Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Oracle Bug Databases Security Software IT

Oracle Exec: Stop Sending Vulnerability Reports 229

florin writes: Oracle chief security officer Mary Ann Davidson published a most curious rant on the company's corporate blog yesterday, addressing and reprimanding some pesky customers that just will not stop bothering her. As Mary put it: "Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it." She goes on to describe how the company deals with such shameful activities, namely that "We send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer's behalf — reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already."

Later on, in a section intended to highlight how great a job Oracle itself was doing at finding vulnerabilities, the CSO accidentally revealed that customers are in fact contributing a rather significant 1 out of every 10 vulnerabilities: "Ah, well, we find 87 percent of security vulnerabilities ourselves, security researchers find about 3 percent and the rest are found by customers." Unsurprisingly, this revealing insight into the company's regard for its customers was removed later. But not before being saved for posterity.
This discussion has been archived. No new comments can be posted.

Oracle Exec: Stop Sending Vulnerability Reports

Comments Filter:
  • Piss off (Score:5, Insightful)

    by bluefoxlucid ( 723572 ) on Tuesday August 11, 2015 @01:11PM (#50294627) Homepage Journal

    We and the blackhat hacker network can find our own vulnerabilities. We will protect you on our own schedule. If you are stabbed, control the bleeding as best you can; if you are shot, try to walk it off.

    • by Anonymous Coward on Tuesday August 11, 2015 @01:38PM (#50294843)

      Mary Ann Davidson Blog
      Â Is Your Shellshocked... | Main
      No, You Really Canâ(TM)t
      By User701213-Oracle on Aug 10, 2015

      I have been doing a lot of writing recently. Some of my writing has been with my sister, with whom I write murder mysteries using the nom-de-plume Maddi Davidson. Recently, weâ(TM)ve been working on short stories, developing a lot of fun new ideas for dispatching people (literarily speaking, though I think about practical applications occasionally when someone tailgates me).

      Writing mysteries is a lot more fun than the other type of writing Iâ(TM)ve been doing. Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. This is why Iâ(TM)ve been writing a lot of letters to customers that start with âoehi, howzit, alohaâ but end with âoeplease comply with your license agreement and stop reverse engineering our code, already.â

      I can understand that in a world where it seems almost every day someone else had a data breach and lost umpteen gazillion records to unnamed intruders who may have been working at the behest of a hostile nation-state, people want to go the extra mile to secure their systems. That said, you would think that before gearing up to run that extra mile, customers would already have ensured theyâ(TM)ve identified their critical systems, encrypted sensitive data, applied all relevant patches, be on a supported product release, use tools to ensure configurations are locked down â" in short, the usual security hygiene â" before they attempt to find zero day vulnerabilities in the products they are using. And in fact, there are a lot of data breaches that would be prevented by doing all that stuff, as unsexy as it is, instead of hyperventilating that the Big Bad Advanced Persistent Threat using a zero-day is out to get me! Whether you are running your own IT show or a cloud provider is running it for you, there are a host of good security practices that are well worth doing.

      Even if you want to have reasonable certainty that suppliers take reasonable care in how they build their products â" and there is so much more to assurance than running a scanning tool - there are a lot of things a customer can do like, gosh, actually talking to suppliers about their assurance programs or checking certifications for products for which there are Good Housekeeping seals for (or âoegood codeâ seals) like Common Criteria certifications or FIPS-140 certifications. Most vendors â" at least, most of the large-ish ones I know â" have fairly robust assurance programs now (we know this because we all compare notes at conferences). Thatâ(TM)s all well and good, is appropriate customer due diligence and stops well short of âoehey, I think I will do the vendorâ(TM)s job for him/her/it and look for problems in source code myself,â even though:

      A customer canâ(TM)t analyze the code to see whether there is a control that prevents the attack the scanning tool is screaming about (which is most likely a false positive)

      A customer canâ(TM)t produce a patch for the problem â" only the vendor can do that

