1 00:00:00,042 --> 00:00:02,292 MING CHOW: Good afternoon, everyone. 2 00:00:02,334 --> 00:00:05,501 My name is Ming Chow and I will be speaking today 3 00:00:05,501 --> 00:00:08,000 about NoSQL databases. 4 00:00:08,000 --> 00:00:15,792 How people here are using a NoSQL database such as Mongo, 5 00:00:15,792 --> 00:00:22,209 Redis, Cassandra, many, many, to name. 6 00:00:22,209 --> 00:00:24,626 How is your experience so far with them? 7 00:00:24,626 --> 00:00:25,999 AUDIENCE MEMBER: Good. 8 00:00:25,999 --> 00:00:28,918 MING CHOW: Yeah, so far, so good. 9 00:00:29,000 --> 00:00:30,834 They are fast. 10 00:00:30,834 --> 00:00:32,209 They are transactional. 11 00:00:32,209 --> 00:00:33,751 They are very easy to use. 12 00:00:33,751 --> 00:00:35,501 You don't need SQL to use them. 13 00:00:35,876 --> 00:00:41,918 You know, and if you want to insert data, search for stuff, it's 14 00:00:41,918 --> 00:00:45,999 all based on the computer science principle 15 00:00:45,999 --> 00:00:48,751 of key value pairs. 16 00:00:48,751 --> 00:00:49,751 Okay? 17 00:00:49,751 --> 00:00:52,459 So if you have never seen a Mongo database or 18 00:00:52,459 --> 00:00:56,626 a NoSQL database, typically how you want to find data 19 00:00:56,626 --> 00:01:00,083 is I'm connected to a financial news database 20 00:01:00,083 --> 00:01:05,125 on Mongo right now, but if you want to find something, it's going 21 00:01:05,125 --> 00:01:10,417 to be something like the database, the name of the collection, then 22 00:01:10,417 --> 00:01:15,751 the find routine, and typically, it would take in JSON. 23 00:01:15,999 --> 00:01:23,125 So the key is going to be screen name, let's say for the screen name is going 24 00:01:23,125 --> 00:01:25,709 to be CBS News. 25 00:01:25,792 --> 00:01:26,792 Okay? 26 00:01:26,792 --> 00:01:29,459 So what I'm going to do here, just a very simple example 27 00:01:29,459 --> 00:01:32,709 is to show how you find all financial news that's 28 00:01:32,709 --> 00:01:35,250 from CBS News on Twitter. 29 00:01:35,250 --> 00:01:37,999 And so what happens is those are all of your results. 30 00:01:37,999 --> 00:01:38,999 Okay? 31 00:01:38,999 --> 00:01:42,876 So really nice and easy, but that's only just one way, one 32 00:01:42,876 --> 00:01:48,999 of many ways to search for stuff in a NoSQL database such as Mongo. 33 00:01:49,626 --> 00:01:53,626 What about security of NoSQL databases? 34 00:01:53,751 --> 00:01:55,792 That's another story. 35 00:01:55,792 --> 00:01:57,083 That's all over the place. 36 00:01:57,792 --> 00:02:02,417 Right now we have a mixture of heterogeneous and homogenous 37 00:02:02,417 --> 00:02:07,876 security issues and that's what I'm here to talk about. 38 00:02:08,999 --> 00:02:10,334 Okay? 39 00:02:11,626 --> 00:02:14,542 I'm actually very surprised that the topic 40 00:02:14,542 --> 00:02:20,375 of just NoSQL databases has never, ever been covered here at DEF CON. 41 00:02:20,375 --> 00:02:25,626 Two years ago, I talked about building, you know, the issues of using HTML 5, 42 00:02:25,626 --> 00:02:28,959 which is the application side. 43 00:02:29,083 --> 00:02:33,375 There's a lot to just the database side of things and a lot has changed 44 00:02:33,375 --> 00:02:35,209 in two years. 45 00:02:35,709 --> 00:02:39,209 One thing that hasn't changed is we're all still new 46 00:02:39,209 --> 00:02:41,834 to NoSQL databases. 47 00:02:42,834 --> 00:02:46,834 You know, we're all new to this, and the only thing largely a lot 48 00:02:46,834 --> 00:02:50,125 of us care about is just making it work. 49 00:02:50,751 --> 00:02:52,792 Just making it work. 50 00:02:52,792 --> 00:02:55,834 And, of course, that certainly that has some, 51 00:02:55,834 --> 00:02:59,959 you know you know how usually that goes, especially 52 00:02:59,959 --> 00:03:04,999 if you leave security into the hands of developers. 