Oracle Breakable After All
Billy writes "Unless you've been living in a cave, you've seen Oracle's Unbreakable campaign (Can't break it. Can't break in.), which was kicked off by Larry Ellison personally at Comdex last November. Now U.K. security researcher David Litchfield says you can break in, thanks to at least seven different security holes in Oracle 9i, according to this SecurityFocus story. Oracle's top security manager is quoted as saying that "unbreakable" doesn't really mean unbreakable, or something."
Would this qualify under (Score:3, Insightful)
Security Myth (Score:2, Insightful)
Nate Tobik
A Definition (Score:0, Insightful)
adj.
1. Impossible to break; able to withstand rough usage.
2. Able to withstand an attempt to break.
I dunno. That definition seems to contradict what's happened here.. =D
I'd like to know... (Score:3, Insightful)
I guess another question would be, while Oracle is by no means a small company, if the company name started with an M and ended with 'icrosoft' would we be demanding more information?
Correction! (Score:0, Insightful)
Not true. Some Slashdot Janitors and Crack-addicted Mods have modded down posts of mine that were posted with a default '-1'. Jamie was made aware of this according to these [slashdot.org] journal entries [slashdot.org]. Don't even get us started on unlimited editor mod points and the Janitors that abuse those rights.
does anyone actually expose the DB to the world? (Score:2, Insightful)
Re:does anyone actually expose the DB to the world (Score:4, Insightful)
The fact that defense in depth is a good idea does not justify allowing one of the layers to be weak. The defenses at every level should be as strong as possible, and that ideally means a bug-free app server and a bug-free database.
Wow, someone actually agrees... (Score:0, Insightful)
Negative moderation has got to stop. It only hurts the forums and does absolutely nothing to encourage intelligent posting. If anything, it only encourages more trolling as trolls giggle with delight when some jackass gives them a negative score.
Change the system.
Nobody bothered to read the challenge... (Score:5, Insightful)
The only thing that this researcher proved is that in certain environments you can break into the system, which basically holds true for every system.
No matter what, you can be sure that contrary to M$, these holes will be worked on 24/7 and fixed like yesterday. :)
Anyway, enjoy your uninformed, senseless bashing and flaming... trolls.
Marketing at work, that's all. (Score:3, Insightful)
The only real losers in this, other than organizations whose Oracle databases were victimized by a security flaw, were the corporate purchasers who were sold on the hype. They'll have to live with the fact that their DBMS isn't "unbreakable." Honestly, though, there are relatively few of those (none I can think of that are well-publicized, at least), as they are usually run on well locked-down *nix boxes.
It's not anything new. It's just aggressive advertising. Some might argue that it's false advertising, but that's probably being a bit harsh. It's more like...overly boastful advertising.
Re:The first Slashdot troll post investigation (Score:0, Insightful)
Offtopic, I guess so, but anyone could point out hundreds of (+5) comments on slashdot that are offtopic, but get (+5) because they bash Micro$haft.
In the post's favour, it is very interesting and well written.
Quote the Security Manager? (Score:4, Insightful)
HIS boss is still the boss, wtf is he supposed to say?
It was a marketing ploy (Score:3, Insightful)
It's not surprising that a system as complex as Oracle is going to have security flaws. However, if you mistakenly believed that Oracle had created the perfect piece of software, may I suggest you stow it away in the closet next to your Abdominizer and set of stay-sharp-steak-knives.
Re:Nobody bothered to read the challenge... (Score:3, Insightful)
To paraphrase an old koan: (Score:4, Insightful)
Another software company said to the public, "Our product is not unbreakable." And the public replied, "You're right, you are not unbreakable."
Re:Weinberg's law of programming; (Score:2, Insightful)
Here's a more optimistic quote:
Give us time. Meanwhile, be very wary of trusting anything important to software.
Re:The first Slashdot troll post investigation (Score:0, Insightful)
Which, in the current light of this thread, is quite ironic. And humorous.
Liability (Score:4, Insightful)
The more I've thought about this, the more likely it seems. And a key aspect to this is that my OS vendor, SuSE, and ilk (Red Hat, Mandrake, etc) would be nailed just as much as MS, except with less money in the bank, they would be killed much more swiftly. Now, two of those are outside of the USA, so it's not a direct correlation, but there are some serious ramifications to software liability that occur in as reactive a society as we have today.
Certainly this announcement would instantly have a dozen law firms seeking people running Oracle to launch a multi-billion dollar suit of some flavor. And while certainly not "unbreakable", and (IMO) a bit overpriced, Oracle being available is a Good Thing. Of course they have holes. I'm equally sure that they will likely address them quickly (Quickly being relative to the company involved). Introducing *sane* liability (at least in America) is going to be very difficult in a society that is making it nigh impossible to be a medical doctor, and is driving up medical costs due to the extensive CYA documentation (videotapes, extensive reports, etc) now required by industry insurance.
--
Evan "I'm pretty sure this is ontopic" E.
irony (Score:3, Insightful)
Buffer Overflows Myth (Score:4, Insightful)
> middle-school hacker. This is elementary stuff.
> Doesn't anybody believe in putting limits on
> characters? This is simple to prevent.
This is pure bullshit. Are the programmers of Apache, IIS, Half-Life, Quake 3 Arena, Perl, SSHD, glibc, wu_ftpd, or BIND at the middle school level? Windows NT? How about the linux kernel? All have had buffer overflows, and I'll bet that many of them still do.
Unfortunately it is not always as simple as "putting limits on characters". The simple fact is that the C language is practically designed to make buffer overflow bugs easy to write and easy to exploit.
I agree with you that buffer overflows are serious, though. That's why I think it is ridiculous that we still write security-critical network software in C. Sometimes it is hard to get around, like in the linux kernel when you need to do hardware access (a microkernel architecture might make it easier to write certain parts in higher-level languages). You might argue that performance would be impacted (I don't think this is true, especially with network software where the network is the real bottleneck), but even this argument falls through for 99% of users, since most users are far from full utilization of their processor. However, almost all users *are* affected by security holes.
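The contrast this comment draws, as an added example in C that is not from any poster in this thread: a line reader of the kind that produces the overflows listed above beside a bounded one that also refuses, rather than silently truncates, an over-long line. The sample input is constructed, and LINE_MAX, the sample strings and the function names are assumptions.

```c
#include <string.h>
#define LINE_MAX 32  /* caller's buffer size, a hypothetical protocol limit */
/* Constructed sample input standing in for bytes read from a socket. */
static const char SAMPLE_OK[]   = "USER alice\r\nQUIT\r\n";
static const char SAMPLE_LONG[] = "USER aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n";
/* Vulnerable pattern: stops at '\n' but never at the end of `out`, so a line
 * longer than the caller's buffer is written past it. Shown for contrast only
 * and deliberately never called on the over-long sample. */
void read_line_unbounded(const char *in, char *out) {
    while (*in && *in != '\n') *out++ = *in++;
    *out = '\0';
}
/* Hardened: writes at most out_size bytes including the NUL, strips CRLF, and
 * reports an over-long line with -1 rather than silently truncating it (a
 * truncated command can mean something else). Returns bytes consumed. */
int read_line_bounded(const char *in, size_t in_len, char *out, size_t out_size) {
    size_t i = 0, n;
    if (out_size == 0) return -1;
    while (i < in_len && in[i] != '\n') {
        if (i + 1 >= out_size) { out[0] = '\0'; return -1; } /* keep room for NUL */
        out[i] = in[i];
        i++;
    }
    n = i;
    if (n > 0 && out[n - 1] == '\r') n--;
    out[n] = '\0';
    return i < in_len ? (int)(i + 1) : (int)i;   /* +1 swallows the '\n' */
}

/* Consumes a whole buffer line by line, as a server loop would. Returns the
 * number of complete lines accepted, or -1 at the first over-long line. */
int count_lines(const char *in, size_t in_len) {
    char line[LINE_MAX];
    int lines = 0;
    size_t off = 0;
    while (off < in_len) {
        int used = read_line_bounded(in + off, in_len - off, line, sizeof line);
        if (used < 0) return -1;
        off += (size_t)used;
        lines++;
    }
    return lines;
}
/* Returns 1 if the first line of `in` parses to exactly `expect`. */
int first_line_equals(const char *in, const char *expect) {
    char line[LINE_MAX];
    return read_line_bounded(in, strlen(in), line, sizeof line) > 0
        && strcmp(line, expect) == 0;
}
```

The bounded reader is the "limit on characters" the quoted poster asks for; what it does not give you is the compiler-enforced check that the next comment describes for Java, so every other copy in the program still has to get it right by hand.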
Re:Buffer Overflows Myth (Score:1, Insightful)
You can't make a buffer overflow in Java. Trying to overflow an array will simply throw an ArrayIndexOutOfBoundsException. In most other cases, memory is allocated as needed. It's perfectly safe, for instance, to read a line of text (as in many plain-text protocols, like HTTP, IRC, etc):
That code fragment reads everything that's received on a network socket, one line at a time, until the socket is closed. Note the absence of any opportunity for creating any buffer overflows...
Larry Ellison (Score:4, Insightful)
FUD like this "unbreakable" business just proves that he's cut from the same mold. What's truly sad is that our society selects people like Ellison and Gates as leaders because ruthlessness is a competitive advantage - and I mean "selects" in the evolutionary sense.
Oracle: the unbreakable national ID card. The whole idea gives me chills.
Re:Larry Ellison (Score:0, Insightful)
Unfortunately, when he says National-ID card, he means it.
Re:The first Slashdot troll post investigation (Score:0, Insightful)
Anyway, I found this article late, and that's why I'm posting here. I was thinking about the implications of the recent US ruling about liability of software makers for security vulnerabilities. I am to a degree in favor of this type of thing as I think we need a little better accountability, however I fear what it may mean, and this Oracle issue is sort of in the spotlight now with it. One can use pre/post conditions to their functions and one can then create a formal proof by dragging their post conditions across the code and see how this relates to the pre conditions. Similarly, methods exist to prove that a loop will end given certain conditions (i.e. the pre conditions). But, there is a fundamental concept of computer science, the halting problem, that says you cannot use a computer to see if a program will run forever. Similarly I fear issues exist in proving that one piece of source both runs properly and is secure. Plus, a major issue of computer security is how computer software is used. This anticipation is discussed in this paper [counterpane.com] which I read recently and seems to have more interest given the recent changes in attitude towards security.