      A customer is almost certainly violating the license agreement by using a tool that does static analysis (which operates against source code)

      I should state at the outset that in some cases I think the customers doing reverse engineering are not always aware of what is happening because the actual work is being done by a consultant, who runs a tool that reverse engineers the code, gets a big fat printout, drops it on the customer, who then sends it to us. Now, I should note that we donâ(TM)t just accept scan reports as âoeproof that there is a there, there,â in part because whether you are talking static or dynamic analysis, a scan report is not proof of an actual vulnerability. Often, they are not much more than a pile of steaming ⦠FUD. (That is what

      • So, she's saying no heads up on zero-day vulnerabilities?

        Let's hope everyone hears that loud and clear.

      • by Fwipp ( 1473271 )

        That actually sounds pretty sensible. It seems like much of her frustration is from people blindly running static analysis tools on their code, finding false-positive vulns, and wasting Oracle's time and making it more difficult to identify legitimate security vulnerabilities.

        Much more reasonable than the summary made it out to be, thanks.

        • Someone commented and/or tweeted that having no sympathy for her stance means that you've never been handed a 400 page Nessus report and been told to "Fix it all." So, yeah, I have some sympathy from that angle. However, one can't deny the value of outside research and analysis when she writes herself that 10% of the vulnerabilities found come from either the customer base or researchers.
        • by dbIII ( 701233 ) on Tuesday August 11, 2015 @10:04PM (#50298413)

          It seems like much of her frustration is from people blindly running static analysis tools on their code, finding false-positive vulns,

          She's not happy about the true positives either - don't look at our stuff if it bugs out is the message she is sending here.

          If the vendors I buy stupidly expensive stuff from starting acting that way I would inform them where they could put their lawyers and go looking for another vendor. I've had to reverse engineer some buggy commercial software on several occasions to find workarounds so that users can get stuff done, and have informed the vendor, who then informed their other customers (known problems list), fixed it or both.

        • by rastos1 ( 601318 ) on Wednesday August 12, 2015 @02:35AM (#50299253) Homepage

          That actually sounds pretty sensible.

          No, it does not. A question "What does Oracle do if there is an actual security vulnerability?" is answered with "you found this because you reverse-engineered our code". That does not have to be true. On the other hand if I perform operation X and the product crashes, then they won't accept a submission unless you "provide a test case to verify that the alleged vulnerability is exploitable"

          I read that clearly as "we do not want you to report any problems" and that makes their vulnerability reporting system just a PR thing.

        • by Raenex ( 947668 )

          That actually sounds pretty sensible.

          Most of it is, except for the, paraphrasing, "How dare you reverse engineer our code to look for vulnerabilities, violating your license agreement, you naughty customer!"

      • static analysis of Oracle XXXXXX

        Somebody should explain the idiot that the advanced tools for the code analysis are capable of checking (and instrumenting) the binary compiled code already for at least a decade.

        When in the past I used the Rational Purify on the applications linked against the Oracle client, there were more that 200 Purify warnings coming from the Oracle libraries, and that before the main() was even reached. Draw conclusions yourself.

        P.S. A global public variable - by all indications `int count;` - in the Oracle clien

    • Re:Piss off (Score:5, Interesting)

      by Penguinisto ( 415985 ) on Tuesday August 11, 2015 @01:54PM (#50294951) Journal

      Well, Oracle (or a flack thereof) explained why they dumped the post (quoted in full [zdnet.com] in an update on TFA):

      "The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers."

      Methinks Ms. Davidson may find herself forced into 'spending more time with her family', and updating her resumé fairly soon...

      • Re:Piss off (Score:5, Insightful)

        by Lumpy ( 12016 ) on Tuesday August 11, 2015 @01:58PM (#50294995) Homepage

        She should, and Oracle should stop hiring incompetent rich idiots for executive positions where they should actually know something about Security and Programming.

        This is the biggest problem, The trend over the past 15 years, Executives in many american corporations are drooling morons when it comes to knowing anything about what they are supposed to be in charge of.