53 00:03:05,375 --> 00:03:08,999 So a homogenous problem, a very simple one right off the bat, 54 00:03:08,999 --> 00:03:12,999 if you know database vendor, you know the IP address, you know 55 00:03:12,999 --> 00:03:15,083 the port number. 56 00:03:15,083 --> 00:03:16,999 You have almost won the game. 57 00:03:17,292 --> 00:03:18,292 Okay? 58 00:03:18,501 --> 00:03:19,501 Why? 59 00:03:19,501 --> 00:03:21,999 Why is it just knowing just the IP address, 60 00:03:21,999 --> 00:03:26,792 the database vendor and the port number is good enough? 61 00:03:26,999 --> 00:03:33,999 That's because of this next thing, which is authentication and encryption. 62 00:03:33,999 --> 00:03:37,375 It's almost nonexistent or extremely weak. 63 00:03:37,918 --> 00:03:41,501 If you use many if not all NoSQL databases out there, 64 00:03:41,501 --> 00:03:46,292 if you take them out of the box, you take them out of the box, 65 00:03:46,292 --> 00:03:51,292 and administrative user, authentication turned off. 66 00:03:52,083 --> 00:03:53,751 Turned off. 67 00:03:53,751 --> 00:03:54,751 Okay? 68 00:03:54,751 --> 00:04:02,083 Even if they do support features such as encryption and auditing, 69 00:04:02,083 --> 00:04:10,751 not only do you have to turn them on yourselves, but also, the scheme 70 00:04:10,751 --> 00:04:13,584 is really weak. 71 00:04:13,999 --> 00:04:19,876 Because for example, among still uses MD5 in CouchDB. 72 00:04:19,999 --> 00:04:25,542 If you ever read the documentation of Mongo or Couch 73 00:04:25,542 --> 00:04:28,999 or Redis or Cassandra. 74 00:04:35,792 --> 00:04:37,876 We urge you to use this database system 75 00:04:37,876 --> 00:04:40,083 on a trusted environment. 76 00:04:40,083 --> 00:04:41,083 (Chuckles). 77 00:04:42,999 --> 00:04:45,751 That's from the documentation. 78 00:04:46,083 --> 00:04:47,667 Just read the documentation. 79 00:04:47,667 --> 00:04:48,999 It's quite mind boggling. 80 00:04:48,999 --> 00:04:51,876 Security is a complete after thought. 81 00:04:52,167 --> 00:04:58,083 How big is how big is NoSQL databases out there. 82 00:05:02,250 --> 00:05:05,083 If you do a search on Shodan, it's 40,000 instances 83 00:05:05,083 --> 00:05:08,999 of Mongo that are out there, it has and there are also 20,000 instances 84 00:05:08,999 --> 00:05:10,999 of Redis running. 85 00:05:10,999 --> 00:05:12,584 So it's a big deal! 86 00:05:12,999 --> 00:05:14,209 It's already there. 87 00:05:14,375 --> 00:05:18,459 So this is a these are homogenous issues that 88 00:05:18,459 --> 00:05:24,083 we have seen that affects all NoSQL databases. 89 00:05:24,417 --> 00:05:25,417 Okay. 90 00:05:25,417 --> 00:05:29,250 So there's a lot of chatter on this thing known as okay. 91 00:05:29,999 --> 00:05:32,792 NoSQL not only do I not need to know SQL anymore, 92 00:05:32,792 --> 00:05:36,209 but this whole problem that I think you guys might have heard 93 00:05:36,209 --> 00:05:39,167 of called SQL injection goes away. 94 00:05:40,792 --> 00:05:47,375 Actually, in my humble opinion, the injection problem has gotten worse. 95 00:05:47,375 --> 00:05:48,375 Okay? 96 00:05:48,709 --> 00:05:54,542 Now, okay, sure SQL injection is gone, but now we have three I say three 97 00:05:54,542 --> 00:05:58,999 different classes of injection attacks. 98 00:05:59,209 --> 00:06:00,209 Okay. 99 00:06:00,209 --> 00:06:01,334 One is called schema. 