Oracle 9i Isn't Quite Unbreakable
BillTheKatt writes: "The formerly (as in a couple of weeks) "unbreakable" Oracle 9i has been found to be vulnerable to a Denial Of Service bug. ... Thanks [H]ardOCP for the link to the Article At SiliconValley.com.
For more information see the official notice on SecurityFocus. More proof that Microsoft does not hold a monopoly on bugs. And of course a black eye to Mr. Larry 'Big Mouth' Ellison. I'm still waiting for my network computer, Larry."
Why would any admin put their database server out on the open internet, exposed to this anyway? Databases should be kept behind firewalls, where it's safe.
The difficulty may be asymptotic to infinity, but it never hits the "unbreakable" axis.
/. really needs to revamp their whole moderator system. I post info (not like the dribble I posted above) and get modded down 3 times for being redundant?!? Hello, just because someone posted a similar reply 4 seconds before I hit "submit" doesn't mean I'm redundant, it means I type slower.
Now for my beef-
As some other poster has in his/her sig, the more good comments you write the greater the chance you get modded down! (Gee, how long until this post gets "offtopic" (even though the first paragraph deals with the topic) or flamebait (for speaking about the bias that occurs here)?)
Hint for newbies, always LOVE Linux, always HATE Microsoft, be ambivalent about Mac OS X, and speak a lot of "Elite" words like symmetric anal rapings- 'cause you would be in jail And I mean IN
Vote monkeys into Congress. They are cheaper and more trustworthy.
Nobody in their right mind declares software to be unbreakable. It is just like in science, even after the closest scrutiny all you can say about a theory is: "Not YET disproven". Even after the closest scrutiny you'll say about the program: "not yet broken". Because no matter how much review you did, there could be someone smarter then you.
More proof that Microsoft does not hold a monopoly on bugs.
Oh, the self-righteous smarminess of chauvinists everywhere. If we needed more proof that Microsoft does not hold a monopoly on bugs, one need only look at any major open-sourced project. The Changelog for the Linux kernel, for instance, documents beaucoup bugs that users were living with on their OS (forget about their DB, which as someone else pointed out is most likely stashed away behind a firewall anyways). Why does such bugginess there not bear the same level of ridicule?
You'd think they'd be a big hit with the Slashdot set seeing as they boot Linux with X off a CD, and have Ethernet, USB, a modem and VGA support built in, all for $200. I guess lame jokes predicated on them not existing are more fun.
You're still waiting for his network computer? It's been out for years, and he's actually making a profit off it. www.thinknic.com
A buffer overflow on a DB server isn't as deadly as on a web server or other offered public services.
If the perimeter defense is set up properly, the DB should never be directly accessible from the Internet (unless some abnormal setup). Just for information, for those web applications driven by a DB, I prefer to have a different subnet behind the web server using the internal IP address, so the DB is only accessible through the Web server (from the Internet). Any overflow attacker will have to go through the Web server and then the DB server.
Having said that, there is still risk for internal attack (not to mention that a lot of security risk comes from inside). So a quick patch is still very necessary.
I have had a few sites that require access from business partners through VPN to directly access the DB. I see this as a high threat and try my best effort to guard it. Especially because you cannot have a proxy type of filter from another vendor to screen the content (such as e-mail and web). IDS and firewalls will not catch a lot of the direct attacks. So, the best way to allow access to the DB is still via an indirect method (such as letting business partners use a web interface to access data).
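The segmentation that the two posts above argue for (the DB behind a firewall, on its own subnet, reachable only from the web server, with business partners limited to the web interface rather than a direct VPN path to the listener) can be written down as a first-match firewall policy and checked before it is deployed. The following is an added example, not code from either poster: a small Python policy evaluator over constructed addresses (the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 and the private subnets 10.20.30.0/24 and 10.99.0.0/16 are assumptions), using the default Oracle TNS listener port 1521. The `exposed_sources` helper lists which source networks any allow rule grants to the DB tier, which is the quick audit a practitioner would run after editing the rule set.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the three-tier layout described in the post (assumptions).
INTERNET = ipaddress.ip_network("0.0.0.0/0")
WEB_DMZ = ipaddress.ip_network("203.0.113.0/24")       # public-facing web tier (TEST-NET-3)
WEB_SERVER = ipaddress.ip_network("203.0.113.10/32")   # the one host allowed to talk to the DB
DB_SUBNET = ipaddress.ip_network("10.20.30.0/24")      # private DB tier, never routed from outside
DB_SERVER = ipaddress.ip_network("10.20.30.5/32")
VPN_POOL = ipaddress.ip_network("10.99.0.0/16")        # business-partner VPN clients

ORACLE_LISTENER = 1521   # default Oracle TNS listener port
HTTPS = 443


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]    # None means any destination port
    action: str             # "allow" or "deny"

    def matches(self, src, dst, dport):
        return (src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


# First-match policy: most specific rules first, explicit default deny last.
POLICY = [
    Rule(WEB_SERVER, DB_SERVER, ORACLE_LISTENER, "allow"),  # only the web tier reaches the listener
    Rule(VPN_POOL, WEB_DMZ, HTTPS, "allow"),                # partners use the web interface
    Rule(INTERNET, WEB_DMZ, HTTPS, "allow"),                # public service is the web server only
    Rule(INTERNET, DB_SUBNET, None, "deny"),                # nothing else touches the DB tier
    Rule(INTERNET, INTERNET, None, "deny"),                 # default deny
]


def evaluate(policy, src, dst, dport):
    """Return the action of the first rule matching (src, dst, dport); deny if none match."""
    src_addr = ipaddress.ip_address(src)
    dst_addr = ipaddress.ip_address(dst)
    for rule in policy:
        if rule.matches(src_addr, dst_addr, dport):
            return rule.action
    return "deny"


def exposed_sources(policy, target, dport):
    """Static audit: source networks of allow rules that can reach `target` on `dport`.

    Because the policy is first-match, an earlier deny can still shadow an allow
    listed here; the function is a review aid, not a replacement for evaluate()."""
    found = []
    for rule in policy:
        if rule.action != "allow":
            continue
        if rule.dport not in (None, dport):
            continue
        if rule.dst.overlaps(target):
            found.append(str(rule.src))
    return found


if __name__ == "__main__":
    # Constructed sample connections: an Internet client, the web server, a VPN partner.
    checks = [
        ("198.51.100.7", "203.0.113.10", HTTPS),          # Internet -> web server
        ("198.51.100.7", "10.20.30.5", ORACLE_LISTENER),  # Internet -> DB listener
        ("203.0.113.10", "10.20.30.5", ORACLE_LISTENER),  # web server -> DB listener
        ("10.99.4.2", "10.20.30.5", ORACLE_LISTENER),     # partner VPN -> DB listener
        ("10.99.4.2", "203.0.113.10", HTTPS),             # partner VPN -> web interface
    ]
    for src, dst, port in checks:
        print(f"{src} -> {dst}:{port}  {evaluate(POLICY, src, dst, port)}")
    print("sources allowed to the DB tier:", exposed_sources(POLICY, DB_SUBNET, ORACLE_LISTENER))
```

If `exposed_sources` ever returns more than the single web-server host for the listener port, the rule set has drifted from the design the post describes; that is the condition to alert on in a change review, independent of whether a particular listener bug is patched yet.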