Oracle Breach Cover-Up and Git Turns 20 | Tech News of the Week

In this week’s episode of *Tech News of the Week*, we’re talking about source control history, cyber cover-ups, licensing shenanigans, and encryption for the quantum future. It’s a spicy lineup, and we’re here for all of it.
🧑‍💻 Git just turned 20! That’s right, the tool most developers have a love-hate relationship with hit the big two-oh. Originally built by Linus Torvalds after he got fed up with BitKeeper, Git has completely transformed how software is developed. Linus wrote the first version in just 10 days—because of course he did. From obscure CLI commands to full-blown GitHub empires, it’s been a wild ride.
https://github.blog/open-source/git/git-turns-20-a-qa-with-linus-torvalds/
🕵️ Oracle got breached… allegedly. Then they claimed everything was fine. Then they kind of admitted something tiny might have happened. All while trying to erase history from the internet and quietly whispering confessions to their biggest clients. It’s shady. Real shady. Also, the vulnerability? In their own software, patched since 2021, but never applied. Neat.
https://www.bleepingcomputer.com/news/security/oracle-customers-confirm-data-stolen-in-alleged-cloud-breach-is-valid
💸 Microsoft is once again locking horns with the EU, this time over cloud licensing practices. Surprise! Azure gets the discount, and everyone else gets the bill. It’s all about that “hybrid benefit” Windows Server licensing scheme. And while Microsoft says they’ll fix it, deadlines are slipping and complaints are piling up. The EU is not amused.
https://www.theregister.com/2025/04/07/legal_clock_ticking_for_microsoft/
🔐 OpenSSH 10 is here with some serious post-quantum energy. This latest release brings in PQ algorithms to help us stay secure even when quantum computers start flexing. Plus, it drops legacy cryptographic support and plugs a few critical holes. It’s one of those unsexy but *massively* important upgrades.
https://www.phoronix.com/news/OpenSSH-10.0-Released
Thanks for listening! Now go away.
00:00 - Intro
00:06 - Git Turns 20
02:28 - Oracle’s Security Snafu
05:59 - Microsoft vs. EU Licensing
08:14 - OpenSSH 10 and Post-Quantum Security
[00:00:00.00]
Announcer: Welcome to Tech News of the Week with your host, The Longest Yard, which is actually a meter.
[00:00:06.23]
Ned: Welcome to Tech News of the Week. This is our weekly Tech News podcast where Chris and I discuss four interesting articles that caught our attention. I'm going to jump in with Git turns 20. Now, that's commitment. You get it? That's what I wanted to hear. Source control software, Git, is celebrating its 20th anniversary since the first commit on the project made by Internet curmudgeon and general scallywag, Linus Torvalds, on April seventh, 2005. Now, Linus is best known as being the creator and maintainer of the Linux kernel for the past 34 years. But he also wrote the original code behind Git. In an interview with GitHub to celebrate the anniversary of Git, Linas... Linas. Yes, that's real good. Linus explained that he was unhappy with the source control situation that he was using prior to Git. It was a product called BitKeeper, and that was being used for kernel development. However, the product was missing features that he wanted. It was very slow to merge patches together and was closed source to boot, which is the antithesis of this whole open source thing he was trying to After looking around at all the other options, Linus decided none of them were up to the task, and he decided, I'm going to write my own.
[00:01:39.09]
Ned: After spending a few months thinking about what he would like in a source control solution and the data structures needed to support it, he sat down in March of 2020... Not 2025, that would be weird. He sat down in March of 2005 and wrote the basic code in about 10 days. What followed was nothing less than a revolution in software development. Git was decentralized, lightweight, and lightning fast compared to solutions like Subversion and CVS. Linus handed the project over to Junio Hamano, who has maintained it ever since. I didn't start using Git until it was about a decade old, and I can tell you that the learning curve is steep and the commands are somewhat arcane. But much like democracy, it's the best, worst option that we have.
[00:02:28.16]
Chris: Oracle has major cyber security incident, decides to go ahead and lie about it. Over the course of this show, we have talked about a lot of companies that suffered cyber security breaches, security configuration failures, S3 bucket shenanigans, et cetera. Things that led to the exposure of customer data. None of these things are ever ideal, of course, but some companies have been honest and forthright about what happened, why it happened, and what they're going to do to fix it. Not so, though, for law firm Oracle. Reports have been swirling on the dark web that Oracle Cloud was breached in the vicinity of the last few weeks of March. The threat actor showed pretty conclusive evidence that they had a lot of access, including write access and control within sites with a fairly uncomplicated to unravel DNS names of, say, I don't know, usdc2.oraclecloud.com.
[00:03:37.13]
Ned: Seems important.
[00:03:38.06]
Chris: A giveaway there. For their part, Oracle has claimed that everything is fine and that the incidents the threat actor showed proof of didn't happen. The claim by the bad actor states, I've dug into your cloud dashboard infrastructure and found a massive vulnerability that has handed me full access to info on 6 million users, which might be all the users of Oracle Cloud. That's a burn.