100 00:06:02,375 --> 00:06:05,792 Now, NoSQL databases, how they work, they are based 101 00:06:05,792 --> 00:06:08,375 off of dynamic data model. 102 00:06:08,417 --> 00:06:09,417 Okay? 103 00:06:09,417 --> 00:06:14,709 If you insert a record or if you create a if you create 104 00:06:14,709 --> 00:06:21,999 a database that doesn't exist, automatically create it for you, right 105 00:06:21,999 --> 00:06:24,125 on the fly. 106 00:06:24,209 --> 00:06:25,209 Okay? 107 00:06:25,209 --> 00:06:26,999 Yeah, it goes back to the original point that 108 00:06:26,999 --> 00:06:30,999 the NoSQL databases are really, really easy to use. 109 00:06:30,999 --> 00:06:32,999 It's very, very flexible. 110 00:06:32,999 --> 00:06:33,999 That's a good thing. 111 00:06:33,999 --> 00:06:38,125 Of course, a bad thing is, you know, you have flexible dynamic record 112 00:06:38,125 --> 00:06:40,292 and data entry. 113 00:06:40,292 --> 00:06:43,792 Also, if you can easily overwrite existing 114 00:06:43,792 --> 00:06:49,584 values for keys, very, very simply, last key wins. 115 00:06:49,751 --> 00:06:50,751 Okay? 116 00:06:50,751 --> 00:06:54,083 So I'm going to show you a few demos. 117 00:06:54,375 --> 00:06:56,792 Schema I will do last. 118 00:06:56,999 --> 00:07:01,167 You can do query, with many unsaved queries very simply 119 00:07:01,167 --> 00:07:05,834 by string concatenation and now this gem. 120 00:07:05,834 --> 00:07:06,918 I love this one. 121 00:07:06,918 --> 00:07:09,250 How many people are good at JavaScript here? 122 00:07:09,667 --> 00:07:10,999 Okay. 123 00:07:10,999 --> 00:07:11,999 Learn it! 124 00:07:11,999 --> 00:07:12,999 Okay. 125 00:07:12,999 --> 00:07:13,999 Learn it! 126 00:07:13,999 --> 00:07:22,083 It now a lot of these NoSQL databases, they have taken JavaScript functions 127 00:07:22,083 --> 00:07:27,792 as parameters to search and insert okay? 128 00:07:27,792 --> 00:07:31,209 And I will give you an example of using the where clause. 129 00:07:31,209 --> 00:07:35,999 Now, here, I am now going to give a quick demo 130 00:07:35,999 --> 00:07:39,792 on hopefully this works. 131 00:07:41,999 --> 00:07:43,209 Okay. 132 00:07:45,375 --> 00:07:47,375 Search by handle. 133 00:07:48,999 --> 00:07:52,918 So what I have done in this example is I have created 134 00:07:52,918 --> 00:07:55,792 a new search system, okay? 135 00:07:55,792 --> 00:07:58,834 There's a whole bunch of Twitter handles that I use 136 00:07:58,834 --> 00:08:03,626 by the Bloomberg terminal and I have actually stored 4,000 tweets 137 00:08:03,626 --> 00:08:05,083 in all. 138 00:08:05,125 --> 00:08:09,584 But let's say that I know that one of the Twitters 139 00:08:09,584 --> 00:08:14,459 on the Bloomberg handle is venture beat. 140 00:08:14,709 --> 00:08:17,999 I type in venture beat and hit search. 141 00:08:18,292 --> 00:08:22,334 This is a collection of all the news that's returned 142 00:08:22,334 --> 00:08:25,292 by venture beat, that has been tweeted 143 00:08:25,292 --> 00:08:30,125 out by venture beat for, I don't know, a few days. 144 00:08:30,542 --> 00:08:31,542 Okay? 145 00:08:31,542 --> 00:08:32,584 All right. 146 00:08:32,751 --> 00:08:33,999 Works well. 147 00:08:33,999 --> 00:08:34,999 CBS News. 148 00:08:37,999 --> 00:08:44,459 And so we have found 208 items. 149 00:08:44,459 --> 00:08:45,459 Okay? 150 00:08:45,709 --> 00:08:48,292 Now, how can we beat this system? 151 00:08:48,709 --> 00:08:52,918 One thing is, what we can do, if you want 152 00:08:52,918 --> 00:08:57,709 to see more records than you want, okay, and PHP 153 00:08:57,709 --> 00:09:04,417 is a very interesting beast working with Mongo databases. 