amuck-landowner

Oracle tells its customers to stop analyzing its code

Hxxx

Active Member
http://www.extremetech.com/computing/212038-oracle-tells-its-customers-to-stop-analyzing-its-code-for-security-flaws#disqus_thread

Source:

Quote:
Oracle’s chief security officer, Mary Ann Davidson, would really, really like it if the company’s customers and independent security researchers would stop performing any kind of analysis on the company’s code base. And she probably has a new mystery novel coming out soon!

In a now-deleted blog post, Davidson name-dropped her nom de plume as a mystery author (she works in collaboration with her sister), before getting to the heart of the matter — she’s just plain sick and tired of pesky customers who hire independent contractors or analysts to perform a code analysis of Oracle software, then have the gall to send those analyses to Oracle and claim there might be a problem. Thanks to the magic of Google and some annoyed researchers, her post remains available in various corners of the web.

In the post, Davidson acknowledges that the current state of Internet security is enough to make anyone paranoid, but then states that consumers should take every possible step to lock down every possible flaw before even considering performing a code analysis. She’d also like you to know that under the terms of the Oracle license agreement, you are explicitly forbidden from performing that analysis anyway, regardless of how important you think it is.

(Image: Oracle’s organization.)

The entire post is a masterful exercise in condescension to the same customers that pay her company huge licensing fees. Customer concern about zero-day exploits is dismissed as hyperventilating. According to Davidson, customers should be “talking to suppliers about their assurance programs or checking certifications for products for which there are Good Housekeeping seals for (or ‘good code’ seals) like Common Criteria certifications or FIPS-140 certifications.” Actual research is for chumps and license violators — real customers know that security is provided by a logo, a sticker, and a bit of glue.

(Image: Mary Ann Davidson. The title on the slide really makes this work.)

The worst customers are the ones who use tools (or hire analysts to use tools) and then submit those reports to Oracle and ask for clarification over whether or not a detected flaw is actually real. Davidson correctly notes that scan reports aren’t actually proof of a real problem, but if Oracle detects that a report was generated by reverse-engineering their code, “we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf – reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already.”

 

Sinning. A word generally defined as an immoral act considered to be a transgression against divine law. I’m no religious scholar, but I don’t recall the Gospel According to EULA, in which Christ rails against security consultants and declares “Blessed are the naively trusting, for they shall not be hacked.” Davidson hates code analysis, as she makes clear in other blog posts.

I’d just like to take a moment to remind everyone that Oracle — the company screaming “No, seriously, TRUST US,” also maintains and continues to ship Java.

That is all.
What's your take on this?
 

wlanboy

Content Contributer
This was a big *lol* for me.
It is a solution for their bug-o-matic software to kill everyone who finds a security issue - but there are enough people searching for them.
To sue the white-hats is not clever at all.
 
 

IndoVirtue

New Member
Verified Provider
Real men use 'security by obscurity'. Oh wait...

Joking aside, Oracle should actually be thankful that those 'customers and independent security researchers' took the time to do it, which shows a genuine intent to improve the code base towards so-called perfection. If anything, it's harmless. And it's a lot better than an actual evil hacker discovering it in the future and messing the company and its customers up.
 

GIANT_CRAB

New Member
Oracle is no longer relevant. MySQL is replaced by MariaDB. Java is starting to become disabled on browsers. PeopleSoft has shitty code and people are starting to move away from shit.

Where else can they generate their revenue?
 

AuroraZero

Active Member
The more people like this complain about it, the more people will do it. The only thing she has done is piss off a bunch of people and make them want to prove to her that there are flaws and they can find them now. I would not be surprised if Oracle has an influx of reports now. She has defeated her purpose, unless she did this as some kind of stunt to get more attention. It may backfire on her, though, and cost Oracle and a lot of other people some things they were not willing to pay.
 

pcan

New Member
It's just another proof of the long-time Oracle attitude towards their customers. This is not even the worst one; they are used to sudden increases of maintenance fees and to force-buying unnecessary services. Some Oracle software is technically good, but the relentless exploitation of vendor lock-in is a hopelessly outdated sales tool. Not even IBM does this as it used to do in the past.

One of my first priorities at work was to kill all Oracle applications, one by one, no matter how well they worked and what they cost to build (usually in the range of several 100K each). This was painful at first, but saved lots of money and headaches in the long run.
 

joepie91

New Member
Gosh. I sure wonder what the effect of this is going to be on the supply of Oracle vulnerabilities on the black market.
 

