Oracle Exec: Stop Sending Vulnerability Reports
florin writes: Oracle chief security officer Mary Ann Davidson published a most curious rant on the company's corporate blog yesterday, addressing and reprimanding some pesky customers that just will not stop bothering her. As Mary put it: "Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it." She goes on to describe how the company deals with such shameful activities, namely that "We send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer's behalf — reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already."
Later on, in a section intended to highlight how great a job Oracle itself was doing at finding vulnerabilities, the CSO accidentally revealed that customers are in fact contributing a rather significant 1 out of every 10 vulnerabilities: "Ah, well, we find 87 percent of security vulnerabilities ourselves, security researchers find about 3 percent and the rest are found by customers." Unsurprisingly, this revealing insight into the company's regard for its customers was removed later. But not before being saved for posterity.
Piss off (Score:5, Insightful)
We and the blackhat hacker network can find our own vulnerabilities. We will protect you on our own schedule. If you are stabbed, control the bleeding as best you can; if you are shot, try to walk it off.
Re:Piss off- text of her blog which was taken down (Score:4, Informative)
Mary Ann Davidson Blog
No, You Really Can't
By User701213-Oracle on Aug 10, 2015
I have been doing a lot of writing recently. Some of my writing has been with my sister, with whom I write murder mysteries using the nom-de-plume Maddi Davidson. Recently, we've been working on short stories, developing a lot of fun new ideas for dispatching people (literarily speaking, though I think about practical applications occasionally when someone tailgates me).
Writing mysteries is a lot more fun than the other type of writing I've been doing. Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. This is why I've been writing a lot of letters to customers that start with "hi, howzit, aloha" but end with "please comply with your license agreement and stop reverse engineering our code, already."
I can understand that in a world where it seems almost every day someone else had a data breach and lost umpteen gazillion records to unnamed intruders who may have been working at the behest of a hostile nation-state, people want to go the extra mile to secure their systems. That said, you would think that before gearing up to run that extra mile, customers would already have ensured they've identified their critical systems, encrypted sensitive data, applied all relevant patches, be on a supported product release, use tools to ensure configurations are locked down — in short, the usual security hygiene — before they attempt to find zero day vulnerabilities in the products they are using. And in fact, there are a lot of data breaches that would be prevented by doing all that stuff, as unsexy as it is, instead of hyperventilating that the Big Bad Advanced Persistent Threat using a zero-day is out to get me! Whether you are running your own IT show or a cloud provider is running it for you, there are a host of good security practices that are well worth doing.
Even if you want to have reasonable certainty that suppliers take reasonable care in how they build their products — and there is so much more to assurance than running a scanning tool - there are a lot of things a customer can do like, gosh, actually talking to suppliers about their assurance programs or checking certifications for products for which there are Good Housekeeping seals for (or "good code" seals) like Common Criteria certifications or FIPS-140 certifications. Most vendors — at least, most of the large-ish ones I know — have fairly robust assurance programs now (we know this because we all compare notes at conferences). That's all well and good, is appropriate customer due diligence and stops well short of "hey, I think I will do the vendor's job for him/her/it and look for problems in source code myself," even though:
A customer can't analyze the code to see whether there is a control that prevents the attack the scanning tool is screaming about (which is most likely a false positive)
A customer can't produce a patch for the problem — only the vendor can do that
A customer is almost certainly violating the license agreement by using a tool that does static analysis (which operates against source code)
I should state at the outset that in some cases I think the customers doing reverse engineering are not always aware of what is happening because the actual work is being done by a consultant, who runs a tool that reverse engineers the code, gets a big fat printout, drops it on the customer, who then sends it to us. Now, I should note that we don't just accept scan reports as "proof that there is a there, there," in part because whether you are talking static or dynamic analysis, a scan report is not proof of an actual vulnerability. Often, they are not much more than a pile of steaming … FUD. (That is what
Re: (Score:2)
So, she's saying no heads up on zero-day vulnerabilities?
