Please join us for a set of informative discussions about Information Security in the Oracle Security Online Forum, sponsored by Oracle and Accenture, where leading industry executives and Oracle product experts will come together to discuss security trends, best practices, and proven solutions for your business.

The illustrious lineup includes:

• Mary Ann Davidson, Oracle’s Chief Security Officer—on industry-leading standards, technologies, and practices that ensure that Oracle products—and your entire system—remain as secure as possible
• Jeff Margolies, Partner, Accenture’s Security Practice—on key security trends and solutions to prepare for in 2011 and beyond
• Tom Kyte, Senior Technical Architect and Oracle Database Guru—on how you can safeguard your enterprise application data with Oracle’s Database Security solutions
• Vipin Samar, Vice President of Oracle Database Security Solutions—on new approaches to protecting data and database infrastructure against evolving threats
• Nishant Kaushik, Oracle’s Chief Identity Strategist—on how organizations can use Oracle Identity Management solutions to reduce fraud and streamline compliance

Additionally, security solution experts will be on live chat throughout the event to answer your toughest questions.

You can register for the event here.

Hope to “see” you there.

I am pleased to announce the official public webcast introducing Oracle Identity Management 11g:

Date: Wednesday, July 21, 2010
Time: 10:00 a.m. PT / 1:00 p.m. ET

Amit Jasuja,  Oracle’s Vice President Identity Management and Security Products, will lead the discussion, as he and other Oracle executives:

“… introduce a new and revolutionary approach in application security – Oracle Identity Management 11g.

“Modern enterprise architectures are evolving rapidly, yet many security solutions in use today represent decade old technology. Businesses must adapt swiftly to stay competitive, yet bolted-on security controls impede IT agility. Compliance mandates continue to grow in number, while organizations continue to struggle with their staggering costs and complexity.

“Oracle Identity Management 11g redefines the architectures that secure the modern enterprise, ushering in a new era of agile security, rapid ROI, and sustainable compliance. Join us to learn more about the exciting new developments.”

I’m looking forward to this event.  We hope you can join us, too.

You can register by clicking here.

In a recent post, I highlighted a new Oracle white paper entitled, “Protecting the Electric Grid in a Dangerous World,” which describes how Oracle Identity Management solutions and the Oracle data security portfolio offer an effective, defense-in-depth security strategy to help meet this challenge, playing a key role in the North American Energy Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cyber security standards.

An Oracle colleague asked appropriately, What about the oil and gas industry?  Isn’t this part of the energy industry also considered part of the critical infrastructure in the United States?  Isn’t the oil and gas industry vulnerable to cyber attack? Aren’t methods for protecting information assets in the oil and gas industry similar to those in the electrical distribution industry? 

The answer to each question is a resounding “Yes,” but with some differences. Let’s explore a bit of history and discuss the focus of Information Security in the Oil and Gas Critical Infrastructure. This post is longer than most of my blog posts, but I felt the length was justified to give a good overview of the topic.

Historical Perspective

The Federal Government official recognition of the vulnerability of critical infrastructure in the US began with the Presidential Decision Directive NSC-63 on Critical Infrastructure Protection, signed by Bill Clinton on May 22, 1988.  The executive summary of that directive reads in part:

The United States possesses both the world’s strongest military and its largest national economy. Those two aspects of our power are mutually reinforcing and dependent. They are also increasingly reliant upon certain critical infrastructures and upon cyber-based information systems.

Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. They include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private. Many of the nation’s critical infrastructures have historically been physically and logically separate systems that had little interdependence. As a result of advances in information technology and the necessity of improved efficiency, however, these infrastructures have become increasingly automated and interlinked. These same advances have created new vulnerabilities to equipment failure, human error, weather and other natural causes, and physical and cyber attacks. Addressing these vulnerabilities will necessarily require flexible, evolutionary approaches that span both the public and private sectors, and protect both domestic and international security.

The Homeland Security Presidential Directive – HSPD-7 – entitled “Critical Infrastructure Identification, Prioritization, and Protection", signed by President George W. Bush, on December 17, 2003, served to amplify the focus and attention on Critical Infrastructure Protection.

Terrorists seek to destroy, incapacitate, or exploit critical infrastructure and key resources across the United States to threaten national security, cause mass casualties, weaken our economy, and damage public morale and confidence.

America’s open and technologically complex society includes a wide array of critical infrastructure and key resources that are potential terrorist targets. The majority of these are owned and operated by the private sector and State or local governments. These critical infrastructures and key resources are both physical and cyber-based and span all sectors of the economy.