154 00:09:04,417 --> 00:09:08,792 Let's put in for this query parameters known as search box, 155 00:09:08,792 --> 00:09:12,417 we add square brackets, dollar sign and E. 156 00:09:12,417 --> 00:09:17,999 And dollar sign and E in Mongo, means not equal to. 157 00:09:18,375 --> 00:09:22,292 You can use dollar sign and E to search for things that are not equal 158 00:09:22,292 --> 00:09:24,167 for something. 159 00:09:25,626 --> 00:09:28,876 What PHP does, any inputs that are 160 00:09:28,876 --> 00:09:34,083 within square brackets, they are automatically converted 161 00:09:34,083 --> 00:09:37,209 to an associate format. 162 00:09:37,209 --> 00:09:41,083 How will you read this is, okay so what this now this query 163 00:09:41,083 --> 00:09:47,209 will do, the original stuff I showed you was, okay, give me everything that 164 00:09:47,209 --> 00:09:50,584 is CBS News or venture beat. 165 00:09:50,667 --> 00:09:53,334 Now, what we just did is we just modified the query 166 00:09:53,334 --> 00:09:56,667 and we just changed it on the fly and we said, okay, 167 00:09:56,667 --> 00:10:00,792 give me everything that is not equal to CBS News. 168 00:10:01,459 --> 00:10:02,959 Hit enter. 169 00:10:04,167 --> 00:10:10,999 Now, we have all of these records, all of these news items that are 170 00:10:10,999 --> 00:10:16,667 from sources on Twitter that are not CBS News. 171 00:10:16,999 --> 00:10:17,999 Okay? 172 00:10:17,999 --> 00:10:19,999 We have returned back everything. 173 00:10:20,125 --> 00:10:21,751 So what's the culprit here? 174 00:10:21,792 --> 00:10:23,209 What's the culprit? 175 00:10:24,626 --> 00:10:32,626 So if I can show you the source, search by handle.php, and I'm going 176 00:10:32,626 --> 00:10:37,709 to show you the line, that one right there, 177 00:10:37,709 --> 00:10:46,292 "collection find array, search for screen name equals something." 178 00:10:46,626 --> 00:10:49,667 Now remember what I said, if you use square brackets 179 00:10:49,667 --> 00:10:53,999 for your query parameters those things will be in that will be translated 180 00:10:53,999 --> 00:10:56,375 into an associative array. 181 00:10:56,834 --> 00:10:59,042 What this will do will be the associated array 182 00:10:59,042 --> 00:11:02,999 will be screen name, arrow and the value will be in an array, 183 00:11:02,999 --> 00:11:05,584 an associative ray format. 184 00:11:05,751 --> 00:11:09,999 Not equal to as the operator and what did I use? 185 00:11:09,999 --> 00:11:10,999 I think I used CBS News. 186 00:11:12,292 --> 00:11:13,626 Okay? 187 00:11:14,250 --> 00:11:17,999 Now I'm going to show you an example of JavaScript injection. 188 00:11:18,626 --> 00:11:19,999 Okay? 189 00:11:19,999 --> 00:11:21,250 Search "hack me.php." 190 00:11:27,459 --> 00:11:30,918 Very, really plain looking box here. 191 00:11:30,959 --> 00:11:35,083 What you can't do I didn't give any directions on how to use this, 192 00:11:35,083 --> 00:11:37,999 but what we can do is this. 193 00:11:38,334 --> 00:11:41,209 We can actually use JavaScript functions. 194 00:11:41,209 --> 00:11:44,083 We will type in a few JavaScript functions. 195 00:11:44,250 --> 00:11:45,250 Function. 196 00:11:45,792 --> 00:11:46,792 Okay. 197 00:11:46,792 --> 00:11:50,083 Now let's say I want to return all the news items from, 198 00:11:50,083 --> 00:11:52,542 let's say NBC News. 199 00:11:52,542 --> 00:12:00,999 So we return this.screen name equals, equals and the string is going 200 00:12:00,999 --> 00:12:03,999 to be NBC News. 201 00:12:04,209 --> 00:12:05,626 Okay? 202 00:12:05,999 --> 00:12:11,834 Semicolon, close the statement, close the function and here we go. 203 00:12:12,584 --> 00:12:13,999 Return. 