracle’s RDBMS based upon flaws reported by external security researchers. Only flaws affecting the database server software itself have been considered in compiling this data. A general comparison is made covering Oracle 8, 9 and 10 against SQL Server 7, 2000 and 2005.
It counts the security flaws in the Oracle and Microsoft database servers that were discovered and fixed from December 2000 until November 2006. Graphs indicate flaws that have been discovered by external security researchers in both vendors’ flagship database products – namely Oracle 10g Release 2 and SQL Server 2005. No security flaws have been announced for SQL Server 2005. It is immediately apparent from the result graphs that Microsoft SQL Server has a stronger security posture than the Oracle RDBMS. The conclusion is clear: if security robustness and a high degree of assurance are concerns when looking to purchase database server software, then given the results one should not be looking at Oracle as a serious contender.
Evaluation:
From my standpoint, I believe that having conducted such research is of assistance to database users in deciding which database is more functional in terms of security. A comparison of two particular databases’ security stances could provide acquaintance and information about how these databases perform security. Assessing the paper’s format and flow of study, I could say that it was more of a statistical study. I am not certain about how the results and data were acquired. The fact is, the paper did not provide a proper definition of its methodology, nor an abstract. However, regardless of that issue, the study is a competent piece of research. The study is definitely of great significance and contribution to the concerned database users, but I would like to suggest that further enhancement of the construction of the paper should be practiced.
Analysis of an Electronic Voting System
Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin, Dan S. Wallach
February 2004
Summary:
The study is concerned with U.S. federal adoption of paperless electronic voting systems. Analysis showed that this voting system is far below even the most minimal security standards applicable in other contexts. The researchers identified several problems, including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes. The most fundamental problem with such a voting system is that the entire election hinges on the correctness, robustness, and security of the software within the voting terminal. They concluded that the voting system is unsuitable for use in a general election. Any paperless electronic voting system might suffer similar flaws, despite any “certification” it could have otherwise received.
Using publicly available source code, an analysis was performed of the April 2002 snapshot of Diebold’s AccuVote-TS 4.3.1 electronic voting system. Significant security flaws were found. Based on analysis of the development environment, including change logs and comments, an appropriate level of programming discipline for such a project was not maintained. There appears to have been little quality control in the process. The model where individual vendors write proprietary code to run elections appears to be unreliable, and if the process of designing voting systems is not changed, there will be no confidence that the election results reflect the will of the electorate.
On the other hand, an open process would result in more careful development, as more scientists, software engineers, political activists, and others who value their democracy would be paying attention to the quality of the software that is used for their elections. Alternatively, security models such as the voter-verified audit trail allow for electronic voting systems that produce a paper trail that can be seen and verified by a voter. In such a system, the correctness burden on the voting terminal’s code is significantly less as voters can see and verify a physical object that describes their vote. They suggested that the best solutions are voting systems having a “voter-verifiable audit trail,” where a computerized voting system might print a paper ballot that can be read and verified by the voter.
Evaluation:
To carry out a steadfast election, concerns about what voting system is implemented and how are always considered. With regard to the study, I deem that conducting this kind of research is significant to the public and to the assurance of the trustworthiness of an election. In conformity with evolving technology, an electronic voting system is being manipulated to try out the reliability of the security of adopting a paperless electronic voting system. Testing and simulation of the said system are done to be able to examine its security assurance. I actually find this research complicated to perform. Findings showed that such a system may be unreliable, and recommendations to exploit an open process and other particular systems are advised. The study is commendable, and I would like to propose that, to further elaborate the function of the study, a number of systems should be taken into consideration to become subjects of the study.
Open Standards, Open Formats, and Open Source
Davide Cerri and Alfonso Fuggetta
CEFRIEL - Politecnico di Milano
January 2007
Summary:
The paper proposed some comments and reflections on the notion of “openness” and on how it relates to three important topics: open standards, open formats, and open source. Often, these terms are considered equivalent and/or mutually implicated: “open source is the only way to enforce and exploit open standards”. This position is misleading, as it increases the confusion about this complex and extremely critical topic. The paper clarified the basic terms and concepts. This is instrumental in suggesting a number of actions and practices aimed at promoting and defending openness in modern ICT products and services.
