Y'all "professional DBAs" are going to keep squawking about transactions and stored procedures (for crying out loud, it's GOT transactions - use innodb!) and whining about MySQL while your jobs go bye-bye as people realize that for the vast majority of databases that they use, transactions and stored procedures aren't necessary. Most folks are NOT running a bank.
I for one will be laughing my ass off when that day arrives.
More things that I'm sure people will talk about: The Dells are 1U and 2U boxes designed for rack enclosures meaning they'll be more heat and power efficient not to mention they take up about 1/3 the physical space as the enormous PowerMac G5.
Rack-designed enclosures don't mean that there'll be less heat - 1655MC blade servers, for instance, effectively consume .5 U, but pump out gobs and gobs of heat, and are rated at 6A nominal/12A maximal. Placing 11kw in one 42U rack is enormously difficult to cool. Recent article in ComputerWorld talks about this issue.
Apple's been posting consistently flat growth rates for years. The reason Apple's been having inventory supply problems is that they are being VERY careful about not oversupplying the channel: hot death considering Apple's mercurial product demands.
Apple is most definitely concerned with market share - it's the only way they can keep the platform from further being ghetto-ized. I'm not saying Boo about Apple's innovation - they "get it", already. They need to somehow get everyone ELSE to "get it".
Apple has succeeded in the last two years simply by not offering a commodity product, and that's the balance that Apple has to try and walk: create amazingly cool shit that folks will somehow differentiate from a $600 costco PC, and be willing to spend the difference. The eMac is certainly a great deal, but why can't we buy it in Costco, where I'm certain it would sell? Apple is obviously NOT emphasizing these low-profit models, and it's probably why they're as healthy as they are.
I've got an idea that won't let me go. IF it were possible to create a reasonable identification system that would effectively remove anonymity on the internet (eg, every packet tagged with unique and verifiable identification info, assume crypto), COULD this solve a set of somewhat similar problems, such as copyright violation, SPAM, sysadmin abuse, and lousy signal-noise ratio for Internet discourse?
My officemate thinks as I do that it could drastically reduce a large portion of these problems, but that it would never fly because of (legitimate) privacy concerns and the difficulty of repudiation.
In some part, I agree with my officemate, but think that the cost of implementing such a system will, given present abuse trends, start to become appealing enough to become viable. How much crack am I smoking?
You are absolutely correct about Dell, and we're coming to regret our general policy to buy PowerEdge servers.
We've found that Dell:
a) IGNORES their stated SLAs. I waited three weeks for Dell to replace a production server supposedly covered under next-day replacement, because Dell first insisted on shipping us PARTS, rather than a complete replacement (this was for a blade server modules). Never again: I'll spend three hours of their toll-free time to get a manager on the phone and GET ME MY DAMN SERVER. I've never seen a company so retarded - three hours keeping me on hold and having their support droog run around with his head cut off surely costs more than just cross-shipping me a new box.
b) Provides RAID controllers every bit as flaky as you describe. I think it's quite likely that the Dell tech dispatched to replace your drive actually did the job correctly. I've lost degraded RAID drives more than once when swapping drives. Recovery ability in these controllers is really, really bad (the DAC960 controllers we had in our old VA boxes, slow as they were, always managed to recover from degraded).
c) Provides support from hell. Ironically, this is one of the reasons we SELECTED Dell (presuming they had their shit together, unlike VA's dying days). They just don't.
The paper that describes the attack in question is "Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants)". You're reading the paper BELOW that one: "Robustness to Inflated Subscription in Multicast Congestion Control"
This is an architectural "flaw" of TCP (the authors seem to conclude that its retransmission mechanism is sound and necessary, but can't be effectively protected against for this DoS - for the sake of argument, let's call it a flaw) - whom would you propose "fix" the problem before the vulnerability is widely known?
Since the architectural flaw seems to be in the retransmission recovery sequences of TCP, eg, it can be spoofed in a way undistinguishable from normal retransmission recovery sequences, actual source of the packet can't be used as a deterrent to attacks.
