Oracle Database 10g given away for free

Brilliant move by oracle - while not cannibalizing their existing customers
(by restricting the product somewhat), but upskilling 1000's of people in
their software - many of whom will have future purchasing authority.

http://www.oracle.com/technology/software/products/database/xe/index.html

 

This was publiished on the 28th of last month
http://www.securityfocus.com/brief/28
A research paper released this week spells out weaknesses in the password mechanism
for Oracle databases and describes how to break system passwords in
minutes.

A number of decisions made by the database maker weakens the password
algorithm, according to Joshua Wright of the SANS Institute and Carlos Cid
of the University of London. Passwords in Oracle databases use the account
name to randomize the password hashing process, converts all characters to
uppercase letters and uses a fairly weak hashing algorithm, the two
researchers said in the paper.

and this is the pdf detailing the above vulnerability
http://www.sans.org/info/911/


this was published 02/11 (presumably this morning our time)
http://www.securityfocus.com/brief/32
An Oracle worm posted to the Full-disclosure mailing list on Monday may be
harmless now, but with the source code available it may not stay that way.

The worm scans local subnets looking for other database servers, and then tries
various common username and password combinations. If this succeeds, a
table 'x' is placed on the server and the cycle is repeated. With the
source code in the wild, it is trivial to change this table creation to
something less benign.

Oracle has been criticized in the past for its lax response to security
issues, and given the company’s prior slogan of being "Unbreakable" this
worm shows the importance of acting swiftly on vulnerabilities, before
they become widespread problems.


The source code to the worm can be found here
http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038290.html


enjoy

 

Interesting, but I'm not sure how this relates to Oracle giving away it's
software for free?

 

Not sure if it is brilliant or desperate....Oracle bought some software
"critical" to Mysql, which is generally seen as a move to curtail
mysql's growing market share.

GPL (or similar licence) databases are coming....like MS and Linux the
next battleground becomes the applications on top of the OS, databases
are expensive and are a prime candidate for the good enough market.

Oracle charges silly amounts for its software, something like $40k per
cpu, ditto MS's SQL.

Mysql on the other hand and a few others are free or just about free and
you can buy support if needed and will do 50%+ of what most databases
are used for.

It will be interesting to watch........

regards

Thing

 

LOL!!! That's really funny!!!

Mentioning MySQL and Oracle in the same breath shows a complete lack
of understanding of database technology.

 

Shane understands that commercial companies giving away solid,
commercial software renders open source irrelevant, and are therefore
a threat.

Those that are not prepared to pay for quality commercial software no
longer have to turn to the products made by hobbyists in their spare
time.

Well done Oracle, I say.

 

You think MySQL is made by hobbyists? Sure, it may not be in the same
league as Oracle, but it's a commercial company who pays their
developers to develop their open source database products.

http://www.mysql.com/company/jobs/

It is quite interesting that Oracle is doing this though. However, you
can only use the free version on smaller databases (4GB of user data in
total) but still very interesting.

 

I wasn't talking about MySQL specifically in that comment, although
re-reading it I can see how it could be interpreted that way with my
comment elsewhere regarding comparing mySQL and Oracle, which is a bit
of a joke. I was more commenting in general - some posters here appear
to be very against commercial software being free, as it erodes what
htey see as the competitive advantage of open source software - ie
that it is free (as in beer).

MySQL is a great, fast, lite little DBMS. Better yet, it's free in
many situations. Oracle is the holy grail high-end enterprise-level
and above DBMS. Both are good, and both definately have their place.
However, there is no place for comparisons between the two.

A very interesting move. I wonder if Microsoft will make Access free
in response? Which, of course, is about what it's worth, but that's a
different thread... ;-)

 

I _think_ that the very same day that Oracle announce their software
giveaway, is the day Oracle makes it to Security focus' frontpage because
someone (in their omnipotent wisdom) has released source code for a
working worm
As can _clearly_ be seen by the articles I quoted from, all that is
required for the worm to become malicious is to change the payload, so
instead of making table x, shellcode (for example) is inserted

The _smart_ thing to do is to wait a few days for Oracle to respond to the
flaws reported, and to patch them accordingly, or declare the 10g
unaffected
And _then_ download the products (saving a possible double-up)


I do like how you turn a "heads up" into something personal though HOG, I
have to say it really does show the strength(or lack there of) of your
argument(s)
Is this because youre a complete moron?


You really have to wonder about some people

 

I think the implications speak for themselves, wait a week or two to see
if the free products are affected ... then download

 

Well I don't really care. They will patch this eventually I would suppose.
Just like microsoft.

Surely if your machine is firewalled and you are only using this within the
'intranet' then there is no problem right?

 

It is simply a worm that "scans for common username/password
combinations". That's not a vulnerability, that's a slack DBA.