This paper concentrated on some of the issues and claims associated with open source. In particular, it discussed the relationship among open source, open standards, open formats, and, in general, the protection of customers’ rights. Indeed, many consider open source to be the most appropriate way to define and enforce open standards and open formats. In particular, the promotion of open standards and open formats is confused with the open source movement. Certainly, these issues are interrelated, but it is wrong to conflate them. For these reasons, the ultimate goal of the paper is to provide a coherent, even if preliminary, framework of concepts and proposals to promote the development of the market and to address customers’ needs and requests.
Evaluation:
Openness, open source and their related concerns have always been arguable issues. We too have discussed and tackled these issues. I believe the impact of this kind of study is favorable. It has identified a number of definitions for the term “open standard”, based on the different practices in the market. Moreover, the paper contains some proposals to deal with the different issues and challenges related to the notions of openness, customers’ rights, and market development. The study used some historical data in compiling various definitions of open standard. It is an evaluation or overview of subjects related to open standards. This study is, to some extent, descriptive research.
Saturday, July 25, 2009
Sample Scientific Researches
Posted by r o s s i n i at 6:27 AM 1 comments
COMDDAP Annual IT Event 09
COMDDAP (Computer Manufacturer Distributors and Dealers Association of the Philippines) has just presented an IT event, the COMDDAP Davao Expo 2009, scheduled from the 2nd to the 4th of July this year and held at the Grand Ballroom Hall of the Apo View Hotel. The said affair exhibited various new-fangled innovations and technology. They also held seminars, workshops, and presentations sampling some software and systems. The event was filled with different participants and spectators: students, teachers, critics, businessmen, media or journalists, people whose fields are IT-related, and even non-IT people who just took an interest in the said event.
On July 2, the first day of the event, we went to attend the seminars that we had signed up for online. Since the slots that were offered and available were limited, a first-come, first-served basis of registration online was imposed. Luckily, a lot of IC (Institute of Computing) students from USEP (University of Southeastern Philippines) made reservations for the seminars held on the 1st day. In fact, we were dominant in number among the participants who took part in the event. I was really amazed because many up-to-date and latest versions of well-liked and trendy software and hardware were showcased in the affair. There was also open source software displayed there. And what I was most fond of was that there were even some models and endorsers present, and ooh, believe me, they were very eye-catching.
The main event and the purpose of our participation and involvement was our attendance at the seminars. I believe our foremost intention in being there was to participate in the seminars. The seminars were handled and sponsored by The Nexus Group (TNG). The seminars comprised presentations on different topics.
During the session, the first presentation, presented by Mr. Celmer L. Santos, was about ERIC DMS (Dealer Management System). JSI (Jupiter System, Inc.) is an expert in software development, business consulting and e-business enablement, specializing in ERP for manufacturing, automotive dealership and distribution companies. JSI’s world-class creation is the Enterprise Resource Information and Control System (ERIC). It is an integrated financial, distribution, manufacturing and personnel software application. ERIC DMS is an end-to-end software solution for automotive sales, parts and service businesses. It covers the full range of dealer activities, from customer prospecting to vehicle services. It supports full functionality for the vehicle dealership business, from Pre-Sales, Vehicle Sales and Administration and Service Management to Post Sales.
Well, basically, it is more beneficial for car businesses. At first, I was misled about what the presentation was all about. I know there is a variety of systems specialized for this kind of IT field, but I did not think that it would be one of the topics that would be presented. Anyway, I was not really paying attention from the moment I was not able to catch up with the car stuff he was discussing (rude much). In general, from what I have perceived, the system entails an overall package of the operations.
