Slashdot Mirror


Oracle Zero-Day Flaw Project Cancelled

Benny Folds writes "Cesar Cerrudo of Argeniss has suddenly cancelled plans to release daily zero-day flaws in Oracle databases during the first week in December. Just days before the project was due to start, Cerrudo announced that 'due to many problems,' the WoODB (Week of Oracle Database Bugs) is being scrapped. He did not elaborate on the reasons for the cancellation."

61 comments

  1. oracle by crushkill · · Score: 4, Funny

    he probably wanted to focus more on family issues, since it's Christmas season

    1. Re:oracle by icebike · · Score: 3, Funny

      Or equally likely, the mysterious packet slipped under his door at
      midnight with pictures of his loved ones photographed through
      that sniper scope sort of changed his priorities.

      Why is that same white van parked across the street again...

      --
      Sig Battery depleted. Reverting to safe mode.
  2. They didn't cancel the project! by Anonymous Coward · · Score: 2, Funny

    The fully patched oracle backend to their web server crashed and it just appears the project is off.

  3. LOL by 1001011010110101 · · Score: 4, Funny

    1. Start a security consulting firm
    2. Request 0 day vulnerabilities from everyone for an event
    3. Cancel Event
    4. Profit!

    1. Re:LOL by Josh+Lindenmuth · · Score: 3, Insightful

      Seems like this was his plan from the beginning. I can't imagine he would risk his clients' security by releasing all these bugs ... he already got tons of publicity from /. and elsewhere.

      --
      Huh? Don't mind me, I'm just the new guy.
    2. Re:LOL by Anonymous Coward · · Score: 2, Insightful
      I can't imagine he would risk his clients' security by releasing all these bugs ...

      It may surprise you to learn that some of us pay security consultancies to find bugs in software we use. I don't really care if they then spray them all over milw0rm or keep them quiet for use in their next pen-test; I can make an informed decision on whether to use it, and if so, what sort of controls to include to cover the risk.

    3. Re:LOL by rs232 · · Score: 2, Insightful

      1. Start a security consulting firm
      2. Request 0 day vulnerabilities from everyone for an event
      3. Get threatened with litigation
      4. Cancel Event

      "[We] do not credit security researchers who disclose the existence of vulnerabilities before a fix is available. We consider such practices, including disclosing "zero day" exploits, to be irresponsible as they can result in needlessly exposing customers to risk of attack ", Eric Maurice

      "Oracle might have caught a break with Cerrudo but the upcoming release of a hacking handbook by database security guru David Litchfield .. titled The Oracle Hacker's Handbook .. promises an in depth examination of all the techniques and tools that hackers use to break into Oracle database servers"

      --
      davecb5620@gmail.com
  4. If only by vga_init · · Score: 3, Funny

    If only they would cancel the production of flaws too. :-/

    1. Re:If only by Barryke · · Score: 1
      But .. that's what the article already said:

      "Cesar Cerrudo of Argeniss has suddenly CANCELLED PLANS TO RELEASE DAILY ZERO-DAY FLAWS in Oracle databases during the first week in December."

      I'm thrilled. Still sticking with mySQL though.
      --
      Hivemind harvest in progress..
  5. Mission Accomplished by Salvance · · Score: 2, Interesting

    Sounds like he got what he wanted: publicity and a response from Oracle (hopefully with some better responsiveness to bugs on their part in the future). Why anger his clients if he has already received the desired response?

    --
    Crack - Free with every butt and set of boobs
  6. With good reason by SuperKendall · · Score: 4, Funny

    One reason may have been the scary looking bearded dude holding a samurai sword staring at him through the window every day...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:With good reason by bill_mcgonigle · · Score: 5, Funny
      This isn't too hard to figure out. Look at the announcement retraction page. See that field of seemingly unimportant binary numbers in the background? Run it through OCR and take the digits as sets of 16-bit big-endian numbers, and you come up with the following numbers: 17,21,39,76,203,230,238,245,279. Now, look at the letters at each of those positions in the announcement and you get:

      The Week of OracLe DAtabase Bugs

      We aRe sad to announce that due to many pRoblems the Week of Oracle Database Bugs gets suspended.

