eWeek Security Watch
November 29, 2006 1:06 AM

Oracle Zero-Day Project Cancelled



UPDATED: Cesar Cerrudo has suddenly cancelled plans to release daily zero-day flaws in Oracle databases during the first week in December. Just days before the project was due to start, Cerrudo announced that "due to many problems," the WoODB (Week of Oracle Database Bugs) is being scrapped.

Cerrudo, founder and CEO of Argeniss Information Security, did not elaborate on the reasons for the cancellation, but it is likely the result of (legal?) pressure from some quarters.

Database administrators absolutely detest the release of zero-day exploits because it means additional trouble and work, and it's no stretch to imagine that Cerrudo's customers -- many are security firms that deal with angry DBAs -- weren't exactly pleased with his planned project.

Oracle used its official security blog to comment on Cerrudo's project, lashing out at the "irresponsible" nature of releasing information on unpatched vulnerabilities.

Here's Eric Maurice, Manager for Security in Oracle's Global Technology Business Unit:

"[We] do not credit security researchers who disclose the existence of vulnerabilities before a fix is available. We consider such practices, including disclosing "zero day" exploits, to be irresponsible as they can result in needlessly exposing customers to risk of attack ... We closely monitor the publication of such "zero day" to assess the reality of the threat they pose, communicate our findings to our customers, and potentially issue a security fix through the Critical Patch Update or Security Alert mechanisms."

Oracle might have caught a break with Cerrudo but the upcoming release of a hacking handbook by database security guru David Litchfield is sure to cause some agita in Redwood City.

Litchfield's book, titled The Oracle Hacker's Handbook and due in January 2007, promises an in-depth examination of all the techniques and tools that hackers use to break into Oracle database servers.

UPDATE:

Cerrudo offers an explanation of sorts on the Daily Dave mailing list:

Believe me I'm not happy at all with cancelling WoODB.

Oracle didn't contact me at all, I expected that, they just don't care.

The only intention of WoODB was to kick Oracle's ass, showing how their products suck and that they don't care about security.

We have many 0days... Argeniss can stand everything, we are not afraid of big vendors and pressures, but what Argeniss can't stand and will never let happen is a customer being "indirectly" hurt by [our] actions.

We guess Oracle employed some old and effective tactics: "divide and conquer" and "if you can't defeat your enemy go for their allies."

Again, I'm really sorry, WoODB was an honest intention but unfortunately it had to be suspended. Anyways I will continue trying to show Oracle's insecurity every time it's possible.


Comments (9)

JD :

Well, at least Cerrudo is honest about his intentions - 'showing how [Oracle's] products suck'. Sorry, but I think there are better ways of making a point than 'kick[ing] Oracle's a..'

I am curious about his beef. Was he fired by Oracle, or lose a contract to them? Sounds like there is more to the story...

Tom O'Brien :

Mr. Cerrudo is an irresponsible hacker on an ego trip. He is so obsessed with "kicking Oracle's ass" that he doesn't care who gets hurt, including Oracle's customers and *their* customers.

Anonymous :

I have to agree with the above two posts - IMHO independent security analysis has become a key element of today's software industry. But, the approach Mr. Cerrudo takes, taken along with his attitude, clearly shows that his concern is not with providing a valuable service to software users - instead, he's concerned primarily with his own over-inflated ego and attempting to settle scores with software companies. Security research and analysis, as an industry, is better off without this kind of unprofessional, really childish, behavior. For all its faults, Oracle has delivered far more value to far more organizations and individuals than the author is ever likely to - he should show a modicum of respect for Oracle's customers and to Oracle itself.

Tom O'Brien's Mom :

All three of you are seriously borderline if not complete idiots. From eWeek's post itself - "Again, I'm really sorry, WoODB was a honest intention but unfortunately it had to be suspended." That was Cesar stressing how he canceled his project due to an unhappy *Customer!*. Now for the ridiculous comment by Mr. O'Brien - "He is so obsessed with "kicking Oracle's ass" that he doesn't care who gets hurt, including Oracle's customers and *their* customers." YOU are obviously incompetent, learn to read English before flaming in a public forum.

Oracle is notorious for ignoring or postponing vulnerability patches for well over 6 months. Look at Litchfield's previous work and number of times he's had to cancel presentations due to Oracle being completely irresponsible. I'd never take MS's side under normal circumstances, but Oracle can learn a thing or two from Microsoft's serious _attempt_ at properly releasing patches. They've got a ton of practices to perfect, but have also come a long way.

Scott :

"Tom O'Brien's Mom"
"All three of you are seriously borderline if not complete idiots"

Are you serious? Nasty, childish, completely unnecessary. Really, this kind of garbage does no service to anyone and simply reinforces the idea that our profession is full of obnoxious prima donnas. Grow up.

"YOU are obviously incompetent, learn to read
English before flaming in a public forum"

Well, tell me then, how exactly was this misread:

"The only intention of WoODB was to kick Oracle's ass, showing how their products suck and that they don't care about security." Cerrudo's own words - they're pretty clear to me - but apparently my English skills are lacking.

