By Tim Mullen I'm not sure why, but I always seem to find myself in ironic situations.

When I was enrolled in a CPR course as a teenager, our instructor had a

heart attack just hours into the class. In college we started a small

electrical fire while trying to disconnect a dorm room smoke detector. And

not too long ago, I rented the movie "Unbreakable," but when I got home, the

video tape was busted. I guess I should not be too surprised, as we all know

that everything breaks at some point.

Well, maybe not all of us.

Larry Ellison, CEO of Oracle, recently revealed a phenomenal aspect of the

Oracle architecture that is unique in the world: It is unbreakable! During

his keynote address at Comdex, Ellison told the audience that they could

"keep their Microsoft Outlook, and we will make it unbreakable; and

unbreakable means you can't break it, and you can't break in."

The problem here is that I think Ellison actually believes it! In itself,

there is really nothing wrong with that -- he can believe what he wants to

believe. However, if others follow suit and start thinking the same way,

there will be problems.

At the core of his presentation in Vegas was the power of Oracle 9i's

cluster configuration. Though technically superficial and simplistic in its

examples, the clustering overview and demonstration did indeed present some

impressive capabilities in the product's handling of system fail over and

database redundancy. Reportedly, Oracle 9i can now transparently handle

enterprise-wide replication of database transactions without customers

changing a single line of application code, and can seamlessly provide

uninterrupted access to applications even when multiple servers fail and

"smoke is pouring out of the box," as Ellison put it. If it actually does

work the way it was described, I think the database doyen may have something

to be proud of.

However, this "God Himself could not sink this ship" marketing fluff is just

too much.

It's not even as though Ellison blurted out "unbreakable" in the heat of the

address: Oracle's entire marketing theme revolves around the Unbreakable

premise. I wouldn't be surprised if they tried to put a behind the word. I

can understand the want to keep or even increase its approximately 34% share

of an eight billion dollar market, but it should not come at the expense of

Oracle's credibility. It is almost as if they are trying to over-compensate

for the loss of at least three key executives that have left the company in

recent months; the latest being Jay Nussbaum, the executive VP of service

industries, who left just last week after ten years with the company.

This "pelotas grande" marketing attitude may make some quick sales, but it

is a classic example of Executive Management writing checks that Product

Development has to cash-- and that is not good business in the long run. It

is also a bad idea to create an environment where one's customers become

targets just for spite.

Breaking it Down

I'm not so hung up on "can't break it" as I am on "can't break in." If code

is running on a computer, it can be broken into. Touting a hack-proof piece

of commercial software is simply foolish.

The very same day that Ellison boasted that no one could break into Oracle,

David Litchfield of NGSSoftware found several exploitable vulnerabilities in

the Oracle 9i Application Server. Ironic, huh? During an impromptu gathering

at the recent Blackhat Security Briefings in Amsterdam, I watched him

exploit 9iAS to remotely create an administrative user on the server. I also

saw examples of unchecked buffers where overflows could be used to run other

arbitrary code on the box. By the end of the demonstration, he covered four

exploits against 9iAS that could allow an attacker to gain remote root.

The question is not if you can break in -- it is how one will choose to do

so.

Of course, Mr. Litchfield advised Oracle of these issues, and the company is

currently working to patch the problems. He says he will not release details

of the vulnerabilities until Oracle has had a chance to fix them and publish

an official patch, which should be sometime in the very near future.

I tried to check Oracle's Technet site to see if they had any information

available on the patches, but the Web site was down for part of the weekend.

So, maybe Oracle has figured out how to make something "unbreakable"-- make

it "unreachable."

Interacting with systems as if they are truly unbreakable takes away from

security-in-depth, and that is really what I am worried about in all of

this.

If people think that they are safe behind an impenetrable wall, they are not

very likely to build up defenses beyond that point. Break through the wall,

or simply go around it, and you have free reign of the castle grounds. When

you break into 9iAS, you not only own it, you own everything that it is

protecting. Furthermore, the implications of owning a box that is trusted by

all the replication partners or clusters in the enterprise are far reaching.

If you want to move your mail to a database server or deploy applications on

redundant clusters, then go for it -- but do so with your eyes open and

employ different layers of security along the way. Don't put all of your

bits in one basket... Because when the feces hits the oscillator and you

find out exactly what really can be broken, you might also find your

employment contract included in the list. Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software