Remember Oracle’s ludicrous ads about their ‘unbreakable’ database product? Bruce Schneier was predictably unimpressed:
‘Last November, Oracle started touting its security with an “Unbreakable” ad campaign and the slogan: “Oracle9i. Unbreakable. Can’t break it. Can’t break in.” This was a ludicrous claim then, but I decided to wait until it was actually broken before writing about it.

Well, it’s been broken. In several places. Using some pretty basic attacks. Unbreakable, it’s not.

On the one hand, I (and most people reading this newsletter) always knew that. We knew that the claims were exaggerated. We knew that the Oracle marketing department was lying. But it’s a sad commentary on the state of security discourse that Oracle wasn’t immediately laughed out of the room. Oracle9i won’t ever be unbreakable, unless the company makes some major changes in the way they design and develop software.

On the other hand, maybe it’s not just hubris. Maybe Oracle management actually believed that their product was unbreakable. Maybe they’re that clueless about security. If that’s the case, the problems run deeper than they look. The problem with believing your product is unbreakable is that you don’t bother to secure it in depth. If you think your walls are impenetrable, you’re not going to bother with guards and alarms and anything else. This is the case with Oracle9i. The attacks completely take over the database. Once the attacker has broken the “unbreakable” security, there’s nothing else to stop him.

In their backpedaling, Oracle has said that “unbreakable” didn’t mean what normal people take the word to mean. Oracle’s security chief, Mary Ann Davidson, claims that the campaign “speaks to” fourteen independent security evaluations that Oracle’s database server passed. This, to me, is the real story here. What good is a security evaluation, what good are FOURTEEN different security evaluations, if none of them can catch something as trivial as a buffer overflow? Security is hard. Think of a chain; any single weak link can break the chain. Buffer overflows are an obvious link: easy to avoid, easy to test for, easy to fix. Catching all buffer overflows doesn’t make your software secure; it’s the price of admission. The hard stuff is really hard.

So, I tried to find the fourteen independent security evaluations. I wanted to make fun of them: “Look at the fourteen security evaluations that don’t even guarantee buffer-overflow-free code.” Unfortunately, I could only find five: TCSEC, ITSEC, Common Criteria, Russian Criteria, and FIPS 140-1. Oracle marketing turned five into fourteen by counting multiple levels of TCSEC and ITSEC as independent security evaluations, and counting identical evaluations of different Oracle products as independent security evaluations. I don’t know about you, but when I hear “fourteen different,” I don’t think it means “five different, some of them multiple times with different products or different levels.” Seems like Oracle has trouble with math as well as with English.

“Unbreakable” has a meaning. It means that it can’t be broken. It doesn’t mean “Unbreakable, except by people who know how to break things.” It doesn’t mean “Passes five or so questionable security evaluations, but is still vulnerable to buffer overflows.” I don’t care who Larry Ellison is; he can’t rewrite the dictionary.’

Bill Gates did a cameo appearance in tonight’s Frasier. He comes on to Frasier’s radio show ostensibly to be interviewed by the host, but the switchboard is immediately deluged with callers wanting to talk to Gates about XP, multi-media players etc. — and of course Billg delightedly takes them on, leaving Frasier fuming at having been thus sidelined. Neat!

One of my favourite monthly reads is Bruce Schneier’s Newsletter. The current issue contains some robustly perceptive observations on what Microsoft needs to do if it really wants to take security seriously. For example:

“One of the simplest, strongest, and safest models is to enforce a rigid separation of data and code. The commingling of data and code is responsible for a great many security problems, and Microsoft has been the Internet’s worst offender. Here’s one example: Originally, e-mail was text only, and e-mail viruses were impossible. Microsoft changed that by having its mail clients automatically execute commands embedded in e-mail. This paved the way for e-mail viruses, like Melissa and LoveBug, that automatically spread to people in the victims’ address books. Microsoft must reverse the security damage by removing this functionality from its e-mail clients and many other of its products. This rigid separation of data from code needs to be applied to all products.”

Great column by Dan Gillmor on the way the entertainment industry is increasingly treating everyone as a thief.

“If the business people who rule the entertainment industry had been as powerful 25 years ago as they are today, you’d be breaking the law if you set your videocassette recorder to tape your favorite Olympic event for later viewing. The VCR, assuming the entertainment industry would have allowed a manufacturer to sell it, would not have a fast-forward button because it would let you skip through the commercials without viewing them.

As for tape recorders, you would not have been able to make a copy of the music you just bought so you could play it in your car.”

Hollywood studios sue makers of digital recorders.

LA Times story.

“The lawsuits, which were brought by the largest TV networks and all seven major Hollywood movie companies, say the ReplayTV recorders violate copyrights by enabling users to send videos to other ReplayTV boxes over the Internet and skip commercials automatically. The suit filed by MGM, Fox, Universal Studios and Orion Pictures goes furthest, arguing that it’s illegal to let consumers record and store shows based on the genre, actors or other words in the program description. This claim threatens not just the ReplayTV devices, some copyright experts say, but all recorders like it. Unlike VCRs, which require users to record shows by time slot or unique number, PVRs record based on a show’s name or program description. Users don’t need to know when ‘Friends’ is on. They just need to know the name or a leading actor. Once a program is found, the device can be set to capture it whenever it’s on the air.”

John Perry Barlow on the copyright land grab.

“We are born savage and self-centered, and then, unless we move to Hollywood, we get over it. We become civilized. We enter a state in which we understand that sharing is good.

And just as sharing makes us civilized, it’s sharing that makes civilization. It lets us build a great collective work from the exchange of stories, myths, songs, poems, facts, jokes, beliefs, scientific discoveries, elegant engineering hacks, and all of the other products of human thought and discourse.

I know that this is a fairly obvious observation. That’s why I’m stunned that so many kinds of sharing have suddenly, without public debate, become criminal acts. For instance, lending a book to a friend is still all right, but letting him read the same book electronically is now a theft.

Over the last several years, the entertainment industry has railroaded a number of laws and treaties through Washington and Geneva that are driving us rapidly toward a future in which the fruits of the mind cannot be shared. Instead they must be purchased — not from the human beings who created them in the first place, but only from the media megaliths.”

I love the way JPB writes. He is concerned about the same issues that enrage me, and yet manages to package them in more digestible literary packages. Comes from having been a rock lyricist in an earlier life, I suppose. Sigh.