Oracle Breakable After All

Billy writes "Unless you've been living in a cave, you've seen Oracle's Unbreakable campaign (Can't break it. Can't break in.), which was kicked-off by Larry Ellison personally at Comdex last November. Now U.K. security researcher David Litchfield says you can break in, thanks to at least seven different security holes in Oracle 9i, according to this SecurityFocus story. Oracle's top security manager is quoted as saying that "unbreakable" doesn't really mean unbreakable, or something."
  • by TRoLLaXoR ( 181585 ) <trollaxor@trollaxor.com> on Wednesday January 16, 2002 @05:31PM (#2850675) Homepage
    Who falls for such ludicrous, ridiculous claims? I can't imagine an IT guy taking any of Ellison's claims seriously. Maybe someone that went to DeVry...

    We're waiting on moving to 9i. No, wait, we're not even waiting. We just moved to 8i last year and there's no reason to move to 9i for us now, no matter how "unbreakable" or not 9i is.

    Happily, though, these holes will get plugged and when we *do* move to 9i, it might be closer to being *giggle* unbreakable.
  • by Hooya ( 518216 ) on Wednesday January 16, 2002 @05:37PM (#2850726) Homepage
    at the risk of getting my karma burned... mod this up!! one of the things i've found on slashdot is that it doesn't pay to offer up a different viewpoint. i have no complaints about rejected stories that i submitted since they were crappy to begin with. on the other hand, i've noticed that when others post some pretty clever things but not necessarily affirming the /. mentality, they've been modded down.

    MS is evil!! -- my cheap shot at karmafying myself...

  • by Quazion ( 237706 ) on Wednesday January 16, 2002 @05:43PM (#2850773) Homepage
    Didn't they start this campaign to get 'hacked'? so they could close some more holes they couldn't find themselves?

    Now i wonder, it worked, they already found 7!

    Quazion.
  • by Mark of THE CITY ( 97325 ) on Wednesday January 16, 2002 @05:43PM (#2850774) Journal
    By essentially daring people to find holes, Oracle gets QA for the cost of embarrassment, which I suspect for L.E. is about one cent.
  • by anon757 ( 265661 ) on Wednesday January 16, 2002 @05:48PM (#2850817)
    After doing my duty and modding this up... I would like to see a story on this. Let the community discuss moderation & see if there are better ideas than are currently in place.
  • by ngoy ( 551435 ) on Wednesday January 16, 2002 @05:57PM (#2850884)
    After reading the article, it struck me as funny how things never change. There are tons of PHBs out there buying up any big flashy ad in their free (if you fill out a free survey, otherwise pay $XXX a year) industry mags. I am a Windows user (yeah yeah) but at least I am not stupid enough to buy anything first from Microsoft until they come out with one service pack first. Of course, here at unnamed large x86 cpu company (my company contracts here), they have decided to move to Microsoft's tune within 90 days of them releasing a product. So we have people (not just IT people, HR people, finance people) etc... installing the wonderful IT "engineered" version of WinXP. (Don't get me started on how in the world they think they make Microsoft's stuff more stable through their "engineering".) That anyone would buy into Larry's BS is bizarre. But the PHBs are entirely ignorant of the real world and would gladly believe that Windows XP is crashproof and utterly stable if Bill told them so. I hope somebody has their Oracle9i system hacked and then sues Oracle for false advertising, amongst other things. --Shango
  • by grassy_knoll ( 412409 ) on Wednesday January 16, 2002 @06:06PM (#2850955) Homepage
    We all know there is a difference between the real world and what we see in meetings.

    I tend to think Larry put this challenge out to get free security testing from the community. The engineers knew his announcement would be heard as "I fart in your general direction" and geared up the patch writers accordingly.

    Yes, some sorry PHB will only remember the campaign, not the bugs. Yes, sales will increase. Perhaps that was the goal, not the free bug testing... but you can't ignore either benefit for Oracle.
  • by Harinath ( 26296 ) on Wednesday January 16, 2002 @06:08PM (#2850965) Homepage
    It does -- at least according to Alan Cox.

    The reasoning is that

    - Oracle has several "access control" features

    - Customers use those "access control" features to control copyrighted material

    - An Oracle exploit would then end up being a copyright control circumvention of some customer or the other
  • No matter what, you can be sure that contrary to M$, these holes will be worked on 24/7 and fixed like yesterday. :)

    As opposed to most of MS's exploits, which had patches out like 3 months before the exploit became widespread.
  • by Mr. Fred Smoothie ( 302446 ) on Wednesday January 16, 2002 @06:38PM (#2851204)
    Is it source-code-level certification? If so, then the value of the certification would seem extremely lame if they can't catch a buffer overflow.