Critical infrastructure and key resources provide the essential services that underpin American society. The Nation possesses numerous key resources, whose exploitation or destruction by terrorists could cause catastrophic health effects or mass casualties comparable to those from the use of a weapon of mass destruction, or could profoundly affect our national prestige and morale. In addition, there is critical infrastructure so vital that its incapacitation, exploitation, or destruction, through terrorist attack, could have a debilitating effect on security and economic well-being.

While it is not possible to protect or eliminate the vulnerability of all critical infrastructure and key resources throughout the country, strategic improvements in security can make it more difficult for attacks to succeed and can lessen the impact of attacks that may occur. In addition to strategic security enhancements, tactical security improvements can be rapidly implemented to deter, mitigate, or neutralize potential attacks.

In response to this directive, seventeen CIP sectors of national importance were specified:

1. Information technology
2. Telecommunications
3. Chemicals
4. Transportation systems, including mass transit, aviation, maritime, ground/surface, and rail and pipeline systems
5. Emergency services
6. Postal and shipping services
7. Agriculture, food (meat, poultry, egg products)
8. Public health, health care, and food (other than meat, poultry, egg products)
9. Drinking water and waste water treatment systems
10. Energy, including the production refining, storage, and distribution of oil and gas, and electric power
11. Banking and finance
12. National monuments and icons
13. Defense industrial base

The US Department of Energy (DOE) bears responsibility for leadership of the Energy sector, encompassing  the production refining, storage, and distribution of oil and gas, and electric power except for commercial nuclear power facilities.  DOE responsibilities in this sector include:

• collaboration with all relevant Federal departments and agencies, State and local governments, and the private sector, including with key persons and entities in their infrastructure sector;
• conducting or facilitating vulnerability assessments of the sector; and
• encouraging risk management strategies to protect against and mitigate the effects of attacks against critical infrastructure and key resources.

In June 2006, the U.S. Department of Homeland Security (DHS) announced completion of the National Infrastructure Protection Plan (NIPP) Base Plan, including a sector-specific plan for the Energy Sector.  The Vision statement for the energy sector stated:

The Energy Sector envisions a robust, resilient energy infrastructure in which continuity of business and services is maintained through secure and reliable information sharing, effective risk management programs, coordinated response capabilities, and trusted relationships between public and private security partners at all levels of industry and government.

Relevant Systems

The following diagrams included in the Energy Sector plan highlight the components in the relevant systems addressed by this sector.  Each of these sectors is highly dependent of information systems to administer and control complex, interconnected systems.

The descriptions accompanying each diagram came from the National Infrastructure Protection Plan (Energy Sector).

The electrical distribution grid

The U.S. electricity segment contains more than 5,300 power plants with approximately 1,075 gigawatts of installed generating capacity. Approximately 49 percent of electricity is produced by combusting coal (primarily transported by rail), 19 percent in nuclear power plants, and 20 percent by combusting natural gas. The remaining generation is provided by hydroelectric plants (7 percent), oil (2 percent), and by renewable (solar, wind, and geothermal) and other sources (3 percent). Electricity generated at power plants is transmitted over 211,000 miles of high-voltage transmission lines. Voltage is stepped down at substations before being distributed to 140 million customers over millions of miles of lower voltage distribution lines. The electricity infrastructure is highly automated and controlled by utilities and regional grid operators using sophisticated energy management systems that are supplied by supervisory control and data acquisition (SCADA) systems to keep the system in balance.

 The Petroleum System

The petroleum segment entails the exploration, production, storage, transport, and refinement of crude oil. The crude oil is refined into petroleum products that are then stored and distributed to key economic sectors throughout the United States. Key petroleum products include motor gasoline, jet fuel, distillate fuel oil, residual fuel oil, and liquefied petroleum gases. Both crude oil and petroleum products are imported, primarily by ship, as well as produced domestically. Currently, 66 percent of the crude oil required to fuel the U.S. economy is imported. In the United States, there are more than 500,000 crude oil-producing wells, 30,000 miles of gathering pipeline, and 51,000 miles of crude oil pipeline. There are 133 operable petroleum refineries, 116,000 miles of product pipeline, and 1,400 petroleum terminals. Petroleum also relies on sophisticated SCADA and other systems to control production and distribution; however, crude oil and petroleum products are stored in tank farms and other facilities.

