Forwarded from: security curmudgeon <jericho@private> : http://www.internetnews.com/bus-news/article.php/3550651 : : By David Needle : September 21, 2005 : He tweaked Microsoft's Bill Gates for once saying his company was going : to devote special focus to security for the month of February. "Our : first client was the CIA, and our second client was the National : Security Agency. That was 25 years ago. We've been working on security : since day one," said Ellison. He further claimed the last time an Oracle : database was broken into was 15 years ago, versus the 45 minutes he said : it took for someone to break into Microsoft's first version of its : Passport online ordering system. Well isn't this a doozy of a quote. This screams a) pure ignorance or b) very crafty wording designed to evade any criticism. "last time an Oracle database was broken into was 15 years ago, vs the 45 minutes he said it took for someone to break into Microsoft's first version of its Passport online ordering system." How do *you* read this quote? 1. Oracle database, as in their software, meaning installed anywhere 2. Oracle database, as in a database run by Oracle Corporation 3. Oracle database, as in a consumer service like MS Passport is (?!) 4. other? Depending on how you read this, the reply will obviously change. 1. Hacker logs onto FWP hunter database, but no information stolen http://www.bozemandailychronicle.com/articles/2005/06/29/news/02fwp.txt "Luckily, Aasheim said, the agency's databases use Oracle software, which compresses inforamtion into a code that is not visible to hackers as readable text." (Yes yes, horrible quote as far as the 'readable text' part, but still proves the point..) Further, not that DNS is necessarily proof, we all know that many places name machines based on the application it runs: http://www.zone-h.org/en/search/what=oracle/ 05/24/2005: http://oracle.usgovbank.us 05/02/2005: http://oracle.riverblues.co.za/~sacx/image/ath.htm 02/27/2005: http://www.oracle-on-linux.com 01/31/2005: http://entrysoft.oracle.priorweb.be 01/17/2005: http://oracle.rensreinders.nl 11/18/2004: http://campus.pincn.com/clientpages/2004/oracle/index.html 06/08/2004: http://www.oracle.worldzonepro.com 12/19/2003: http://oracle.mylxhq.com 12/14/2003: http://www.oracle-pa.com.br 12/04/2003: http://www.oracle.berndpross.de 10/21/2003: http://www.oracle-dba.fr.pl 11/08/2002: http://oracle.ssnet.co.jp 10/29/2002: http://oracle.4click.com.ua 10/23/2002: http://www.oracle.ksu.edu 07/18/2002: http://www.oracle.net 06/27/2002: http://oracle.net 06/27/2002: http://www.oracle.net 06/17/2002: http://www.oracle-ovation.com 04/23/2002: http://partner.oracle.co.kr 06/27/2001: http://www.oracle.au.edu 2. A database run by Oracle, not hacked in last 15 years (so it was hacked 15 years ago)? But this doesn't jibe given the wording above: "He further claimed the last time an Oracle database was broken into was 15 years ago, versus the 45 minutes he said it took for someone to break into Microsoft's first version of its Passport online ordering system. This wording implies Ellison is directly comparing an Oracle product to a Microsoft service? If so, he is comparing a database running on the Oracle network, protected by multiple layers of security (presumably), to a public facing, publicly accessable Microsoft service. Apples and oranges Ellison. 3. Comparing Oracle a product, to Microsoft Passport service? Apples and oranges Ellison. So, would anyone at Oracle like to back peddle and try to explain this comment? _________________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Mon Sep 26 2005 - 23:48:21 PDT