| Subject: | Re: [ISN] Oracle CEO Touts Security Plans |
|---|---|
| Date: | Tue, 27 Sep 2005 01:10:42 -0500 (CDT) |
Forwarded from: security curmudgeon <jericho@attrition.org>

: http://www.internetnews.com/bus-news/article.php/3550651
:
: By David Needle
: September 21, 2005

: He tweaked Microsoft's Bill Gates for once saying his company was going
: to devote special focus to security for the month of February. "Our
: first client was the CIA, and our second client was the National
: Security Agency. That was 25 years ago. We've been working on security
: since day one," said Ellison. He further claimed the last time an Oracle
: database was broken into was 15 years ago, versus the 45 minutes he said
: it took for someone to break into Microsoft's first version of its
: Passport online ordering system.

Well isn't this a doozy of a quote. This screams a) pure ignorance or
b) very crafty wording designed to evade any criticism.

"last time an Oracle database was broken into was 15 years ago, vs the
45 minutes he said it took for someone to break into Microsoft's first
version of its Passport online ordering system."

How do *you* read this quote?

1. Oracle database, as in their software, meaning installed anywhere
2. Oracle database, as in a database run by Oracle Corporation
3. Oracle database, as in a consumer service like MS Passport is (?!)
4. other?

Depending on how you read this, the reply will obviously change.

1. Hacker logs onto FWP hunter database, but no information stolen
http://www.bozemandailychronicle.com/articles/2005/06/29/news/02fwp.txt

"Luckily, Aasheim said, the agency's databases use Oracle software,
which compresses information into a code that is not visible to hackers
as readable text."

(Yes yes, horrible quote as far as the 'readable text' part, but still
proves the point..)

Further, not that DNS is necessarily proof, we all know that many places
name machines based on the application it runs:

http://www.zone-h.org/en/search/what=oracle/

2. A database run by Oracle, not hacked in last 15 years (so it was
hacked 15 years ago)? But this doesn't jibe given the wording above:

"He further claimed the last time an Oracle database was broken into was
15 years ago, versus the 45 minutes he said it took for someone to break
into Microsoft's first version of its Passport online ordering system."

This wording implies Ellison is directly comparing an Oracle product to
a Microsoft service? If so, he is comparing a database running on the
Oracle network, protected by multiple layers of security (presumably),
to a public facing, publicly accessible Microsoft service. Apples and
oranges Ellison.

3. Comparing Oracle a product, to Microsoft Passport service? Apples and
oranges Ellison.

So, would anyone at Oracle like to backpedal and try to explain this
comment?

_________________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org