      We would like to ask for apologizes to people who supported this and were reallY excited with the idea, alSo we woUld likE to thank the people who contributeD with Oracle vulnerabilities.


      Coincidence? Yeah, sure.
      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:With good reason by Anonymous Coward · · Score: 0

      Where is the "announcement retraction page" you are referring to?

    3. Re:With good reason by thue · · Score: 2, Informative

      http://www.argeniss.com/woodb.html I am guessing - I am still trying to figure out how he got the numbers out of it.

    4. Re:With good reason by genooma · · Score: 1
    5. Re:With good reason by Anonymous Coward · · Score: 2, Interesting

      Has to have been a joke. The first five digits -do- make 17, but then you have to skip a digit (a 1) and the next series will also make 21 (note that both 17 and 21 are palindromes in binary). After that, though, you have to do some hunting to find a series of digits that will make 39. I stopped looking at that point.

    6. Re:With good reason by jackspenn · · Score: 1

      You are a regular Dan Brown.

      --
      Respect the Constitution
  7. Fear Him! by ill_conditioned · · Score: 0, Flamebait

    Goes to show that while Microsoft, the RIAA, the MPAA, and the other big boys will just throw cease and desist letters and lawyers at you, Larry Ellison will skip that and just fuck you up. Have you SEEN that guy? He eats nails for breakfast.

    1. Re:Fear Him! by udderly · · Score: 4, Funny

      Have a look--it's obvious that this guy's a homicidal maniac.

      From the main page:

      It's an old joke in Silicon Valley. Q: What's the difference between God and Larry Ellison? A: God doesn't think he's Larry Ellison.

    2. Re:Fear Him! by Capt+James+McCarthy · · Score: 2, Informative

      "Goes to show that while Microsoft, the RIAA, the MPAA, and the other big boys will just throw cease and desist letters and lawyers at you, Larry Ellison will skip that and just fuck you up. Have you SEEN that guy? He eats nails for breakfast." You don't become a [B,M]illionaire by being nice. All of those organizations/people will knock you off if you threaten their profits. It's cheaper than court and easier today.

      --
      There are no loopholes. It's either legal or it's not.
    3. Re:Fear Him! by Anonymous Coward · · Score: 0

      He looks like an Angry Uncle Rico (Napoleon Dynamite).

    4. Re:Fear Him! by Anonymous Coward · · Score: 0
      Goes to show that while Microsoft, the RIAA, the MPAA, and the other big boys will just throw cease and desist letters and lawyers at you, Larry Ellison will skip that and just fuck you up. Have you SEEN that guy? He eats nails for breakfast.

      Now, Larry..! We talked about this talking about yourself in the third person in our last session, remember? And I thought we'd agreed that you'd keep the physical threats out of my office? If there's something you'd like to bring to the group, I'm sure we'd all like to hear it -- when it's your turn.

      That's OK, Larry, that's my job.

      Please, carry on, Taco.

    5. Re:Fear Him! by funfail · · Score: 1
      He eats nails for breakfast.

      Fingernails or toenails?
  8. Larry Ellison by Cally · · Score: 3, Interesting

    ...probably made him an offer he couldn't refuse.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    1. Re:Larry Ellison by djdavetrouble · · Score: 1

      +11 insightful.
      He is after all, made of money...

      --
      music lover since 1969
    2. Re:Larry Ellison by Anonymous Coward · · Score: 0

      A million dollars to spend a night with his wife?

  9. The two thugs who visited his family by stox · · Score: 3, Funny

    had nothing to do with it. They were just trying to let him know about a new life insurance plan.

    --
    "To those who are overly cautious, everything is impossible. "
  10. So has he by Timesprout · · Score: 2, Interesting

    provided details of these supposed exploits to Oracle yet?

    --
    Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
  11. Two words.... by 8127972 · · Score: 2, Insightful

    ..... Lawsuit threat

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
    1. Re:Two words.... by LurkerXXX · · Score: 2, Interesting

      Yup. Most likely.

      It'd be a shame if he put his list of flaws in an Oracle Database running on the net... and someone hacked it and published them anonymously...

      It wouldn't be his fault at all, so he'd be immune from their lawsuits at that point, and still get them out there.