No, you posted those links in an attempt to discredit Oracle. Nice
attempt at a backtrack, though.

That's not the first time you've called me "HOG". Google Groups just
told me WTF you are on about, and I see that a while ago another
poster by the name of "HOG" also disagreed with you. I guess in your
black and white world that makes us the same person. Quite comical,
actually, and kind of proves my point.

For the record, however, I am not "HOG".

Hmm, personal abuse. Why don't you show the strength(or lack there of)
of my argument(s) by actually addressing them for a change, rather
than resorting to your usual abuse?

That you do.

 

He he if you want to run 500 million dollars in annual sales through MySQL
then go for it.

 

Did you perchance see the *other* vulnerability?
Yes, the one where the system users password is considered *extremely*
vulnerable?

I beg your pardon, I posted those links as a heads up, nice try at putting
words into my mouth...again

Funny how you present your arguments *precisely* as he did
gosh..

Riiiiiiiiiight

er.. you saying you werent engaging in personal abuse.. nice retract

Shall I actually address them by calling people commies?
Or should I go quiet when asked to back up my comments?
http://groups.google.co.nz/group/nz.comp/msg/25eada714c22ce66?hl=en&
http://groups.google.co.nz/group/nz.comp/msg/19af15928d64f4e9?hl=en&
http://groups.google.co.nz/group/nz.general/msg/2d06991d1fc2a066?hl=en&

 

Whatever. Someone said "Look, Oracle's giving something away for
free". You, probably not even knowing who Oracle are, replied with
"Yea, but look!! Vulnerabilities!!". [Verbatim].

Sounds like an intelligent fellow.

Really, though, Shane, you are inconsequential. If you want to call me
hog, go right ahead. All it does is make you look like an idiot, since
I'm obviously not him.

I stated an opinion. Rather than addressing and debating that opinion,
*you* resorted to abuse. As usual.

Yes, you are right. I get bored sometimes trying to discuss things
with idiots and trolls who don't understand that people can have
opposing views, and sometimes just walk away.

Prime example:
http://groups.google.co.nz/group/nz.general/msg/2d06991d1fc2a066?hl=en&

This at the end of a thread when I have responded to posts you have
made that have really illustrated your black and white mind set by
pointing it out to you, only to be told to spend _my_ time coming up
with these examples - that I have directly pointed out each time!! And
in the same post you ask why I haven't given up in frustration and
walked away! And now you're making comments on the fact I did just
that!!!! Get with the programme, boy.

Bye, now.

 

Ooo look, snipped away the other links, the ones where you cant show a
single *instance* of your claims


Ah look, I posted factual goings on related directly to the OP to which
*you* respond

How is this _not_ a personal attack, how is this even remotely rebutting
my post, how is this intelligent?
In fact, this shows you *think* everything is an attack on your precious
*commercial companies*
You really have to grow up boy, this is the big bad world, mums not here
to look after you, and when theres an alert posted on security focus the
very same day Oracle releases a product, the _smart_ people wait for it
to a) patched, or b)declared unaffected
ps who funds Securityfocus?.. symantec ring any bell?.. nah cant be..
theyre a commercial organisation

Heres the funny thing, only 4 days ago I was posting about phpbb being a
security nightmare
Gosh.. does that mean Im anti OSS??????

Youre pathetic "Not Dave", and your little war is doing nothing
In fact..heres the best way to see the end of it
*plonk*

 

Hello Not,

msde (much better than access) is free and imsvho better than that primitave
version of mySQL that i played with, although i would say that - having sold
my soul to microsoft and all that ...

the only good thing about mySQL is its shit-easy to install, copy the executable
- msde (cut up version of sqls) involves an installer

now now.. be nice..

i have seen some highly polished programs done in access, of course the first
thing i said when i saw them was 'will i be converting this to .net' but
that is beside the point.

to thoes intrested the answer to my question was 'definately no'

 

Yeah eventually.. with something like this you'd hope sooner rather than
later

The 'ideal' testing situation would have to be a standalone machine,
with no network connections, the next step up would be a machine behind
another machine acting as a firewall, and limiting outbound as well as
inbound

Definitely for testing purposes have a good look at it, just keep in mind
all the 'gotchas' should you like it and want to take it to production
level

 

Hooray!!!!

 

True, actually.

Actually, the best thing about mySQL is that it a very lite and fast
DBMS designed to work on pretty average hardware. It lacks anything
resembling an "advanced" function, but is perfect for web stuff (small
to medium sites).

Obviously it's nowhere near the same league as Oracle, or even MSSQL.

See, I don't think Access is a suitable basis for commercial software,
and hence I have a hard time giving a good rating to software
utilising it. Just my opinion, of course, but it is somewhat, um,
flakey?