Oracle Tells Customers To Stop Trying To Find Vulnerabilities In Oracle Products... Because 'Intellectual Property'

from the huh? dept

Update: After writing this, but before I had a chance to publish, it appears that someone at Oracle realized how terrible this looked and deleted the original post, though you can see an archived copy here.

Computer security guru Matt Blaze called our attention to a bizarre (and bizarrely written) blog post by Oracle's Chief Security Officer, Mary Ann Davidson, telling people to stop reverse engineering Oracle products in search of security vulnerabilities. As Blaze points out, the article is so bizarre that he thought that Oracle must have been hacked and the story posted as a parody.
The full post needs to be read to be fully appreciated, but the core argument is that (1) reverse engineering is bad because "intellectual property!" and (2) Oracle discovers most of its own bugs itself, so go away you annoying security researchers, Oracle doesn't need you. I'm not joking. Here's some of the text around point (1), from the "FAQ" part of the post:
Q. But the tools that decompile products are getting better and easier to use, so reverse engineering will be OK in the future, right?

A. Ah, no. The point of our prohibition against reverse engineering is intellectual property protection, not “how can we cleverly prevent customers from finding security vulnerabilities – bwahahahaha – so we never have to fix them – bwahahahaha.” Customers are welcome to use tools that operate on executable code but that do not reverse engineer code. To that point, customers using a third party tool or service offering would be well-served by asking questions of the tool (or tool service) provider as to a) how their tool works and b) whether they perform reverse engineering to “do what they do.” An ounce of discussion is worth a pound of “no we didn’t,” “yes you did,” “didn’t,” “did” arguments. *

But this makes no sense. There's no reason to "protect intellectual property" solely for the sake of protecting intellectual property. Davidson seems to clearly admit that the security researchers doing this reverse engineering aren't doing it to "copy" the code or to leak it/resell it/post it to The Pirate Bay or whatever. They're just doing it to look for security vulnerabilities. What does that have to do with "intellectual property" at all? Absolutely nothing. It's just one of those things that people yell when they have no other argument. "But intellectual property!" It just seems nonsensical, because nothing about this has anything to do with intellectual property other than as an excuse for why Oracle doesn't want to hear from security researchers.

On to point (2).

Now is a good time to reiterate that I’m not beating people up over this merely because of the license agreement. More like, “I do not need you to analyze the code since we already do that, it’s our job to do that, we are pretty good at it, we can – unlike a third party or a tool – actually analyze the code to determine what’s happening and at any rate most of these tools have a close to 100% false positive rate so please do not waste our time on reporting little green men in our code.” I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying, and mutually-time wasting exercise.

And then down in the FAQ section:
Q. Hey, I’ve got an idea, why not do a bug bounty? Pay third parties to find this stuff!

A. Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers**** to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers. (Small digression: I was busting my buttons today when I found out that a well-known security researcher in a particular area of technology reported a bunch of alleged security issues to us except – we had already found all of them and we were already working on or had fixes. Woo hoo!)

I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is “whack a code mole”) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues, and so on. This is one of those “full immersion baptism” or “sprinkle water over the forehead” issues – we will allow for different religious traditions and do it OUR way – and others can do it THEIR way. Pax vobiscum.

Look, it's actually great that Oracle finds most of its own vulnerabilities. That's kind of what you'd expect. If it were otherwise, then, um, Oracle should be searching for a new Chief Security Officer. But that's really not the point. These things are not mutually exclusive. Of course a company should discover most of its own security vulnerabilities, but that doesn't lessen the need for more eyes looking for more vulnerabilities, because some of those holes may be quite big and quite problematic -- and why wouldn't Oracle want to encourage its own customers and the security researchers they hire to do more work to help improve Oracle's products?

So, no, Oracle doesn't need to do a bug bounty. That's obviously a choice that each company can make for itself -- but it's difficult to see why Oracle seems to be so actively trying to piss off security researchers and its own paying customers.

The post is also chock full of just ridiculous analogies:
Q. Surely the bad guys and some nations do reverse engineer Oracle’s code and don’t care about your licensing agreement, so why would you try to restrict the behavior of customers with good motives?

A. Oracle’s license agreement exists to protect our intellectual property. “Good motives” – and given the errata of third party attempts to scan code the quotation marks are quite apropos – are not an acceptable excuse for violating an agreement willingly entered into. Any more than “but everybody else is cheating on his or her spouse” is an acceptable excuse for violating “forsaking all others” if you said it in front of witnesses.

At this point, I think I am beating a dead – or should I say, decompiled – horse. We ask that customers not reverse engineer our code to find suspected security issues: we have source code, we run tools against the source code (as well as against executable code), it’s actually our job to do that, we don’t need or want a customer or random third party to reverse engineer our code to find security vulnerabilities. And last, but really first, the Oracle license agreement prohibits it. Please don’t go there.

But, uh, this is not anything like "but everybody else is cheating on his or her spouse." This is a case of "your argument makes no sense." The point raised by that "question" is that this whole thing about "protecting intellectual property" makes no sense, because the people who are actually looking to violate your intellectual property rights don't care about your license agreement in the first place. The issue here is customers and their security researchers who aren't looking to do anything nefarious but are actually looking to help Oracle make a better, more secure product. How is that anything like cheating on your spouse?

Or this one:
Q. But one of the issues I found was an actual security vulnerability so that justifies reverse engineering, right?

A. Sigh. At the risk of being repetitive, no, it doesn’t, just like you can’t break into a house because someone left a window or door unlocked. I’d like to tell you that we run every tool ever developed against every line of code we ever wrote, but that’s not true. We do require development teams (on premises, cloud and internal development organizations) to use security vulnerability-finding tools, we’ve had a significant uptick in tools usage over the last few years (our metrics show this) and we do track tools usage as part of Oracle Software Security Assurance program. We beat up – I mean, “require” – development teams to use tools because it is very much in our interests (and customers’ interests) to find and fix problems earlier rather than later.

But that's not what's happening either. As the rest of the post makes clear, Davidson is talking about Oracle customers (i.e., those paying for Oracle licenses) doing some vulnerability testing themselves to make sure that the systems are really secure. So it's not the bizarre analogy of breaking into a house. It's more like renting a house and checking to make sure that the doors are actually secure, and then pointing out to the landlord if they're not and that they should be fixed.

Oracle obviously has every right to determine how it handles its security efforts and how it relates to its own customers and security researchers, but this post seems incredibly tone deaf and designed to piss off Oracle's own customers in the name of "protecting intellectual property" for no reason other than "that's our intellectual property, which you paid for, and how dare you want to make sure it's safe."

Filed Under: intellectual property, mary ann davidson, reverse engineering, security, security research
Companies: oracle


Reader Comments



  1. Violynne (profile), 11 Aug 2015 @ 7:16am

    Oracle: "I'm sorry, Neo, but you are not the one to challenge our Matrix."
    Neo: "But I chased the white rabbit."

    Oracle: "Let the agents do their thing. Here, have a cookie."
    Neo: "But there is no cookie."

    Oracle: "Now you're getting it."
    Neo: "Guess there's nothing to do now but stare at the woman in the red dress."

  2. Ninja (profile), 11 Aug 2015 @ 7:17am

    Even if the post was deleted it shows that this point of view is at least considered an option at Oracle. Which means that if you find out vulnerabilities you may risk being sued, harassed or something worse by Oracle. Given we had this insight on their ideas the best route now would be to stop trying to find vulnerabilities and stop using Oracle stuff since their priority is to hide their problems instead of being honest and working to fix them. Or keep going after the vulnerabilities and release them publicly and anonymously and let Oracle deal with the ensuing shitstorm instead of trying to help and telling them about such vulnerabilities privately.

    I mean, none of these solutions are good for Oracle so if they ever read this they should develop channels to encourage people to tell them about such flaws while explicitly protecting them from lawsuits.

  3. Chris-Mouse (profile), 11 Aug 2015 @ 7:40am

    If customers are reporting bugs that you've already found, then either you are releasing code with known bugs, or else you're releasing code before analyzing it for bugs.
    Either way, it does not make your company look very good.

  4. Cdaragorn (profile), 11 Aug 2015 @ 7:40am

    Don't mind me, just moving to a more secure database...

    Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers.

    So if I read this correctly, you're saying you don't want to find those 3% of bugs that you fail to find yourselves?

    Great idea, Oracle. Way to give me confidence in your software.

  5. Anonymous Coward, 11 Aug 2015 @ 7:41am

    Q. But one of the issues I found was an actual security vulnerability so that justifies reverse engineering, right?

    A. Sigh. At the risk of being repetitive, no, it doesn’t, just like you can’t break into a house because someone left a window or door unlocked.

    If it's my door and my house and the locks aren't working as stated then fuck yeah we have an issue.. Locks and latches and Oracle Knobs.

  6. Vidiot (profile), 11 Aug 2015 @ 7:44am

    What I learned

    Her dog speaks Hawaiian, not Latin.

    Rest? Blahdee, blahdee, blah...

  7. crade (profile), 11 Aug 2015 @ 7:51am

    Q. But one of the issues I found was an actual security vulnerability so that justifies reverse engineering, right?

    A. Sigh.. No it doesn't.. Just like you can't tell your neighbor that they left their door unlocked when they left for vacation, you can't tell us when you find a security vulnerability in our product.. Get it through your thick heads! This is why we have Intellectual Property laws!

  8. crade (profile), 11 Aug 2015 @ 7:53am

    Re: Don't mind me, just moving to a more secure database...

    Those are the 3% that they already know about but don't want to acknowledge because they would cost a lot to fix.

  9. Matthew A. Sawtell, 11 Aug 2015 @ 7:54am

    Wow... a fine example on how to drive away customers

  10. John Fenderson (profile), 11 Aug 2015 @ 7:55am

    Good summary

    Mary Ann Davidson's blog post demonstrates very well one of the main reasons why I do not use, and recommend against using, Oracle software unless there is literally no other option.

  11. Anonymous Coward, 11 Aug 2015 @ 8:03am (flagged by the community)

    What I get of Oracle's view is that it'd be better if "white hat" "researchers" didn't pick at code so much that ends up only helping "black hats", who might otherwise never find problem areas, and even more importantly learn how to find them.

    The person is talking about decisions ON THE MARGIN with complex trade-offs and drawbacks. He even states that he simply likes doing it "OUR" way. All sounds reasonable...

    Unless your purpose in life is carping! -- I don't get what you're railing about, let alone agree it's important enough for mighty Techdirt, so maybe this person has exactly the problem you do: is a weenie with lousy communication skills. -- Well, in your case, it's more NEEDED A TOPIC and this was first you saw that fit a slot in your template, having what's actually an irrelevant mention of "intellectual property".

    In any case, Oracle can't and won't stop it, and then, wisely seeing how difficult the point was to convey and how weenies would pick at it, has in effect retracted, leaving Techdirt in its usual state of flailing at imaginary shadows.

    Maybe this will put Oracle's view in a way you can get it: I don't understand why you 'dirters don't like me finding vulnerabilities in the writing here! I'm a "white hat" critic, see? Only want to improve the product.

  12. crade (profile), 11 Aug 2015 @ 8:08am

    Re: Don't mind me, just moving to a more secure database...

    Consider a bug that you "never found" causing a major client company a major loss. Major client is pissed, but you can't be 100% perfect and never claim you are, so life goes on for you and the client...

    Now consider instead that evidence comes out that a security researcher told you this was going to happen 3 years ago. Suddenly you are liable for a whole slew of crap, and it's all that damn security researcher's fault ;)

  13. Anonymous Coward, 11 Aug 2015 @ 8:10am

    Re:

    Randomly shitting on everything is not improving by any definition.

    Enjoy your DMCA vote.

  14. Anonymous Coward, 11 Aug 2015 @ 8:19am

    As Blaze points out, the article is so bizarre that he thought that Oracle must have been hacked and the story posted as a parody.

    Really, Oracle's best option at this point is to claim that they were hacked. No one would believe them, but it'd probably still be less embarrassing in the long run.

  15. crade (profile), 11 Aug 2015 @ 8:20am

    Re: Good summary

    "unless there is literally no other option" Good thing for Oracle.. there probably isn't.. Because Intellectual Property! :)

  16. Anonymous Coward, 11 Aug 2015 @ 8:25am

    The Real reason

    When people get really touchy about security and people actually scrutinizing something that is being paid for, it usually means giant flaws built right in and purposefully ignored. Either they were put in for government abuse, or they were reported early on and told to ignore. Either way that to me signals it is time to never ever work with this company again.

  17. Anonymous Coward, 11 Aug 2015 @ 8:26am (flagged by the community)

    Hey, why don't you be completely transparent about Techdirt's defenses, and encourage everyone to test them? Or is that YOUR "intellectual property" you want kept secret?

    I think Oracle is simply saying that even "friendly" attacks become annoying. It's definitely easy for those NOT being attacked to jeer that they should be cheerful about being attacked.

  18. Anonymous Coward, 11 Aug 2015 @ 8:26am

    Apparently with this interpretation intellectual property rights can now be used to enforce exclusivity of knowledge.

  19. Anonymous Coward, 11 Aug 2015 @ 8:28am (flagged by the community)

    Re: Hey, why don't you be completely transparent about Techdirt's defenses, and encourage everyone to test them? Or is that YOUR

    By the way, thanks for making me comment through TOR, and then some more blocking. Gives me time and cause to add and sharpen comments!

  20. Anonymous Coward, 11 Aug 2015 @ 8:31am

    Re: Don't mind me, just moving to a more secure database...

    What they don't tell you is the 87% was just simple spelling mistakes; the 3% were actual remote code execution bugs.

  21. Mason Wheeler (profile), 11 Aug 2015 @ 8:36am

    Re: Re: Don't mind me, just moving to a more secure database...

    Actually, databases are kinda funny like that. "Actual remote code execution" is one of the most common security problems in database-driven programs: it's known as SQL Injection, and unlike most instances of code execution vulnerability, it's (theoretically) not the database's fault, but the fault of the program that's accessing it for not parameterizing their queries properly.

    I say theoretically because it wouldn't be all that difficult for a database vendor to make it so that non-parameterized queries automatically return an error by default, (with an opt-out for ad-hoc queries by database tools, etc,) which would shut SQL injection down cold... but AFAIK no relational database has ever actually done this.

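    As an added example (not code from the commenter or from any database vendor), here is the contrast the comment above draws, in Python with the standard-library sqlite3 module: a lookup assembled by string concatenation beside its parameterized form, plus a small wrapper implementing the comment's proposal of refusing non-parameterized queries by default with an explicit opt-out. The users table, the `StrictConnection` wrapper name and its regex literal detector are all constructed for this example.

```python
import re
import sqlite3


def make_db():
    """Constructed sample schema and rows for this example (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    """Query text built by concatenation: the database receives one string
    and has no way to tell which part the application meant as data."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The value is bound separately from the SQL text, so it is always
    treated as data and can never change the structure of the query."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Heuristic detector for literals embedded in SQL text (single-quoted
# strings or bare numbers). Constructed for this example: a real engine
# would make this decision on the parsed statement, not with a regex.
_EMBEDDED_LITERAL = re.compile(r"'[^']*'|\b\d+(?:\.\d+)?\b")


class StrictConnection:
    """Hypothetical wrapper implementing the comment's proposal: a query that
    embeds literals is refused unless the caller opts out explicitly
    (the opt-out is meant for ad-hoc queries from admin tools)."""

    def __init__(self, conn):
        self._conn = conn

    def is_parameterized(self, sql):
        """True when the SQL text carries no embedded literal values."""
        return _EMBEDDED_LITERAL.search(sql) is None

    def execute(self, sql, params=(), *, allow_literals=False):
        if not allow_literals and not self.is_parameterized(sql):
            raise ValueError("non-parameterized query rejected: " + sql)
        return self._conn.execute(sql, params)


def strict_rejects(strict, sql):
    """True if the strict wrapper refuses the query before running it."""
    try:
        strict.execute(sql)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"  # textbook injection input, constructed here
    print(lookup_vulnerable(db, payload))     # every row comes back
    print(lookup_parameterized(db, payload))  # []: no user has that name
    strict = StrictConnection(db)
    print(strict_rejects(strict, "SELECT name FROM users WHERE name = 'alice'"))
    print(strict.execute("SELECT name FROM users WHERE name = ?", ("bob",)).fetchall())
```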

  22. Anonymous Coward, 11 Aug 2015 @ 8:37am

    Re:

    Isn't that why IP was created in the first place? Well, many IP firms would have you believe that anyway.

  23. Anonymous Coward, 11 Aug 2015 @ 8:39am

    Re:

    It's probably better than how I read the article. Sounds to me that Oracle would rather have security researchers sell vulnerabilities to third parties than actually protect their customers. Epic Fail on their part, and I will gladly wait with popcorn for Full Disclosure to start showing multiple vulns just for laughs.

  24. Anonymous Coward, 11 Aug 2015 @ 8:45am

    It doesn't say much for Oracle when their CSO says "trust, but DON'T verify."

  25. Anonymous Coward, 11 Aug 2015 @ 8:46am

    Re: Re:

    What's that you copyright fanboys like to claim? If you abuse it, you have it taken away? And now you're trying to bypass the very same spam filters you support and trigger, using a tool you claim is exclusively for piracy usage.

    What a sad, sad little freak you are.

  26. John Fenderson (profile), 11 Aug 2015 @ 8:50am

    Re: Hey, why don't you be completely transparent about Techdirt's defenses, and encourage everyone to test them? Or is that YOUR "intellectual property" you want kept secret?

    Of course it's annoying. So what?

  27. Anonymous Coward, 11 Aug 2015 @ 8:51am

    Re: Don't mind me, just moving to a more secure database...

    No. She is actually saying that she doesn't want the 13% of vulnerabilities they didn't find. What is worse: With the scorched earth policy towards any type of reverse engineering and no bounties in place, the bug-finding numbers are worthless as an argument: They were already scaring away anyone able to do the work needed to find more severe bugs!

    And the primary analogy for possessive would be a box with a "don't open it!"-clause involved. Usually if you need a coffee maker to work in a specific way you are allowed to modify it to work as needed. Any analogy to rented items usually falls on the item unharmed.

    As for the landlords of the hotel analogy, having the landlord aggressively abuse you for messing around and demanding compensation seems to be sweet Mary Ann's part in this play.

  28. Anonymous Coward, 11 Aug 2015 @ 8:52am

    Re: What I get of Oracle's view is that it'd be better if "white hat" "researchers" didn't pick at code so much that ends up only helping "black hats",

    Don't feel like that Bob/Blue/Other, I enjoy reading your posts! They make me giggle, even if I don't know which one of you guys is behind the keyboard.

  29. Anonymous Coward, 11 Aug 2015 @ 9:08am

    Re: Re: Don't mind me, just moving to a more secure database...

    She says she also replies to submitted bugs with comments such as "please stop reversing our code". I wonder how many people she's shoved away by making moronic comments such as that; they really need to fire this idiot.

  30. Anonymous Coward, 11 Aug 2015 @ 9:08am

    Company Blogs

    I bet someone just lost their blogging privileges...

    I'd also bet that Oracle is re-evaluating their employee blog policy at this very moment.

  31. Anonymous Coward, 11 Aug 2015 @ 9:08am

    Oracle obviously has every right to determine how it handles its security efforts and how it relates to its own customers and security researchers, but this post seems incredibly tone deaf and designed to piss off Oracle's own customers in the name of "protecting intellectual property" for no reason other than "that's our intellectual property, which you paid for, and how dare you want to make sure it's safe."

    From my experience in dealing with Oracle, pissing off their customers is the only way Oracle knows how to do business.

  32. DaveK (profile), 11 Aug 2015 @ 9:17am

    Anyone who ever says "To protect our intellectual property"...

    ...should be forced to explain exactly what they are protecting it from, and how the measure that they are proposing is related to and will achieve that end.

  33. Anonymous Coward, 11 Aug 2015 @ 9:18am

    Re:

    Exclusivity of knowledge is one thing. Exclusivity on access to knowledge is another beast entirely. Being able to use the law to prevent others from accessing your knowledge is the complete antithesis of patents and partly too on copyright. That is why reverse engineering is so fundamental. Now, accessing a database remotely and illegally to perform a security scan is problematic, but we are somewhat running out of other options for acquiring the wanted fundamental knowledge about the code, which makes strict enforcement of closed source very dubious!

  34. Anonymous Coward, 11 Aug 2015 @ 9:38am

    Dear Oracle,

    Hackers have been gaining access to my system by adding their own credentials to my system using a flaw in your product. I've been patiently waiting for you to fix this bug, and removing these malicious credentials, but every day these hackers just add new credentials. I would report this directly to you but the last time I reported a bug I was belittled by your CSO and called a 'weenie', so not sure what action to take now. In the mean time these hacks are siphoning off my customers' personal data, but don't worry, they don't know; I've taken Oracle's advice and just ignored the problem until enough of my customers complain, but it would be nice to finally get this bug fixed, but whenever you're free after writing your "mystery fiction novels" will be fine.

    Ty and have a good day :)

  35. Anonymous Coward, 11 Aug 2015 @ 9:40am

    Re: Don't mind me, just moving to a more secure database...

    So if I read this correctly, you're saying you don't want to find those 3% of bugs that you fail to find yourselves?

    It's 3% now, assuming their stats are accurate. A bounty might increase that percentage, though, which would make them look bad.

  36. spodula, 11 Aug 2015 @ 9:44am

    This silly analogy...

    "just like you can’t break into a house because someone left a window or door unlocked."

    Yes, but if your house has been purchased because it's on an extremely busy road, in an area with a significant proportion of criminals walking past and brazenly trying every door, and your neighbor puts a note through your door saying they tried the door and it was unlocked and you should probably lock it, rather than nicking all your stuff, then perhaps, yes, a thank you is in order.

  37. Anonymous Coward, 11 Aug 2015 @ 9:59am

    Translation: We've been sent an NSL,

    and the NSA is worried that you researchers will find all those vulns that we intentionally placed in our products.

  38. John Fenderson (profile), 11 Aug 2015 @ 10:16am

    Re: This silly analogy...

    Also, Oracle's software is NOT like a house, so the analogy fails right up front. Unless it's a weird kind of "house" that you bring into your own "house" (the computer running their questionable software).

  39. JimB, 11 Aug 2015 @ 10:21am

    No legal leg to stand on for EULA prohibition

    Reverse engineering is legal. Google did it. They are saying that they can prohibit you based on their EULA that states that you can't reverse engineer. Really? That's like saying that you can buy this but you can't look in the box. You can't buy that electronic device and not open the contents.

    Not to mention it's the stupidest thing Bill Gates has (err I have) ever heard.

    Of fucking course you can reverse engineer. That's how things are done.

    Java is a dying tech. It needs to go as badly as Flash. The direction to go is open source and not closed Microsoft proprietary software.

  40. Ismail, 11 Aug 2015 @ 10:23am

    If you can't...

    Provide reasonably secure products, then why not slap security researchers down with a ridiculous argument? Sure, programs like Java would be a hell of a lot securer if not for those damn meddling researchers, right? Right???

    Idiots!

  41. Anonymous Coward, 11 Aug 2015 @ 10:23am

    So, what I'm hearing her say is:

    "We produce perfect code. You don't need to check it over for bugs. There AIN'T none!"

    Does that mean Oracle guarantees the security of all of its products? Does this mean that Oracle will cover losses by their customers from (non-existent) bugs in their "perfect" code?

    I haven't tried to wade through the License Agreement, and have no intention of doing it, BUT, I'd be willing to bet there's lawyerspeak by the pound indemnifying Oracle for anything and everything faintly resembling bugs, errors, typos, etc., in their "perfect" code. If you don't believe that, or challenge them, keep in mind they probably have more lawyers than Microsoft.

    The other thing to keep in mind is that few organizations have the spare cash floating around to hire consultants for the sole purpose of fishing expeditions in a commercial product. Granted, it's possible, but IMHO unlikely.

    Such projects are usually the direct result of a problem with the software. Likely, they first took it to Oracle, who blew them off, then they got serious and spent money to fix it, because switching to a competitor's product is much too expensive in time, training, and license fees and they're stuck with the busted software.

  42. Anonymous Coward, 11 Aug 2015 @ 10:29am

  43. Anonymous Coward, 11 Aug 2015 @ 11:03am

    Not 3%, nor 13%, but 100%

    They find 87% of bugs themselves? They probably forgot that they put them there themselves, and since it's their damn job to NOT have bugs in their own software, this percentage is meaningless.

    Let's state it that way: of all the bugs that they did not discover and fix themselves, 100% can potentially be discovered and used by hackers...

  44. Anonymous Coward, 11 Aug 2015 @ 11:05am

    Because...

    1 - Terrorism (whistleblowing...)
    2 - "Piracy" (file-sharing...)
    3 - Children (child porn, "piracy", terrorism...)

  45. Anonymous Coward, 11 Aug 2015 @ 11:11am

    Re: Not 3%, nor 13%, but 100%

    Maybe they are looking at it this way: if customers don't find that 13%, then Oracle would be finding 100%. Yay math!

  46. PT (profile), 11 Aug 2015 @ 11:42am

    Re: No legal leg to stand on for EULA prohibition

    I agree. The idea that decompiling and reverse engineering has anything to do with copyright should have been knocked on the head forty years ago.

  47. icon
    Coyne Tibbets (profile), 11 Aug 2015 @ 12:04pm

    They're all criminals

    Let's make this very clear: anyone who is looking for weaknesses in our product is a criminal. We'd very much prefer to limit such activities to the criminals who rob and abuse our customers, but do it in secret. We really hate criminals who talk to the ******* press.

  48. icon
    Uriel-238 (profile), 11 Aug 2015 @ 12:37pm

    Wow. So many slants to choose from!

    Security through obscurity

    We don't want you to discover the NSA backdoor

    IP is more important than Your P

    We don't test our software and neither should you!

    Our reputation before your satisfaction!

  49. identicon
    Anonymous Coward, 11 Aug 2015 @ 1:21pm

    This is Oracle, right? The company whose database is so 'secure' that by two simple keyboard shortcuts you can effectively bypass their entire security system and gain full control of everything in ANY setting?

    Oracle's security is a complete joke and their 'code analysts' one of IT's longest-running jokes....

  50. identicon
    Anonymous Coward, 11 Aug 2015 @ 1:22pm

    Is this also the Oracle who take security so seriously that for several years they had an open server at employee.oracle.com (username oracle, password Oracle) which gave access to the salary info of every single employee they had? (including data on outside contractors!)?

  51. identicon
    Anonymous Coward, 11 Aug 2015 @ 1:24pm

    I remember watching a video of some of the richest people on earth.
    First was Bill Gates, showing how the Gates foundation was looking for cures for malaria and other diseases.
    Then came Larry Ellison, whose entire contribution was to show how many classic cars he owns and how big his house is.

  52. icon
    That One Guy (profile), 11 Aug 2015 @ 1:27pm

    Say goodbye to private disclosure, and hello to public

    Treating security researchers like this, as though they are the enemy to be stopped, is a great way to get them to stop privately contacting you regarding bugs or vulnerabilities they find. At that point there are two options, neither of them good.

    1. (Bad for the company) Instead of privately informing them of a vulnerability, researchers make it public, hopefully anonymously, and force them to fix it. At this point the company in question has to scramble both to fix the problem, and deal with the PR hit they just took.

    2. (Bad for the public) Security researchers don't inform anyone, which might seem great at first. Except just because they aren't looking doesn't mean others aren't, and eventually (not 'if', but 'when') someone with less noble intentions will find what vulnerabilities there are, and use them.

    I get the feeling Oracle is probably hoping for the latter, as it screws over their customers rather than them, and why would they care about their customers?

  53. identicon
    Anonymous Coward, 11 Aug 2015 @ 1:49pm

    Re: Anyone who ever says "To protect our intellectual property"...

    So walk it through. Does reverse engineering alone violate any of Oracle's ...

    ... patents? No, the patent discloses the invention, so reverse engineering will not disclose anything about the patent not already disclosed.

    ...copyrights? No, because making identical copies does not require reverse engineering in the first place and because something more, such as making a derivative work, would be needed in addition to the reverse engineering.

    ...trademarks? No, because there are no trademark rights in reverse-engineered code and mere reverse engineering is not use-in-commerce.

    ...trade secrets? No, because if they are distributing them to customers, they are not trade secrets.

    So, no, this is not about protecting intellectual-property rights. This is about the next paragraph in a typical Oracle agreement:
    ORACLE DOES NOT GUARANTEE THAT THE PROGRAMS WILL PERFORM ERROR-FREE OR UNINTERRUPTED OR THAT ORACLE WILL CORRECT ALL PROGRAM ERRORS.

    All that's missing is a statement at the end saying, "...or that Oracle even wants to know about all program errors." Ignorance is bliss.

  54. identicon
    Anonymous Coward, 11 Aug 2015 @ 2:38pm

    Re: Hey, why don't you be completely transparent about Techdirt's defenses, and encourage everyone to test them? Or is that YOUR "intellectual property" you want kept secret?

    This makes me think of the neighbor's kid coming over to tell me my door is unlocked. Right after I lock it and sit back down, knock knock knock... he's back to inform me that my bathroom window is open. Then again with the back door, and after that an observation that I left my lawn mower out and my car keys are still in my car, which is also unlocked. One disclosure at a time. Of course, he'd also appreciate a cookie for his efforts.

    Yeah, that would get really annoying after a while. But you know what? That's what every day is like in IT security. And you get not just ONE kid, but hundreds of them, all telling you your front door is unlocked (which of course is probably due to the fact that you keep opening it to talk to them).

    So sure, there's vulnerabilities and there's vulnerabilities. Some are known and mitigated, but keep being reported, and some are "Wait -- our product has behaved like that for HOW MANY YEARS????" vulnerabilities. You put up with the first because of the second. And the second isn't likely to be found by an internal team.

    So Oracle was framing it in terms of "We don't want other people analyzing how we do things... we KNOW how we do things thank you very much, and how we do it is what makes us unique/valuable in the DB market" and the parent commenter was framing it in terms of "These 'helpful' researchers are bloody annoying. Please let us get back to actually securing/improving the product, stop wasting our time, and stop attacking us."

    In truth, if you make computer hardware/software that is accessible from the Internet, you're being attacked all the time. Those who prod and report aren't attacking, they're securing a product they're actually using. This is also why they want to know how it works -- so that they know how to mitigate potential issues -- because there ARE people out there attacking the product, and THEY, not Oracle, will be the victims.

  55. identicon
    Mark Wing, 11 Aug 2015 @ 3:20pm

    The emperor wears no code.

  56. icon
    DaveK (profile), 11 Aug 2015 @ 3:35pm

    >"this is not about protecting intellectual-property rights"

    Oh, there's one thing you left out, probably because it shouldn't even need saying, but clearly it does:

    Infosec researchers are not reversing Oracle's software in order to pirate it.

  57. identicon
    Anonymous Coward, 11 Aug 2015 @ 4:49pm

    Re: Re: Re: Don't mind me, just moving to a more secure database...

    You should know better than to make such a stupid statement like that. Think about what you've said and you'll realise that it is easier to have the DBMS automate many of the normal DBA activities than it is for the DBMS to determine if a query is non-parameterised.

    That function belongs to the application interface, not the DBMS. It is the programmer's responsibility to handle this, not the DBMS's. It requires a case-by-case analysis of the business activity for the interface interaction, not vendor interference.

    Secondly, this is ORACLE we are talking about. They can't even deal with normal customer bug indicators.

  58. icon
    Mason Wheeler (profile), 11 Aug 2015 @ 4:59pm

    Re: Re: Re: Re: Don't mind me, just moving to a more secure database...

    Think about what you've said and you'll realise that it is easier to have the DBMS automate many of the normal DBA activities than it is for the DBMS to determine if a query is non-parameterised.

    How do you figure? Because if the parser and the AST it produces are designed in any remotely reasonable way at all, this is trivial: iterate over all binary expressions in the WHERE clause and determine if any of them don't contain a parameter reference.

    It is the programmer's responsibility to handle this, not the DBMS's. It requires a case-by-case analysis of the business activity for the interface interaction, not vendor interference.

    Yeah, that's been the go-to excuse for poor language design for decades now. "It's the programmer's responsibility for getting all the little details right. It's not the language's fault that everyone keeps making the very same class of mistake that's incredibly easy to make because doing it the obvious way is the wrong way to do it." It's always been a bunch of crap, and it still is.

  59. identicon
    Lawrence D’Oliveiro, 11 Aug 2015 @ 5:54pm

    Copy Also Available ...

    ... at seclists.org (link courtesy of Ars Technica).

  60. identicon
    Anonymous Coward, 11 Aug 2015 @ 6:04pm

    Leave the heavy lifting to the Russians and the Chinese, let's move on to something else.

  61. identicon
    Anonymous Coward, 11 Aug 2015 @ 6:08pm

    Re: Hey, why don't you be completely transparent about Techdirt's defenses, and encourage everyone to test them? Or is that YOUR "intellectual property" you want kept secret?

    Thank you for your wisdom. Mike refuses to listen to my assertions of my superior intelligence and even censors the well-deserved criticism I offer, despite my significant experience in aerospace and other areas of legal expertise. I found your dissertation to keep the cost of medicines high in support of the patents surrounding them to be most insightful.

    Please, allow me to bear your children.

  62. icon
    ltlw0lf (profile), 11 Aug 2015 @ 6:27pm

    Re:

    So, what I'm hearing her say is:

    "We produce perfect code. You don't need to check it over for bugs. There AIN'T none!"


    Sadly, her boss (Larry Ellison) said it nearly 12 years ago, and at that time she visited my company and did a song and dance at the time about how he didn't really mean it the way everyone heard it and that "Oracle is unbreakable, you can't break it" really depended on what the meaning of "is" is.

    We laughed her out of our company then and sadly, we still have idiots in our company that still use their product to this day despite numerous requests from the security team and the management to avoid the software like the plague, after they told us that they wouldn't release software patches unless we paid the ridiculous software support agreements for software we had already purchased at far more than we should have.

    I am with John on this one... if you still trust Oracle, after all these years, then you deserve all the pain you are feeling. Bush's "Fool me once, shame on you, fool me... you can't get fooled again" works really appropriately here.

  63. icon
    Uriel-238 (profile), 11 Aug 2015 @ 7:29pm

    Maybe she's just generally defensive.

    Really not digging Mary Ann Davidson's don't worry your pretty little heads attitude.

    I'm also bothered about her defensiveness over hypothetical porn lit on her bookshelf in bad analogies. Her response is that we're misinterpreting the titles of her bookshelf when equally valid (if not more so) is It's my friggen bookshelf. I can have whatever steamy titles on it I want, and how dare you judge me!

    The last thing I want to hear from Ms. Davidson when some hacker cracks my Oracle system and publicizes its contents online is I'd take your Oracle issues more seriously if you weren't using our software to secure porn.

  64. identicon
    Anonymous Coward, 11 Aug 2015 @ 8:25pm

    Re: Re: Re: Re: Re: Don't mind me, just moving to a more secure database...

    How do you figure? Because if the parser and the AST it produces are designed in any remotely reasonable way at all

    Because this is pre-parser processing. The final string from the application interface is passed to the DBMS for processing (parsing, etc). The application interface does not (and should not) parse. Its job is to process the individual parameters and quote them correctly before concatenating these with the rest of the SQL appropriately and then forwarding the result to the DBMS. This is the programmer's responsibility. The application interface and the SQL generated are the business of the programmer and the business of the business.

    The DBMS should parse the sent SQL properly (like any parser) but it is not the DBMS's responsibility to determine what SQL is required.

    Yeah, that's been the go-to excuse for poor language design for decades now. "It's the programmer's responsibility for getting all the little details right. It's not the language's fault that everyone keeps making the very same class of mistake that's incredibly easy to make because doing it the obvious way is the wrong way to do it." It's always been a bunch of crap, and it still is.

    Language syntax and semantics are a completely different kettle of fish from the responsibility of the programmer. If the programmer is using a specific language then it is the responsibility of the programmer to understand both syntax and semantics of the language. If they keep getting it wrong then they should be moving on to a more favourable language. Secondly, if you are really having difficulties handling syntax, either use a syntax-directed editor or stop programming because you aren't suited to it. You are probably better suited to driving a bus.

    Just because a language is completely skew-whiff doesn't lessen the programmer's responsibility in program writing or knowing the ins and outs of the specific language.

    Finally, if you don't like a specific language, either develop your own (and see how really hard it is to get right) or change to a different language that you personally are more comfortable with.

    I would suggest the following language for simplicity: Remorse (it only has 2 characters . and _)
    I would suggest the following languages for getting tasks done: ICON, UnIcon, LISP, FORTH. Each of these has a different learning curve, but all allow you to be effective in getting the tasks done. I would also suggest that you leave all the modern versions of COBOL alone (C#, C++, Java, ISO 2014-COBOL, etc).

  65. identicon
    Anonymous Coward, 11 Aug 2015 @ 9:53pm

    Re: Re: Don't mind me, just moving to a more secure database...

    Perhaps Oracle would prefer that people sell them to black sites. They probably paid better anyway.

  66. identicon
    Anonymous Coward, 11 Aug 2015 @ 11:14pm

    Mnnn, maybe, just maybe, this is about their fear that their customers will discover that the product they are paying through the nose for is now just a custom compile of the open source competitor.

  67. icon
    PaulT (profile), 11 Aug 2015 @ 11:45pm

    Re: What I get of Oracle's view is that it'd be better if "white hat" "researchers" didn't pick at code so much that ends up only helping "black hats",

    " if "white hat" "researchers" didn't pick at code so much that ends up only helping "black hats" "

    So, you're saying that the black hats could never find code on their own and there'd be fewer problems if only the people actually trying to help secure the product would stop doing so? That's even dumber than the idea of "security through obscurity".

    "I don't understand why you 'dirters don't like me finding vulnerabilities in the writing here! I'm a "white hat" critic, see? Only want to improve the product."

    No, you lie, distort and launch impotent personal attacks, all with a misplaced sense of smug self-importance. This is not constructive criticism, and doesn't improve anything more than your broken ego.

    If you wanted to "improve the product", you'd give constructive criticism about what was actually incorrect, with solid citations and suggestions on why it was wrong. Instead, you supplied a laughable premise, and whining that Mike picked a phrase stated in the first quoted "answer" paragraph of Oracle's Q&A to use in this article's title. How dare he accurately quote them! On top of that, given that the Oracle article has been removed since this was written, even they realise it's indefensible.

    Oh well, keep at it, you might stumble across factual logic at least once.

  68. identicon
    Anonymous Coward, 12 Aug 2015 @ 7:17am

    Ars is reporting that Oracle sent the following email to the "press":
    The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers.

    If true, wow.

  69. identicon
    Anonymous Coward, 12 Aug 2015 @ 8:37am

    Re: Re:

    You sick fuck, Slonecker.

  70. identicon
    Tim, 12 Aug 2015 @ 2:18pm

    Re: Re: Re: Don't mind me, just moving to a more secure database...

    I can easily concat my url parameters into my query, directly and without any quoting, and add a few parameters too, thus spoofing your "protection" mechanism. And I've seen code that does that, it's not just a hypothetical.

    So what do you expect to achieve with such a "feature"?

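Mason Wheeler's AST check above and Tim's objection to it, as an added example that is not part of the thread: a constructed toy WHERE-clause parser in Python (column names, the spliced value and the `?` bind marker are assumptions) showing that a per-comparison check flags a spliced literal while a statement-level "uses parameters at all" check does not, and that a legitimate developer constant looks identical to a spliced one once it is text.

```python
import re
from dataclasses import dataclass

# Toy tokenizer: bind marker, single-quoted string ('' escapes a quote),
# integer, identifier/keyword, comparison operator. Whitespace is skipped.
_TOKEN = re.compile(
    r"\s*(?:(?P<param>\?)|(?P<str>'(?:[^']|'')*')|(?P<num>\d+)"
    r"|(?P<ident>[A-Za-z_]\w*)|(?P<op><>|<=|>=|!=|[=<>]))"
)
_OPS = {"=", "<>", "!=", "<", ">", "<=", ">="}

def tokenize(sql: str) -> list[str]:
    tokens, pos = [], 0
    sql = sql.strip()
    while pos < len(sql):
        m = _TOKEN.match(sql, pos)
        if m is None:
            raise ValueError(f"cannot tokenize at offset {pos}: {sql[pos:]!r}")
        tokens.append(m.group(m.lastgroup))
        pos = m.end()
    return tokens

@dataclass(frozen=True)
class Comparison:
    left: str
    op: str
    right: str

    def is_parameterised(self) -> bool:
        # A comparison counts as parameterised when either side is a bind marker.
        return "?" in (self.left, self.right)

    def __str__(self) -> str:
        return f"{self.left} {self.op} {self.right}"

def parse_where(where: str) -> list[Comparison]:
    """Parse a flat clause `term op term (AND|OR term op term)*`.
    Parentheses, NOT and function calls are out of scope for this toy."""
    toks = tokenize(where)
    comps, i = [], 0
    while True:
        if i + 3 > len(toks) or toks[i + 1] not in _OPS:
            raise ValueError(f"expected `term op term` at token {i}: {toks[i:]}")
        comps.append(Comparison(toks[i], toks[i + 1], toks[i + 2]))
        i += 3
        if i == len(toks):
            return comps
        if toks[i].upper() not in {"AND", "OR"}:
            raise ValueError(f"expected AND/OR, got {toks[i]!r}")
        i += 1

def has_any_parameter(where: str) -> bool:
    """Statement-level check: does the clause use bind parameters at all?"""
    return any(c.is_parameterised() for c in parse_where(where))

def unparameterised(where: str) -> list[str]:
    """Per-comparison check (the thread's AST walk): every comparison with no `?`."""
    return [str(c) for c in parse_where(where) if not c.is_parameterised()]

# Constructed sample clauses; column names and values are assumptions.
SAFE = "user_id = ? AND status = ?"
UNTRUSTED = "42 OR 1 = 1"  # constructed attacker-controlled text, spliced in unquoted
SPLICED = f"user_id = {UNTRUSTED} AND tenant = ?"  # has a `?`, so the statement-level check passes
CONSTANT = "status = 'active' AND owner = ?"  # a developer constant, flagged just like SPLICED

if __name__ == "__main__":
    for name, clause in [("SAFE", SAFE), ("SPLICED", SPLICED), ("CONSTANT", CONSTANT)]:
        print(f"{name:9} any-param={has_any_parameter(clause)!s:5} unparameterised={unparameterised(clause)}")
```

The CONSTANT case is the crux of the thread: once the clause reaches the DBMS as text, it cannot tell a developer's literal from a spliced one, so the check is either noisy or toothless.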

  71. identicon
    Anonymous Coward, 19 Aug 2015 @ 5:32am

    Re:

    Why break into something that is open?

  72. identicon
    Anonymous Coward, 19 Aug 2015 @ 1:20pm

    Re: Re: Re: Re: Don't mind me, just moving to a more secure database...

    They can deal with customers.
    They have a scheduled close-down system.
    Basically they set your 'case' to close down early on a Saturday morning, and tick a box marked 'do not inform customer'. Then the case is simply shut and no one takes responsibility.

  73. identicon
    Anonymous Coward, 19 Aug 2015 @ 1:22pm

    Re: Re: Don't mind me, just moving to a more secure database...

    Actually Oracle now has MORE people looking for that 13% of vulnerabilities.

    Lets see..who uses Oracle as a back-end...Sony...AshleyMadison and the Office of Personnel Management.

    Now..what do all those have in common?

  74. identicon
    klaus, 20 Aug 2015 @ 4:55am

    Not in the real world

    Clearly "Chief Security Officer" at Oracle must mean someone who carries a nightstick and a walkie-talkie, and not someone in charge of hardening their product line. Just off the top of my head:

    - The POODLE vulnerability was discovered by researchers at Google, not Oracle.

    - Oracle were told about TNS poisoning back in 2008 by a security researcher but didn't do a fix until 2012, and the (so called) fix is only a partial fix...

    - Oracle's encryption uses ancient ciphers. They took to heart the decade old USA stance "encryption is a weapon and cannot be exported" and actually hobbled high-end encryption in code.

    It's clear to my mind that Oracle have adopted the TSA world-view of security. Theatre at its best.

  75. identicon
    Klaus, 20 Aug 2015 @ 5:10am

    Bogus numbers

    I don't believe those percentages. They don't stack up against published CVE codes nor Oracle's own bug / patch codes you see on MOS (My Oracle Support, the rebadged Metalink).

    Far more are discovered by customers than they are admitting.

  76. identicon
    Anonymous Coward, 22 Aug 2015 @ 9:55am

    Them Ain't Bugs!

    Them's Features - Oracle says so! And don't you dare question them!

  77. icon
    brianbonham (profile), 10 Apr 2017 @ 8:34am

    Definitely respecting that. I myself being a small based data system(https://www.patchvantage.com/) is so careful dealing on their products and just using the proper guidelines.

