Information Security News mailing list archives

Re: Backing Up Oracle's "Unbreakable" Vow


From: InfoSec News <isn () c4i org>
Date: Mon, 28 Jan 2002 02:40:45 -0600 (CST)

Forwarded from: Jay D. Dyson <jdyson () treachery net>

-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 23 Jan 2002, InfoSec News wrote:

> If I'm going to buy a secure DB, I'm going to pick whichever company has
> the biggest balls - Sorry dudes - that's Oracle right now.  If they say
> "Unbreakable", whether or not it's true, the fact that everyone knows
> it's a red rag makes me and probably every other Oracle customer very
> happy because we all think they think they know what they're doing.

        And we all know how far that went with Adobe's ebooks, eh?

        Ah, the "benefits" of living in the time of DMCA.  Companies can
claim that their product solves world hunger if they want to, and anyone
who seeks to tear their software apart to determine otherwise can be
hauled in for violating the law. 

        Like it or not, the companies don't have "big balls" because they
have faith in their product; they have _el cojones grande_ because they
know they can stick it to whoever disassembles their code and proves them
liars.

        The Emperor has no clothes, and pointing that out will get you the
fine Federal treatment that Dmitry Sklyarov got last July.

> No it does not.  It's an outdated standard which NAI are dumping because
> it's a massive loss-making venture.  Go visit Thawte to get your keys
> signed... oh yes... you can't.  They've dropped PGP support too.  And
> what does PGP do about Magic Lantern etc?  They warn you with a cute
> sentence buried inside hundreds of pages of doc that you're on your own
> - bad luck.

        NAI had that caveat in place long before Magic Lantern.  Though
many were adamant that there was no possibility of NAI PGP on Windows
letting the user's pass phrase or cleartext wind up in the Windows swap,
the docs nonetheless indicated that all bets were off.

> > I for one only trust open source software to have any security at
> > all, and only then because if required to, I could audit the code,
> > or subcontract someone to do so.

> That's about the most amusing thing I ever heard.  If you ever spent
> even as little as 10 seconds looking at the actual source, you'd notice
> that no matter what product it is, it's been cobbled together by a dozen
> or more benevolent hackers who combined had only half a clue what they
> were doing, and even less about how it should be done.

        Got some examples to back this up?

> And you "trust" this?  Have you *any* idea how easy it is to insert
> deliberate yet heavily obfuscated backdoors?  What's the chance of an
> open source programmer getting sacked if they're busted?  Hmmm.  So what
> deterrent is there??

        The deterrent is that the source is open to public and critical
review, unlike closed-source software that will get you criminal penalties
when you reverse-engineer it.

        What do you think keeps academic research honest?  Peer review.
Same story with Open Source software.  We can only wish that closed source
commercial products were subject to the same scrutiny.

- -Jay

   (    (                                                         _______
   ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.
 C|~~|C|~~| (>------ Jay D. Dyson - jdyson () treachery net ------<) |    = |-'
  `--' `--'  `--------- Quietem nemo impune lacessit. ---------'  `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBPE7YRLlDRyqRQ2a9AQHhTQP9EeCsesDWSWyvHLry0RAXcPzJ0Y4sHXeR
TtNmaAgMvkbfKmDtr4v7J7Zz0lh07cRavTi8/G5VV4dJ32y67j1pl834LmFJpJWy
WDLhCRuFDI7H81YJX7HRju1MDJT3Fj9NnCpVbQtNA5NCdOmHLPsZF8E/MlG83DRU
u8XWwwgIaTA=
=lPF1
-----END PGP SIGNATURE-----



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.