RE: [WEB SECURITY] Oracle in war of words with security researcher
- From: "Schmidt, Albert E" <AES@xxxxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Oracle in war of words with security researcher
- Date: Fri, 27 Jan 2006 16:41:52 -0500
Sounds like a good lawsuit
________________________________
From: CIRT.DK Mailinglists [mailto:mailinglists@xxxxxxx]
Sent: Fri 1/27/2006 3:52 PM
To: 'Martin O'Neal'; 'Paul Schmehl'; websecurity@xxxxxxxxxxxxx
Subject: RE: [WEB SECURITY] Oracle in war of words with security researcher
Hey there
I also wanted to comment on this issue.
All this discussion on Full-Disclosure, why not compare software to any other
goods we buy? It should be possible to sue the software vendors for making
crappy code.
If a person buys a car and the brakes do not work, and there is an accident,
well then you can sue the car manufacturer.
Why is this not something you can do or should do with software?
Dennis
-----Original Message-----
From: Martin O'Neal [mailto:martin.oneal@xxxxxxxxxxxx]
Sent: Friday, January 27, 2006 9:26 PM
To: Paul Schmehl; websecurity@xxxxxxxxxxxxx
Subject: RE: [WEB SECURITY] Oracle in war of words with security researcher
> You must be a developer rather than someone who is responsible for
> security on a network.
No, I'm a consultant and indirectly responsible for thousands of networks
across hundreds of customers.
> The benefit is this: if I know of a vulnerability...
This is just the usual full disclosure discussion. Read back; I've already
said that I'm in favour.
However, and it is a big however, it needs to be responsible and
appropriate. If not, then everyone's days will be perpetually spent running
around trying to guard against the latest vuln that went public without a
vendor fix (anyone for a daily WMF?).
> Why does Oracle get to decide what's best for me?
Because, believe it or not, it isn't just about you. It is about *all* of
the Oracle customers. One size does not fit all; for every competent admin,
there will be a dozen who are not so competent. Releasing publicly before a
fix is ready may help a few customers, but will typically put many more at
greater risk. If the vulnerability was in the wild and being actively
exploited, then there is a good argument to get the information out so that
the competent ones have a chance to protect themselves. If not, then an
early release isn't a benefit.
Martin...
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/