# Oracle tells its customers to stop analyzing its code



## Hxxx (Aug 13, 2015)

http://www.extremetech.com/computing/212038-oracle-tells-its-customers-to-stop-analyzing-its-code-for-security-flaws#disqus_thread

Source ^ :



Quote said:


> Oracle’s chief security officer, Mary Ann Davidson, would really, really like it if the company’s customers and independent security researchers would stop performing any kind of analysis on the company’s code base. And she probably has a new mystery novel coming out soon!
> 
> In a now-deleted blog post, Davidson name-dropped her nom de plume as a mystery author (she works in collaboration with her sister), before getting to the heart of the matter — she’s just plain sick and tired of pesky customers who hire independent contractors or analysts to perform a code analysis of Oracle software, then have the gall to send those analyses to Oracle and claim there might be a problem. Thanks to the magic of Google and some annoyed researchers, her post remains available in various corners of the web.
> 
> ...


What's your take on this?


----------



## wlanboy (Aug 13, 2015)

This was a big *lol* for me.
It is a solution for their bug-o-matic software: kill everyone who finds a security issue - but there are enough people searching for them.
To sue the white-hats is not clever at all.


----------



## IndoVirtue (Aug 13, 2015)

Real men use 'security by obscurity'. Oh wait...

Joking aside, Oracle should actually be thankful that those 'customers and independent security researchers' took their time doing it, which is actually a good intent to improve the code base towards so-called perfect. If anything, it's harmless. And it's a lot better than an actual evil hacker discovering it in the future and messing the company and its customers up.


----------



## GIANT_CRAB (Aug 13, 2015)

Oracle is no longer relevant. MySQL is replaced by MariaDB. Java is starting to become disabled on browsers. PeopleSoft has shitty code and people are starting to move away from shit.

Where else can they generate their revenue?


----------



## AuroraZero (Aug 13, 2015)

The more people like this complain about it, the more people will do it. The only thing she has done is piss off a bunch of people and make them want to prove to her that there are flaws and they can find them now. I would not be surprised if Oracle has an influx of reports now. She has defeated her purpose, unless she did this as some kind of stunt to get more attention. It may backfire on her though and cost Oracle and a lot of other people some things they were not willing to pay.


----------



## pcan (Aug 15, 2015)

It's just another proof of the long-time Oracle attitude towards their customers. This is not even the worst one; they are used to sudden increases of maintenance fees and to force-buying unnecessary services. Some Oracle software is technically good, but the relentless exploitation of vendor lock-in is a hopelessly outdated sales tool. Not even IBM does this as it used to do in the past.

One of my first priorities at work was to kill all Oracle applications, one by one, no matter how well they worked and what they cost to build (usually in the range of several 100K each). This was painful at first, but saved lots of money and headaches in the long run.


----------



## joepie91 (Aug 15, 2015)

Gosh. I sure wonder what the effect of this is going to be on the supply of Oracle vulnerabilities on the black market.


----------



## Tyler (Aug 15, 2015)

You should _thank_ someone for analyzing your code and pointing out its holes. People pay for that service. Rather than telling customers to f*ck off, maybe it's time for Oracle to f*ck off.


----------



## libro22 (Aug 15, 2015)

Oh wow, I wonder what will replace Java in the enterprise market in the near future...

Depending on seals alone and distrusting security analysts, oh just wow, I can't imagine the chaos. I worry for her future.


----------



## Kephael (Aug 16, 2015)

GIANT_CRAB said:


> Oracle is no longer relevant. MySQL is replaced by MariaDB. Java is starting to become disabled on browsers. PeopleSoft has shitty code and people are starting to move away from shit.
> 
> Where else can they generate their revenue?



Oracle makes their money selling various software solutions to all sorts of industries; they don't make their money from Java and MySQL. Java browser applets have been dead for years, but Java is easily the most popular language for business applications.