Let's hope everyone hears that loud and clear.
Re: (Score:3)
That actually sounds pretty sensible. It seems like much of her frustration is from people blindly running static analysis tools on their code, finding false-positive vulns, and wasting Oracle's time and making it more difficult to identify legitimate security vulnerabilities.
Much more reasonable than the summary made it out to be, thanks.
Re:Piss off- text of her blog which was taken down (Score:4, Interesting)
She's not happy about the true positives either - don't look at our stuff if it bugs out is the message she is sending here.
If the vendors I buy stupidly expensive stuff from starting acting that way I would inform them where they could put their lawyers and go looking for another vendor. I've had to reverse engineer some buggy commercial software on several occasions to find workarounds so that users can get stuff done, and have informed the vendor, who then informed their other customers (known problems list), fixed it or both.
Re:Piss off- text of her blog which was taken down (Score:4, Interesting)
No, it does not. A question "What does Oracle do if there is an actual security vulnerability?" is answered with "you found this because you reverse-engineered our code". That does not have to be true. On the other hand if I perform operation X and the product crashes, then they won't accept a submission unless you "provide a test case to verify that the alleged vulnerability is exploitable"
I read that clearly as "we do not want you to report any problems" and that makes their vulnerability reporting system just a PR thing.
Re: (Score:2)
That actually sounds pretty sensible.
Most of it is, except for the, paraphrasing, "How dare you reverse engineer our code to look for vulnerabilities, violating your license agreement, you naughty customer!"
Re: (Score:3)
static analysis of Oracle XXXXXX
Somebody should explain to the idiot that the advanced tools for code analysis have been capable of checking (and instrumenting) compiled binary code for at least a decade.
When in the past I used Rational Purify on applications linked against the Oracle client, there were more than 200 Purify warnings coming from the Oracle libraries, and that before main() was even reached. Draw conclusions yourself.
P.S. A global public variable - by all indications `int count;` - in the Oracle clien
Re:Piss off (Score:5, Interesting)
Well, Oracle (or a flack thereof) explained why they dumped the post (quoted in full [zdnet.com] in an update on TFA):
"The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers."
Methinks Ms. Davidson may find herself forced into 'spending more time with her family', and updating her resumé fairly soon...
Re:Piss off (Score:5, Insightful)
She should, and Oracle should stop hiring incompetent rich idiots for executive positions where they should actually know something about Security and Programming.
This is the biggest problem. The trend over the past 15 years: executives in many American corporations are drooling morons when it comes to knowing anything about what they are supposed to be in charge of.
CSO should have a frigging clue.
Re: (Score:2)
It should be a mix of both.
You need to look both inwards & outwards before determining your strategies.
Re:Piss off (Score:5, Insightful)
A Business manager should be able to recognize their own company's Strengths, Weaknesses, Opportunities and Threats (SWOT)
If they think that having customers notify them when they identify a Weakness in their product then they are missing out on an Opportunity to identify a Threat, or three of the four things that they should be doing, definitely not a Strength that will keep them in their position
Sticking her head in the sand, so to speak, prevents her from getting her own product experts involved, improving their product, allaying the fears of their customers and holding both their competitors and the 'bad guys' at bay.
Re: (Score:3)
They *DO* need to know enough that the answer to their questions doesn't sound like "We must astrocate the frobnicator or someone might wibble the flibberdejibit forthwith".
If they want to be at all respected among the ranks, they must know enough not to instruct the janitorial staff to be on the lookout for the token that fell out of a network cable.
Don't make me use that anecdote (Score:2)
They need to know enough about a topic to be able to know what questions to ask their experts otherwise they are not fit to be anything other than an administrative assistant to someone who does. Not having enough background leads to stupid and expensive mistakes.
One in a company I worked for, who "knew about management", was put in charge of a non-destructive testing division. He failed to consider that in
Re: (Score:2)
Well, it's easy to diss someone that you don't know. From one blog post, you assume that you know everything about her?
