lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 25 Nov 2006 12:24:51 -0800
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair
 comparison?)




On 11/25/06 9:53 AM, "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
<sbradcpa@...bell.net> opined:


> However, one cannot merely jump from the fact that Mr. Litchfield is
> beyond reproach to make his mere opinions into facts.
> 
> Expert witnesses are bound by the "Daubert test" these days (gotta love
> it when even the wikipedia has a link
> http://en.wikipedia.org/wiki/Daubert_Standard )
 
<Snip> 

> In databases, probably the most common and public security event
> affecting the database security world, I would argue, was SQL slammer,
> an incident that had a patch available ahead of time.

And of course, the vulnerability SQLSlammer leveraged was discovered by
David. It was his "mere opinion" that it was best to wait for Microsoft to
release the patch before he published any details that saved countless
installations from exploitation.  It was his "mere opinion" regarding the
propensity of worm activity that prompted immediate action on the part of
administrators to patch their systems. And when he was too ill to attend the
Singapore Blackhat conference, it was his "mere opinion" that the
vulnerability was so critical, and so important to get patched, that he
entrusted me with his personal materials so that I could give the lecture in
his stead. 

He was, of course, precisely correct on all counts.  I've known Dave for
years now... Stick by your "Daubert test," and be as pedantic as you wish
regarding what constitutes "fact" and "opinion." But for me, when it comes
to David Litchfield and computer security, they are the same thing.  If
people choose to discount Dave's contributions because they are "mere
opinion" then it is MY opinion that they do so at great risk.

t

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