Oracle Breakable After All

Billy writes "Unless you've been living in a cave, you've seen Oracle's Unbreakable campaign (Can't break it. Can't break in.), which was kicked-off by Larry Ellison personally at Comdex last November. Now U.K. security researcher David Litchfield says you can break in, thanks to at least seven different security holes in Oracle 9i, according to this SecurityFocus story. Oracle's top security manager is quoted as saying that "unbreakable" doesn't really mean unbreakable, or something."

Reverse Psychology

Wouldn't it be great if the inverse also worked?

MS could just announce that "Our software code is like swiss cheese when it comes to security" and #POOF#, all the holes would be sealed for good.

To paraphrase an old koan:

A software company said to the public, "Our product is unbreakable." The public replied, "No, you are not unbreakable."

Another software company said to the public, "Our product is not unbreakable." And the public replied, "You're right, you are not unbreakable."

Would this qualify under

Laws to Punish Insecure Software Vendors? [slashdot.org]

Liability

I brought up the topic of Liability for software bugs with my Dad (he's a VP at one of the big banks). He replied that the current software companies would be "shot in the street". Now, I was confused until he explained: "Shot in the Street" simply means that the public and government would turn on them so hard legally that they would be driven out of business. Sure, some people would have legitimite grounds for a lawsuit, but most would be pressing legal action for their "piece of the pie". The companies (we were discussing MS in particular) wouldn't even have the *option* of beefing up QA and addressing the issues.

The more I've thought about this, the more likely it seems. And a key aspect to this is that my OS vendor, SuSE, and ilk (Red Hat, Mandrake, etc) would be nailed just as much as MS, except with less money in the bank, they would be killed much more swiftly. Now, two of those are outside of the USA, so it's not a direct correlation, but there are some serious ramifications to software liability that occur in as reactive a society as we have today.

Certainly this announcement would instantly have a dozen law firms seeking people running Oracle to launch a multi-billion dollar suit of some flavor. And while certainly not "unbreakable", and (IMO) a bit overpriced, Oracle being available is a Good Thing. Of course they have holes. I'm equally sure that they will likely address them quickly (Quickly being relative to the company involved). Introducing *sane* liability (at least in America) is going to be very difficult in a society that is making it neigh impossible to be a medical doctor, and is driving up medical costs due to the extensive CYA documentation (videotapes, extensive reports, etc) now required by industry insurance.

--
Evan "I'm pretty sure this is ontopic" E.

Buffer Overflows Myth

> Buffer overflow bugs can be prevented by a
> middle-school hacker. This is elementary stuff.
> Doesn't anybody believe in putting limits on
> characters? This is simple to prevent.

This is pure bullshit. Are the programmers of
Apache, IIS, Half-Life, Quake 3 Arena, Perl, SSHD, glibc, wu_ftpd, or BIND at the middle school level? Windows NT? How about the linux kernel? All have had buffer overflows, and I'll bet that many of them still do.

Unfortunately it is not always as simple as "putting limits on characters". The simple fact is that the C language is practically designed to make buffer overflow bugs easy to write and easy to exploit.

I agree with you that buffer overflows are serious, though. That's why I think it is ridiculous that we still write security-critical network software in C. Sometimes it is hard to get around, like in the linux kernel when you need to do hardware access (a microkernel architecture might make it easier to write certain parts in higher-level languages). You might argue that performance would be impacted (I don't think this is true, especially with network software where the network is the real bottleneck), but even this argument falls through for 99% of users, since most users are far from full utilization of their processor. However, almost all users *are* affected by security holes.

Too true

"Hello, helpdesk? I forgot my Oracle password."

"Hello, helpdesk? I need to edit the Oracle config files, and I forgot the Oracle user's unix password."

"Hello, helpdesk? Brad Pitt's a friend of mine and will go out with you if you give me the root password for the Oracle box."

I'd like to know...

given the many discussions on /. of late re: full disclosure of security holes, partial disclosure, disclosure to the company only, etc - what does the crowd here think of the way these exploits have been handled? The story says the Litchfield has commented publicly and explicitly on the nature of one of the holes that already has a patch available, but that he's holding close the holes that have patches still under development.