I've actually emailed with her over a big security issue. She dealt with it quickly and professionally. She understood the significance and very quickly (almost unheard of quickness for Oracle) had a patch produced and a security notice issued.
She is not a moron, even if she has a different perspective from you.
And this was around 20 years ago. I'm sure she's got more knowledgeable since.
Re: (Score:2)
It tells us quite a bit about what she has written in the blog post - which is far more than I want to know about her and does not impress at all. It's not exactly very professional is it? It looks like she has a very different idea of what her job is to what the customers think her job is. The message along the lines of "report the bug and we send in the lawyers", presented with various
Re: (Score:2)
The message along the lines of "report the bug and we send in the lawyers",
Thus my favourite tweet [twitter.com] about this:
It stops the reverse engineering or else it gets the EULA again.
Brilliant.
Re: (Score:3)
Bah, C-level position at a company like Oracle ... even if they fired her she'll probably walk out with a few tens of millions of "shareholder value" for her troubles.
Because, you know, hiring unqualified people at the C level doesn't mean when you fire them you don't pay them the severance.
I'll make an open offer to any fortune 500 company .... I'll incompetently manage your company for 25% of what you're paying your current CEO and 25% of the severance, provided total compensation is no less than $20 mill
Re: (Score:2)
Except nobody ever bothers with that.
They take someone who has already failed as a CEO and decide that failing there means an improved chance of success over there.
And then they end up with a CEO who has failed at another place.
And then another board decides that having failed twice as a CEO, they're either a really good candidate to be CEO, or should at least sit on the board to pick the next CEO.
Re:Piss off (Score:5, Interesting)
This policy is long-standing. Probably over 10 years ago at this point we found and fixed a connection leak in Oracle's own JDBC driver by decompiling, fixing, and recompiling the affected class. To say they were displeased would be polite.
It was a production-down issue, we fixed it after their support flailed on it for several days, and they still had the nerve to send us a nastygram for it.
Re: (Score:2)
Same story here, production-halting problem and Oracle's support was completely useless, the "consultant" that was eventually sent on-site was completely useless... we decompiled it, fixed it and got things going again. We were then even nice enough to send our analysis to the support, explained the bug and added the fix - guess what, they told us we couldn't possibly know and our fix was wrong.
Three months(!) later they finally published an official patch with pretty much the exact same code. Frakk oracle.
Cocaine (Score:4, Insightful)
I did not realise that this was available for free use to Oracle executives to help them reduce the stress induced by pesky customers who are trying to obtain a good service.
Re: (Score:2)
I have done a lot of cocaine - enough to make Keith Richards blush, and I feel obligated to tell you that cocaine use does not reduce stress. It does make you gabby. It does not do a damned thing to relax you. That is what opiates are for.
Link to full text (Score:5, Informative)
Re: (Score:2)
Perhaps a slightly better mirror / archive of the text:
https://web.archive.org/web/20... [archive.org]
Dune Messiah - crime = sin (Score:3, Insightful)
The masses are so much more compliant when you convince them that crime is a sin.
Fuck you, Oracle.
Re: (Score:2)
Matthias: Look, I don't think it should be a sin, just for saying "Jehovah".
[Everyone gasps]
Jewish Official: You're only making it worse for yourself!
Account to CSO (Score:5, Interesting)
It's interesting that Mary Ann Davidson was an accountant and then became the CSO at Oracle.
frog protection (Score:5, Funny)
CEO (on phone): Hey, I want to promote Mary Ann Davidson for her years of excellent service in our accounting department. We're going to make her CFO!
HR Director: Wow, you're making Mary Ann CSO?
CEO: Yes, CFO! Congratulate her for me.
HR Director: Are you sure, sir? I mean... Mary Ann... CSO?
CEO: Yes, of course! She'll make a great CFO!
HR Director: Do you think she's qualified to be CSO?
CEO: What do you mean? Of course she's more than qualified to be CFO!