The second presentation, presented by Mr. Leonardo Zapa, was about HP’s new product: the Thin Client. It is a petite or thin-sized system unit that is quite portable. Unlike any other typical system unit, it has no hard drive. It uses flash storage, IDE flash specifically. This new innovation supports data security, reliability, easier management and virtualization. Throughout the discussion, we came up with the idea that thin clients are best suited to be utilized in a network because of their client virtualization and remote client solution specializing in connection over networks. Aside from that, there are numerous advantages, like having a hardened embedded operating system and free management tools, with a ¼ failure rate, 10x higher MTBF and, being solid state, a longer life span. It also uses up to 80% lower power, or 11 to 20 watts; it has a space-saving feature that takes less than 1/15 of the volume, reduces foam by up to 75% and board packaging by up to 40%, and it is a minimal heat-generating device. What I have mentioned are just a few characteristics of a thin client. With the idea of promoting green computing, I guess that this product would be helpful in environmental conservation.
To end this, I consider that credits should be conferred to the individuals who made the event possible. It has been an informative affair. I look forward to any other events relating to IT that would feed us students with supplementary knowledge about the hip and newest technology.
Posted by r o s s i n i at 6:25 AM 0 comments
University New Enrollment System Assessment
Almost every semester, as we have observed, the University’s enrollment system is always changing. Yeah, we could say that every revision made is for the better. Of course it is; it SHOULD be. But we always come to notice it (how can we not? hehe), thanks to our instructor (Sir Gamboa), who persistently aids us in giving attention to every detail of the ever-changing (that’s right, isn’t it? hehe) USEP (University of the Southeastern Philippines) enrollment system, due to the involvement and contributions of some of our very own faculty.
To assist students in easing up and being able to keep on the right track in the process of enrollment, the university posted tarpaulins in various particular locations, laying out the step-by-step processes of enrollment for the different types of students (new, old, transferees and shifters). Frankly, I was a bit amazed by the university’s act of contributing assistance to the students/enrollees. The university really put up efforts in initiating that operation. With the size (they were huge hehe) and number of the tarps situated at almost every corner of the school, they actually reserved a budget for the implementation of the action. Though we (higher year/old students) may have overlooked their use during the enrollment, since we are already familiar with the process of enrollment, I think they were very handy for the freshmen students and transferees. But if you really give attention to every factor of the diagrams presented, you could somehow assess that there are some inaccuracies and errors. Yes, surely a difference was made by having those tarpaulins as a guide. Other than that, having examined them, we have all agreed that there are possibilities that misconceptions and confusion were shaped by the diagrams presented.
Given what I have gone through all these years in IC (Institute of Computing) as an IT student, constructing diagrams and charts is no longer a new-fangled thing related to my field. With regard to evaluating the university’s enrollment system, any individual, whether possessing knowledge in this aspect or not, could perceive erroneous or flawed illustrations and figures in the diagram. There were arrows that were not consistent in size. Consistency and uniformity should be observed. Some are pointing in directions that make no sense; well, some are pointing in no direction at all. There are also numbers that show inexplicable indications (2/2, 1/1, etc.). When this is thoroughly evaluated, I assume there will still be some flaws to be spotted. This subject should be methodically constructed to avoid misinterpretation. I know this could still be improved.
In what I have experienced in this semester’s enrollment, it was sort of the same as the previous enrollment system. The first step is the payment of miscellaneous and local fees. In the case of scholar students, they still need to validate their scholarship card at the OSS (Office of Student Services). Then, the submission of requirements for evaluation by the adviser is made. A PRF (Pre-Registration Form) is given to be able to proceed to the encoding of subjects. Next, you get your COR (Certificate of Registration) and validate your account at the cashier by paying the tuition fee. It is despair. The cashier line-up is lengthy and unbelievable. Whew! There were just some irritating and disturbing changes made anyway. Did you know that you actually have to go upstairs to the 2nd floor of the CAS building just to line up at either the registrar or the cashier? Honestly, it was very and so totally troublesome (Geez! That ruined my day). Couldn’t they think of another option? There was actually an extra alley; why didn’t they utilize it? Enough about that. The other thing was that all the students from all the different colleges were merged, turning into a helpless, almost never-ending (just exaggerating) line-up at the registrar. The previous system was way better than the new one if the transactions at the registrar were the basis. It is where all the requirements for enrollment are submitted (lots of paper. receipts. tsk). When you get through the registrar, you are now officially enrolled. And an added step is the validation of the library card (for old students) or applying for a library card (freshmen and shifters). The processes that new students go through are just more complex and take longer than those for old students. Loads of requirements are being dealt with by the freshmen as well as the transferees, compared to old students. And considering that they are new to the university, having a guide would be very useful, a well-defined guide. That is why it is important to somehow pay notice to the diagrams made.