I guess another question would be, while Oracle is by no means a small company, if the company name started with an M and ended with 'icrosoft' would we be demanding more information?

Mirror:

http://saintaardvarkthecarpeted.com/oracle [saintaardv...rpeted.com]

Unbreakable in a legal sense...

Oracle9i. Unbreakable. Can't break it. Can't break in.

Legally they are correct. The DMCA says you can't break it, and various other laws say you can't break in.

Slashdot New Flash...

...impossible claim proved wrong. Film at eleven. I can't tell if Ellison's claim that Oracle was bulletproof was the act of a madman or genius. Why genius? Nothing gets security experts to test your software with such vigor than when you tell them it's invulnerable. Question is, does this make the NSA more or less secure in choosing Oracle products?

crazy fucking ceos

i would have to loved to have been a fly on the wall in the oracle engineering department the day ellison announced that their software was unbreakable. i guarantee you the engineers at oracle wouldn't have supported that campaign, if they even knew about it before ellison announced it at comdex. it's tough enough to keep your software secure when your ceo isn't directly taunting every hacker in the world.

Re:crazy fucking ceos

i would have to loved to have been a fly on the wall in the oracle engineering department the day ellison announced that their software was unbreakable.

Well, here's how the conversation went:

Dilbert [dilbert.com]: Hey, Wally! Larry just announced that 9i's unbreakable! I guess this means we can stop working on those bug-fixes.
Wally: Way ahead of you there.

Chris Beckenbach

Wasn't Breaking in the whole point ?

Didn't they start this campaign to get 'hacked' ? so they could close some more holes they couldnt find them selves ?

Now i wonder, it worked they all readdy found 7!

Quazion.

And this comes from...

the guy who wants all Americans to be on a unified national ID card, having all our personal information in a central database.

That leaves me feeling warm and fuzzy inside.

That's odd....

"The Oracle database server itself runs on some sixty odd different operating systems,"


How many non-odd operating systems does it run on??

Re:does anyone actually expose the DB to the world

Of course we would hope people would not expose the database to the world, but there are plenty of people who do. And more interestingly, the database is usually exposed to some internal networks (for example, a database for financials might sit well inside a firewall in the accounting department - on a corporate network). So there is still risk at least from people who can compromise firewalls, bypass poor security checks in applications, or from disgruntled employees.

The fact that defense in depth is a good idea does not justify allowing one of the layers to be weak. The defenses at every level should be as strong as possible, and that ideally means a bug-free app server and a bug-free database.

Weinberg's law of programming;

If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization.

(this is twenty years old)

Re:Weinberg's law of programming;

I hate that quote.
When we have been programming for as long as we have been building things, then that quaote will be valid.
I am willing to bet that the buildings that where built during the first 50 years the human race had been building building wheren't all that good.

Yikes, what a sentence.

Re:Weinberg's law of programming;

Attributed to osiris@halcyon.halcyon.com (J.David Ruggiero)

Dear Mr. Architect:
Please design and build me a house. I am not quite sure of what I need, so you should use your discretion.

My house should have between two and forty-five bedrooms. Just make sure the plans are such that the bedrooms can be easily added or deleted. When you bring the blueprints to me, I will make the final decision of what I want. Also, bring me the cost breakdown for each configuration so that I can arbitrarily pick one.

Keep in mind that the house I ultimately choose must cost less than the one I am currently living in. Make sure, however, that you correct all the deficiencies that exist in my current house (the floor of my kitchen vibrates when I walk across it, and the walls don't have nearly enough insulation in them).

As you design, also keep in mind that I want to keep yearly maintenance costs as low as possible. This should mean the incorporation of extra-cost features like aluminum, vinyl, or composite siding. (If you choose not to specify aluminum, be prepared to explain your decision in detail.)

Please take care that modern design practices and the latest materials are used in construction of the house, as I want it to be a showplace for the most up-to-date ideas and methods. Be alerted, however, that kitchen should be designed to accommodate, among other things, my 1952 Gibson refrigerator.