Tyler

Active Member
You should thank someone for analyzing your code and pointing out its holes. People pay for that service. Rather than telling customers to f*ck off, maybe it's time for Oracle to f*ck off.
 

libro22

Member
Oh wow, I wonder what will replace Java in the enterprise market in the near future.. 

Depending on seals alone and distrusting security analysts, oh just wow, I can't imagine the chaos. I worry for her future.
 

Kephael

New Member
Oracle is no longer relevant. MySQL is replaced by MariaDB. Java is starting to become disabled on browsers. PeopleSoft has shitty code and people are starting to move away from shit.

Where else can they generate their revenue?

Oracle makes their money selling various software solutions to all sorts of industries, they don't make their money from Java and MySQL. Java browser applets have been dead for years but Java is easily the most popular language for business applications.
 

wlanboy

Content Contributer
Oh wow, I wonder what will replace Java in the enterprise market in the near future.. 

Depending on seals alone and distrusting security analysts, oh just wow, I can't imagine the chaos. I worry for her future.

Java will not die soon.
A lot of DB2 and COBOL stuff was ported to Java using the native interface for C/C++. The second big bag is all the SAP stuff. The third one is the Oracle databases.
Travel industry, insurance corps, banks, ... are using Java. They moved their stuff from X/Y/Z to Java some years ago. Spent billions and are now running their backends on Java.
Hiding all the business logic and databases behind JAXB/JAX-WS/JAX-RS (XML, web services, REST services).
Frontend systems normally based on Java, PHP, JS.

Keep in mind that the days of "all things have to be built with one tool" are over. Seeing a lot of Oracle databases fed with WPF clients and Python-based web frontends.
 

Hxxx

Active Member
Worth mentioning that big companies have their core systems running in a mix of MS SQL and Oracle. 
 

Dylan

Active Member
Oracle is no longer relevant. MySQL is replaced by MariaDB. Java is starting to become disabled on browsers. PeopleSoft has shitty code and people are starting to move away from shit.

Where else can they generate their revenue?

The same way they've always generated their revenue: enterprise software like RDBMS and Fusion.
 

graeme

Active Member
I love the second last para. Oracle refers to those reverse engineering its code as "sinning". The article says:

Sinning. A word generally defined as an immoral act considered to be a transgression against divine law. I’m no religious scholar, but I don’t recall the Gospel According to EULA, in which Christ rails against security consultants and declares “Blessed are the naively trusting, for they shall not be hacked.” Davidson hates code analysis, as she makes clear in other blog posts.
Not such an issue for Java: you could just use the pure open source version. I do not think there is much difference between them any more, and OpenJDK is what you will get from most Linux repos (which makes updates easier).

On the other hand, it's not going to stop people using Oracle, but it is going to put at least some people off. What have they got to hide?
 

fixidixi

Active Member
Oracle is no longer relevant. MySQL is replaced by MariaDB. Java is starting to become disabled on browsers. PeopleSoft has shitty code and people are starting to move away from shit.

Where else can they generate their revenue?

Oh man, have you ever seen an enterprise DB? Well, there are a whole bunch of SW solutions using it along with all the SW they ship themselves..

hint http://www.oracle.com/us/products/applications/siebel/overview/index.html

Trust me, Oracle is such a monster and their DB alone is used in enough core systems that it's going to be around for... [sigh] yeah, you never know but.. ..long enough :)
 

fixidixi

Active Member
You should thank someone for analyzing your code and pointing out its holes. People pay for that service. Rather than telling customers to f*ck off, maybe it's time for Oracle to f*ck off.

..or at least should do real audits on its own codebase.. ..and be thankful for those who report issues.. ..as I'm sure there are *some*..
 

Hxxx

Active Member
Exactly. I mean, if you have a million customers behind your code, testing it, exploiting it, but reporting the findings, I don't see how it is an issue, as long as they impose a set of rules for these reports/findings.
 

HN-Matt

New Member
Verified Provider
I love the second last para. Oracle refers to those reverse engineering its code as "sinning". The article says:

Sinning. A word generally defined as an immoral act considered to be a transgression against divine law. I’m no religious scholar, but I don’t recall the Gospel According to EULA, in which Christ rails against security consultants and declares “Blessed are the naively trusting, for they shall not be hacked.”

The security industry exists to serve the 'naively trusting' and the ignorant among others, to protect them from getting hacked. Ergo,

*gets mad at the whitehats*

Maybe Oracle has enough grey-blackhat protection rackets in place and is tired of superfluous whitehat intervention?
 