        CSO should have a frigging clue.

        • Re:Piss off (Score:4, Insightful)

          by bluefoxlucid ( 723572 ) on Tuesday August 11, 2015 @02:13PM (#50295145) Homepage Journal
          They don't need to know anything about security and programming; they need to know about management. Managers should come ask the technical people how this impacts their business in a practical sense, not go whining about whatever throws them into a purely-emotional fit of pearl-clutching. That's what makes a VP or CEO competent: the ability to survey their business and identify how every significant factor impacts their strategies.
          • It should be a mix of both.

            You need to look both inwards & outwards before determining your strategies.

          • Re:Piss off (Score:5, Insightful)

            by garyisabusyguy ( 732330 ) on Tuesday August 11, 2015 @02:44PM (#50295395)

            A Business manager should be able to recognize their own company's Strengths, Weaknesses, Opportunities and Threats (SWOT)

            If they think that having customers notify them when they identify a Weakness in their product then they are missing out on an Opportunity to identify a Threat, or three of the four things that they should be doing, definitely not a Strength that will keep them in their position

            Sticking her head in the sand, so to speak, prevents her from getting her own product experts involved, improving their product, allaying the fears of their customers and holding both their competitors and the 'bad guys' at bay.

          • by sjames ( 1099 )

            They *DO* need to know enough that the answer to their questions doesn't sound like "We must astrocate the frobnicator or someone might wibble the flibberdejibit forthwith".

            If they want to be at all respected among the ranks, they must know enough not to instruct the janitorial staff to be on the lookout for the token that fell out of a network cable.

          • They don't need to know anything about security and programming; they need to know about management

            They need to know enough about a topic to be able to know what questions to ask their experts otherwise they are not fit to be anything other than an administrative assistant to someone who does. Not having enough background leads to stupid and expensive mistakes.

            One in a company I worked for, who "knew about management", was put in charge of a non-destructive testing division. He failed to consider that in

        • by bungo ( 50628 )

          Well, it's easy to diss someone that you don't know. From one blog post, you assume that you know everything about her?

          I've actually emailed with her over a big security issue. She delt with it quickly and professionally. She understood the significance and very quickly (almost unheard of quickness for Oracle) had a patch produced and a security notice issued.

          She is not a moron, even if she has a different perspective from you.

          And this was around 20 years ago. I'm sure she's got more knowledgeable since.

          • by dbIII ( 701233 )

            Well, it's easy to diss someone that you don't know. From one blog post, you assume that you know everything about her?

            It tells us quite a bit about what she has written in the blog post - which is far more than I want to know about her and does not impress at all. It's not exactly very professional is it? It looks like she has a very different idea of what her job is to what the customers think her job is. The message along the lines of "report the bug and we send in the lawyers", presented with various

            • The message along the lines of "report the bug and we send in the lawyers",

              Thus my favourite tweet [twitter.com] about this:

              It stops the reverse engineering or else it gets the EULA again.

              Brilliant.

      • Bah, C-level position at a company like Oracle ... even if they fired her she'll probably walk out with a few tens of millions of "shareholder value" for her troubles.

        Because, you know, hiring unqualified people at the C level doesn't mean when you fire them you don't pay them the severance.

        I'll make an open offer to any fortune 500 company .... I'll incompetently manage your company for 25% of what you're paying your current CEO and 25% of the severance, provided total compensation is no less than $20 mill

        • Hiring competent CEOs would obviously save money.
          • Except nobody ever bothers with that.

            They take someone who has already failed as a CEO and decide that failing there means an improved chance of success over there.

            And then they end up with a CEO who has failed at another place.

            And then another board decides that having failed twice as a CEO, they're either a really good candidate to be CEO, or should at least sit on the board to pick the next CEO.

