- Congress ignores blocking Web sites and social networks
- Microsoft keeps 'Windows 7' name for next client OS
- Market surges, Gates predicts 9% unemployment
- Microsoft reveals critical holes in Active Directory
- Microsoft lays out SQL Server improvements
Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:Application Performance Solutions | App Performance | Networking Solution | SafeGuard Enterprise Solution Center | SOA | Test your Web Filter | Value of WDS
Oracle once marketed its database as "unbreakable," but security researcher David Litchfield has a lesser opinion of the software.
"God forbid that any of our critical national infrastructure runs on this product," he said recently on the widely read Bugtraq security mailing list. "Oops it does."
Security researchers like Litchfield, managing director of Next Generation Security Software, in Sutton, England, make their living finding flaws in other people's software. And while this can put them at odds with software makers, the relationship between Oracle and people like Litchfield has been particularly bad.
In Litchfield's case, the problems go back to 2004, when he published details of an unpatched Oracle vulnerability in a presentation written for the Black Hat security conference. By Litchfield's account, Oracle had given him the go-ahead to discuss the vulnerability, but changed its mind at the last minute. Litchfield changed the topic of his presentation, but he was unable to remove his slides from the conference hand-out.
The next day, the Wall Street Journal wrote about the flaws and, ever since, the relationship between Oracle and the tight network of security researchers who hack its products has been tense.
This antagonism has prevented Oracle from receiving the independent testing and security advice that would have improved its products, said Cesar Cerrudo, CEO of security research firm Argeniss in Parana, Argentina. "Oracle has ignored researchers and also attacked them, saying that researchers are the problem," he said. "The problem is Oracle's flawed software and Oracle's amateur handling of security related issues."
From Oracle's perspective, researchers like Litchfield profit from the publicity they get for exposing Oracle's security flaws, but that exposure comes at a price: more risk for Oracle's customers.
There is often little upside to cooperating with companies that do not understand Oracle and who profit from publishing security vulnerabilities, according to Oracle Chief Security Officer Mary Ann Davidson.
"What I really want is a world where there can be fair and accurate criticisms," she said. "I'm all for dialogue, but you have to establish trust."
In the past few months, however, there have been a few signs that things may be changing at the Redwood Shores, Calif., company.
Rss FeedRss Feed
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 The Leader in Network Knowledge© 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comment