Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers

From: Rainer Duffner (rainer_at_ultra-secure.de)
Date: 10/06/05

  • Next message: Martin Schulze: "[SECURITY] [DSA 846-1] New cpio packages fix several vulnerabilities"

Date: Thu, 06 Oct 2005 21:17:49 +0200
To: David Litchfield <davidl@ngssoftware.com>, bugtraq@securityfocus.com

David Litchfield wrote:

> Hey,
> I know this wasn't your intent when you wrote it, but:
>
>> That means 70 000 000 € spent by Larry for the silly Yacht - you,
>> David, could charge 100 000 per day and still deliver more value.
>
>
> I just want to make it clear that all I'm looking for from Oracle is,
> not a job to review their code, but to treat security properly and
> give their customers the respect they paid for.
> Cheers,
> David
>

I'm sorry if it sounded that way - I'm also not jealous of Mr. Ellison's
riches (I've not directly contributed to them, mind you).
I just wanted to make the proportions visible ;-)
From my view, there is no doubt that you alone have done a great deal
of work to secure Oracle products - I assume with little financial
reward from Oracle itself.
This enforces the popular view that (most) big corporations don't
"value" something until it costs money - and if it costs a lot of money,
it must be of big value...
Sounds like a Dilbert-esque PHB'ism, but that's the impression I get.

Unless a whistleblower (image of Larry keelhauling him comes up...)
comes forward, only Ms. Davidson can shed some light on how exactly the
QA- and patch-creation process works and why it can take literally years
to put out a security update (that turns out to be little less than a
placebo) to a currently shipped product.

cheers,
Rainer
