22 Oct 2002 ib   » (Master)

Code

How can _anyone_ release software that is known to have security flaws? I'm not talking about the 'everything is insecure' paradigm, I am speaking about tangible, known, reported, fixable exploits. Oracle and Microsoft seem to be prime candidates for a "truth in advertising" suit - but then, who'd want to argue the meaning of "secure" with their $1k/h lawyers.

I went over to Cupertino to meet a (here unnamed) friend of mine who spends his days being a security minion for a major DDM/data mining company. According to him, his company has found and communicated no less than nineteen root-level exploits in one of those huge database thingies, and not a single one has been fixed, despite active release cycles.

What's even worse - the company has communicated the flaws internally to its SEs and asked them to NOT discuss security other than by pointing at the official documentation, which a) claims 100% security, b) disclaims any responsibilities if a) is to be found incorrect.

Luckily enough, at least I am surrounded by Open Source. Not that there are fewer flaws and holes to be found here, but at least nobody will be able to lie about it for an extended period of time.

Which reminds me, I need to get back to that Oracle dude we had over here last week - he even had the guts to claim 9i was still unbreakable and there are no known exploits ever since the initial release.
