Dtrace on OEL6.6 is working!

I was close to giving up, because of the following things:

  • I could not find much on the Dtrace error I got.
  • I tried the commands I used last time on my VirtualBox with OEL6.6 and Oracle 12c and got a different error (could not even run dtrace -l).
  • The documentation sent me the wrong way. (Spoke too soon. Missed it in the documentation. It’s in there after all, all the way down.)
  • I get Linux anxiety when things don’t work as they should.

Anyway. So previously I had Dtrace installed and I had an executable I could work with and the result of almost any run was: entry does not match any probes.

Posted in Linux

Installing dtrace on Oracle Enterprise Linux 6.6

Long ago I heard about dtrace. I’ve read some stuff about it here and there but I didn’t get it that much and my attention span is a bit short. But apparently it is a magical performance tool that was available on Solaris, but now on Linux too. Hurray!

Then I was at the UKOUG Tech 2014 conference at Phil Harman’s session and I finally got to see what dtrace was and what you can do with it. Phil showed some interesting uses of dtrace. And I definitely wanted to play with it. But first I needed a setup.

I’ve been meaning to install it on a VirtualBox with Oracle Enterprise Linux with an Oracle 12c database to play with it. In my first attempt (with OEL7) I couldn’t get the Oracle 12c install running. So then I tried an OEL6.6 setup and Oracle 12c, but … I don’t know what I did wrong exactly, but I never found the dtrace executable. Then for a while I didn’t have time for dtrace (or I set my priorities differently).

Posted in Linux

How to change your organization for better security (Part 2)

This is a three-part blogpost about how to change your organization for better security, even when you are not in power. Last blogpost we saw how to get our rational, analytical mind in action. This time we look at how our unconscious mind can be set into motion.

Motivate the Elephant

So we are still following the analogy of the Elephant and the Rider from Dan and Chip Heath’s book Switch. This time we look at how we can motivate the Elephant. The Elephant is an analogy for the unconscious, emotional, automatic and irrational side of our mind.

The Elephant can often seem lazy and unwilling to take action. The Rider can tug at the reins all he wants, but the Elephant is much stronger. And the Rider will be left exhausted.

Posted in Change when you're not in power, Oracle security

My abstract for Harmony 2015 in Estonia

Talking about goals: this year I’ve set myself the goal of speaking at an Oracle conference. I’m trying to do this with a non-technical topic: how to sell security. It’s a bit of a gamble, but hearing that many DBAs have problems with this, I think there clearly is an audience for this.

So I found out there’s a call for papers for Harmony 2015 in Estonia. I’ve written the abstract. But why just write an abstract, when you can speak?

Posted in Conferences

How to change your organization for better security (Part 1)

So at your organization security has a low priority. It basically gets done after all the other stuff is done, and then some. Management says security is important, but they don’t walk the walk. Are they doing this on purpose? Is management lying when they say security is important? Or is there something else going on?

I’m inclined to believe managers who say that they think that security is important. They are just like people who want to lose weight and exercise more: they say they really want to, but many times don’t achieve much in that field.

Enter “Switch” by Dan and Chip Heath, a book about change. Not just change in other people. It’s equally applicable to yourself. If you think you and other people very rationally choose not to do security, this book might be an interesting one for you. The authors basically say that our hearts and minds often don’t agree about change. We want one thing, but do the other.

Posted in Change when you're not in power, Oracle security

No. If I can’t hack you, you are not secure.

Ever come up against this issue? You see that something in the IT infrastructure is set up in a less than sanitary way: for example the application has dynamic SQL, or the security of the database relies on the application. One link in the chain seems incredibly weak, but an actual vulnerability has yet to be proven.

So you want to report this issue, because you suspect there might be security vulnerabilities, only to get the response that it sounds very theoretical. Which makes you wonder whether they said the same at all those companies that got hacked recently. You know: Target, Home Depot and Sony.

Posted in Oracle security

Selling security by hacking influence (Part 3)

I’m still not quite done with the topic of how to convince organizations to work on improving security, a topic that I started after visiting the Security Roundtable at the UKOUG Tech 2014. This is part 3 of the blogpost series of selling security by hacking influence (or part 5 of the “How can we sell security?” series) and I’ve gone rather deep down the rabbit hole for this one.

Authority

Ah yes, authority. It’s the one thing we don’t have, do we? If we had that, we’d require security improvements to start immediately wherever necessary.

But what do we actually mean by authority? Authority can be the person in power, or a very respected person, or an expert. Right off the bat, I’m going to say that if you are warning about security issues within your organization, you are the expert. But what if they don’t listen to you regardless of that? What if they don’t feel that you are the authority?

Posted in Getting a life, Oracle security

Can we do without encryption?

Of course not. Don’t be ridiculous.

Posted in Oracle security

Selling security by hacking influence (Part 2)

I’m still not quite done with the topic of how to convince organizations to work on improving security, a topic that I started after visiting the Security Roundtable at the UKOUG Tech 2014. This is part 2 of the blogpost series of selling security by hacking influence (or part 4 of the “How can we sell security?” series).

Social proof

In the early nineties I used to read a magazine called PC Format. PC Format covered a lot of topics I was interested in at that time: PC hardware, games, other interesting stuff you could do with a computer and British humor. (Actually I’m still interested in most of that, but I don’t read PC Format anymore.) On the cover PC Format boasted “450.000 readers can’t be wrong”. See here the thought process of social proof: if so many others do X, I don’t really have to think about this.

Posted in Oracle security

Selling security by hacking influence (Part 1)

At the Security Roundtable at the UKOUG Tech 2014, an important topic was how we can convince organizations to work on improving security. This is a continuation of the blogpost series “How can we sell security”. Only this third part grew so long, I had to break it up into parts.

In the last blogpost I discussed how presentation techniques can help you to bring security into the spotlight. And if you followed all my advice in that blogpost, it was a lot of work, wasn’t it? How about we use psychology to our advantage this time? Hackers do it. They use social engineering to gain access to computers. Can we hack influence to improve security?

Well, maybe we can. Robert Cialdini, professor at Arizona State University, did research on persuasion and marketing and found that people sometimes blindly follow certain patterns when “triggered” in a certain way. He wrote about it, already in 1984, in a book called Influence, and this book is already in its 5th edition. Cialdini not only tells how you can influence people, but also tells how you get influenced. For that reason alone it’s a worthwhile read.

Posted in Oracle security