Breaking the Unbreakable?


Think twice before making security claims in advertising


True to form, Oracle chairman and CEO Larry Ellison made a big splash at Comdex last fall when he declared that his company's database software was "unbreakable."

Following the announcement and the launch of the new "Unbreakable" marketing campaign, Oracle said hacking attempts soared, but none had succeeded. But the company apparently forgot about deflecting analysts and security experts as well.

Giga Information Group recently issued a report that identified three vulnerabilities in the market-leading database product: a PL/SQL Apache module buffer overflow, a path-revealing vulnerability and a PL/SQL Apache module directory traversal vulnerability.

Soon after the news surfaced, Oracle offered free "Unbreakable Security eKits" on its Web site. The company, however, is still proclaiming its database "unbreakable."

Giga analyst Mike Rasmussen cautions vendors against making public security challenges. "A fair number of these attempts actually end up as an embarrassment to the vendor," Rasmussen reported. "Vendors that consider this line of marketing should think again."