Oracle's CSO praises Free Software
August 11, 2015 4:30 PM

Oracle's CSO wrote a (now deleted) blog post arguing against reverse engineering in which she mocked security researchers, compared them to cheating spouses, accused them of wasting her time, discounted bug-bounty programs, refused to credit vulnerability reporters, and promoted her sister's murder-mystery books. The reaction from the security community was unanimously opposed (1, 2, 3, ...) and some are looking on the lighter side by writing Oracle Fan Fiction.
posted by autopilot (49 comments total) 28 users marked this as a favorite
 
I guess she figures that only the NSA should be reverse engineering that code.
posted by eriko at 4:36 PM on August 11, 2015 [2 favorites]


Are spouty blog posts by C-executives the equivalent of big signs that say 'HACK ME'?
posted by Nanukthedog at 4:45 PM on August 11, 2015 [4 favorites]


This. From the company that makes Java.

I can't even.
posted by Pogo_Fuzzybutt at 4:47 PM on August 11, 2015 [31 favorites]


i'm just going to leave this short story here kthx.
posted by You Can't Tip a Buick at 4:48 PM on August 11, 2015 [3 favorites]


It is only my dreamworld where the oraclefanfic tag revealed page after page of glory.
posted by mrdaneri at 4:48 PM on August 11, 2015 [1 favorite]


Acquired Java. Sun had half a clue.
posted by idiopath at 4:51 PM on August 11, 2015 [7 favorites]


You know I was having a pretty shit day, but I didn't write something like that, so it's pretty ok right now when I think about it.
posted by iamabot at 4:51 PM on August 11, 2015 [33 favorites]


She's really a terrible writer. Like woah, why have an official blog bad.

At first I thought posting this was a misstep for Oracle but then I realized their customers already know. They know about the incomplete and inaccurate vulnerability patches from Oracle, about the insanely deflated CVSS scores applied by Oracle to their vulnerabilities, about their "whatever we can get you for" pricing models and how no one but your purchasing agent should talk to sales lest you trigger a spurious and baseless license audit.

Fuck Oracle.
posted by Matt Oneiros at 4:52 PM on August 11, 2015 [32 favorites]


I assumed at first this post could not be real, or was a parody. I mean a real Oracle executive really published this?
<Bigger sigh.> Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers
Does User701213-Oracle think she is one of the Fellow Kids?

Oracle is a terrible corporation that makes a few impressive products and surrounds them with a lot of other bullshit and sells it at a very high, sometimes fraudulent price. As an open source nerd I'm particularly sad at the way they've choked the life out of MySQL (not to mention their terrible security record). Also run Java into the ground, although it was probably on that trajectory anyway.
posted by Nelson at 4:56 PM on August 11, 2015 [6 favorites]


I have dealt with Oracle. They are indeed assholes. Very, very expensive assholes...
posted by jim in austin at 4:58 PM on August 11, 2015


Acquired Java. Sun had half a clue.

That was a hojillion years ago in Internet Time. Java is entirely their fault now.
posted by Pogo_Fuzzybutt at 5:03 PM on August 11, 2015 [5 favorites]


Well, at least they didn't put her in a position of responsibi-ohmygod.
posted by tonycpsu at 5:03 PM on August 11, 2015 [5 favorites]


If a blog post is badly crafted, does that mean the MeFi post linking to that post should also be written poorly? The main point to her argument is the license agreement. She mentions the word "license" 18 times in the now deleted blog post. MeFi post mention of license agreement? Zero.

I have no affection for Oracle, either - but if you give her even a semi-charitable read, the reality is she's is taking the position that Oracle is going to bludgeon you with the license agreement. If you're one of their customers, you made the mistake of paying them for that privilege. All they're doing here is elaborating on the downstream ramifications of your original mistake. The CSO's now deleted left-field mentions of cheating spouses and murder mystery books doesn't change anything about Oracle's still in place policies or license language.
posted by NoRelationToLea at 5:04 PM on August 11, 2015


I understand the stupid tweet that gets people into trouble, because it's so fast to type out 140 characters and send it off. I understand other stupid spur of the moment posts from senior people that clearly should not have been posted and get quickly withdrawn. But something of this length and this patronizing must have taken quite a time to write, so she clearly thought this one over and still decided to post it. That's baffling. This is the sort of rant that is reserved for one's nearest and dearest who have no choice but to comfort you as you wail about the injustice of your customers finding issues with your code.
posted by lesbiassparrow at 5:06 PM on August 11, 2015 [4 favorites]


*** Absolutely not, I loathe Keynes. There are more extant dodos than actual Keynesian multipliers. Although “dodos” and “true believers in Keynesian multipliers” are interchangeable terms as far as I am concerned.

