
RE: [WEB SECURITY] Oracle in war of words with security researcher



> I also wanted to comment on this issue.
>
> All this discussion on Full-Disclosure, why not compare software to any
> other goods we buy, it should be possible to sue the software vendors
> for making crappy code.
>
> If a person buys a car and the brakes do not work, and there is an
> accident, well then you can sue the car manufacturer.
>
> Why is this not something you can do or should do with software?


Dennis, 

Could you provide an example of how "the brakes do not work, and there
is an accident" in which you feel the software company should be held
liable?

- Johnny 

-----Original Message-----
From: CIRT.DK Mailinglists [mailto:mailinglists@xxxxxxx] 
Sent: Friday, January 27, 2006 3:53 PM
To: 'Martin O'Neal'; 'Paul Schmehl'; websecurity@xxxxxxxxxxxxx
Subject: RE: [WEB SECURITY] Oracle in war of words with security
researcher

Hey there

I also wanted to comment on this issue.

All this discussion on Full-Disclosure, why not compare software to any
other goods we buy, it should be possible to sue the software vendors
for making crappy code.

If a person buys a car and the brakes do not work, and there is an
accident, well then you can sue the car manufacturer.

Why is this not something you can do or should do with software?

Dennis

-----Original Message-----
From: Martin O'Neal [mailto:martin.oneal@xxxxxxxxxxxx]
Sent: Friday, January 27, 2006 9:26 PM
To: Paul Schmehl; websecurity@xxxxxxxxxxxxx
Subject: RE: [WEB SECURITY] Oracle in war of words with security
researcher


> You must be a developer rather than someone who is responsible for
> security on a network.

No, I'm a consultant and indirectly responsible for thousands of
networks across hundreds of customers.

> The benefit is this: if I know of a vulnerability...

This is just the usual full disclosure discussion.  Read back; I've
already said that I'm in favour.

However, and it is a big however, it needs to be responsible and
appropriate.  If not, then everyone's days will be perpetually spent
running around trying to guard against the latest vuln that went public
without a vendor fix (anyone for a daily WMF?).

> Why does Oracle get to decide what's best for me?  

Because, believe it or not, it isn't just about you.  It is about *all*
of the Oracle customers.  One size does not fit all; for every competent
admin, there will be a dozen who are not so competent.  Releasing
publicly before a fix is ready may help a few customers, but will
typically put many more at greater risk.  If the vulnerability was in
the wild and being actively exploited, then there is a good argument to
get the information out so that the competent ones have a chance to
protect themselves.  If not, then an early release isn't a benefit.

Martin...



---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
