
Re: Interesting MetaLink notice

From: Mladen Gogala <gogala_at_sbcglobal.net>
Date: Sun, 05 Feb 2006 14:07:27 -0500
Message-Id: <1139166447l.4369l.1l@medo.noip.com>

On 02/05/2006 01:17:26 PM, Jared Still wrote:
>
> It seemed very interesting as Litchfield has grown increasingly
> frustrated with Oracle regarding the patching of serious security
> holes.
>
> Oracle's response to this is rather more candid than what is
> usually seen, and seems to indicate Oracle's increasing frustration
> with Litchfield.

Just with David. They seem to be fine with Niall.

>
> Questions that arise from this, and have certainly arisen a number
> of times previously to this:
>
> * If the only people that know about these security holes are researchers
> that devote considerable time to finding these holes, what is gained by
> releasing the info before the patches are available? (no known exploits
> for most of these have been found in the wild)

The answer to that is rather simple: by releasing the exact techniques, one increases the danger of the actual exploit being created and, therefore, increases the pressure on the software company to fix the problem. Software companies can rather persistently decline to fix the problem, even to the point where one company's refusal to do so gave birth to an entire industry of anti-virus software.
>
> * Is this just a ploy by Litchfield to gain publicity, or is it
> one-upmanship among security researchers? I mean no disrespect to
> Litchfield, but the question must be asked.

Of course it is. By locking horns with Oracle, David Litchfield has created a name brand for himself. Why would that be a problem? After all, as a DBA, I am interested primarily in the security of my databases. If there are holes, I tend not to question the motives of the people exposing them, I just want those holes to be fixed - yesterday. Gosh, it feels good to be able to say that!

>
> Litchfield released a workaround for this hole, but it has not had the
> extensive testing that Oracle must do before releasing a workaround to
> be applied to http.conf.

Hmmm, judging by the software quality of 9.2.0.5 and 9.2.0.6 (the patch for CRS in the 9.2.0.6 patchset was actually downgrading the software), Oracle should invest a little bit more in testing. Outsourcing didn't help with instilling confidence, either.

> The state of Oracle security has been somewhat questionable as of late.

And they don't seem to be willing to fix the holes in a timely fashion, either.

>
> Some of Litchfield's frustration is understandable, as some flaws in Oracle
> have been uncorrected for literally years after they were notified of the
> problems.

It's not just frustration. It's an opportunity. He can make some money and become a name brand. After all, that's what all of us have been doing for a long time. Why would that be wrong when David Litchfield is in question and not when Larry Ellison is?

>
> Frustration on the part of the lowly DBA increases as well.
>
> Here we are, applying non trivial patches (which sometimes need to be
> done twice if you are an unfortunate early adopter), knowing full well
> that there are known issues that are not addressed by the patch.

Well, databases are usually behind a firewall and accessed from an application server. If there is a person in the company that I'm working for who can make a Java program using WebLogic to break into my database and see what it shouldn't see, and all that without being explicitly granted access to the database, I'd recommend him to the management as a new DBA. He would be much better than me, probably equally as good as Jonathan Lewis, Cary Millsap or Tom Kyte. In that case, I've run into my better and can only humbly accept my fate. The probability of that happening in a small marketing company in Fairfield, CT is negligible. This lowly DBA is not overly concerned, as the measures to defeat the possible intruders are complex and many, and there isn't much to gain by successfully breaking into the company.

>
> Even those problems that are addressed by security problems are
> not always corrected, requiring only a small change in the exploit
> to get around the security 'fix'.

Software companies, not just Oracle, simply love the concept of "security through obscurity", which is not one of my favorites. I think that David Litchfield is enormously useful in making Oracle Corp. more responsive.

>
> Gotta go now, breakfast is ready. :)

Now, that's the attitude I like!

-- 
Mladen Gogala
http://www.mgogala.com

--
http://www.freelists.org/webpage/oracle-l
Received on Sun Feb 05 2006 - 13:07:27 CST