The Flow of Natural Gas

Natural gas is also produced, piped, stored, and distributed in the United States. Imports of liquefied natural gas (LNG) are increasing to meet growing demand. There are more than 448,000 gas production and condensate wells and 20,000 miles of gathering pipeline in the country. Gas is processed (impurities removed) at over 550 operable gas processing plants and there are almost 302,000 miles of interstate and intrastate pipeline for the transmission of natural gas. Gas is stored at 399 underground storage fields and 103 LNG peaking facilities. Finally, natural gas is distributed to homes and businesses over 1,175,000 miles of distribution pipelines. The heavy reliance on pipelines highlights the interdependency with the Transportation Sector and the reliance on the Energy Sector for power means that virtually all sectors have dependencies with the Energy Sector.

Interdependencies across the economy

Although the electricity, oil and gas sub-sectors are complex in and of themselves, we must also recognize that these systems interact with other key CIP sectors.  The networked connectivity among these sectors amplifies increases the probability of an attack in one sector to directly affect multiple other sectors.

It is interesting to note that even small and medium size U.S. companies included in this interconnected network:

…  are more and more exposed to cyber threats from organized crime, foreign intelligence services, and probably terrorist organizations; 85 percent of U.S. critical infrastructure is owned and operated by private companies — and these companies are especially vulnerable to determined attacks which may ruin or seriously disrupt company operations.… (source: Homeland Security Newswire: “Cyber threats now targeting traditional companies”)

In recognition of the importance of addressing information security issues, the Energy sector plan states:

Today’s developing “information age” technology has intensified the importance of CIP, in which cyber security has become as critical as physical security to protecting energy CI/KR. The Energy Sector has rapidly responded to the increasing need for enterprise-level physical and cyber security efforts and business continuity plans. Voluntarily conducted vulnerability assessments have not only improved sector security but have also demonstrated industry commitment to a secure and resilient Energy Sector. Many asset owners and operators conduct self-assessments or contract with third parties to perform energy vulnerability assessments and implement protective programs at their facilities.

Specific efforts to address information security in the Electricity subsector include:

NERC has developed Cyber Security Standards CIP-002 through 009,37 which have been filed with FERC for approval and address the following requirements:

• Data and information classification according to confidentiality
• Identification and protection of cyber assets related to reliable operation of the bulk electric systems
• Process control, SCADA, and incident reporting

NERC’s CIPC has issued a summary of several electric power vulnerability assessment methodologies, including a variation of DOE’s Vulnerability and Risk Analysis Program methodology, in a suite of potential vulnerability assessment tools that electric power companies should consider using.

Specific work to address information security in the Oil and Natural Gas subsectors include:

Establishing goals for vulnerability identification, detection and response:

• Assess  security vulnerabilities at single-point assets such as refineries, storage terminals, and other buildings, as well as networked features such as pipelines and cyber systems and
• Work toward resilient and secure cyber networks and SCADA systems to detect and respond to cyber attacks.

The AGA, the Interstate Natural Gas Association of America (INGAA), and APGA worked together to develop and release Security Guidelines: Natural Gas Industry, Transmission and Distribution. These guidelines provide an approach for vulnerability assessment, a critical facility definition, detection/deterrent methods, response and recovery guidance, cyber security information, and relevant operational standards. The industry security guidelines incorporate a risk-based approach for natural gas companies to consider when identifying critical facilities and determining appropriate actions, and are based on the DHS Homeland Security Advisory System (HSAS). The TSA, along with the PHMSA, is currently conducting onsite reviews based on these guidelines.

Importance of Energy Sector

So, just how important is the Energy Sector as a Critical Infrastructure? Though somewhat outdated, the 2006 DCSINT Handbook No. 1.02,  Threats and Terrorism states:

Energy is the infrastructure that supplies the driving force in most of American life today. Energy of some kind heats our homes, moves us for one point to another and drives our businesses and industry. The energy sector is critical to the well being of our economy, national defense and quality of life. The sector is divided into to areas, electricity and oil/natural gas. Electricity is required to operate and maintain homes, hospitals, schools, businesses and industrial plants; it is also necessary to refine oil. Disruption of electrical flow or a power grid would impact the economy and defense as well as response and recovery. Natural Gas consists of three major components: exploration and production, transmission, and distribution, with the U.S. producing 20% of the world’s natural gas supply. Oil’s infrastructure consists of five components: production, crude oil transport, refining, product transport and distribution, and control and other external support systems. The thousands of miles of pipelines offer an endless list of targets for terrorist attacks, and during transport there are opportunities for impacting more than one critical infrastructure. Over 43% of the total U.S. oil refining capacity is clustered along the Texas and Louisiana coasts. This area is subject to natural attacks as well as those of terrorists.

