Digg this story   Add to del.icio.us  
Memo to Oracle: Nothing is 'Unbreakable'
Tim Mullen, 2001-12-10

Larry Ellison is setting himself up for a nasty fall by marketing Oracle as hack-proof

I'm not sure why, but I always seem to find myself in ironic situations. When I was enrolled in a CPR course as a teenager, our instructor had a heart attack just hours into the class. In college we started a small electrical fire while trying to disconnect a dorm room smoke detector. And not too long ago, I rented the movie "Unbreakable," but when I got home, the video tape was busted. I guess I should not be too surprised, as we all know that everything breaks at some point.

Well, maybe not all of us.

Larry Ellison, CEO of Oracle, recently revealed a phenomenal aspect of the Oracle architecture that is unique in the world: It is unbreakable! During his keynote address at Comdex, Ellison told the audience that they could "keep their Microsoft Outlook, and we will make it unbreakable; and unbreakable means you can't break it, and you can't break in."

The problem here is that I think Ellison actually believes it! In itself, there is really nothing wrong with that -- he can believe what he wants to believe. However, if others follow suit and start thinking the same way, there will be problems.

At the core of his presentation in Vegas was the power of Oracle 9i's cluster configuration. Though technically superficial and simplistic in its examples, the clustering overview and demonstration did indeed present some impressive capabilities in the product's handling of system fail over and database redundancy. Reportedly, Oracle 9i can now transparently handle enterprise-wide replication of database transactions without customers changing a single line of application code, and can seamlessly provide uninterrupted access to applications even when multiple servers fail and "smoke is pouring out of the box," as Ellison put it. If it actually does work the way it was described, I think the database doyen may have something to be proud of.

However, this "God Himself could not sink this ship" marketing fluff is just too much.

It's not even as though Ellison blurted out "unbreakable" in the heat of the address: Oracle's entire marketing theme revolves around the Unbreakable premise. I wouldn't be surprised if they tried to put a ™ behind the word. I can understand the want to keep or even increase its approximately 34% share of an eight billion dollar market, but it should not come at the expense of Oracle's credibility. It is almost as if they are trying to over-compensate for the loss of at least three key executives that have left the company in recent months; the latest being Jay Nussbaum, the executive VP of service industries, who left just last week after ten years with the company.

This "pelotas grandes" marketing attitude may make some quick sales, but it is a classic example of Executive Management writing checks that Product Development has to cash-- and that is not good business in the long run. It is also a bad idea to create an environment where one's customers become targets just for spite.

Breaking it Down
I'm not so hung up on "can't break it" as I am on "can't break in." If code is running on a computer, it can be broken into. Touting a hack-proof piece of commercial software is simply foolish.

The very same day that Ellison boasted that no one could break into Oracle, David Litchfield of NGSSoftware found several exploitable vulnerabilities in the Oracle 9i Application Server. Ironic, huh? During an impromptu gathering at the recent Blackhat Security Briefings in Amsterdam, I watched him exploit 9iAS to remotely create an administrative user on the server. I also saw examples of unchecked buffers where overflows could be used to run other arbitrary code on the box. By the end of the demonstration, he covered four exploits against 9iAS that could allow an attacker to gain remote root.

The question is not if you can break in -- it is how one will choose to do so.

Of course, Mr. Litchfield advised Oracle of these issues, and the company is currently working to patch the problems. He says he will not release details of the vulnerabilities until Oracle has had a chance to fix them and publish an official patch, which should be sometime in the very near future.

I tried to check Oracle's Technet site to see if they had any information available on the patches, but the Web site was down for part of the weekend. So, maybe Oracle has figured out how to make something "unbreakable"-- make it "unreachable."

Interacting with systems as if they are truly unbreakable takes away from security-in-depth, and that is really what I am worried about in all of this.

If people think that they are safe behind an impenetrable wall, they are not very likely to build up defenses beyond that point. Break through the wall, or simply go around it, and you have free reign of the castle grounds. When you break into 9iAS, you not only own it, you own everything that it is protecting. Furthermore, the implications of owning a box that is trusted by all the replication partners or clusters in the enterprise are far reaching.

If you want to move your mail to a database server or deploy applications on redundant clusters, then go for it -- but do so with your eyes open and employ different layers of security along the way. Don't put all of your bits in one basket... Because when the feces hits the oscillator and you find out exactly what really can be broken, you might also find your employment contract included in the list.

SecurityFocus columnist Timothy M. Mullen is Vice President of Consulting Services for NGSSoftware.
    Digg this story   Add to del.icio.us  
Comments Mode:
...and "anal retentive" has a hyphen when used as an adjective. 2001-12-11
Matthew X. Economou <xenophon@irtnog.org> (5 replies)
...and 2001-12-13
...and 2001-12-14
Anonymous (2 replies)
...and 2002-01-02
Earth Wolf
...and 2002-01-17
Read between the lines.... 2001-12-17
...and 2001-12-18
...and 2001-12-18
Lets hear it again, FUD~FUD~FUD 2001-12-14
Anonymous (2 replies)
Lets hear it again, FUD~FUD~FUD 2001-12-15
Rod Judy (2 replies)
FUD~I think so. 2001-12-17
The man has a point 2001-12-21
Lets hear it again, FUD~FUD~FUD 2001-12-15
Anonymous (3 replies)
FUD - Sounds fair and balanced. 2001-12-17
Anonymous (1 replies)
FUD - Sounds fair and balanced. 2002-01-18
That One Guy
This is FUD. 2001-12-20
This is FUD. 2001-12-20
OK where did he mention MS? 2001-12-21
Nothing is 'Unbreakable' HA!! 2001-12-21
Memo to Tim: "Shut up." 2001-12-22
Memo to Oracle: Nothing is 'Unbreakable' 2001-12-26
get a life... where did XP get into this? 2001-12-30
dim blimb (1 replies)
Zealots 2002-01-01
Pride 2002-01-03
Andrew Hurley
Memo to Oracle: KEEP IT UP 2002-01-16
What Oracle mean by 'Unbreakable' 2002-01-17
Did most of you read the article? 2002-01-20


Privacy Statement
Copyright 2010, SecurityFocus