EDPACS, DECEMBER 2003



IS WILD LARRY NOW CRAZY LARRY?
BEN ROTHKE

Readers here likely know of the antics and often-outrageous comments of Oracle's CEO Larry Ellison. Ellison's harangues at Microsoft, IBM, and myriad other Oracle adversaries are legendary. While his rants have become the norm within the IT community, his recent statements can't be considered a tirade; rather, they are spurious comments illustrating his unawareness of computer security.

As reported in the November 26, 2001 issue of Computer World, "New Oracle Center to Tackle Security, Homeland Defense" (www.computerworld.com/securitytopics/security/story/0,10801,66044,00.html), Ellison:

■ stated that Oracle9i is unbreakable
■ challenged the hacker community during the recent Comdex conference to break into the database
■ emphasized the 14 security certifications that Oracle has received from the federal government

Had any one of the three claims been made on its own, it could possibly be excused. Stating them all at a single event is simply an egregious utterance. Mr. Ellison needs to understand that corporate CEOs simply can't make such irrelevant comments.

Let's look at each of these statements on its own. Is Oracle9i unbreakable from a security perspective? While I can't fault the company president for touting his own product, I challenge him to find a single security expert, within Oracle or without, to back up his claim. Writing a single, secure distributed Java applet is a challenge; writing an unbreakable database is a near impossibility.

Asking the hacker community to break into Oracle to prove its security is akin to asking a terrorist to prove the airworthiness of an aircraft by bombing it. Hacker challenges (which lack any sort of methodology) have been effective only as marketing ploys, never as a meaningful substantiation of security: a challenge shows only that whoever chose to participate found nothing in the time allotted, not what a motivated attacker would find. Imagine if the FDA used similar challenges: have a few hundred sick people take a new and experimental drug; if no one dies, let's consider it safe.

Finally, government certifications, especially in the IT world, are not in and of themselves worth much. The same American Airlines Airbus that crashed into a residential neighborhood in November 2001 was flying with scores of government certifications, yet those certifications are meaningless to the victims' families or to the lawyers litigating on their behalf.

© Copyright 2003 CRC Press. All rights reserved.

In the post-September 11 era, security is a hot item. Companies are rushing to reposition themselves as security providers and to retrofit security into their often-insecure software applications. Information security, when done in a rush or as a retrofit, is bound to fail. When people such as Mr. Ellison make nebulous security comments, it serves to create newsprint but does nothing for the underlying problem.

While corporate America may want a magic security pixie dust to spread on its networks, such snake oil simply does not work. Navigating the often-difficult waters of security is tough enough. Comments such as those from Larry Ellison only serve to make that water murkier.


Ben Rothke, CISSP, is a New York City-based senior security consultant with ThruPoint, Inc. He can be reached at brothke@thrupoint.net. The views expressed are his own.




OF INTEREST

INTERNATIONAL INSTITUTE FOR DIGITAL FORENSIC STUDIES ESTABLISHED

Atlanta, Georgia and Auburn Hills, Michigan. The Information Systems Forensic Association has announced the formal chartering of the International Institute for Digital Forensic Studies, a digital forensics and investigation "think tank" to be located in Atlanta, Georgia and Auburn Hills, Michigan. The Charter of the Institute gives as its Mission:

■ Promote the application of rigorous scientific methods to research and practice in digital forensic science, tool development, and digital investigation
■ Collaborate with government, business, and academia to advance the state of digital forensic practice through research, education, standardization, and consultation
■ Encourage publication of scholarly materials for the advancement of expertise in the field
■ Provide applied research and development in sophisticated aspects of digital forensic science focused upon court testimony, anomaly resolution, forensic readiness (security event management), and incident post-mortem analysis

The Institute, a nonprofit organization, will function in four specific operational domains:

1. Research
2. Education and training
3. Publication
4. Applied research and development

These domains will support various communities of interest, including private-sector corporations, public sector organizations, law enforcement, the criminal justice system, and the military, to name a few.

The Institute will collaborate with colleges and universities internationally in the advancement of digital forensic science practice, research, and education. As a nonprofit organization, the Institute will seek funding from corporate sponsorships, grants, endowments, sponsor-funded research and applied research and development, and sponsor-funded education and training.

Some early initiatives to be undertaken by the Institute as it receives initial support funding include:

■ Development of education and training curricula for forensic examiners, investigators, and tool developers

