Bugtraq mailing list archives

Re: Opinion: Complete failure of Oracle security response and utter neglect of t
From: "Silent / Saracoth" <saracoth () hotmail com>
Date: Mon, 10 Oct 2005 08:59:30 -0500


All right, I figured that a 14-message long thread would have some kind of credible defense for Oracle, but nope. All I see are generalizations that don't apply and logical fallacies (which, if your best response to a person's message is to attack the person or the way they delivered their message, that person should take it as a compliment). Sure, the article against security researchers had good points. But "it takes weeks" and arguments against arbitrary 5, 15, and 30 day fixes are out of scope of years-old critical bugs that are only half-assed fixed.

As for Davidson's stand against researchers who "exaggerate the dimensions of security problems," I say, "What?" From what I've seen, nobody on this list has shown claims of years-old critical bugs to be exaggerated. If a company releases crap, they can and should expect to get crap about it until they fix it. As for publicly releasing flaws making users vulnerable, does anyone really expect that only honest security researchers know of these holes? The issue is really more complicated than that. Do you keep these things "secret" while a select few in the underbelly of the Internet exploit them, or do you get enough of them public so the company either has to shape up fast or their customers can at least become aware enough of the problems to consider bailing out? Neither solution is good (though the second is probably worse overall), but neither of those would be an issue in the first place if Oracle's security weren't as bad as many people here have pointed out. In other words, the state of Oracle security is no one's fault as much as it is Oracle's.

So please, PLEASE, if someone has any real argument FOR Oracle security, or at least the ability to back up claims that they aren't among the worst, do so. I enjoy seeing balanced, honest debate, not personal attacks and claims that not being 100% polite will make Oracle cry. And if you've got the time, read up on the link below. Short of taking a class, it's a good way to get better at making and at interpreting statements in debates and what-not. I'm all for people learning :)

