Re: SERVICE_CLASS parameter is SID_DISC in listener.ora

DA Morgan wrote:
> Vladimir M. Zakharychev wrote:
> > DA Morgan wrote:
> >> hypermodest_at_gmail.com wrote:
> >>> Vladimir M. Zakharychev wrote:
> >>>> hypermodest_at_gmail.com wrote:
> >>>>> Hello.
> >>>>> Does anybody have *any* information about SERVICE_CLASS parameter? What
> >>>>> does it mean and which values it can accept?
> >>>>> Thanks in advance.
> >>>> Where did you see it being used in listener configuration? Which
> >>>> value did it have? Why do you want to know other possible values
> >>>> for it? Which Oracle version? Which platform? Do you experience
> >>>> any issues with this parameter being set or it's pure curiosity?
> >>> I'm reverse engineer and I'm clearly see how Listener checks SID_DESC
> >>> branch for SERVICE_CLASS parameter. By the way, default value for it is
> >>> just "ORACLE". Checked versions: at least 8.0, 8.1.7, 9.2.*, 10.1.*,
> >>> 10.2.*. Platforms: at least windows/x86 linux.
> >>> I'm security researcher and one my another question is directly
> >>> connected with this parameter. That's why I'm looking for any info.
> >> I would strongly urge you to have your attorney read your Oracle
> >> license and explain it to you. Make sure you have sufficient funds
> >> to cover a retainer given what you just wrote.
> >
> > As you may be aware, in some legislations reverse engineering
> > is not prohibited under some circumstances and any explicit
> > prohibition of RE in a license agreement is waived. Things change
> > in this area following the pressure from software vendors, but
> > some countries still allow RE regarless if it's prohibited in the
> > license agreement. Speaking more generally, isn't the whole
> > point of science to reverse-engineer the universe? Do gods and
> > deities prohibit reverse-engineering their creations? :)
> >
>
> Some countries allow murder too as long as you kill the "right" people.
> I don't know where the OP is. But I'd bet someone at Oracle is looking
> into it right now.
> --
> Daniel A. Morgan
> University of Washington
> damorgan_at_x.washington.edu
> (replace x with u to respond)
> Puget Sound Oracle Users Group
> www.psoug.org

Not some - all. When you're at war, you are allowed, even obliged to kill anyone belonging the enemy camp. And instead of being prosecuted, you are awarded. Unless you've mass-murdered too many civilians, and even in this case you can get away if you can prove that it was unintentional or justified ("I just dropped that A-bomb, how would I know it would kill so many civilians? I didn't even see any of them. And they deserved it anyway. What was the name of the place? Hiro-something?" or "Let's just kill a LOT of civilians. If we kill many enough, maybe they will just give up. Here, look, let's bomb this Hamburg until it looks like Moon's surface...") Sorry, offtopic.

Let me ask you this: how do you think security researches find bugs in software, including Oracle software? Not without help of RE, that's for sure. Are they all criminals then?

And another question: assume no white hats RE Oracle code being afraid of legal actions against them and all security bugs go unnoticed and unreported. Black hats, who clearly have criminal intent, will eventually find those bugs and will use them to their advantage without letting anyone know. If they break into your databases using some 0day exploit for a bug Oracle didn't know about because no white hat found and reported it being afraid of legal action taken against her, who will you blame? Prohibiting RE is another way of hiding your faults. "If nobody can legally find them then they do not exist. And if somebody finds them - we will sue them. As of the customers... well, the license agreement clearly defines boundaries for our liability, which is none." I love software business - you can sell crap for hard cash and if it doesn't work you say "hey, we told you it can malfunction, we are not responsible for any damage our software caused to your business. We may fix it in the future, but this will cost you some extra as we don't fix bugs for those without support."

regards,

    Vladimir M. Zakharychev
    N-Networks, makers of Dynamic PSP(tm)     http://www.dynamicpsp.com Received on Fri Jun 23 2006 - 03:46:34 CDT