- More porn sneaks onto the iPhone
- 'Swatting' case shows need to ban caller-ID spoofing
- Why the iPhone can't be "killed"
- Nortel enterprise chief wants to bring back Bay
- US sets final emergency responder wireless pilot
Oracle once marketed its database as "unbreakable," but security researcher David Litchfield has a lesser opinion of the software.
"God forbid that any of our critical national infrastructure runs on this product," he said recently on the widely read Bugtraq security mailing list. "Oops it does."
Security researchers like Litchfield, managing director of Next Generation Security Software, in Sutton, England, make their living finding flaws in other people's software. And while this can put them at odds with software makers, the relationship between Oracle and people like Litchfield has been particularly bad.
In Litchfield's case, the problems go back to 2004, when he published details of an unpatched Oracle vulnerability in a presentation written for the Black Hat security conference. By Litchfield's account, Oracle had given him the go-ahead to discuss the vulnerability, but changed its mind at the last minute. Litchfield changed the topic of his presentation, but he was unable to remove his slides from the conference hand-out.
The next day, the Wall Street Journal wrote about the flaws and, ever since, the relationship between Oracle and the tight network of security researchers who hack its products has been tense.
This antagonism has prevented Oracle from receiving the independent testing and security advice that would have improved its products, said Cesar Cerrudo, CEO of security research firm Argeniss in Parana, Argentina. "Oracle has ignored researchers and also attacked them, saying that researchers are the problem," he said. "The problem is Oracle's flawed software and Oracle's amateur handling of security related issues."
From Oracle's perspective, researchers like Litchfield profit from the publicity they get for exposing Oracle's security flaws, but that exposure comes at a price: more risk for Oracle's customers.
There is often little upside to cooperating with companies that do not understand Oracle and who profit from publishing security vulnerabilities, according to Oracle Chief Security Officer Mary Ann Davidson.
"What I really want is a world where there can be fair and accurate criticisms," she said. "I'm all for dialogue, but you have to establish trust."
In the past few months, however, there have been a few signs that things may be changing at the Redwood Shores, Calif., company.
The Leader in Network Knowledge
Comment