HR Director: Wait, you're saying CSO, right?
CEO: Yeah, CFO!
HR Director: CSO?
CEO: CFO.
HR Director: CSO?
CEO: CFO!
HR Director: Okay, I think we're on the same page here.
Re:Account to CSO (Score:5, Informative)
It's interesting that Mary Ann Davidson was an accountant and then became the CSO at Oracle.
Accountant? Citation please. I can't find any evidence she was ever an accountant at Oracle.
According to the brief wikipedia article on her, she joined Oracle in 1988 as a product manager, and became a product marketing manager in their computer-security division in 1993. Not exactly hard-core tech, but not an accountant either.
https://en.wikipedia.org/wiki/... [wikipedia.org]
http://www.oracle.com/us/corpo... [oracle.com]
Re: (Score:2)
So she has even less knowledge of Security or Software than the Accountant.
She has a BSME (Bachelor of Science in Mechanical Engineering) so I'd say she has far more tech cred than an accountant.
I'm not defending what she said. I'm just saying she's not an accountant.
Re: (Score:2)
Is that what Americans call a "Bachelor of Mechanical Engineering" or is it a cut down version taking a year or more less to complete?
Re: (Score:2)
Dear god, are you kidding?
So the qualifications for Oracle's CSO are ... what exactly?
Re: (Score:2)
The ability to make customers feel like the company Takes Security Seriously.
Yes.
Re: (Score:2)
So basically Oracle is interested in license revenue [rather] than security?
Well, uhh, yeah, of course. Why are you even asking that question?
Yet another reason to avoid Oracle (Score:4, Insightful)
Aside from Java (which has its own issues), Oracle's products are, imo, craptastic. Horrid UIs, constantly crashing, slow, design decisions that make no sense, not modernizing, barely follow modern standards if at all, insanely overpriced (the least of the problems).
Re:Yet another reason to avoid Oracle (Score:5, Informative)
Fucking over its customers, business partners, employees, investors, family, government, religion, charities, etc.
Oracle is probably the worst company in tech, in every category.
Re: (Score:2)
Now now, Sony is mostly consumer electronics involving tech ... both Oracle and Sony can still suck equally.
Re: (Score:2)
Sony begs to differ.
And Microsoft
And Apple
And Google is trying
Wait, are there good companies in IT?
Re:Yet another reason to avoid Oracle (Score:5, Informative)
I recently experienced this - we had purchased a complete Micros package for a hotel and everything was going along well. Now that Oracle bought them, support goes to a callcenter where they have no idea what they're talking about and just try to upsell you paid services.
If you're ever looking for something that was from (formerly) Micros, now Oracle Hospitality; run, don't walk.
Also, I've found that InfoGenesis is much better for POS and LMS is excellent for hotel management systems (even though it's based on the iSeries).
Former Oracle Exec: Stop Sending... (Score:2)
There. Fixed that for you.
Every single time (Score:5, Interesting)
ORACLE is in the news, they confirm yet again that quitting was the single best career decision I ever made.
The greatest thing about being an ex-oracle engineer is not working for Oracle anymore. I very much doubt anybody who has ever resigned from Oracle regrets it.
Worst company I've ever had the misery to work for.
Re: (Score:3, Funny)
And you weren't even a customer!
Oracle blog (was?) vulnerable to XSS exploit... (Score:5, Interesting)
And the irony is ...
https://twitter.com/addelindh/status/631040188010131456
toothless (Score:2)
In Washington trying to make research illegal (Score:5, Informative)
Of course, malicious hackers will always be finding exploits, and using them.
Note to self (Score:5, Insightful)
If I find myself in the position to report a flaw in Oracle products, do so through a responsible disclosure site (e.g. cert.org) and request anonymity.
Re: (Score:2)
Or you could sell it to a group like Hacking Team and probably get a big paycheck for your efforts.
Re:similar approaches have succeeded. (Score:5, Funny)
Actually, I think the homeless problem requires a little more than a large wall.
