Oracle Tells Customers To Stop Trying To Find Vulnerabilities In Oracle Products... Because 'Intellectual Property'
from the huh? dept
Update: After writing this, but before I had a chance to publish, it appears that someone at Oracle realized how terrible this looked and deleted the original post, though you can see an archived copy here.
Computer security guru Matt Blaze called our attention to a bizarre (and bizarrely written) blog post by Oracle's Chief Security Officer, Mary Ann Davidson, telling people to stop reverse engineering Oracle products in search of security vulnerabilities. As Blaze points out, the article is so bizarre that he thought that Oracle must have been hacked and the story posted as a parody.
My first assumption after reading this was that Oracle's web server was hacked and this article is a parody. https://t.co/ODpT4L76TE
— matt blaze (@mattblaze) August 11, 2015
Q. But the tools that decompile products are getting better and easier to use, so reverse engineering will be OK in the future, right?
A. Ah, no. The point of our prohibition against reverse engineering is intellectual property protection, not “how can we cleverly prevent customers from finding security vulnerabilities – bwahahahaha – so we never have to fix them – bwahahahaha.” Customers are welcome to use tools that operate on executable code but that do not reverse engineer code. To that point, customers using a third party tool or service offering would be well-served by asking questions of the tool (or tool service) provider as to a) how their tool works and b) whether they perform reverse engineering to “do what they do.” An ounce of discussion is worth a pound of “no we didn’t,” “yes you did,” “didn’t,” “did” arguments. *
But this makes no sense. There's no reason to "protect intellectual property" solely for the sake of protecting intellectual property. Davidson seems to clearly admit that the security researchers doing this reverse engineering aren't doing it to "copy" the code or to leak it/resell it/post it to The Pirate Bay or whatever. They're just doing it to look for security vulnerabilities. What does that have to do with "intellectual property" at all? Absolutely nothing. It's just one of those things that people yell when they have no other argument. "But intellectual property!" It just seems nonsensical, because nothing about this has anything to do with intellectual property other than as an excuse for why Oracle doesn't want to hear from security researchers.
On to point (2).
Now is a good time to reiterate that I’m not beating people up over this merely because of the license agreement. More like, “I do not need you to analyze the code since we already do that, it’s our job to do that, we are pretty good at it, we can – unlike a third party or a tool – actually analyze the code to determine what’s happening and at any rate most of these tools have a close to 100% false positive rate so please do not waste our time on reporting little green men in our code.” I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying, and mutually time-wasting exercise.
And then down in the FAQ section:
Q. Hey, I’ve got an idea, why not do a bug bounty? Pay third parties to find this stuff!
A. Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers**** to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers. (Small digression: I was busting my buttons today when I found out that a well-known security researcher in a particular area of technology reported a bunch of alleged security issues to us except – we had already found all of them and we were already working on or had fixes. Woo hoo!)
I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is “whack a code mole”) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues, and so on. This is one of those “full immersion baptism” or “sprinkle water over the forehead” issues – we will allow for different religious traditions and do it OUR way – and others can do it THEIR way. Pax vobiscum.
Look, it's actually great that Oracle finds most of its own vulnerabilities. That's kind of what you'd expect. If it were otherwise, then, um, Oracle should be searching for a new Chief Security Officer. But that's really not the point. These things are not mutually exclusive. Of course a company should discover most of its own security vulnerabilities, but that doesn't lessen the need for more eyes looking for more vulnerabilities, because some of those holes may be quite big and quite problematic -- and why wouldn't Oracle want to encourage its own customers and the security researchers they hire to do more work to help improve Oracle's products?
So, no, Oracle doesn't need to do a bug bounty. That's obviously a choice that each company can make for itself -- but it's difficult to see why Oracle seems to be so actively trying to piss off security researchers and its own paying customers.
The post is also chock full of just ridiculous analogies:
Q. Surely the bad guys and some nations do reverse engineer Oracle’s code and don’t care about your licensing agreement, so why would you try to restrict the behavior of customers with good motives?
A. Oracle’s license agreement exists to protect our intellectual property. “Good motives” – and given the errata of third party attempts to scan code the quotation marks are quite apropos – are not an acceptable excuse for violating an agreement willingly entered into. Any more than “but everybody else is cheating on his or her spouse” is an acceptable excuse for violating “forsaking all others” if you said it in front of witnesses.
At this point, I think I am beating a dead – or should I say, decompiled – horse. We ask that customers not reverse engineer our code to find suspected security issues: we have source code, we run tools against the source code (as well as against executable code), it’s actually our job to do that, we don’t need or want a customer or random third party to reverse engineer our code to find security vulnerabilities. And last, but really first, the Oracle license agreement prohibits it. Please don’t go there.
But, uh, this is not anything like "but everybody else is cheating on his or her spouse." This is simply a case of "your argument makes no sense." The point raised by that "question" is that this whole thing about "protecting intellectual property" makes no sense, because the people who are actually looking to violate your intellectual property rights don't care about your license agreement in the first place. The issue here is customers and their security researchers who aren't looking to do anything nefarious but are actually looking to help Oracle make a better, more secure product. How is that anything like cheating on your spouse?
Or this one:
Q. But one of the issues I found was an actual security vulnerability so that justifies reverse engineering, right?
A. Sigh. At the risk of being repetitive, no, it doesn’t, just like you can’t break into a house because someone left a window or door unlocked. I’d like to tell you that we run every tool ever developed against every line of code we ever wrote, but that’s not true. We do require development teams (on premises, cloud and internal development organizations) to use security vulnerability-finding tools, we’ve had a significant uptick in tools usage over the last few years (our metrics show this) and we do track tools usage as part of Oracle Software Security Assurance program. We beat up – I mean, “require” – development teams to use tools because it is very much in our interests (and customers’ interests) to find and fix problems earlier rather than later.
But that's not what's happening either. As the rest of the post makes clear, Davidson is talking about Oracle customers (i.e., those paying for Oracle licenses) doing some vulnerability testing themselves to make sure that the systems are really secure. So it's not the bizarre analogy of breaking into a house. It's more like renting a house and checking to make sure that the doors are actually secure, and then pointing out to the landlord if they're not and that they should be fixed.
Oracle obviously has every right to determine how it handles its security efforts and how it relates to its own customers and security researchers, but this post seems incredibly tone deaf and designed to piss off Oracle's own customers in the name of "protecting intellectual property" for no reason other than "that's our intellectual property, which you paid for, and how dare you want to make sure it's safe."
Filed Under: intellectual property, mary ann davidson, reverse engineering, security, security research
Companies: oracle
Reader Comments
The First Word
“Anyone who ever says "To protect our intellectual property"...
...should be forced to explain exactly what they are protecting it from, and how the measure that they are proposing is related to and will achieve that end.
Neo: "But I chased the white rabbit."
Oracle: "Let the agents do their thing. Here, have a cookie."
Neo: "But there is no cookie."
Oracle: "Now you're getting it."
Neo: "Guess there's nothing to do now but stare at the woman in the red dress."
I mean, none of these solutions are good for Oracle so if they ever read this they should develop channels to encourage people to tell them about such flaws while explicitly protecting them from lawsuits.
Either way, it does not make your company look very good.
Don't mind me, just moving to a more secure database...
So if I read this correctly, you're saying you don't want to find those 3% of bugs that you fail to find yourselves?
Great idea, Oracle. Way to give me confidence in your software.
Re: Don't mind me, just moving to a more secure database...
Re: Don't mind me, just moving to a more secure database...
Now consider instead that evidence comes out that a security researcher told you this was going to happen 3 years ago. Suddenly you are liable for a whole slew of crap, and it's all that damn security researcher's fault ;)
Re: Don't mind me, just moving to a more secure database...
Re: Re: Don't mind me, just moving to a more secure database...
I say theoretically because it wouldn't be all that difficult for a database vendor to make it so that non-parameterized queries automatically return an error by default, (with an opt-out for ad-hoc queries by database tools, etc,) which would shut SQL injection down cold... but AFAIK no relational database has ever actually done this.
Re: Re: Re: Don't mind me, just moving to a more secure database...
That function belongs to the application interface, not the DBMS. It is the programmer's responsibility to handle this, not the DBMS's. It requires a case by case analysis of the business activity for the interface interaction, not vendor interference.
Secondly, this is ORACLE we are talking about. They can't even deal with normal customer bug indicators.
Re: Re: Re: Re: Don't mind me, just moving to a more secure database...
How do you figure? Because if the parser and the AST it produces are designed in any remotely reasonable way at all, this is trivial: iterate over all binary expressions in the WHERE clause and determine if any of them don't contain a parameter reference.
Yeah, that's been the go-to excuse for poor language design for decades now. "It's the programmer's responsibility for getting all the little details right. It's not the language's fault that everyone keeps making the very same class of mistake that's incredibly easy to make because doing it the obvious way is the wrong way to do it." It's always been a bunch of crap, and it still is.
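The DBMS-side check proposed in this thread (walk the comparisons of a WHERE clause and reject the statement when any of them carries no bind parameter, with an opt-out for ad-hoc queries from database tools), worked through as an added example. This is not code from the comment thread or from any real database engine: `tokenize`, `WhereParser`, `find_unparameterized` and `check_query` are hypothetical names, the grammar is a deliberately small SQL subset (comparisons joined by AND/OR/NOT with parentheses, `?` and `:name` placeholders), and the sample queries are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Token grammar for a small subset of SQL WHERE clauses (added example, not a real DBMS parser).
TOKEN_RE = re.compile(r"""
    (?P<param>\?|:[A-Za-z_]\w*)     |   # bind parameter placeholder: ? or :name
    (?P<string>'(?:[^']|'')*')      |   # single-quoted string literal ('' escapes a quote)
    (?P<number>\d+(?:\.\d+)?)       |   # numeric literal
    (?P<op><>|<=|>=|!=|=|<|>)       |   # comparison operator
    (?P<lparen>\()                  |
    (?P<rparen>\))                  |
    (?P<word>[A-Za-z_][\w.]*)           # column name or keyword (AND / OR / NOT)
""", re.VERBOSE)


@dataclass(frozen=True)
class Comparison:
    left: str
    op: str
    right: str
    left_kind: str   # token kind of the left operand
    right_kind: str  # token kind of the right operand

    def references_parameter(self) -> bool:
        # The commenter's rule: a comparison is acceptable if either side is a bind parameter.
        return "param" in (self.left_kind, self.right_kind)


def tokenize(text: str) -> List[Tuple[str, str]]:
    """Split a WHERE clause into (kind, text) tokens; unknown characters raise ValueError."""
    tokens, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character at {pos}: {text[pos]!r}")
        tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens


class WhereParser:
    """Recursive-descent parser that records every binary comparison it sees.
    expr := term (OR term)* ; term := factor (AND factor)* ;
    factor := NOT factor | '(' expr ')' | operand op operand"""

    def __init__(self, tokens: List[Tuple[str, str]]):
        self.tokens, self.i = tokens, 0
        self.comparisons: List[Comparison] = []

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def at_keyword(self, word: str) -> bool:
        k, t = self.peek()
        return k == "word" and t.upper() == word

    def take(self, kind=None):
        k, t = self.peek()
        if k is None or (kind and k != kind):
            raise ValueError(f"expected {kind or 'token'}, got {t!r}")
        self.i += 1
        return k, t

    def parse(self) -> List[Comparison]:
        self.expr()
        if self.peek()[0] is not None:
            raise ValueError("trailing tokens after WHERE expression")
        return self.comparisons

    def expr(self):
        self.term()
        while self.at_keyword("OR"):
            self.take(); self.term()

    def term(self):
        self.factor()
        while self.at_keyword("AND"):
            self.take(); self.factor()

    def factor(self):
        if self.at_keyword("NOT"):
            self.take(); self.factor()
        elif self.peek()[0] == "lparen":
            self.take("lparen"); self.expr(); self.take("rparen")
        else:
            lk, lt = self.operand()
            _, op = self.take("op")
            rk, rt = self.operand()
            self.comparisons.append(Comparison(lt, op, rt, lk, rk))

    def operand(self):
        if self.peek()[0] in ("param", "string", "number", "word"):
            return self.take()
        raise ValueError(f"expected operand, got {self.peek()[1]!r}")


def find_unparameterized(where_clause: str) -> List[Comparison]:
    """Return every comparison in the clause that has no bind parameter on either side."""
    comparisons = WhereParser(tokenize(where_clause)).parse()
    return [c for c in comparisons if not c.references_parameter()]


WHERE_RE = re.compile(r"\bWHERE\b(.*)$", re.IGNORECASE | re.DOTALL)


def check_query(sql: str, allow_literals: bool = False) -> Tuple[bool, List[Comparison]]:
    """Gate a statement the way the thread proposes: reject it when its WHERE clause
    contains a literal-only comparison, unless the caller opted out (ad-hoc tooling).
    Returns (accepted, flagged comparisons); a statement without WHERE is accepted as-is."""
    m = WHERE_RE.search(sql.rstrip().rstrip(";"))
    if not m:
        return True, []
    flagged = find_unparameterized(m.group(1))
    return (allow_literals or not flagged), flagged


if __name__ == "__main__":
    # Constructed sample statements: one parameterized, one built by string concatenation.
    for sql in ("SELECT id FROM users WHERE username = ? AND active = :a",
                "SELECT id FROM users WHERE username = 'alice' OR 1 = 1"):
        accepted, flagged = check_query(sql)
        print("accepted" if accepted else "rejected", sql, [(c.left, c.op, c.right) for c in flagged])
```

Note that the rule exactly as the commenter stated it also flags benign constants written into application code (`active = 1`), which is why the opt-out exists and why a real engine would want a narrower policy (for example, only string literals, or only literals compared against columns). A real DBMS would run this over its own AST rather than a second parser, but the walk is the same: every binary comparison reachable from the WHERE node, checked for a parameter reference on either side.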
Re: Re: Re: Re: Re: Don't mind me, just moving to a more secure database...
The DBMS should parse the sent SQL properly (like any parser) but it is not the DBMS's responsibility to determine what SQL is required.
Language syntax and semantics are a completely different kettle of fish from the responsibility of the programmer. If the programmer is using a specific language then it is the responsibility of the programmer to understand both syntax and semantics of the language. If they keep getting it wrong then they should be moving onto a more favourable language. Secondly, if you are really having difficulties handling syntax, either use a syntax directed editor or stop programming because you aren't suited to it. You are probably better suited driving a bus.
Just because a language is completely skew-whiff doesn't lessen the programmer's responsibility in program writing or knowing the ins and outs of the specific language.
Finally, if you don't like a specific language, either develop your own (and see how really hard it is to get right) or change to a different language that you personally are more comfortable with.
I would suggest the following language for simplicity: Remorse (it only has 2 characters . and _)
I would suggest the following language for getting tasks done: ICON, UnIcon, LISP, FORTH. Each of these have a variation in learning curve, but all allow you to be effective in getting the tasks done. I would also suggest that you leave all the modern versions of COBOL alone (C#, C++, Java, ISO 2014-COBOL, etc).
Re: Re: Re: Re: Don't mind me, just moving to a more secure database...
They have a scheduled close-down system.
Basically they set your 'case' to closedown early on a Saturday morning, and tick a box marked 'do not inform customer'. Then the case is simply shut and no one takes responsibility.
Re: Re: Re: Don't mind me, just moving to a more secure database...
So what do you expect to achieve with such a "feature"?
Re: Don't mind me, just moving to a more secure database...
And the primary analogy for possessive would be a box with a "don't open it!" clause involved. Usually if you need a coffee maker to work in a specific way you are allowed to modify it to work as needed. Any analogy to rented items usually falls on the item being unharmed.
As for the landlords of the hotel analogy, having the landlord aggressively abuse you for messing around and demanding compensation seems to be sweet Mary Ann's part in this play.
Re: Re: Don't mind me, just moving to a more secure database...
Re: Re: Don't mind me, just moving to a more secure database...
Let's see... who uses Oracle as a back-end... Sony... AshleyMadison and the Office of Personnel Management.
Now..what do all those have in common?
Bogus numbers
Far more are discovered by customers than they are admitting.
Re: Don't mind me, just moving to a more secure database...
Re: Re: Don't mind me, just moving to a more secure database...
A. Sigh. At the risk of being repetitive, no, it doesn’t, just like you can’t break into a house because someone left a window or door unlocked.
If it's my door and my house and the locks aren't working as stated then fuck yeah we have an issue. Locks and latches and Oracle Knobs.
What I learned
Rest? Blahdee, blahdee, blah...
A. Sigh.. No it doesn't.. Just like you can't tell your neighbor that they left their door unlocked when they left for vacation, you can't tell us when you find a security vulnerability in our product.. Get it through your thick heads! This is why we have Intellectual Property laws!
Wow... a fine example on how to drive away customers
Good summary
Re: Good summary
What I get of Oracle's view is that it'd be better if "white hat" "researchers" didn't pick at code so much that ends up only helping "black hats",
The person is talking about decisions ON THE MARGIN with complex trade-offs and drawbacks. He even states that he simply likes doing it "OUR" way. All sounds reasonable...
Unless your purpose in life is carping! -- I don't get what you're railing about, let alone agree it's important enough for mighty Techdirt, so maybe this person has exactly the problem you do: is a weenie with lousy communication skills. -- Well, in your case, it's more NEEDED A TOPIC and this was first you saw that fit a slot in your template, having what's actually an irrelevant mention of "intellectual property".
In any case, Oracle can't and won't stop it, and then, wisely seeing how difficult the point was to convey and how weenies would pick at it, has in effect retracted, leaving Techdirt in its usual state of flailing at imaginary shadows.
Maybe this will put Oracle's view in a way you can get it: I don't understand why you 'dirters don't like me finding vulnerabilities in the writing here! I'm a "white hat" critic, see? Only want to improve the product.
Re:
Enjoy your DMCA vote.
Re: What I get of Oracle's view is that it'd be better if "white hat" "researchers" didn't pick at code so much that ends up only helping "black hats",
Re: What I get of Oracle's view is that it'd be better if "white hat" "researchers" didn't pick at code so much that ends up only helping "black hats",
So, you're saying that the black hats could never find code on their own and there'd be fewer problems if only the people actually trying to help secure the product would stop doing so? That's even dumber than the idea of "security through obscurity".
"I don't understand why you 'dirters don't like me finding vulnerabilities in the writing here! I'm a "white hat" critic, see? Only want to improve the product."
No, you lie, distort and launch impotent personal attacks, all with a misplaced sense of smug self-importance. This is not constructive criticism, and doesn't improve anything more than your broken ego.
If you wanted to "improve the product", you'd give constructive criticism about what was actually incorrect, with solid citations and suggestions on why it was wrong. Instead, you supplied a laughable premise, and whined that Mike picked a phrase stated in the first quoted "answer" paragraph of Oracle's Q&A to use in this article's title. How dare he accurately quote them! On top of that, given that the Oracle article has been removed since this was written, even they realise it's indefensible.
Oh well, keep at it, you might stumble across factual logic at least once.
Really, Oracle's best option at this point is to claim that they were hacked. No one would believe them, but it'd probably still be less embarrassing in the long run.
The Real reason
Hey, why don't you be completely transparent about Techdirt's defenses, and encourage everyone to test them? Or is that YOUR "intellectual property" you want kept secret?
Re: Hey, why don't you be completely transparent about Techdirt's defenses, and encourage everyone to test them? Or is that YOUR
Re: Re:
What a sad, sad little freak you are.
Re: Hey, why don't you be completely transparent about Techdirt's defenses, and encourage everyone to test them? Or is that YOUR "intellectual property" you want kept secret?
Re: Hey, why don't you be completely transparent about Techdirt's defenses, and encourage everyone to test them? Or is that YOUR "intellectual property" you want kept secret?
Yeah, that would get really annoying after a while. But you know what? That's what every day is like in IT security. And you get not just ONE kid, but hundreds of them, all telling you your front door is unlocked (which of course is probably due to the fact that you keep opening it to talk to them).
So sure, there's vulnerabilities and there's vulnerabilities. Some are known and mitigated, but keep being reported, and some are "Wait -- our product has behaved like that for HOW MANY YEARS????" vulnerabilities. You put up with the first because of the second. And the second isn't likely to be found by an internal team.
So Oracle was framing it in terms of "We don't want other people analyzing how we do things... we KNOW how we do things thank you very much, and how we do it is what makes us unique/valuable in the DB market" and the parent commenter was framing it in terms of "These 'helpful' researchers are bloody annoying. Please let us get back to actually securing/improving the product, stop wasting our time, and stop attacking us."
In truth, if you make computer hardware/software that is accessible from the Internet, you're being attacked all the time. Those who prod and report aren't attacking, they're securing a product they're actually using. This is also why they want to know how it works -- so that they know how to mitigate potential issues -- because there ARE people out there attacking the product, and THEY, not Oracle, will be the victims.
Re: Hey, why don't you be completely transparent about Techdirt's defenses, and encourage everyone to test them? Or is that YOUR "intellectual property" you want kept secret?
Please, allow me to bear your children.
Company Blogs
I'd also bet that Oracle is re-evaluating their employee blog policy at this very moment.
From my experience in dealing with Oracle, pissing off their customers is the only way Oracle knows how to do business.
Anyone who ever says "To protect our intellectual property"...
Re: Anyone who ever says "To protect our intellectual property"...
... patents? No, the patent discloses the invention, so reverse engineering will not disclose anything about the patent not already disclosed.
...copyrights? No, because making identical copies does not require reverse engineering in the first place and because something more, such as making a derivative work, would be needed in addition to the reverse engineering.
...trademarks? No, because there are no trademark rights in reverse-engineered code and mere reverse engineering is not use-in-commerce.
...trade secrets? No, because if they are distributing them to customers, they are not trade secrets.
So, no, this is not about protecting intellectual-property rights. This is about the next paragraph in a typical Oracle agreement:
All that's missing is a statement at the end saying, "...or that Oracle even wants to know about all program errors." Ignorance is bliss.
>"this is not about protecting intellectual-property rights"
Infosec researchers are not reversing Oracle's software in order to pirate it.
Hackers have been gaining access to my system by adding their own credentials to my system using a flaw in your product. I've been patiently waiting for you to fix this bug, and removing these malicious credentials, but every day these hackers just add new credentials. I would report this directly to you, but the last time I reported a bug I was belittled by your CSO and called a 'weenie', so not sure what action to take now. In the meantime these hacks are siphoning off my customers' personal data, but don't worry, they don't know; I've taken Oracle's advice and just ignored the problem until enough of my customers complain. But it would be nice to finally get this bug fixed, but whenever you're free after writing your "mystery fiction novels" will be fine.
Ty and have a good day :)
This silly analogy...
Yes, but if your house has been purchased because it's on an extremely busy road, in an area with a significant proportion of criminals walking past and brazenly trying every door, and your neighbor puts a note through your door saying they tried the door and it was unlocked and you should probably lock it, rather than nicking all your stuff, then perhaps, yes, a thank you is in order.
Re: This silly analogy...
Translation: We've been sent an NSL,
No legal leg to stand on for EULA prohibition
Not to mention it's the stupidest thing Bill Gates has (err I have) ever heard.
Of fucking course you can reverse engineer. That's how things are done.
Java is a dying tech. It needs to go as badly as Flash. The direction to go is open source and not closed Microsoft proprietary software.
Re: No legal leg to stand on for EULA prohibition
If you can't...
Idiots!
"We produce perfect code. You don't need to check it over for bugs. There AIN'T none!"
Does that mean Oracle guarantees the security of all of its products? Does this mean that Oracle will cover losses by their customers from (non-existent) bugs in their "perfect" code?
I haven't tried to wade through the License Agreement, and have no intention of doing it, BUT, I'd be willing to bet there's lawyerspeak by the pound indemnifying Oracle for anything and everything faintly resembling bugs, errors, typos, etc., in their "perfect" code. If you don't believe that, or challenge them, keep in mind they probably have more lawyers than Microsoft.
The other thing to keep in mind is that few organizations have the spare cash floating around to hire consultants for the sole purpose of fishing expeditions in a commercial product. Granted, it's possible, but IMHO unlikely.
Such projects are usually the direct result of a problem with the software. Likely, they first took it to Oracle, who blew them off, then they got serious and spent money to fix it, because switching to a competitor's product is much too expensive in time, training, and license fees and they're stuck with the busted software.
Re:
"We produce perfect code. You don't need to check it over for bugs. There AIN'T none!"
Sadly, her boss (Larry Ellison) said it nearly 12 years ago, and at that time she visited my company and did a song and dance at the time about how he didn't really mean it the way everyone heard it and that "Oracle is unbreakable, you can't break it" really depended on what the meaning of "is" is.
We laughed her out of our company then and sadly, we still have idiots in our company that still use their product to this day despite numerous requests from the security team and the management to avoid the software like the plague, after they told us that they wouldn't release software patches unless we paid the ridiculous software support agreements for software we had already purchased at far more than we should have.
I am with John on this one... if you still trust Oracle, after all these years, then you deserve all the pain you are feeling. Bush's "Fool me once, shame on you, fool me... you can't get fooled again" works really appropriately here.
https://twitter.com/Jose_Pagliery/status/631149599386914818
Not 3%, nor 13%, but 100%
Let's state it that way: of all the bugs that they did not discover and fix themselves, 100% can potentially be discovered and used by hackers...
Re: Not 3%, nor 13%, but 100%
Because...
2 - "Piracy" (file-sharing...)
3 - Children (child porn, "piracy", terrorism...)
They're all criminals
Wow. So many slants to choose from!
We don't want you to discover the NSA backdoor
IP is more important than Your P
We don't test our software and neither should you!
Our reputation before your satisfaction!
Oracle's security is a complete joke and their 'code analysts' one of IT's longest running jokes....
First was Bill Gates, showing how the Gates foundation was looking for cures for malaria and other diseases.
Then came Larry Ellison, whose entire contribution was to show how many classic cars he owns and how big his house is.
Say goodbye to private disclosure, and hello to public
1. (Bad for the company) Instead of privately informing them of a vulnerability, researchers make it public, hopefully anonymously, and force them to fix it. At this point the company in question has to scramble both to fix the problem, and deal with the PR hit they just took.
2. (Bad for the public) Security researchers don't inform anyone, which might seem great at first. Except just because they aren't looking, doesn't mean others aren't, and eventually(not 'if', but 'when') someone with less noble intentions will find what vulnerabilities there are, and use them.
I get the feeling Oracle is probably hoping for the latter, as it screws over their customers rather than them, and why would they care about their customers?
Copy Also Available ...
Maybe she's just generally defensive.
I'm also bothered about her defensiveness over hypothetical porn lit on her bookshelf in bad analogies. Her response is that we're misinterpreting the titles of her bookshelf when equally valid (if not more so) is "It's my friggen bookshelf. I can have whatever steamy titles on it I want, and how dare you judge me!"
The last thing I want to hear from Ms. Davidson when some hacker cracks my Oracle system and publicizes its contents online is "I'd take your Oracle issues more seriously if you weren't using our software to secure porn."
If true, wow.
Not in the real world
- The POODLE vulnerability was discovered by researchers at Google, not Oracle.
- Oracle were told about TNS poisoning back in 2008 by a security researcher but didn't do a fix until 2012, and the (so called) fix is only a partial fix...
- Oracle's encryption uses ancient ciphers. They took to heart the decade old USA stance "encryption is a weapon and cannot be exported" and actually hobbled high-end encryption in code.
It's clear to my mind that Oracle have adopted the TSA world-view of security. Theatre at its best.
Them Ain't Bugs!