Oracle-L: Re: how can I best quantify my level of disgust? (oracle alert #68)
Probably I should not have even posted the hint that I did,
that led Mladen to deduce the exploit. I've kept quiet for
months (hard to do, btw), and I figured it was fair-game to
speak now that the patch has finally been released. This is
all new to me. The whole process for dealing with exploits,
for reporting them and speaking, or not speaking, about them
is completely foreign to me. It didn't occur to me to hold
off for a few weeks, to give people time to apply the patch.
Lesson learned. I'm sorry if I've indirectly caused others
grief.
Best regards,
Jonathan Gennick --- Brighten the corner where you are http://Gennick.com * 906.387.1698 * mailto:jonathan@gennick.com
Join the Oracle-article list and receive one article on Oracle technologies per month by email. To join, visit http://five.pairlist.net/mailman/listinfo/oracle-article, or send email to Oracle-article-request_at_gennick.com and include the word "subscribe" in either the subject or body.
Thursday, September 2, 2004, 8:50:27 PM, Paul Drake (bdbafh_at_gmail.com) wrote:
PD> Mladen,
PD> Respected professionals do not publish exploit code prior to the
PD> patches being widely deployed.
PD> This was not the forum in which to post such code.
PD> This was not the time to post such code.
PD> I am not defending Oracle dragging their feet on releasing the
PD> patches, or in not identifying a gaping hole in a new feature. I am
PD> not criticizing your abilities to write code, use perl or use wit.
PD> I am angered due to you making this issue (alert #68) now larger for me.
PD> I have been busy attempting to test these patchsets for 3 releases on
PD> 2 platforms.
PD> Did you read the article where David Litchfield was interviewed?
PD> He does not publicly disclose exploit code until after the fixes have
PD> been available long enough for people to apply them. He had to change
PD> his presentations due to Oracle not releasing patchsets sooner. That
PD> is responsible, professional behavior, and it helps him to avoid
PD> litigation. He is a white hat.
PD> Pete and Jonathan also did not reveal exploits (up to this point, that
PD> I know of).
PD> You now make me wish that this list was moderated.
PD> Please don't post the exploit code on comp.databases.oracle.server.
PD> Not everyone would have been able to deduce the exploit code from what is known.
PD> You have effectively brought the exploit into the script kiddie realm.
PD> Fortunately, your exploit code only affects 10.1.0.2, and not the
PD> other releases.
PD> If you come up with exploits for the other versions, please don't post
PD> them here or in other public forums. Share it with Pete, Jonathan, David
PD> Litchfield - but I would personally prefer that you share it with Mary
PD> Ann Davidson or whomever else handles such issues for Oracle - through
PD> the channels. Metalink, OTN, etc.
PD> Steve, if I am overstepping my bounds, treat me appropriately, but
PD> this was not professional behavior as stated in the email that I
PD> received today when I changed accounts. It's not my place to moderate -
PD> but Mladen really messed up this time - IMHO.
PD> And it affected me.
PD> Paul
PD> Paul Drake
PD> bdbafh_at_gmail.com
PD> ==========================================================
PD> Re[2]: PeteFinnigan.com Oracle advisory for bugs in dbms_scheduler ( alert #68)
PD> * From: Jonathan Gennick <jonathan_at_xxxxxxxxxxx>
PD> * To: "Gogala, Mladen" <Mladen.Gogala_at_xxxxxxxx>
PD> * Date: Thu, 2 Sep 2004 16:16:23 -0400
PD> Well, the whole world knows now...
PD> Best regards,
PD> Jonathan Gennick --- Brighten the corner where you are
PD> http://Gennick.com * 906.387.1698 * mailto:jonathan@xxxxxxxxxxx
PD> Thursday, September 2, 2004, 12:00:41 PM, Gogala, Mladen
PD> (Mladen.Gogala_at_xxxxxxxx) wrote:
GM>> What annoys me the most is that the bug is so trivial
GM>> that it should have been discovered during the beta test.
GM>> You and Pete didn't specify how exactly it is possible, probably
GM>> out of the goodness of your heart, so I did a little investigation
GM>> of my own, and discovered that Oracle10g allows
PD> ---
Received on Fri Sep 03 2004 - 07:44:31 CDT