      • Re:Piss off (Score:5, Interesting)

        by Aaden42 ( 198257 ) on Tuesday August 11, 2015 @04:54PM (#50296559) Homepage

        This policy is long-standing. Probably over 10 years ago at this point we found and fixed a connection leak in Oracle's own JDBC driver by decompiling, fixing, and recompiling the affected class. To say they were displeased would be polite.

        It was a production-down issue, we fixed it after their support flailed on it for several days, and they still had the nerve to send us a nastygram for it.

        • by HnT ( 306652 )

          Same story here, production-halting problem and Oracle's support was completely useless, the "consultant" that was eventually sent on-site was completely useless... we decompiled it, fixed it and got things going again. We were then even nice enough to send our analysis to the support, explained the bug and added the fix - guess what, they told us we couldn't possibly know and our fix was wrong.

          Three months(!) later they finally published an official patch with pretty much the exact same code. Frakk oracle.

  • Cocaine (Score:4, Insightful)

    by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Tuesday August 11, 2015 @01:13PM (#50294639) Homepage

    I did not realise that this was available for free use to Oracle executives to help them reduce the stress induced by pesky customers who are trying to obtain a good service.

    • by KGIII ( 973947 )

      I have done a lot of cocaine - enough to make Kieth Richards blush, and I feel obligated to tell you that cocaine use does not reduce stress. It does make you gabby. It does not do a damned thing to relax you. That is what opiates are for.

  • Link to full text (Score:5, Informative)

    by aitikin ( 909209 ) on Tuesday August 11, 2015 @01:13PM (#50294645)
    As it's been taken down: http://www.scribd.com/doc/2741... [scribd.com]
  • by Anonymous Coward on Tuesday August 11, 2015 @01:14PM (#50294647)

    The masses are so much more compliant when you convince them that crime is a sin.

    Fuck you, Oracle.

    • Matthias: Look, I don't think it should be a sin, just for saying "Jehovah".
      [Everyone gasps]
      Jewish Official: You're only making it worse for yourself!

  • Account to CSO (Score:5, Interesting)

    by binarylarry ( 1338699 ) on Tuesday August 11, 2015 @01:14PM (#50294657)

    It's interesting that Mary Ann Davidson was an accountant and then became the CSO at Oracle.

    • by Pseudonymous Powers ( 4097097 ) on Tuesday August 11, 2015 @01:28PM (#50294757)

      CEO (on phone): Hey, I want to promote Mary Ann Davidson for her years of excellent service in our accounting department. We're going to make her CFO!

      HR Director: Wow, you're making Mary Ann CSO?

      CEO: Yes, CFO! Congratulate her for me.

      HR Director: Are you sure, sir? I mean... Mary Ann... CSO?

      CEO: Yes, of course! She'll make a great CFO!

      HR Director: Do you think she's qualified to be CSO?

      CEO: What do you mean? Of course she's more than qualified to be CFO!

      HR Director: Wait, you're saying CSO, right?

      CEO: Yeah, CFO!

      HR Director: CSO?

      CEO: CFO.

      HR Director: CSO?

      CEO: CFO!

      HR Director: Okay, I think we're on the same page here.

    • Re:Account to CSO (Score:5, Informative)

      by ClickOnThis ( 137803 ) on Tuesday August 11, 2015 @01:44PM (#50294895) Journal

      It's interesting that Mary Ann Davidson was an accountant and then became the CSO at Oracle.

      Accountant? Citation please. I can't find any evidence she was ever an accountant at Oracle.

      According to the brief wikipedia article on her, she joined Oracle in 1988 as a product manager, and became a product marketing manager in their computer-security division in 1993. Not exactly hard-core tech, but not an accountant either.

      https://en.wikipedia.org/wiki/... [wikipedia.org]
      http://www.oracle.com/us/corpo... [oracle.com]

    • It's interesting that Mary Ann Davidson was an accountant and then became the CSO at Oracle.

      Dear god, are you kidding?

      So the qualifications for Oracle's CSO are ... what exactly?