Let's put in three more walls just to be sure.
And a roof.
There! Problem solved!
Re: (Score:2, Insightful)
On the other side of the spectrum, if you take guns from people who use them lawfully, it will really reduce crime!
Not entirely wrong. (Score:5, Insightful)
While the tone of the piece is more than a little condescending, there's an actual issue here, and she's not wrong about it.
Most customers would only reach out to a vendor with a bug report when they've actually found a real problem. Those bug reports are always welcome by any reputable vendor. They might be performance, or integrity bugs, or security bugs. Real bugs are good. They're welcome.
However, there's a second category of people (and she's right that bug bounty programs have somewhat encouraged them) that are the security equivalent of script kiddies - they downloaded a "sploits!" kit off the internet (in this case, often a combination of a decompiler and static analyzer). They don't really understand how the kit works or what it does, but ZOMG I ran it against your code and it found issues! Your software is insecure! See? It says so right here! Now pay me something for all my hard work! I may not understand exactly what it's telling me, but it's telling me you have a bug! This group of people adds very little in the way of new bug discovery (again, most of their output really is known or false positive).
That second category of people (especially the ones who demand to be welcomed as liberating heroes) can in many cases get annoying. Because vendors really do run these kits against their code, so most of the time anything that isn't a false positive is a known issue. The back and forth with the customer really can sap time and energy (especially for customers who get strident and demand a "patch" right away or they'll go to the press and tell everyone how bad your code is).
I don't really blame someone who works in security for feeling frustrated that this small subgroup of customers continues to flood inboxes with "bug reports" that often they themselves don't understand, and which are often not useful.
That said, this is an absolutely idiotic tone to take in a blogpost directed at your customers. The problem can certainly be expressed in a way that doesn't sound childish, or scolding. This is a seriously dumb way for a company to semi-officially communicate with its customers.
Disclaimer: I do not and have never worked for Oracle. I don't even particularly like Oracle after the SSO suit against Google.
Re: (Score:2)
Indeed. Clearly specifying that they will accept bug reports for the bug bounty program only from their customers and will only pay out a bug bounty if an Oracle engineer confirms that the issue is a bug (with no appeals process) would be, I think, a reasonable policy and could be clearly explained along the lines of your explanation.
Re:Not entirely wrong. (Score:4, Insightful)
Yes, in reading it I found there was a reasonable point in there somewhere: a giant dump from an analysis tool does not constitute a bug report. Too bad it was buried under a ton of condescension and whining about "m-m-m-muh intellectual property!!1!!"
Re: (Score:2)
I agree - several points resonated.
But the tone and writing quality of the document suggested she was having a stroke. How many off-topic topics can one blog post have?
Re: (Score:2)
However, there's a second category of people (and she's right that bug bounty programs have somewhat encouraged them) that are the security equivalent of script kiddies - they downloaded a "sploits!" kit off the internet (in this case, often a combination of a decompiler and static analyzer). They don't really understand how the kit works or what it does, but ZOMG I ran it against your code and it found issues! Your software is insecure!
Yup, and that is something I can sympathise with her for. We've run into exactly this in the past, the conversation went something like:
Zomg your servers have [whatever that day's OpenSSL security vuln was]!
Our servers don't use OpenSSL, it's a false positive.
But our consluttants' scanner is reporting an OpenSSL vuln! Fix it!
We don't use OpenSSL, it's a FP.
Fix it! Fix it! Fix it!
There's nothing to fix, it's a FP.
We can't accept you as a business partner until our consluttants' scan shows no vulns.
OK, which scanner are you using...
We resolved the problem by finding a way to crash their scanner (I think it was using OpenSSL to do the scan), so when it scanned our servers it'd die and not report the FP any more.
Re: (Score:2)
Over ten percent of their vulnerabilities are reported by outsiders. That's a justification. That makes the 90% that's crap worthwhile.
