[40635] in bugtraq
Re: Opinion: Complete failure of Oracle security response and utter
daemon@ATHENA.MIT.EDU (Rainer Duffner)
Thu Oct 6 17:10:04 2005
Message-ID: <4345785D.2050907@ultra-secure.de>
Date: Thu, 06 Oct 2005 21:17:49 +0200
From: Rainer Duffner <rainer@ultra-secure.de>
MIME-Version: 1.0
To: David Litchfield <davidl@ngssoftware.com>, bugtraq@securityfocus.com
In-Reply-To: <02b101c5caa7$1b094a30$0100a8c0@ngssoftware.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
David Litchfield wrote:
> Hey,
> I know you this wasn't your intent when you wrote it, but:
>
>> That means 70 000 000 € spend by Larry for the silly Yacht - you,
>> David, could charge 100 000 per day and still deliver more value.
>
>
> I just want to make it clear that all I'm looking for from Oracle is,
> not a job to review their code, but to treat security properly and
> give their customers the respect they paid for.
> Cheers,
> David
>
I'm sorry if it sounded that way - I'm also not jealous of Mr. Ellison's
riches (I've not directly contributed to them, mind you).
I just wanted to make the proportions visible ;-)
From my view, there is no doubt that you alone have done a great deal
of work to secure Oracle products - I assume with little financial
reward from Oracle itself.
This enforces the popular view that (most) big corporations don't
"value" something until it costs money - and if it costs a lot of money,
it must be of big value...
Sounds like a Dilbert-esque PHB'ism, but that's the impression I get.
Unless a whistleblower (image of Larry keelhauling him comes up...)
comes forward, only Ms. Davidson can shade some light on how exactly the
QA- and patch-creation process works and why it can take literally years
to put out a security-update (that turns out to be little less than a
placebo) to a currently shipped product.
cheers,
Rainer
