On 11 August 2015 at 20:00, Alessandro Rubini rubini@gnudd.com wrote:
> But most likely I didn't get the point about this post. Can you please expand?
Hmm, you're the only person so far I know of who hasn't reacted in shock.
* The attitude of security by obscurity, as if telling your customers "don't look!" stops the black hats for a second.
* Don't look for security holes in Oracle, it's a violation of your license.
* If you find security holes, don't tell us, it's a violation of your license to have looked and we will send a legal notice telling you to throw away the information.
* It is true that someone found a pile of actual security holes, but we were totally going to fix them, honest! Some time or other.
* The tone of contempt for the customer, daring to look and ascertain their own security risk.
This is precisely why we need software freedom.
As a sysadmin, I was shocked that a vendor with a high-quality free software alternative would write something like this that makes them look *utterly incompetent* in the field of security.
Reactions on Hacker News:
https://news.ycombinator.com/item?id=10039202
https://news.ycombinator.com/item?id=10040428
Someone immediately found an XSS on Oracle's site: https://twitter.com/thegrugq/status/631056841670135808
Oracle's database software is very good indeed - it gives your data back reliably and with fantastic performance. The problem is literally every other aspect of dealing with Oracle ...
- d.