OSVDB reports 3,700 vulns in Oracle products [osvdb.org]. If that's 10% of the total (the rest are Oracle-internal) as Davidson claims that means Oracle products have around 40,000 security vulns in them.
Someone earlier mentioned that Oracle products are the security equivalent of Swiss cheese, but with 40,000 vulns it's more like chicken wire, or maybe a small keep out sign in the corner.
If you're still using Oracle... (Score:5, Funny)
In Oracle's defense, if you're still using their cash cow database it's fair to say that it will do more financial damage to your company than most hackers could ever do.
Re: (Score:2)
Now, now..... don't tempt the troll....
That was my point to the OP. A humor-impaired moderator didn't get it.
yes, stop sending reports (Score:5, Insightful)
Not sending reports to Oracle is a good idea: use open source alternatives and submit the reports there.
Re: (Score:2)
Actually for everything, post it in multiple locations anonymously.
Only fools try and get credit for it, because the lawyers and feds love to punish good deeds.
Truly awful C-level communication (Score:2)
Too bad black hats don't read license agreements (Score:2)
She might have a point that there's no need for customers to do static code analysis or reverse engineering to look for vulnerabilities *if* the black hat hackers weren't able to do so with impunity since they have no moral qualms about violating license agreements.
I can believe that she's tired of vetting customer reported security bugs, especially when they are dupes of known bugs that Oracle is working on, but a bug is a bug and if they don't want to expose their bug tracker to customers to let them see
Should be legal in Europe (Score:5, Interesting)
If I remember correctly, reverse-engineering to fix bugs that prevent software from working as intended and to secure systems is always legal in Europe, no matter what the contract says. But it is nice that Oracle confirmed that they do not care about their customers at all except as cash-cows. Not that this is a surprise to anybody.
Maybe exploit instead of submit? (Score:2)
Security through licensing? (Score:3)
How cute that they think they can prevent people from finding flaws in their product with a licensing agreement. Why didn't I think of securing our network via legal agreements? The Bad Guys would never dream of doing something I told them not to do.
Re: (Score:2)
Well, in fairness, you have a contract with your customers and don't have one with random Bad Guys in the internet. You can sue your customers, but good luck suing the bad guys. That should not be taken to mean that I believe suing your customers for finding vulnerabilities in software they're running on their systems is a good or even remotely acceptable idea. Just that it's possible.
I said it before... (Score:2)
... and I'll say it again... Oracle is in trouble. They charge too much for their products, they treat customers badly, and now apparently they are admitting that they think they can plug security holes with legal crap.
If that worked you could dispense with bank vaults, put the millions of dollars in gold bars in a box on someone's desk... and then just put a sticker on it that said "don't steal me."
Why do we go to the trouble of having steel plated concrete reinforced walls? Why are we putting 2~3 foot bank
Re: (Score:2)
Wrong.
http://techcrunch.com/2013/03/... [techcrunch.com]
They're getting pressed on all sides. Their once unique features can be obtained from other suppliers.
We had an article on here not long ago with the United Kingdom dumping Oracle for a competitor. I think I remember the Australians and the Canadians doing the same thing.
Business as usual is just going to lead to managed decline.
Re: (Score:2)
The article fails to mention whether the author is either paid by DataStax or has shares - because it's a pretty blatant advertisement.
And it doesn't really say much about Oracle, except that people are moving to the cloud. I can count the number of my customers doing that on the fingers of one hand, even if I cut them all off!
Now, I'm using whatever database the customer has, normally. Currently it's SQL Server 2012, about 66% of the time it's Oracle, but I've worked with Postgres as well. What is really
Re: (Score:2)
There are defections. Am I claiming Oracle doesn't have a good product? Of course not. That is part of what makes this so frustrating. If they had a shit product you could just dump them and move on.
That said, their competitors are getting more competitive and whether in fact they've caught up is itself debatable.
