Oracle Breakable After All

CmdrTaco posted more than 11 years ago | from the well-duh dept.

Billy writes "Unless you've been living in a cave, you've seen Oracle's Unbreakable campaign (Can't break it. Can't break in.), which was kicked-off by Larry Ellison personally at Comdex last November. Now U.K. security researcher David Litchfield says you can break in, thanks to at least seven different security holes in Oracle 9i, according to this SecurityFocus story. Oracle's top security manager is quoted as saying that "unbreakable" doesn't really mean unbreakable, or something."

878 comments

The first Slashdot troll post investigation (0, Flamebait)

negativekarmanow tm (518080) | more than 11 years ago | (#2850660)

The last few months I have been doing some research into the trolling phenomenon on slashdot.org. In order to do this as thoroughly as possible, I have written both normal and troll posts, 1st posts, etc., both logged in and anonymously, and I have found these rather shocking results:

  • More moderator points are being used to mod posts down than up. Furthermore, when modding a post up, every moderator seems to follow previous moderators in their choices, even when it's not a particularly interesting or clever post [slashdot.org] . There are a LOT more +5 posts than +3 or +4.
  • Logged in people are modded down faster than anonymous cowards. Presumably these Nazi Moderators think it's more important to burn a user's existing karma, to silence that individual for the future, than to use the moderation system for what it's meant for : identifying "good" and "bad" posts (Notice how nearly all oppressive governments in the past and present do the same thing : marking individuals as bad and untrustworthy because they have conflicting opinions, instead of engaging in a public discussion about these opinions)
  • Once you have a karma of -4 or -5, your posts have a score of -1 by default. When this is the case, no-one bothers to mod you down anymore. This means a logged in user can keep on trolling as much as he (or she) likes, without risking a ban to post on slashdot. When trolling as an anonymous user, every post starts at score 0, and you will be modded down to -1 ON EVERY POST. When you are modded down a certain number of times in 24 hours, you cannot post anymore from your current IP for a day or so. So, for successful trolling, ALWAYS log in.
  • A lot of the modded down posts are actually quite clever [slashdot.org] , funny [slashdot.org] , etc., and they are only modded down because they are offtopic. Now, on a news site like slashdot, where the number of different topics of discussion can be counted on 1 hand, I must say I quite like the distraction these posts offer. But no, when the topic is yet another minor version change of the Linux kernel [slashdot.org] , they only expect ooohs and aaahs about this great feat of engineering. Look at the moderation done in this thread [slashdot.org] to see what I mean.
  • Digging deep into the history of slashdot, I found this poll [slashdot.org] , which clearly indicates the vast majority does NOT want the moderation we have here today. 'nuff said.

Feel free to use this information to your advantage. I thank you for your time.

Re:The first Slashdot troll post investigation (0, Offtopic)

AnalogBoy (51094) | more than 11 years ago | (#2850723)

I just want to say.. Thank you.
I'm sure you'll be modded down as a troll, as /. doesn't like dissenters in the population. They try to keep you silent and impotent.

I firmly believe once a community reaches a certain size, it has certain duties to perform, to the truth, the absence of sensationalism, and most of all, equality.

Moderators: I have posted without my +1 bonus. This post is admittedly offtopic. Don't waste your moderation points on a reply. I suggest you use moderation points on parent posts. It's more economical. And remember - mod UP intelligent posts, mod DOWN klerckisms.

Do you want to finger me? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#2850834)

Tee-hee!

Re:Do you want to finger me? (0, Funny)

Anonymous Coward | more than 11 years ago | (#2850876)

Your ideas intrigue me and I wish to subscribe to your newsletter.

Re:The first Slashdot troll post investigation (0, Interesting)

Hooya (518216) | more than 11 years ago | (#2850726)

at the risk of getting my karma burned... mod this up!! one of the things i've found on slashdot is that it doesn't pay to offer up a different viewpoint. i have no complaints about rejected stories that i submitted since they were crappy to begin with. on the other hand, i've noticed that when others post some pretty clever things but not necessarily affirming the /. mentality, they've been modded down.

MS is evil!! -- my cheap shot at karmafying myself...

Re:The first Slashdot troll post investigation (-1, Offtopic)

susano_otter (123650) | more than 11 years ago | (#2850764)

You're new here, aren't you?

Hear, hear! (-1)

cyborg_monkey (150790) | more than 11 years ago | (#2850730)

werd up.

Re:The first Slashdot troll post investigation (-1, Offtopic)

Mr Thinly Sliced (73041) | more than 11 years ago | (#2850748)

I'm more than willing to burn the karma in the hope that some moderators MOD UP the parent post [slashdot.org] .

It's intelligent, factual, and above all interesting.

Mr Thinly Sliced

Re:The first Slashdot troll post investigation (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#2850816)

Not to mention over rated, troll, flamebait, and off topic...

Re:The first Slashdot troll post investigation (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#2850826)

And compared to some of the gibberish that pops up on here, a damn sight more interesting.

Re:The first Slashdot troll post investigation (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#2850842)

Yes, nothing like a troll to prove the parent correct.

Mod this UP.

Correction! (0, Insightful)

The Turd Report (527733) | more than 11 years ago | (#2850762)

Once you have a karma of -4 or -5, your posts have a score of -1 by default. When this is the case, no-one bothers to mod you down anymore.

Not true. Some Slashdot Janitors and Crack-addicted Mods have modded down posts of mine that were posted with a default '-1'. Jamie was made aware of this according to these [slashdot.org] journal entries [slashdot.org] . Don't even get us started on unlimited editor mod points and the Janitors that abuse those rights.

Re:The first Slashdot troll post investigation (0, Interesting)

anon757 (265661) | more than 11 years ago | (#2850817)

After doing my duty and modding this up... I would like to see a story on this. Let the community discuss moderation & see if there are better ideas than are currently in place.

Re:The first Slashdot troll post investigation (-1)

Tasty Beef Jerky (543576) | more than 11 years ago | (#2850841)

You better have modded it up using a different account, otherwise YAAD!

Re:The first Slashdot troll post investigation (-1, Offtopic)

checkyoulater (246565) | more than 11 years ago | (#2850843)

As I tried to return to this post from one of the links it was gone.

It was modded down.

Wow, someone actually agrees... (0, Insightful)

Lethyos (408045) | more than 11 years ago | (#2850856)

You mention how negative moderations are done more frequently than positive. Well, I certainly would like to observe that this is a bad thing [slashdot.org] . It seems that michael [slashdot.org] had to come in and shoot the notion down [slashdot.org] . Perhaps the editors realize that negative moderations are a bad idea and are too arrogant to change it? You'll notice that other news sites [kuro5hin.org] tend to follow the path of public, positive-only moderation. I guess that would be like giving in.

Negative moderation has got to stop. It only hurts the forums and does absolutely nothing to encourage intelligent posting. If anything, it only encourages more trolling as trolls giggle with delight when some jackass gives them a negative score.

Change the system.

Re:The first Slashdot troll post investigation (-1, Offtopic)

Mike Schiraldi (18296) | more than 11 years ago | (#2850869)

Very nice. Keep up the good work. I'm glad i spotted this post before it was modded down.

Please continue your research and keep us updated.

Re:The first Slashdot troll post investigation (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#2850873)

Moderation Totals: Offtopic=6, Troll=1, Insightful=4, Interesting=3, Informative=3, Total=17.

This post had better make it into meta moderation.

Re:The first Slashdot troll post investigation (0, Insightful)

Anonymous Coward | more than 11 years ago | (#2850895)

Can you quantify what you mean?
Offtopic, I guess so, but anyone could point out hundreds of (+5) comments on slashdot that are offtopic, but get (+5) because they bash Micro$haft.
In the post's favour, it is very interesting and well written.

Re:The first Slashdot troll post investigation (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#2850898)

And, like an idiot, just undid my 4 moderations to this article, including undoing my mod down of this post.

frost pist (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#2850663)

I'm back, and it hurts and stuff.

Re:frost pist (-1)

negativekarmanow tm (518080) | more than 11 years ago | (#2850677)

No, you lost. Now THAT will hurt

You mean to tell me... (0, Flamebait)

smaug195 (535681) | more than 11 years ago | (#2850664)

Larry Ellison is an egotistical ass? I am shocked!

Re:You mean to tell me... (1)

steve (1027) | more than 11 years ago | (#2850710)

Well anyone in this industry who even thinks of using words like "unbreakable" or "100%" is just asking to get beaten to death with a stick.

Re:You mean to tell me... (2, Funny)

Jburkholder (28127) | more than 11 years ago | (#2850747)

3 words..

White Star Line [prodigy.com]

Does seem to be tempting fate to say "unbreakable", doesn't it?

I haven't seen it! (2, Funny)

Anonymous Coward | more than 11 years ago | (#2850670)

Unless you've been living in a cave, you've seen Oracle's Unbreakable campaign

I guess I've been living in a cave.

Re:I haven't seen it! (0)

Anonymous Coward | more than 11 years ago | (#2850732)

I guess I've been living in a cave.

Osama's alive, and he's using Sybase.

Re:I haven't seen it! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#2850741)

Have you seen Osama in there?

Re:I haven't seen it! (1, Offtopic)

garcia (6573) | more than 11 years ago | (#2850766)

I haven't seen it either. Oracle hasn't seen it either b/c they are over their heads in bullshit.

Dear Cave Dweller: @# +1 ; Patriotic #@ (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#2850831)

You are obviously against us!

"Youth is not absolution for treachery"
-John Ashcroft, Attorney General of the United States

"Age is not obsolution for stupidity"
-AC, Slashdot

This Is Why People Wait (1, Interesting)

TRoLLaXoR (181585) | more than 11 years ago | (#2850675)

Who falls for such ludicrous, ridiculous claims? I can't imagine an IT guy taking any of Ellison's claims seriously. Maybe someone that went to DeVry...

We're waiting on moving to 9i. No, wait, we're not even waiting. We just moved to 8i last year and there's no reason to move to 9i for us now, no matter how "unbreakable" or not 9i is.

Happily, though, these holes will get plugged and when we *do* move to 9i, it might be closer to being *giggle* unbreakable.

But Oracle is changing the world (-1, Troll)

Anonymous Coward | more than 11 years ago | (#2850679)

Remember all their superbowl commercials.

Security is overrated. Now Style is what I want.

Well duh! (-1)

The Turd Report (527733) | more than 11 years ago | (#2850682)

Claiming that something is 'perfect' in some respect is a tell-tale sign that it isn't.

Reverse Psychology (3, Funny)

NiftyNews (537829) | more than 11 years ago | (#2850685)

Wouldn't it be great if the inverse also worked?

MS could just announce that "Our software code is like swiss cheese when it comes to security" and #POOF#, all the holes would be sealed for good.

Re:Reverse Psychology (0)

Anonymous Coward | more than 11 years ago | (#2850832)

MS could just announce that "Our software code is like swiss cheese when it comes to security" and #POOF#, all the holes would be sealed for good.

If MS ever said that it very well could come true, for two reasons.

1. No one would bother targeting Windows for security exploits. Why bother? There is no perceived challenge in it.

2. People would stop using it, at least where security is important. The number of Windows machines would go down, meaning even less exploitable machines and the trickle down effect starts there.

Re:Reverse Psychology (1)

jaavaaguru (261551) | more than 11 years ago | (#2850874)

Or that .NET is... um.... like a net?

Would this qualify under (3, Insightful)

ViceClown (39698) | more than 11 years ago | (#2850688)

Re:Would this qualify under (0)

Anonymous Coward | more than 11 years ago | (#2850714)

Nah, we already have a law that covers Ellison's egotistical remarks. It's called fraud. Not that he'll ever be prosecuted for it, but still...

Same as with the Titanic... (2, Funny)

quigonn (80360) | more than 11 years ago | (#2850692)

...unsinkable didn't mean unsinkable, after all...

Re:Same as with the Titanic... (0, Offtopic)

baronben (322394) | more than 11 years ago | (#2850844)

Wow, there are a whole lot of pissed off mods today. I'm all in favor of moderation, just look at all the -1 posts to see why, but when it gets abused like this, I can only wonder how many truly good posts have been modded down by moderators who think that the mere fact that they don't agree with someone's opinions makes that post a troll. Thank god for metamodding.

Unbreakable doesn't really mean unbreakable... (1, Funny)

Anonymous Coward | more than 11 years ago | (#2850900)

I guess it depends on how you define "unbreakable", eh?

Just like how you might define "sexual relations" huh?

"I did not have sexual relations with that woman" (it was the cigar that did!!!) I just keep wondering if he smoked the cigar afterwards? :-)

Is the gov't still going to use it (1, Troll)

alen (225700) | more than 11 years ago | (#2850693)

to hold all the info about you like birthdate, medical records, genetic map, criminal record and all the porn you've ever downloaded?

Re:Is the gov't still going to use it (3, Funny)

ndfa (71139) | more than 11 years ago | (#2850907)

all the porn you've ever downloaded
Just imagine :
select * from downloaded_porn_table where porn_search_string like '%Natalie Portman scared and petrified%'

All software is breakable - (0, Troll)

eclectro (227083) | more than 11 years ago | (#2850694)


unless it's coded in Forth. [forth.org]

Re:All software is breakable - (0)

Anonymous Coward | more than 11 years ago | (#2850722)

... in which case, nobody uses it anyway, since Forth is a dead language.

Re:All software is breakable - (4, Offtopic)

Chris Mattern (191822) | more than 11 years ago | (#2850761)

Well, because Forth to understand, like Yoda you must speak, that is.

Chris Mattern

Conflicted (1)

spatrick_123 (459796) | more than 11 years ago | (#2850698)

Part of me wants to say "Is there ANYONE who still thinks corporate slogans are actually a reflection of the performance of a product?". But then I realize that many, many people who are responsible for purchasing software probably think exactly that.

So I'm not sure how I feel about this, but it will be funny to see Ellison squirm a little bit - this should do wonders for his campaign to be the official database of Big Brother.

Re:Conflicted (1)

Anonymous Coward | more than 11 years ago | (#2850803)

I dunno... I agree that it's caveat emptor when you take a company's word for its own products. Master lock may show you a padlock taking a bullet, when you know good and well you can snap the hasp with a bolt cutter or any decent source of leverage. But they don't call their padlocks unbreakable. Volkswagen may tout its nifty computerized wheel differential thingy, but they don't say "the car that cannot skid!"

And it seems from the article that, insult to injury, some of the holes (i.e. buffer overflow problems) are very basic security flaws. Their spokeswoman can obfuscate all she wants but the fact is that rather than make a claim they could justify (good security and fast response to problems) they made an unjustifiable claim they were bound to have to eat at some point.

Barenaked Ladies knew it all along (0)

gtaluvit (218726) | more than 11 years ago | (#2850699)

"Anyone perfect must be lying." - Falling For the First Time

The National ID card database . . . (0, Offtopic)

Pituritus Ani (247728) | more than 11 years ago | (#2850702)

. . . could have been 0wn3d! 0|-/\<L3 15 |\|0t 1337, 5|_|x0|-z!

~~~

Security Myth (2, Insightful)

Partisan01 (547933) | more than 11 years ago | (#2850712)

I think the flaw here was that Oracle claimed that no one can break into their software. There's always going to be a way to get into software. It just might take a while. Unless some security team audited every single line of code over and over, which I can't imagine seeing the size of the software, there's going to be some holes. To make a truly secure piece of software some performance is risked. From what I know of Oracle they pride themselves on performance. So my money says that they took care of the big holes, and missed a few of the smaller harder to exploit holes.

Nate Tobik

Re:Security Myth (2, Funny)

puppy0341 (161295) | more than 11 years ago | (#2850740)

yeah, but how to get a security analysis for free?
Announce your software is unbreakable :)

A Definition (0, Insightful)

timdorr (213400) | more than 11 years ago | (#2850718)

unbreakable
adj.

1. Impossible to break; able to withstand rough usage.
2. Able to withstand an attempt to break.

I dunno. That definition seems to contradict what's happened here.. =D

Re:A Definition (0)

Anonymous Coward | more than 11 years ago | (#2850742)

Thank you Mr. Webster for that insight.

Hopping on the Karma Bandwagon (-1, Redundant)

Anonymous Coward | more than 11 years ago | (#2850769)

About Oracle [oracle.com]

Twenty-five years ago, Larry Ellison saw an opportunity other companies missed when he came across a description of a working prototype for a relational database and discovered that no company had committed to commercializing the technology. Ellison and his co-founders, Bob Miner and Ed Oates, realized there was tremendous business potential in the relational database model--but they may not have realized that they would change the face of business computing forever.

Today Oracle (Nasdaq: ORCL) is still at the head of the pack. Oracle technology can be found in nearly every industry around the world and in the offices of 98 of the Fortune 100 companies. Oracle is the first software company to develop and deploy 100% internet-enabled enterprise software across its entire product line: database, business applications, and application development and decision support tools. Oracle is the world's leading supplier of software for information management, and the world's second largest independent software company.

Oracle has always been an innovative company. It was one of the first companies to make its business applications available through the internet--today, that idea is pervasive. Now Oracle is committed to making sure that all of its software is designed to work together--the suite approach--and other companies, analysts, and the press are beginning to acknowledge that Oracle is right. What's in store for tomorrow? We will continue to innovate and to lead the industry--while always making sure that we're focused on solving the problems of the customers who rely on our software.

Re:A Definition (1, Funny)

Anonymous Coward | more than 11 years ago | (#2850791)

It's not a contradiction...the article describes
buffer overflows and interception attacks.

If a cup overflows, it doesn't necessarily break.
If a football is intercepted, it doesn't necessarily break.

The above is a public service announcement from the Clinton Language Interpretation Council.

Well, most software is breakable (1)

commonchaos (309500) | more than 11 years ago | (#2850719)

I doubt that most software is unbreakable in their current form. Unless the developer worked to make it unbreakable from the start or rewrote with that objective. And I doubt that it is possible to "fix" software to be unbreakable without doing a rewrite.

Who is surprised at this anyway?

Whoops! (1, Troll)

MoneyT (548795) | more than 11 years ago | (#2850724)

Well, someone in marketing screwed up big time. Last I knew companies couldn't legally make such strong claims about a product, especially about a security product.

But I guess all this just shows that no matter what security (or anti-piracy if you're the RIAA) measures you put into place, someone will find a way around it. Although, buffer overflows are not anything new, how did they miss that?

I'd like to know... (3, Insightful)

Sawbones (176430) | more than 11 years ago | (#2850731)

given the many discussions on /. of late re: full disclosure of security holes, partial disclosure, disclosure to the company only, etc - what does the crowd here think of the way these exploits have been handled? The story says that Litchfield has commented publicly and explicitly on the nature of one of the holes that already has a patch available, but that he's holding close the holes that have patches still under development.

I guess another question would be, while Oracle is by no means a small company, if the company name started with an M and ended with 'icrosoft' would we be demanding more information?

oracle junk apps (1)

avandesande (143899) | more than 11 years ago | (#2850734)

Everyone knows just to use the Oracle database and throw away the other apps. Does anyone out there even use their application server?

Re:oracle junk apps (1)

alyandon (163926) | more than 11 years ago | (#2850800)

Since lots of companies use Oracle Applications the answer is unfortunately yes....

Unbreakable in a legal sense... (3, Offtopic)

_DMan_ (105238) | more than 11 years ago | (#2850736)

Oracle9i. Unbreakable. Can't break it. Can't break in.

Legally they are correct. The DMCA says you can't break it, and various other laws say you can't break in.

Re:Unbreakable in a legal sense... (1)

Lao-Tzu (12740) | more than 11 years ago | (#2850779)

This comment appears in every security discussion on slashdot...

The Digital Millennium Copyright Act makes it illegal to create software that circumvents copyright enforcing technology, such as CSS.

Oracle's database has nothing to do with copyrights.

My favorite quote: (1, Funny)

Anonymous Coward | more than 11 years ago | (#2850737)

Apparently they hired Bill Clinton to head their PR Dept. Look at this quote:

everything depends on what your definition of "unbreakable" is.

It may also depend on what your definition of "IS" is.

Questions (0)

gtaluvit (218726) | more than 11 years ago | (#2850739)

Were these errors in 8i which was the production release when this all started?

Larry once said that programming a database is more difficult than an OS. Does this absolve any MS exploit that's been found?

I think it's a little presumptious (sp.) to say that some program with a server end is "unbreakable". I could always physically hammer the hard disk. However, in terms of exploits vs. complexity, I think Oracle is doing pretty well. It's not like they have CodeRed.

Slashdot New Flash... (3, Funny)

gpinzone (531794) | more than 11 years ago | (#2850743)

...impossible claim proved wrong. Film at eleven. I can't tell if Ellison's claim that Oracle was bulletproof was the act of a madman or genius. Why genius? Nothing gets security experts to test your software with such vigor than when you tell them it's invulnerable. Question is, does this make the NSA more or less secure in choosing Oracle products?

A questions to ask (1)

www.sorehands.com (142825) | more than 11 years ago | (#2850745)

  • How long and how many holes as compared to other products of the type?
  • How fast does it get fixed?
These are the main questions.

Do we have to ask what is is?

National (Oracle) ID Cards (1)

nesneros (214571) | more than 11 years ago | (#2850749)

Wasn't Oracle harping to provide the database infrastructure for a proposed national ID card?

Of course, if this ever gets to legislation, a non-tech Senator or Congressman will probably remember seeing the "Unbreakable" campaign somewhere and think, "Oh... their systems are unbreakable, sounds good for everyone's private information."

Can't wait for every bored teenager in the world to know about my tax returns...

Marketing Campaign (1)

orcldba (195785) | more than 11 years ago | (#2850752)

As with any other marketing campaign, this one had as its goal to make everybody talk about RDBMS. And the goal is achieved, apparently.
As much as I would want Larry to shut up - he is a stand up comedian somewhere deep inside, and you can not shut this type up. So let's at least have fun listening to him.

crazy fucking ceos (4, Offtopic)

dildofire (308572) | more than 11 years ago | (#2850758)

i would have loved to have been a fly on the wall in the oracle engineering department the day ellison announced that their software was unbreakable. i guarantee you the engineers at oracle wouldn't have supported that campaign, if they even knew about it before ellison announced it at comdex. it's tough enough to keep your software secure when your ceo isn't directly taunting every hacker in the world.

New Oracle Campaign (0)

Anonymous Coward | more than 11 years ago | (#2850767)

They call me Mr. Glass...

Cave (1)

Krilomir (29904) | more than 11 years ago | (#2850770)

I guess I've been living in a cave then...

Wasn't Breaking in the whole point ? (3, Interesting)

Quazion (237706) | more than 11 years ago | (#2850773)

Didn't they start this campaign to get 'hacked'? so they could close some more holes they couldn't find themselves?

Now i wonder, it worked, they already found 7!

Quazion.

A method to the madness, maybe? (2, Interesting)

Mark of THE CITY (97325) | more than 11 years ago | (#2850774)

By essentially daring people to find holes, Oracle gets QA for the cost of embarrassment, which I suspect for L.E. is about one cent.

And this comes from... (5, Funny)

denzo (113290) | more than 11 years ago | (#2850778)

the guy who wants all Americans to be on a unified national ID card, having all our personal information in a central database.

That leaves me feeling warm and fuzzy inside.

Re:And this comes from... (1)

themassiah (80330) | more than 11 years ago | (#2850853)

That sensation is the internal bleeding you get when someone tries to ram a national ID card into your rectum. Enjoy!

Here's how to test it (1)

plgs (447731) | more than 11 years ago | (#2850783)

When you go to sign the licence for the product, write in a warranty from Oracle that the software's unbreakable. (& when Oracle refuses to sign, phone the FTC).

Demanding vendors to step up to the mark of their own advertising is one way to deal with this kind of fraud.

That's odd.... (3, Funny)

RoscoHead (162604) | more than 11 years ago | (#2850788)


"The Oracle database server itself runs on some sixty odd different operating systems,"


How many non-odd operating systems does it run on??

Re:That's odd.... (0)

Anonymous Coward | more than 11 years ago | (#2850896)

Does that include the C64?

does anyone actually expose the DB to the world? (2, Insightful)

zzzeek (43830) | more than 11 years ago | (#2850795)

Had an argument about this awhile back.....the database listener services are not usually trusted as a secure thing for the outside world in my somewhat limited experience, there is always some kind of application layer as the public interface to these things (these days the outside world's interface is often HTTP based), particularly for services accessed over a WAN. How many people out there have oracle listening to an open port on the internet ?

Re:does anyone actually expose the DB to the world (4, Insightful)

The Man (684) | more than 11 years ago | (#2850845)

Of course we would hope people would not expose the database to the world, but there are plenty of people who do. And more interestingly, the database is usually exposed to some internal networks (for example, a database for financials might sit well inside a firewall in the accounting department - on a corporate network). So there is still risk at least from people who can compromise firewalls, bypass poor security checks in applications, or from disgruntled employees.

The fact that defense in depth is a good idea does not justify allowing one of the layers to be weak. The defenses at every level should be as strong as possible, and that ideally means a bug-free app server and a bug-free database.

Re:does anyone actually expose the DB to the world (0)

Anonymous Coward | more than 11 years ago | (#2850908)

How many people out there have oracle listening to an open port on the internet ?

Specifically, I know two companies that use Oracle, and neither of them have it on an open IP address (recommended by the company I work for.)

However, I also know companies that use MS-SQL - and THREE of them have it listening on an open port on the internet (against my recommendations) because "they have to for their software to work properly" (Two of these companies also run other services, such as Exchange SMTP/POP3 on their MS-SQL server.)

I'm sure there are (MCSE-run) Oracle installations out there that are open to the internet.
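
The exposure question debated in the comments above, as an added example that is not part of any poster's comment: a small audit that reads listening-socket output and reports database listeners bound to anything other than loopback. It assumes the default ports 1521 (Oracle listener) and 1433 (MS-SQL) and the column layout of Linux `ss -ltnH`; the sample lines are constructed and the function names are hypothetical.

```python
import ipaddress

# Default ports for the two databases named in the thread (assumed defaults;
# a site may have moved its listener to another port).
DB_PORTS = {1521: "Oracle listener", 1433: "MS-SQL"}

# Ranges treated as "internal": RFC 1918, IPv4 link-local, IPv6 ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7")]

# Constructed sample in the column layout of `ss -ltnH` (not real data):
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:1521 0.0.0.0:*
LISTEN 0 128 127.0.0.1:1433 0.0.0.0:*
LISTEN 0 128 10.20.0.5:1521 0.0.0.0:*
LISTEN 0 128 203.0.113.10:1433 0.0.0.0:*
LISTEN 0 128 [::]:1521 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""


def split_local(local):
    """Split the Local-Address:Port column into (host, port)."""
    host, _, port = local.rpartition(":")
    # Drop IPv6 brackets and any %interface scope suffix.
    host = host.strip("[]").split("%")[0]
    return host, int(port)


def classify(host):
    """Return where a bind address is reachable from."""
    if host == "*":  # ss prints '*' for a dual-stack wildcard bind
        return "all-interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "public"


def audit_listeners(ss_text):
    """Return (service, local, scope, verdict) for each DB listener that is
    reachable from somewhere other than the host itself."""
    findings = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        try:
            host, port = split_local(fields[3])
            scope = classify(host)
        except ValueError:  # malformed address or port: skip the line
            continue
        if port not in DB_PORTS or scope == "loopback":
            continue
        # An internal-only bind still faces the corporate network, so it is
        # reported for review rather than ignored.
        verdict = "review" if scope == "internal" else "exposed"
        findings.append((DB_PORTS[port], fields[3], scope, verdict))
    return findings


if __name__ == "__main__":
    for service, local, scope, verdict in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{verdict.upper():8} {service:16} {local:20} ({scope})")
```

A wildcard bind is reported as exposed because whether it is actually reachable from outside then depends entirely on the firewall in front of the host.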

I am fat! (0)

Anonymous Coward | more than 11 years ago | (#2850804)

And it's all slashdot's fault! That's the last time i compile the linux kernel in my stomach!

Weinberg's law of programming; (3, Funny)

eclectro (227083) | more than 11 years ago | (#2850807)



If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization.

(this is twenty years old)

Re:Weinberg's law of programming; (4, Troll)

geekoid (135745) | more than 11 years ago | (#2850887)

I hate that quote.
When we have been programming for as long as we have been building things, then that quote will be valid.
I am willing to bet that the buildings that were built during the first 50 years the human race had been building buildings weren't all that good.

Yikes, what a sentence.

unbreakable... (2, Funny)

Mainframer (530235) | more than 11 years ago | (#2850815)

The Germans also thought the same about Enigma...

unsinkable (1)

zzzeek (43830) | more than 11 years ago | (#2850852)

and the USA about the titanic

First Titanic, now this! (5, Funny)

roman_mir (125474) | more than 11 years ago | (#2850822)

In the other news, the largest ship in the world Titanic that was named unsinkable, has sunk.

Comments by the CEO: -Well, you can take it both ways, really, we are defining what Unsinkable really means! The other ship building companies in our field are looking up to us to be half as unsinkable as we are. It's great, really, how our campaign brings the best out of this situation.

"We believe the market effect of the 'Unsinkable' campaign raises the unsinkability bar and therefore improves unsinkability overall, both in forcing us to live up to the statement, and forcing others in the industry to begin to do the same," wrote Bruce Ismay. "If our unsinkability today is imperfect but better than the competition, and if customers make a buying decision based on that criteria, then in the long term you will see all products in the market improve."

Uncle Larry and his problems. (2)

AnalogBoy (51094) | more than 11 years ago | (#2850855)

Larry would likely end up in prison for some of the inflammatory stuff he says, if he weren't one of the richest asshoerr guys in the world. Imagine his mouth vs. a cop, judge, jury..

Hell, I'd like to see a Gates vs. Ellison boxing match on pay-per-view, as long as the money didn't go to either of them (and they had to match 1000 to 1). Seeing as they are both a little lanky, it could be interesting. Just let them use physical equivalents of business tactics.

I'm sure Oracle has to struggle to meet the goals spewed by Larry's big mouth. A "The president just said WHAT on national TV" type response, i.e. NASA in the 60's.

Here's an idea. (0)

Anonymous Coward | more than 11 years ago | (#2850859)

Have someone inform the FBI of what he did. Next time he comes to the U.S., he can get arrested.

Oh, wait. We only arrest people from countries where extradition isn't a problem.

Ignorance IS bliss!

Titanic Oracle (2, Funny)

Mittermeyer (195358) | more than 11 years ago | (#2850860)

What happens when Unbreakable Larry Ellison's Unsinkable ego runs into an iceberg called reality?

Thrill as the largest man-made ego in the world shows it too can make a mistake! Gasp as the master engineer makes a crucial error that sinks the RMS Unbreakable! Cry as the star-crossed developers try to escape the sinking PR disaster! Bemoan the lack of escape boats for the VPs who will pay for Ellison's boast!

I swear, can't tell who we need to get first, Gates or Ellison. Neither one is good for computing.

Nobody bothered to read the challenge... (5, Insightful)

aralin (107264) | more than 11 years ago | (#2850861)

Apparently nobody bothered to read the Oracle challenge. Oracle states that not the database itself, but the database in a certain environment, properly configured and secured within the environment, is unbreakable, which it still is.

The only thing that this researcher proved is that in certain environments you can break into the system, which basically holds true for every system.

No matter what, you can be sure that contrary to M$, these holes will be worked on 24/7 and fixed like yesterday. :)

Anyway, enjoy your uninformed, senseless bashing and flaming... trolls.

Marketing at work, that's all. (3, Insightful)

mystery_bowler (472698) | more than 11 years ago | (#2850870)

The reality of it is that most DBAs, programmers and database developers in the working world scoffed at the ad campaign the moment it began. Sure, Oracle has a great product, but we all knew it wasn't bulletproof, no matter how many awards for "best of class security" it supposedly won.

The only real losers in this, other than organizations whose Oracle databases were victimized by a security flaw, were the corporate purchasers who were sold on the hype. They'll have to live with the fact that their DBMS isn't "unbreakable." Honestly, though, there are relatively few of those (none I can think of that are well-publicized, at least), as they are usually run on well locked-down *nix boxes.

It's not anything new. It's just aggressive advertising. Some might argue that it's false advertising, but that's probably being a bit harsh. It's more like...overly boastful advertising.

I know, let's make the story something it isn't (4, Offtopic)

Anonymous Coward | more than 11 years ago | (#2850881)

Come on people. Oracle explained that they used the term "unbreakable" because it passed 14 security audits. Some people say you can't crash Linux because it typically doesn't - but it can.

By and large the Oracle products are very good... We use them in some extremely large and significant data warehousing situations and have probably managed to kill the server once in three years. Many times we've been amazed at what developers have thrown at the server without killing it - Oracle is very good at recovering from users' mistakes.

Anyway, I look forward to hearing what the obvious vulnerabilities are - I dread the number of server upgrades to be tested though. The client I'm working for now has about 250 instances registered with their 24*7 DBA team already... You have no idea how hard it can be to choose a unique 4 character SID sometimes. :-)

Long live Oracle... I'm sure Larry won't lose any sleep (or money) over this since it is still clearly the best product out there.

There is a sucker born every minute... (2, Interesting)

ngoy (551435) | more than 11 years ago | (#2850884)

After reading the article, it struck me as funny how things never change. There are tons of PHBs out there buying up any big flashy ad in their free (if you fill out free survey, otherwise pay $XXX a year) industry mags. I am a Windows user (yeah yeah) but at least I am not stupid enough to buy anything first from Microsoft until they come out with one service pack first. Of course, here at unnamed large x86 cpu company (my company contracts here), they have decided to move to Microsoft's tune within 90 days of them releasing a product. So we have people (not just IT people, HR people, finance people) etc... installing the wonderful IT "engineered" version of WinXP. (Don't get me started on how in the world they think they make Microsoft's stuff more stable through their "engineering".) That anyone would buy into Larry's BS is bizarre. But the PHBs are entirely ignorant of the real world and would gladly believe that Windows XP is crashproof and utterly stable if Bill told them so. I hope somebody has their Oracle9i system hacked and then sues Oracle for false advertising, amongst other things. --Shango

It's all in the definition (1)

Singer4096 (134206) | more than 11 years ago | (#2850906)

I love the part where the chief security officer Mary Ann Davidson says it depends on the definition of "unbreakable". HUH? Where have I heard that kind of reasoning before? Sounds more like she should be head of marketing.

Quote the Security Manager? (4, Insightful)

Havokmon (89874) | more than 11 years ago | (#2850916)

As if ANYONE on this site hasn't ever had to explain something that some moron ^H^H^H^H^H^H manager said could or couldn't be done..

HIS boss is still the boss, wtf is he supposed to say?

Who cares if it's broken? (1)

Aexia (517457) | more than 11 years ago | (#2850917)

It's nothing a little crazy glue won't fix. There. Good as new.

Ah... crazy glue. I love this little toob, makes alllll my problems go away wayw ay2ay

securityfocus seems to be suffering a DDoS attack? (1)

sludg-o (120354) | more than 11 years ago | (#2850918)

Anyone got a mirror? It seems that securityfocus.com is suffering from a DDoS attack.