Probably I should not have even posted the hint that I did, that led
Mladen to deduce the exploit. I've kept quiet for months (hard to do,
btw), and I figured it was fair game to speak now that the patch has
finally been released. This is all new to me. The whole process for
dealing with exploits, for reporting them and speaking, or not speaking,
about them is completely foreign to me. It didn't occur to me to hold off
for a few weeks, to give people time to apply the patch. Lesson learned.
I'm sorry if I've indirectly caused others grief.

Best regards,

Jonathan Gennick --- Brighten the corner where you are
http://Gennick.com * 906.387.1698 * mailto:jonathan@xxxxxxxxxxx

Join the Oracle-article list and receive one article on Oracle
technologies per month by email. To join, visit
http://five.pairlist.net/mailman/listinfo/oracle-article, or send email
to Oracle-article-request@xxxxxxxxxxx and include the word "subscribe"
in either the subject or body.

Thursday, September 2, 2004, 8:50:27 PM, Paul Drake (bdbafh@xxxxxxxxx) wrote:

PD> Mladen,
PD>
PD> Respected professionals do not publish exploit code prior to the
PD> patches being widely deployed.
PD> This was not the forum in which to post such code.
PD> This was not the time to post such code.
PD>
PD> I am not defending Oracle dragging their feet on releasing the
PD> patches, or in not identifying a gaping hole in a new feature. I am
PD> not criticizing your abilities to write code, use perl or use wit.
PD> I am angered due to you making this issue (alert #68) now larger for me.
PD> I have been busy attempting to test these patchsets for 3 releases on
PD> 2 platforms.
PD> I want to make sure that I don't cripple a client site with a patchset
PD> that wasn't at least moderately tested.
PD>
PD> Did you read the article where David Litchfield was interviewed?
PD> He does not publicly disclose exploit code until after the fixes have
PD> been available long enough for people to apply them. He had to change
PD> his presentations due to Oracle not releasing patchsets sooner. That
PD> is responsible, professional behavior, and it helps him to avoid
PD> litigation. He is a white hat.
PD> Pete and Jonathan also did not reveal exploits (up to this point, that
PD> I know of).
PD>
PD> You now make me wish that this list was moderated.
PD> Please don't post the exploit code on comp.databases.oracle.server.
PD> Not everyone would have been able to deduce the exploit code from what is known.
PD> You have effectively brought the exploit into the script kiddie realm.
PD> Fortunately, your exploit code only affects 10.1.0.2, and not the
PD> other releases.
PD> If you come up with exploits for the other versions, please don't post
PD> it here or in other public forums. Share it with Pete, Jonathan, David
PD> Litchfield - but I would personally prefer that you share it with Mary
PD> Ann Davidson or whomever else handles such issues for Oracle - through
PD> the channels. Metalink, OTN, etc.
PD>
PD> Steve, if I am overstepping my bounds, treat me appropriately, but
PD> this was not professional behavior as stated in the email that I
PD> received today when I changed accounts. It's not my place to moderate -
PD> but Mladen really messed up this time - IMHO.
PD> And it affected me.
PD>
PD> Paul
PD>
PD> Paul Drake
PD> bdbafh@xxxxxxxxx
PD>
PD> ==========================================================
PD> Re[2]: PeteFinnigan.com Oracle advisory for bugs in dbms_scheduler ( alert #68)
PD> * From: Jonathan Gennick <jonathan@xxxxxxxxxxx>
PD> * To: "Gogala, Mladen" <Mladen.Gogala@xxxxxxxx>
PD> * Date: Thu, 2 Sep 2004 16:16:23 -0400
PD>
PD> Well, the whole world knows now...
PD>
PD> Best regards,
PD> Jonathan Gennick --- Brighten the corner where you are
PD> http://Gennick.com * 906.387.1698 * mailto:jonathan@xxxxxxxxxxx
PD>
PD> Join the Oracle-article list and receive one
PD> article on Oracle technologies per month by
PD> email. To join, visit http://five.pairlist.net/mailman/listinfo/oracle-article,
PD> or send email to Oracle-article-request@xxxxxxxxxxx and
PD> include the word "subscribe" in either the subject or body.
PD>
PD> Thursday, September 2, 2004, 12:00:41 PM, Gogala, Mladen
PD> (Mladen.Gogala@xxxxxxxx) wrote:
PD>
GM>> What annoys me the most is that the bug is so trivial
GM>> that it should have been discovered during the beta test.
GM>> You and Pete didn't specify how exactly it is possible, probably
GM>> out of the goodness of your heart, so I did a little investigation
GM>> of my own, and discovered that Oracle10g allows
PD>
PD> ---
PD> To unsubscribe - mailto:oracle-l-request@xxxxxxxxxxxxx&subject=unsubscribe
PD> To read recent messages - //freelists.org/archives/oracle-l/09-2004