October 19, 2005

Oracle: Physician Heal Thyself

I’m worried about Oracle. Last week, we had the open letter from David Litchfield and the responses to his letter. In my opinion, Oracle’s been getting “the slap” from a security perspective in the court of public opinion; as I’ve said before, I think they’ve been getting so much heat because their actions fall short of their own standard. Today Mary Ann continues the hypocritical trend by offering her perspective on how IT security should be approached in the federal realm. Removing the references to military history from the article, here are the lessons Mary Ann offers:

- Intelligence has value only if you act on it.
- A second lesson is the hubris of assuming that enemies cannot break ciphers and codes.
- Interior defensive perimeters are critical.

I'm all behind this advice; I agree with it one thousand percent. However, what’s interesting to me is the extent to which Oracle itself follows (or doesn’t follow) Mary Ann’s advice. Of the three guidelines presented, it is clear that Oracle doesn't follow at least two.

I, for one, agree that intelligence only has value if acted upon; so then why does Oracle fail to act on the intelligence provided to it free of charge by the research community to build a better product? Researchers tell us, for example, that security vulnerabilities reported to Oracle can remain unpatched for years. They tell us that Oracle publishes security patches that don’t fully address the issues. It would seem to me that Oracle is not “using the intelligence”; Oracle seems not to heed its own advice.

I also agree that there is hubris associated with assuming enemies can’t break codes or ciphers. However, isn’t there also hubris associated with assuming enemies can’t break a product? Their “unbreakable” campaign aside, Larry Ellison told us flat out that Oracle hasn’t been broken in 15 years. Again, researchers tell us it isn’t true. We’ve heard, for example, that there are folks out there “tired of breaking Oracle because it’s so easy.” Oracle assumes that the product is unbreakable - just like the codes and ciphers Mary Ann points to. Hubris.

I don’t have any insight into the third of Mary Ann’s points insofar as Oracle’s internal controls or “interior defensive perimeter” are concerned, so I can’t comment there. Maybe they’re great at that... or maybe not. Either way, I have to question why Oracle is in a position to offer this advice when their own house clearly isn’t in order on at least two of the three points.

People in glass houses...

Posted by Ed at October 19, 2005 05:00 PM