Addressing Security Concerns around Election Voting


Taking part in a democratic process to elect leadership in our association is vital for making our voices heard and enacting positive change for PASS. The election process started months ago when the Nomination Committee was formed to review the voting process, vet candidates, and submit the final slate of candidates for approval to the Board of Directors. I had the honor to serve on the Nomination Committee as the Board representative. I'm also Director over both the Membership and the Information Technology portfolios. Both affect, and are affected by, the election process. The benefits we can develop and provide for our members come from the visions and passions of the elected representatives of our association. Information Technology builds the functional processes for vote casting. It is as the Director of Information Technology that I come to you now via this blog post.

The security of our voting process was called into question by a concerned community member earlier today. This individual reached out to PASS with concerns about the voting link behind the "VOTE NOW" button on the MYPASS website, which is created from a hash of the member's login and password. This link is unique to each member and was never intended for sharing. Though PASS is unable to see the votes cast by a member, we do need to know that a member, should they vote, only votes once. This link takes you to the secure SimplyVoting site, allowing you to cast your vote and take part in our democratic process. If a member were to take purposeful steps to share the unique URL, which is exposed through the hover action on the button or by saving the URL associated with the button through a right-click action, the recipient could see the original member's votes if that member had already voted, or could cast votes as the original member if they had not yet voted.

As Data Professionals we advocate for proper security behavior as a core message of our roles. The concerns that were raised could be easily mitigated by simply not sharing personal information. However, our community was formed around the mission of connecting and sharing. Members may not be aware that this link is unique to each member. A member who is trying to help a fellow member by providing them with the URL to vote for the PASS Board would inadvertently provide insight into their own voting activity.

Our IT staff, in addition to security-focused community members, looked into the matter independently of one another. They all concluded that the concern over these issues came down to making mindful decisions about how you share personal information and not violating basic security principles. While this means that following generally accepted guidelines to avoid sharing personal information would prevent any intrusion, we also understand our community's penchant for wanting to help one another. It's feasible that, in doing so, security considerations could be overlooked.

Therefore, to prevent any unintentional sharing of personalized voting URLs, our IT staff immediately took action to implement a change that hides the URL completely from the "Vote Now" button. The hover action on sqlpass.org will no longer display the personalized URL, and the target address is obfuscated from the button altogether. They have already successfully made the change in the staging site for testing and will be deploying the change to production by the end of the day. I've been assured there will be no downtime incurred or negative impact on the ability of our members to continue to vote.
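As an added example (not the PASS site's own code) of the change described above, here is a minimal Python model of both button renderings: the exposed form, which puts the per-member voting URL in the link's href where hover and right-click reveal it, and the hidden form, which posts to a generic /vote endpoint that resolves the member's URL server-side from the authenticated session and answers with a redirect. The member records, session ids, vote URLs and the /vote endpoint are all constructed assumptions; the post says the real link is derived from a hash of the login and password, and that derivation is not modeled here.

```python
import html

# Constructed sample data: member records keyed by an authenticated session id.
# The vote_url values are opaque placeholders standing in for the per-member
# link described in the post; the real derivation is not modeled.
MEMBERS = {
    "session-a1": {"name": "alice", "vote_url": "https://vote.example/ballot/TOKEN-FOR-ALICE"},
    "session-b2": {"name": "bob",   "vote_url": "https://vote.example/ballot/TOKEN-FOR-BOB"},
}


def render_vote_button_exposed(session_id: str) -> str:
    """Weak pattern: the personalized URL is the anchor's href, so the browser
    shows it on hover and a right-click lets it be copied and shared."""
    member = MEMBERS[session_id]
    return f'<a href="{html.escape(member["vote_url"])}">VOTE NOW</a>'


def render_vote_button_hidden(session_id: str) -> str:
    """Hardened pattern: the button submits a form to a generic endpoint.
    Nothing member-specific is written into the page markup at all."""
    return ('<form method="post" action="/vote">'
            '<button type="submit">VOTE NOW</button></form>')


def handle_vote_post(session_id: str) -> tuple[int, dict]:
    """Server-side handler for POST /vote (hypothetical endpoint): look the
    personalized URL up from the session and redirect, refusing anonymous
    requests. Returns (status, headers)."""
    member = MEMBERS.get(session_id)
    if member is None:
        return 401, {}
    # no-store keeps the redirect (and its Location) out of shared caches
    return 302, {"Location": member["vote_url"], "Cache-Control": "no-store"}


def markup_leaks_personal_url(markup: str, session_id: str) -> bool:
    """The check a reviewer would run on the staging site: does the page
    markup for this member contain that member's personalized URL?"""
    return MEMBERS[session_id]["vote_url"] in markup


if __name__ == "__main__":
    for sid in MEMBERS:
        print(sid, "exposed leaks:", markup_leaks_personal_url(render_vote_button_exposed(sid), sid))
        print(sid, "hidden leaks: ", markup_leaks_personal_url(render_vote_button_hidden(sid), sid))
```

One caveat worth keeping in mind: after the redirect the member still lands on their personal URL in their own browser and can copy it from the address bar, so this removes the casual hover and right-click exposure the post describes rather than the member's ability to share the link deliberately.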

Please do take the time to vote and also remember it's not too late to attend the PASS Summit this month! It's also never too late to volunteer or consider running for the Board of Directors in the next election cycle.

Thank you,

Tim Ford

Membership Personas Help PASS Better Understand Global Membership

Earlier this year, PASS embarked on a project with the goal of better understanding our global membership and educational priorities. Since being founded in 1999, we have not taken the opportunity to survey our membership to understand their educational needs, professional demands, and ways in which PASS can enrich the lives of our members. As we continue to grow, it’s critical for us to have a better understanding of you, our members.

When I started my second term, the PASS Board knew this was critical to our ability to continue to provide the level of educational offerings and value to our members as we looked to growing our global community. That’s why I’m excited to say that we have completed key steps in this process, which included surveying all of our members to obtain demographics and data on preferred technologies, training budgets, member satisfaction, and how you all engage with PASS. Additionally, we met with key individuals inside and outside of PASS to get a better understanding of their awareness of PASS, identify what we could do better, and recognize where we're succeeding as a professional association.

One of the critical insights we wanted to come away with from our survey findings was identifying the makeup of our membership. Even though we operate in a fairly narrow field of study and practice, we're definitely not all the same. We established that there are 10 distinct personas that make up the PASS membership. For each persona, we identified their gender and age distribution, career and educational requirements, learning preferences, and how rapidly they adopt new technologies, alongside those other aforementioned items.

The insights we uncover here build a valuable foundation as we move forward in our goals towards providing improved benefits and experiences for our current and future members. We are still compiling insights and making informed decisions as a result. As we learn more, we will of course share this with all of you.

I personally want to thank those thousands of members who took time to complete the survey or talk to us regarding their experiences with PASS.

Enriching the PASS Member Experience


Membership, and in particular adding value to membership in PASS, is important to me. It’s why I’ve volunteered my time to PASS across many roles since 2002. All of the programs PASS provides, including PASS Summit, Business Analytics (BA) Conference, SQLSaturday, and our online and virtual learning are produced for you. PASS strives to build a community for our members in Chapters, both virtual and geographical, and to provide enriched learning experiences for all of you.

At the start of the new term of leadership that began January 1, 2016, a new portfolio was created: Membership and IT. That is because these two efforts are closely aligned. The purpose of this new portfolio is to enhance our understanding of, and engagement with, our members, helping to provide an enriched member experience.

PASS wants to provide great opportunities for all of our members to Connect, Share, and Learn. We want to do more to provide the right opportunities, programs, services, and professional growth initiatives our membership wants. But to provide a better PASS experience, one that extends beyond and between Summits and BA Conferences, we need to know more about your demographics, requests, and needs. Beyond that we need a better understanding of the geographical regions that our events are both over-serving and underserving to make better use of our resources and reach more members.

How are we going to do this? With better data about each member of our community. We need to have a clearer understanding of who you are, your experiences attending PASS events, and what benefits you want PASS to provide. We have already begun the process of updating our website and will reveal a completely new web experience later this year. In the process, we will also re-engineer our membership data structure and will initiate processes to ask our members for more insights into these aforementioned areas as unobtrusively as possible. We will change how we register and account for event attendance, allowing us to provide the best learning experiences based on the interests and experiences of our individual members.

To start things off, we’re about to undertake a research project to better understand and engage our technical data audience. This will provide a better understanding of our member demographics and learning patterns, and identify key insights into your educational needs and interests to help us deliver enhanced learning and professional development experiences. If you are interested in participating in surveys or interviews to support this research, please go to the MyVolunteering section on the PASS website and ensure that you include “Community Feedback” as an area of interest. Once we have the new website, insights, and improved data sources about our membership, we can then start to develop improvements to existing programs and potentially new programs we’ve not even considered yet.

But these are all efforts that I cannot achieve alone. I’ll need your help as outreach happens, to gather more information about our members. I’ll need your participation. It’s a small thing we ask and in return we build a better understanding about our members for an even better PASS experience for all of you in years to come.

Thank you,

Tim Ford
Director, PASS Membership

PASS Website Security Update

As many of you may now be aware, on January 4, at approximately 11:15 PM PST, the VM that runs the PASS database, which is hosted in Azure Cloud, unexpectedly went down. The database was down until 11:45 PM. A default DNN installation error message screen revealed a single username of a PASS member. There was no security breach, and no personal information or passwords were revealed or accessed.

This default DNN installation screen appeared for any user attempting to access all PASS websites. The confusion surrounding the potentially revealed personal information occurred as a result of the default DNN message. This error page has now been revised with more accurate messaging in the event that there is an outage in the future.

Once notified of the website outage, the IT team had to manually reconnect the database and PASS websites, as this had not occurred automatically, which is why website access was unavailable for a longer period of time than the half-hour Azure downtime window. As part of the existing PASS IT disaster recovery plan, two new mechanisms will be put in place: a more proactive monitoring system that will allow real-time database and application monitoring, ensuring we are instantly aware of website failures; and redundancy protection by provisioning PASS websites over multiple Azure data centers.

On behalf of the entire PASS Board, I want to stress that we take protecting your personal information very seriously and implement every reasonable measure to ensure it is kept safe.

Tim Ford
PASS Membership

Evelyn Maxwell proves you're never too young to get involved in our community

I was delighted to see an unconventional abstract submission for the next SQLSaturday in Cleveland, OH recently. This entry came from Evelyn Maxwell, who submitted a session on PowerPoint skills for the event’s Professional Development track. You may wonder why I’d highlight this presentation from the thousands that have been submitted just this year alone. (After all, we have sessions covering non-SQL topics at our events.)

She represents what is special about the PASS community

Evelyn volunteered at SQLSaturday events as a non-speaker and attended many sessions before deciding to submit an abstract and commit to sharing her knowledge with others. That makes her special because, like so many others in our community, she is giving up her valuable free time on a weekend to connect, share, and learn with (and from) other like-minded community members.

She is a non-traditional PASS member

Evelyn is not your typical PASS volunteer and speaker. She is unemployed, she can’t drive, and she likely has a curfew under the laws of her city. You see, Evelyn Maxwell recently turned 13.

In her own words

After being made aware of Evelyn’s abstract I thought this would be the perfect opportunity to write a post that would highlight an example of what good news exists in our community. I also wanted to bridge the gap between my final days leading the PASS SQLSaturday portfolio and moving on to a new portfolio that will strive to enhance engagement with our members and deliver enriched community events. Evelyn’s story of volunteerism, passion for learning, and drive to share highlight the core of our mission and does so in a very unique way.

I reached out to Evelyn through her father, David Maxwell, to see if perhaps she would be willing to share advice with our PASS members who may be looking to become a community speaker or simply more involved in their local SQL Server communities.

TF: Hi Evelyn, thank you for taking time to speak with me and the PASS community at large. Can you tell us a bit about yourself as we begin?

EM: Well, I’m 13 years old, (I just had a birthday), I play percussion in the 7th grade concert band, I’m the second member in a trio of friends, and I help run a student-run club at my school. Other than that, I’m a pretty typical 7th grade girl.

TF: Your dad is very well known in the SQL Server community and just recently won the PASS Speaker Idol contest at the 2015 PASS Summit. What direction has he given you in speaking publicly?

EM: I’ve learned a lot about public speaking from my dad, mostly through watching him present at SQL Saturdays, and just watching him practice in the basement. Practice is, after all, very important in putting together a good presentation. I’ve also learned that when presenting, most people are going to be supportive and encouraging, which is nice, but also that not everyone is going to be positive, and that's something I’ll just have to accept.

TF: Can you speak to some of the things you've done at SQLSaturdays previously? In addition to speaking in 2016 at the Cleveland SQLSaturday, I've heard you've been a volunteer at events in the past.

EM: Generally at SQLSaturdays, I just like to go and attend sessions on a beginner level, and see if I can learn something. I try to take productive notes, and write down questions later to ask my dad. I also like to give feedback to the presenters. Last year I was a volunteer at SQLSaturday Columbus, and got to help register people, set up for lunch, and wipe down pretty much every flat surface there was. I even got to pull names for the raffle and throw T-shirts at people. Now how fun is that?

TF: Besides being a public speaker and PASS volunteer what are your other interests?

EM: I enjoy reading, percussion, and writing fan fiction. I also help my friend run Special FX club, which is a student-run club that helps teach kids about the art of movie makeup. We do a ton of different stuff, from mild bruises, to zombie skin. It’s a lot of fun. I also was in drama club last year. Unfortunately, there was no club this year, although I would have joined if given the chance.

TF: I know I tend to “nerd-out” about SQL around my house. Does your dad spend a lot of time talking about SQL?

EM: Dad doesn't really talk a lot about SQL at home. If my brother or I have a question, he’ll answer it, and sometimes he’ll give us a heavily simplified explanation about something at work, but other than that, he saves the SQL talk for SQLSaturdays.

TF: Evelyn, what is your one piece of advice for any new speaker/community member looking to broaden their own experience?

EM: I would say that if you want to try speaking at an event, or do any kind of public speaking for that matter, don’t overthink things. You obviously want to know your topic, and be able to answer questions from the audience, but don't focus on your presentation so much it makes your head hurt. I had this problem when I was first writing my abstract. Instead of just thinking what would be in the presentation and why, I completely overthought it, and ended up having to start over. But once I let all of that go, I was able to come up with a successful abstract, which got my point across.

TF: Christmas is coming. Do you want to share some of your Christmas list with us? Maybe it will improve your chances with Santa Claus, you never know.

EM: To be perfectly honest, I don't have a Christmas list. I have a phone, and a snare drum, what more could I want? Plus, I think there's a lot more to the holidays than just receiving gifts.

My wish for you

Evelyn reminds us all that there is so much more this holiday season (regardless of the holidays your family celebrates) than material things. I want to take this opportunity to wish you, your families, and your communities a happy holiday season and end to 2015. We always have room for improvement though, so my hope is that you will experience greater success, contentment, fulfillment, and peace in the coming year.

Tim Ford
Director, PASS SQLSaturday

PASS Summit 2015, Day One Keynote: The Future of SQL Server

October 29, 2015 — Yesterday marked the first full day of community sessions at PASS Summit 2015 in Seattle. After opening remarks by PASS President Thomas LaRock, Joseph Sirosh (Corporate Vice President, Data Group) and Shawn Bice (General Manager, Database Systems Group) of Microsoft led the audience through an hour of insight into SQL Server 2016.

Joseph pointed us toward the future of the Microsoft data platform. Starting with more widely adopted Internet use in the 90s, we've seen a massive uptick in the amount of collected data in the cloud and through mobile device outlets; at the same time, analog data is all but gone. According to keynote projections, Microsoft expects that by 2025, cloud-based data will eclipse all other data sources by more than a 2:1 ratio, with almost all data residing on either mobile devices or cloud platform repositories. Microsoft continues to position itself to be the leading solution for this new data-driven culture.

After laying the groundwork for what the future holds, Shawn and Joseph took us on a tour of SQL Server 2016 and its built-in features:

    • Always Encrypted technologies will encrypt data at rest, on the fly, and in the buffer pool to help eliminate threats of intrusion at all levels, including the elusive man-in-the-middle threat of polling the buffer pool.
    • Inclusion of the R language native to the SQL Server product will enable low- or no-impact analytics directly against OLTP environments in what Microsoft is calling "Real Time Operational Analytics." This feature enables you to make decisions rapidly, at your pace rather than waiting for scheduled ETL processes to load to a separate data warehouse—resulting in potential time and storage-cost savings. R is to data science what SQL is to data management, so it’s a natural match for data professionals and a welcome addition to the Microsoft data platform.
    • A STRETCH DATABASE provides the ability—via a simple wizard—to stretch tables to the cloud, along with all DDL and security structures in place. This way, users can reach all data, regardless of whether it's "earthed" or hosted in Azure. This capability offers the potential for savings in all costs related to storage: hardware, utilities, and operational staffing, just to name a few.
    • SQL Server Reporting Services (SSRS) is completely overhauled in SQL Server 2016. (This news elicited a great deal of applause from the crowd.) I'd expect Power BI-like features in the SSRS product suite to be part of this "overhaul."

The Microsoft data platform is leading the way in enhancements and providing a complete solution, as evidenced by the latest Gartner Magic Quadrant Ratings. Furthermore, SQL Server has been the leader in data security stability over the past six years.

2016 is going to be a great year for the Microsoft data platform—and a great time to be positioned as a Microsoft data professional. I am anticipating the continued roll-outs of SQL Server 2016 Community Technology Previews and can only imagine what we’ll have to look forward to in the Microsoft product keynote at next year’s PASS Summit.

Tim Ford
Director, PASS SQLSaturday | PASS Headquarters

SQLSaturday Website Update Timeline

As per my blog post on April 9 regarding the SQLSaturday website, the good news is that we’re back online. So far, feedback on the site has been overwhelmingly positive. 

I first want to thank everyone for their patience last week: the organizers and sponsors who couldn’t access the site during the downtime, as well as the community members who have been waiting to hear what happened. As with any issue like this, our main priority was to rectify the situation. Therefore, we felt it best to wait until the site relaunched and all security vulnerabilities were fixed before sharing more specific details. 

But of course, full transparency is important to us and to you. Now that we’re up and running again, here is the timeline of events that occurred over the past week: 

  • On Monday, April 6, we were alerted to a potential security vulnerability that exposed the contact information (address, city, region, and Twitter handle) of some sponsors. We immediately removed this information and decided to take down the entire sponsor page for further testing. The security of information regarding our community and sponsors is of the utmost importance to us, so we wanted to conduct a thorough review of the entire website, not just that specific issue.

  • By Monday night, we had decided to take the entire SQLSaturday site offline. We chose this option, rather than a rollback, because at the time, we estimated a rollback effort to be more time-consuming than simply taking the site offline and implementing the fix. In addition, we didn’t want to risk losing any new or changed data. We were able to minimize impact as best we could for the upcoming SQLSaturday events over the weekend of the 11th and 12th by providing access to the admin sites for the Huntington Beach and Madison SQLSaturday events.

  • The morning of Tuesday, April 7, we decided to ask community members for testing support. Our community comprises some of the best and brightest minds in the industry, and it made sense to involve the users of the site in further testing.

  • The patch was completed by Tuesday night, making the site ready for testing by volunteers on Wednesday.

  • During the testing on Wednesday, April 8, a second potential vulnerability—an HTML injection vulnerability—was identified. Because of the seriousness of this potential issue, we decided Wednesday afternoon to keep the site offline for another day so that we could thoroughly research and correct the issue and complete final testing. As we began delving into the issue, we discovered that it also existed in the old site. So again, a rollback was not an option.

  • The problem was fixed late Wednesday night.

  • On Thursday, April 9, PASS IT and community-member testing was complete.

  • Satisfied with the security and usability of the site, we relaunched Thursday at 9:30pm EST.

PASS apologizes for this outage and for the difficulties it created for the SQLSaturday organizers, sponsors, speakers, and attendees. We thank those who provided feedback on the issues and the volunteers who stepped in to help test the solutions, particularly K. Brian Kelley (blog | @kbriankelley), Denny Cherry (blog | @mrdenny), and Argenis Fernandez (blog | @DBArgenis). To help prevent a similar issue in the future, we are looking at more extensive QA processes with a specific focus on ensuring site security. Although I believe we made the best possible decisions along this timeline, we will certainly take a different approach to future site revisions, including but not limited to earlier and wider security-based and functional testing by our volunteer experts and progressive change schedules. 

Again, thank you for your patience. If you have any further feedback or questions, please email us at sqlsaturday@sqlpass.org.

Tim Ford 
PASS Board of Directors 
SQLSaturday 

SQLSaturday Website Update

As many of you may be aware, this week PASS launched the new SQLSaturday website. 

Shortly after launching the site, we were notified of a security vulnerability which meant that sponsors’ contact details (company or individual name, Twitter handle, address, and zip/postal code) were all visible. The intention of making this information available was to streamline the process for sponsors to sign up for an event without having to re-enter their details each time. However, given that some of our sponsors use their home address as contact information, there were concerns about having this information publicly available on the site. This information was immediately taken down, and out of an abundance of caution we also made the decision to conduct a full assessment to ensure no other issues existed.

During testing an additional security vulnerability was discovered: parts of the SQLSaturday website were exposed to HTML injection, which in this case could allow a hacker to execute HTML and/or JavaScript from the session abstract page. With the structure of the SQLSaturday website, abstract submissions will be continuously open, increasing the risks associated with this vulnerability. Applying fixes for this issue and re-testing caused a further delay in the anticipated turnaround time for the re-launch.
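The HTML injection described above comes down to how a stored abstract reaches the page. As an added example, not code from the SQLSaturday site, here is a Python rendering of a session abstract the unsafe way and with output encoding, plus a small check for stray tags in the result; the sample abstract, the wrapping div and the function names are constructed for the illustration.

```python
import html
import re

# Constructed sample abstract, as a speaker might type it into an always-open
# abstract form. The tags are here only to show what encoding does to them;
# the "<= 60 minutes" shows that legitimate text with a "<" must survive.
SAMPLE_ABSTRACT = (
    'Tuning queries with <b>execution plans</b> '
    '<script>document.title = "injected"</script> '
    '& other tips for sessions <= 60 minutes'
)


def render_abstract_unescaped(abstract: str) -> str:
    """Weak pattern: the stored abstract is concatenated straight into the
    page, so any markup it contains becomes part of the page (HTML injection)."""
    return f'<div class="abstract">{abstract}</div>'


def render_abstract_escaped(abstract: str) -> str:
    """Hardened pattern: encode &, <, >, " and ' so the browser displays the
    abstract as literal text instead of parsing it as markup."""
    return f'<div class="abstract">{html.escape(abstract, quote=True)}</div>'


# A tag is "<", then characters that are not angle brackets, then ">".
# Excluding "<" inside the tag keeps "<= 60 minutes</div>" from being read as one tag.
_TAG_RE = re.compile(r"<[^<>]+>")


def injected_tags(rendered: str) -> list[str]:
    """Tags present in the rendered output apart from the wrapping div.
    Anything listed here came from the abstract, not from the template."""
    tags = _TAG_RE.findall(rendered)
    return [t for t in tags if t not in ('<div class="abstract">', '</div>')]


if __name__ == "__main__":
    print("unescaped:", injected_tags(render_abstract_unescaped(SAMPLE_ABSTRACT)))
    print("escaped:  ", injected_tags(render_abstract_escaped(SAMPLE_ABSTRACT)))
```

html.escape is the right tool only for text placed between tags; a value written into an attribute, a URL, or a script block needs the encoding for that context, and the safer default for a site like this is a template engine that escapes automatically so no page has to remember to call it.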

This afternoon after rigorous testing by PASS IT and volunteers from the community we are pleased to announce the site is live again. 

Further detail on the actions and decisions surrounding this event will be made available in the coming days. 

We thank you for your continued patience and understanding throughout this time and look forward to providing an enhanced experience for event organizers, attendees, speakers and sponsors of SQLSaturdays with the new site going forward. Again we would like to thank everyone who was involved in the vision, planning, feedback and testing of the site.  

- Tim Ford
PASS Director, SQLSaturdays

SQLSaturday Site Redesign: Better than Ever

April 6, 2015--Over the past few weeks, we’ve been alerting people to something exciting: our new SQLSaturday website redesign. It’s now faster and easier than ever to manage, speak at, sponsor, or attend a SQLSaturday event!  After a great deal of effort by our staff and community volunteers for months (years, actually) the update is finally here—we hope you’ll stop by and take a look! The redesign will significantly improve the SQLSaturday experience for attendees, speakers, and event and chapter leaders. 

For starters, the new site makes it easier than ever to manage your SQLSaturday event or your Speaker Profile. One of the changes we’ve made is to tie in PASS accounts, so that leaders and speakers don’t need to juggle multiple account logins. 

Speakers now have a universal Speaker Profile that is associated with their PASS accounts and can be applied across events. This change and others make it easier for speakers to manage and track abstract submissions, upload presentations, and get feedback about their sessions. 

If you’re an event leader, you can now use your PASS account to access the Admin site—which has also received a facelift. The site features a cleaner, easier-to-use dashboard that will help to simplify the process of managing an event, including allowing you to associate an event with a chapter.

We’ve also improved the Session Management UI, which now supports a wider variety of session lengths as well as color-coding of tracks and rooms. Plus, you can add keynotes, rest breaks, and raffle draws as non-session items.

SQLSaturday attendees will benefit from the mobile-friendly redesign as well. Use your PASS account to manage your registrations, download SpeedPASS, pay for lunches, and deliver event feedback.

Sponsorship is an even more winning proposition, with a new slider and improved sign-up form that saves sponsors time and effort. (Sponsors will need to complete a one-time upload of new logo graphics to meet our improved display requirements, but beyond that, improvements will be effortless.)

We’re excited to hear what you think about the changes. If you have feedback or questions, we hope you’ll reach out to us at ITSupport@sqlsaturday.com.

--Tim Ford
Director, PASS SQLSaturday

Feedback Requested on SQLSaturday Numbering System

March 3, 2015 – Hello fellow SQL Community Members! It's been a great year for PASS and a banner year for SQLSaturday in particular! By the time you read this post, we will have announced our 100th SQLSaturday event for this fiscal year. By comparison, it took us 1,480 days to complete our first 100 events.  Event 200 came 510 days later, followed by event 300 after another 572 days. Thanks to the global growth of PASS and SQLSaturday and the determination and passion of our community and our organizers, we hit this last benchmark in record time.

Take some time right now to give yourselves a well-deserved pat on the back. I'll wait...

Done?

Good.

Now that we've reached this milestone and as we look to the future of SQLSaturday, I think it's time to make a small change. This adjustment will help to provide a more environmentally sustainable program while enabling our individual organizers to buy promotional items that won't expire at the end of each year. Here's the plan: We're doing away with the numbering scheme that we've traditionally used for individual events. Instead, we're going to identify individual SQLSaturdays by the name of the city or region in which they are hosted.  For example, the next time we produce a SQLSaturday in Kalamazoo, we'll call it just that – SQLSaturday Kalamazoo – rather than SQLSaturday Kalamazoo #501. Behind the scenes, we'll still use the same URL constructs and numbering (for internal purposes), but we'll market each event sans numbers. This means that we can re-use undistributed materials from year-to-year, and we can order in larger quantities for lower per-unit prices. This change allows for one of the things I love to preach about when I speak at SQLSaturdays: consistency.

I'm sure that some of you might have different ideas on the matter… perhaps ideas that lay somewhere between what I'm proposing and the status quo. The PASS Board of Directors really wants your input in the matter. We're planning on making this change mid-year, so if you want to make your voice heard, whether to let us know that you agree with the plan or to propose an alternative, reach out to the SQLSaturday Team at webmaster@sqlsaturday.com, using the Subject line "SQLSaturday Renaming Plan."

I think the time has come for this minor marketing change, and I want to offer up full transparency. I have the privilege to help guide the program, but it's our amazing local organizers who continue to push us forward with such a successful program day in and day out! Please let us know here at the Board and PASS HQ what you think – and help shape the future of PASS and SQLSaturday.

Tim Ford

PASS Director, SQLSaturday
