[40702] in bugtraq


Re: Opinion: Complete failure of Oracle security response and utter neglect of t

daemon@ATHENA.MIT.EDU (Silent / Saracoth)
Tue Oct 11 20:54:06 2005

Message-ID: <BAY104-F24EDA07BD881142FE3CD57DE790@phx.gbl>
In-Reply-To: <02b101c5caa7$1b094a30$0100a8c0@ngssoftware.com>
From: "Silent / Saracoth" <saracoth@hotmail.com>
To: bugtraq@securityfocus.com
Date: Mon, 10 Oct 2005 08:59:30 -0500
Mime-Version: 1.0
Content-Type: text/plain; format=flowed

http://en.wikipedia.org/wiki/Ad_hominem
http://en.wikipedia.org/wiki/Style_over_substance_fallacy

All right, I figured that a 14-message long thread would have some kind of 
credible defense for Oracle, but nope. All I see are generalizations that 
don't apply and logical fallacies (which, if your best response to a 
person's message is to attack the person or the way they delivered their 
message, that person should take it as a compliment). Sure, the article 
against security researchers had good points. But "it takes weeks" and 
arguments against arbitrary 5, 15, and 30 day fixes are out of scope of 
years-old critical bugs that are only half-assed fixed.

As for Davidson's stand against researchers who "exaggerate the 
dimensions of security problems," I say, "What?" From what I've seen, nobody 
on this list has shown claims of years-old critical bugs to be exaggerated. 
If a company releases crap, they can and should expect to get crap about it 
until they fix it. As for publicly releasing flaws making users vulnerable, 
does anyone really expect that only honest security researchers know of 
these holes? The issue is really more complicated than that. Do you keep 
these things "secret" while a select few in the underbelly of the Internet 
exploit them, or do you get enough of them public so the company either has 
to shape up fast or their customers can at least become aware enough of the 
problems to consider bailing out? Neither solution is good (though the 
second is probably worse overall), but neither of those would be an issue in 
the first place if Oracle's security weren't as bad as many people here have 
pointed out. In other words, the state of Oracle security is no one's fault 
as much as it is Oracle's.

So please, PLEASE, if someone has any real argument FOR Oracle security, or 
at least the ability to back up claims that they aren't among the worst, do 
so. I enjoy seeing balanced, honest debate, not personal attacks and claims 
that not being 100% polite will make Oracle cry. And if you've got the time, 
read up on the link below. Short of taking a class, it's a good way to get 
better at making and at interpreting statements in debates and what-not. I'm 
all for people learning :)

http://en.wikipedia.org/wiki/Logical_fallacy