…

Recently the oil industry occupied the headlines, and the criticality of this infrastructure is not lost on terrorists. In mid-December 2004, Arab television aired an alleged audiotape message by Usama bin Laden in which he called upon his followers to wreak havoc on the U.S. and world economy by disrupting oil supplies from the Persian Gulf to the United States. The U.S. uses over 20.7 million barrels a day of crude oil and products and imports 58.4% of that requirement. On 19 January 2006 al-Qaeda leader Osama bin Laden announced in a video release that, “The war against America and its allies will not be confined to Iraq…..”, and since June of 2003 there have been 298 recorded attacks against Iraqi oil facilities. Terrorists conduct research as to the easiest point to damage the flow of oil or to the point where the most damage can be done.

Scenarios involving the oil fields themselves, a jetliner crashing into the Ras Tanura
facility in Saudi Arabia could remove 10 percent of the world’s energy imports in one
act. Maritime attacks are also option for terrorists; on October 6, 2002 a French tanker carrying 397,000 barrels of crude oil from Iran to Malaysia was rammed by an explosive laden boat off of the port of Ash Shihr, 353 miles east of Aden. The double-hulled tanker was breached, and maritime insurers tripled the rates. Energy most travel often long distances from the site where it is obtained to the point where it is converted into energy for use, a catastrophic event at any of the sites or along its route can adversely impact the energy infrastructure and cause ripples in other infrastructures. The security of the pipeline in Alaska increases in importance as efforts are made to make America more independent on energy use.

Securing Information and Control Systems

Of course, the business of oil and gas production and distribution relies heavily on security information management systems, the systems which control energy production and distribution represent widely points of access for potential cyber attacks.

In a report entitled, “21 Steps to Improve Cyber Security of SCADA Networks,” the US Department of Energy stressed the importance of security in control systems:

The U.S. energy sector operates the most robust and reliable energy infrastructure in the world. This level of reliability is made possible by the extensive use of Supervisory Control and Data Acquisition (SCADA), Distributed Control System (DCS), and other control systems that enable automated control of energy production and distribution. These systems integrate a variety of distributed electronic devices and networks to help monitor and control energy flows in the electric grid and oil and gas infrastructure.

Automated control has helped to improve the productivity, flexibility, and reliability of energy systems. However, energy control systems communicate with a multitude of physically dispersed devices and various information systems that can expose energy systems to malicious cyber attacks. A successful cyber attack could compromise control systems and disrupt energy networks and the critical sectors that depend on them.

Securing control systems is a key element in protecting the Nation’s energy infrastructure. The National Research Council identified "protecting energy distribution services by improving the security of SCADA systems" as one of the 14 most important technical initiatives for making the nation safer across all critical infrastructures.

In addition, the National Strategy to Secure Cyberspace states that "securing DCS/SCADA is a national priority".

Athough the NERC CIP standards apply specifically to electricity generation and distribution, the major categories could just as well apply to the Petroleum and Natural Gas subsectors:

1. Identification and documentation of the critical cyber assets associated with the critical assets that support the reliable operation of the [oil or gas distribution system].
2. Minimum security management controls in place to protect critical cyber assets.
3. An appropriate level of personnel risk assessment, training, and security awareness for personnel having authorized cyber or unescorted physical access to critical cyber assets, including contractors and service vendors.
4. Identification and protection of the electronic security perimeter(s) inside which all critical cyber assets reside, as well as all access points on the perimeter.
5. Implementation of a physical security program for the protection of critical cyber assets.
6. Defined methods, processes, and procedures for securing those systems determined to be critical cyber Assets, as well as the non-critical cyber assets within the electronic security perimeters.
7. Identification, classification, response, and reporting of cyber security incidents related to critical cyber assets.
8. Recovery plans for critical cyber assets that follow established business continuity and disaster recovery techniques and practices.