204 00:12:13,999 --> 00:12:14,999 Okay. 205 00:12:14,999 --> 00:12:16,459 This is what it's going to do. 206 00:12:16,459 --> 00:12:17,876 It will return all the news items that are 207 00:12:17,876 --> 00:12:19,834 from CBS News. 208 00:12:19,918 --> 00:12:21,918 But this is using JavaScript. 209 00:12:22,209 --> 00:12:23,626 Let's do one more. 210 00:12:23,626 --> 00:12:25,999 Let's do one more, which is pretty nice which is going 211 00:12:25,999 --> 00:12:27,999 to be function. 212 00:12:29,999 --> 00:12:30,999 Okay. 213 00:12:30,999 --> 00:12:32,626 Let's see if we get everything. 214 00:12:32,626 --> 00:12:36,999 Can we also do other mangling using JavaScript as well too? 215 00:12:36,999 --> 00:12:37,999 Sure! 216 00:12:37,999 --> 00:12:38,999 Why not? 217 00:12:38,999 --> 00:12:40,209 How about this one, this. 218 00:12:42,250 --> 00:12:43,709 Okay. 219 00:12:46,334 --> 00:12:49,918 Return this.text.we can do a regular expression matching. 220 00:12:50,083 --> 00:12:51,334 Okay? 221 00:12:51,709 --> 00:12:54,083 What we are going to search for is Apple. 222 00:12:54,999 --> 00:13:02,083 What this is going to do it's going to search for all the news items. 223 00:13:02,125 --> 00:13:04,959 All 4,000 plus records. 224 00:13:04,959 --> 00:13:07,083 Anything that has the word "apple" in them. 225 00:13:07,083 --> 00:13:08,083 Okay? 226 00:13:08,083 --> 00:13:10,375 Let's do some even more crazier things. 227 00:13:10,375 --> 00:13:23,751 We can also do this, function while one print more. 228 00:13:23,999 --> 00:13:31,417 Actually, I will put this in what this is going to do oops. 229 00:13:31,542 --> 00:13:32,999 Did I close? 230 00:13:32,999 --> 00:13:33,999 Nope. 231 00:13:33,999 --> 00:13:35,501 I'm missing one more. 232 00:13:39,709 --> 00:13:41,125 All right. 233 00:13:41,125 --> 00:13:42,125 Going. 234 00:13:42,125 --> 00:13:43,125 It's going. 235 00:13:43,125 --> 00:13:44,584 I'm going to stop this. 236 00:13:44,584 --> 00:13:46,167 You don't need this anymore. 237 00:13:46,292 --> 00:13:48,999 But what I can show you is this. 238 00:13:49,250 --> 00:14:00,083 If I SSH into the box, okay, probably going to get a password error. 239 00:14:02,709 --> 00:14:04,792 Oh, I didn't. 240 00:14:06,417 --> 00:14:07,876 Okay. 241 00:14:07,876 --> 00:14:08,876 CD/var/log. 242 00:14:08,876 --> 00:14:09,876 CDmongo db. 243 00:14:10,167 --> 00:14:19,959 See what did in Mongo in logs and more Mongo db.log. 244 00:14:19,959 --> 00:14:24,459 Oh, I don't like that. 245 00:14:24,459 --> 00:14:26,125 How about this one, how about tail. 246 00:14:29,417 --> 00:14:33,834 That was from you know, this is one result of using well, 247 00:14:33,834 --> 00:14:37,501 what you can do with, well if your query is based 248 00:14:37,501 --> 00:14:41,999 on in your injection is a JavaScript function. 249 00:14:41,999 --> 00:14:44,792 Now, I only have 20 minutes for this whole talk. 250 00:14:45,167 --> 00:14:50,959 What if you do this instead of PHP, if you use something like node, 251 00:14:50,959 --> 00:14:53,083 JS and express. 252 00:14:53,250 --> 00:14:54,501 Okay? 253 00:14:54,709 --> 00:14:58,459 Now, let's go back to the schema attacks. 254 00:14:58,459 --> 00:14:59,918 How about this one. 255 00:14:59,918 --> 00:15:00,918 I like this. 256 00:15:00,918 --> 00:15:02,083 I've got to show you this. 257 00:15:02,083 --> 00:15:04,417 So right now the server is at 19%. 