Oracle Breakable After All

Billy writes "Unless you've been living in a cave, you've seen Oracle's Unbreakable campaign (Can't break it. Can't break in.), which was kicked-off by Larry Ellison personally at Comdex last November. Now U.K. security researcher David Litchfield says you can break in, thanks to at least seven different security holes in Oracle 9i, according to this SecurityFocus story. Oracle's top security manager is quoted as saying that "unbreakable" doesn't really mean unbreakable, or something."
  • by ViceClown ( 39698 ) on Wednesday January 16, 2002 @05:33PM (#2850688) Homepage Journal
  • Security Myth (Score:2, Insightful)

    by Partisan01 ( 547933 ) on Wednesday January 16, 2002 @05:36PM (#2850712) Homepage
    I think the flaw here was that Oracle claimed that no one can break into their software. There's always going to be a way to get into software. It just might take a while. Unless some security team audited every single line of code over and over, which I can't imagine given the size of the software, there are going to be some holes. To make a truly secure piece of software some performance is risked. From what I know of Oracle they pride themselves on performance. So my money says that they took care of the big holes, and missed a few of the smaller, harder-to-exploit holes.

    Nate Tobik
  • A Definition (Score:0, Insightful)

    by timdorr ( 213400 ) on Wednesday January 16, 2002 @05:36PM (#2850718) Homepage
    unbreakable
    adj.

    1. Impossible to break; able to withstand rough usage.
    2. Able to withstand an attempt to break.

    I dunno. That definition seems to contradict what's happened here.. =D
  • by Sawbones ( 176430 ) on Wednesday January 16, 2002 @05:38PM (#2850731)
    Given the many discussions on /. of late re: full disclosure of security holes, partial disclosure, disclosure to the company only, etc. - what does the crowd here think of the way these exploits have been handled? The story says that Litchfield has commented publicly and explicitly on the nature of one of the holes that already has a patch available, but that he's holding close the holes that have patches still under development.

    I guess another question would be, while Oracle is by no means a small company, if the company name started with an M and ended with 'icrosoft' would we be demanding more information?
  • Correction! (Score:0, Insightful)

    by The Turd Report ( 527733 ) <the_turd_report@hotmail.com> on Wednesday January 16, 2002 @05:42PM (#2850762) Homepage Journal
    Once you have a karma of -4 or -5, your posts have a score of -1 by default. When this is the case, no-one bothers to mod you down anymore.

    Not true. Some Slashdot Janitors and Crack-addicted Mods have modded down posts of mine that were posted with a default '-1'. Jamie was made aware of this according to these [slashdot.org] journal entries [slashdot.org]. Don't even get us started on unlimited editor mod points and the Janitors that abuse those rights.

  • by zzzeek ( 43830 ) on Wednesday January 16, 2002 @05:46PM (#2850795)
    Had an argument about this a while back... the database listener services are not usually trusted as a secure thing for the outside world in my somewhat limited experience; there is always some kind of application layer as the public interface to these things (these days the outside world's interface is often HTTP based), particularly for services accessed over a WAN. How many people out there have Oracle listening on an open port on the internet?
  • by The Man ( 684 ) on Wednesday January 16, 2002 @05:52PM (#2850845) Homepage
    Of course we would hope people would not expose the database to the world, but there are plenty of people who do. And more interestingly, the database is usually exposed to some internal networks (for example, a database for financials might sit well inside a firewall in the accounting department - on a corporate network). So there is still risk at least from people who can compromise firewalls, bypass poor security checks in applications, or from disgruntled employees.

    The fact that defense in depth is a good idea does not justify allowing one of the layers to be weak. The defenses at every level should be as strong as possible, and that ideally means a bug-free app server and a bug-free database.

  • by Lethyos ( 408045 ) on Wednesday January 16, 2002 @05:53PM (#2850856) Journal
    You mention how negative moderations are done more frequently than positive. Well, I certainly would like to observe that this is a bad thing [slashdot.org]. It seems that michael [slashdot.org] had to come in and shoot the notion down [slashdot.org]. Perhaps the editors realize that negative moderations are a bad idea and are too arrogant to change it? You'll notice that other news sites [kuro5hin.org] tend to follow the path of public, positive-only moderation. I guess that would be like giving in.

    Negative moderation has got to stop. It only hurts the forums and does absolutely nothing to encourage intelligent posting. If anything, it only encourages more trolling as trolls giggle with delight when some jackass gives them a negative score.

    Change the system.
  • by aralin ( 107264 ) on Wednesday January 16, 2002 @05:54PM (#2850861)
    Apparently nobody bothered to read the Oracle challenge. Oracle states that not the database itself, but the database in a certain environment, properly configured and secured within the environment, is unbreakable, which still is.

    The only thing that this researcher proved is that in certain environments you can break into the system, which basically holds true for every system.

    No matter what, you can be sure that contrary to M$, these holes will be worked on 24/7 and fixed like yesterday. :)

    Anyway, enjoy your uninformed, senseless bashing and flaming... trolls.

  • by mystery_bowler ( 472698 ) on Wednesday January 16, 2002 @05:55PM (#2850870) Homepage
    The reality of it is that most DBAs, programmers and database developers in the working world scoffed at the ad campaign the moment it began. Sure, Oracle has a great product, but we all knew it wasn't bulletproof, no matter how many awards for "best of class security" it supposedly won.

    The only real losers in this, other than organizations whose Oracle databases were victimized by a security flaw, were the corporate purchasers who were sold on the hype. They'll have to live with the fact that their DBMS isn't "unbreakable." Honestly, though, there are relatively few of those (none I can think of that are well-publicized, at least), as they are usually run on well locked-down *nix boxes.

    It's not anything new. It's just aggressive advertising. Some might argue that it's false advertising, but that's probably being a bit harsh. It's more like... overly boastful advertising.

  • by Anonymous Coward on Wednesday January 16, 2002 @05:58PM (#2850895)
    Can you quantify what you mean?
    Offtopic, I guess so, but anyone could point out hundreds of (+5) comments on slashdot that are offtopic, but get (+5) because they bash Micro$haft.
    In the post's favour, it is very interesting and well written.
  • by Havokmon ( 89874 ) <rick.havokmon@com> on Wednesday January 16, 2002 @06:01PM (#2850916) Homepage Journal
    As if ANYONE on this site hasn't ever had to explain something that some moron ^H^H^H^H^H^H manager said could or couldn't be done..

    HIS boss is still the boss, wtf is he supposed to say?
  • by nzhavok ( 254960 ) on Wednesday January 16, 2002 @06:05PM (#2850938) Homepage
    It was a marketing ploy, and any professional administrator who looked at it and said "wow, unbreakable, let's buy it" probably wasn't a professional at all.

    It's not surprising that a system as complex as Oracle is going to have security flaws. However, if you mistakenly believed that Oracle had created the perfect piece of software, may I suggest you stow it away in the closet next to your Abdominizer and set of stay-sharp steak knives.
  • by dgoodman ( 51656 ) on Wednesday January 16, 2002 @06:16PM (#2851015) Homepage
    And of course those certain environments and configurations would be:
    • Unplugged from any network
    • Unplugged from any power source
    Otherwise there will be some hole to exploit...one cannot expose features without also exposing some vulnerability (be it only social hacking)
  • by mblase ( 200735 ) on Wednesday January 16, 2002 @06:17PM (#2851019)
    A software company said to the public, "Our product is unbreakable." The public replied, "No, you are not unbreakable."

    Another software company said to the public, "Our product is not unbreakable." And the public replied, "You're right, you are not unbreakable."
  • by Mr. Slippery ( 47854 ) <.tms. .at. .infamous.net.> on Wednesday January 16, 2002 @06:35PM (#2851178) Homepage
    One word: Pyramids
    ...which were the end result of centuries of evolution in tomb design. The first pyramid to be built successfully is surrounded by ruins of decades of failed attempts.

    Here's a more optimistic quote:

    "Around computers it is difficult to find the correct unit of time to measure progress. Some cathedrals took a century to complete. Can you imagine the grandeur and scope of a program that would take as long?" -- Epigrams in Programming, ACM SIGPLAN Sept. 1982

    Give us time. Meanwhile, be very wary of trusting anything important to software.

  • by jeremy f ( 48588 ) on Wednesday January 16, 2002 @06:41PM (#2851224) Homepage
    I want this to be taken in zero offense whatsoever, but the fact that your post is currently at a +3 is testament to the inherent flaws of the /. moderation system.

    Which, in the current light of this thread, is quite ironic. And humorous.
  • Liability (Score:4, Insightful)

    by JabberWokky ( 19442 ) <slashdot.com@timewarp.org> on Wednesday January 16, 2002 @06:49PM (#2851274) Homepage Journal
    I brought up the topic of liability for software bugs with my Dad (he's a VP at one of the big banks). He replied that the current software companies would be "shot in the street". Now, I was confused until he explained: "Shot in the street" simply means that the public and government would turn on them so hard legally that they would be driven out of business. Sure, some people would have legitimate grounds for a lawsuit, but most would be pressing legal action for their "piece of the pie". The companies (we were discussing MS in particular) wouldn't even have the *option* of beefing up QA and addressing the issues.

    The more I've thought about this, the more likely it seems. And a key aspect to this is that my OS vendor, SuSE, and ilk (Red Hat, Mandrake, etc) would be nailed just as much as MS, except with less money in the bank, they would be killed much more swiftly. Now, two of those are outside of the USA, so it's not a direct correlation, but there are some serious ramifications to software liability that occur in as reactive a society as we have today.

    Certainly this announcement would instantly have a dozen law firms seeking people running Oracle to launch a multi-billion dollar suit of some flavor. And while certainly not "unbreakable", and (IMO) a bit overpriced, Oracle being available is a Good Thing. Of course they have holes. I'm equally sure that they will likely address them quickly (quickly being relative to the company involved). Introducing *sane* liability (at least in America) is going to be very difficult in a society that is making it nigh impossible to be a medical doctor, and is driving up medical costs due to the extensive CYA documentation (videotapes, extensive reports, etc.) now required by industry insurance.

    --
    Evan "I'm pretty sure this is ontopic" E.

  • irony (Score:3, Insightful)

    by trb ( 8509 ) on Wednesday January 16, 2002 @07:00PM (#2851337)
    From the SecurityFocus article:

    But Oracle chief security officer Mary Ann Davidson says the criticism is unfair. In an emailed response to Mullen's commentary, Davidson wrote that Oracle is giving the holes reported by Litchfield the "highest priority," but suggested that everything depends on what your definition of "unbreakable" is.

    Rather than representing a literal claim that Oracle's products are impregnable, the campaign "speaks to" fourteen independent security evaluations that Oracle's database server passed, Davidson wrote, and "represents Oracle's commitment to a secure product lifecycle for our entire product suite."

    So Oracle says it's fair that they assert that their software is unbreakable when it is not, but they say it's unfair when others criticize their misleading and errant claim. What's wrong with this picture?
  • by Tom7 ( 102298 ) on Wednesday January 16, 2002 @09:01PM (#2851880) Homepage Journal
    > Buffer overflow bugs can be prevented by a
    > middle-school hacker. This is elementary stuff.
    > Doesn't anybody believe in putting limits on
    > characters? This is simple to prevent.

    This is pure bullshit. Are the programmers of Apache, IIS, Half-Life, Quake 3 Arena, Perl, SSHD, glibc, wu_ftpd, or BIND at the middle school level? Windows NT? How about the linux kernel? All have had buffer overflows, and I'll bet that many of them still do.

    Unfortunately it is not always as simple as "putting limits on characters". The simple fact is that the C language is practically designed to make buffer overflow bugs easy to write and easy to exploit.

    I agree with you that buffer overflows are serious, though. That's why I think it is ridiculous that we still write security-critical network software in C. Sometimes it is hard to get around, like in the linux kernel when you need to do hardware access (a microkernel architecture might make it easier to write certain parts in higher-level languages). You might argue that performance would be impacted (I don't think this is true, especially with network software where the network is the real bottleneck), but even this argument falls through for 99% of users, since most users are far from full utilization of their processor. However, almost all users *are* affected by security holes.
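    Tom7's point that "putting limits on characters" is not as simple as it sounds, shown as an added C example that is not from this thread: the unbounded copy, the naive strncpy "fix" that applies a limit but stops terminating the string, and a bounded copy that terminates and reports truncation. NAME_MAX and the sample inputs are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* constructed buffer size for the example */
/* 'Before': no limit at all. Any src longer than NAME_MAX - 1 bytes writes
 * past the end of dst. Kept only for contrast; never called with long input here. */
void copy_unbounded(char dst[NAME_MAX], const char *src) {
    strcpy(dst, src);
}

/* The naive 'limit on characters'. strncpy stops after NAME_MAX bytes, so it
 * no longer writes past dst, but when src is NAME_MAX bytes or longer it writes
 * no terminating NUL. The next strlen() or printf("%s") on dst then reads past
 * the buffer: the overflow moved from the write to the read. */
void copy_strncpy(char dst[NAME_MAX], const char *src) {
    strncpy(dst, src, NAME_MAX);
}

/* Hardened: measure without reading past NAME_MAX bytes of src, always
 * terminate, and report truncation so the caller can reject the input. */
bool copy_bounded(char dst[NAME_MAX], const char *src) {
    size_t len = 0;
    while (len < NAME_MAX && src[len] != '\0')
        len++;
    bool fits = (len < NAME_MAX);
    if (!fits)
        len = NAME_MAX - 1;          /* keep room for the terminator */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return fits;                     /* false: input was truncated */
}

/* Is there a NUL within the first n bytes of buf? That is what "%s" relies on. */
bool is_terminated(const char *buf, size_t n) {
    return memchr(buf, '\0', n) != NULL;
}

/* Exercise the naive copy on one input and report whether dst came out terminated. */
bool strncpy_terminates(const char *src) {
    char dst[NAME_MAX];
    copy_strncpy(dst, src);
    return is_terminated(dst, NAME_MAX);
}

int main(void) {
    /* constructed input: 32 bytes, twice the buffer */
    const char *long_input = "this-name-is-longer-than-sixteen";
    char dst[NAME_MAX];
    printf("strncpy terminated: %s\n", strncpy_terminates(long_input) ? "yes" : "no");
    printf("bounded accepted:   %s\n", copy_bounded(dst, long_input) ? "yes" : "no");
    printf("bounded result:     \"%s\" (%zu bytes)\n", dst, strlen(dst));
    return 0;
}
```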
  • by Vulture_ ( 106594 ) <alex.aoi@dyndns@org> on Wednesday January 16, 2002 @10:37PM (#2852189)
    The solution to this problem is quite simple, really -- write it all in Java instead. That way, if there's a buffer overflow, it's your JVM vendor's fault. ;)

    You can't make a buffer overflow in Java. Trying to overflow an array will simply throw an ArrayIndexOutOfBoundsException. In most other cases, memory is allocated as needed. It's perfectly safe, for instance, to read a line of text (as in many plain-text protocols, like HTTP, IRC, etc):

    import java.io.*;
    import java.net.Socket;
    class LineReader {
        // Reads lines until the peer closes the socket; readLine() grows its buffer
        // as needed, so a long line cannot overrun a fixed-size array.
        static void readAll(Socket socket) throws IOException {
            BufferedReader reader = new BufferedReader(new InputStreamReader(socket.getInputStream()));
            for (String s = reader.readLine(); s != null; s = reader.readLine())
                System.out.println("Read from socket: " + s);
            System.out.println("Socket closed!");
        }
    }

    That code fragment reads everything that's received on a network socket, one line at a time, until the socket is closed. Note the absence of any opportunity for creating any buffer overflows...

  • Larry Ellison (Score:4, Insightful)

    by mwalker ( 66677 ) on Thursday January 17, 2002 @11:26AM (#2854387) Homepage
    Ellison to me is just a Bill Gates who never got the chance. He doesn't want Microsoft toppled as a monopoly because Microsoft is bad for consumers; he wants Microsoft toppled so he can treat consumers badly and profit from it. He's just a less successful version of Bill Gates in my mind.

    FUD like this "unbreakable" business just proves that he's cut from the same mold. What's truly sad is that our society selects people like Ellison and Gates as leaders because ruthlessness is a competitive advantage - and I mean "selects" in the evolutionary sense.

    Oracle: the unbreakable national ID card. The whole idea gives me chills.

  • Re:Larry Ellison (Score:0, Insightful)

    by pmc ( 40532 ) on Thursday January 17, 2002 @11:53AM (#2854570) Homepage
    Larry Ellison is a braggart and a blowhard. However, his words do contain a kernel of truth, and must be interpreted with moderation to get the true message. When he says "unbreakable" he means "less breakable". When he says "100 times faster" he means slightly faster.

    Unfortunately, when he says National-ID card, he means it.
  • by heliocentric ( 74613 ) on Friday January 18, 2002 @03:02AM (#2860621) Homepage Journal
    Ok, here's an ontopic (ie, to the /. article) post that just happens to be attached to the infamous OT post. If this comment gets mod'd offtopic by editors and not users then we can postulate that assuming a response to something deemed OT does not imply it (the response) is also OT and there is a flaw in the script that is hitting all comments here.

    Anyway, I found this article late, and that's why I'm posting here. I was thinking about the implications of the recent US ruling about liability of software makers for security vulnerabilities. I am to a degree in favor of this type of thing as I think we need a little better accountability, however I fear what it may mean, and this Oracle issue is sort of in the spotlight now with it. One can use pre/post conditions on their functions and one can then create a formal proof by dragging their post conditions across the code and see how this relates to the pre conditions. Similarly, methods exist to prove that a loop will end given certain conditions (ie the pre conditions). But, there is a fundamental concept of computer science, the halting problem, that says you can not use a computer to see if a program will run forever. Similarly I fear issues exist in proving that one piece of source both runs properly and is secure. Plus, a major issue of computer security is how computer software is used. This anticipation is discussed in this paper [counterpane.com] which I read recently and seems to have more interest given the recent changes in attitude towards security.
