Oracle’s chief security officer is tired of customers performing their own security tests on Oracle software, and she’s not going to take it anymore. That was the message of a post she made to her corporate blog on August 10 – a post that has since been taken down.
Strangely satisfying to watch this trainwreck unfold. Perhaps because the trainwreck in question is one of the most despicable companies in tech?
Usually whenever they make a statement like this that says “do not do static binary checking of our code”, then no one can release any bug that they don’t want to be published. This means they can defend it in court by claiming that it was static binary analysis of code, ergo reverse engineering!
I have been talking to one of their senior Java quality test managers about this and it seems this is the culture in their group. They actually believe in it. They just don’t want someone who doesn’t understand their internal management structure of development to inject stuff that they have not planned for. This is just unbelievable since many others actually depend on their JDK.
I really don’t understand why this sick Oracle culture exists when they are making profit off others’ work (NoSQL, Red Hat, and so on).
Edited 2015-08-12 19:15 UTC
If you read her entire blog post you’ll notice her real complaint is actually that a lot of customers run a static code analyzer on the binaries, then forward the (useless) report to Oracle. She is basically annoyed at a bunch of “security experts” that have no idea what they are doing and are expecting Oracle to take a closer look at something that is often 99% false positives.
A good analogy is perhaps to compare it to someone stating that a library is broken because their application is crashing. Then they forward their non-trivial huge program as proof.
The reverse engineering thing is just her sad way of trying to stop such people from even trying to analyze the code. And her entire rant is surprisingly clueless (at the social level) for someone with a C-level title. She really should know better and know nobody will read her blog post the way she wanted it to be read.
Yeah, she *may* have a valid complaint about clueless users who just run fuzzers on the code. But, using a EULA to squash it is silly and wrong. She comes off not just disparaging of the fuzz runners, but of real legit security researchers who do incredible work to protect Oracle’s customers from Oracle’s code.
I don’t think a rational court would rule that running a fuzzer on code constitutes reverse engineering. They were not at any point attempting to create a competing product or otherwise limit their future sales of any product. They really were just doing their due diligence. Simply taking Oracle’s word that their code is secure is silly and laughable given Java’s track record.
The worst insult I could possibly give to them is that their attitude around security is most reminiscent of 1990s Microsoft.
Completely agree on that.
Hardly,
A classical example of the kind of reasoning someone would come up with if they think the world works like a computer program.
I’d still say the entire quote reeks of someone that just heatedly debated with a customer whether they should do an out-of-band patch just for them. Should they have? I don’t know – depends on the exact nature of this bug/exploit and the size of the customer.
That’s why I believe it’s vague to their benefit. I cannot accept that someone at that level just said something like this without a majority or at least meaningful agreement in the group. And people who know how to analyse these logs should know there are analytical tools used to check them before making some poor expert go through them all for evaluation. There are automatic tools for this.
Don’t be absurd, of course they can. Only in the software world could this nonsense behaviour be acceptable. It’s like if Ford would tell people they can’t look for flaws in their cars and not tell anyone about any problems they might find.
Edited 2015-08-13 03:44 UTC
Um, Volkswagen, for example, did sue successfully so that researchers couldn’t release information on the vulnerabilities they found: http://arstechnica.com/security/2015/08/researchers-reveal-electron…
That is, to be perfectly candid, utterly f–king ridiculous. Public safety is more important than Volkswagen’s profits. I certainly expected better from the Netherlands.
Edited 2015-08-14 02:00 UTC
Soulbender,
Agreed, but you’ve got to admit that was the perfect rebuttal
I wonder if there will be a recall now that it got out? Seems possible if mainstream media runs it.
Why the surprise? This is from a company whose founder thinks Google using Java is evil but the government spying on its citizens is perfectly ok.
A very stupid thing to say. They’ll just look harder now. Regardless of the post’s original intent, they’ll be wondering just what it is Oracle don’t want found. It’s like when a church tells you “don’t read this book” or “don’t watch this movie.” Your first reaction will generally be to wonder just what’s in there that they don’t want you to see.
Of course doing so would break the EULA!
Obviously, that is universally regarded as a sacred document that no criminals would dare violate even for large personal financial gain.
Maybe she really was tired of these reports, but I find her post totally ironic in that it built good arguments against using Oracle’s proprietary stuff: users can’t independently vet the security of the source code, and then they can’t fix it either.
I seriously doubt this clause is legally valid anywhere in the world (except maybe the US….).
The software industry is gloriously and hilariously full of itself.
From a commenter in the article:
http://www.bonkersworld.net/images/2011.06.27_organizational_charts…
“Stop gouging us and we’ll stop analyzing your code”
To the other commenters: EULA is NOT a valid binding agreement in most countries outside the US, Burma, Jamaica and Liberia.
Basically she is asking people not to flood them with dodgy reports generated in a half-cocked manner.
She is also making it clear that because you sent some crappy report in does not mean Oracle will pay you (nor give a discount) because of your “gracious act”. Because you submit something doesn’t mean a patch will be released.
However, if there is an actual security vulnerability, we will fix it. We may not like how it was found but we aren’t going to ignore a real problem.
I have had clients try to demand discounts/rebates for finding “bugs”. It takes a considerable time to sort out and quite often is a misunderstanding of the expected behaviour.
Edited 2015-08-13 08:34 UTC
Her post is a beautiful description why closed-source software is really bad for customers. In her own words, direct quote:
– A customer can’t analyze the code to see whether there is a control that prevents the attack the scanning tool is screaming about (which is most likely a false positive)
– A customer can’t produce a patch for the problem – only the vendor can do that
– A customer is almost certainly violating the license agreement by using a tool that does static analysis (which operates against source code)
No wonder her post was taken down by Oracle so quickly.
is:
One Rich Ass Called Larry Ellison
and it’s absolutely true.