While many technology executives have dodged questions about National Security Agency spying, Oracle CEO Larry Ellison says his customers have nothing to fear.
"To the best of our knowledge, an Oracle database hasn’t been broken into in a couple of decades, by anybody. It's so secure, there are people who complain," Ellison said Wednesday evening at a conference in San Francisco, in response to an audience member's question about NSA spying on Oracle's cloud customers.
One unique aspect of Oracle's database is that administrators can't look at the data inside, Ellison said. "If you create an IBM database, you get to see the data," Ellison said. With Oracle's database, "you have a bunch of authority but you can't look at the data."
Brett Helm, CEO of DB Networks, a Carlsbad, Calif.-based database security vendor, told CRN Oracle's database is susceptible to SQL injection attacks, a common type of database attack that has been responsible for some of the biggest credit card data heists in history.
"You could say that an application has to be vulnerable for SQL injection to happen. Ellison can say it's not the database's fault, and that it's just fulfilling the request, but that's splitting hairs," Helm said in an interview.
Andrew Plato, president of Anitian Enterprise Security, a Beaverton, Ore.-based security consultancy, said Oracle is "notorious" for not patching security vulnerabilities in a timely fashion. "Our penetration testers have little trouble breaking into Oracle platforms, including their database," he told CRN.
Oracle's database partners have a different view. Rhos Dyke, executive vice president of Cloud Creek Systems, a Westlake Village, Calif.-based Oracle partner, said Ellison's assessment of Oracle database security was "spot-on."
"Many of our clients are businesses that have grown up on open source, MS SQL, DB2 and other database management system platforms. They have all ported to an Oracle repository because they collect and manage a lot of information about all kinds of people," Dyke said in an email.
Ellison has been making bold claims about Oracle database security for more than a decade. In 2001, he touted the Oracle 9i database as "unbreakable," but it didn't take long for security researchers to unearth several potentially serious vulnerabilities.
At the conference, Ellison also pointed out that the Central Intelligence Agency was Oracle's first database customer. Ellison and Oracle co-founders Robert Miner and Ed Oates started Software Development Laboratories in 1977 and began developing database software for the CIA under the code name "Oracle." After that project failed, the company changed its name to Oracle in 1982.
PUBLISHED JAN. 30, 2014