lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 24 Nov 2006 16:52:24 -0700
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair
 comparison?)

Inline:

On 11/24/06 10:46 AM, "stopmakingnoise@...il.com"
<stopmakingnoise@...il.com> opined:

> Having said this, do we really need a paper telling us:
> 
> - "SQL Server code is just more secure than Oracle code."
> 
> - "Does Oracle have an equivalent of SDL?
> Looking at the results, I don‚t think so."
> 
> - "[...] given these results one should not be looking at Oracle as a serious
> contender."
> 
> I don't think so. This is plain FUD.
> Want to write a paper comparing flaws found in these two DBMS? That's fine.
> Please write down numbers and graphs, but - please! - refrain from any
> comments which are not
> factual but are your own's.
> 
> To get to the point: I may agree and sympathize with your personal point of
> view (in fact, I do)
> but these sentences have NOTHING to do in a supposedly research-oriented
> paper.

David Litchfield is one of the most predominant security researchers in the
field, particularly in the area of database security.  He and NGS have
discovered more combined security vulnerabilities in leading DBMS products
than anyone else in the world.

Given this fact, I think that not only is it appropriate for David to give
whatever opinions he chooses in his research, but that it is his opinions
that actually give the research real, tangible, applicable value.  With his
indisputable status as an authority on database security and his unwavering
integrity, I have no problem whatsoever in considering Dave's opinions to be
"fact." 

> As a matter of fact, if we start talking about things such as "looking at
> Oracle as a serious contender", you wouldn't arrive at the point of evaluating
> SQL Server because there would be no point at all in considering Microsoft's
> Operating Systems, given their extremely negative security records, as
> "serious contenders" themselves.

Any point that you may have had regarding "FUD" and "comments that are not
factual but one's own" were totally lost by this statement in a sadly ironic
way.

T

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