When discussing the public exposure of
Oracle vulnerabilities, opinions about those who publicize hacking
techniques. Some suggest that the hacking expert is doing a
public service while others believe that exposing an Oracle
vulnerability enables an unethical DBA to hack into a database.
Sadly, not all database professionals have scruples, as we
see in these
real-world examples of Oracle hacker horror stories.
While publically exposing
vulnerabilities may be illegal in parts of the United States (the
aiding and abetting), there are some
European Oracle "researchers" who offer "black hat" and
"secret" Oracle hacking tutorials.
The question is none of ethics and whether there is any
legitimate use for the disclosure of Oracle vulnerabilities? Oracle
Corporation responds with a resounding NO!
According to this
eWeek article, Oracle Corporation condemned a hacker as being
selfish and irresponsible for putting Oracle customers at "severe
"A few hours after [the hacker] went public
with a technical description of the flaw, including a blow-by-blow
demonstration of ease in which an attack could occur,
back, accusing the British researcher of putting its customers at
severe risk for selfish, irresponsible reasons."
Most Oracle DBA's agree that it is best to quietly work with Oracle
on a patch before publishing details on any bug, but there are
vulnerabilities that are not within the purview of Oracle,
vulnerabilities in 3rd party products.
In these cases, most
professionals would find that exposing a non-Oracle vulnerability to
be encouraged, provided that they no not expect that the publication
could be used by criminals.
Is publishing Oracle hacks aiding and abetting a
Ethics aside, we must ask
if publishing an Oracle hack constitutes a crime, anywhere in the
world where the article might be read. In the USA, the FindLaw
aiding and abetting a criminal, publically exposing an
Oracle hack appears to fit the definition for "secret" and black
hat" Oracle hacking:
While not all of the Oracle hackers have ill intent, many are aiding
and abetting criminals by publically exposing vulnerabilities within
the Oracle software.
"A criminal charge of
aiding and abetting or accessory can usually be brought against
anyone who helps in the commission of a crime, though legal
distinctions vary by state.
A person charged with
aiding and abetting or accessory is usually not present when the
crime itself is committed, but he or she has knowledge of the
crime before or after the fact, and may assist in its commission
Despite claims of some self-proclaimed
European Oracle experts, a properly installed and configured Oracle
cannot be hacked, even with the most sophisticated methods.
Recent Internet law has indicated that web authors are
responsible for what they publish that causes harm, anywhere in the
If your shop gets hacked because of information
published by an Oracle hacking expert, you may want to seek the
advice of your local attorney Generals office to see if the advice
of the hacker warrants arrest and prosecution.
Get the Complete
Oracle SQL Tuning Information
The landmark book
SQL Tuning The Definitive Reference" is
filled with valuable information on Oracle SQL Tuning.
This book includes scripts and tools to hypercharge Oracle 11g
performance and you can
for 30% off directly from the publisher.