      That said, you would think that before gearing up to run that extra mile, customers would already have ensured they've identified their critical systems, encrypted sensitive data, applied all relevant patches, be on a supported product release, use tools to ensure configurations are locked down -- in short, the usual security hygien

      • by Aaden42 ( 198257 )

        So the qualifications for Oracle's CSO are ... what exactly?

        The ability to make customers feel like the company Takes Security Seriously.

        So basically Oracle is [more] interested in license revenue than security?

        Yes.

      • So basically Oracle is interested in license revenue [rather] than security?

        Well, uhh, yeah, of course. Why are you even asking that question?

  • by jimmifett ( 2434568 ) on Tuesday August 11, 2015 @01:20PM (#50294695)

    Aside from Java (which has it's own issues), Oracle's products are imo, craptastic. Horrid UIs, constantly crashing, slow, design decisions that make no sense, not modernizing, barely follow modern standards if at all, insanely overpriced (the least of the problems).

  • There. Fixed that for you.

  • Every single time (Score:5, Interesting)

    by silentcoder ( 1241496 ) on Tuesday August 11, 2015 @01:20PM (#50294699)

    ORACLE is in the news they confirm yet again that quitting was the single best career decision I ever made.
    The greatest thing about being an ex-oracle engineer is not working for Oracle anymore. I very much doubt anybody who has ever resigned from Oracle regrets it.

    Worst company I've ever had the misery to work for.

  • by Anonymous Coward on Tuesday August 11, 2015 @01:24PM (#50294723)

    And the irony is ...

    https://twitter.com/addelindh/status/631040188010131456

  • It just shows that Oracle is really more bark than bite. They *WARN* the researchers that they may take legal action.... but they never do. It's probably just as well anyway. Oracle probably has more lawyers than engineers now.
  • by phantomfive ( 622387 ) on Tuesday August 11, 2015 @01:27PM (#50294745) Journal
    Oracle has been reportedly working hard in Washington trying to make security research illegal [twitter.com].

    Of course, malicious hackers will always be finding exploits, and using them.
  • Note to self (Score:5, Insightful)

    by denbesten ( 63853 ) on Tuesday August 11, 2015 @01:27PM (#50294749)

    If I find myself in the position to report a flaw in Oracle products, do so through a responsible disclosure site (e.g. cert.org) and request anonymity.

    • by leonbev ( 111395 )

      Or you could sell it to a group like Hacking Team and probably get a big paycheck for your efforts.

  • by nimbius ( 983462 ) on Tuesday August 11, 2015 @01:29PM (#50294769) Homepage
    I know many security professionals may be alarmed at this practice but i can assure you other examples exist where this tactic proves effective. For example, by ignoring or forbidding climate change discussion we actually prevent it from ever happening (clapping your hands helps too.) prior to abstinence only education, teenage pregnancy was ridiculously prevalent in the US. now that most sex-education courses in america are unstandardized and avoid covering things like condoms, birth control even simple intercourse, kids are a model of puritanical living.

    im also told that the nuanced and layered complexity of immigration reform and homeless war veterans can be tackled by a large wall, and simply not looking at homeless people.
  • by Anonymous Coward on Tuesday August 11, 2015 @01:31PM (#50294787)

    While the tone of the piece is more than a little condescending, there's an actual issue here, and she's not wrong about it.

    Most customers would only reach out to a vendor with a bug report when they've actually found a real problem. Those bug reports are always welcome by any reputable vendor. They might be performance, or integrity bugs, or security bugs. Real bugs are good. They're welcome.

    However, there's a second category of people (and she's write that bug bounty programs have somewhat encouraged them) that are the security equivalent of script kiddies - they downloaded a "sploits!" kit off the the internet (in this case, often a combination of a decomplier and static analyzer). They don't really understand how the kit works or what it does, but ZOMG I ran it against your code and it found issues! Your software is insecure! See? It says so right here! Now pay me something for all my hard work! I may not understand exactly what it's telling me, but it's telling me you have a bug! This group of people adds very little in the way of new bug discovery (again, most of their output really is known or false positive).

