Re: [ISN] Oracle CEO Touts Security Plans

From: InfoSec News (isn@private)
Date: Mon Sep 26 2005 - 23:10:42 PDT


Forwarded from: security curmudgeon <jericho@private>

: http://www.internetnews.com/bus-news/article.php/3550651
: 
: By David Needle 
: September 21, 2005 

: He tweaked Microsoft's Bill Gates for once saying his company was going 
: to devote special focus to security for the month of February.  "Our 
: first client was the CIA, and our second client was the National 
: Security Agency. That was 25 years ago. We've been working on security 
: since day one," said Ellison. He further claimed the last time an Oracle 
: database was broken into was 15 years ago, versus the 45 minutes he said 
: it took for someone to break into Microsoft's first version of its 
: Passport online ordering system.

Well isn't this a doozy of a quote. This screams a) pure ignorance or b) 
very crafty wording designed to evade any criticism.

  "last time an Oracle database was broken into was 15 years ago, vs the 
  45 minutes he said it took for someone to break into Microsoft's first 
  version of its Passport online ordering system."

How do *you* read this quote?

1. Oracle database, as in their software, meaning installed anywhere
2. Oracle database, as in a database run by Oracle Corporation
3. Oracle database, as in a consumer service like MS Passport is (?!)
4. other?

Depending on how you read this, the reply will obviously change.

1. Hacker logs onto FWP hunter database, but no information stolen
http://www.bozemandailychronicle.com/articles/2005/06/29/news/02fwp.txt

 "Luckily, Aasheim said, the agency's databases use Oracle software, which 
  compresses inforamtion into a code that is not visible to hackers as 
  readable text."

(Yes yes, horrible quote as far as the 'readable text' part, but still 
proves the point..)

Further, not that DNS is necessarily proof, we all know that many places 
name machines based on the application it runs:

http://www.zone-h.org/en/search/what=oracle/

05/24/2005: http://oracle.usgovbank.us
05/02/2005: http://oracle.riverblues.co.za/~sacx/image/ath.htm
02/27/2005: http://www.oracle-on-linux.com
01/31/2005: http://entrysoft.oracle.priorweb.be
01/17/2005: http://oracle.rensreinders.nl
11/18/2004: http://campus.pincn.com/clientpages/2004/oracle/index.html
06/08/2004: http://www.oracle.worldzonepro.com
12/19/2003: http://oracle.mylxhq.com
12/14/2003: http://www.oracle-pa.com.br
12/04/2003: http://www.oracle.berndpross.de
10/21/2003: http://www.oracle-dba.fr.pl
11/08/2002: http://oracle.ssnet.co.jp
10/29/2002: http://oracle.4click.com.ua
10/23/2002: http://www.oracle.ksu.edu
07/18/2002: http://www.oracle.net
06/27/2002: http://oracle.net
06/27/2002: http://www.oracle.net
06/17/2002: http://www.oracle-ovation.com
04/23/2002: http://partner.oracle.co.kr
06/27/2001: http://www.oracle.au.edu

2. A database run by Oracle, not hacked in last 15 years (so it was hacked 
15 years ago)? But this doesn't jibe given the wording above:

 "He further claimed the last time an Oracle database was broken into was 
  15 years ago, versus the 45 minutes he said it took for someone to break 
  into Microsoft's first version of its Passport online ordering system.

This wording implies Ellison is directly comparing an Oracle product to a 
Microsoft service? If so, he is comparing a database running on the Oracle 
network, protected by multiple layers of security (presumably), to a 
public facing, publicly accessable Microsoft service. Apples and oranges 
Ellison.

3. Comparing Oracle a product, to Microsoft Passport service? Apples and 
oranges Ellison.


So, would anyone at Oracle like to back peddle and try to explain this 
comment?



_________________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org 



This archive was generated by hypermail 2.1.3 : Mon Sep 26 2005 - 23:48:21 PDT