Message-ID: <BAY104-F24EDA07BD881142FE3CD57DE790@phx.gbl>
Date: Mon, 10 Oct 2005 08:59:30 -0500
From: "Silent / Saracoth" <saracoth@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Re: Opinion: Complete failure of Oracle security response and utter neglect of t
http://en.wikipedia.org/wiki/Ad_hominem
http://en.wikipedia.org/wiki/Style_over_substance_fallacy
All right, I figured that a 14-message long thread would have some kind of
credible defense for Oracle, but nope. All I see are generalizations that
don't apply and logical fallacies (which, if your best response to a
person's message is to attack the person or the way they delivered their
message, that person should take it as a compliment). Sure, the article
against security researchers had good points. But "it takes weeks" and
arguments against arbitrary 5, 15, and 30 day fixes are out of scope of
years-old critical bugs that are only half-assed fixed.
As for Davidson's stand against researchers who "exaggerate the
dimensions of security problems," I say, "What?" From what I've seen, nobody
on this list has shown claims of years-old critical bugs to be exaggerated.
If a company releases crap, they can and should expect to get crap about it
until they fix it. As for publicly releasing flaws making users vulnerable,
does anyone really expect that only honest security researchers know of
these holes? The issue is really more complicated than that. Do you keep
these things "secret" while a select few in the underbelly of the Internet
exploit them, or do you get enough of them public so the company either has
to shape up fast or their customers can at least become aware enough of the
problems to consider bailing out? Neither solution is good (though the
second is probably worse overall), but neither of those would be an issue in
the first place if Oracle's security weren't as bad as many people here have
pointed out. In other words, the state of Oracle security is no one's fault
as much as it is Oracle's.
So please, PLEASE, if someone has any real argument FOR Oracle security, or
at least the ability to back up claims that they aren't among the worst, do
so. I enjoy seeing balanced, honest debate, not personal attacks and claims
that not being 100% polite will make Oracle cry. And if you've got the time,
read up on the link below. Short of taking a class, it's a good way to get
better at making and at interpreting statements in debates and what-not. I'm
all for people learning :)
http://en.wikipedia.org/wiki/Logical_fallacy