The attack seems to exploit the mechanisms of congestion flow itself, so larger window sizes or in-order delivery of packets (I presume this is what you mean by sequenced packets) will not be sufficient to avoid this attack. The paper does examine several variants of TCP, with similarly glum results.
In the scenario illustrated by the paper, TCP enters its exponential backup phase, throttling the window to a single packet size and doubling the retransmission timeout (which starts off at 1 second). The paper seems to be saying that by timing the attacking responses to closely match that of the sender's RTO, we can cause the connection to effectively remain in exponential backoff.
To my thinking this would affect throughput for only the attacker's TCP flow, but the authors say that ALL TCP flows can be affected. I'm just not smart enough to understand why all TCP flows can be induced into the same exponential backoff phase.
Absolutely bang-on. We handled close to 300,000 SoBIG.F viruses in the first 24 hours. Then the responses started to come in. You just can't plan for that kind of 100x traffic increase.
Big business kidney punches the consumer once again.
It's not like I can't understand their concern - I work for a company selling proprietary software (running on open-source OSes), and I'm not thrilled about the notion of someone else fielding a product we can't compete with (assuming feature parity).
If someone does, however, then more power to them. They went to the effort, and they decided that all should benefit from the fruits of their labor. That's downright noble.
What big business seems to be doing here is using process rather than product to beat down the barbarian hordes. Why shouldn't the intellectual property concerns of open source advocates be taken into consideration when formulating a world IP policy?
People who like to think they know what they're talking about saying how dumb the SCO executives are.
And utterly failing to realise that the SCO executives are rich. And will get much richer as a result of this, completely regardless of the outcome. And there you'll be at the end of this, crowing about how right you were, and how dumb they were, while they move into bigger mansions, or buy that third yacht. Hence why they're rich, and you're languishing as a second-rate programmer.
You seem to be making the old assumption that rich and powerful equals smart. Are SCO executives smart? Possibly. Shrewd? Probably. They certainly appear to be voracious, litigious bastards, whatever other qualities as humans they may possess. In general, my observation has been that the rich and powerful have gotten that way not by being especially warm and caring individuals, but by possessing enough charisma to allow them to exercise their machiavellian tendencies without arousing the lynch mob.
I know I'll be marked down as a troll for praising MS, but I'm actually quite impressed with this.
It's bloody hard to compete against free software and I'm actually amazed to see them try this approach instead of their usual media contamination methods.
Of course, I don't hope they win as I think Windows stinks (you can pry my OS X from my cold, dead fingers) but kudos to them for playing fairly for once.
To be a bit cynical about this, MS is unlikely to actually play fair, but they're certainly going to go to some effort to APPEAR fair and objective.
The studies that MS releases will always show MS to be ahead of the game (and it's possible they will be, as in the fateful Mindcraft study). MS will NEVER release press showing their product does not perform as well as Linux (that would be called, "not acting in our shareholders' best interests"), so you are likely to see highly tailored studies that reflect a certain performance metric in which MS does well and Linux does particularly poorly.
We already know the arenas in which MS is attempting to devalue Linux installations: Apache, LDAP, MySQL, SAMBA, and probably PHP. I would imagine MS will focus first on interoperability issues between Linux and Windows, as reasons to stabilize their existing userbase. These will be easy marks for them, as MS is well-known for subtly enhancing protocols to ensure MS lock-in. They will then claim this to be a short-coming of Linux rather than their unwillingness to follow RFCs.
I find it a bit laughable that some folks think that MS will actually CONTRIBUTE to the products they are keeping tabs on. MS has many reasons for wanting such an open source lab, but increasing the viability of these apps is the LAST reason they'd want such a facility.
Without getting too over-the-top Oliver Stone about this, let's think about what MS has to gain:
1) Better understanding of the products that compete directly against MS products.
2) The ability to characterize the fragility of the protocols used by open source products. This lets them tweak interoperability of their products ever so slightly to insure that MS and open source will not coexist. This would include increasing incompatibility between OpenLDAP and ActiveDirectory, Apache and ISA Server, CIFS and Samba, ODBC and MyODBC, etc.
3) They have the potential of pulling Mindcraft-after-Mindcraft types of tests. These will be difficult to combat, as they'll have a unique understanding of MS and open source weak points.