    That second category of people (especially the ones who demand to be welcomed as liberating heroes) can in many cases get annoying. Because vendors really do run these kits against their code, so most of the time anything that isn't a false positive is a known issue. The back and forth with the customer really can sap time and energy (especially for customers who get strident and demand a "patch" right away or they'll go to the press and tell everyone how bad your code is).

    I don't really blame someone who works in security for feeling frustrated that this small subgroup of customers continues to flood inboxes with "bug reports" that often they themselves don't understand, and which are often not useful.

    That said, this is an absolutely idiotic tone to take in a blogpost directed at your customers. The problem can certainly be expressed in a way that doesn't sound childish, or scolding. This is a seriously dumb way for a company to semi-officially communicate with its customers.

    Disclaimer: I do not and have never worked for Oracle. I don't even particularly like Oracle after the SSO suit against Google.

    • Indeed. Clearly specifying that they will accept bug reports for the bug bounty program only from their customers and will only pay out a bug bounty if an Oracle engineer confirms that the issue is a bug (with no appeals process) would be, I think, a reasonable policy and could be clearly explained along the lines of your explanation.

    • by Anonymous Coward on Tuesday August 11, 2015 @02:21PM (#50295207)

      Yes, in reading it I found there was a reasonable point in there somewhere: a giant dump from an analysis tool does not constitute a bug report. Too bad it was buried under a ton of condescension and whining about "m-m-m-muh intellectual property!!1!!"

    • I agree - several points resonated.

      But the tone and writing quality of the document suggested she was having a stroke. How many off-topic topics can one blog post have?

    • There is no issue here and you're getting the wrong end of the stick. The point here is this is a company who is firmly stuck in the 80s and early 90s and believes that no one is going to be able to do anything with their software as long as they enforce licensing agreements. They do also, despite her pathetic protestations to the contrary, believe they can keep security problems and ones yet to be discovered under control by using that method. Other software companies have had to learn very quickly how to
    • However, there's a second category of people (and she's write that bug bounty programs have somewhat encouraged them) that are the security equivalent of script kiddies - they downloaded a "sploits!" kit off the the internet (in this case, often a combination of a decomplier and static analyzer). They don't really understand how the kit works or what it does, but ZOMG I ran it against your code and it found issues! Your software is insecure!

      Yup, and that is something I can sympathise with her for. We've run into exactly this in the past, the conversation went something like:

      Zomg your servers have [whatever that day's OpenSSL security vuln was]!
      Our servers don't use OpenSSL, it's a false positive.
      But our consluttants' scanner is reporting an OpenSSL vuln! Fix it!
      We don't use OpenSSL, it's a FP.
      Fix it! Fix it! Fix it!
      There's nothing to fix, it's a FP.
      We can't accept you as a business partner until our consluttants' scan shows no vulns.
      OK, which scanner are you using...

      We resolved the problem by finding a way to crash their scanner (I think it was using OpenSSL to do the scan), so when it scanned our servers it'd die and not report the FP any more.

  • by xxxJonBoyxxx ( 565205 ) on Tuesday August 11, 2015 @01:44PM (#50294901)

    In Oracle's defense, if you're still using their cash cow database it's fair to say that it will do more financial damage to your company than most hackers could ever do.

  • by NostalgiaForInfinity ( 4001831 ) on Tuesday August 11, 2015 @01:54PM (#50294957)

    Not sending reports to Oracle is a good idea: use open source alternatives and submit the reports there.

    • by Lumpy ( 12016 )

      Actually for everything, post it in multiple locations anonymously.

      Only fools try and get credit for it, because the lawyers and feds love to punish good deeds.

  • That is among the worst C-level communication I've ever read from a large corporation. Is "CSO" not a real C-level executive position with staff that edits (or just writes) their execs communication? Whether or not she's a good security exec, she is a truly horrific corporate communicator.
  • She might have a point that there's no need for customers to do static code analysis or reverse engineering to look for vulnerabilities *if* the black hat hackers weren't able to do so with impunity since they have no moral qualms about violating license agreements.