    If it's "let's attack the binary and see if we can break it", that's potentially harder to catch something like this, but then again, how hard can it be to see if the binary links against the system C library at the known offsets of gets, fgets, sprintf, etc.

    What would be lamest of all is if the certification process goes something like, "What's your security engineering process? Oh, sounds secure to us."

  • by jgerman ( 106518 ) on Wednesday January 16, 2002 @06:47PM (#2851258)
    Ummm, if you are going to present findings based on statistics you need to post your methods and data. I could easily post a similar post that proves the opposite of your conclusions with no difficulty because you back nothing up. I'm not saying that you are right or wrong, but I'd like to see the data that you drew your conclusions from. But to address some of your points:


    > I have written both normal and troll posts, 1st posts, etc., both logged in and anonymously, and I have found these rather shocking results:

    Statistics based only on your posts are definitely not enough. For starters, maybe you experienced more modding down because you don't post anything interesting, even when you mean to. Your assumption that there are concrete objective categories for modding is without merit. The distinction between troll and normal posts is a judgment call, if it were not the moderation system would not be needed.



    > even when it's not a particularly interesting or clever post [slashdot.org]. There are a LOT more +5 posts than +3 or +4.


    Again, this is a judgement call, apparently it was interesting to enough people to get it modded up.



    > Digging deep into the history of slashdot, I found this poll [slashdot.org], which clearly indicates the vast majority does NOT want the moderation we have here today. 'nuff said.


    I didn't even bother to check the results of this poll; anyone who points to a web poll as statistical evidence should have all of his conclusions immediately called into question, even if they appear to be solid, which yours do not. Trying to prove anything by an easily stuffable poll is ridiculous. But for argument's sake let's say that each vote represents the opinion of one and only one person. Still the poll's accuracy is highly questionable. In fact if I were to predict the outcome of such a poll ahead of time I would have guessed that the greatest number would vote against the moderation system. Why? Because those that post anonymously or have nothing to say would have more reason to vote (negatively) since they are the ones constantly being modded down.


    Of course as off topic as your post and my resultant response (damn I'll take two karma hits in one day) were I do commend you for trying.


    As one final thought let me leave you with this, I disagree with the action of modding (not the fact that it exists) for the most part. But you need to remember that most likely the majority of the readers of slashdot are the young and the internet, that's a natural result of popularity and a sure reason to expect the lowest common denominator.

  • by csbruce ( 39509 ) on Wednesday January 16, 2002 @06:50PM (#2851281)
    No, the issue is not with the 50-point cap, it's that you post a message that people mod up to say 5, and then some other people come along later and mod it down to 3. Through no fault of your own, if you were at 50 before, you're now at 48, even though your message is still modded up one point. It's the fault of the over-eager early moderators, something quite beyond your control. This has happened to me at least five times (though to 49). Rather than applying the mods individually, the net mod should be computed on a per-message basis.
  • by Anonymous Coward on Wednesday January 16, 2002 @06:52PM (#2851293)
    Speaking as someone who gets to moderate quite frequently lately (hence, posting anonymously now).


    > The last few months I have been doing some research into the trolling phenomenon
    It would have been good to provide some specifics (how many posts, of which type, etc.)


    > More moderator points are being used to mod posts down than up.
    That's because it's a lot easier and quicker to spot trolls, firsts posts, links to goatse and assorted other crap, so more of them will get moderated. No big surprise there. Time may be a factor (see below)

    >Furthermore, when modding a post up, every moderator seems to follow previous moderators in their choices
    That's an interesting one, probably a case of (unconscious?) karma whoring on the part of moderators. This may be an area where tweaking with the point system may prevent this herd mentality, so I hope Taco or whomever is reading this thread.

    > Logged in people are modded down faster than anonymous cowards.
    I don't think there's any conspiracy against ACs or individual posters. This probably happens because moderators often may browse at 1 instead of -1, instructions to the contrary notwithstanding. That means you won't see the ACs at all; no conspiracy theory necessary to explain this, just that the moderator can't or won't browse at 0 or -1.

    For some reason my turn to moderate has come up an unusually large number of times in the past two months or so. I tend to do moderation at work but not during work hours (first thing in the morning, or in the late afternoon). If I happen to be having a busy day at work (which is most of the time) I may decide to browse at a higher level to be done more quickly, on the theory that it's better to do some moderation than none at all.

    For the same reason (lack of time, the mod points about to expire, etc.) it takes a lot less time to moderate down a first post, troll, etc. than to wade through 300+ messages looking for some good ones. So if you're busy (or tired of reading junk) it's the most expedient thing to do.


