Larry Ellison is setting himself up for a nasty fall by marketing Oracle as hack-proof
If people think that they are safe behind an impenetrable wall, they are not very likely to build up defenses beyond that point.
Well, maybe not all of us.
Larry Ellison, CEO of Oracle, recently revealed a phenomenal aspect of the Oracle architecture that is unique in the world: It is unbreakable! During his keynote address at Comdex, Ellison told the audience that they could "keep their Microsoft Outlook, and we will make it unbreakable; and unbreakable means you can't break it, and you can't break in."
The problem here is that I think Ellison actually believes it! In itself, there is really nothing wrong with that -- he can believe what he wants to believe. However, if others follow suit and start thinking the same way, there will be problems.
At the core of his presentation in Vegas was the power of Oracle 9i's cluster configuration. Though technically superficial and simplistic in its examples, the clustering overview and demonstration did indeed present some impressive capabilities in the product's handling of system fail over and database redundancy. Reportedly, Oracle 9i can now transparently handle enterprise-wide replication of database transactions without customers changing a single line of application code, and can seamlessly provide uninterrupted access to applications even when multiple servers fail and "smoke is pouring out of the box," as Ellison put it. If it actually does work the way it was described, I think the database doyen may have something to be proud of.
However, this "God Himself could not sink this ship" marketing fluff is just too much.
It's not even as though Ellison blurted out "unbreakable" in the heat of the address: Oracle's entire marketing theme revolves around the Unbreakable premise. I wouldn't be surprised if they tried to put a ™ behind the word. I can understand the want to keep or even increase its approximately 34% share of an eight billion dollar market, but it should not come at the expense of Oracle's credibility. It is almost as if they are trying to over-compensate for the loss of at least three key executives that have left the company in recent months; the latest being Jay Nussbaum, the executive VP of service industries, who left just last week after ten years with the company.
This "pelotas grandes" marketing attitude may make some quick sales, but it is a classic example of Executive Management writing checks that Product Development has to cash-- and that is not good business in the long run. It is also a bad idea to create an environment where one's customers become targets just for spite.
I'm not so hung up on "can't break it" as I am on "can't break in." If code is running on a computer, it can be broken into. Touting a hack-proof piece of commercial software is simply foolish.
The very same day that Ellison boasted that no one could break into Oracle, David Litchfield of NGSSoftware found several exploitable vulnerabilities in the Oracle 9i Application Server. Ironic, huh? During an impromptu gathering at the recent Blackhat Security Briefings in Amsterdam, I watched him exploit 9iAS to remotely create an administrative user on the server. I also saw examples of unchecked buffers where overflows could be used to run other arbitrary code on the box. By the end of the demonstration, he covered four exploits against 9iAS that could allow an attacker to gain remote root.
The question is not if you can break in -- it is how one will choose to do so.
Of course, Mr. Litchfield advised Oracle of these issues, and the company is currently working to patch the problems. He says he will not release details of the vulnerabilities until Oracle has had a chance to fix them and publish an official patch, which should be sometime in the very near future.
I tried to check Oracle's Technet site to see if they had any information available on the patches, but the Web site was down for part of the weekend. So, maybe Oracle has figured out how to make something "unbreakable"-- make it "unreachable."
Interacting with systems as if they are truly unbreakable takes away from security-in-depth, and that is really what I am worried about in all of this.
If people think that they are safe behind an impenetrable wall, they are not very likely to build up defenses beyond that point. Break through the wall, or simply go around it, and you have free reign of the castle grounds. When you break into 9iAS, you not only own it, you own everything that it is protecting. Furthermore, the implications of owning a box that is trusted by all the replication partners or clusters in the enterprise are far reaching.
If you want to move your mail to a database server or deploy applications on redundant clusters, then go for it -- but do so with your eyes open and employ different layers of security along the way. Don't put all of your bits in one basket... Because when the feces hits the oscillator and you find out exactly what really can be broken, you might also find your employment contract included in the list.