258 00:15:05,250 --> 00:15:11,501 But what if what if if I run the script that I created using Ruby, 259 00:15:11,501 --> 00:15:17,626 okay, one of the nice byproducts, okay one of the nice byproducts 260 00:15:17,626 --> 00:15:21,667 of all of this, of schema attack, you know, 261 00:15:21,667 --> 00:15:27,999 of this whole dynamic model, okay, what it's going to do, I'm going 262 00:15:27,999 --> 00:15:33,501 to open up a word list of a Word list file, okay? 263 00:15:33,626 --> 00:15:38,292 And it's going to create a brand new database for each 264 00:15:38,292 --> 00:15:41,876 and every word in this file. 265 00:15:41,999 --> 00:15:44,417 One nice byproduct is you can exhaust 266 00:15:44,417 --> 00:15:47,709 the system resources on the server take up 100% 267 00:15:47,709 --> 00:15:49,584 of the space. 268 00:15:49,626 --> 00:15:50,709 Okay? 269 00:15:50,792 --> 00:15:55,083 So if you take a look, now oops. 270 00:15:55,083 --> 00:15:56,083 Not yet. 271 00:15:56,083 --> 00:15:57,083 Okay. 272 00:15:57,584 --> 00:15:59,626 We'll let this thing run. 273 00:16:00,167 --> 00:16:02,417 Let this thing run. 274 00:16:02,542 --> 00:16:03,667 Okay? 275 00:16:03,792 --> 00:16:04,999 All right. 276 00:16:04,999 --> 00:16:06,501 Heterogenous problems. 277 00:16:06,876 --> 00:16:10,459 Now, how many NoSQL databases there are? 278 00:16:11,334 --> 00:16:13,083 Too many to name. 279 00:16:14,999 --> 00:16:18,999 Different database systems, different NoSQL database systems 280 00:16:18,999 --> 00:16:22,834 and you are also dealing with different sets of term non, 281 00:16:22,834 --> 00:16:27,083 for example, Mongo, the whole idea of a table is a collection and 282 00:16:27,083 --> 00:16:30,876 the whole idea of a record is a document. 283 00:16:30,876 --> 00:16:34,542 It's completely different than Cassandra and Redis is just key value pairs 284 00:16:34,542 --> 00:16:37,083 and how about the results? 285 00:16:37,083 --> 00:16:38,999 I know different systems like, for example, CouchDB, 286 00:16:38,999 --> 00:16:42,417 they support different sets of outputs as well. 287 00:16:42,459 --> 00:16:47,167 Outputs that you can use JSON and binary JSON. 288 00:16:47,167 --> 00:16:49,667 What does it have to do with anything security? 289 00:16:49,999 --> 00:16:53,876 This infers this problem known as complexity. 290 00:16:53,959 --> 00:16:57,250 Now, in order to really understand the problem of NoSQL, you need 291 00:16:57,250 --> 00:16:59,999 to each and every documentation. 292 00:17:00,999 --> 00:17:05,999 Different systems, different features, different inputs and different outputs. 293 00:17:06,375 --> 00:17:09,125 Even MongoDB, some vendor specific items, MongoDB, 294 00:17:09,125 --> 00:17:13,501 Mongo DB, is tied to all the different interfaces. 295 00:17:13,999 --> 00:17:20,626 You can take a look at some really cool start up lab data 296 00:17:20,626 --> 00:17:25,250 and this local collection, okay? 297 00:17:25,250 --> 00:17:28,083 CouchDB, HTTP is actually opened by default. 298 00:17:29,125 --> 00:17:30,542 All right. 299 00:17:30,542 --> 00:17:34,999 So how do you actually protect yourself from so what does this all mean? 300 00:17:35,292 --> 00:17:37,584 How do you secure the NoSQL databases. 301 00:17:42,999 --> 00:17:46,876 It relies on the full perimeter security. 302 00:17:46,999 --> 00:17:49,999 It's really, really important. 303 00:17:50,083 --> 00:17:51,417 Okay? 304 00:17:51,751 --> 00:17:55,667 Configuration, if you want to make NoSQL databases work right, 305 00:17:55,667 --> 00:17:58,999 configuration is very important. 306 00:17:58,999 --> 00:18:02,125 You can't just take it out of box and sit back and use it right away. 307 00:18:02,125 --> 00:18:04,999 The whole issue of validation becomes very important. 