Heh, a libertarian to boot.
posted by ignignokt at 5:07 PM on August 11, 2015 [5 favorites]


This is possibly the most helpful article posted on Oracle's web site in years. I hoped the PostgreSQL and MariaDB folks might be sending out thank-yous, and it looks like one of the Postgres folks sort of has.
posted by Monsieur Caution at 5:08 PM on August 11, 2015 [13 favorites]


Security by don't worry your pretty little head about it.
posted by mhoye at 5:09 PM on August 11, 2015 [17 favorites]


I feel bad after reading that. I'm going to go hug an elephant until I feel better.
posted by benito.strauss at 5:10 PM on August 11, 2015 [2 favorites]


Oh, hi Monsieur Caution.
posted by benito.strauss at 5:10 PM on August 11, 2015 [1 favorite]


Right. These always make me flinch, in that they are a stealth WELCOME ORACLE CUSTOMERS to the rest of us.
posted by mrdaneri at 5:11 PM on August 11, 2015


If you don't have a license with Oracle, you don't have any legal access to the code for reverse engineering. While she does use "license" eighteen times, if we want to count words, she also says "reverse engineering" twenty four times and makes it abundantly clear that her complaint is with "security weenies" who perform any sort of analysis on Oracle's systems.
posted by autopilot at 5:15 PM on August 11, 2015 [4 favorites]


if we want to count words, she also says "reverse engineering" twenty four times

I've never heard of examining software for the purpose of auditing potential vulnerabilities as "reverse engineering". License prohibitions against deconstructing software for various purposes aren't at all uncommon. That's not the issue - what is the issue is: does using this tool constitute "reverse engineering" your firewall software?

If so, that is an exceedingly bizarre and strange definition of "reverse engineering". I'm very interested to see if she's got actual case law or concern troll case law to support that.
posted by Pogo_Fuzzybutt at 5:22 PM on August 11, 2015 [2 favorites]


Shouldn't "nanny, nanny boo boo" either have three commas or none at all? It looks unprofessional, is what I'm saying.
posted by Joe in Australia at 5:22 PM on August 11, 2015 [18 favorites]

Pogo_Fuzzybutt: "If so, that is an exceedingly bizarre and strange definition of "reverse engineering"."

It took me a bit to figure out, but I think she's using "reverse engineering" as a synonym for "decompiling" (and probably also "disassembling"). Basically, turning their executable into any kind of interpretable (human-readable?) code.
posted by mhum at 5:26 PM on August 11, 2015 [2 favorites]


I think that all too often people forget what license means. It is a document asserting some right you offer to some user who otherwise would not have access to your system.

Now, Oracle might throw some other bullshit in their contract, of various degrees of enforceability. But let's not forget that this license is, before all else, a signed permission slip saying you can use a thing you already paid for.
posted by idiopath at 5:29 PM on August 11, 2015 [1 favorite]


I'm just surprised there's not a click-through EULA just to view the Oracle blog.
posted by indubitable at 5:37 PM on August 11, 2015 [7 favorites]


I've never heard of examining software for the purpose of auditing potential vulnerabilities as "reverse engineering".

Have you read her post? She's talking specifically about tools that decompile Oracle's software to do that analysis. She details what she means at great length! She's quite specific about the quality of vulnerability reports Oracle receives, and the reason they believe most of them are pointless.

