Date: Fri, 7 Oct 2005 18:14:56 +0100
From: "David Litchfield" <davidl@...software.com>
To: "Gadi Evron" <ge@...uxbox.org>
Cc: <bugtraq@...urityfocus.com>, <ntbugtraq@...tserv.ntbugtraq.com>
Subject: Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers


Hi Gadi,

> With all due respect to your wishes and intent, a research on different 
> vendors, showing what vendor responds to threats, after how long and how 
> effectively plus how many security issues appear with each would have made 
> sense to me.

Having worked closely with the security teams of most large commercial 
vendors (IBM, Oracle, Microsoft, Apple, HP, Adobe, Real) I can quite 
honestly say that, of all of them, Oracle is the only company to still treat 
security in this way. Most other organizations "got it" years ago and while 
there could be improvements made in various areas the most improvement could 
be made at Oracle.

> Showing the Good and thus flushing the Bad without dissing anyone. Pure 
> facts.

Firstly, it's due to the facts that I posted as I did. It is fact that the 
patch for Alert 68 fails to properly fix a large number of holes it was 
touted to fix. It is fact that a large number of companies that spent a 
great deal of money installing the patch have wasted their time. It is fact 
that Oracle database servers are still vulnerable to security holes that 
were reported to Oracle years ago.

> Attacking one vendor may make sense in some cases.. yes, again, attacking 
> one vendor in public in *this* *fashion* may be long over-due, but it also 
> seems to me to be rather.. in poor taste? Especially coming out of the 
> blue with no past public statements.

Oh, this wasn't out of the blue; and there have been a great number of 
public statements about Oracle's failings. Not just from myself, I'll add, 
but others as well.

>
> I sympathize with your concerns and I am known to be FAR from a person who 
> doesn't voice his opinions - and loudly, but it only makes me wonder why 
> now,

Because enough is enough.

> why them

Because they seem to be the only ones that don't get it.

> and why here.

I tried my local newspaper but they weren't interested. Bugtraq was my 
second choice ;)
Seriously though, where else would you post this? Wasn't this one of the 
main reasons for bugtraq being created in the first place?


>
> Now, I am not an Oracle advocate - far from it, but your subject line says 
> it all, and makes me look-down on your post automatically, which is a 
> shame:
> "Complete failure of Oracle security response and utter neglect of their 
> responsibility to their customers"
>
> Complete? Failure? Utter neglect?

Yes. Based upon the facts the Oracle security response has been a failure. 
How else can you describe it?

If you gave me a patch and said it fixed a security flaw and it turns out it 
didn't I'd call that a failure. Multiply that by a factor of tens and you've 
got yourself a complete failure. If I did this to my customers I'd sack 
myself for neglect. Really, I would.

Cheers,
David 
