Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers

[Gadi Evron <ge () linuxbox org>]

> Having worked closely with the security teams of most large commercial 
> vendors (IBM, Oracle, Microsoft, Apple, HP, Adobe, Real) I can quite 
> honestly say that, of all of them, Oracle is the only company to still 
> treat security in this way. Most other organizations "got it" years ago 
> and while there could be improvements made in various areas the most 
> improvement could be made at Oracle.

Not many of them "got it". Some are simply worse.

> Firstly, it's due to the facts that I posted as I did. It is fact that 
> the patch for Alert 68 fails to properly fix a large number of holes it 
> was touted to fix. It is fact that a large number of companies that 
> spent a great deal of money installing the patch have wasted their time. 
> It is fact that Oracle database servers are still vulnerable to security 
> holes that were reported to Oracle years ago.

Amazing statistics. Where are statistics on others?

> Oh, this wasn't out of the blue; and there have been a great number of 
> public statements about Oracle's failings. Not just from myself, I'll 
> add, but others as well.

I'll Google. Thanks.

> > I sympathize with your concerns and I am known to be FAR from a person 
> > who doesn't voice his opinions - and loudly, but it only makes me 
> > wonder why now,
>
>
> Because enough is enough.

For security people maybe.. using Oracle for most business is a Business 
concern.

> > why them
>
>
> Because they seem to be the only ones that don't get it.

This is the place where you lost me, I am sorry. The only ones?

> Yes. Based upon the facts the Oracle security response has been a 
> failure. How else can you describe it?
>
> If you gave me a patch and said it fixed a security flaw and it turns 
> out it didn't I'd call that a failure. Multiply that by a factor of tens 
> and you've got yourself a complete failure. If I did this to my 
> customers I'd sack myself for neglect. Really, I would.

That is your choice.. although I personally believe you are being very 
extreme in your take on how alone Oracle is.

It's not that I disagree with their behavior being questionable, I 
honestly believe a survey of how all vendors do where the s**t floats to 
the top without singling out the Bad but rather the Good, would work better.

This kind of attack may be "called for" but definitely will make Oracle 
less than willing to ever work with *you* or trust the community, plus 
it will immediately become a PR issue where they may chose to go on 
lawyer-PR strategies rather than "how do we make sure this never happens 
again by getting off that list".
It simply looks like a rant, which is a shame.

Regardless, like I said, you better have a good plan on protecting 
yourself from liability. Right now, right or wrong, it appears like a 
personal attack from you. So, even if the entire community is behind 
you, most of the community won't help foot the legal bill.

Good luck,

        Gadi. /not advocating for Oracle but against public *personal* flogging

--
My blog: http://blogs.securiteam.com/?author=6

"The third principle of sentient life is the capacity for self-sacrifice 
--- the conscious ability to override evolution and self-preservation 
for a cause, a friend, a loved one."
        -- Draal, "A Voice in the Wilderness", Babylon 5.