Re: Public announcements of SQL Security Vulnerabilities

From: Ernest DeVore (devore_ernest@hotmail.com)
Date: 07/31/02


"Chris Wood" <chris.wood@gov.ab.ca> wrote in message
news:euC8XBxNCHA.2680@tkmsftngp09...
> BP,
>
> What I am questioning is that the exploit script appears so early after the
> fix is issued. Is a few hours an ethical amount of time? Remember that the
> internet is always on and a fix and exploit code could be published after we
> finish work and before we start again the following day or even over a
> weekend.
>
> The current set of comments all seem to think that we should thank our lucky
> stars that the exploit code does not appear before the bug is fixed.

It's the old saw. Ignorance is bliss but it doesn't make the problem go
away.

If you go into the hacker forums and websites you'll find that they all love
to talk about what they've done and impress each other with their
brilliance. That's human nature. They all share their information and those
exploits are known in the hacker communities for quite a while before some of
the good guys who watch those communities pick up the information and bring it
to the public eye.

By the time you see an exploit I can guarantee you that the top 10% of hackers,
which are the truly motivated and Type-A personalities, already know about
it. By publishing the exploit and example source code you're letting in the
rest of the slow dogs, but you're also alerting us hard-working DBAs who don't
have time to browse all the hacker communities out there. There are five other
DBAs at any given time wanting my job. I don't want my competence to be called
into question by something as silly as a buffer overrun exploit I'd never heard
about but that some hacker used to bring my systems down.

I thank the SQL gods every day for those websites that go forth into Indian
Territory to bring us the bad news.

/E