I'm not an X-Plane user myself, so I don't know how difficult it is to build a model that actually flies. If the physics are really realistic, that'd be quite a challenge. The plane building program will probably lend you a hand, though...
I am an X-Plane user, and have built a few biplanes, flying wings, and a delta wing jet. Two things:
a) The tools that X-Plane gives you could be dramatically improved without a whole lot of effort. Defining the fuselage is a bit of a pain, and positioning of wings, elevators, stabilizers, and gears are all very much unintuitive - no such thing as direct manipulation of the pieces to where you want them.
b) It's difficult to make something that actually flies. Center-of-gravity is usually for me the single-most difficult thing. I'll either have my ass dragging down the runway, or have so much weight up front that I can't rotate into the air in allotted runway space.
c) Once you have a working model, it's difficult to get a model that flies WELL, eg, responsive to controls, zero yaw, can land.
d) Once you get a model that works well, it's extremely difficult to get that model to go supersonic. After some research, I discovered the area rule.
e) Items b through d have nothing to do with X-Plane, and are damned challenging (and to my mind, enjoyable) to overcome. I have oodles more respect for aerospace engineers now.
Nothing's stopping you from downloading the X-Plane distribution - you can use all the plane maker and landscape maker programs without the CD, and test it out 5 minutes at a time.
Linux' chance to supplant Apple is going to happen at the corporation, not in the home. Companies have a large investment of ix86 that they will be loath to throw away. If Linux does overcome Apple's market share (this seems possible), it will happen in business.
From a technical viewpoint, Linux doesn't offer much to the home user:
Aqua's a nicer interface (of course this is subjective), and X servers are still freely available for it
Most (but not all) software for Linux can port easily to MacOS X
Apple's got better game support than Linux. Barely.
Peripheral support is superb under MacOS X - plug-and-play actually works.
Well, you're right, of course. Many more than a million people could die, even with the present mortality rate of 3 to 4%. To keep it in perspective, however, as I mentioned in an earlier post, only 3% of men can autofellatiate.
You've got a 3% chance of dying if you get it.
This happens to be the same percentage of men who
can auto-fellatiate. Can you auto-fellatiate? No? Then don't worry.
Simply put, if you expect your web application to get any amount of decent traffic (say 100,000 pageviews+ per day), then MySQL is simply not an option. Oracle is simply the standard upon which others can only attempt to compare themselves to. MySQL may be fine for the low-end "check out my k00l dynamic site!!11!!" crowd, but for professional web applications, MySQL has a long, long ways to go.
My sites aggregate 62 million page turns a month, running MySQL - my largest customer often turns 300,000 to 400,000 page turns in a day. MySQL does fine.
Which is not to say your message doesn't have some validity. What we've found in general is that up to fairly high load, MySQL performance absolutely DESTROYS Oracle running the same application. After that point, of course, MySQL drops off a cliff, while Oracle just slows down. Without an exception, customers we've migrated to MySQL to Oracle are MUCH happier with their performance (again, because most of our customers aren't at that critical performance apex of MySQL). It's like this: 95% of everything our customers want to do can be handled with MySQL's functionality, at a mere pittance of Oracle's TCO. How much is that 5% worth, do you think? Now, this is a specific workload I'm talking about here - MySQL's peg definitely won't fit every hole out there, but it does fit some very important ones for us.
It's funny the reactions here - the folks who insist that MySQL isn't beginning to eat Oracle's lunch. It's funny because MySQL IS beginning to eat Oracle's lunch, for SOME APPLICATION LOADS. It's been pretty common for companies to just buy Oracle, because that's What You Do, especially when you've got high-power DBAs calling the shots. Many classes of business applications don't require Oracle's power, and savvy CIOs ARE waking up and specifying cheaper, more appropriate RDBMS for their applications.
DungeonMaster was originally released only for the Atari ST. To say it was a success would be a huge understatement. People bought Atari STs JUST for DM (I worked retail selling them at the time). This was a bit of a last ditch effort for FTL at the time, as SunDog, great game as it was, wasn't paying many bills. DM put them in a place where they didn't have to worry about money, if not ever, then at least for a while.