Recognized best practices for data security that are aligned with and answer the demands of these requirements include:

1. Critical asset identification and documentation.
2. Data classification.
3. Encryption of data at rest and in transit.
4. Data masking to hide information, for example, in test and development environments.
5. Access control to assure robust identification, authentication and authorization of system users.
6. Separation of duties to define administrative roles according to need.
7. Privileged user access control, closely tied to separation of duties, allows administrators only that access required to perform their jobs.
8. Database access monitoring, alerting and reporting.
9. Change control and configuration management.
10. Audit controls for all security processes.

Oracle Data Security Solutions

Oracle provides a wide range of information security products to meet the needs of industry requirements and information security best practices, including:

1. Encryption (for data at rest and in transit)
2. Data Masking
3. Privileged Database User Access Control
4. Identity and Role Administration
5. Access Control
6. Audit and Compliance Management
7. Label Security
8. Information Rights Management

In addition, complementary products from other vendors can be combined with the Oracle suite of products to implement a Defense-in-Depth Critical Infrastructure Protection security strategy strategy for the oil and gas industries.

Phew!  That’s a lot of information from many sources.  I hope you find this helpful.

A partial list of sources I used:

1. Oracle White Paper: Protecting the Electric Grid in a Dangerous World
2. Energy: Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan (Redacted)
3. North American Energy Reliability Corporation (NERC)
4. NERC Critical Infrastructure Protection (CIP) cyber security standards
5. Presidential Decision Directive NSC-63 on Critical Infrastructure Protection
6. Homeland Security Presidential Directive – HSPD-7
7. DHS Sector-specific plan for the Energy Sector
8. National Infrastructure Protection Plan (Energy Sector)
9. DCSINT Handbook No. 1.02,  Threats and Terrorism
10. 21 Steps to Improve Cyber Security of SCADA Networks
11. National Strategy to Secure Cyberspace (February 2003)

Thanks for getting this far!  If you have any input or suggestions, please submit a comment or drop me an email.

When he learned I would be re-joining Oracle after my time at Sun Microsystems, my son suggested that I take a drive down Oracle Street in Mesa, Arizona, to celebrate.  It is a small street with a big name, located about a mile from my house.  Here is evidence that I took the trip.

Boomerang:

• noun, “a bent or curved piece of tough wood used by the Australian Aborigines as a throwing club, one form of which can be thrown so as to return to the thrower.”
• verb, “to come back or return, as a boomerang”

I first joined Oracle in 1997, as a pre-sales consultant on the Oracle Telecommunications sales team, and then spent an intense three years literally travelling around the world in support of Oracle sales activities to many telecommunications companies.  I learned much, worked with outstanding people, had great experiences, and then was lured away to a Silicon Valley startup just before the .com bubble burst. A series of interesting experiences with small companies led me to Sun.  It turns out that the executive who initially hired me at Oracle was the same one who referred me into Sun.

So now, after nearly a decade,  I will be leaping back into the Oracle fold with my Sun colleagues, eager with anticipation, looking forward to many more exciting years.

As Sun transitions into Oracle, the bright expectations of new opportunities have been accompanied with the gut-wrenching impact of learning which friends were not invited to make the leap.  Thursday and Friday were difficult for me, as I heard from outstanding people I have learned to admire and trust that they were opening new doors in their lives.

As a tribute to them and all other friends I have come to know and respect during my sojourn at Sun, I offer a few lines I penned several years ago …

A Tapestry Of Miracles

Like brilliant golden strands
Woven delicately yet boldly
Among more dreary threads
To create a magnificent tapestry,
Our lives converge
In brief but sparkling brightness,
And then intertwine into
Radiant relationships
Borne of common hopes and dreams.

Countless encounters
Of human souls,
Guided by an unseen hand,
Link our lives together,
Creating cascading
Miracles of light,
Illuminating our hearts and minds
Amidst the harshness and the gloom
Of mortal life,
Ever weaving and preparing
The glorious, eternal tapestry
Of humankind.

Mark G. Dixon
November 15, 1996

Photo credit: A quilt entitled “The Woodpeckers” by Kathy Swartz, based on a tapestry of the same name by William Morris.

In August, 2007, the Sun National Sales Conference featured Oracle/Sun luggage tags for all attendees, which was terribly ironic for those of us in the software business, which competed head to head with Oracle.  Little did we realize at that time how prophetic those luggage tags would be!

Thanks to my colleague Patie McCracken for sharing this nostalgic song … to the tune of the old favorite “American Pie” by Don McLean. Patie isn’t the author, but she received it from colleagues in Europe.

A long, long time ago….
I can still remember when
Unix used to make them smile.
And we knew that if we had a chance
Sun could make those networks dance
And, maybe, they’d be happy for a while.

