If you've ever considered yourself a computer geek, at any level, you recognize this scenario:
It's not bad enough we do this to ourselves, but when vendors get involved . . .
Recently, at the day job, a vendor asked to put a "portal" server, a freebie "value add" for their product, in the DMZ. Said public-facing web server would then connect to the Production (!) (Read Only Warehouse, anyone?) Oracle DB inside the secure network. Read-only, limited privs to specific views, etc., but nonetheless hitting the production DB, with all of the inherent risks of possible data exposure. But at least the traffic between the DB and the DMZ portal server would be encrypted.
Except for one thing: the Oracle "Advanced Security" suite is required if you want encrypted listener traffic. And Larry charges something like 25 thousand dollars _per_core_ to purchase it (per server - we have a _lot_ of Oracle servers), plus yearly maintenance. Not going to happen just so one department could implement a freebie add-on "customer portal".
What about an SSH tunnel, you say? That's exactly what I said. Just start an SSH tunnel, and forward the Oracle traffic via SSH. Secure. And Free!
I did a little thinking and settled on whipping up a custom script in Python using the Paramiko library. All in all, probably about a day, maybe a day and a half from first glance to done, including getting the vendor to test. Definitely looks like I've avoided the time sink detailed in the XKCD, right? Well, kinda.
That was mid-December. The first week of January, Oracle announced they are now bundling several features from the "Advanced Security" suite into the base RDBMS. Among those features? End-to-end encryption for listener traffic.
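
An added example, not the script from this post: one way to forward Oracle listener traffic over SSH with Paramiko, with strict host key checking and a loopback-only listener. It assumes the script runs on the portal server and that an SSH server inside the network can reach the listener on port 1521; the host names, account and key path are placeholders.

```python
import select
import socket
import threading


def relay(client, channel, bufsize=4096):
    """Copy bytes both ways between two endpoints until either side closes."""
    try:
        while True:
            readable, _, _ = select.select([client, channel], [], [])
            for src in readable:
                data = src.recv(bufsize)
                if not data:  # EOF from either end tears the pair down
                    return
                (channel if src is client else client).sendall(data)
    except OSError:
        pass  # reset or closed socket: fall through to cleanup
    finally:
        client.close()
        channel.close()


def open_tunnel(ssh_host, ssh_user, key_path, db_host, db_port=1521, local_port=1521):
    """Listen on loopback and forward each connection to db_host:db_port over SSH."""
    import paramiko  # imported here so relay() is usable without Paramiko installed

    ssh = paramiko.SSHClient()
    ssh.load_system_host_keys()
    # Refuse unknown host keys: auto-accepting them would let a machine on the
    # path impersonate the SSH server and read the database traffic.
    ssh.set_missing_host_key_policy(paramiko.RejectPolicy())
    ssh.connect(ssh_host, username=ssh_user, key_filename=key_path,
                allow_agent=False, look_for_keys=False)
    transport = ssh.get_transport()
    transport.set_keepalive(30)  # notice a dead tunnel instead of hanging

    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", local_port))  # loopback only, never 0.0.0.0
    listener.listen(5)
    while True:
        client, peer = listener.accept()
        try:
            channel = transport.open_channel("direct-tcpip", (db_host, db_port), peer)
        except paramiko.SSHException:  # server refused the forward
            client.close()
            continue
        threading.Thread(target=relay, args=(client, channel), daemon=True).start()


if __name__ == "__main__":
    # Placeholder values (assumptions), not taken from the post.
    open_tunnel("ssh-gw.example", "tunnel", "/path/to/tunnel_key", "oracle-db.example")
```

On the SSH server side, the tunnel account's key can be limited to that single destination with OpenSSH's `permitopen` option in `authorized_keys`, so the account is useful for nothing but this forward.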