To insure that you are building the correct house for our entire family, make certain that you contact each of our children, and also our in-laws. My mother-in-law will have very strong feelings about how the house should be designed, since she visits us at least once a year. Make sure that you weigh all of thses options carefully and come to the right decision. I, however, retain the right to overrule any choices that you make.

Please don't bother me with small details right now. Your job is to develop the overall plans for the house: get the big picture. At this time, for example, it is not appropriate to be choosing the color of the carpet. However, keep in mind that my wife likes blue.

Also, do not worry at this time about acquiring the resources to build the house itself. Your first priority is to develop detailed plans and specifications. Once I approve these plans, however, I would expect the house to be under roof within 48 hours.

While you are designing this house specifically for me, keep in mind that sooner or later I will have to sell it to someone else. It therefore should have appeal to a wide variety of potential buyers. Please make sure before you finalize the plans that there is a consensus of the population in my area that they like the features this house has.

I advise you to run up and look at my neighbor's house he constructed last year. We like it a great deal. It has many features that we would also like in our new home, particularily the 75-foot swimming pool. With careful engineering, I believe that you can design this into our new house without impacting the final cost.

Please prepare a complete set of blueprints. It is not necessary at this time to do the real design, since they will be used only for construction bids. Be advised, however, that you will be held accountable for any increase of construction costs as a result of later design changes.

You must be thrilled to be working on as an interesting project as this! To be able to use the latest techniques and materials and to be given such freedom in your designs is something that can't happen very often. Contact me as soon as possible with your complete ideas and plans.

PS: My wife has just told me that she disagrees with many of the instructions I've given you in this letter. As architect, it is your responsibility to resolve these differences. I have tried in the past and have been unable to accomplish this. If you can't handle this responsibility, I will have to find another architect.

PPS: Perhaps what I need is not a house at all, but a travel trailer. Please advise me as soon as possible if this is the case.

First Titanic, now this!

In the other news, the largest ship in the world Titanic that was named unsinkable, has sunk.

Comments by the CEO: -Well, you can take it both ways, really, we are defining what Unsinkable really means! The other ship building companies in our field are looking up to us to be half as unsinkable as we are. It's great, really, how our compain brings the best out of this situation.

"We believe the market effect of the 'Unsinkable' campaign raises the unsinkability bar and therefore improves unsinkability overall, both in forcing us to live up to the statement, and forcing others in the industry to begin to do the same," wrote Bruce Ismay. "If our unsinkability today is imperfect but better than the competition, and if customers make a buying decision based on that criteria, than in the long term you will see all products in the market improve."

Larry Ellison is The Rock

I dunno... I think Larry could take Bill.

Larry looks more than a little like The Rock in this photo [oracle.com]. Ever notice how you never see both The Rock and Ellison together at the same time? Hmmm? Coincidence? Perhaps not.

Nobody bothered to read the challenge...

Apparently nobody bothered to read the Oracle challenge. Oracle states that not the database itself, but the database in certain environment, properly configured and secured within the environment is unbreakable, which still is.

The only thing that this researcher proved is that in certain environments you can break in the system, which basicly holds true for every system.

No matter what, you can be sure that contrary to M$, these holes will be worked on 24/7 and fixed like yesterday. :)

Anyway, enjoy you uninformed, senseless bashing and flaming... trolls.

Re:Nobody bothered to read the challenge...

Which means a C2 system with no network access, at Fort Meade and all their couter-measures, and a pack of rapid, hungry hyenas sitting around it in a New York stuido sized apartment.

Yea, we understand what these marketing slogans mean. Unfortunately, nobody has lived up to one yet.

Marketing at work, that's all.

The reality of it is that most DBAs, programmers and database developers in the working world scoffed at the ad campaign the moment it began. Sure, Oracle has a great product, but we all knew it wasn't bulletproof, no matter how may awards for "best of class security" it supposedly won.

The only real losers in this, other than organizations whose Oracle databases were victimized by a security flaw, were the corporate purchasers who were sold on the hype. They'll have to live with the fact that their DBMS isn't "unbreakable." Honestly, though, there are relatively few of those (none I can think of that are well-publicized, at least), as they are usually run on well locked-down *nix boxes.

It's not anything new. It's just agressive advertising. Some might argue that it's false advertising, but that's probably being a bit harsh. It's more like...overly boastful advertising.

