
Re: SERVICE_CLASS parameter is SID_DISC in listener.ora

From: joel garry <joel-garry_at_home.com>
Date: 23 Jun 2006 11:58:05 -0700
Message-ID: <1151089085.321358.215860@b68g2000cwa.googlegroups.com>

Vladimir M. Zakharychev wrote:
> Brian Peasland wrote:
> > Vladimir M. Zakharychev wrote:
> > > Brian Peasland wrote:
> > >>> Speaking more generally, isn't the whole
> > >>> point of science to reverse-engineer the universe? Do gods and
> > >>> deities prohibit reverse-engineering their creations? :)
> > >> Since when did reverse-engineering proprietary software become
> > >> "science"? Maybe the OP should try the above arguments at his defense
> > >> trial....
> > >>
> > >> Cheers,
> > >> Brian
> > >>
> > > Define the term "science" then. You seem to be falling into
> > > the same trap Don Burleson did with "Oracle scientists." :)
> > > By the way, some call reverse-engineering an art... Irrespective
> > > of the target. But of course, common sense has nothing to do
> > > with modern copyright laws and software license agreements.
> > > Which is not to say that I do not obey the laws I don't like.
> > > Dura lex, sed lex.
> > >
> > > Regards,
> > > Vladimir M. Zakharychev
> > > N-Networks, makers of Dynamic PSP(tm)
> > > http://www.dynamicpsp.com
> > >
> >
> > My definition of science can be found here:
> >
> > http://www.athabascau.ca/html/services/advise/geninfo.htm#science
> >
> > Typically, the body of work is for one of the accepted
> > sciences....mathematics, biology, chemistry, physics, etc.
> >
> > One could use the definition of science found on Wikipedia:
> >
> > http://en.wikipedia.org/wiki/Science
> >
> > where, in its broadest sense, science is a systematic, repeatable
> > process used to gain knowledge. But even this definition has at its
> > foundation, the understanding that science is gathered through
> > "research" (http://en.wikipedia.org/wiki/Research) where the results of
> > that research contribute to practical applications through laws and
> > theories.
> >
> > Reverse engineering (RE) is more taking something apart to see how it
> > works. RE applies to one specific product. Taking a Honda Accord apart
> > to see how it works does not give you immutable facts on how all motor
> > vehicles work. All RE has done in this case (and in the OP's case) is to
> > see how the specific instance of something works. While one could apply
> > scientific methods to their process, how does this contribute to the
> > body of science as a whole? Even if scientists use RE to figure out how
> > something works, they would not create laws and theories based on the
> > results of the RE effort. They would need something more to convert
> > their theories into laws and theorems. While RE is a tool a scientist
> > uses, by itself, it is not science.
> >

>

> Well, your arguments are of course valid, RE is not a science,
> but a scientific tool. This being agreed upon, does Honda
> prohibit disassembling their engines? Don't think so. Copy
> them - yes, that's prohibited, but simply taking them apart to
> see how they work and possibly repair them if they don't work
> as they should or look for potential problems?

Interesting example, as some other Japanese automobile companies filched other automakers' designs - to the point that internal engine parts were interchangeable. Copying parts is only prohibited by patent law - which varies by jurisdiction, in duration, details, and by treaties.

>

> Further, if knowledge is gained through research, then how does
> software security research differ from any other scientific
> research? And reverse-engineering is an integral part of
> this research. After all, we are not interested in theoretic
> flaws possible in software. We are interested in specific
> bugs in widely used software which pose real-world problems
> and endanger its users. Applied science, but still science.

Agree it can be an applied science using the scientific method. Whether it is used that way is problematic. There have certainly been non-scientific hacks.

>

> That RE applies to one specific product I disagree, too. That it
> can be applied to one specific product doesn't limit its application
> to that specific product only. You can RE any other software
> product using the same systematic approach and tools.
> You can even use certain patterns to detect problematic
> code without reverse-engineering the whole product. Actually,
> definition of such patterns and creation of the tools that
> apply them to detect flaws in software is an academic
> research topic.

Agree that it is a worthy academic research topic. Personally, I think the bigger crime is making legitimate research a crime.

>

> On practical side - would you rather know that the flaw exists
> and the vendor works on/has a fix for it or pretend that there
> is no flaw and wait until some black hat discovers it and uses
> it to wreak havoc or steal information from your system? RE is
> not evil, RE of commercial proprietary software isn't evil
> either - it keeps pressure on its vendors to improve their
> products and fix dangerous defects in them. And I simply
> can't imagine a black hat openly announcing in c.d.o.* that
> he's trying to crack Oracle software - unless it's some very
> smart social engineering attempt. :)

This is where things get hinky. I know _I_ want to know how the blackhats will get into my systems, before they do get in. I know _I_ don't trust Oracle to fix things in a timely manner, not to mention Symantec, F-Prot (who I've idolized for years, by the way), etc.

It becomes a fundamental issue - do you let people know, and how and when? There have been accusations that security researchers are simply self-promoting by publishing these things. Whether true or not, that has verisimilitude. There is no denying that there are script-kiddies who otherwise wouldn't do these things without being spoon-fed. Shouldn't DBAs have the same opportunities on their own systems? Making reverse-engineering illegal really doesn't help - that's one of those things that hurts the good guys more than the bad, and since there is no World Government it can get silly. But the plain fact is, it is illegal in some places, and violates Oracle's adhesion contract everywhere contract law is subscribed to.

As to keeping pressure on the vendors - there certainly is validity to that since any economic pressure is too little too late... but do you think forcing out production patch code under pressure is going to lead to a better code situation? Do you really think releasing the attack to the black hats before the vendors patch is the right kind of pressure? Doesn't that unfairly transfer pressure to customers? And how can you know if anyone is a black or white hat anyways? Maybe there's a bunch of guys standing in a circle taking their hat off and putting it on the next guy...

As to cdos... I guess you haven't been paying attention, there have been some very stupid social engineering attempts. There are also periodic questions where it is groaningly obvious some student thinks he can write better code in his fantasy world, and doesn't know about the Concepts Manual. Everyone's a security researcher, riiiiight...

jg

--
@home.com is bogus.
"...to write on the web itself, not on a web page. Disappear from any
central location; instead, inhabit the web as a sort of spirit. My
personality, commentary, reflections, stories, notions popping up on
other web sites." - Justin Hall
Received on Fri Jun 23 2006 - 13:58:05 CDT