⬡ Pioneer · ⬢ Builder · both

Larry Ellison

@ellison

Co-founder of Oracle

1970s–present · 6 min read
When I started Oracle, what I wanted to do was to create an environment where I would enjoy working. That was my primary goal.

The Story

In 1977, Larry Ellison read Edgar F. Codd's paper on relational database theory and saw something IBM had overlooked: a commercial product. Codd, working at IBM's San Jose Research Laboratory, had published "A Relational Model of Data for Large Shared Data Banks" in 1970, describing a system where data was stored in tables, related by keys, and queried through a declarative language. IBM built a research prototype called System R and developed a query language called SEQUEL (later shortened to SQL). But IBM was slow to commercialize it, worried about cannibalizing their existing hierarchical database product, IMS.

Ellison didn't have an existing product to protect. He and co-founders Bob Miner and Ed Oates started Software Development Laboratories — later renamed Oracle — and built a relational database management system that implemented SQL. Oracle Version 2 shipped in 1979 (there was no Version 1; Ellison reportedly skipped it because no one wants to buy a 1.0). The CIA was an early customer, which gave the product its name — Oracle was the codename for a CIA project the founders had worked on.

Oracle grew through the 1980s by being aggressive where IBM was cautious. Ellison's sales strategy was legendary for its intensity: overpromise capabilities, close the deal, then make the engineering team deliver. This approach produced a company culture that prioritized market dominance over engineering rigor. It also produced the dominant database in enterprise computing. By the 1990s, Oracle was the database that banks ran their transactions on, that governments stored their records in, that airlines used for reservations. SQL — the language Oracle commercialized — became the universal interface for structured data.

The SQL connection to TechnicalDepth is fundamental. SQL was designed as a human-readable query language — Codd and the System R team wanted non-programmers to be able to retrieve data by describing what they wanted, not how to get it. This readability was a feature. It was also the precondition for SQL injection. When a query language is text-based and human-readable, and when applications construct queries by concatenating user input with query text, users can inject their own query logic. Every SQL injection attack documented in TechnicalDepth — every Concatenated Query exhibit, every data breach that started with ' OR 1=1 -- — runs on infrastructure that Oracle helped establish.
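The concatenation pattern described above, as an added example (not TechnicalDepth's own exhibit code): the same lookup written once by splicing input into the query text and once with a bound parameter, run against a normal name, the ' OR 1=1 -- string quoted above, and a legitimate name containing an apostrophe. The accounts table, its rows and the function names are constructed for illustration, and SQLite (via Python's sqlite3 module) stands in for the database, since the pattern is the same on any SQL engine.

```python
import sqlite3

PAYLOAD = "' OR 1=1 --"  # the injection string quoted in the text above

def make_db():
    """In-memory SQLite database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 100), ("bob", 250), ("o'brien", 40)])
    return db

def lookup_concatenated(db, owner):
    """Vulnerable: the input becomes part of the SQL text and is parsed as SQL."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, owner):
    """Hardened: the SQL text is fixed; the input is bound as a value."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return db.execute(sql, (owner,)).fetchall()

def demo():
    """Run both lookups over a normal name, the payload, and a name with a quote."""
    db = make_db()
    results = {}
    for label, value in [("normal", "bob"), ("payload", PAYLOAD),
                         ("apostrophe", "o'brien")]:
        try:
            concat = lookup_concatenated(db, value)
        except sqlite3.OperationalError as exc:
            concat = "error: " + str(exc)  # the quote broke the query text
        results[label] = (concat, lookup_parameterized(db, value))
    return results

if __name__ == "__main__":
    for label, (concat, param) in demo().items():
        print(label, "| concatenated:", concat, "| parameterized:", param)
```

The apostrophe case is the useful tell when reviewing code: a query that fails on an ordinary surname is being assembled as text, and the same spot is where injected logic would be parsed.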

Oracle didn't create SQL injection. The vulnerability is inherent in the pattern of constructing queries from concatenated strings, regardless of database vendor. But Oracle's dominance meant that the database most likely to be on the other end of an injection attack was Oracle. And Oracle's response to security research was, for years, actively hostile.

In 2001, Oracle launched the "Unbreakable" marketing campaign: full-page ads declaring Oracle software unbreakable, with imagery of fortress walls and invulnerability claims. Security researchers took it as a challenge. What followed was a steady stream of critical vulnerability disclosures in Oracle Database, Oracle Application Server, and Oracle's web infrastructure. David Litchfield, a prominent database security researcher, documented hundreds of Oracle vulnerabilities over the following years, including buffer overflows in the database server itself — bugs that allowed unauthenticated remote code execution on the machine running the world's most-deployed enterprise database.

Oracle's response to security researchers was not the Trustworthy Computing memo. It was legal threats, DMCA notices, and a pattern of delayed patching that became industry-notorious. Oracle's Chief Security Officer, Mary Ann Davidson, published a blog post in 2015 titled "No, You Really Can't" — telling customers to stop reverse-engineering Oracle software to find security bugs. Oracle quickly retracted it, but the sentiment captured the company's historical posture: security through obscurity and legal intimidation, not transparency and rapid response.

The acquisition era compounded this. Oracle bought PeopleSoft, Siebel, BEA Systems, Sun Microsystems (and with it, Java and MySQL), and dozens of other companies. Each acquisition brought new codebases, new attack surfaces, and new vulnerability backlogs. The quarterly Critical Patch Update — Oracle's bundled security release — routinely contained hundreds of fixes. A single CPU in 2023 addressed 433 vulnerabilities. The sheer volume told a story about the accumulated complexity of software that had been acquired, integrated, and maintained under a company culture that historically treated security as a marketing problem rather than an engineering one.

The Oracle v. Google lawsuit over Java APIs — filed in 2010, not fully resolved until the Supreme Court ruled in Google's favor in 2021 — revealed another dimension of Ellison's approach. Oracle acquired Sun Microsystems in 2010, gaining ownership of Java. It then sued Google for using Java APIs in Android, arguing that the structure and organization of an API was copyrightable. Had Oracle prevailed, the implications for software interoperability would have been severe — every API reimplementation, every compatible interface, every clean-room implementation could have been grounds for litigation.

Why They're in the Hall

Ellison is a Pioneer and Builder whose impact on TechnicalDepth is infrastructural. He didn't invent the relational model, and he didn't design SQL. But he commercialized both, and commercialization is what makes a technology inescapable.

Pioneer: Oracle made relational databases commercially viable at enterprise scale. Before Oracle, relational databases were research projects and academic curiosities. After Oracle, they were the foundation of every business that stored structured data. The relational model — tables, rows, keys, joins, transactions — became the default mental model for how data is organized. Every TechnicalDepth exhibit that involves data storage, data integrity, or data retrieval operates on the conceptual infrastructure Oracle established in the marketplace.

Builder: Oracle Database is the artifact. Millions of instances running in production, holding financial records, medical data, government systems, telecommunications infrastructure. Oracle's reliability at scale — its ability to handle transactions, maintain ACID guarantees, and recover from failures — is a genuine engineering achievement. The database works. Enterprises bet their operations on it for decades because it delivered on its core promise: your data will be consistent, durable, and available.

The "both" designation reflects the gap between Oracle's technical achievement and its security posture. Oracle built the infrastructure. Oracle also aggressively marketed that infrastructure as "unbreakable" while shipping hundreds of vulnerabilities per quarter, threatening researchers who found bugs, and treating security disclosures as PR problems rather than engineering priorities. The database that stored the world's most sensitive data was maintained by a company that, for years, would rather sue you than thank you for finding a hole in it.

The SQL injection connection is the deepest link to TechnicalDepth. Oracle didn't cause SQL injection — the vulnerability predates Oracle's dominance and affects every SQL database. But Oracle's success in making SQL the universal query language meant that SQL's design-level vulnerability to injection became universal too. The Concatenated Query exhibit exists because SQL is text that applications compose at runtime. That design choice was made for human readability, but the commercial ubiquity that Oracle drove ensured it became the most exploited vulnerability class in web application history.

Ellison built the infrastructure that stores the world's data. He also built a company culture that treated the security of that infrastructure as secondary to sales, marketing, and legal dominance. The database is real. The "unbreakable" marketing was not. TechnicalDepth documents the distance between those two claims.