Date: Mon, 10 Oct 2005 12:03:12 -0400
From: Ray Stell
To: oracle-l
Subject: Re: Oracle Security Blasted

How many here responded, in your house, wrt this thread? Why/why not?

Oracle's security approach forces admins to rely on the firewall as the last line of defense; as if apps should be allowed to be holey, as if this is somebody else's problem. Let me just say, I hate the fact that my firewall is the last line of defense. When it gets breached (not if), I'll want the app to be secure and that will be a dba problem. So, why should dba types not ping their management to request Oracle Corp to get real? An ounce of prevention...

Oracle Corp activity seems reminiscent of the old Steve Martin Watergate routine, "What Nixon really needed was a banjo." If you remember that you have my sympathy.

On Fri, Oct 07, 2005 at 09:40:36AM -0700, MacGregor, Ian A. wrote:
> Our security officer sent me this.
>
> Title: David Litchfield writes an open letter to the security community
> and Oracle customers
> Author: Pete Finnigan
> Source: Pete Finnigan's Oracle security weblog
>
> Excerpt:
>
> David is calling for Oracle customers to contact Oracle and demand a
> better security service and those customers should demand fixes. Cesar's
> comments mirror those of David with some comparisons to Microsoft a few
> years ago and he also threatens to release a 0day remote exploit.
>
> For complete article see:
> http://www.petefinnigan.com/weblog/archives/00000576.htm
> http://www.securityfocus.com/archive/1/412666/30/0/threaded
> http://www.argeniss.com/products.html
>
> Ian MacGregor
> Stanford Linear Accelerator Center
> --
> http://www.freelists.org/webpage/oracle-l

============================================================
Ray Stell   stellr@vt.edu   (540) 231-4109   Tempus fugit 28^D