I know, let's make the story something it isn't

Come on people. Oracle explained that they used the term "unbreakable" because it passed 14 security audits. Some people say you can't crash linux because it typically doesn't - but it can.

By and large the Oracle products are very good... We use them in some extremely large and significant datawarehousing situations and have probably managed to kill the server once in three years. Many times we've been amazed at what developers have thrown at the server without killing it - Oracle is very good at recovering from users mistakes.

Anyway, I look forward to hearing what the obvious vulnerabilities are - I dread the number of server upgrades to be tested though. The client I'm working for now has about 250 instances registered with their 24*7 DBA team already... You have no idea how hard it can be to choose a unique 4 character SID sometimes. :-)

Long live Oracle... I'm sure Larry won't lose any sleep (or money) over this since it is still clearly the best product out there.

Quote the Security Manager?

As if ANYONE on this site hasn't ever had to explain something that a some moron ^H^H^H^H^H^H manager said could or couldn't be done..

HIS boss is still the boss, wtf is he supposed to say?

slogans slogans slogans

"The more people out there saying they have an unbreakable product, it gives customers a false sense of security," says David Dittrich, senior security engineer at the University of Washington. "I'd rather they boast about having a good programming team, or a good auditing process."

Admittedly, but COME ON Dave, it's just not CATCHY. Slogans are often misleading or linguistically incorrect. Here is a list of "catchy slogans" that are either also false, irrelevant, or just silly enough just to point out.

Slogan [Product/Firm]

• "The real thing" [Coca-Cola] - I feel that I am pretty real, maybe it should be "A real thing"
  
• "Be all you can be." [U.S. Army] - What the hell does this even mean?
  
• "You'll love the way we fly" [Delta Airlines] - And if I don't?
  
• "You're in good hands." [Allstate Insurance] - The cop said I wasn't at fault. The 3 eyewitnesses said the same. Go to hell.
  
• "Just like you, it never quits." [Mennen] - Someone's credulity is running on high. Are you kidding? If it's hard, I give up. "Huh, TV is funner."
  
• "Cool, Crisp, Clear. Obey your thirst." [Sprite] - Too bad I can't patent water.
  
• "Quality is Job 1" [Ford] - HA!
  
• "It's everywhere you want to be." [VISA] - Well, I guess I'm impressed.
  
• "Solutions for a small planet." [IBM] - This is for the most part true. Yes, they do provide "solutions" and this is a relatively small planet.
  
• "We try harder." [Avis Car Rental] - Harder than what? Yesterday?
  
• "I love what you do for me." [Toyota] - Am I supposed to love what THEY do for ME or what I do for THEM?
  
• "Just slightly ahead of our time." [Panasonic] - No, Billy you can't travel into the future I don't care what the Panasonic commercial said.
  

Re:slogans slogans slogans

Advertising is by nature deceptive. They try to leave out things that would make you not want to buy the product. Here's my take on what they didn't say, but might have meant.

- "The real thing" [Coca-Cola] - if you conclude that thing is meant to be a reference to Coca-Cola, then "The real thing" is a reference to the version of Coca-Cola that they sell, as opposed to the imaginary version that the product development team is currently working on.

- "You'll love the way we fly" [Delta] - you will, at some point in the future, love the way we fly. That point in time, however, is unlikely to be now or anywhere near your flight date.

- "Quality is job 1" [Ford] - Everything else is job 0...every computer person should know that one is hardly a logical starting place.

- "We try harder" [Avis] - ...than we could. This is actually a veiled threat.

- "Just slightly ahead of our time" [Panasonic] - All of our offices are located just west of the beginning of the timezones. So, while it's technically 10:00am, are time appears closer to 10:02. We didn't say we were way ahead of our time, just slightly.

It was a marketing ploy

It was a marketing ploy and any professional administator who looked at and said "wow, unbreakable, lets buy it" probably wasn't a professional at all.

It's not surprising that a system as complex as Oracle is going to have security flaws. However if you mistaken believed that Oracle had created the perfect piece of software, may I suggest you stow it away in the closet next to your Abdominizer and set of stay-sharp-steak-knives.

