Oracle's Chief Security Officer Speaks Out
s0u1d13r writes "ZDNet Australia posted a special article from Oracle's CSO regarding the treatment and publishing of exploits and vulnerabilities by security researchers. From the article: 'There's a myth about security researchers that goes like this: Vendors are made up of indifferent slugs who wouldn't fix security vulnerabilities quickly -- if at all -- if it weren't for noble security researchers using the threat of public disclosure to force them to act.' An interesting read from the perspective of one of the largest software vendors accused of ignoring vulnerabilities by software researchers."
Nothing but a very short, low-on-detail slagging off of independent security researchers with totally nothing about how she does her job and what her department does. She does touch on some good points, such as clients not wanting to implement fixes during critical reporting periods, but fails to mention that systems that are used for such reporting are usually never exposed to the evil internet. /. again please.
Don't read the 'article' - don't post stories like this onb
But that's true, at least for extensive vulnerabilities that can require a lot of effort to fix and/or test!
Let's see, you're a development manager and you have a crazy schedule forced on you from above by some idiotic VP. Now this guy from product support comes along and tells you about this horrible flaw that will require you to shut down all development for two weeks, slip the schedule and have your best people fix it. Then you shut down testing for a month and have your best testers test it. Then there's the pain of pushing out a patch and notifying the customers and the bad PR associated with that.
I can easily see how some of the less obvious vulnerabilities would be simply brushed off using "no one is ever going to find out" line of reasoning. Now if you know that someone has already found out and he will make it public in about a month, sure as heck you're going to issue a patch, even if this means slipping the schedule by a month (or in case of Windows by two years). Because if you don't, script kiddies will rape your customer and he will never give you another dollar.
A software engineer working to maintain the codebase at a company however will say that a whole new layer of protections need to be added to the application to safeguard against this kind of attack, requiring a significant effort to refactor code and maintain the maintainability of the software.
Thus the security researcher expects a quick fix while the company sees a maintenance nightmare in the making. It is not surprising the two groups disagree on how to handle these vulnerabilities.
Then people are going to point it out.
And so they should. It's still sort of a free country, and Oracle has no right to control people speaking about their poor engineering.
There are ways to do this that cause Oracle more inconvenience than others, but Oracle would be the last company to dump its inflated pricing if I said to them it wasn't ethical or caused me inconvenience.
If the problem exists, accept it, and fix it as quickly as possible. Oracle are just upset that when they are informed of vulnerabilities they get exposed to more legal liability than if they can claim they didn't know anything about it.
I gots ta ding a ding dang my dang a long ling long
This is bullshit.
Oracle does _not_ take vulnerabilities seriously. I agree that the Oracle database is extremely complex, and the implications of bugs are enormous, but it's not inherently complex. Because of this, claiming that they don't release patches because it's complex is bullshit. Oracle does not need to be as complex as it is.
First, the complexity:
I've been running Oracle just as long as I've been running both Mysql and Postgres (I know what you're saying - oh, he's one of those guys:)), and I know that the features Oracle offers can exist without all of the useless bloat Oracle tacks on. Mysql can replicate, instantly, to who knows how many databases. Oracle Dataguard is limited to 9. I can restore databases in seconds using Postgres; Oracle takes all damn day. Mainly because you have to have your ducks in a row with: arch files, redo files, tnsnames, listener files, spfiles, pfiles, oratab, oracle home, etc. Oracle databases are extremely difficult to get running on a different system. Even exports (exp/imp - what _should_ be similar to an SQL dump) don't work across OSs. Oracle offers no native SQL dump command; instead you have to figure out how to get TORA working. Oracle offers sqlplus, an old, broken command line client that requires unsightly scripting to even start the database.
Oracle's documentation is very similar to their product: disconnected. Nothing fits. Everything (kind of) works, but no one knows how to put it together, save the people who killed what must be hundreds of thousands of brain cells by doing it by trial and error. Oracle requires Java, and lots of it. Oracle requires an Oracle database to monitor other Oracle databases. It's wise to put this on a separate installation/box. Doesn't seem to make a lot of sense. Now I have twice as many exploitable boxes, not to mention more to back up, administer, etc. Oracle requires an insane amount of disk space compared to other databases.
I'm not arguing for mysql/postgres vs. oracle - I'm just trying to say that Oracle does NOT need all of the bloat it currently has. The company could stand to do a complete rewrite of it.
Now, the security:
Here's a perfect example of what I mean:
http://www.red-database-security.com/advisory/published_alerts.html
The first 6 vulnerabilities are 600(!!!) days old!
Here's a perfect example of their lack of motivation.
http://packetstormsecurity.nl/0507-advisories/Oracle9R2-unpatched.txt
Basically, a vulnerability was disclosed months ago, and Oracle fixed 10.x in July's update, but completely ignored 9.x. To quote TFA:
'We contacted Oracle about this issue and Oracle
confirmed it, when we asked why there is no fix
for 9iR2, Oracle said:
"Our development teams neglected to do the backports.
We are working on creating those backports now."'
Leaving production systems unpatched until October! (Assuming Oracle doesn't 'neglect' to do it again.)
In short, quit reading the marketing bullshit and wake up.
I'm sorry but you are way off the mark here. I'm sorry that you don't know your job, but don't blame Oracle for your own incompetency.
I don't know what gave you the impression that I didn't know my job, or that I was incompetent with Oracle, but it's quite clear that you're no stranger to making assumptions.
Restore and recover takes a long time... This depends on what you're talking about. I was talking about worst case... You've got some arch files, some redo files, some dbf files and a new disk you need to get Oracle on and running. Yeah, not gonna happen. Mysql? Shit, if they're the same arch (say x86) you can just scp 3 files over. Need to restore to the last transaction? Just apply the binary log.
Granted, this situation is unlikely to play out at, say, US Bank, where they're probably more prepared. As in all cases, the ease/probability of successful restoration is directly related to how much you prepared for it. Mysql and Postgres require _VERY_ little preparation and are very flexible from a restoration standpoint. Oracle requires a large amount of time dedicated to configuring everything and it's *VERY* installation specific.
Oracle Dataguard... My fault, I was confusing replication with redundancy. Well, they're mostly the same...
Starting a database is simple: sqlplus "/ as sysdba"; startup... How difficult is that?
What happens when you want to start your other database?... Oh! You have to export your SID... don't expect to find that in the documentation.
P.S. You didn't comment on the security section. I was really hoping you'd defend your bullshit above by showing me how wrong I was with the links I posted. However, in true /. tradition all I got was flames saying "You don't know how to do your job", "You're incompetent", etc.