X
Business
Home Business Enterprise Software

Oracle's 'unbreakable' toy story

Industry experts are abuzz over Oracle's claim that its 9i database is like a Tonka toy--'unbreakable.' Is this a brilliant marketing campaign or just plain crazy?
Written by Nicole Bellamy, Contributor
Oracle Corp. executives have likened the 9i database and application server products to children's Tonka toys, claiming they are unbreakable when used in the "right environment." But is this campaign an invitation for hacking attempts, marketing hype or a statement of fact?

A recent advertising campaign, run by Oracle for its 9i database and application server products, has been the subject of industry criticism and censure. The campaign states Oracle's 9i products are "unbreakable," and that unauthorized users are unable to "break it" or "break in."

It is the "can't break in" catch-cry that is causing the most controversy and criticism in the marketplace, with industry pundits believing this to be an invitation for increased hacker activity. Oracle isn't showing much concern for industry warnings.

"I absolutely believe [the marketing campaign] is an invitation [for hacking attempts]," said Mark Jarvis, senior vice president and chief marketing officer of Oracle, in response to the claims.

Oracle's CEO, Larry Ellison, also showed confidence in the "unbreakable" claim, despite initial dissension within Oracle ranks.

"One of the biggest controversies about the new ad campaign occurred within one of my meetings with the [Oracle] server technology division," said Ellison, at a keynote address at the Oracle Open World event, in San Francisco in December.

According to Ellison, the team asked if he was "crazy" and suggested he "just invite all hackers to just stop what they are doing and attack our sites."

"Everybody from the Soviet Union to Redmond, Washington, is going to be attacking our site," quoted Ellison, before continuing facetiously, "Xbox is going to come with a special 'send a billion messages to Oracle' spam game."

The last quote referred directly to Microsoft's new gaming console and touched on Oracle's well-documented public battles with Microsoft.

Despite initial reservations, the Oracle IT team has now embraced the campaign, and is working to ensure the "unbreakable" claim is valid.

Gary Roberts, Oracle's senior vice president of Global Information Technologies, stated that he is "confident" the products are unbreakable and revealed that Oracle has a "group dedicated to testing and technical assessment of products before they go to market."

Hacker attempts
Oracle executives Jarvis and Ellison have both stated that the quasi-invitation offered by the campaign has been accepted by a number of hackers, as well as security professionals.

Jarvis claimed that the number of malicious attempts to break into Oracle database and application server products has increased ten-fold since it first commenced the "unbreakable" marketing campaign.

Ellison supported these claims, but pointed out that there have been "zero successful attempts."

Oracle customers have also expressed concerns about security in relation to this new campaign.

CERN (European Organisation for Nuclear Research), the world's largest nuclear research organisation, is currently utilising the capabilities of the Oracle 9i database for its Large Hadron Collider (LHC) project.

CERN database group manager Jamie Shiers believes that the security risk in using Oracle 9i products lies in the fact that Oracle is so well known.

"The one downside about going with very well-known solutions is that you are much more open to attack. Everyone at home can just play, so there is much more chance that someone will try to break in," said Shiers.

Bendable but not breakable?
The attempts on the software so far have not only come from malicious quarters but also from the security community looking to expose vulnerabilities before hackers are able to exploit them.

One vulnerability was discovered and exposed on a security community site, Security Focus, which hosts the Bugtraq mailing list, in September.

The mailing list discussion announced:

"Oracle 9i Application Server could allow a remote attacker to obtain the full path to the Web directory. A remote attacker can send an HTTP request to the server for a non-existent '.jsp' file to cause an error message to display that contains the path to the Web directory. An attacker could use this information to launch further attacks against the affected server."

It was also revealed that this vulnerability applied to all versions of Oracle9i Application Server.

According to security-vendor Internet Security Systems (ISS), this vulnerability allowed users with malicious intent to view company site structures.

"It's like opening a window to the inside of your house so a burgular has a good idea of how things are laid out inside before breaking in," said Grant Slender, principal consultant, Australasia, for ISS.

Slender added that ISS, a security vendor that utilizes the talents of its own X-force group to expose vulnerabilties in marketed software, had "played a role in advising Oracle of the vulnerability."

Oracle was reportedly made aware of the flaw and issued a patch for it within a short space of time.

"In this particular case, this flaw was quickly resolved by Oracle with a patch. Whilst a vulnerability was found, there was no case of it being used for malicious intent," said Slender.

There have also been rumours of two other vulnerabilities existing in the 9i products: a buffer overflow capability and a denial of service attack vulnerability.

Oracle's Roberts denied knowledge of the existence of any buffer overflow capability issue and explained that other reasons existed for the denial of service vulnerabilities.

"I had heard about denial of service problems, but they are not related to [Oracle's] products," said Roberts.

He added: "The last time we saw anything that would have caused a denial of service attack it was specifically pointed at [Microsoft's] IIS servers."

Jarvis responded to claims of vulnerabilities with an explanation that the customer--or end user--had a part to play in the "unbreakable" campaign.

"There is a huge amount of stuff in our software to make it unbreakable, but just like anything you have to put it in the right environment to make it unbreakable," Jarvis said.

He then compared the Oracle 9i products to the Tonka brand of children's toy vehicles.

"With a Tonka toy, on the box it says unbreakable, but ... if you drive a car over it, it will be in several pieces after that," said Jarvis.

ISS's Slender agreed with Jarvis, explaining that even after software companies issued patches for known vulnerabilities, users could be slow to take action. He suggested companies needed to take more responsibility for the set-up of their security systems.

Marketing hype?
Oracle executives have stated that the campaign has been a great success, despite the criticism it has drawn.

According to Jarvis, the campaign is one that "IBM would have been happy to have."

Ursula Paddon, IBM's market manager for data management in Australia and New Zealand, disputed that theory, noting that "customers look for a proven track record, not marketing claims."

Editorial standards
Show Comments

Related

Anker Solix X1

Not into the Tesla Powerwall? You can now buy the Anker Solix X1

windows-11-laptop

Microsoft is now showing ads in Windows 11's Start menu. Here's how to block them

Placeholder product image alt text

The best AI image generators to try right now