  12. Paid by waTR · · Score: 0

    It is obvious that he got something from Oracle (especially with the recent news about its lack of security). This is simply a case of damage control by Oracle. Cannot really blame them for it, it is war after all.

    --
    Huh? [devShell.org]
  13. PS3? by TheRealBurKaZoiD · · Score: 1

    He must've been one of the few people fortunate to snag a PS3 during the Black Friday rush...

  14. Beware of Larry by Anonymous Coward · · Score: 0

    Nobody f@%#s Larry, Larry f@%#s you... fakesteve.blogspot.com/2006/10/die-red-hat-die.html

  15. I think the phone call went like this by User+956 · · Score: 4, Funny

    Cesar Cerrudo of Argeniss has suddenly cancelled plans to release daily zero-day flaws in Oracle databases during the first week in December.

    I think the phone call with Oracle went like this: "Hi, Is this Cesar? Yeah, this is Oracle. We found a suitcase full of money, we think it belongs to you."

    --
    The theory of relativity doesn't work right in Arkansas.
    1. Re:I think the phone call went like this by jonnythan · · Score: 3, Funny

      More like "We found a suitcase full of these funny red sticks with clocks attached. Where did your wife park her car today?"

    2. Re:I think the phone call went like this by Anonymous Coward · · Score: 1, Funny

      Will the security researcher be driving his usual car home tonight?

    3. Re:I think the phone call went like this by Tim+C · · Score: 2, Funny

      Probably more like "We have a room full of lawyers, we think they'd like to talk to you".

    4. Re:I think the phone call went like this by Anonymous Coward · · Score: 0

      More like "We found a suitcase full of these funny red sticks with clocks attached. Where did your wife park her car today?"

      On Main street in front of McDonalds. Please hurry!

  16. Cancelled due to lack of poverty by 192939495969798999 · · Score: 3, Funny

    "Due to this new lack of poverty, er I mean bugs, the oracle bug project has been cancelled."

    --
    stuff |
  17. Oracle by RAMMS+EIN · · Score: 4, Insightful

    Considering the hostile position Oracle takes when it comes to publishing benchmark results, I would not at all be surprised if they had an even more hostile position regarding publishing vulnerabilities.

    --
    Please correct me if I got my facts wrong.
  18. after what happened to the head of Siebel... by SuperBanana · · Score: 2, Funny

    One reason may have been the scary looking bearded dude holding a samurai sword staring at him through the window every day...

    Seems a reasonable concern, given we all know what happened to the head of Siebel.

  19. The Truth.. 6 bugs just won't cut it.. by madsheep · · Score: 3, Funny

    Well it's obvious why it had to be cancelled guys. When you have a week that's 7 days long and you can only come up with 6 bugs, you've got to cancel the thing. Imagine the embarrassment of starting on Sunday.. getting to Saturday and being one short.

  20. Simple by Billosaur · · Score: 4, Funny

    Larry Ellison assured him there were no flaws in Oracle.

    --
    GetOuttaMySpace - The Anti-Social Network
  21. the database by BSAlert · · Score: 2, Funny

    I heard his gold level support expired and his database system crashed and he couldn't recover the list of bugs.

  22. Unbreakable when in court by Anonymous Coward · · Score: 2, Insightful

    This is obviously due to legal threats from Oracle towards Cerrudo.

    It's not as if database hacking isn't still the easiest way to compromise a server.
    The DBAs are angry about 0-day exploits being released as they don't want to do what they are paid for: Keep the server current.
    Oracle is angry because it makes them look worse than their competition, which is maybe even true. Hey... the database is widely known for its complexity and we techies all know how much security and complexity like one another.
    Finding 7 non-exposed Oracle security bugs is not even a challenge!

    --
    Wil

  23. I thought that Oracle has zero-days already... by mikelang · · Score: 1

    I thought that Oracle has a number of unpatched zero-days already.

  24. Justified by SuperKendall · · Score: 1

    Now in that case I'd say Larry was perfectly justified, having had to work with Siebel in the past...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  25. just because? by edis · · Score: 0

    yep, because the aim of the project itself was pretty shitty - why not write a nicely designed letter to Oracle before THIS THING's anniversary?

    Peace,

    --
    Servant of karma
  26. His bug database crashed by Bright+Apollo · · Score: 2, Funny

    Maybe we should create a communal top-ten?

