[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <C18CD3C8.826A%thor@hammerofgod.com>
Date: Fri, 24 Nov 2006 16:52:24 -0700
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair
comparison?)
Inline:
On 11/24/06 10:46 AM, "stopmakingnoise@...il.com"
<stopmakingnoise@...il.com> opined:
> Having said this, do we really need a paper telling us:
>
> - "SQL Server code is just more secure than Oracle code."
>
> - "Does Oracle have an equivalent of SDL?
> Looking at the results, I don‚t think so."
>
> - "[...] given these results one should not be looking at Oracle as a serious
> contender."
>
> I don't think so. This is plain FUD.
> Want to write a paper comparing flaws found in these two DBMS? That's fine.
> Please write down numbers and graphs, but - please! - refrain from any
> comments which are not
> factual but are your own's.
>
> To get to the point: I may agree and sympathize with your personal point of
> view (in fact, I do)
> but these sentences have NOTHING to do in a supposedly research-oriented
> paper.
David Litchfield is one of the most predominant security researchers in the
field, particularly in the area of database security. He and NGS have
discovered more combined security vulnerabilities in leading DBMS products
than anyone else in the world.
Given this fact, I think that not only is it appropriate for David to give
whatever opinions he chooses in his research, but that it is his opinions
that actually give the research real, tangible, applicable value. With his
indisputable status as an authority on database security and his unwavering
integrity, I have no problem whatsoever in considering Dave's opinions to be
"fact."
> As a matter of fact, if we start talking about things such as "looking at
> Oracle as a serious contender", you wouldn't arrive at the point of evaluating
> SQL Server because there would be no point at all in considering Microsoft's
> Operating Systems, given their extremely negative security records, as
> "serious contenders" themselves.
Any point that you may have had regarding "FUD" and "comments that are not
factual but one's own" were totally lost by this statement in a sadly ironic
way.
T
Powered by blists - more mailing lists