Oracle executives have likened the 9i database and application server products to children's Tonka toys, claiming them to be unbreakable when used in the "right environment". But is this campaign an invitation for hacking attempts, marketing hype, or a statement of fact? A recent advertising campaign, run by Oracle Corporation for its 9i database and application server products, has been the subject of industry criticism and censure. The campaign states Oracle's 9i products are 'unbreakable', and that unauthorised users are unable to 'break it' and unable to 'break in'. It is the 'can't break in' catch-cry that is causing the most controversy and criticism in the marketplace, with industry pundits believing this to be an invitation for increased hacker activity. Oracle isn't showing much concern for industry warnings. "I absolutely believe it (the marketing campaign) is an invitation (for hacking attempts)," said Mark Jarvis, Senior VP and chief marketing officer, Oracle, in response to the claims. Oracle's chief executive, Larry Ellison, also showed confidence in the "unbreakable" claim, despite initial dissension within Oracle ranks. "One of the biggest controversies about the new ad campaign occurred within one of my meetings with the (Oracle) server technology division," said Ellison, at a keynote address at the Oracle OpenWorld event, in San Francisco in December. According to Ellison, the team asked if he was "crazy" and suggested he "just invite all hackers to just stop what they are doing and attack our sites." "Everybody from the Soviet Union to Redmond, Washington is going to be attacking our site," quoted Ellison, before continuing, "Xbox is going to come with a special 'send a billion messages to Oracle' spam game." The last quote referred directly to Microsoft's gaming console, Xbox, and touched on Oracle's well-documented public battles with Microsoft. Despite initial reservations, the Oracle IT team has now embraced the campaign, and is working to ensure the "unbreakable" claim is valid. Gary Roberts, senior VP Global Information Technologies, for Oracle Corporation stated that he is "confident" that the products are unbreakable, and revealed that Oracle has a "group dedicated to testing and technical assessment of products before they go to market." Hacker attempts
Oracle executives, Jarvis and Ellison, have both stated that the quasi-invitation offered by the campaign has been accepted by a number of hackers, as well as security professionals. Jarvis claimed that the number of malicious attempts to break into its database and application server products has increased ten-fold since it first commenced the 'unbreakable' marketing campaign. Ellison supported these claims, but pointed out that there have been "zero successful attempts". Oracle customers have also expressed concerns about security in relation to this new campaign. CERN (European Organisation for Nuclear Research), the world's largest nuclear research organisation, is currently utilising the capabilities of the Oracle 9i database for its Large Hadron Collider (LHC) project. CERN database group manager, Jamie Shiers, believes that the security risk in using Oracle 9i products lies in the fact that Oracle is so well known. "The one downside about going with very well-known solutions is that you are much more open to attack. Everyone at home can just play, so there is much more chance that someone will try to break in," said Shiers. Bend-able, but not break-able?
The attempts on the software so far have not only come from malicious quarters, but also from the security community looking to expose vulnerabilities before hackers are able to exploit them. One vulnerability was discovered and exposed on a security community site, Security Focus -- which hosts the Bugtraq mailing list -- in September 2001. The mailing list discussion announced: "Oracle 9i Application Server could allow a remote attacker to obtain the full path to the Web directory. A remote attacker can send an HTTP request to the server for a non-existent '.jsp' file to cause an error message to display that contains the path to the Web directory. An attacker could use this information to launch further attacks against the affected server." It was also revealed that this vulnerability applied to all versions of Oracle9i Application Server. According to security vendor Internet Security Systems (ISS), this vulnerability allowed users with malicious intent to view company site structures. "It's like opening a window to the inside of your house so a burgular has a good idea of how things are laid out inside before breaking in," said Grant Slender, principal consultant, Australasia for ISS. Slender added that ISS, a security vendor that utilises the talents of its own X-force group to expose vulnerabilties in marketed software, had "played a role in advising Oracle of the vulnerability." Oracle was reportedly made aware of the flaw and had issued a patch for it within a very short space of time. "In this particular case, this flaw was quickly resolved by Oracle with a patch. Whilst a vulnerability was found, there was no case of it being used for malicious intent," said Slender. There have also been rumours of two other vulnerabilities existing in the 9i products; a buffer overflow capability and a denial of service attack vulnerability. Oracle's Roberts denied knowledge of the existence of any buffer overflow capability issue, and explained that other reasons existed for the denial of service vulnerabilities. "I had heard about denial of service problems, but they are not related to our (Oracle's) products," said Roberts. He added: "The last time we saw anything that would have caused a denial of service attack it was specifically pointed at [Microsoft's] IIS servers." Jarvis responded to claims of vulnerabilities with an explanation that the customer -- or end user -- had a part to play in the "unbreakable" campaign. "There is a huge amount of stuff in our software to make it unbreakable, but just like anything you have to put it in the right environment to make it unbreakable," Jarvis said. He then compared the Oracle 9i products to the Tonka brand of children's toy vehicles. "With a Tonka toy, on the box it says unbreakable, but ...if you drive a car over it, it will be in several pieces after that," said Jarvis. ISS's Slender agreed with Jarvis, explaining that even after software companies issued patches for known vulnerabilities, users could be slow to take action. He suggested companies needed to take more "responsibility" for the set-up of their security systems. Marketing hype?
Oracle executives that have spearheaded the campaign, Jarvis and Ellison, both stated that the campaign has been a great success, despite the criticism it has drawn. According to Jarvis, the campaign is one that "IBM would have been happy to have," due to the ease of branding that a one-word campaign delivers. IBM's market manager for data management in Australia and New Zealand, Ursula Paddon disproved this theory, noting that "customers look for a proven track record, not marketing claims." Nicole Bellamy attended Oracle OpenWorld as a guest of Oracle. More enterprise IT news in ZDNet UK's Tech Update Channel Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet news forum. Let the editors know what you think in the Mailroom. And read other letters.