308 00:18:04,999 --> 00:18:07,999 Not only are you validating inputs now. 309 00:18:07,999 --> 00:18:11,083 You have more things to validate in terms of inputs, 310 00:18:11,083 --> 00:18:13,999 including JavaScript functions. 311 00:18:13,999 --> 00:18:16,626 Hey, for output, you also have to validate the binary JSON 312 00:18:16,626 --> 00:18:18,626 and JSON as well. 313 00:18:18,876 --> 00:18:20,999 So validation becomes even more critical. 314 00:18:22,209 --> 00:18:24,083 What does it all mean? 315 00:18:24,709 --> 00:18:28,999 Look, back in the good old days, the only game in town were Oracle, 316 00:18:28,999 --> 00:18:34,709 my SQL and you can build any applications using that thing now. 317 00:18:34,709 --> 00:18:38,999 But now they are not the only games in town and you have systems such 318 00:18:38,999 --> 00:18:41,667 as Mongo, Redis, Couch. 319 00:18:41,667 --> 00:18:44,083 You've got to use the right database for the right job, 320 00:18:44,083 --> 00:18:46,542 for the right application. 321 00:18:46,584 --> 00:18:47,584 Okay? 322 00:18:47,626 --> 00:18:51,083 Yeah, so not only did you okay is so you can't just assume that SQL 323 00:18:51,083 --> 00:18:53,667 injection has gone away. 324 00:18:53,667 --> 00:18:56,083 In fact, there are many, many more opportunities depending 325 00:18:56,083 --> 00:18:59,417 on what database system that you choose. 326 00:18:59,709 --> 00:19:03,417 But the thing that really, really bugged the living hell out of me, 327 00:19:03,417 --> 00:19:05,999 of these things, right now NoSQL databases are 328 00:19:05,999 --> 00:19:09,250 completely brand new but we have a problem right now with, 329 00:19:09,250 --> 00:19:13,125 A, we have technologies completely deployed naively. 330 00:19:13,125 --> 00:19:14,375 They are just out there. 331 00:19:14,375 --> 00:19:19,459 Especially if you believe the hands of developers, okay, we will not get hit. 332 00:19:19,459 --> 00:19:20,999 We will just put it out there. 333 00:19:20,999 --> 00:19:23,083 No, that's not the way, how it works. 334 00:19:23,667 --> 00:19:26,250 So now you have the technologies being deployed 335 00:19:26,250 --> 00:19:30,999 naively, and one last thing, a lot of people use NoSQL databases so we 336 00:19:30,999 --> 00:19:36,167 can get away from the whole idea of a database administration. 337 00:19:36,167 --> 00:19:38,999 Well, the DBA, death of a DBA had been greatly, 338 00:19:38,999 --> 00:19:41,999 greatly exaggerated because now, you have 339 00:19:41,999 --> 00:19:47,250 they have even more there's even more opportunities out there. 340 00:19:47,250 --> 00:19:49,083 You just have to read the documentation and, you know, 341 00:19:49,083 --> 00:19:52,250 for what this database system would support. 342 00:19:52,417 --> 00:19:53,584 Okay? 343 00:19:53,709 --> 00:19:55,709 So those are my points. 344 00:19:55,709 --> 00:19:57,209 And that's all that I have. 345 00:19:57,209 --> 00:20:00,083 Let's see if this thing actually just run. 346 00:20:00,501 --> 00:20:01,501 Nope. 347 00:20:01,501 --> 00:20:02,501 Still running. 348 00:20:02,501 --> 00:20:03,501 Still running. 349 00:20:04,209 --> 00:20:05,709 Still running. 350 00:20:05,709 --> 00:20:07,209 I don't know what happened to it. 351 00:20:07,209 --> 00:20:12,167 But what it will do, this thing will just exhaust 100% 352 00:20:12,167 --> 00:20:17,999 of the disk space on the server that I have. 353 00:20:17,999 --> 00:20:19,250 So that's all I've got. 354 00:20:19,459 --> 00:20:20,459 Okay? 355 00:20:20,459 --> 00:20:21,709 Thank you guys, so much. 356 00:20:21,709 --> 00:20:22,709 Thanks a lot.