And one of your points:

"Look at Litchfield's previous work and number of times he's had to cancel presentations due to Oracle being completely irresponsible"

Oracle's main concern should be Litchfield's presentation schedule? Why should Oracle be concerned with Litchfield's schedule? Oracle needs to be more concerned with its customers - Litchfield, Cerrudo, etc. need to be more concerned with the customers of those products they find flaws in. No, I'm not happy about Oracle's speed of response. But I have to tell you, I'm not happy about the likes of Cerrudo and Litchfield exposing the specifics of security holes to hackers either. See, I'm the customer - the user - stuck in the middle - the one who's supposed to be the concern here. Also the one who's likely to get nailed - both because Oracle has a flaw and because this jack-a** went and gave a bunch of criminals the specifics of how to exploit it. From where I sit, the likes of Cerrudo and Litchfield (and yourself, apparently) are just as arrogant and self-obsessed in their approach to security flaws as Oracle is and Microsoft was. From the standpoint of the customer, they're both dead wrong. Personally, sounds to me like Mr. Cerrudo and Larry Ellison have an awful lot in common.

Bert :

Quote from Scott, "I'm the customer - the user - stuck in the middle - the one who's supposed to be the concern here. Also the one who's likely to get nailed - both because Oracle has a flaw and because this jack-a** went and gave a bunch of criminals the specifics of how to exploit it."
Hmm, that is a rather big assumption that the criminal element is reliant on the public disclosure of security flaws, and you know what they say about assuming. I am not a big fan of security via obscurity.
I'm a customer also and I would prefer that Oracle actually fix the security flaws in a timely manner.
Fix and timely being the key words.

Scott :

Bert, all due respect but I think that assuming a criminal element won't obtain, be enlightened by, take advantage of, these security gurus is pretty naive. I'm not saying they're reliant on - clearly, they're not - they've found plenty of holes without the security guys - in fact, the security guys are around because the criminals, in many cases, are just as good and came first. Point is, they don't need any help. I agree - of course I'd prefer Oracle fix the flaw - but I also don't want to get hacked and I don't like these security guys holding me up (i.e. the customer) in front of Oracle (i.e. the vendor) as some kind of hostage without any say. Like I say, I see more in common between the likes of Cerrudo/Litchfield and Ellison/Gates than I see different - oversized egos with a pretty narrow sense of responsibility to the user/customer.
Scott

JD :

Imagine the following scenario (humor me for a moment):
4 characters - you, your neighbor, your neighbor's child, bad guy

You cannot believe your neighbor will not lock the doors at night.

You: "Lock the doors at night! Something bad could happen."
Neighbor: "Ok, Ok. I will work on it."

Neighbor continues to make little effort to lock the doors at night. Fed up, you publicly post the following information:
- Your neighbor's address
- The fact that your neighbor does not lock the door.

Two days later your neighbor's child is dead from a botched robbery. Hmmm. Yeah, that will teach them.

----

Yep, less-than-perfect allegory. But think about it - what is being accomplished by harming the Oracle customer? Nothing but legally supporting the hacking effort. Set aside free speech and Oracle's slack response to fixes for a moment and think about the consequences of yelling "fire" in a crowded theatre in order to teach the theatre owners a lesson.

Tom O'Brien's Mom: There are better ways to make a point than consorting with the enemy. Like it or not, that just makes you the enemy.

DG :

To JD: yeah, nice and moving example of the neighbour's child. Except that, of course, to be relevant to the case this scenario should undergo some major modifications:
- it's not about your neighbour's child, it's about your neighbour's customer. It's not about your neighbour at all. It's about, say, the bank that holds half the U.S. citizens' savings in its safes.
- The bank safes are made of painted wood, instead of steel.
- Full disclosure means putting a sign in front of the bank warning customers of the risk they take trusting said bank, and giving proof of what you advance so that no one can charge you with only wanting to hurt its business.

So... Yes, customers of the bank may get killed during a botched robbery. This is why I would rather:
-1- put a sign warning that I know of bad practices for one month,
-2- warn the bank that one month from now I'll put more details on the sign,
-3- execute my threat if the bank did nothing to fix the hole, or postpone it if they can prove that they at least tried to improve. Note that *I* am the one to choose the delay, because the bank would rather it be "never". And if it means the bank goes bankrupt because it's more expensive to replace wooden safes than it would have been to use steel from the beginning, well... Life's unfair sometimes. I won't be sorry for them.

I can *not* condone security through obscurity. Not more than calling names on the disgruntled whistle blowers. Those may be less disgruntled and more "responsible" if being "responsible" was at least enough to avoid being sued (at least 3 counter-examples immediately pop into my mind).
Unfortunately, companies'd rather sew one's mouth shut through trial. Lobbying. Money. (in no particular order)
And unfortunately, lawmakers nowadays are not encouraging people to be "reasonable" and Oracle to get better. They do pass laws that forbid talking about the safe design or even *looking at it*. Most of them are just being utterly stupid about this in most of the "civilized" (read "corporate") world *right now*.