There's a lot to critique about what she wrote and how she wrote it, but the degree to which the tech community has gone out of its way to put words in her mouth (including this post) is pretty nasty, although unsurprising.
posted by grahamparks at 5:47 PM on August 11, 2015 [6 favorites]


My amateur psych take: She's going through an identity crisis. She'd rather be a full-time writer and finds her CSO job so frustrating and unsatisfying her heart is now in open revolt against her brain and is compelling her to commit career suicide by blog. That's what I couldn't help thinking as I was reading that anyway.
posted by saulgoodman at 5:47 PM on August 11, 2015 [2 favorites]


(But there's always the possibility I'm projecting.)
posted by saulgoodman at 5:49 PM on August 11, 2015 [5 favorites]


It's pretty well known in the research community that static analysis tools have a high false positive rate, and that industry practitioners avoid & ignore them for that very reason. What I gathered from the article is that people were decompiling the code and then finding flaws in the derived code. This seems like false positive squared.

But I find it pretty funny that Oracle wants to claim their bugs as intellectual property that must be protected.
posted by pwnguin at 5:54 PM on August 11, 2015 [3 favorites]


It is possible to write Javascript in the URL field of the Oracle blog

Ah, ha ha ha. And yes, before they even ask, my son's last name is in fact ); DROP TABLE Students; --
posted by Joey Buttafoucault at 6:00 PM on August 11, 2015 [10 favorites]


Fiery the reverse engineers fell; deep thunder rolled around their code; burning with the fires of EULA.
posted by Brocktoon at 6:21 PM on August 11, 2015 [2 favorites]


grahamparks: "Have you read her post? She's talking specifically about tools that decompile Oracle's software to do that analysis."

Part of the problem is that she keeps using the term "reverse engineering" when she really means "decompilation". "Reverse engineering" is generally a much broader term that includes things like black box testing which couldn't realistically be prohibited, even by Oracle's formidable army of lawyers. And yet, she goes so far as to straight-up define reverse engineering as decompilation in the first question of her Q&A section.

grahamparks: "She's quite specific about the quality of vulnerability reports Oracle receives, and the reason they believe most of them are pointless."

There's a kernel of an actual good blog post in there (namely, "Quit sending us your useless static traces") but it's wrapped up in multiple layers of badness. So many layers. There's unnecessarily alienating sarcasm ("Bug bounties are the new boy band"), logical fallacies (we don't pay for bug bounties because only 3% of our vulnerabilities are found by external researchers), questionable assertions ("the key to whether a suspected vulnerability is an actual vulnerability is the capability to analyze the actual source code"), hubris in their own bug-finding abilities, self-righteousness about their shitty license terms, the overall paternalistic "we know best so don't you worry your pretty little heads about security" attitude, a hilariously gratuitous and uninformed dig at Keynesian multipliers (WTF?), and so on...

If you dare, you can dive into her blog archives and see that this article was not a one-time slip-up. Her writing is basically like this all the time on that blog. In particular, she seems to have a real grudge (going back years) against third party analysis of Oracle's stuff.
posted by mhum at 6:39 PM on August 11, 2015 [26 favorites]


Huh, I'd assumed the User701213-Oracle byline on the blog post was a bug associated with the archive. I had no idea her entire blog is authored by that mellifluous name. I'm trying to imagine the conversation in Oracle HQ:

Sir! That custom blog engine you ordered is almost ready. There's just one bug.
What's that, peon? This project took too long already!
Well, instead of normal human names the author's name is basically the database primary key.
Who cares, ship it! We're a database company, not WordPress!

I mean seriously, good on Oracle for having a blog where some senior executive writes unfiltered. I'll even forgive the weird informal style as an attempt to be one of the fellow kids. But to not even bother getting the bylines correct?

Maybe it's some sort of weird joke? Some of the other blog posts have proper bylines. Although then there's "Bertrand Mattheli�-Oracle", complete with Unicode error, so Oracle's corpcomms can't be assed to get that right either.
posted by Nelson at 7:04 PM on August 11, 2015 [11 favorites]


I think the User701213-Oracle byline is a secret message from a developer lost deep in the bowels of the corporation trying to tell us, for the love of God, don't use Oracle software because it's crap.

Is their customer support ticket system still Flash-based?
posted by cosmic.osmo at 7:13 PM on August 11, 2015 [3 favorites]


Oh and hey, here she is giving a very odd talk [YT] at an evangelical IT security (yes really) conference:

My takeaway from it is that hackers need to submit to the biblical authority of deciders. