
You require WHAT for a license?

I was trying to acquire a license for a product I wanted to evaluate, through a program that provides the license for free. Now, because the organization is providing the license for free, I expect some strings to be attached. Want my email? Yup, how else would you send me the license? You need to know my mailing address? Okay, I get that's part of the deal. But today the organization in question asked for something I wasn't expecting:

the SQL Server name.

At which point I politely declined and explained that it was against policy to do so. In my mind, this falls into the same category as needing to know the login to SQL Server, which I ran across once upon a time. My first thought is, "What does it matter what the SQL Server name is? What can you possibly do with it that will either further your product or my experience?" The short answer is that there isn't anything. Asking for the SQL Server name also raises the hairs on the back of my neck from the security side.

Spear phishing is about targeting a person or organization from what appears to be a position of trust. The spoofed LinkedIn emails are one example. If I use LinkedIn and I get an email, I am more likely to consider it legitimate than I would one from ACME Professional Connection Services. So if I have the computer name, I could create a spear phishing email targeting an individual, asking that person to install a particular patch on said computer in order to remove a security vulnerability. Since I have the computer name in the email, I look more legitimate, and it may convince a user that the email came from someone in their IT department (or from the people who specifically manage workstations/servers, if we're talking about another IT pro being targeted). This is just one example, and while it won't work most of the time (which is true of most phishing attacks), if I get it to work just once I could get a trojan onto a DBA's workstation, for instance. Think about the damage that could be done there.

That's why I was rather surprised that the organization asked for the SQL Server name. Given that the SQL Server name, unless aliased, is the machine name, you enter into the potential scenario I just described. What makes it particularly head-scratching is that it was a license for a security product. Given Symantec's recent revelation, I know better than to trust security companies or security products any more than I do any other (which is very little). However, while I know what reality is, I am still disappointed when I see practices like these from a security company or for a security product. So when they didn't budge, I politely declined to proceed, gave them the example, and bid them well. There are plenty of other products out there in this same space, and I'm not going to get tied up over one.

K. Brian Kelley - Databases, Infrastructure, and Security

IT Security, MySQL, Perl, SQL Server, and Windows technologies.
Posted by slowder on 27 January 2012

Could you have given them a bogus name like "sqlserver1"? Or would the key require the machine name to match?

Posted by K. Brian Kelley on 27 January 2012

I'm not going to lie to install a product, especially for evaluation purposes. I would just as soon not use the product, especially considering there were other options available.

Posted by Elliott Whitlow on 27 January 2012

For a product that is licensed to the machine I might go along with that; Red-Gate does this. However, they are not so obvious about it. You can't really know all they are sending to their licensing server. I would hope that they build some hash based on the machine and don't send the actual machine name, but who can know...
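Elliott's comment above suggests hashing the machine identity rather than sending its name. The Python below is an added example, not code from the original post, from any commenter, or from any vendor mentioned here, and it does not describe how any real licensing server works. It contrasts a bare hash of the hostname, which a small dictionary such as the names guessed in these comments recovers in milliseconds, with a per-install salted fingerprint that a vendor can bind a license to without ever learning the machine name. The hostname, the guess list and the product name are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets
from typing import Iterable, Optional

# Constructed sample: a client machine identity the vendor should not need to learn.
SAMPLE_HOSTNAME = "SQLPROD01"  # hypothetical machine name
# Constructed guess list; real hostnames come from an equally small, predictable space.
COMMON_NAMES = ["sqlserver1", "sqlprod01", "dbserver", "sql01"]


def unsalted_fingerprint(hostname: str) -> str:
    """Naive design: a bare hash of the machine name.

    It looks opaque, but hostnames are short and predictable, so whoever
    holds the digest can recover the name by guessing.
    """
    return hashlib.sha256(hostname.lower().encode()).hexdigest()


def guess_hostname(fingerprint: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary reversal of the naive fingerprint: returns the matching name, if any."""
    for name in candidates:
        if hmac.compare_digest(unsalted_fingerprint(name), fingerprint):
            return name
    return None


def new_install_salt() -> bytes:
    """Random secret generated once per installation and kept only on the client."""
    return secrets.token_bytes(32)


def salted_fingerprint(hostname: str, salt: bytes) -> str:
    """Keyed hash of the machine name.

    Without the salt the vendor cannot reverse the digest by guessing, yet the
    client can recompute it deterministically for its own license check.
    """
    return hmac.new(salt, hostname.lower().encode(), hashlib.sha256).hexdigest()


def issue_license(fingerprint: str, product: str) -> str:
    """Vendor side: the license is bound to the opaque fingerprint only."""
    return json.dumps({"product": product, "machine": fingerprint})


def license_matches(license_blob: str, hostname: str, salt: bytes) -> bool:
    """Client side: recompute the fingerprint locally and compare in constant time."""
    lic = json.loads(license_blob)
    return hmac.compare_digest(lic["machine"], salted_fingerprint(hostname, salt))


if __name__ == "__main__":
    # The naive digest leaks the machine name to anyone with a short guess list.
    leaked = guess_hostname(unsalted_fingerprint(SAMPLE_HOSTNAME), COMMON_NAMES)
    print("naive fingerprint reversed to:", leaked)

    # The salted digest does not, and still binds the license to this install.
    salt = new_install_salt()
    fp = salted_fingerprint(SAMPLE_HOSTNAME, salt)
    print("salted fingerprint reversed to:", guess_hostname(fp, COMMON_NAMES))
    lic = issue_license(fp, "demo-product")
    print("license valid on this machine:", license_matches(lic, SAMPLE_HOSTNAME, salt))
    print("license valid elsewhere:", license_matches(lic, "OTHERBOX", salt))
```

This only addresses what the vendor learns; it is not an anti-tampering scheme, since the license blob is not signed and a client could edit it. The point of the salt is that a hash of a low-entropy value such as a hostname is not a privacy measure on its own.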
