[ED: Deleted Per Oracle's Request]



  • This message (Major bugs in ODP.NET Driver 10.2.0.2 Beta) was removed per request from a developer at Oracle:

    Would you be willing to delete this thread?

    http://thedailywtf.com/forums/thread/80071.aspx

    It exposes a security issue with our .NET provider. When the poster contacted us about it, we immediately stopped our production release and fixed the security hole.



  • Re: Major bugs in ODP.NET Driver 10.2.0.2 Beta

    Why do they use "key.GetHashCode()" instead of "key"? The hashtable itself is able to handle collisions(), but of course it needs the real key, not the hash value of the key, to do that.



    () if not, it's time to dump .net



  • Re: Major bugs in ODP.NET Driver 10.2.0.2 Beta

    I'm unable to recreate this error.  [ ... removed ... ]



  • I just got it.  [ ... removed ...]



  • Aaand the new version works properly, at least on my machine.  Upgrade to 10.2.0.2.20 ASAP!



  • bug is only present in

    10.2.0.2.10 Beta

    it is solved in

    10.2.0.2.20 Final



  • Re: Major bugs in ODP.NET Driver 10.2.0.2 Beta

    Sorry guys, I removed details from the post for security reasons.



  • Re: Major bugs in ODP.NET Driver 10.2.0.2 Beta

    @CeeJay said:

    Post removed per request from a developer at Oracle:

    Would you be willing to delete this thread?

    http://thedailywtf.com/forums/thread/80071.aspx

    It exposes a security issue with our .NET provider. When the poster contacted us about it, we immediately stopped our production release and fixed the security hole.

     

    HAHAHAHAHAHA. 

    I zee noth-ing!



  • @Rotary Jihad said:

    Wow. This got quashed really fast in a few places. http://www.google.com/search?hs=XZ&hl=en&lr=&client=opera&rls=en&q=ODP.NET+Driver+10.2.0.2+Beta+security+bug&btnG=Search You know when Microsoft does this it's decried as near criminal. Are the fast patches as well as the insider silencing normal in the Oracle community?

    I think it's a fair point, why was this removed? the real reason please? why did you agree? how much were you paid? Did they threaten you with legal action?

    Since when does TDWTF censor articles?

    I would have personally refused, sorry you lost some cred with me when I saw this removed. Lame Alex lame, very disappointed.

     



  • Re: Major bugs in ODP.NET Driver 10.2.0.2 Beta

    I'm sorry - we're not allowed to discuss Oracle bugs in the I-Hate-Oracle-Club? 

    (I hate to say it but) WTF?



  • At least they've fixed the bug.  It could be worse.



  • @codenator said:

    I think it's a fair point, why was this removed? the real reason please? why did you agree? how much were you paid? Did they threaten you with legal action?

    Since when does TDWTF censor articles?

    I would have personally refused, sorry you lost some cred with me when I saw this removed. Lame Alex lame, very disappointed.

    Why? Because I'm not a dick.

    A fellow developer (who happens to work at Oracle) emailed me personally and asked very nicely if I could remove it. Should I have said, say, "no your product is teh sux0rs and you are a l00zer, how could you work for Oroable?! I must expose the truth about your product!!!"

    If Oracle's Legal Machine emailed me and demanded I remove it or face legal action, I still would have. But that's because I'm a pussy.

    With the DMCA, they can shut down websites. Heck, they could even sue. And in America, lawyers cost money. Lots of it. Yeah, they woulda lost. Yeah, they woulda had to reimburse my legal fees. Keyword there is "reimburse" -- anyone wanna guess the retainer I'd need for such a suit? I'd say $5,000, minimum. Yeah, I'm all for free speech, blah blah blah, but don't sign me up as the martyr.

    Personally, the fact that Oracle emailed me (yes, I verified it was from them) and requested I remove it is much funnier than the fact that ODP.NET has a bug. In fact, I'm even going to change the title of this post because I think it's funnier that way.



  • [quote user="codenator"]

    I think it's a fair point, why was this removed? the real reason please? why did you agree? how much were you paid? Did they threaten you with legal action?

    Since when does TDWTF censor articles?

    I would have personally refused, sorry you lost some cred with me when I saw this removed. Lame Alex lame, very disappointed.

     [/quote]

     

    Wow, that post has "teenager" written all over it. You don't think it's a bit irresponsible to have a public posting of a security exploit on a widely-used application? It's not only Oracle's problem, it's also a potential problem for everyone using their product...



  • [quote user="shadowman"][quote user="codenator"]

    I think it's a fair point, why was this removed? the real reason please? why did you agree? how much were you paid? Did they threaten you with legal action?

    Since when does TDWTF censor articles?

    I would have personally refused, sorry you lost some cred with me when I saw this removed. Lame Alex lame, very disappointed.

     [/quote]

     

    Wow, that post has "teenager" written all over it. You don't think it's a bit irresponsible to have a public posting of a security exploit on a widely-used application? It's not only Oracle's problem, it's also a potential problem for everyone using their product...

    [/quote]

     

    Thanks for your input, you sound like a complete upper management idiot whom I couldn't possibly begin to explain software engineering responsibility to. By the way I'm well past those teenage years and probably been in this business more than most.

     Somehow I get the feeling you are a hacker who pumps out any old crap onto your customers and then release quick fixes to cover your incompetence.

    We call it all care no responsibility.....Oracle's devs are the company's own worst enemy.....their product suite is a pile of stinking crap

     What's the risk in not exposing the risk in a widely used application? huh c'mon smartarse...

     It's Oracle's problem and they should be named and shamed. Why not exactly?



  • [quote user="Alex Papadimoulis"]

    Why? Because I'm not a dick.

    [/quote]

    Sometimes I tend to disagree

    [quote user="Alex Papadimoulis"]

    A fellow developer (who happens to work at Oracle) emailed me personally and asked very nicely if I could remove it. Should I have said, say, "no your product is teh sux0rs and you are a l00zer, how could you work for Oroable?! I must expose the truth about your product!!!"

    [/quote]

    I'm sorry, is that credibility being flushed down the toilet?

    [quote user="Alex Papadimoulis"]

    If Oracle's Legal Machine emailed me and demanded I remove it or face legal action, I still would have. But that's because I'm a pussy.

    With the DMCA, they can shut down websites. Heck, they could even sue. And in America, lawyers cost money. Lots of it. Yeah, they woulda lost. Yeah, they woulda had to reimburse my legal fees. Keyword there is "reimburse" -- anyone wanna guess the retainer I'd need for such a suit? I'd say $5,000, minimum. Yeah, I'm all for free speech, blah blah blah, but don't sign me up as the martyr.

    [/quote]

    On what grounds exactly? c'mon lawyer hot shot? I laughed at this, have you not proven this flaw to be true, this is not slander or false accusations so c'mon explain it.

    [quote user="Alex Papadimoulis"]

    Personally, the fact that Oracle emailed me (yes, I verified it was from them) and requested I remove it is much funnier than the fact that ODP.NET has a bug. In fact, I'm even going to change the title of this post because I think it's funnier that way.

    [/quote]

    ok true...



  • codenator,

    Just because you happen to be 30 (or however old you are) doesn't mean you aren't acting like a teenager.  

     

    Also, I think it's funny that Oracle reads the Oracle Hate Club Board. 



  • [quote user="tster"]

    codenator,

    Just because you happen to be 30 (or however old you are) doesn't mean you aren't acting like a teenager.  

    [/quote]

     

    Thanks for your pointless opinion.....I've read some of your posts on this site and your opinion doesn't have any weight with me.

     

    what part of questioning this is teenager behaviour?

     



  • [quote user="codenator"][quote user="Alex Papadimoulis"]Heck, they could even sue. [/quote]On what grounds exactly? c'mon lawyer hot shot? I laughed at this[/quote]

    Are you serious? Do you have any idea how the civil courts work in the US?

    Unlike a criminal case, you do not need "probable cause" to bring suit against another. So long as you fill out the right paperwork and pay the court fees, you can sue ANYONE for ANY REASON whatsoever.

    If the suit is frivolous, you MAY be lucky enough to have a competent lawyer file a motion for summary judgment. Wanna guess how much that'll cost? But chances are the judge will want to hear the case. That's where the real money gets spent. If you're REALLY lucky, your lawyer might be able to win a countersuit for his fees.

    [Harsh comments removed]

    OK, I admit, I was embarrassingly harsh there. It was late, I was tired, etc.

    But my point stands: the moment you get sued, you've already lost. Be it time, money, sanity, etc. That's just how it works in the US.



  • I guess Alex has better things to worry about than that. You jump first.

    Btw, this link is especially for you, you know why. 



  • [quote user="codenator"]What do you mean you may be lucky enough to get a competent lawyer? [/quote]

    How many trial lawyers do you know? If you thought the software industry was filled with incompetence, you need to check out the legal industry. Half the lawyers out there are walking WTFs.

    [quote user="codenator"]lucky to win countersuit for his fees?[/quote]

    Do you really think that the winning defendant gets his legal bill picked up by the plaintiff? That ain't how it works in Ohio or any other state I know of: you need to countersue and demonstrate the suit was baseless and frivolous.

    Oh wait a minute, perhaps in your fantasy civil legal system, one can just defend himself? That might be how it works in Judge Judy or small claims, but in the real court system you'll find yourself in default or contempt quicker than you can say "pro se."

    [quote user="codenator"]Sound to me like you have no idea and a little scared to stand up to those bullies in Oracle, they are bluffing and it looks like they are winning.  [/quote]

    No. "They" didn't threaten me or bully me at all; a developer asked me nicely. It was simply funnier to "censor" it. Plus, that had the benefit of reducing the minimal risk of any trouble to zero. I just don't care enough about the IHOC to put up a fight about it.

    On the other hand, if the "real Virtudyne" were to come to me and do something, I'd stand up for myself because I care about TDWTF. But then again, it'd be pretty silly for them to take any action (be it a C&D, subpoena, libel suit, etc) because that would definitely make a front-page post and most certainly would identify who the real company behind Virtudyne is ...

    Yes, I do have integrity. But I also have wisdom and know what battles are worth fighting.



  • Call them back and tell them you want to put your content back, when can we expect patch to be distributed?

     

    >8)

    -viz 



  • [quote user="Rotary Jihad"]Wow. This got quashed really fast in a few places.

    http://www.google.com/search?hs=XZ&hl=en&lr=&client=opera&rls=en&q=ODP.NET+Driver+10.2.0.2+Beta+security+bug&btnG=Search

    You know when Microsoft does this it's decried as near criminal.

    Are the fast patches as well as the insider silencing normal in the Oracle community?[/quote]

    It's called social responsibility.

    If you post an unknown exploit in public, you endanger a lot of people's information, possibly your own. Security 101. The harm is far greater than the good of publishing it.

    think about it...

    However, there needs to be a timeframe when they'll fix it and it had better be fast. Once people know that there is an issue with something like the .Net provider, every h4x0r and his brother will be poking at it to find out what that is, the clock is ticking and it's only a matter of time before the wrong people figure it out. In fact, if I were the moderator of this board, I'd clean up the parts that specify where the vulnerability is, as well as the exploit.

    Once it's patched and distributed it's perfectly ok to release the exploit for educational purposes.
     

     -Viz
     

