Ben Rothke writes how Oracle's Larry Ellison does not get what security is about.

1. E D P A C S DECEMBER 2003
IS WILD LARRY NOW
CRAZY LARRY?
BEN ROTHKE
R eaders here likely know of the antics and often-outrageous
comments of Oracle’s CEO Larry Ellison. Ellison’s harangues
at Microsoft, IBM, and myriad other Oracle adversaries are
legendary. While his rants have become the norm within the
IT community, recent statements of his can’t be considered a
tirade, rather a spurious comment illustrating his unaware-
ness of computer security.
As reported in the November 26, 2001 issue of Computer
World, “New Oracle Center to Tackle Security, Homeland
Defense” (www.computerworld.com/securitytopics/security/
story/0,10801,66044,00.html), Ellison:
■ stated that Oracle9i is unbreakable
■ challenged the hacker community during the recent Comdex
conference to break into the database
■ emphasized the 14 security certifications that Oracle has
received from the federal government
If one of the three topics were uttered separately, they could
possibly be exonerated. Stating them all at a single event is
simply an egregious utterance. Mr. Ellison needs to under-
stand that corporate CEOs simply can’t make such irrelevant
comments.
Let’s look at each of these statements on its own. Is Oracle
9i unbreakable from a security perspective? While I can’t fault
the company president for touting his own product, I chal-
lenge him to find a single security expert, within Oracle or
without, to back up his claim. Writing a single, secure distrib-
uted Java applet is a challenge; writing an unbreakable data-
base is a near impossibility.
Asking the hacker community to break into Oracle to prove
its security is akin to asking a terrorist to prove the airwor-
thiness of an aircraft by bombing it. Hacker challenges (which
lack any sort of methodology) have been effective only as
marketing ploys, but never as a meaningful substantiation of
security. Imagine if the FDA used similar challenges: have a
few hundred sick people take a new and experimental drug; if
no one dies, let’s consider it safe.
Finally, government certifications, especially in the IT
world, are not in and of themselves worth much. The same
American Airlines Airbus that crashed into a residential
neighborhood in November 2001 was flying with scores of
government certifications, yet those certifications are mean-
ingless to the victims’ families or to the lawyers’ litigation on
their behalf.
18 © Copyright 2003 CRC Press–All rights reserved.

2. DECEMBER 2003 E D P A C S
In the post-September 11 era, security is a hot item. Compa-
nies are rushing to reposition themselves as security provid-
ers and to retrofit security into their often-insecure software
applications. Information security when done in a rush or as
a retrofit is bound to fail. When people such as Mr. Ellison
make nebulous security comments, it serves to create news-
print, but does nothing to the underlying problem.
While corporate America may want a magic security pixie
dust to spread on its networks, such snake oil simply does not
work. Navigating the often-difficult waters of security is tough
enough. Comments such as those from Larry Ellison only
serve to make that water murkier.
Ben Rothke, CISSP, is a New York-city based senior security consultant with
ThruPoint, Inc. He can be reached at brothke@thrupoint.net. The views ex-
pressed are his own.
OF INTEREST
INTERNATIONAL INSTITUTE The Institute, a nonprofit organization, will
FOR DIGITAL FORENSIC function in four specific operational domains:
STUDIES ESTABLISHED 1. Research
Atlanta, Georgia and Auburn Hills, Michigan. The 2. Education and training
Information Systems Forensic Association has 3. Publication
announced the formal chartering of the Inter- 4. Applied research and development
national Institute for Digital Forensic Studies, These domains will support various commu-
a digital forensics and investigation “think nities of interest, including private-sector
tank” to be located in Atlanta, Georgia and corporations, public sector organizations, law
Auburn Hills, Michigan. The Charter of the enforcement, the criminal justice system,
Institute gives as its Mission: and the military, to name a few.
The Institute will collaborate with colleges
■ Promote the application of rigorous scientific and universities internationally in the
methods to research and practice in digital advancement of digital forensic science prac-
forensic science, tool development, and digi-
tice, research, and education. As a nonprofit
tal investigation
organization, the Institute will seek funding
■ Collaborate with government, business, and
from corporate sponsorships, grants, endow-
academia to advance the state of digital
forensic practice through research, educa-
ments, sponsor-funded research and applied
tion, standardization, and consultation research and development, and sponsor-
■ Encourage publication of scholarly materials funded education and training.
for the advancement of expertise in the field Some early initiatives to be undertaken by
■ Provide applied research and development in the Institute as it receives initial support
sophisticated aspects of digital forensic science funding include:
focused upon court testimony, anomaly resolu- ■ Development of education and training cur-
tion, forensic readiness (security event man- ricula for forensic examiners, investigators,
agement), and incident post-mortem analysis and tool developers
© Copyright 2003 CRC Press–All rights reserved. 19