Oracle Breakable After All 878

Posted by CmdrTaco
from the well-duh dept.
Billy writes "Unless you've been living in a cave, you've seen Oracle's Unbreakable campaign (Can't break it. Can't break in.), which was kicked-off by Larry Ellison personally at Comdex last November. Now U.K. security researcher David Litchfield says you can break in, thanks to at least seven different security holes in Oracle 9i, according to this SecurityFocus story. Oracle's top security manager is quoted as saying that "unbreakable" doesn't really mean unbreakable, or something."


  • by Anonymous Coward
    Unless you've been living in a cave, you've seen Oracle's Unbreakable campaign

    I guess I've been living in a cave.
  • by NiftyNews (537829) on Wednesday January 16, 2002 @04:32PM (#2850685) Homepage
    Wouldn't it be great if the inverse also worked?

    MS could just announce that "Our software code is like swiss cheese when it comes to security" and #POOF#, all the holes would be sealed for good.
  • by ViceClown (39698) on Wednesday January 16, 2002 @04:33PM (#2850688) Homepage Journal
    • Liability (Score:4, Insightful)

      by JabberWokky (19442) <slashdot.com@timewarp.org> on Wednesday January 16, 2002 @05:49PM (#2851274) Homepage Journal
      I brought up the topic of Liability for software bugs with my Dad (he's a VP at one of the big banks). He replied that the current software companies would be "shot in the street". Now, I was confused until he explained: "Shot in the Street" simply means that the public and government would turn on them so hard legally that they would be driven out of business. Sure, some people would have legitimate grounds for a lawsuit, but most would be pressing legal action for their "piece of the pie". The companies (we were discussing MS in particular) wouldn't even have the *option* of beefing up QA and addressing the issues.

      The more I've thought about this, the more likely it seems. And a key aspect to this is that my OS vendor, SuSE, and ilk (Red Hat, Mandrake, etc) would be nailed just as much as MS, except with less money in the bank, they would be killed much more swiftly. Now, two of those are outside of the USA, so it's not a direct correlation, but there are some serious ramifications to software liability that occur in as reactive a society as we have today.

      Certainly this announcement would instantly have a dozen law firms seeking people running Oracle to launch a multi-billion dollar suit of some flavor. And while certainly not "unbreakable", and (IMO) a bit overpriced, Oracle being available is a Good Thing. Of course they have holes. I'm equally sure that they will likely address them quickly (Quickly being relative to the company involved). Introducing *sane* liability (at least in America) is going to be very difficult in a society that is making it nigh impossible to be a medical doctor, and is driving up medical costs due to the extensive CYA documentation (videotapes, extensive reports, etc) now required by industry insurance.

      --
      Evan "I'm pretty sure this is ontopic" E.

  • ...unsinkable didn't mean unsinkable, after all...
  • Security Myth (Score:2, Insightful)

    by Partisan01 (547933)
    I think the flaw here was that Oracle claimed that no one can break into their software. There's always going to be a way to get into software. It just might take a while. Unless some security team audited every single line of code over and over, which I can't imagine seeing the size of the software, there's going to be some holes. To make a truly secure piece of software some performance is risked. From what I know of Oracle they pride themselves on performance. So my money says that they took care of the big holes, and missed a few of the smaller harder to exploit holes.

    Nate Tobik
    • yeah, but how to get a security analysis for free?
      Announce your software is unbreakable :)
    • Re:Security Myth (Score:3, Flamebait)

      by Brendan Byrd (105387)
      So my money says that they took care of the big holes

      Oh really? A buffer overflow isn't a big hole? Buffer overflow bugs can be prevented by a middle-school hacker. This is elementary stuff. Doesn't anybody believe in putting limits on characters? This is simple to prevent.

      Why are there STILL companies that fall victim to buffer overflow holes?!
      • by Tom7 (102298) on Wednesday January 16, 2002 @08:01PM (#2851880) Homepage Journal
        > Buffer overflow bugs can be prevented by a
        > middle-school hacker. This is elementary stuff.
        > Doesn't anybody believe in putting limits on
        > characters? This is simple to prevent.

        This is pure bullshit. Are the programmers of
        Apache, IIS, Half-Life, Quake 3 Arena, Perl, SSHD, glibc, wu_ftpd, or BIND at the middle school level? Windows NT? How about the linux kernel? All have had buffer overflows, and I'll bet that many of them still do.

        Unfortunately it is not always as simple as "putting limits on characters". The simple fact is that the C language is practically designed to make buffer overflow bugs easy to write and easy to exploit.

        I agree with you that buffer overflows are serious, though. That's why I think it is ridiculous that we still write security-critical network software in C. Sometimes it is hard to get around, like in the linux kernel when you need to do hardware access (a microkernel architecture might make it easier to write certain parts in higher-level languages). You might argue that performance would be impacted (I don't think this is true, especially with network software where the network is the real bottleneck), but even this argument falls through for 99% of users, since most users are far from full utilization of their processor. However, almost all users *are* affected by security holes.
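The "putting limits on characters" the two posters above argue about is a real thing in C, but it has to be done on every copy and it has to decide what happens when the input does not fit. The block below is an added example written for this thread, not code from any poster or from Oracle: it puts the unbounded copy that causes the trouble next to two bounded versions, one that truncates and reports it, one that refuses input that does not fit. `NAME_MAX_LEN` and the sample strings are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed for the example: a fixed-size field such as a user name. */
#define NAME_MAX_LEN 16

/* The pattern behind most of the overflows the thread lists: the
 * destination has a fixed size, but nothing bounds the copy. Shown only
 * for contrast; it is never called with an over-long string here. */
void copy_unbounded(char dst[NAME_MAX_LEN], const char *src)
{
    strcpy(dst, src);   /* writes strlen(src)+1 bytes whatever NAME_MAX_LEN is */
}

/* Bounded variant 1: copy what fits and always NUL-terminate.
 * Returns 1 if the input was cut, 0 if it fit, -1 if dst has no room at all,
 * so a caller can log or reject silently truncated data. */
int copy_truncating(char *dst, size_t dst_size, const char *src)
{
    size_t n;
    if (dst_size == 0)
        return -1;
    n = strlen(src);
    if (n >= dst_size) {                 /* no room for the terminator */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Bounded variant 2: reject anything that does not fit instead of
 * truncating. Uses memchr so it never reads past dst_size bytes of src
 * either. Returns 0 on success, -1 (dst untouched) on rejection. */
int copy_or_reject(char *dst, size_t dst_size, const char *src)
{
    const char *end;
    if (dst_size == 0)
        return -1;
    end = memchr(src, '\0', dst_size);   /* terminator within dst_size bytes? */
    if (end == NULL)
        return -1;                       /* src is at least dst_size long */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

int main(void)
{
    char name[NAME_MAX_LEN];
    /* Constructed inputs: one that fits, one of 40 characters that does not. */
    const char *ok = "alice";
    const char *too_long = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
    int rc;

    rc = copy_or_reject(name, sizeof name, ok);
    printf("reject variant, short input:  rc=%d name=\"%s\"\n", rc, name);
    rc = copy_or_reject(name, sizeof name, too_long);
    printf("reject variant, long input:   rc=%d name=\"%s\" (unchanged)\n", rc, name);
    rc = copy_truncating(name, sizeof name, too_long);
    printf("truncate variant, long input: rc=%d name=\"%s\" (%zu chars)\n",
           rc, name, strlen(name));
    return 0;
}
```

Both bounded versions take the destination size as a parameter rather than trusting a constant baked into the callee; the rejecting version is the one to prefer where truncation would change the meaning of the data (a path, a host name), and the truncating version only where losing the tail is acceptable and the return value is actually checked.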
    • Too true (Score:5, Funny)

      by Mr. Fred Smoothie (302446) on Wednesday January 16, 2002 @05:33PM (#2851166)
      "Hello, helpdesk? I forgot my Oracle password."

      "Hello, helpdesk? I need to edit the Oracle config files, and I forgot the Oracle user's unix password."

      "Hello, helpdesk? Brad Pitt's a friend of mine and will go out with you if you give me the root password for the Oracle box."

  • by Sawbones (176430) on Wednesday January 16, 2002 @04:38PM (#2850731)
    given the many discussions on /. of late re: full disclosure of security holes, partial disclosure, disclosure to the company only, etc - what does the crowd here think of the way these exploits have been handled? The story says the Litchfield has commented publicly and explicitly on the nature of one of the holes that already has a patch available, but that he's holding close the holes that have patches still under development.

    I guess another question would be, while Oracle is by no means a small company, if the company name started with an M and ended with 'icrosoft' would we be demanding more information?
  • Mirror: (Score:3, Informative)

    by Saint Aardvark (159009) on Wednesday January 16, 2002 @04:39PM (#2850733) Homepage Journal
  • by _DMan_ (105238) on Wednesday January 16, 2002 @04:39PM (#2850736)
    Oracle9i. Unbreakable. Can't break it. Can't break in.

    Legally they are correct. The DMCA says you can't break it, and various other laws say you can't break in.
    • If they'd said "You may not break it" then maybe you'd have something...

      Wasn't there some kind of cash prize for anyone who could break an oracle db?

  • by gpinzone (531794) on Wednesday January 16, 2002 @04:40PM (#2850743) Homepage Journal
    ...impossible claim proved wrong. Film at eleven. I can't tell if Ellison's claim that Oracle was bulletproof was the act of a madman or genius. Why genius? Nothing gets security experts to test your software with such vigor than when you tell them it's invulnerable. Question is, does this make the NSA more or less secure in choosing Oracle products?
  • by dildofire (308572) on Wednesday January 16, 2002 @04:41PM (#2850758)
    i would have to loved to have been a fly on the wall in the oracle engineering department the day ellison announced that their software was unbreakable. i guarantee you the engineers at oracle wouldn't have supported that campaign, if they even knew about it before ellison announced it at comdex. it's tough enough to keep your software secure when your ceo isn't directly taunting every hacker in the world.
    • by Sir Tristam (139543) on Wednesday January 16, 2002 @05:16PM (#2851012)
      i would have to loved to have been a fly on the wall in the oracle engineering department the day ellison announced that their software was unbreakable.
      Well, here's how the conversation went:
      Dilbert [dilbert.com]: Hey, Wally! Larry just announced that 9i's unbreakable! I guess this means we can stop working on those bug-fixes.
      Wally: Way ahead of you there.
      Chris Beckenbach
  • by Quazion (237706) on Wednesday January 16, 2002 @04:43PM (#2850773) Homepage
    Didn't they start this campaign to get 'hacked' ? so they could close some more holes they couldn't find themselves ?

    Now i wonder, it worked they already found 7!

    Quazion.
    • i guess that would make sense. daring the entire world to hack your platform would be one way to make it secure. but it seems that if you've got live customers running the software, they may not appreciate being made into targets for hackers.

      i tend to think that this campaign was purely a marketing thing, not an engineering decision. i know i would prefer to keep the software in qa a little longer, rather than take on the world. i mean, if they still had buffer overflow errors in the code, it's far from unbreakable. don't you think they would've cleared out all the obvious bugs if it was their decision. gotta love runaway execs.
  • By essentially daring people to find holes, Oracle gets QA for the cost of embarrassment, which I suspect for L.E. is about one cent.
  • by denzo (113290) on Wednesday January 16, 2002 @04:44PM (#2850778)
    the guy who wants all Americans to be on a unified national ID card, having all our personal information in a central database.

    That leaves me feeling warm and fuzzy inside.

    • When you get to the airport, they want to see your Larry-Ellison-approved National ID Card, or at least several forms of ID, take off your hat, jacket, shoes, belt, cellphone, beeper, PDA, and steel hip joint, and then decide whether to let you ride on the airplane you bought a ticket for. But when Larry Ellison gets to the airport, he gets on his own plane. Does he have to go through the security gate where they check his National ID card and say "Sorry, Mr. Ellison, you've gotten 15 tickets for violating quiet hours at San Jose Airport by landing after midnight, so we're not going to take the Big Orange Boot off your airplane wheel unless you show us a flight plan that gets you in by 11pm?" Not bloody likely.
    • by FallLine (12211)
      Where did he say he wants _all_ our information in a central database? There is a world of difference between having a reasonably secure national ID system that contains reasonable identification measures and _all_ of information (e.g., habits, medical history, etc) in one system. As much as I find Ellison a despicable person, please do not put words in his mouth or misrepresent the words of anyone that might advocate this. It may well be true that he wants that to sell his product, but that's not the same as actually advocating that. Furthermore, this same argument could be said for MS or the developers of mysql even...
  • by RoscoHead (162604) on Wednesday January 16, 2002 @04:45PM (#2850788)

    "The Oracle database server itself runs on some sixty odd different operating systems,"


    How many non-odd operating systems does it run on??
    • How many non-odd operating systems does it run on??

      Have you turned on a computer lately? We've got desk lamp appearing things that have buttons that look like they should be licked instead of clicked. We've got most beige boxes being upgraded to Fisher Price's My First GUI. We've got most of the remainder running a GUI which answers "how many widget sets can you fit into a phone booth". And we've got operating systems designed by the occasional upstart company who thinks they can suddenly "break in" to a saturated market dominated by network effects and owned by organizations who all agree that giving your product away for free is at least better than letting the competition make money.

      There are no non-odd operating systems.
  • Had an argument about this awhile back.....the database listener services are not usually trusted as a secure thing for the outside world in my somewhat limited experience, there is always some kind of application layer as the public interface to these things (these days the outside world's interface is often HTTP based), particularly for services accessed over a WAN. How many people out there have oracle listening to an open port on the internet ?
    • by The Man (684) on Wednesday January 16, 2002 @04:52PM (#2850845) Homepage
      Of course we would hope people would not expose the database to the world, but there are plenty of people who do. And more interestingly, the database is usually exposed to some internal networks (for example, a database for financials might sit well inside a firewall in the accounting department - on a corporate network). So there is still risk at least from people who can compromise firewalls, bypass poor security checks in applications, or from disgruntled employees.

      The fact that defense in depth is a good idea does not justify allowing one of the layers to be weak. The defenses at every level should be as strong as possible, and that ideally means a bug-free app server and a bug-free database.

  • by eclectro (227083) on Wednesday January 16, 2002 @04:47PM (#2850807)


    If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization.

    (this is twenty years old)
    • I hate that quote.
      When we have been programming for as long as we have been building things, then that quote will be valid.
      I am willing to bet that the buildings that were built during the first 50 years the human race had been building buildings weren't all that good.

      Yikes, what a sentence.
      • Yes, it's a well-known fact that several civilizations were wiped out when their stone roofs collapsed into the straw huts they put them on.
      • I agree. Let me point out that the first buildings were most likely in a poorer state in their beginnings than programs were. They were certainly at least as bad, and I don't think I need to point out that the first woodpecker did NOT destroy civilization.


        Besides, buildings now are not bulletproof:


        catch(Exception caughtFire) { building.burnDown(); }


        Anything not used as expected will cause problems, at least with code we have more room to work.

    • by AnotherBlackHat (265897) on Wednesday January 16, 2002 @05:14PM (#2851000) Homepage
      Attributed to osiris@halcyon.halcyon.com (J.David Ruggiero)

      Dear Mr. Architect:
      Please design and build me a house. I am not quite sure of what I need, so you should use your discretion.

      My house should have between two and forty-five bedrooms. Just make sure the plans are such that the bedrooms can be easily added or deleted. When you bring the blueprints to me, I will make the final decision of what I want. Also, bring me the cost breakdown for each configuration so that I can arbitrarily pick one.

      Keep in mind that the house I ultimately choose must cost less than the one I am currently living in. Make sure, however, that you correct all the deficiencies that exist in my current house (the floor of my kitchen vibrates when I walk across it, and the walls don't have nearly enough insulation in them).

      As you design, also keep in mind that I want to keep yearly maintenance costs as low as possible. This should mean the incorporation of extra-cost features like aluminum, vinyl, or composite siding. (If you choose not to specify aluminum, be prepared to explain your decision in detail.)

      Please take care that modern design practices and the latest materials are used in construction of the house, as I want it to be a showplace for the most up-to-date ideas and methods. Be alerted, however, that kitchen should be designed to accommodate, among other things, my 1952 Gibson refrigerator.

      To insure that you are building the correct house for our entire family, make certain that you contact each of our children, and also our in-laws. My mother-in-law will have very strong feelings about how the house should be designed, since she visits us at least once a year. Make sure that you weigh all of these options carefully and come to the right decision. I, however, retain the right to overrule any choices that you make.

      Please don't bother me with small details right now. Your job is to develop the overall plans for the house: get the big picture. At this time, for example, it is not appropriate to be choosing the color of the carpet. However, keep in mind that my wife likes blue.

      Also, do not worry at this time about acquiring the resources to build the house itself. Your first priority is to develop detailed plans and specifications. Once I approve these plans, however, I would expect the house to be under roof within 48 hours.

      While you are designing this house specifically for me, keep in mind that sooner or later I will have to sell it to someone else. It therefore should have appeal to a wide variety of potential buyers. Please make sure before you finalize the plans that there is a consensus of the population in my area that they like the features this house has.

      I advise you to run up and look at my neighbor's house he constructed last year. We like it a great deal. It has many features that we would also like in our new home, particularly the 75-foot swimming pool. With careful engineering, I believe that you can design this into our new house without impacting the final cost.

      Please prepare a complete set of blueprints. It is not necessary at this time to do the real design, since they will be used only for construction bids. Be advised, however, that you will be held accountable for any increase of construction costs as a result of later design changes.

      You must be thrilled to be working on as interesting a project as this! To be able to use the latest techniques and materials and to be given such freedom in your designs is something that can't happen very often. Contact me as soon as possible with your complete ideas and plans.

      PS: My wife has just told me that she disagrees with many of the instructions I've given you in this letter. As architect, it is your responsibility to resolve these differences. I have tried in the past and have been unable to accomplish this. If you can't handle this responsibility, I will have to find another architect.

      PPS: Perhaps what I need is not a house at all, but a travel trailer. Please advise me as soon as possible if this is the case.
      • what makes you think construction isn't like this?

        Programming is no more complex or harder or easier than any of a number (undetermined) of other disciplines. Building happens to be a particularly apt comparison. Why do you think there are so many borrowed terms, like, for instance 'build'?
    • Programmers aren't craftsmen. I'm a programmer and I'll admit that.

      Part of it is the tools. A builder uses a hammer to drive a nail into a 2x4. It doesn't matter who made the hammer, it's going to work the same way. That's not quite the same with any development tool. Besides, how many programmers expect their code to still be in use after they die? How many programmers even feel it's their responsibility to fix something after the contract's done?
    • The unique thing about software is that it is infinitely clonable. Once you've written a subroutine, you can call it as often as you want. This means that almost everything we do as software developers is something that has never been done before. This is very different than what construction workers do. Herman the Handyman, who just installed a tile floor for me, has probably installed hundreds of tile floors. He has to keep installing tile floors again and again as long as new tile floors are needed. We in the software industry would have long since written a Tile Floor Template Library (TFTL) and generating new tile floors would be trivial.

      from http://www.joelonsoftware.com/news/fog0000000337.html [joelonsoftware.com]
  • The Germans also thought the same about Enigma...
  • by roman_mir (125474) on Wednesday January 16, 2002 @04:49PM (#2850822) Homepage Journal
    In the other news, the largest ship in the world Titanic that was named unsinkable, has sunk.

    Comments by the CEO: -Well, you can take it both ways, really, we are defining what Unsinkable really means! The other ship building companies in our field are looking up to us to be half as unsinkable as we are. It's great, really, how our campaign brings the best out of this situation.

    "We believe the market effect of the 'Unsinkable' campaign raises the unsinkability bar and therefore improves unsinkability overall, both in forcing us to live up to the statement, and forcing others in the industry to begin to do the same," wrote Bruce Ismay. "If our unsinkability today is imperfect but better than the competition, and if customers make a buying decision based on that criteria, then in the long term you will see all products in the market improve."
    • I did not mean to be funny, damn it! It was supposed to be Insightful. I dug out Bruce Ismay's name for xxx's sake!
    • Great, so Clinton's wrangling over the true meaning of the word 'is' has spilled over into the marketing gurus at major companies... this is just double unplus good.
    • Interesting you should mention that they are defining what "unsinkable" should mean. Check out this garbage:

      While Oracle's vulnerabilities are no greater in number or severity than those found in other major software products, some experts charge that the steady stream of security holes transforms "unbreakable" from a harmless marketing gimmick into a potentially dangerous misstatement.

      They should have said: "Unbreakable compared to Sendmail", or "Unbreakable compared to MS SQL server with the default password". Or how about "Unbreakable compared to BIND"?

      Also notice in the quote I pasted the last word: "misstatement".

      WTF is a misstatement? The author isn't George Orwell, so there is no reason for him to use DoubleSpeak. It's a lie. Call it what it is and stop being a lying wimp.

  • Larry would likely end up in prison for some of the inflammatory stuff he says, if he weren't one of the richest asshoerr guys in the world. Imagine his mouth vs. a cop, judge, jury..

    Hell, i'd like to see a Gates vs. Ellison boxing match on pay-per-view, as long as the money didn't go to either of them (and they had to match 1000 to 1). Seeing as they are both a little lanky, it could be interesting. Just let them use physical equivalents of business tactics.

    I'm sure oracle has to struggle to meet the goals spewed larry's big mouth. A "The president just said WHAT on national tv" type response, i.e. NASA in the 60's.
  • What happens when Unbreakable Larry Elliott's Unsinkable ego runs into an iceberg called reality?

    Thrill as the largest man-made ego in the world shows it too can make a mistake! Gasp as the master engineer makes a crucial error that sinks the RMS Unbreakable! Cry as the star-crossed developers try to escape the sinking PR disaster! Bemoan the lack of escape boats for the VPs who will pay for Ellison's boast!

    I swear, can't tell who we need to get first, Gates or Ellison. Neither one is good for computing.
  • by aralin (107264) on Wednesday January 16, 2002 @04:54PM (#2850861)
    Apparently nobody bothered to read the Oracle challenge. Oracle states that not the database itself, but the database in certain environment, properly configured and secured within the environment is unbreakable, which still is.

    The only thing that this researcher proved is that in certain environments you can break in the system, which basically holds true for every system.

    No matter what, you can be sure that contrary to M$, these holes will be worked on 24/7 and fixed like yesterday. :)

    Anyway, enjoy your uninformed, senseless bashing and flaming... trolls.

    • by Hangtime (19526) on Wednesday January 16, 2002 @05:06PM (#2850950) Homepage
      Which means a C2 system with no network access, at Fort Meade and all their counter-measures, and a pack of rabid, hungry hyenas sitting around it in a New York studio sized apartment.

      Yea, we understand what these marketing slogans mean. Unfortunately, nobody has lived up to one yet.
    • Oh, come on... read their marketing fluff...

      From http://www.oracle.com/ip/deploy/database/oracle9i/index.html?content.html [oracle.com]

      The Unbreakable Database Can't break it. Can't break in. Oracle9i Database won't go down if your server fails and won't go down if your site fails. What's more, Oracle holds 14 international security evaluations. IBM DB2 has none. Microsoft SQL Server has only one.

      If you *can* break it, which clearly you can, their marketing campaign is untrue. Saying "read the fine print" is making excuses for typical marketingese (or, more likely, Ellisonese). If they still try to say that 9i is "unbreakable," they'll be a laughingstock.

      • Hmmm when my server fails, and locks up completely I'm willing to bet that Oracle has gone down as well, and when the power gets cut I'm almost positive. Of course there's no way to prove this case, you can make an inductively strong argument, but it's even worse than seeing what happens to the light in the refrigerator when you close it, at least in that situation you can close the fridge while you're in it.
        • it's even worse than seeing what happens to the light in the refrigerator when you close it, at least in that situation you can close the fridge while you're in it.

          Oh go on, upload your brain into your dual-Pentium 4 server then provoke it into blue-screening. Dare ya!

    • And of course those certain environments and configurations would be:
      • Unplugged from any network
      • Unplugged from any power source
      Otherwise there will be some hole to exploit...one cannot expose features without also exposing some vulnerability (be it only social hacking)
    • No matter what, you can be sure that contrary to M$, these holes will be worked on 24/7 and fixed like yesterday. :)

      As opposed to most of MS's exploits, which had patches out like 3 months before the exploit became widespread.
  • by mystery_bowler (472698) on Wednesday January 16, 2002 @04:55PM (#2850870) Homepage
    The reality of it is that most DBAs, programmers and database developers in the working world scoffed at the ad campaign the moment it began. Sure, Oracle has a great product, but we all knew it wasn't bulletproof, no matter how many awards for "best of class security" it supposedly won.

    The only real losers in this, other than organizations whose Oracle databases were victimized by a security flaw, were the corporate purchasers who were sold on the hype. They'll have to live with the fact that their DBMS isn't "unbreakable." Honestly, though, there are relatively few of those (none I can think of that are well-publicized, at least), as they are usually run on well locked-down *nix boxes.

    It's not anything new. It's just aggressive advertising. Some might argue that it's false advertising, but that's probably being a bit harsh. It's more like...overly boastful advertising.

  • by Anonymous Coward on Wednesday January 16, 2002 @04:56PM (#2850881)
    Come on people. Oracle explained that they used the term "unbreakable" because it passed 14 security audits. Some people say you can't crash linux because it typically doesn't - but it can.

    By and large the Oracle products are very good... We use them in some extremely large and significant datawarehousing situations and have probably managed to kill the server once in three years. Many times we've been amazed at what developers have thrown at the server without killing it - Oracle is very good at recovering from users mistakes.

    Anyway, I look forward to hearing what the obvious vulnerabilities are - I dread the number of server upgrades to be tested though. The client I'm working for now has about 250 instances registered with their 24*7 DBA team already... You have no idea how hard it can be to choose a unique 4 character SID sometimes. :-)

    Long live Oracle... I'm sure Larry won't lose any sleep (or money) over this since it is still clearly the best product out there.
    • Is it source-code-level certification? If so, then the value of the certification would seem extremely lame if they can't catch a buffer overflow.

      If it's "let's attack the binary and see if we can break it", that's potentially harder to catch something like this, but then again, how hard can it be to see if the binary links against the system C library at the known offsets of gets, fgets, sprintf, etc.

      What would be lamest of all is if the certification process goes something like, "What's your security engineering process? Oh, sounds secure to us."

    • We use them in some extremely large and significant datawarehousing situations and have probably managed to kill the server once in three years

      Then you certainly have not tried the following thing:
      -Install forms 4.5 now. Forms 4.5 is year 2000 compliant, the installer crashes (!)(there is a patch but.....)
      -use plsql records in a 7.3.4. DB. Bye bye instance.
      -use designer 2000 1.2.

      and the list goes on and on.
    • Oracle 8i not only failed to be SQL99 compliant, but wasn't even compliant with SQL92! Certainly it may be scalable (upwards... it sure as hell ain't downwards-scalable) and more reliable than most smaller solutions, but "very good" is not a label I can see applying to a product that doesn't even make a serious effort to be standards-compliant.
  • After reading the article, it struck me as funny how things never change. There are tons of PHB's out there buying up any big flashy ad in their free (if you fill out free survey, otherwise pay $XXX a year) industry mags. I am a Windows user (yeah yeah) but at least I am not stupid enough to buy anything first from Microsoft until they come out with one service pack first. Of course, here at unnamed large x86 cpu company (my company contracts here), they have decided to move to Microsoft's tune within 90 days of them releasing a product. So we have people (not just IT people, HR people, finance people) etc... installing the wonderful IT "engineered" version of WinXP. (Don't get me started on how in the world they think they make Microsoft's stuff more stable through their "engineering".) That anyone would buy into Larry's BS is bizarre. But the PHB's are entirely ignorant of the real world and would gladly believe that Windows XP is crashproof and utterly stable if Bill told them so. I hope somebody has their Oracle9i system hacked and then sues Oracle for false advertising, amongst other things. --Shango
    • We all know there is a difference between the real world and what we see in meetings.

      I tend to think Larry put this challenge out to get free security testing from the community. The engineers knew his announcement would be heard as "I fart in your general direction" and geared up the patch writers accordingly.

      Yes, some sorry PHB will only remember the campaign, not the bugs. Yes, sales will increase. Perhaps that was the goal, not the free bug testing... but you can't ignore either benefit for Oracle.
  • by Havokmon (89874) <rick&havokmon,com> on Wednesday January 16, 2002 @05:01PM (#2850916) Homepage Journal
    As if ANYONE on this site hasn't ever had to explain something that some moron ^H^H^H^H^H^H manager said could or couldn't be done..

    HIS boss is still the boss, wtf is he supposed to say?
  • by ekephart (256467) on Wednesday January 16, 2002 @05:02PM (#2850919) Homepage
    "The more people out there saying they have an unbreakable product, it gives customers a false sense of security," says David Dittrich, senior security engineer at the University of Washington. "I'd rather they boast about having a good programming team, or a good auditing process."

    Admittedly, but COME ON Dave, it's just not CATCHY. Slogans are often misleading or linguistically incorrect. Here is a list of "catchy slogans" that are either also false, irrelevant, or just silly enough just to point out.

    Slogan [Product/Firm]
    • "The real thing" [Coca-Cola] - I feel that I am pretty real, maybe it should be "A real thing"
    • "Be all you can be." [U.S. Army] - What the hell does this even mean?
    • "You'll love the way we fly" [Delta Airlines] - And if I don't?
    • "You're in good hands." [Allstate Insurance] - The cop said I wasn't at fault. The 3 eyewitnesses said the same. Go to hell.
    • "Just like you, it never quits." [Mennen] - Someone's credulity is running on high. Are you kidding? If it's hard, I give up. "Huh, TV is funner."
    • "Cool, Crisp, Clear. Obey your thirst." [Sprite] - Too bad I can't patent water.
    • "Quality is Job 1" [Ford] - HA!
    • "It's everywhere you want to be." [VISA] - Well, I guess I'm impressed.
    • "Solutions for a small planet." [IBM] - This is for the most part true. Yes, they do provide "solutions" and this is a relatively small planet.
    • "We try harder." [Avis Car Rental] - Harder than what? Yesterday?
    • "I love what you do for me." [Toyota] - Am I supposed to love what THEY do for ME or what I do for THEM?
    • "Just slightly ahead of our time." [Panasonic] - No, Billy you can't travel into the future I don't care what the Panasonic commercial said.
    • "Quality is Job 1" [Ford]

      That's not misleading. In the 80s, it just meant they can't even get the first step right.

      "We try harder." [Avis Car Rental]

      Good. I'll try just as hard to pay my bill.

      "Just slightly ahead of our time." [Panasonic]

      In some ways, this one might be the worst of them all. Many innovations have been ahead of their time yet fallen by the wayside. Just because it's better doesn't mean it will last (BetaMax). Maybe they should change their name to "Gamble your paycheck on our product's longevity."
    • by curunir (98273) on Wednesday January 16, 2002 @06:22PM (#2851417) Homepage Journal
      Advertising is by nature deceptive. They try to leave out things that would make you not want to buy the product. Here's my take on what they didn't say, but might have meant.

      - "The real thing" [Coca-Cola] - if you conclude that thing is meant to be a reference to Coca-Cola, then "The real thing" is a reference to the version of Coca-Cola that they sell, as opposed to the imaginary version that the product development team is currently working on.

      - "You'll love the way we fly" [Delta] - you will, at some point in the future, love the way we fly. That point in time, however, is unlikely to be now or anywhere near your flight date.

      - "Quality is job 1" [Ford] - Everything else is job 0...every computer person should know that one is hardly a logical starting place.

      - "We try harder" [Avis] - ...than we could. This is actually a veiled threat.

      - "Just slightly ahead of our time" [Panasonic] - All of our offices are located just west of the beginning of the timezones. So, while it's technically 10:00am, our time appears closer to 10:02. We didn't say we were way ahead of our time, just slightly.
    • > "We try harder." [Avis Car Rental] - Harder than what? Yesterday?

      You're too young, no doubt, to remember the Slogan Wars between Avis and Hertz of the early 60's.

      In those days, it was considered taboo for an advertiser to directly mention the competitor's product when making comparisons. In fact, it was quite a shock when, in the mid 1970's we started seeing TV commercials where one brand explicitly stated that their product was better than a specific competitor's product. It's pretty common now, but you never saw it back in the day.

      Anyway, some consumer survey gave Hertz marketroids the idea that they were the #1 car rental company (in an unbound domain, with unspecified terms, naturally). Hertz went to town with this "fact." Worthy of note, the Hertz sign atop the infamous Texas School Book Depository building.

      Avis countered Hertz with their own ingenious slogan: various flavors "We're #2, but we try harder."

      At the same time, they made yet another marketing innovation -- they designed all their ads so that they could be distinguished at a distance of 40 feet. Thank Helmut Krone for that.
  • by nzhavok (254960) on Wednesday January 16, 2002 @05:05PM (#2850938) Homepage
    It was a marketing ploy and any professional administrator who looked at it and said "wow, unbreakable, let's buy it" probably wasn't a professional at all.

    It's not surprising that a system as complex as Oracle is going to have security flaws. However, if you mistakenly believed that Oracle had created the perfect piece of software, may I suggest you stow it away in the closet next to your Abdominizer and set of stay-sharp steak knives.
  • "The word un-blow-upable is tossed around a lot these days but..."

    (BOOM)
  • they were just "bullshitting".

    (with Apologies to Elwood Blues)

    Seriously, though, IMNSHO they should get charged under the truth in advertising laws.

  • by SevenTowers (525361) on Wednesday January 16, 2002 @05:15PM (#2851010) Homepage
    "The Oracle database server itself runs on some sixty odd different operating systems," says Litchfield.
    First I have to say I'm impressed, I had no idea. Secondly, what are those 60 different operating systems? Does anybody have a list? BSD, Linux, Windows, sun, novell, QNX, MacOS in all their flavors.

    But what is the rest?
    • forgot OS/390 and VMS
    • Well, the most widely used is HPUX, the system is developed on SOLARIS as primary OS and there is an NT branch. Others are just ports. Usually the first ports are: HPUX, AIX, Linux. Of course you have to count in different versions of these OSes. I am not sure there is a port for MacOS or QNX. There, but basically any UNIX out there most likely has a port of the RDBMS.
      • Re:Operating systems (Score:5, Informative)

        by sql*kitten (1359) on Thursday January 17, 2002 @04:32AM (#2853326)
        Others are just ports.

        Well, yes and no. Oracle is developed in two layers, VOS or "Virtual Operating System" abstracts all the primitives like threads, pipes, file handling etc from the underlying OS, and Oracle itself, which is written to VOS APIs. So the core Oracle engineering team code for pure functionality, and the VOS teams keep their APIs in sync with each other on different platforms. If Oracle want to target a new OS or platform, they simply develop a VOS for it.

        I believe the Oracle engineers work on Suns, but they are targeting VOS, not Solaris directly.

        That's why you have to start the service before you can start the instance on NT. Win32 is sufficiently different from Unix-like systems to need an environment in place before starting Oracle, whereas Unix-like systems can just link the VOS into the main binary. It needs to work like this because Oracle is Oracle on any platform: once you log into SQL*Plus, it's exactly the same. Oracle is more complex than many operating systems; it provides its own scheduling, resource quotas (storage and CPU), IPC mechanisms (AQ, DBMS_PIPE, DBMS_ALERT, etc), programming languages (PL/SQL and Java) and a whole lot more. It is a platform in its own right.
    • First I have to say I'm impressed, I had no idea. Secondly, what are those 60 different operating systems? Does anybody have a list? BSD, Linux, Windows, sun, novell, QNX, MacOS in all their flavors.

      Yes, please allow me to list them for you:

      Windows NT 3.x
      Windows NT 4.x
      Windows 2K
      Windows XP
      Linux 1.0
      Linux 1.1
      Linux 1.2
      Linux 1.3
      Linux 1.4
      Linux 1.5
      Linux 1.6
      Linux 1.7
      Linux 1.8
      Linux 1.9
      Linux 2.0
      Linux 2.1
      Linux 2.2
      Linux 2.3
      Linux 2.4
      ...

      Do you see where I'm going with this?
  • Laws mentioned in the other article that would punish poorly secured software should target stuff like this, where software is advertised as absolutely secure. Whenever someone claims that open source software can be as insecure as commercial counterparts, they often forget that nobody says that open source is absolutely secure; often it's "we think it's secure, but we're not completely certain". Companies like Oracle and Microsoft instead try and advertise it as absolutely secure and give managers warm fuzzy feelings about software, to the point where they think they don't have to worry about it ever again.
  • irony (Score:3, Insightful)

    by trb (8509) on Wednesday January 16, 2002 @06:00PM (#2851337)
    From the SecurityFocus article:

    But Oracle chief security officer Mary Ann Davidson says the criticism is unfair. In an emailed response to Mullen's commentary, Davidson wrote that Oracle is giving the holes reported by Litchfield the "highest priority," but suggested that everything depends on what your definition of "unbreakable" is.

    Rather than representing a literal claim that Oracle's products are impregnable, the campaign "speaks to" fourteen independent security evaluations that Oracle's database server passed, Davidson wrote, and "represents Oracle's commitment to a secure product lifecycle for our entire product suite."

    So Oracle says it's fair that they assert that their software is unbreakable when it is not, but they say it's unfair when others criticize their misleading and errant claim. What's wrong with this picture?
  • 2 cents (Score:2, Informative)

    by f00zbll (526151)
    Ok, I read the article and here are my thoughts, as worthless as they are:

    revealed that a common programming error -- a buffer overflow -- was present in Oracle's application server, potentially allowing hackers to gain remote access to the system over the Internet.

    If the researcher is referring to Oracle 9i application server, it's really Orion Server. Since Orion is a pure Java implementation, the threat is pretty low. Regardless, the Orion developers will fix it. They're pretty quick about bug fixes.

    We can actually interject ourselves in between that communications process and run commands as SYSTEM on Windows NT or 2000. If it's running on a Unix system, we can run commands as the Oracle user remotely

    I'm not sure what this bug is referring to specifically, but it most likely is related to Oracle's GUI administration tool. If the user can run Unix commands, that doesn't necessarily mean a person can erase all the data. The suggested installation is to have the server run under the Oracle user. If ownership is root and the priv. is execute only, an instance would only be vulnerable to "kill -9". To erase the actual data, the cracker would have to log in to the instance and delete the data.

    I've done some crazy tests with sql server 6 and oracle 8i on low end hardware and I have to say oracle out performs sql server hands down. This is no excuse for Oracle though. They still need to back up that slogan with real blood.

  • Next thing you know, they are gonna be telling us that Windows XP isn't the most secure OS ever. Shocking!
  • Oracle's top security manager is quoted as saying that "unbreakable" doesn't really mean unbreakable, or something

    So let's see if I have all of these straight:

    • "War is peace." Okay, if you say so...
    • "Freedom is slavery." Ummm...I'm not sure about that one...
    • "Unbreakable isn't unbreakable." Man, you're tripping!

    By the time the revolution comes, there are gonna be so many Corporate Newspeak motherfuckers that we'll have to build a bigger wall to put them up against.

  • ..."unbreakable" doesn't really mean unbreakable, or something...
    Oracle said that 9i "is unbreakable". As President Clinton could easily tell you [pitt.edu], the key word here is 'is'.
  • by ortholattice (175065) on Wednesday January 16, 2002 @06:55PM (#2851572)
    How does PostgreSQL compare to Oracle? Is PostgreSQL more or less secure than Oracle? I don't know. I've never heard of a problem with it nor have I had one. Is PostgreSQL faster or slower than Oracle? I don't know, and apparently Oracle desperately doesn't want anyone to find out. From benchmarks that have had Oracle results deleted [jamesthornton.com] to benchmarks that someone (I wonder who?) has gotten the ISP to remove [angelfire.com] for "violation of our Terms of Service" (this used to be a benchmark), Oracle is very aggressive in preventing anyone from finding out how their database really performs. I wonder why? (However what might be another version of the second benchmark seems to have survived [angelfire.com] by carefully avoiding the mention of names of proprietary products.) All I know is that after trying to deal with the bloat of Oracle on a less-than-mainframe-class PC, PostgreSQL was a lean, mean breath of fresh air. Converting PL/SQL to PL/pgSQL was easy [postgresql.org], too.
  • $0 for a copy of PostgreSQL
    $2000 for a firewall
    $1000 for a thorough security consultation
    $7000 for beer & chicken wings

    I suppose posturing and unbelievable claims are what you can expect from a company whose CEO looks like The Rock.
  • by truesaer (135079) on Wednesday January 16, 2002 @09:18PM (#2852139) Homepage
    When I used to use Oracle it was unbreakable. The only people who had complete access were the DBA and some guy named Scott Tiger....
