Aug 4, 2009

Love One Another While You Are Alive

This is the most wonderful poem I've ever heard, "Love each other while alive, PEOPLE !!!" by Dashbalbar. Every word, every idiom, and every idea rings true, so I am sharing it with you.

Love one another while you are alive, people
Do not begrudge others anything good you have
Do not wound my heart with the arrowhead of needless words
Do not push anyone into a dark pit
Do not mock and laugh at one who has fallen into drink
Ah, he might even be your own father
If you yourself have managed to reach fame
Open the door of happiness for others
And may they not forget your kindness either
To someone who goes lacking a single kind word
Be sure to find that word and say it
Days that are sunny outside but cold at home
Happen on this earth more than once
The fine young man who has fallen in love with you
Do not hurt him with harsh, stern words, my girl
Love him in return for his loving you
He could, after all, fall in love with a woman lovelier than you
Our lives are all alike
Even the words catch in our throats the same way
Even the tears roll down our cheeks the same way
On our paths the very same encounters occur
Wipe away a woman's tears without asking why
Lift up and comfort the one who has stumbled and fallen
Today you laugh and the other one cries
Another day you will die and the other will sing
Since everyone passes through both cradle and coffin
Nothing else is needed, just love one another
In this wide world no human being should go short of love
Because I imagine happiness as the fire of the human heart
Because the golden sun bestows its light on us all alike
I think being alive is another name for spreading your love to others
I understand happiness as another name for receiving love from others
Love one another while you are alive, people
Do not begrudge others anything good you have

Aug 1, 2009

Recently, I have become really interested in some poems.

Recently, I have really missed my Mongolia, because I came to the USA about 4 days ago and was very happy there. Although I hate this fucking American lifestyle, we should adjust here for our future. When I miss my country, I read some nice poems and listen to some nice songs. These can bring my happy memories to life. Here are two of them below.

Ts. Khulan: If Only I Could Just Live Simply
If only I could just live simply
With my ger pitched on the grass . . .
Threading a needle and sewing a deel for my son
Waiting for my beloved
My beloved coming home from the horse herd
If only I could just live simply . . .

Ts. Khulan: Pretending to Be Someone in Love
Pretending to be someone in love
Do not send your gaze my way
I would grow used to your warm eyes
And if I came to love you far too much
Then, fearful of my mistaken love
When my happiness flies away
Asking "My love, where are you?"
Where would I search for you ..

Jul 15, 2009

8 Dumbest iPhone Apps

The iPhone, now very widely used around the world, has become widely used in Mongolia as well. People are creating all kinds of games and programs for this product, which brought success to Apple. The Apple Store initially offered only a little over 500 programs, but now there are more than 55,000. Some are truly useful, while others are truly boring and dumb. Of these, the 8 games considered the dumbest have been named. To me, iNap@Work seemed the funniest and silliest.

1. iNap@Work

Developer: SilentLogic Studios
Price: $0.99

This app promises to generate random office sounds -- mouse clicks, keyboard taps, pencil sharpeners, coughs, and rustling paper -- to give power-nappers some cover. Little sliders are supposed to control your "productivity" level and the frequency of each sound. In our tests, however, the noises were a little too random to sound convincing. Besides, which is worse: to get caught napping, or to get caught using a lame iPhone app to pretend that you aren't?

2. Zips

Developer: Jake Landon
Price: $0.99

(Also available in a free version, Zips Lite)

"Zippers," reads the promotional copy. "Sexy, suggestive, and seductive." OK. But what's the point of a virtual zipper that you can drag up and down until the fun -- and the sexiness -- wears off?

To keep things lively the app comes with underwear you can change with a tap of the finger. The $0.99 version includes a camera icon that lets you add your own suggestive pictures.

3. Hold the Button

Developer: Me Mundo iPhone SL
Price: Free

Here's the deal: The image of a fingerprint appears on the screen, you put your finger on it and hold it there. Keep holding. And holding. Forever. Or until you remember that you have a life.

The game is supposed to be a test of patience or stamina or will power or something. When you finally give in, you can compare your score with slackers all over the world.

4. Sexy Girl Talk - Sexy Alphabet Deluxe

Developer: theM Dev
Price: $0.99

From the creators of such classic apps as Moronizer and Angry Kittens Attack comes the 26 letters of the alphabet spoken by a "professional voice model...in a sexual and sophisticated way." Sexual enough, apparently, for Apple to rate this application 12+ for "Infrequent/Mild Sexual Content or Nudity."

You could have fooled us. What's it good for? The developer -- for whom English is apparently a second language -- offers several suggestions: "Listen to some Sexy Alphabet. Listen to some nice pronunciation. Fun for all the guys."

5. Taxi Hold'em

Developer: iSignz
Price: Free

Designed for tourists who fear that big-city cabbies will ignore their waves and whistles and drive on by, this app does the whistling for you. And when you tilt your iPhone horizontally, it flashes the word "TAXI" colorfully and rapidly enough to require a disclaimer. (It can trigger seizures when used near epileptics.)

One reviewer suggested that if you are going to wave it around the streets of New York, it should really be flashing "STEAL ME."

6. FatBurner2k

Developer: Daily Burn
Price: $0.99

It's a good thing Apple put this app in the "Entertainment" category. Otherwise one might be tempted to take seriously the claim that it can "help your body consume fat molecules using disharmonic, molecule to molecule, physical oscillations."

Translation: It vibrates on your tummy. It will not, however, have the same effect -- as the developer implies -- as "moving and shaking...at some expensive members-only gym where people just stand around drinking coffee trying to look hot all day."

7. Hair Clinic: For Man and Woman

Developer: Sociag Project
Price: $3.99

If you believe an iPhone can make your love handles disappear, you'll probably buy this, too: an app that promises to give you "healthy and abundant" hair by generating "various types of inaudible high and low frequencies to promote blood circulation around hair roots and under the head skin."

A helpful disclaimer adds that the Hair Clinic app is not a cure for alopecia and can, in fact, cause headaches if the iPhone's built-in speaker is held too close to the ears.

8. Cow Toss

Developer: Digital Thought Software
Price: $0.99

Another publication rated Cow Toss the 4th stupidest app ever written for the iPhone, but that doesn't do justice to all the other dumb apps.

The rules are simple: You flick the image of a cow with your finger to send it flying through space -- mooing and bouncing all the way -- and score points according to a system that is never fully explained. The developers say they hoped with the latest update to be rated "most stupid." They're not even close.

SOURCE (YAHOO FINANCE)

Jul 13, 2009

The Best Small Town in the USA to live

A list of the best small towns to live in in the USA has been compiled from a survey run on CNNMoney.com in which more than 43,000 people took part. The people who took part in this survey cast their votes mainly on the basis of job availability. The data on these towns was established by research from Onboard Statistic, and these are towns with 8,000 - 50,000 residents. In choosing these towns, the voters, besides job opportunities, paid close attention to low crime, housing conditions, the availability of schools, and also the state of health care.

1. Louisville, CO

Top 100 rank: 1
Population: 18,800
Typical single-family house: $325,000
Estimated property taxes: $1,590
Unemployment rate: 6.0% (county)
Fun fact: Rail service to Boulder and Denver is scheduled to begin in 2017.
Pluses: Hiking, biking, golfing, skiing…
Minuses: No major negatives (That’s why it’s No. 1!)


2. Chanhassen, MN

Top 100 rank: 2
Population: 23,700
Typical single-family house: $310,000
Estimated property taxes: $3,500
Unemployment rate: 6.1%
Fun fact: The musician Prince owns a recording studio in town.
Pluses: Low crime, fiscal strength, lots of green space
Minuses: Scant nightlife, brutal winters

3. Papillion, NE

Top 100 rank: 3
Population: 22,200
Typical single-family house: $200,000
Estimated property taxes: $4,000
Unemployment rate: 4.5% (county)
Fun fact: 30% of the town is green space.
Pluses: Strong economy, affordable homes
Minuses: Lackluster downtown, little diversity


4. Middleton, WI

Top 100 rank: 4
Population: 16,900
Typical single-family house: $350,000
Estimated property taxes: $6,000
Unemployment rate: 5.9% (county)
Fun fact: Mattel’s American Girl brand is based here.
Pluses: Small-town charm close to big-town amenities
Minuses: Brrr!


5. Milton, MA

Top 100 rank: 5
Population: 25,400
Typical single-family house: $460,000
Estimated property taxes: $5,400
Unemployment rate: 6.8%
Fun fact: All public elementary schools here offer French immersion starting in first grade.
Pluses: Good schools, short commutes, diversity
Minuses: Few restaurants or small businesses

6. Warren, NJ

Top 100 rank: 6
Population: 16,100
Typical single-family house: $500,000
Estimated property taxes: $7,500
Unemployment rate: 6.9%
Fun fact: A dozen Revolutionary War vets are buried here.
Pluses: Lots of open space, culture, and recreation nearby
Minuses: Pricey homes, no real downtown


7. Keller, TX

Top 100 rank: 7
Population: 38,100
Typical single-family house: $300,000
Estimated property taxes: $7,430
Unemployment rate: 5.8%
Pluses: Strong economy, affordable homes
Minuses: Rapid growth, strip malls


8. Peachtree City, GA

Top 100 rank: 8
Population: 34,500
Typical single-family house: $344,000
Estimated property taxes: $4,670
Unemployment rate: 7.4%
Pluses: Low crime, excellent schools, innovative layout
Minuses: Not-so-low unemployment


9. Lake St. Louis, MO

Top 100 rank: 9
Population: 13,900
Typical single-family house: $230,000
Estimated property taxes: $3,000
Unemployment rate: 7.6%
Pluses: Affordable homes, activities galore
Minuses: Significant jobless rate, little diversity


10. Mukilteo, WA

Top 100 rank: 10
Population: 20,500
Typical single-family house: $435,000
Estimated property taxes: $3,260
Unemployment rate: 7.1%
Pluses: Great natural beauty, good schools
Minuses: Rain, traffic


SOURCE (YAHOO NEWS)

Jul 7, 2009

Computer and Video Game 17 500$

Lately I have been feeling lazy and have not written anything for quite a while.
Today, though, while reading news from here and there, I found that a fellow named JJ Hendricks bought a game for the Nintendo, which you and I know well, for $17,500.

The 17,500$ Video Game

The game is just an ordinary game: golden in color, lasting 6 min 21 sec in total, and with 3 parts. Its main distinction is that it took first place at a competition of games made for the Nintendo.

As for me, the most expensive game I have bought was Fifa98 for $25, in 9th grade, from the Anun center that was near Gutliin 22, after scraping together all the money I had by telling truths and lies. What a waste of money. :)

Most recently, I bought the STEAM Counter-Strike 1.6 bundle for $10.

What must people be thinking to buy a single game for $17,500?

Apr 26, 2009

TOP 10 Vulnerability Checker Tools

Recently, interest in hacking has been growing quickly. There are many attack techniques, such as SQL injection, code injection, and so on. When a programmer writes code, he or she should think about all of these. I am going to write about the top 10 useful hacking tools and how they work, because we can check our own programs ourselves. That means we can find vulnerabilities and fix them.

1. Nmap
(http://nmap.org/download.html)

Nmap (Network Mapper) is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services those hosts are offering, and what operating systems they are running.


2. Nessus Remote Security Scanner
(http://www.nessus.org/)

Nessus is the world's most popular vulnerability scanner, used in over 75,000 organizations world-wide. Many of the world's largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications.

3. John the Ripper
(http://www.openwall.com/john/)

John the Ripper is a fast password cracker. Its primary purpose is to detect weak Unix passwords. Besides several crypt password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.

4. Nikto
(http://www.net-security.org/software.php?id=223)

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items. Scan items and plugins are frequently updated and can be automatically updated. Nikto is a good CGI scanner, and there are some other tools that go well with it.

5. SuperScan

Powerful TCP port scanner, pinger, resolver. If you need an alternative for nmap on Windows with a decent interface, I suggest you check this out; it’s pretty nice.

6. p0f

P0f can identify the operating system on:
- machines that connect to your box (SYN mode),
- machines you connect to (SYN+ACK mode),
- machines you cannot connect to (RST+ mode),
- machines whose communications you can observe.
Basically, it can fingerprint anything just by listening; it doesn’t make ANY active connections to the target machine.

7. Wireshark

Wireshark is a GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and to give Wireshark features that are missing from closed-source sniffers.

8. Yersinia

Yersinia is a network tool designed to take advantage of some weaknesses in different Layer 2 protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems.

9. Eraser

Eraser is an advanced security tool, which allows you to completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.

10. PuTTY

PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator. A must have for any h4x0r wanting to telnet or SSH from Windows without having to use the crappy default MS command line clients.

Before, I used Nmap, Nessus, John the Ripper and PuTTY. PuTTY is also useful for SSH and Telnet connections. I think the best program is Nessus because it can show what kinds of holes and bugs are in my program and what I should do. You guys should try using them yourselves. I mean, these programs are very useful.

Mar 24, 2009

Database security

Database security is one of the most effective and important areas of security. I am going to write about MySQL and how to secure it, because it is the most popular database in the world. It is often used with PHP, Java, and so on, on the Internet.

A default installation has some vulnerabilities. For example, the root user does not have a password, and it can fall victim to buffer overflow attacks, so a default MySQL database is easily accessible to attackers.

Security requirements:
In order to achieve the highest possible level of security, the installation and configuration of MySQL should be performed in accordance with the following security requirements:

* MySQL database must be executed in a chrooted environment;
* MySQL processes must run under a unique UID/GID that is not used by any other system process;
* Only local access to MySQL will be allowed;
* MySQL root's account must be protected by a hard to guess password;
* The administrator's account will be renamed;
* Anonymous access to the database (by using the nobody account) must be disabled;
* All sample databases and tables must be removed.
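
The account-level items in this list (local access, root password, renamed administrator, no anonymous access, no sample databases) can be checked and applied from the `mysql` client. The script below is an added example, not part of the original post; it assumes MySQL 5.7.8 or later syntax, and the `dbadmin` name and the password are placeholders.

```sql
-- Added example: account hardening on a fresh install (MySQL 5.7.8+/8.0 syntax).
-- 'dbadmin' and the password below are placeholders chosen for illustration.

-- 1. Audit first: anonymous accounts and accounts reachable from non-local hosts.
SELECT user, host
FROM mysql.user
WHERE user = ''
   OR host NOT IN ('localhost', '127.0.0.1', '::1');

-- Is the server listening on the network at all? (set in my.cnf, not from SQL)
SHOW VARIABLES LIKE 'skip_networking';  -- ON: no TCP listener, socket access only
SHOW VARIABLES LIKE 'bind_address';     -- 127.0.0.1: TCP restricted to loopback

-- 2. Protect the administrator account with a hard-to-guess password.
ALTER USER 'root'@'localhost' IDENTIFIED BY 'REPLACE-WITH-LONG-RANDOM-PASSWORD';

-- 3. Rename the administrator account. Views and stored programs whose
--    DEFINER is 'root'@'localhost' must be redefined after this step.
RENAME USER 'root'@'localhost' TO 'dbadmin'@'localhost';

-- 4. Disable anonymous access. Also drop any other ''@host row the audit
--    query in step 1 returned.
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS ''@'%';

-- 5. Remove the sample database and the privileges that referred to it.
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db LIKE 'test\\_%';
FLUSH PRIVILEGES;

-- 6. Re-run the audit: every remaining row should be a named, local account.
SELECT user, host FROM mysql.user ORDER BY user, host;
```

The chroot and dedicated UID/GID requirements are operating-system settings and are not covered by these statements.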

Network security:
As with securing a network, securing a database by looking at the various layers that are involved is an effective approach. Security of databases can be defined as preventing unauthorized or accidental disclosure, alteration, or destruction of data.

Network design incorporates the three layers of a Web application running on different servers, usually set apart by firewalls that have specific rules to only let traffic through to the specific port on a specific server at whichever layer that the user is trying to access:

Internet -> Firewall -> Web -> Firewall -> Application -> Firewall -> Database

Something else that it should demonstrate is that it is very costly to implement such a design because firewalls and servers are not cheap. Oftentimes, a sys admin will choose a compromise, combining the application and database servers. This isn’t ideal from a security perspective; nevertheless, it is a vast improvement over leaving a sensitive database facing the Internet directly.

Access Control:
Access to information contained in the tables must be properly regulated. This can be done with control over direct access to the tables, and also through views. Views and privileges assigned to the views can be created to limit users to only see specified portions of data contained within a table.

In order to fully implement a secure MySQL database, it is necessary to learn the MySQL access control system. There are four privilege levels that apply:

1. Global: these privileges apply to all databases on a server.
2. Database: these privileges apply to all tables in a database.
3. Table: these apply to all columns within a table.
4. Column: these apply to individual columns in a table.

These privileges are assigned with GRANT and removed with REVOKE. The syntax of the two commands is:

GRANT priv_type [(column_list)] [, priv_type [(column_list)] ...]
ON {tbl_name | * | *.* | db_name.*}
TO user_name [IDENTIFIED BY [PASSWORD] 'password']
[, user_name [IDENTIFIED BY 'password'] ...]
[REQUIRE
NONE |
[{SSL| X509}]
[CIPHER cipher [AND]]
[ISSUER issuer [AND]]
[SUBJECT subject]]
[WITH [GRANT OPTION | MAX_QUERIES_PER_HOUR # |
MAX_UPDATES_PER_HOUR # |
MAX_CONNECTIONS_PER_HOUR #]]

REVOKE priv_type [(column_list)] [, priv_type [(column_list)] ...]
ON {tbl_name | * | *.* | db_name.*}
FROM user_name [, user_name ...]


Role-based authentication should be considered when adding access to any database. Typical roles for access include administrator, user, programmer and operator.
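
The four privilege levels, a restricting view, a role and a REVOKE, put together as an added example that is not part of the original post. It assumes MySQL 8.0 syntax (roles need 8.0); the `shop` schema, the account names and the passwords are hypothetical.

```sql
-- Added example (MySQL 8.0). Schema, accounts and passwords are hypothetical.
CREATE DATABASE IF NOT EXISTS shop;
CREATE TABLE IF NOT EXISTS shop.customers (
  id         INT PRIMARY KEY AUTO_INCREMENT,
  name       VARCHAR(100) NOT NULL,
  email      VARCHAR(255) NOT NULL,
  card_last4 CHAR(4)
);
CREATE TABLE IF NOT EXISTS shop.orders (
  id          INT PRIMARY KEY AUTO_INCREMENT,
  customer_id INT NOT NULL,
  total       DECIMAL(10,2) NOT NULL
);

-- Local-only accounts, one per job.
CREATE USER 'monitor'@'localhost'   IDENTIFIED BY 'placeholder-1';
CREATE USER 'reporting'@'localhost' IDENTIFIED BY 'placeholder-2';
CREATE USER 'webapp'@'localhost'    IDENTIFIED BY 'placeholder-3';
CREATE USER 'support'@'localhost'   IDENTIFIED BY 'placeholder-4';
CREATE USER 'operator1'@'localhost' IDENTIFIED BY 'placeholder-5';

-- 1. Global level: applies to every database on the server.
GRANT PROCESS ON *.* TO 'monitor'@'localhost';

-- 2. Database level: every table in shop, read-only.
GRANT SELECT ON shop.* TO 'reporting'@'localhost';

-- 3. Table level: one table only.
GRANT SELECT, INSERT ON shop.orders TO 'webapp'@'localhost';

-- 4. Column level: support staff never see card_last4.
GRANT SELECT (id, name, email), UPDATE (email)
  ON shop.customers TO 'support'@'localhost';

-- A view exposes part of a table. With the default SQL SECURITY DEFINER,
-- webapp needs no privilege on shop.customers itself.
CREATE VIEW shop.customer_directory AS
  SELECT id, name FROM shop.customers;
GRANT SELECT ON shop.customer_directory TO 'webapp'@'localhost';

-- Resource limits from the WITH clause of the synopsis above.
ALTER USER 'webapp'@'localhost'
  WITH MAX_QUERIES_PER_HOUR 10000 MAX_CONNECTIONS_PER_HOUR 500;

-- Role-based access: grant to the role, then the role to the person.
CREATE ROLE 'shop_operator';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.orders TO 'shop_operator';
GRANT 'shop_operator' TO 'operator1'@'localhost';
SET DEFAULT ROLE 'shop_operator' TO 'operator1'@'localhost';

-- Take a privilege back and confirm what is left.
REVOKE UPDATE (email) ON shop.customers FROM 'support'@'localhost';
SHOW GRANTS FOR 'support'@'localhost';
```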

Encryption:
The sensitivity of the data will logically determine the need for the use of encryption. There are a few things to consider when thinking about implementing encryption:

1. Will the data stored in the database need to be encrypted or just the user passwords?
2. Will you need to encrypt the data only in the local instance of the database, or do you need to also encrypt the data in transit?

Many of the standard secure database design principles apply to MySQL. Of course, it has many of its own intricacies that need to be understood and audited carefully before any database is fully implemented. Lastly, it is important to keep in mind that other layers of security apply when hosting a database, such as network and operating system security.

Finally, I used some Internet resources such as http://www.securityfocus.com, the MySQL forum, and Wikipedia.