Sybases Edits Were Trivial

By Lisa Vaas  |  Posted 2005-04-05 Print this article Print

The subsequent editing was trivial, Anley said, being concerned with level of detail and language involved. "If you read the advisory, theres enough technical information for people to make a realistic assessment of the impact of the bugs to their organization, and they can work out what they want to do with them. Thats why we wanted to make sure the details were published." NGSS took care in the exchange of e-mails to ensure that evidence of mitigation made its way into the final draft of the advisory, Anley said.
Thats important to ensure that database administrators have enough information to make sound decisions about patch application, he said.
"Realistically, one major reason administrators want details is so they can make mature assessments of what the impact is of these bugs," Anley said. "How much does it affect them? If this database is a back end for my server, what are [the bugs] vectors? How likely is it that someone can take control of my database?" Beyond that, the advisory is 95 percent of what NGSS wrote in the first place, Anley said. The agreement reached between NGSS and Sybase pertains only to the bugs in question, not to any future vulnerability discoveries, Anley said. Hence, the question remains as to the extent to which vendors will be newly emboldened when it comes to meddling with researchers. This incident could be a harbinger of a future test case in which the legality of license agreements to restrict customers ability to talk about a given product is put to the test, Anley said. On the plus side, Anley said, Sybase was open to coming to a reasonable solution. "Weve all got mortgages to pay. We dont want to be threatened by large companies, whether theyve got a case or not," he said. "I dont know what initiated the process on their side: why they thought it was a good idea. Certainly we werent going to just sit back and say, All right then, were not going to publish that. But it wasnt a hugely confrontational thing. They just wanted to find an amicable solution. At the end of the day, we both have the interests of Sybase customers at heart." For its part, Sybase intends to be a "little more proactive" in working with security firms that contact the company, Schaub said. "Frankly, this doesnt happen to us this often," she said. "There were a couple of incidents over the last couple years, but its not something we run into a whole lot." Check out eWEEK.coms for the latest database news, reviews and analysis.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel