By Tim Mullen I'm not sure why, but I always seem to find myself in ironic situations.
When I was enrolled in a CPR course as a teenager, our instructor had a
heart attack just hours into the class. In college we started a small
electrical fire while trying to disconnect a dorm room smoke detector. And
not too long ago, I rented the movie "Unbreakable," but when I got home, the
video tape was busted. I guess I should not be too surprised, as we all know
that everything breaks at some point.
Well, maybe not all of us.
Larry Ellison, CEO of Oracle, recently revealed a phenomenal aspect of the
Oracle architecture that is unique in the world: It is unbreakable! During
his keynote address at Comdex, Ellison told the audience that they could
"keep their Microsoft Outlook, and we will make it unbreakable; and
unbreakable means you can't break it, and you can't break in."
The problem here is that I think Ellison actually believes it! In itself,
there is really nothing wrong with that -- he can believe what he wants to
believe. However, if others follow suit and start thinking the same way,
there will be problems.
At the core of his presentation in Vegas was the power of Oracle 9i's
cluster configuration. Though technically superficial and simplistic in its
examples, the clustering overview and demonstration did indeed present some
impressive capabilities in the product's handling of system fail over and
database redundancy. Reportedly, Oracle 9i can now transparently handle
enterprise-wide replication of database transactions without customers
changing a single line of application code, and can seamlessly provide
uninterrupted access to applications even when multiple servers fail and
"smoke is pouring out of the box," as Ellison put it. If it actually does
work the way it was described, I think the database doyen may have something
to be proud of.
However, this "God Himself could not sink this ship" marketing fluff is just
It's not even as though Ellison blurted out "unbreakable" in the heat of the
address: Oracle's entire marketing theme revolves around the Unbreakable
premise. I wouldn't be surprised if they tried to put a behind the word. I
can understand the want to keep or even increase its approximately 34% share
of an eight billion dollar market, but it should not come at the expense of
Oracle's credibility. It is almost as if they are trying to over-compensate
for the loss of at least three key executives that have left the company in
recent months; the latest being Jay Nussbaum, the executive VP of service
industries, who left just last week after ten years with the company.
This "pelotas grande" marketing attitude may make some quick sales, but it
is a classic example of Executive Management writing checks that Product
Development has to cash-- and that is not good business in the long run. It
is also a bad idea to create an environment where one's customers become
targets just for spite.
Breaking it Down
I'm not so hung up on "can't break it" as I am on "can't break in." If code
is running on a computer, it can be broken into. Touting a hack-proof piece
of commercial software is simply foolish.
The very same day that Ellison boasted that no one could break into Oracle,
David Litchfield of NGSSoftware found several exploitable vulnerabilities in
the Oracle 9i Application Server. Ironic, huh? During an impromptu gathering
at the recent Blackhat Security Briefings in Amsterdam, I watched him
exploit 9iAS to remotely create an administrative user on the server. I also
saw examples of unchecked buffers where overflows could be used to run other
arbitrary code on the box. By the end of the demonstration, he covered four
exploits against 9iAS that could allow an attacker to gain remote root.
The question is not if you can break in -- it is how one will choose to do
Of course, Mr. Litchfield advised Oracle of these issues, and the company is
currently working to patch the problems. He says he will not release details
of the vulnerabilities until Oracle has had a chance to fix them and publish
an official patch, which should be sometime in the very near future.
I tried to check Oracle's Technet site to see if they had any information
available on the patches, but the Web site was down for part of the weekend.
So, maybe Oracle has figured out how to make something "unbreakable"-- make
Interacting with systems as if they are truly unbreakable takes away from
security-in-depth, and that is really what I am worried about in all of
If people think that they are safe behind an impenetrable wall, they are not
very likely to build up defenses beyond that point. Break through the wall,
or simply go around it, and you have free reign of the castle grounds. When
you break into 9iAS, you not only own it, you own everything that it is
protecting. Furthermore, the implications of owning a box that is trusted by
all the replication partners or clusters in the enterprise are far reaching.
If you want to move your mail to a database server or deploy applications on
redundant clusters, then go for it -- but do so with your eyes open and
employ different layers of security along the way. Don't put all of your
bits in one basket... Because when the feces hits the oscillator and you
find out exactly what really can be broken, you might also find your
employment contract included in the list. Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software