In the matter of the enrollment system, the software itself, as we are all aware, has some errors and still needs to be run through testing and debugging. I am not questioning the expertise and proficiency of the developers, who are also IC faculty. The fact that the time frame given to them, allotted for the development of the system, was insufficient is valid and suitable grounds for why the system has some errors and requires adjustments and improvements. But I must admit that with these flaws in the system, we have encountered many problems. There was some information in our CORs that was not right, and it caused hassle and was time-consuming since it had to be redone, which caused delay. It is also agreeable that the university hired its very own in-house resources to take over the management of the university’s enrollment system rather than outsourcing. Though there may be negative views on the said act, like IC students losing efficient instructors, I guess it is still beneficial for the university, having diminished the cost of handing the enrollment system project to an outsourcer.
To top it all, the new enrollment system provided betterment and enhanced the operation. It aimed to maximize operational efficiency, and at the least, yes, it did. It is just inevitable that there are possibilities of problems and errors. But with improvements and modifications, the system will surely progress and develop into an even better one.
Posted by r o s s i n i at 6:14 AM 0 comments
Wednesday, July 1, 2009
USEP's Decision about Utilizing In-house Resources - Was it a good decision?
Many aspects are considered and thought out in deciding whether to outsource or to utilize in-housing. These considerations mainly involve the expertise and proficiency of the workforce, monetary funding, time exploitation and observance of the confidential information of the organization. Certainly, any organization desires to be able to come up with a sensible and money-wise decision. Effective and efficient output is expected at the right, comparable price. Many are anxious about keeping the privacy of their organization’s data. Of course, the company’s information is one of its valuable possessions.
Well, I think the university decided to make the most of in-housing mainly to be able to diminish the expenses and costs of the project. Since the university’s personnel are being employed, I guess the rate of charge, or simply the compensation of the employees, would be less costly than hiring an outsourced workforce. Next would be for the cause of concealing the classified records and information of the university. In the case of opting for in-housing, the university’s private data would be more secure and protected when the university’s own employees take over the making of the project.
Was it a good decision? I have heard many opinions regarding the issue. Some say that it was not a very good decision, for the reasons that various practiced and proficient IC (Institute of Computing) faculty are being put up to do the task, leaving a number of major subjects with no instructors to take over; that the time frame given to the in-housed resources was not sufficient, so that the output of the system project is not yet that stable and has some flaws; and that for this cause, the IC faculty members would be occupied again with the system project, thus not being able to attend to a number of subjects, and since part of developing a system is its maintenance, we should expect that those faculty members who were assigned to the task would be imprecisely and wholly unavailable to teach again and to do their responsibilities as instructors.
Some would say that the university made the right choice since the cost of developing the project is less pricey than outsourcing. I guess that would be true somehow. I suppose that the university would not take such a crucial step in making this decision if it would not do any good to the university itself. But we have to keep in mind as well that the possibility of missing some important points in making a decision about the said issue is inevitable. I, for myself, think that from certain angles of view, the university did make a commendable decision in utilizing the in-house resources, and at some point, the university one way or another missed some significant details and considerations in making the decision.
I greatly believe that the developers of the system project, or the IC faculty members who were tasked to develop the project, are the ones who are the great beneficiaries of the said action of the university. They still get loads of subjects to handle, and they are being paid by the university for the development of the project.
So I guess if I have to assess and take into consideration these benefits made, I would say that it was in some way a good decision. But I also believe that it could be improved more with appropriate and accurate balance and deliberation of the issue.
The possible reasons I have stated are simply assumptions of mine. There is neither compelling nor verified backup or support for the enumerated reasons and basis. I suppose the way to validate or to clarify the valid reasons behind the in-housing decision made by the decision-makers of the university is to address these questions directly to the board of the university.
Posted by r o s s i n i at 6:11 AM 0 comments