Information Security News mailing list archives
Re: Backing Up Oracle's "Unbreakable" Vow
From: InfoSec News <isn () c4i org>
Date: Tue, 29 Jan 2002 02:24:26 -0600 (CST)
Forwarded from: njharman <njharman () notanothercorporation com>

[Originally sent on January 23, 2002, cleaning up the queue. - WK]

I'm surprised no one else commented on this. I hope it is not a common viewpoint among the list readership.
> Calling your code "Unbreakable" is like having a big bull's-eye on your products and your firewall. Obviously, nobody wants to be a target. If I'm going to buy a secure DB, I'm going to pick whichever company has the biggest balls -
Any reason you wouldn't take the more direct route and select the DB with the best/longest security record?
> Sorry dudes - that's Oracle right now. If they say "Unbreakable", whether or not it's true, the fact that everyone knows it's a red rag makes me and probably every other Oracle customer very happy because we all think they think they know what they're doing.
So, you prefer "Security through Marketing"? If that's true, Microsoft has very many applications you might be greatly interested in.
>> I for one only trust open source software to have any security at all, and only then because if required to, I could audit the code, or subcontract someone to do so.

> That's about the most amusing thing I ever heard. If you ever spent even as little as 10 seconds looking at the actual source, you'd notice that no matter what product it is, it's been cobbled together by a dozen or more benevolent hackers who combined had only half a clue what they were doing, and even less about how it should be done.
This is not true and demonstrates that you must have spent no more than 10 seconds looking at open source code. Much open source is like you say. Many other open source projects are of excellent quality. With open source you look at the code to determine where it lies. Proprietary software quality can only be deduced from secondary indicators (bugs, exploits) or, if you're really gullible, by listening to the sales/marketing person. There are reasons several open source projects dominate in their respective markets. And no, it's not that they have well-funded marketing campaigns. How much closed source code have you looked at to determine if it's been cobbled together by a dozen or more indifferent programmers trying to meet a deadline?
> And you "trust" this? Have you *any* idea how easy it is to insert deliberate yet heavily obfuscated backdoors? What's the chance of an open source programmer getting sacked if they're busted? Hmmm. So what deterrent is there??
Um, any idea how easy it is to insert deliberate backdoors, bad 'hacks', hard coded passwords, extremely stupid programmer errors, etc. in closed source code and have no one the wiser? What's the chance of even knowing the names of programmers who contributed to a closed source piece of code? One of the many deterrents is that everything is in the open for everyone to scrutinize and one or more people have actually taken responsibility by putting their names onto their code. Jobs are easy to come by; reputations, once sullied, are difficult to clean.

btw Oracle has decent security not because of some advertising but rather (at least in part) due to their good internal security practices, which you can read about in a recent interview with their security person (forget her actual title).