    1) His Oracle XE database of bugs crashed
    2) He looked on Metalink and found them all listed under "fixed in 11g"

    et al...

  27. I want to learn from the pros! by TheSpatulaOfLove · · Score: 2, Interesting

    I am simply amazed by the Oracle sales force. These guys must tell an amazing story when they make the final presentation to big wigs, because they land multi-million dollar contracts and promise the world...always to fall very short of the intended outcome.

    Every single company I've worked for or interacted with that chose to go with Oracle has been driven into the ground during the roll-out and for months, sometimes years after the fact with system failures. I've actually seen a few go completely out of business and many employees who were let go cite Oracle implementation as the beginning of the end.

    I've lovingly adopted a new name for Oracle. I call it "Fish-eye". It focuses on one thing and everything else is blurry - That one thing? Ruining successful companies.

    1. Re:I want to learn from the pros! by Angvaw · · Score: 2, Informative

      Yeah, the Oracle Database totally destroyed eBay, Amazon, The Sims Online, World of Warcraft...

    2. Re:I want to learn from the pros! by TobiasS · · Score: 1

      This type of stuff typically happens when you buy into overzealous DBAs that want to transform your DB into an app server instead of just treating it as a place to store your data properly.

      I am sure back in the day a fair amount of overselling was going on as well which can break your wallet with Oracle.

  28. Re:2 words by suggsjc · · Score: 1

    Isn't that three? When did "and" or "&" stop being a word?

    --
    When I have a kid, I want to put him in one of those strollers for twins and then run around the mall looking frantic.
  29. Finally by professorfalcon · · Score: 1

    Can we call bullshit now?

  30. List of exploits was stored in... by belphegore · · Score: 2, Funny

    Obviously, his list of exploits to be published was stored in an Oracle DB, which got hacked.

  31. How Lame. by kiwioddBall · · Score: 1

    Slag off Oracle and its security record, and then back down without giving a reason. It is OK to slag off Oracle but when you back down it is OK not to give reasons?

    Weak.

    That said, perhaps he took the sensible line and told Oracle about any flaws he may have had, they will fix them and the consumer wins.

  32. you have no idea... by Anonymous Coward · · Score: 0

    I was married to an Oracle sales weasel for eight years - that job is the next best thing to hitting the lottery! They get paid multi-six (some seven) figures to sell software most of them don't know the first thing about. If they make their quota they get a free trip (w/spouse) to Hawaii (usually, though Banff & Whistler have been in the mix lately) - we were on Maui (courtesy of Oracle) on 9/11. I could tell some serious stories from those trips... I occasionally heard them talk about "technical" issues and just had to bite my tongue to keep from laughing.

    good work if you can get it...

  33. Receptionist: Cesar, Mr Ellison is on line 1 by sp3298622 · · Score: 4, Funny

    L: Cesar, listen, there are no vulnerabilities in Oracle - cancel your show
    C: No bugs!? You're kidding, I have had so many submissions, I might have to extend it to a month!
    Receptionist: Cesar, your wife is on line two, something about the power at home being off, do you want to take it now?
    C: Just a sec, I am giving our old buddy here the low-down
    L: As I was saying, there are NO vulnerabilities
    C: what are you talking about, I just said...
    Receptionist: Cesar, it's Bobby on line three, he's asking if it's ok if he goes and plays with this new friend he met?
    C: What new friend? he's home sick today! I'll take it in a minute.
    L: So about those vulnerabilities, you sure about that?
    C: Larry, you must be living in LA LA Land, what don't you understand?
    Receptionist: Cesar, it's your mom on Line four, she's saying thanks for arranging the nice social worker and he's going to take her for a quiet relaxing walk.
    C: social worker? I don't remember anything about that, ask her to ...
    L: Cesar, I don't think you understand.
    C: I don't understand?! You are the one who doesn't understand, I am going to disclose every single...
    Receptionist: Cesar, your dad just called to ask where exactly is that restaurant he's supposed to meet you at for lunch at 12?
    C: Lunch? I am going to see him tomorrow for dinner..
    L: Optimistic fella you are ol' Cesar.
    C: hmm, well actually now that you mention it, there weren't really that many submissions.
    L: Well, are we still on for Golf then?