    >Once you have a karma of -4 or -5, your posts have a score of -1 by default. When this is the case, no-one bothers to mod you down anymore
    See above.


    >A lot of the modded down posts are actually quite clever
    Meta-moderation is supposed to help on this, but the feedback loop probably takes too long and furthermore you are right that overall there tend to be clear biases in the Slashdot population.

    That's not an argument for not having a moderation system, though.

    Rather, I think that the moderation system should perhaps distinguish moderations done to opposing or unpopular viewpoints (the odd pro-MS or anti-Linux post that's not a flamebait), and up the rewards for the moderators who do them.

    So, of the two things I agree with you, they could be translated into proposals such as:
    • Re: the herd mentality. If a post receives multiple "up" moderations and later gets meta-moderated favorably, the bonus karma is to be divided amongst the moderators in question. What seems to be happening now is that they all get 1 point, and what I propose is that they all get 1 / N points.
    • Encourage diversity of viewpoints by adding another category: "good contrarian argument", or some such. If favorably meta-moderated, give an extra karma bonus to the moderator(s) in question.


    One interesting (encouraging?) thing is that your message got modded up. Good thing, IMHO.
  • by ArnoldYabenson ( 551283 ) on Wednesday January 16, 2002 @07:15PM (#2851388) Homepage
    While online polls in general are not to be trusted, and even a poll that prevents stuffing by requiring login reflects a self-selecting sample, the fact that /. had such a poll is a nod toward democracy that lacks any follow-through. If the results were anti-moderation, obviously some further investigation and discussion is called for.

    Whenever a new version of Slashcode is made available, there are lots of suggestions for ways to improve moderation options, but I don't recall ever seeing any substantive discussion of the topic with participation of the real powers behind /.

    In short, the poll does not have to be accurate to be significant. What it signifies is subject to interpretation.

  • by GeekLife.com ( 84577 ) on Wednesday January 16, 2002 @07:34PM (#2851466) Homepage
    The unique thing about software is that it is infinitely clonable. Once you've written a subroutine, you can call it as often as you want. This means that almost everything we do as software developers is something that has never been done before. This is very different than what construction workers do. Herman the Handyman, who just installed a tile floor for me, has probably installed hundreds of tile floors. He has to keep installing tile floors again and again as long as new tile floors are needed. We in the software industry would have long since written a Tile Floor Template Library (TFTL) and generating new tile floors would be trivial.

    from http://www.joelonsoftware.com/news/fog0000000337.html [joelonsoftware.com]
  • by fishbowl ( 7759 ) on Wednesday January 16, 2002 @08:45PM (#2851820)
    > "We try harder." [Avis Car Rental] - Harder than what? Yesterday?

    You're too young, no doubt, to remember the Slogan Wars between Avis and Hertz of the early 60's.

    In those days, it was considered taboo for an advertiser to directly mention the competitor's product when making comparisons. In fact, it was quite a shock when, in the mid 1970's we started seeing TV commercials where one brand explicitly stated that their product was better than a specific competitor's product. It's pretty common now, but you never saw it back in the day.

    Anyway, some consumer survey gave Hertz marketroids the idea that they were the #1 car rental company (in an unbound domain, with unspecified terms, naturally). Hertz went to town with this "fact." Worthy of note, the Hertz sign atop the infamous Texas School Book Depository building.

    Avis countered Hertz with their own ingenious slogan, in various flavors: "We're #2, but we try harder."

    At the same time, they made yet another marketing innovation -- they designed all their ads so that they could be distinguished at a distance of 40 feet. Thank Helmut Krone for that.
  • by Fitascious ( 127984 ) on Thursday January 17, 2002 @01:17AM (#2852776) Homepage Journal
    This whole -1 thing is screwed. I worked at Andover.net (now OSDN) back in January and February of 2000. I was a contractor brought on board to help build the Slashdot cage at Exodus; in fact I wrote my name with a magic marker on the bottom of the Quad Xeon VALinux box that probably still runs the main Mysql DB. At the time I thought it was pretty cool to be involved with the whole open source scene...

    You know what I learned? I learned that most of the "Famous" and "Big Names" in the linux scene are attention starved name dropping weenies.

    It was after my assignment at Andover.net ended that I realized the whole Open Source movement is over. Done with. There are way too many people with way too much ego. All of the linux people in charge of the project were too busy stroking their egos and counting their stock options.

