
Oracle: Unbreakable no more?

Mike Ricciuti Staff writer, CNET News
Mike Ricciuti joined CNET in 1996. He is now CNET News' Boston-based executive editor and east coast bureau chief, serving as department editor for business technology and software covered by CNET News, Reviews, and Download.com.

Big technology companies routinely make boastful claims about their products. Despite marketers' best efforts, most of those pledges are little noticed and quickly forgotten. But some security researchers have taken Oracle's "Unbreakable" marketing campaign to heart, even though the company has begun moving away from that label.

When Oracle launched the campaign four years ago, the company said its Oracle 9i database was "unbreakable," and that unauthorized users couldn't "break it" or "break in."

Larry Ellison, Oracle's CEO, repeatedly compared his company's security record against that of arch-rival Microsoft. "Bill Gates said he would devote the month of February to security," said Ellison, referring to an initiative at Microsoft to improve the security of its software. "February's a short month. We've devoted 25 years to security."

Not surprisingly, Oracle executives were forced to defend the unbreakable claim right from the start. "Calling your code 'Unbreakable' is like having a big bull's-eye on your products and your firewall. Obviously, nobody wants to be a target," Mary Ann Davidson, Oracle's chief security officer, told BusinessWeek back in 2002.

Well, security researchers love a challenge. At the Black Hat Briefings, a security conference taking place this week in Las Vegas, two researchers will detail security flaws uncovered in Oracle's software.

Alexander Kornbrust of Red Database Security will give a presentation on ways to circumvent Oracle's database encryption, and Esteban Martinez Fayo, a researcher at security company Argeniss, is slated to show new ways to attack Oracle databases. Kornbrust, a German security researcher, earlier this month published details on a number of unpatched security flaws in Oracle software.

Finding holes in Oracle's "Unbreakable" claim isn't new. Back in 2002, a security researcher used an earlier Black Hat conference as the venue to detail a bevy of security problems in the company's database software. U.K. security researcher David Litchfield at the time detailed a serious software slip-up that could let hackers take control of corporate servers running the database program.

Meanwhile, Oracle has recently begun moving away from the campaign. It isn't actively using the unbreakable label in product marketing and advertising, a company representative said.