But DEC and Apollo make us shiver
With every workstation they’d deliver.
Competition camped out on doorsteps
We had to fight for each step.

I remember how hard we tried
To win each system that they buy
Yes, something touched me deep inside
The day Sun Microsystems died.

So bye-bye, dear ‘ole S–M–I
We drove those networks to the limit
And made applications fly!!
Them corporate boys have kissed Sun good-bye,
Singing, “Time to give Oracle a try.
Time to give Oracle a try!!”

Have you heard of Solaris OS?
And do you believe in Open Source?
If the European Union tells you so…..
Do you have faith in MySQL?
Can Java save your mortal soul?
And, can you keep data from moving slow….

Well, I know that Larry’s in the groove
`cause I saw his keynote on You-Tube.
Oracle and Sun have hit the news!!
Man, I dig them targeting Big Blue.

I was a great Sun Sales Rep kicking butt
With a SPARC based server and tons of spunk
But I knew I was out of luck
The day the Sun Microsystems died.

So bye-bye, dear ‘ole S–M–I
We drove those networks to the limit
And made applications fly!!
Them corporate boys have kissed Sun good-bye,
Singing,  “Time to give Oracle a try.
Time to give Oracle a try!!”

For nearly 27 years we’ve been on our own
Now our revenue’s gone down and confidence is blown.
But, that’s not how it used to be.
When Scott ruled with Ed and Joe,
And installed systems around the globe
With a OS that came from BSD….

Oh, and while Scott was flying around,
The jester grabbed his SMI crown.
The stock-holders were concerned;
The SUNW brand was over turned.

While Johnathan played his agenda in the dark,
IBIS ran in stops and starts,
We just kept selling Solaris and Sparc
The day Sun Microystems died.

We were singing,
Bye-bye, dear ‘ole S–M–I
We drove those networks to the limit
And made applications fly
Them corporate boys have kissed Sun good-bye.
Singing, “Time to give Oracle a try.
Time to give Oracle a try!!”

Re-orgs and RIFs in a March disaster.
The IBM bid fell upon us in a news flash after
Analysts screamed high and then fell fast……
IBM’s bid landed foul on the grass.
The players tried for an Oracle pass,
With the European Union looking on aghast.

This acquisition news was sweet perfume.
The industry spun up many tunes.
The Stock holders all lined up to dance,
But…they never got the chance!
`cause when Oracle tried to take the field;
The European Union refused to yield.
Do you recall what was revealed
The day the day Sun Microsystems died?

They started singing,
Bye-bye, dear ‘ole S–M–I
You drove those networks to the limit
And made applications fly!!
Them corporate boys have kissed Sun good-bye.
Singing,  “Time to give Oracle a try.
Time to give Oracle a try!!”

So, now we are all here in one place,
An acquisition stuck in space
With no time left to start again.
So, Larry be nimble, Larry be quick!
Use your brains and might and wit,
‘Cause profit is the market’s only friend.

As this plays out on the world stage
My hands are clenched in fists of rage.
Can this angel born in hell
Break those devils’ spell?
Our company falls deeper every night
And crumbles under this burdensome rite,
I saw the competition laughing with delight
The day Sun Microsystems died.

They were singing,
Bye-bye, dear ‘ole S–M–I
You drove those networks to the limit
And made applications fly!!
Them corporate boys have kissed Sun good-bye,
Singing, “Time to give Oracle a try.
Time to give Oracle a try.”

I met a guy who wrote some code
And I asked him what the future bodes,
But he just smiled and typed away.
So, I went on to the Inter Net
Where I’d played with Sun years before,
But the sites there said that Sun had gone away.

And in the streets: the customers screamed,
The partners cried, and the programmers dreamed.
But not a word was spoken;
The systems all were broken.
And those groups I admire most:
The Engineers, Sales Reps and Service folks,
They caught the last train for the coast
The day Sun Microsytems died.

They were singing,
Bye-bye, dear ‘ole S–M–I
We drove those networks to the limit
And made applications fly!!
Them corporate boys have kissed Sun good-bye,
Singing, “Time to give Oracle a try.
Time to give Oracle a try.”

So…….
Bye-bye, dear ‘ole S–M–I
We drove those networks to the limit
And made applications fly!!
Them corporate boys have kissed Sun good-bye,
Singing, “Time to give Oracle a try.
Time to give Oracle a try.”