    I can believe that she's tired of vetting customer reported security bugs, especially when they are dupes of known bugs that Oracle is working on, but a bug is a bug and if they don't want to expose their bug tracker to customers to let them see

  • by gweihir ( 88907 ) on Tuesday August 11, 2015 @02:25PM (#50295241)

    If I remember correctly, reverse-engineering to fix bugs that prevent software from working as intended and to secure systems is always legal in Europe, no matter what the contract says. But it is nice that Oracle confirmed that they do not care about their customers at all except as cash-cows. Not that this is a surprises to anybody.

  • Would the CSO be happier if, instead of reporting the vulns, the customers published exploits for the vulns they found
  • by sjbe ( 173966 ) on Tuesday August 11, 2015 @02:38PM (#50295341)

    How cute that they think they can prevent people from finding flaws in their product with a licensing agreement. Why didn't I think of securing out network via legal agreements? The Bad Guys would never dream of doing something I told them not to do.

    • Well, in fairness, you have a contract with your customers and don't have one with random Bad Guys in the internet. You can sue your customers, but good luck suing the bad guys. That should not be taken to mean that I believe suing your customers for finding vulnerabilities in software they're running on their systems is a good or even remotely acceptable idea. Just that it's possible.

  • ... and I'll say it again... Oracle is in trouble. They charge too much for their products, they treat customers badly, and now apparently they are admitting that they think they can plug security holes with legal crap.

    If that worked you could dispense with bank vaults, put the millions of dollars in gold bars in box on someone's desk... and then just put a sticker on it that said "don't steal me."

    Why do we go to the trouble of having steel plated concrete reinforced walls? Why are we putting 2~3 foot bank

  • Oracle to customer base, we don't gave a f**k about your security concerns.

    'I think my response was, ‘What idiot dreamed this up?’ " — Mary Ann Davidson, Oracle’s chief security officer, in typically blunt manner, remembering her reaction to the company’s scheme to brand its databases as "unbreakable."'

    'we need to build on a solid infrastructure platform, take an engineering approach - build secure software'
  • Errm is simply looking at the Oracle binaries and observing their vulnerabilities considered reverse engineering? I thought that term was to do with creating work alikes.

    • No, many of these tools are decompiling the code and then running static analysis on them. When hundreds or thousands of alleged "vulnerabilities" are found, they send the full report to Oracle. Naturally, most of these are false flags, as you'd expect from such a system. So, the frustration is somewhat understandable.

      What's not understandable is how she could possibly imagine such a childish rant should be made in public.

  • Oh, Oracle doesn't want them? I'm sure that there are lots of "businesses" like Hacking Team (and a bunch of other names that came up in the HBGary case) that are willing to pay top dollar for interesting exploits.
  • So (un)reliable they won't even let you look for bugs...
  • Due to Mary Ann Davidson's statements I'll post this here.

    If you manage to get a Solaris clock set before 1970 the loader doesn't work. It means that anything running will keep running but you can't start any new programs (including init and shutdown). Talk about a great way to keep a sysadm out of a system.

    There is also no way to wipe sensitive data from ZFS file systems. You need an option to say "this pool overwrites blocks" so that scrubbing works correctly. The reasons for this will come to light w

    • by dbIII ( 701233 )

      There is also no way to wipe sensitive data from ZFS file systems

      While that does suck it's pretty obvious that if it's an occasional thing you can snapshot after deletion, send the snapshot elsewhere and destroy the original.
      Some people's definition of "security" is very different to others. Intentionally losing data with no possible way to get it back may be high on the list for some but it's completely off the radar to others.
      The 1970 one is amusing, but setting back a few years in general in Solaris is

  • ... these tools *do* often have a ridiculous false positive rate.

"We don't care. We don't have to. We're the Phone Company."

Working...