Last 4.8 filepro Release

Fairlight fairlite at fairlite.com
Fri Oct 15 15:42:15 PDT 2004


The honourable and venerable John Esak spoke thus:
> What is SFAIK (sh*t, for all I know??) or did you mean AFAIK? Or is there
> some new thingy... I don't know about yet?

"So far as I know."  :)

Just "so" instead of "as".

> But, I think there is a version a little higher than 4.8.12, maybe 13, maybe
> even 14... but no matter it is (at least, _has_ been) un-gettable from FP
> Technologies... :-(  (I leave this frown because I think it should be
> available [at reasonable... even unreasonable, even gouging] cost to the
> original buyer/owners of the 4.8 release.... JMO... but it is a damned
> strong one. I will always use 5.0... need the 5.0 features, period... BUT,
> those who did not want to upgrade to 5 should be allowed to buy the latest
> version of that product... BECAUSE, they were _never_ afforded this
> opportunity from the moment the 5.0 release came out... There should have
> been a notice and a period of time where original owners could have bought
> all the bugfixes up to the latest version... some would say "be given" not
> bought... but I think most 4.8 owners would not have minded paying for the
> final fixes. It is _extremely_ unfair and even unconscionable for this
> option never to have been offered...  (opinion flag off).

FWIW, I have the same problem with what they did with fpcgi.  There is a
Denial of Service potential that I raised when 2.0 was in final beta.  With
a mere 11 lines of perl, one can inexpensively drain a target system running
fpcgi of all available filepro licenses as fast as you can make the
connections.  You can do this, and it requires -manual- intervention to
actually go kill off all the filepro processes that never die.  Meanwhile,
the system will bog very heavily at least on linux, as you can create
multiple polling loops that suck as much CPU as they can completely dry.
The processes eat CPU in realtime.

They -did- fix this in fpcgi v2.0 with an environment variable pair, using
their own method, and they borrowed my even stronger suggestion.  So people
with v2.0 have the -option- of protecting themselves, even though it's
(stupidly, IMHO) not set as the default behaviour.  I give them credit for
addressing it in 2.0.  That's all fine and well.

However, when I asked if the fix would be back-ported to v1.0 and made
available to everyone regardless of whether they upgrade, I was told
flat-out "no".  It is a bug fix -only- available by plunking down $325 to
upgrade to 2.0.  $625+ on Solaris and iSeries Linux.  After November 1, it
will be $395 and $795 respectively.  

And that's more than just features or bug fixes--that's system security.
Anyone who doesn't upgrade is running a risk, plain and simple.

I wrote the proof of concept code to exploit the weakness (after perceiving
it in the first place) and delivered it to fP-Tech via a developer, and
believe me, it's -trivial- to accomplish the kind of attack very cheaply
for the attacker, and really entirely cripple the targeted system.  One
developer actually had the guts to tell me I'm the only one that would
come up with such goofy possibilities, and you'd have to know the system
really well, etc.  They're -so- wrong.  I'm one of the white-hat folks.
The black-hats think about this stuff like the rest of us think about a
good dinner--it's second nature, and it's tempting to them.   

And my opinion is that -security- updates should be free, period.  Holding
the safety of a system hostage for revenue is -never- a good thing.  THAT
is gouging in the worst possible sense.

As for fP 4.8...I just got off an hour+ long debugging session with someone.
It appears that if you don't have at least one record in a file, at least
old-style indexes blow up on 4.8.12.  I ship completely empty key and data
segments with a distribution of a filePro table, and it's always worked on
5.0.10 and up.  It was a rude shock to run into this on 4.8, but at least I
now know the remedy.

I agree with your opinion regarding fP 4.8, John.  But mine's even stronger
where fpcgi 1.0 vs 2.0 is concerned.  My advice to anyone still using fpcgi
v1.x is to upgrade ASAP, if you insist on clinging to that particular
product.

mark->
-- 
Bring the web-enabling power of OneGate to -your- filePro applications today!

Try the live filePro-based, OneGate-enabled demo at the following URL:
               http://www2.onnik.com/~fairlite/flfssindex.html
