* Posts by Countershill

2 posts • joined 5 Apr 2013

Patch time for PostgreSQL



If developers of database software actually cared about security, it would not matter whether you expose Apache or Postgresql.

But we have all been conditioned to expect database servers to have almost no security at all. You have to question whether that Expectation Of Shit is acutally correct.


Meeeep. Wrong.

When I used Oracle 8 more than ten years ago, it could be crashed by simply telneting into the listener port and then randomly hitting the keyboard. Note that I did NOT use the official API, I did not use any userids or passwords. Such was the extremely crappy state of Oracle security. If I had been a blackhat, I would have developed an exploit to own the entire database, there's little doubt about that.

Then MS, I read they had a very similar weakness which was discovered by some minor "fuzzing" of the client-server data stream. You could use that also before you entered a password.

Then MySQL. Just recently a colleague of mine discovered you could crash it by means of setting a trigger on an integer column and then inserting a "too big" value.

To conclude, commercial software typically is a Can Of Worms, security-wise.

I used Postgresql and found it to be quite regular, simple and not at all more complicated than anything else from DB/2 to Mysql. I BET Postgresql is much more secure, as we can inspect the code, while with the commercial vendors you have to trust the pledges of a slimy creature who only cares about extracting your money and diverting it into his pockets.

Elite software users such as Deutsche Börse get rid of Oracle and the other commercialware and are moving all their systems to Linux, Postgres, gcc and the like.



Biting the hand that feeds IT © 1998–2017