Rothke - Is wild Larry now crazy Larry?


Published on

Ben Rothke writes how Oracle's Larry Ellison does not get what security is about.

Published in: Technology, Education
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Rothke - Is wild Larry now crazy Larry?

  1. 1. E D P A C S DECEMBER 2003 IS WILD LARRY NOW CRAZY LARRY? BEN ROTHKE R eaders here likely know of the antics and often-outrageous comments of Oracle’s CEO Larry Ellison. Ellison’s harangues at Microsoft, IBM, and myriad other Oracle adversaries are legendary. While his rants have become the norm within the IT community, recent statements of his can’t be considered a tirade, rather a spurious comment illustrating his unaware- ness of computer security. As reported in the November 26, 2001 issue of Computer World, “New Oracle Center to Tackle Security, Homeland Defense” ( story/0,10801,66044,00.html), Ellison: ■ stated that Oracle9i is unbreakable ■ challenged the hacker community during the recent Comdex conference to break into the database ■ emphasized the 14 security certifications that Oracle has received from the federal government If one of the three topics were uttered separately, they could possibly be exonerated. Stating them all at a single event is simply an egregious utterance. Mr. Ellison needs to under- stand that corporate CEOs simply can’t make such irrelevant comments. Let’s look at each of these statements on its own. Is Oracle 9i unbreakable from a security perspective? While I can’t fault the company president for touting his own product, I chal- lenge him to find a single security expert, within Oracle or without, to back up his claim. Writing a single, secure distrib- uted Java applet is a challenge; writing an unbreakable data- base is a near impossibility. Asking the hacker community to break into Oracle to prove its security is akin to asking a terrorist to prove the airwor- thiness of an aircraft by bombing it. Hacker challenges (which lack any sort of methodology) have been effective only as marketing ploys, but never as a meaningful substantiation of security. Imagine if the FDA used similar challenges: have a few hundred sick people take a new and experimental drug; if no one dies, let’s consider it safe. Finally, government certifications, especially in the IT world, are not in and of themselves worth much. The same American Airlines Airbus that crashed into a residential neighborhood in November 2001 was flying with scores of government certifications, yet those certifications are mean- ingless to the victims’ families or to the lawyers’ litigation on their behalf. 18 © Copyright 2003 CRC Press–All rights reserved.
  2. 2. DECEMBER 2003 E D P A C S In the post-September 11 era, security is a hot item. Compa- nies are rushing to reposition themselves as security provid- ers and to retrofit security into their often-insecure software applications. Information security when done in a rush or as a retrofit is bound to fail. When people such as Mr. Ellison make nebulous security comments, it serves to create news- print, but does nothing to the underlying problem. While corporate America may want a magic security pixie dust to spread on its networks, such snake oil simply does not work. Navigating the often-difficult waters of security is tough enough. Comments such as those from Larry Ellison only serve to make that water murkier. Ben Rothke, CISSP, is a New York-city based senior security consultant with ThruPoint, Inc. He can be reached at The views ex- pressed are his own. OF INTEREST INTERNATIONAL INSTITUTE The Institute, a nonprofit organization, will FOR DIGITAL FORENSIC function in four specific operational domains: STUDIES ESTABLISHED 1. Research Atlanta, Georgia and Auburn Hills, Michigan. The 2. Education and training Information Systems Forensic Association has 3. Publication announced the formal chartering of the Inter- 4. Applied research and development national Institute for Digital Forensic Studies, These domains will support various commu- a digital forensics and investigation “think nities of interest, including private-sector tank” to be located in Atlanta, Georgia and corporations, public sector organizations, law Auburn Hills, Michigan. The Charter of the enforcement, the criminal justice system, Institute gives as its Mission: and the military, to name a few. The Institute will collaborate with colleges ■ Promote the application of rigorous scientific and universities internationally in the methods to research and practice in digital advancement of digital forensic science prac- forensic science, tool development, and digi- tice, research, and education. As a nonprofit tal investigation organization, the Institute will seek funding ■ Collaborate with government, business, and from corporate sponsorships, grants, endow- academia to advance the state of digital forensic practice through research, educa- ments, sponsor-funded research and applied tion, standardization, and consultation research and development, and sponsor- ■ Encourage publication of scholarly materials funded education and training. for the advancement of expertise in the field Some early initiatives to be undertaken by ■ Provide applied research and development in the Institute as it receives initial support sophisticated aspects of digital forensic science funding include: focused upon court testimony, anomaly resolu- ■ Development of education and training cur- tion, forensic readiness (security event man- ricula for forensic examiners, investigators, agement), and incident post-mortem analysis and tool developers © Copyright 2003 CRC Press–All rights reserved. 19