Re: [ISN] Backing Up Oracle's "Unbreakable" Vow

From: InfoSec News (isnat_private)
Date: Mon Jan 21 2002 - 00:34:07 PST


    Forwarded from: Chris Wilson <chrisat_private>
    
    
    On Tue, 15 Jan 2002, InfoSec News wrote:
    
    > http://www.businessweek.com/bwdaily/dnflash/jan2002/nf20020115_8894.htm
    
    <snip>
    
    > Calling your code "Unbreakable" is like having a big bull's-eye on
    > your products and your firewall. Obviously, nobody wants to be a
    > target. But when we thought about it, we thought what does
    > "Unbreakable" really speak to? It speaks to product assurance. I
    > stand behind that commitment and our products.
    
    So Ms. Davidson is willing to stand behind that which she knows to be
    untrue?
    
    > A: Well, think about what the opposite of "Unbreakable" would be:
    > "Our products can be broken into, and we don't care."
    
    Firstly, is that really the "opposite"? I think "breakable" would be
    the direct opposite, and whether or not anybody cares is orthogonal to
    the breakability of the product.
    
    Secondly, this is not an issue of black or white. I think everyone who
    understands practical software security would agree that there is no
    absolute security, and "absolute" insecurity probably doesn't exist in
    practice either. So why bring the extremes into the argument at all?
    Oracle, like all other software in production use in the real world,
    _must_ occupy some point in the middle ground.
    
    > Look, our core customers are among the most security-conscious in
    > the world. I respectfully and somewhat lovingly refer to them as
    > the professional paranoid. I'm not allowed to say who they are,
    > but you can guess.
    
    And that excuses Oracle's lying to them about the security of their
    product? Or are they expected to ignore any such claims?
    
    > Even if we don't do things perfectly but we do it much better than
    > our competition and customers purchase Oracle on that basis, you
    > will see the overall level of security improve in the industry.
    > "Unbreakable"  gives us something to live up to.
    
    That's certainly a worthy goal, and I would be greatly impressed if
    Oracle (or anyone) could produce a database server with NO bugs. I do
    not expect it to happen anytime soon, and it certainly isn't true
    right now. So is it responsible to claim that a product has certain
    features when in fact they are a distant goal?
    
    > It really does concentrate the mind wonderfully.
    
    Perhaps Ms. Davidson suspects that Oracle is to be hanged in a
    fortnight? (apologies to Samuel Johnson).
    
    > The general thought is don't embarrass the company.  Nobody wants
    > to be the group that makes us violate it.
    
    I'm afraid it's much too late. It is already violated.
    
    > A: He has always been concerned about it, and he has always been
    > very knowledgeable about it. He knew that we had a security group,
    > and he knew what we built, down to a fairly technical
    > understanding of the product. But I think "Unbreakable" is a
    > reflection of a big change.  [It used to be] security was
    > something that only the professional paranoid worried about. Now
    > with the growth of the Internet, security is something that
    > everyone now has to be concerned about. You must admit, from a
    > marketing standpoint, it has a punchy sound. It's a lot better
    > than "Pretty Darned Good Security."
    
    PGP sells pretty well with an honest name (Pretty Good Privacy). Why
    does Oracle need a dishonest slogan to sell a product which is already
    doing pretty well?
    
    Also, isn't it illegal to use misleading advertising?
    
    > Q: How did Oracle go about securing its products? What did you do
    > differently?
    > 
    > A: Not that much different, actually. We used the same processes
    > we have used before in terms of putting secure programming and
    > development standards in place.
    
    I am _so_ encouraged by this. "Instead of building security into the
    system from the ground up, we retrofitted it using standard design
    methodology".
    
    > We are being more stringent and, dare I say, draconian, in making
    > sure people adhere to coding standards and product check-off lists
    > before we ship products.
    
    But the product still shipped with several buffer overflows. Was the
    code audited by outside contractors?
    
    > A: In addition to having coding standards, we make every group
    > that owns a line item in our product components complete a
    > questionnaire that is geared toward making sure we avoid the top
    > 15 stupid security mistakes companies get burned on.
    
    So Oracle isn't really unbreakable, just slightly defended against the
    most common 15 attacks. I'd venture that there are more than 15 kinds
    of mistakes a programmer can make which introduce security
    vulnerabilities, and that some of them are not documented anywhere
    yet.
    
    > The check-offs go down to things like forced password changes for
    > default accounts. [While] a lot of it is Security 101, some of it
    > is more technical. With those lists, it's 100% compliance. We are
    > not going to allow any deviation at all.
    
    Why does Oracle ship with a default login/password of "scott/tiger"?
    Surely it would be better not to have such a standardised security
    hole? And why do administrators have to correct Oracle's mistakes by
    manually deleting the account?
    
    > A: You can't slap it on at the end. If you don't commit to a
    > secure product [throughout its entire life cycle], you can't
    > engineer it in at the end and expect to have secure products.
    
    Ahh, some sense at last. I guess Ms Davidson does know what she's
    talking about. So why did Oracle do it that way anyway?
    
    > A: The line in real estate is "location, location, location." In
    > security, it's not as straightforward but it's the same idea --
    > "culture of security, culture of security, culture of security."
    > If you don't maintain a corporate culture that puts security as an
    > important thing, you can't convince your developers to make your
    > code as bulletproof as possible.
    
    And if developers don't know how to make their software secure (and
    most don't, including myself) then how can they be expected to live up
    to their "corporate culture"? Perhaps Oracle should focus on making
    security a process rather than a corporate culture. At least it's
    better than defining security as a product!
    
    > Q: Has security sealed any deals for you with people who were
    > sitting on the fence?
    > 
    > A: Absolutely. You have seen our marketing campaigns from the
    > past. I was joking we should run one that said two out of three
    > e-paranoids run on Oracle.
    
    I think Ms Davidson might actually believe that to be the case, which
    would be very unfortunate. I for one only trust open source software
    to have any security at all, and only then because if required to, I
    could audit the code, or subcontract someone to do so.
    
    Ciao, Chris.
       ___ __     _  
     / __// / ,__(_)_  | Chris Wilson <chrisat_private> | Phone: 01223 503 190 |
    / (_ / ,\/ _/ /_ \ | Tech Director - Caliday Project | RITC (Cambridge) Ltd |
    \ _//_/_/_//_/___/ | Unix Systems & Network Engineer | Cambridge CB5 8LA UK |
    
    
    
    



    This archive was generated by hypermail 2b30 : Mon Jan 21 2002 - 03:53:41 PST