It was ported to other machines, and utilized those machines' capabilities (eg, Mac and Amiga versions at least had stereo sound, and I'd be super surprised if the IIGS port didn't also - Atari ST didn't support stereo).
This game was a lot of fun, and as other posters mentioned, did a good job of scaring the shit out of you.
Wrt Sandia security - though yes, it's encapsulated within Kirtland Air Force Base, it is certainly not contiguous. TAs are scattered all over the facility.
I grew up on KAFB, and eventually worked at Sandia, but one of the more vivid examples of "layered" security was when, as a pimply-faced teenager living off-base and not affiliated with either KAFB or Sandia, I delivered pizza on-base.
The routine went like this - drive down the street to the entrance of KAFB, where the gate personnel would stop me. Show them my pizza, tell them I had a pizza delivery, and they'd wave me on-base. Pretty funny, huh?
So my delivery is way out past the main tech areas, and I'm on dirt roads, and finally I get to the area - don't remember the TA, Sandians, sorry - and it's a lethal force area. So I'm outside three rings of concertina-topped chainlink, signs with "lethal force authorized" all around, and a guy with an M-16 approaches. He's not exactly pointing it at me, but it's also not slung over his shoulder. Gives me the dough, I give him the pizza, and that's it.
Basically, in this day and age, your setup from the Internet in to your internal LAN, should be (as a minimum):
Internet router(s) => Firewall(s) => Web servers (HTTP, mail relays, proxies, VPN termination, etc.) => Firewall(s) => backend servers (SQL, internal mail etc..) => Internal network.
I am not in agreement. Two layers of firewall will provide marginally better protection in a standard two-tier layout, but it is not necessary, and is expensive.
(digression: your $500 example is suitable only for very lightly loaded networks - it may be able to handle your first layer firewall, but almost certainly will saturate at the second layer: a PIX 525 firewall, at approx $30k for a redundant pair can handle about 370Mbits/second.
So, I've got 6 webservers with Gigabit ethernet trying to talk to twelve back-end database servers, also gigabit ethernet. Look into prices for firewalls that can handle even 1000Mbps sometime and you'll see my point.)
Anyway, unnecessary: a database that has only open ports 22 and, say, 3306 (I like MySQL) is going to look very similar to a machine behind a firewall that only lets port 22 and 3306 through. There are a few classes of DoS attack that could be stemmed through use of a firewall, but really, the value of your environment is your data. Run a sniffer on a compromised webserver, and you've almost certainly got the information you need to make backend connections to the database servers.
sloth jr
Sell more music
Sell more iPods on which to play iTunes downloaded music. Integration will probably be seamless.
Get general consumers less afraid of Apple the company, and more willing to consider buying Macs
Sell more Macs, with aims to pull 10% market share in a year.
sloth jr
Keep up the good work.
sloth jr
Charities suck ASS on the phone. Not only do I have to interrupt my life to deal with their plea, I get guilt tripped by saying no!
sloth jr
Newsflash, Amigans:
The AmigaOS GUI sucked ass and prevented people from buying a technically cool machine. Give your platform its due credit, but don't pimp the GUI as one of its strong points, because it wasn't, ever, not in any incarnation.
I grew up on KAFB, and eventually worked at Sandia, but one of the more vivid examples of "layered" security was when, as a pimply-faced teenager living off-base and not affiliated with either KAFB or Sandia, I delivered pizza on-base.
The routine went like this - drive down the street to the entrance of KAFB, where the gate personnel would stop me. Show them my pizza, tell them I had a pizza delivery, and they'd wave me on-base. Pretty funny, huh?
So my delivery is way out past the main tech areas, and I'm on dirt roads, and finally I get to the area - don't remember the TA, Sandians, sorry - and it's a lethal force area. So I'm outside three rings of concertina-topped chainlink, signs with "lethal force authorized" all around, and a guy with an M-16 approaches. He's not exactly pointing it at me, but it's also not slung over his shoulder. Gives me the dough, I give him the pizza, and that's it.
It was fun.
sloth jr