AOH :: ISN-1452.HTM

Re: Oracle CEO Touts Security Plans




Re: Oracle CEO Touts Security Plans
Re: Oracle CEO Touts Security Plans



Forwarded from: security curmudgeon  

: http://www.internetnews.com/bus-news/article.php/3550651 
: 
: By David Needle 
: September 21, 2005 

: He tweaked Microsoft's Bill Gates for once saying his company was going 
: to devote special focus to security for the month of February.  "Our 
: first client was the CIA, and our second client was the National 
: Security Agency. That was 25 years ago. We've been working on security 
: since day one," said Ellison. He further claimed the last time an Oracle 
: database was broken into was 15 years ago, versus the 45 minutes he said 
: it took for someone to break into Microsoft's first version of its 
: Passport online ordering system.

Well isn't this a doozy of a quote. This screams a) pure ignorance or b) 
very crafty wording designed to evade any criticism.

  "last time an Oracle database was broken into was 15 years ago, vs the 
  45 minutes he said it took for someone to break into Microsoft's first 
  version of its Passport online ordering system."

How do *you* read this quote?

1. Oracle database, as in their software, meaning installed anywhere
2. Oracle database, as in a database run by Oracle Corporation
3. Oracle database, as in a consumer service like MS Passport is (?!)
4. other?

Depending on how you read this, the reply will obviously change.

1. Hacker logs onto FWP hunter database, but no information stolen
http://www.bozemandailychronicle.com/articles/2005/06/29/news/02fwp.txt 

 "Luckily, Aasheim said, the agency's databases use Oracle software, which 
  compresses inforamtion into a code that is not visible to hackers as 
  readable text."

(Yes yes, horrible quote as far as the 'readable text' part, but still 
proves the point..)

Further, not that DNS is necessarily proof, we all know that many places 
name machines based on the application it runs:

http://www.zone-h.org/en/search/what=oracle/ 

05/24/2005: http://oracle.usgovbank.us 
05/02/2005: http://oracle.riverblues.co.za/~sacx/image/ath.htm 
02/27/2005: http://www.oracle-on-linux.com 
01/31/2005: http://entrysoft.oracle.priorweb.be 
01/17/2005: http://oracle.rensreinders.nl 
11/18/2004: http://campus.pincn.com/clientpages/2004/oracle/index.html 
06/08/2004: http://www.oracle.worldzonepro.com 
12/19/2003: http://oracle.mylxhq.com 
12/14/2003: http://www.oracle-pa.com.br 
12/04/2003: http://www.oracle.berndpross.de 
10/21/2003: http://www.oracle-dba.fr.pl 
11/08/2002: http://oracle.ssnet.co.jp 
10/29/2002: http://oracle.4click.com.ua 
10/23/2002: http://www.oracle.ksu.edu 
07/18/2002: http://www.oracle.net 
06/27/2002: http://oracle.net 
06/27/2002: http://www.oracle.net 
06/17/2002: http://www.oracle-ovation.com 
04/23/2002: http://partner.oracle.co.kr 
06/27/2001: http://www.oracle.au.edu 

2. A database run by Oracle, not hacked in last 15 years (so it was hacked 
15 years ago)? But this doesn't jibe given the wording above:

 "He further claimed the last time an Oracle database was broken into was 
  15 years ago, versus the 45 minutes he said it took for someone to break 
  into Microsoft's first version of its Passport online ordering system.

This wording implies Ellison is directly comparing an Oracle product to a 
Microsoft service? If so, he is comparing a database running on the Oracle 
network, protected by multiple layers of security (presumably), to a 
public facing, publicly accessable Microsoft service. Apples and oranges 
Ellison.

3. Comparing Oracle a product, to Microsoft Passport service? Apples and 
oranges Ellison.


So, would anyone at Oracle like to back peddle and try to explain this 
comment?



_________________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org 

Site design & layout copyright © 1986-2014 CodeGods