Change history
Axon's correction (current version):
There had been a well-known vulnerability/back door that Oracle wrote into their networking/sync protocol for YEARS that went unaddressed. The vulnerability allowed an attacker to clone the entire database, amongst other nasty things, with no records (able to rewrite DB access records, basically giving them more control than the actual owner of the DB). It's highly likely that this was an NSA back door that they refused to fix and/or were unable to fix due to it being written into the syntax of the protocol that the software was written to follow.
Imagine someone on your network just randomly answering a DB call that was to go to another database shard, then sending your DB data, then your DB just starts responding to that instead because it thinks it's actually part of the database. It was bad enough that we basically couldn't tell if someone was actively hacking our database because there were always hung connections that could be some virtual machine that had already done its job and stopped existing.
Their answer to this little problem was to upgrade to Oracle 11, when it comes out. These databases are so ingrained into companies' business logic that even with a huge vulnerability like this, which basically left your most valuable data open to corruption and copying, a lot of businesses' only option was to wait until they rewrote their protocol and released it in a new product.
What this "engineer" is saying is: well, you've already given us this much power over your business, you might as well sit down and shut up if you have any complaints about the quality of our software. Maybe you haven't reverse engineered this communication data, but anyone on your network can see how the databases are talking to each other and slip in data to take control, and Oracle's answer is just "don't look there".
Axon's original version:
A gem from the Reddit comments
There had been a well-known vulnerability/back door that Oracle wrote into their networking/sync protocol for YEARS that went unaddressed. The vulnerability allowed an attacker to clone the entire database, amongst other nasty things, with no records (able to rewrite DB access records, basically giving them more control than the actual owner of the DB). It's highly likely that this was an NSA back door that they refused to fix and/or were unable to fix due to it being written into the syntax of the protocol that the software was written to follow.
Imagine someone on your network just randomly answering a DB call that was to go to another database shard, then sending your DB data, then your DB just starts responding to that instead because it thinks it's actually part of the database. It was bad enough that we basically couldn't tell if someone was actively hacking our database because there were always hung connections that could be some virtual machine that had already done its job and stopped existing.
Their answer to this little problem was to upgrade to Oracle 11, when it comes out. These databases are so ingrained into companies' business logic that even with a huge vulnerability like this, which basically left your most valuable data open to corruption and copying, a lot of businesses' only option was to wait until they rewrote their protocol and released it in a new product.
What this "engineer" is saying is: well, you've already given us this much power over your business, you might as well sit down and shut up if you have any complaints about the quality of our software. Maybe you haven't reverse engineered this communication data, but anyone on your network can see how the databases are talking to each other and slip in data to take control, and Oracle's answer is just "don't look there".