An issue with databases is that it is a massive pain in the ass to switch from A to B. So much so that a great many institutions maintain databases that have remained largely unchanged since the 19
Re: (Score:3)
Bingo bango bongo. People get set in their ways. And changing databases is... treated with the same trepidation that a man goes through when offered open heart surgery. I mean... you have to NEED to go in there before you even consider touching that shit.
And so businesses that don't need to change anything will often not change aspects of their core infrastructure for... decades. Again, IRS and a few banks have mainframes running software from the 70s. No really.
But new companies are going to be able to sta
Oracle to customer base .. (Score:2)
"I think my response was, 'What idiot dreamed this up?'" — Mary Ann Davidson, Oracle's chief security officer, in typically blunt manner, remembering her reaction to the company's scheme to brand its databases as "unbreakable."
'we need to build on a solid infrastructure platform, take an engineering approach - build secure software'
Reverse engineering? (Score:2)
Errm is simply looking at the Oracle binaries and observing their vulnerabilities considered reverse engineering? I thought that term was to do with creating work alikes.
Re: (Score:3)
No, many of these tools are decompiling the code and then running static analysis on them. When hundreds or thousands of alleged "vulnerabilities" are found, they send the full report to Oracle. Naturally, most of these are false flags, as you'd expect from such a system. So, the frustration is somewhat understandable.
What's not understandable is how she could possibly imagine such a childish rant should be made in public.
0day exploits (Score:2)
Oracle (Score:2)
Dear Orrie, (Score:2)
Due to Mary Ann Davidson's statements I'll post this here.
If you manage to get a Solaris clock set before 1970 the loader doesn't work. It means that anything running will keep running but you can't start any new programs (including init and shutdown). Talk about a great way to keep a sysadm out of a system.
There is also no way to wipe sensitive data from ZFS file systems. You need an option to say "this pool overwrites blocks" so that scrubbing works correctly. The reasons for this will come to light w
Re: (Score:2)
While that does suck it's pretty obvious that if it's an occasional thing you can snapshot after deletion, send the snapshot elsewhere and destroy the original.
Some people's definition of "security" is very different to others. Intentionally losing data with no possible way to get it back may be high on the list for some but it's completely off the radar to others.
The 1970 one is amusing, but setting back a few years in general in Solaris is
She's not wrong ... (Score:2)
... these tools *do* often have a ridiculous false positive rate.
Python is slow (Score:3)
I'd love to, but Python is kind of slow. Has some implementation of the Python language recently become remotely comparable to Oracle HotSpot JVM in execution speed of equivalent programs? If so, which?
Re:Was not Oracle code in the first place (Score:4, Funny)
Wow, Java and Oracle's DB are built on Flash, that explains much.
Re: (Score:2)
Your first two assertions are contradictory. If the product is highly bugged, they are not doing quite well internally.
If their customers were complaining to them that their Highly Paid Consultants did all this reverse engineering and didn't find any bugs, fine. Then Oracle is doing well. If people who have no source code access are finding 10% of their vulnerabilities? That's not quite well. As someone who occasionally skims through the patch release notes, that's 10% of a not terribly small number...
Re: (Score:2)
Really. Oracle is not nearly that bad. If your OPS team can't manage a modern Oracle install they should all be fired.
It's nothing that a trained monkey can't do.
Even a non-helpless consumer end user should be able to manage.
Re: (Score:2)
Why would you say that!? Most cows know better than to use Oracle software and would find that statement quite offensive.
Re: (Score:2)
I imagine how the conversation with their CSO went down before they removed the post.
Probably something along the lines of "Did you seriously just tell our customers to fuck off?"
"Certainly not, I just explained our license policy to them."
"THAT'S WHAT I SAID!!"
Re: (Score:2)
If you need a large scale database, MariaDB is not a reasonable choice. Look into PostgreSQL. MariaDB is a near clone of MySQL, and not a large scale database.
(I don't guarantee that PostgreSQL would suit your needs, but it has a much better chance.)
OTOH, if you're using Oracle because that's what your CSO knew, then MariaDB might well suit you.