[00:04:09.03]
Ned: That's a burn, Ned. I got it. I picked up on it.
[00:04:14.01]
Chris: Oracle has been placing requests to block archive.org from showing the pages on Oracle Cloud that the threat actor has breached, effectively trying to pretend that those sites never existed. Unfortunately for them, they, of course, missed a few. Large customers have reported that Oracle is admitting to the breach, but only on the phone, only orally. Everything's fine, though. I'm totally sure everything's fine. We've always been at war with East Asia. Update. I hope you put in a cool sound effect for that.
[00:04:53.01]
Ned: I said a cool sound effect for that. Better.
[00:05:00.26]
Chris: Literally minutes after I finished writing this, Oracle appears to have admitted to a tiny fraction of a breach. Just a little like a breachlet, like the tiniest, like a little guy.
[00:05:11.17]
Ned: It's so small. It's cute even.
[00:05:13.22]
Chris: This might be because at least one major law firm is working on a potential class action lawsuit. This is all I've got right now. It definitely qualifies as breaking news. Keep your eyes peeled for more.
[00:05:30.05]
Ned: I want to add one thing that I learned when I was reading about this, and it's the fact that the vulnerability that the attacker exploited was a vulnerability in Oracle's own Access Manager software that a patch had been available for since 2021, but they had not applied to these servers.
[00:05:49.22]
Chris: So Oracle had not applied the Oracle patch to the Oracle software?
[00:05:55.10]
Ned: That is correct.
[00:05:57.06]
Chris: Fantastic.
[00:05:59.13]
Ned: Indeed. I can't wait for the legal discovery. Microsoft owes big over licensing shenanigans. Microsoft is playing chicken with the European Union all over again, and the timer is ticking on them. The tech giant promised to whip up a multi-tenant hybrid cloud for the European service providers after the Cloud Infrastructure Service Providers of Europe, or CISPE, CISPE? I don't called them out for making it absurdly more expensive to run Windows Server on anything other than Azure, or times more expensive in some cases. Like all massive projects, they're nowhere near ready, and mid-April's deadline is basically a lost cause. Despite some lavish wining and dining with CISPE in Redmond, progress has been slower than a Windows 95 boot up. Meanwhile, pricing shenanigans have not gone anywhere. Microsoft is still, well, they're not really jacking up the costs for third-party providers. They're just giving themselves a huge cost break. For those not familiar, Microsoft offers folks a hybrid benefit option if they already have Windows Server licenses that they would like to use when launching an Azure virtual machine. But they don't extend that courtesy over to other cloud vendors like AWS and GCP. The result is that end users can save up to 40% of the cost of running a virtual machine by not having to pony up for a license that they already own.
[00:07:41.08]
Ned: This is on top of the fact that AWS and GCP have to buy licenses from Microsoft to run Windows on their clouds. But I'm pretty sure that Azure, being part of Microsoft, doesn't have to do that. I was actually commissioned by Microsoft to compare costs of running a Windows workload on AWS versus Azure, and the deciding factor was almost always the hybrid license benefit. I can't blame the EU for taking umbrage to this strong-armed licensing approach.
[00:08:14.25]
Chris: OpenSSH 10 released, now with 200% more quantum. Or was it no more quantum? Or was it both? Quantum jokes. OpenSSH is one of the most important programs in the world that you've never heard of. That is not just me being hyperbolic, mind you. I'm going to go ahead and let them be hyperbolic instead. OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options. They then also go on to say, OpenSSH is incorporated into many commercial products, but very few of those companies assist OpenSSH with funding. Which is shamefully true. Crack open your wallets and kick them a few shekels, you cheapskates. You know who you are and you know you can afford it. Anyway, this week, OpenSSH released a major update, lucky number 10. This first major update since 2022 introduces a number of what are called PQ algorithms. That's post-quantum to those in the know. The idea being once we have quantum computers, they're going to ruin pretty much all encryption, except for this encryption.
[00:09:49.25]
Chris: We're going to get ahead of it with this version. Release number 10 also drops support for weaker signatures like DSA, and according to the release notes, quote, fixes the DisableForwarding directive, which was failing to disable X11 forwarding as documented. So good.
[00:10:11.01]
Ned: Yeah.
[00:10:11.16]
Chris: Glad we got that not nailed down. Now, all this is a big deal. It all builds on the 9.9 part 2 release that was released just a few months ago. I suspect that we will start to see more and more releases like this from software like this as things like the NIST competition for PQ (post-quantum, if you forgot already) algorithms continue to bear fruit.
[00:10:38.27]
Ned: I believe NIST just released the next batch of approved PQ algorithms. Wow. There's a lot more of them out there than there was a couple of years ago. All right, that's it. We're done now. Go away. Bye.