10 Years After SQL Slammer - Slashdot

Please create an account to participate in the Slashdot moderation system

×

10 Years After SQL Slammer 58

Posted by Soulskill on Friday January 25, 2013 @04:18PM from the lesson-learned dept.

Trailrunner7 writes "Ten years ago today, on Jan. 25, 2003, a new worm took the Internet by storm, infecting thousands of servers running Microsoft's SQL Server software every minute. The worm, which became known as SQL Slammer, eventually became the fastest-spreading worm ever and helped change the way Microsoft approached security and reshaped the way many researchers handled advisories and exploit code. This is the inside story of SQL Slammer, told by David Litchfield, the researcher who found the bug and wrote the exploit code that was later taken by Slammer's authors and used as part of the worm."

This discussion has been archived. No new comments can be posted.

10 Years After SQL Slammer

Search 58 Comments Log In/Create an Account

Comments Filter:

Google Cache Version (Score:5, Informative)

by Anonymous Coward writes: on Friday January 25, 2013 @04:38PM (#42695061)

http://goo.gl/PCkGM [goo.gl]

Share
twitter facebook
Our article on the subject: (Score:5, Informative)

by nweaver ( 113078 ) writes: on Friday January 25, 2013 @04:47PM (#42695139) Homepage

We (David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and myself) did the analysis of how it spread, including showing how it infected all the vulnerable systems in 10 minutes, and detailing flaws in the random number generator.
Our article eventually appeared in IEEE Security & Privacy [ieee.org].

Share
twitter facebook
Re:Security priorities have changed (Score:5, Informative)

by eap ( 91469 ) writes: on Friday January 25, 2013 @05:00PM (#42695271) Journal

So this guy "wrote the exploit code that was later taken by Slammer's authors and used as part of the worm", and he's not dead or serving an eleventy hojillion year federal prison sentence?
Times change indeed...
The article mentions he was paid by a company in Germany to penetrate their heavily-fortified SQL Server installations. This is when he developed the exploit code. Presumably it's not illegal for a company to pay you to security test its systems.
He also took the steps of communicating the exploit to Microsoft before releasing the code. He even asked their permission before divulging the code, and didn't do so until MS had released a fully corrective patch.
You're right, however, he'd be in jail if it happened today.

Parent Share
twitter facebook

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

390 comments32-Hour Workweek for America Proposed by Senator Bernie Sanders
358 commentsWhat Should Happen to Empty Downtown Office Spaces?
340 commentsHacktivism Erupts In Response To Hamas-Israel War
324 comments'Feedback' Is Now Too Harsh. The New Word is 'Feedforward'
248 commentsWorkers are Resisting Calls to Return to Offices

An Ada exception is when a routine gets in trouble and says 'Beam me up, Scotty'.