Re: [ISN] Backing Up Oracle's "Unbreakable" Vow

From: InfoSec News (isnat_private)
Date: Wed Jan 23 2002 - 00:06:37 PST


    Forwarded from: Chris Drake <backpackerchristopherat_private>
    
    >> Calling your code "Unbreakable" is like having a big bull's-eye on  
    >> your products and your firewall. Obviously, nobody wants to be a
    >> target.
    
    If I'm going to buy a secure DB, I'm going to pick whichever company
    has the biggest balls - Sorry dudes - that's Oracle right now.  If
    they say "Unbreakable", whether or not it's true, the fact that
    everyone knows it's a red rag makes me and probably every other Oracle
    customer very happy because we all think they think they know what
    they're doing.
    
    > PGP sells pretty well with an honest name (Pretty Good Privacy).
    > Why does Oracle need a dishonest slogan to sell a product which is
    > already doing pretty well?
    
    No it does not.  It's an outdated standard which NAI are dumping
    because it's a massive loss-making venture.  Go visit Thawte to get your
    keys signed... oh yes... you can't.  They've dropped PGP support too.
    And what does PGP do about Magic-Lantern etc?  They warn you with a
    cute sentence buried inside hundreds of pages of doc that you're on
    your own - bad luck.
    
    > I for one only trust open source software to have any security at
    > all, and only then because if required to, I could audit the code,
    > or subcontract someone to do so.
    
    That's about the most amusing thing I ever heard.  If you ever spent
    even as little as 10 seconds looking at the actual source, you'd
    notice that no matter what product it is, it's been cobbled together
    by a dozen or more benevolent hackers who combined had only half a
    clue what they were doing, and even less about how it should be done.  
    
    And you "trust" this?  Have you *any* idea how easy it is to insert
    deliberate yet heavily obfuscated backdoors?  What's the chance of an
    open source programmer getting sacked if they're busted?  Hmmm.  So
    what deterrent is there??
    
    
    
    