----------



## wlanboy (Aug 16, 2015)

libro22 said:


> Oh wow, I wonder what will replace Java in the enterprise market in the near future..
> 
> Depending on seals alone and distrusting security analysts, oh just wow, I can't imagine the chaos. I worry for her future.



Java will not die soon.
A lot of DB2 and COBOL stuff was ported to Java using the native interface for C/C++. The second big bag is all the SAP stuff. The third one is the Oracle databases.
Travel industry, insurance corps, banks, ... are using Java. They moved their stuff from X/Y/Z to Java some years ago. Spent billions and are now running their backends on Java.
Hiding all the business logic and databases behind JAXB/JAX-WS/JAX-RS (XML, web services, REST services).
Frontend systems normally based on Java, PHP, JS.

Keep in mind that the "all things have to be built with one tool" days are over. Seeing a lot of Oracle databases fed by WPF clients and Python-based web frontends.


----------



## Hxxx (Aug 16, 2015)

Worth mentioning that big companies have their core systems running in a mix of MS SQL and Oracle.


----------



## Dylan (Aug 16, 2015)

GIANT_CRAB said:


> Oracle is no longer relevant. MySQL is replaced by MariaDB. Java is starting to become disabled on browsers. PeopleSoft has shitty code and people are starting to move away from shit.
> 
> Where else can they generate their revenue?



The same way they've always generated their revenue: enterprise software like RDBMS and Fusion.


----------



## graeme (Sep 7, 2015)

I love the second-last paragraph. Oracle refers to those reverse engineering its code as "sinning". The article says:



> Sinning. A word generally defined as _an immoral act considered to be a transgression against divine law._ I’m no religious scholar, but I don’t recall the Gospel According to EULA, in which Christ rails against security consultants and declares “Blessed are the naively trusting, for they shall not be hacked.” Davidson _hates_ code analysis, as she makes clear in other blog posts.


Not such an issue for Java: you could just use the pure open source version. I do not think there is much difference between them any more, and OpenJDK is what you will get from most Linux repos (which makes updates easier).

On the other hand, it's not going to stop people using Oracle, but it is going to put at least some people off. What have they got to hide?


----------



## fixidixi (Sep 8, 2015)

> Oracle is no longer relevant. MySQL is replaced by MariaDB. Java is starting to become disabled on browsers. PeopleSoft has shitty code and people are starting to move away from shit.
> 
> Where else can they generate their revenue?



Oh man, have you ever seen an enterprise db? Well, there are a whole bunch of sw solutions using it along with all the sw they ship themselves..

hint http://www.oracle.com/us/products/applications/siebel/overview/index.html

trust me, oracle is such a monster and their db alone is used in enough core systems that it's going to be around for... [sigh] yeah you never know but.. ..long enough


----------



## fixidixi (Sep 8, 2015)

> You should _thank_ someone for analyzing your code and pointing out its holes. People pay for that service. Rather than telling customers to f*ck off, maybe it's time for Oracle to f*ck off.



..or at least should do real audits on its own codebase.. ..and be thankful for those who report issues.. ..as I'm sure there are *some*..


----------



## Hxxx (Sep 8, 2015)

Exactly, I mean if you have a million customers behind your code, testing it, exploiting it but reporting the findings, I don't see how it is an issue, as long as they impose a set of rules for these reports/findings.


----------



## HN-Matt (Sep 9, 2015)

> I love the second last para. Oracle refers to those reverse engineering its code as "sinning". The article says:
> 
> 
> 
> > Sinning. A word generally defined as _an immoral act considered to be a transgression against divine law._ I’m no religious scholar, but I don’t recall the Gospel According to EULA, in which Christ rails against security consultants and declares “Blessed are the naively trusting, for they shall not be hacked.”



The security industry exists to serve the 'naively trusting' and the ignorant among others, to protect them from getting hacked. Ergo,

*gets mad at the whitehats*

Maybe Oracle has enough grey-blackhat protection rackets in place and is tired of superfluous whitehat intervention?


----------

