lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Sat, 25 Nov 2006 09:53:18 -0800
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@...bell.net>
Cc: Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)

Opinions are still... just that... opinions.

However Mr. Litchfield is in the category of expert that would be deemed 
an "expert witness" in a court of law.  His CV is impeccable, his 
factual research has much merit, his reputation in this area is 
unparalleled.

On the factual evidence of published/known vulnerabilities, the 
historically long time to patch, the revisions to released patches when 
they are found to not protect are clear evidence of a firm that needs to 
perhaps be a tad more security aware.  Those are clear historical facts 
in evidence in the public arena.

However, one cannot merely jump from the fact that Mr. Litchfield is 
beyond reproach to make his mere opinions into facts.

Expert witnesses are bound by the "Daubert test" these days (gotta love 
it when even the wikipedia has a link 
http://en.wikipedia.org/wiki/Daubert_Standard )

Given his  body of knowledge in database security, his  resume and all 
that, does his opinion hold more weight in persuasion more than 
practically anyone else on the planet?  Oh yeah.  But the parts that are 
true "opinion" are still opinion and not fact.

However, Mr. Stopmakingnoise's comment about Microsoft's extremely 
negative security records is also opinion, not quantified by facts. era, 
nor does in include an acknowledgment of our own responsibility in 
security. 

In databases, probably the most common and public security event 
affecting the database security world, I would argue, was SQL slammer, 
an incident that had a patch available ahead of time.  Granted it may 
not have been the easiest to deploy, but it was there.  In my opinion, 
those of us consumers of databases need to acknowledge own participation 
in security.  Having a vendor that takes security seriously is part of 
the equation, but buyers and implementers of databases need to do their 
part as well.  If our line of business applications won't support the 
newer, more secure databases, our data is still at risk.  And obviously 
if we're not patching those databases, we're even more still at risk.





Thor (Hammer of God) wrote:
> Inline:
>
> On 11/24/06 10:46 AM, "stopmakingnoise@...il.com"
> <stopmakingnoise@...il.com> opined:
>
>   
>> Having said this, do we really need a paper telling us:
>>
>> - "SQL Server code is just more secure than Oracle code."
>>
>> - "Does Oracle have an equivalent of SDL?
>> Looking at the results, I don‚t think so."
>>
>> - "[...] given these results one should not be looking at Oracle as a serious
>> contender."
>>
>> I don't think so. This is plain FUD.
>> Want to write a paper comparing flaws found in these two DBMS? That's fine.
>> Please write down numbers and graphs, but - please! - refrain from any
>> comments which are not
>> factual but are your own's.
>>
>> To get to the point: I may agree and sympathize with your personal point of
>> view (in fact, I do)
>> but these sentences have NOTHING to do in a supposedly research-oriented
>> paper.
>>     
>
> David Litchfield is one of the most predominant security researchers in the
> field, particularly in the area of database security.  He and NGS have
> discovered more combined security vulnerabilities in leading DBMS products
> than anyone else in the world.
>
> Given this fact, I think that not only is it appropriate for David to give
> whatever opinions he chooses in his research, but that it is his opinions
> that actually give the research real, tangible, applicable value.  With his
> indisputable status as an authority on database security and his unwavering
> integrity, I have no problem whatsoever in considering Dave's opinions to be
> "fact." 
>
>   
>> As a matter of fact, if we start talking about things such as "looking at
>> Oracle as a serious contender", you wouldn't arrive at the point of evaluating
>> SQL Server because there would be no point at all in considering Microsoft's
>> Operating Systems, given their extremely negative security records, as
>> "serious contenders" themselves.
>>     
>
> Any point that you may have had regarding "FUD" and "comments that are not
> factual but one's own" were totally lost by this statement in a sadly ironic
> way.
>
> T
>
>
>
>   

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