I have just checked Jim's post on egroups and I was mistaken. Jim's post does contain download instructions for the fix, which means that the fix was available when the problem was revealed. I apologize for this.
Where is there any reference to this? They actually waited until after Christmas and had a patch in place before releasing any information, and after repeated attempts to contact Borland.
You can find Jim Starkey's post archived on the IB-Architect list at egroups. The post appeared before the fix was published.
And if someone had found the exploit while the patch was being distributed (not unlikely: you get a patch from Borland with instructions to install it urgently. Your database works fine now. Why bother)?
It is not uncommon for security hot-fixes to be issued with no detailed explanation of the problem they fix. There's a good reason for this. The chances of someone else discovering the problem *and* exploiting it, before the fix had been distributed and applied, would have been minimal and IMO worth taking.
And that's the Firebird team's fault how? If there are still people out there who aren't willing to take the effort to watch the accepted security advisory mailing lists then they deserve what they get.
Of course it's not Firebird's fault. In most cases the customers are responsible for their own actions (or in this case, lack of action), but we have to take reality into account too. Interbase is widely used as an embedded database; many customers might not realize that they have an Interbase server running on their system. The majority of non-IT companies have no knowledge of CERT and the like and they will never hear of the problem unless their supplier notifies them. Heck, I would even claim that most IT companies don't know about CERT. I work at the largest Interbase VAR in my country and I'm sure our company doesn't read CERT alerts. We must presume that the security alert is meant as a benefit to the users of the affected systems. If the majority of the users benefit most from a delayed alert, I think it should be delayed. Naturally I'm just speculating here - I can't say for sure what most users do or want.
They hated them sooo much they went out of their way to provide binary patches when the patch that was released by Borland was a non-patch. And they even attempted to contact them at all. They could have just gone to CERT with the advisory, Borland be damned. Borland looks like a criminal for putting a backdoor in their software and the Firebird team look like saviours. No extra effort needed.
I can't really understand your point here. Are you saying they shouldn't have or didn't have to make the patch because that was Borland's responsibility? Nobody has complained about Jim's patch and nobody has said they shouldn't contact Borland. Your statement about the backdoor indicates to me that you haven't understood the intended purpose of the backdoor, but that might just be me misunderstanding you, so never mind. Oh, and btw, from what I've read, Borland's patch is actually more secure than Jim's. I'm not claiming that there's anything wrong with Jim's patch. One doesn't have to be wrong for the other to be right.
So petty bickering is more important to Borland than their customers' security.
Please don't put words in my mouth. Borland got the message and acted on it. This whole situation could have been handled better by both sides and they both seem to be getting their act together now. Maybe this whole fubar will clear the air between them. My original post came as a reaction to the, in my eyes, completely one-sided discussion of this situation.
What's the bet that sys admins around the globe are considering ditching all Borland software because it can no longer be considered trustworthy.
For those who have read more than the headlines, I would say the chances are minimal.
Your attempts to hack a Borland database show more your lack of knowledge than any real proof that the security hole wasn't all that bad.
What's your point? I haven't claimed to be a security expert or to have done extensive tests and analysis on this problem. I have worked with Interbase since version 4 and know it very well. I told you of *my* experience in the hope that someone could tell me I was right or wrong. Just assuming that I'm a lying incompetent bastard doesn't do anybody any good.
I think I would trust the knowledge of people who actually hack the software over a poster on slashdot with a very large user id (=> recently registered) and having only posted once (=> someone from Borland with sour grapes?).
What's the purpose of trying to discredit me? I've told of my observations and my opinions. You can disagree with me, but they are still my opinions. Would you rather have me shut up and just hear one side of the story? I don't get it.
True, I haven't posted on /. before because there hasn't been anything for me to post about before, but does that automatically mean I can't be trusted? Most of the people you say you would rather trust also just registered on /. for this discussion.
Instead of attacking me, you could have asked for references; I would have been happy to supply them.
I do not work for Borland and never have (can't you tell English isn't my native language?), but I'm an active member of the Delphi community. I have chosen to remain passive and lurking in the Interbase community because of the issues I have spoken of. I won't be part of a community which bites the hand that has fed it (and has fed me through Delphi).
That's it for me on this issue. I've said my piece.
P.S. Jim Starkey has just issued a formal apology to Charlie Caro, Borland, on the IB-Architect list. Kudos to Jim for this.
Yeah, the IBPhoenix/Firebird guys are real heroes. We have a lot to thank them for:
* They (Jim Starkey) revealed the backdoor to the public before a fix was in place. They didn't reveal the actual username/password, but they made it very clear where, how and what to look for. After that most people found it in no time.
* Either they panicked or saw this as their chance for 15 minutes of fame. Given that this backdoor has gone unnoticed, and presumably unexploited, for years, they could have worked with Borland to come up with a solution and had this solution distributed to the customers before the problem was publicised. The majority of Interbase sites are end-users who do not read CERT alerts, /. or the Interbase and Firebird newsgroups and mailing lists. These sites are screwed now.
* Presumably they *did* try to work with Borland, but who did they send to make the contact? The people in the IBPhoenix/Firebird community who hate Borland the most and who use every chance they get to harm Borland: Ann and Jim. That Borland refused to speak with them can hardly come as a surprise to them given their common history during the last year. If my company were the target of Ann and Jim's attacks, I too would forbid all contact with them.
* They (Jim again) repeatedly insult and slander Borland and the people who work or have worked on the Interbase development team, thereby making cooperation between Interbase and Firebird close to impossible. They don't seem to care that if they succeed in making Borland and Interbase look bad, they will probably scare the existing, paying, Interbase users away, leaving Interbase/Firebird with a fraction of the popularity it has now.
* They have made sure that Borland will think twice before they ever release another of their products as Open Source. Borland has received nothing but bad will from the IBPhoenix/Firebird community since the source was released (and even before that). People seem to forget that in reality they don't have the right to claim anything from Borland. Interbase is Borland's property and they should be grateful for anything they get for free. Borland could have deep-sixed Interbase but they didn't. Is IBPhoenix/Firebird happy about that? Oh no, they are mad at Borland because Borland *might* have deep-sixed it. Ann and Jim had their chance with Interbase a long time ago and they sold it of their own free will. Yet Jim continues to behave as if it's still their database and that all the improvements that have been done to it since then are crude, unworthy hacks made by the incompetents at Borland. If I had believed a fraction of the negative propaganda I've read on the Interbase-Architect list (used primarily by Firebird), I would have abandoned Interbase long ago and moved to Oracle or MS-SQL.
That said, yes, the backdoor is a security flaw, it shouldn't have been there in the first place and even though I don't know the details of what problem it was supposed to fix, it was evidently a stupid solution.
It would have been nice if the implications of the backdoor had been analyzed before the problem was publicised. The CERT alert and the biased description on the interbase2000 site make the problem sound like a doomsday machine, but from what I have been able to determine, what one can actually do through the backdoor account is quite limited. I have been able to attach to an Interbase server and retrieve meta-data, but that's it; I have *not* been able to view, insert, delete or modify data, I have *not* been able to create, modify or delete meta-data and I have *not* been able to add, modify, drop or execute stored procedures. There *are* reports that some people have been able to crash the database process by attempting some of these operations. If that's the scope of the security problem, I personally can live with it.