    I thank CmdrTaco and all the rest for a good 2 or 3 years of entertaining reading, but times have changed, there is no energy left here. Time to move on; Open source has been assimilated by Corporate Practices. I sincerely feel that all that was good about Slashdot, and to an extent the Linux phenomenon, is over. This Thread just ended any hope I had left. Time to bring on the next fad.
  • by warez_d00d ( 122900 ) on Thursday January 17, 2002 @12:42PM (#2854980) Homepage
    Well said. Instead the editors seem to have decided to mod -1 the entire thread.
    Go fuck yourself, micheal!
  • by pmc ( 40532 ) on Thursday January 17, 2002 @03:34PM (#2856721) Homepage
    Ah - more karma to burn. Do I care? Not really.

    Anyway, much to my surprise, the moderation is not robomoderation. Some human being is, almost unbelievably, doing these by hand. What a sad person - hi there Mr Sad! (waves).

    The question that we should be asking is "Who is Mr Sad?".

    For the first time in my life I understand the trolls.
  • by Anonymous Coward on Thursday January 17, 2002 @04:16PM (#2857100)
    > Some human being is, almost unbelievably, doing these by hand. What a sad person - hi there Mr Sad! (waves).

    Mr. Sad's name is Jamie McCarthy, and he calls modslapping threads "grunt work" in this post:

    http://slashdot.org/comments.pl?sid=24252&cid=2641410 [slashdot.org]

    > For the first time in my life I understand the trolls.

    Welcome to our frustrated, pissed off, disenfranchised little world [n3.net]. We can teach you more about Slashcode and how the system really works than anyone else; but at a price. Prepare to be bitchslapped, modslapped, IP banned, $rtbl'd, and lose all your moderation privileges. We offer knowledge at a cost.

    Blue or red?
  • by canadian troll ( 527342 ) on Thursday January 17, 2002 @11:57PM (#2860018) Homepage Journal
    This whole place is fucked, i remember when a link was posted with some Xbox pics, i posted a jap site with way better pics... i got modded down. Somebody had problems syncing a palm to windows XP, i offered solutions to the problems... i got modded down. This is shite!
    Just because my name is canadian troll, doesn't mean that everything i say is a troll.

  • Oracle's software (Score:0, Interesting) by Anonymous Coward on Friday January 18, 2002 @12:06AM (#2860052)
    I don't believe that Oracle's software is necessarily immune to bugs. The advertising does make it sound like that, but no software can ever be completely error free. The very fact that security problems with Oracle make news indicates that it must be pretty good. Also think about the sheer number of people using Oracle's products. The more people use a product the more likely it is for problems to be found. Oracle perhaps is not mistaken in saying that their database is reliable. The mistake is of course saying that the system is completely secure. As stated many times before there is no such thing as absolute security.
  • by chanio ( 321367 ) on Friday January 18, 2002 @09:16AM (#2861478) Homepage
    Sorry if I am not good at understanding the whole context of English speaking. I enjoy just what I can understand. But I guess that intolerance and expectation of perfection are the common things that are leading these times to this flat black&white world. Everybody is afraid of getting their intentions of starting flying misinterpreted. So it is easier to follow the cattle and risk less. I propose to increase opinions, to be able to ask for votes to change things. Technical improvements must follow social ones.
    Emperor Marcus Aurelius once said: "If you can't change people, you must endure them..." It is very easy to destroy what others build without the compromise of proposing something new in exchange. Less ideals and more actions! (if I break something it is fair to break something inside myself at the same time) Things must be hard for everyone during these days, aren't they?
  • by Faux_Pseudo ( 141152 ) <Faux@Pseudo.gmail@com> on Saturday January 19, 2002 @05:51AM (#2867579)
    Was I the only person who thought of the repercussions of the meta-moderation?
    Imagine lots and lots of users with the ability to kill someone's chances of moderating with a fair/unfair ruling. I would not be surprised to see that meta-moderation was suspended till this thread is archived.
  • by mojo-raisin ( 223411 ) on Saturday January 19, 2002 @06:29AM (#2867639)
    no. My comment is quite "insightful." no?

    But seriously, there are *many* stories where it seems 50% of the comments are funny comments of this variety [slashdot.org] - not to pick on this particular poster, but it was immediately accessible and very indicative of the typical "funny" comment - ones that require the poster to be steeped in at least 3 hours of sitcom humor a day. It is very typical of the sitcom humor breed and detracts from the overall interest of /.
  • by BSD is dying ( 540007 ) on Saturday January 19, 2002 @05:15PM (#2869583) Homepage Journal
    If you disagree with the moderation in this thread, please take up posting in this discussion [slashdot.org] as a protest of what's going on here. I hope there are enough people who care to get that discussion among Slashdot's most active ones. That's on the page to create a discussion if you don't know.

    Sorry if it seems like I'm spamming this, but it needs to be done if the editors are going to wake up and conclude that what they did to this thread was wrong.
