[ISN] Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers

InfoSec News isn at c4i.org
Tue Oct 11 00:01:13 EDT 2005


Forwarded from: security curmudgeon <jericho at attrition.org>

There have been two good responses to this, both supporting David 
Litchfield's stance and citing more examples.

: ---------- Forwarded message ----------
: From: David Litchfield <davidl at ngssoftware.com>
: To: bugtraq at securityfocus.com, ntbugtraq at listserv.ntbugtraq.com
: Date: Thu, 6 Jan 2005 16:01:26 -0000
: Subject: Opinion: Complete failure of Oracle security response and utter neglect
:       of their responsibility to their customers
: 
: Dear security community and Oracle users,
: 
: Many of my customers run Oracle. Much of the U.K. Critical National 
: Infrastructure relies on Oracle; indeed this is true for many other 
: countries as well. I know that there's a lot of private information 
: about me stored in Oracle databases out there. I have good reason, like 
: most of us, to be concerned about Oracle security; I want Oracle to be 
: secure because, in a very real way, it helps maintain my own personal 
: security. As such, I am writing this open letter


http://archives.neohapsis.com/archives/bugtraq/2005-10/0060.html

From: Cesar (cesarc56 @yahoo.com)
To: David Litchfield (davidl at ngssoftware.com), bugtraq at securityfocus.com, 
tbugtraq at listserv.ntbugtraq.com
Date: Thu, 6 Oct 2005 11:41:33 -0700 (PDT)
Subject: Re: Opinion: Complete failure of Oracle security response and 
utter neglect of their responsibility to their customers

I support David 100% and I would like to add a few comments (I cant avoid 
doing this :)):

I remember reading an article where Larry Ellison said that Oracle 
database server were used by FBI, CIA, USSR goverment, etc. he referenced 
that as saying our software is the most secure, top goverment agencies 
from the most powerful nations use it. If you hear or read that it sounds 
great and if you were looking for a database server at that moment maybe 
you would run to buy Oracle software, the same when you hear and read 
Oracle Unbreakable everywhere. What Larry Ellison says it is very easy to 
say but it is also very difficult to prove. It seems that this kind of 
statements have been useful for Oracle since the company continues doing 
the same, just talking. I can say that we at Argeniss break Oracle 
database server all the time, we are tired of breaking Oracle, its so 
easy, Oracle software is full of security vulnerabilities and this is 
nothing new, most security researchers know about this and also the bad 
guys who are actively exploiting the vulnerabilities. But I can say this 
and I can also prove it, we have found more than a hundred vulnerabilities 
and we can show them to people. I wonder if Larry Ellison can prove all 
the statements he says or Oracle people say. 

[..]


http://archives.neohapsis.com/archives/bugtraq/2005-10/0079.html

From: ak at red-database-security.com
To: bugtraq at securityfocus.com
Date: 7 Oct 2005 20:13:13 -0000
Subject: Re: Re: Opinion: Complete failure of Oracle security response and 
utter neglect of their responsibility to their customers

I agree with Davids and Cesars opinion.

Here are 3 examples how Oracle is dealing with security:

[..] 





More information about the ISN mailing list