Shostack + Friends Blog Archive

Security & Orientation

When Larry Ellison said “We have the security problem solved,” [link to http://australianit.news.com.au/articles/0,7204,18341811%5E15841%5E%5Enbv%5E,00.html no longer works] a lot of jaws dropped. A lot of people disagree strongly with that claim. (Ed Moyle has some good articles: “Oracle’s Hubris: Punishment is Coming,” “Oracle to World: ‘Security Mission Accomplished…’“ [link to http://www.securitycurve.com/blog/archives/000342.html no longer works] ) That level of dripping sarcasm is fairly widespread amongst the security experts I talk to, based on their technical evaluations of Oracle’s promises and delivery.

Dave Litchfield actually explained it to me. Let me say that again, because I’ve been told that David Litchfield isn’t liked in certain neighborhoods of Redwood Shores. I can’t understand why. David explained that Oracle is using “security” in a specific way, which is to say that they have certifications and processes [link to http://niap.nist.gov/cc-scheme/index.html no longer works] that their customers care about. That Oracle is speaking to their customers at the executive level, not the security or technology level. The way they use security is just as correct as the way in which I use security, and means quite different things. [Updated for clarity.]

I should have seen this sooner. I’ve spoken extensively about how privacy has many meanings, and the same is true of security. I regularly discuss Boyd’s concept of orientation, and even have had a category for it. [Old category link removed]

The picture? Suruga Bay, from Hiroshige’s 36 Views of Mt. Fuji [link to http://www.koitsu.com/Fuji/Hiroshige-%2036%20Views%20Of%20Mt%20Fuji%20-%20Suruga%20Bay.html no longer works].

Originally published by adam on 18 Mar 2006
Last modified on 22 Aug 2023
Categories:   Orientations   Security