Operating systems

"The Oracle database server itself runs on some sixty odd different operating systems," says Litchfield.

First I have to say I'm impressed, I had no idea. Secondly, what are those 60 different operating systems? Does anybody have a list? BSD, Linux, Windows, sun, novell, QNX, MacOS in all their flavors.

But what is the rest?

Re:Operating systems

Other are just ports.

Well, yes and no. Oracle is developed in two layers, VOS or "Virtual Operating System" abstracts all the primitives like threads, pipes, file handling etc from the underlying OS, and Oracle itself, which is written to VOS APIs. So the core Oracle engineering team code for pure functionality, and the VOS teams keep their APIs in sync with each other on different platforms. If Oracle want to target a new OS or platform, they simply develop a VOS for it.

I believe the Oracle engineers work on Suns, but they are targetting VOS, not Solaris directly.

That's why you have to start the service before you can start the instance on NT. Win32 is sufficiently different from Unix-like systems to need an environment in place before starting Oracle, whereas Unix-like systems can just link the VOS into the main binary. It needs to work like this because Oracle is Oracle, on any platform, once you log into SQL*Plus, it's exactly the same. Oracle is more complex than many operating systems, it provides its own scheduling, resource quotas (storage and CPU), IPC mechanisms (AQ, DBMS_PIPE, DBMS_ALERT, etc), programming languages (PL/SQL and Java) and a whole lot more. It is a platform in its own right.

irony

From the SecurityFocus article:

But Oracle chief security officer Mary Ann Davidson says the criticism is unfair. In an emailed response to Mullen's commentary, Davidson wrote that Oracle is giving the holes reported by Litchfield the "highest priority," but suggested that everything depends on what your definition of "unbreakable" is.

Rather than representing a literal claim that Oracle's products are impregnable, the campaign "speaks to" fourteen independent security evaluations that Oracle's database server passed, Davidson wrote, and "represents Oracle's commitment to a secure product lifecycle for our entire product suite."

So Oracle says it's fair that they assert that their software is unbreakable when it is not, but they say it's unfair when others criticize their misleading and errant claim. What's wrong with this picture?

Not "unbreakable", but "is unbreakable"

..."unbreakable" doesn't really mean unbreakable, or something...
Oracle said that 9i "is unbreakable". As President Clinton could easily tell you [pitt.edu], the key word here is 'is'.

What about PostgreSQL?

How does PostgreSQL compare to Oracle? Is PostgreSQL more or less secure than Oracle? I don't know. I've never heard of a problem with it nor have I had one. Is PostgreSQL faster or slower than Oracle? I don't know, and apparently Oracle desperately doesn't want anyone to find out. From benchmarks that have had Oracle results deleted [jamesthornton.com] to benchmarks that someone (I wonder who?) has gotten the ISP to remove [angelfire.com] for "violation of our Terms of Service" (this used to be a benchmark), Oracle is very aggressive in preventing anyone from finding out how their database really performs. I wonder why? (However what might be another version of the second benchmark seems to have survived [angelfire.com] by carefully avoiding the mention of names of proprietary products.) All I know is that after trying to deal with the bloat of Oracle on a less-than-mainframe-class PC, PostgreSQL was a lean, mean breath of fresh air. Converting PL/SQL to PL/pgSQL was easy [postgresql.org], too.

Hmm, well....

When I used to use Oracle it was unbreakable. The only people who had complete access was the DBA and some guy named Scott Tiger....

Re:All software is breakable -

Well, because Forth to understand, like Yoda you must speak, that is.

Chris Mattern

Larry Ellison

Ellison to me is just a Bill Gates who never got the chance. He doesn't want Microsoft toppled as a monopoly because Microsoft is bad for consumers; he wants Microsoft toppled so he can treat consumers badly and profit from it. He's just a less successful version of Bill Gates in my mind.

FUD like this "unbreakable" business just proves that he's cut from the same mold. What's truly sad is that our society selects people like Ellison and Gates as leaders because ruthlessness is a competitive advantage - and I mean "selects" in the evolutionary sense.

Oracle: the unbreakable national ID card. The whole idea gives me chills.