Kung Hei Fatt Choy

Happy Chinese New Year...the year of the dog. I would guessed that most folks would have followed the debate between David Litchfield and Oracle. It's a shame, really. I don't like the fact that the security researchers are releasing details of vulnerbilities immediately after a patch release much less before they are fixed.

Yeah I know the logic behind it and that the hard-cored hackers already know about the vulnerbilities, etc. The fact remains that the customers (like my employer) are at risk and will be at greater risk now that it is guaranteed that every hackers and lackeys know about the vulnerbility. What is this about Alex K releasing a version 2.0 of his rootkit where

"The new version will allow attackers to disguise malicious elements without modifying the database views, Kornbrust said. Also, evidence of the hack will disappear whenever the database is restarted, Kornbrust said."

Okay, what is the purpose of the rootkit, then? This is akin to saying that you are designing a tool (not for the sole purpose of destroying or killing someone) but never did put in the necessary safeguards to ensure that the tool cannot be misused by accident (at least guns have safety locks that has to be dis-engaged before they can be fired). Can my employer sue Red Database Security if the rootkit was utilized by a hacker to cover their tracks after setting up backdoors and data logger?

Edited: Feb 2/06
As RN pointed out in his comment, that I had misunderstood the nature of rootkit. My apologies and my thanks to RN. I've edited the entry to clarify what I really meant to say. My original statement was "Can my employer sue Red Database Security if the rootkit was utilized by someone to hack into their databases?" which was totally incorrect as the nature of a rootkit

Oracle Jan 2006 Patch & Exploits publication

As many of you very well know, Oracle released its Jan2006 CPU on Jan 17th and almost immediately after, Alex of Red Database Security released details of exploits of 5 of the bugs fixed in the latest patch plus Impreva also released details of another exploit of a bug fixed in the patch.

Okay, it's fine to release the exploits in get credit or whatever knowledgement but come on, we (Oracle customers) are in a bind as now we have to get the patches applied as quickly as possible and hope that we are not exposed while trying to apply the patch to all the databases within our organization. This is damm irresponsible of Alex and Impreva! Impreva can forget about getting any business from my organization now and in future. We are essentially put in a position of being at risk if we don't apply the patch sooner or at the risk of something else breaking by applying the patch without fullly testing to ensure that existing critical applications still works.

Grrrr!

New Oracle Q&A "repository"

Eddie Awad recently launched his new Oracle Q & A site which generated some strong opinions from Howard Rogers and others but Tom Kyte and others are for the new site.

I, myself, think that it is great that there is yet another resource for the Oracle community to go to for answers but I can see validity in the points that Howard had made. It would be nice to able to identify the versions that these "tips" applied to but I think, regardless, that it is prudent for each individual to actually test and verify these "tips" before applying them to their environments. "Trust but Verify" is a very good motto to live by in our Oracle world as is evident from lots of other sites that still posts advice and/or tips that are either no longer valid or are very specific to unique situations.

On the other hand, David Aldridge has to deal with an interesting problem where one of his article was published word for word on another blog without permission (although there was acknowledgement that David was the source). In this case, I would request that the blogger remove the entry and provide a link unless he (the blogger) was providing an extract of David's article. I actually peruse that blog and didn't like some of the articles and entries as they listed tips/articles that are no longer valid or very specific to unique environments/situations.

New US law slipped through under unrelated bill

ZDNet News has an interesting article on a new bill just signed into law in the US. Apparently this was bundled in with an unrelated bill and now make it a criminal offense to "annoy" someone online without divulging your real identity and is punishable by up to two years in prison.

If true, then Google is going to be busy with legal requests/subpoenas asking for the identities of various folks who frequent the c.d.o.s. Usenet groups as well as anyone involved in online forums/blogs where their identity are unknown or anonymous.

Now, it didn't say whether the bill is retroactive to past postings. I would suspect not and nor do I understand what the implications are to non-US residents like myself. For example, if you are not based in the US but uses a US-based service (e.g. Google), are you then subject to this new law?

I think it would be purdent to keep an eye/ear on how this will progress via the Electronic Frontier Foundation as they definitely will have updates on the implications/cases of this new bill.

2005 - Year in review

Looking back on 2005 (Wow! 5 years after the Y2K fiasco), it seems to be the year of natural catastrophic disasters (the Tsunami, Katrina, South Asia Earthquake) but there's more.

On the Canada front, we were faced with politic scandal and corruption under the Liberal government which eventually led to a political first (the Opposition tabling a vote of non-confidence) and the Liberal minority government was brought down. We also have the legalization of same-sex marriages. The push is on to legalize marijuana but not before the US managed to have the Canadian authorities arrest a leading proponent for selling marijuana seeds over the Internet to US citizens.

On the family front, we welcome our third baby girl who came 10 weeks earlier than expected and gave us a good scare. Thankfully everything is working out and she's now almost 11 months and healthy.

On the work front, it's dealing with security and people-related issues that was keeping me busy. Started this blog to provide an outlet for me to vent but it has turn to something more. Got into some pretty interesting "debate" with certain Oracle folks and also made a lot more acquitances/friends in the Oracle community.

Here's to 2006 and the new challenges that it brings. Happy blogging!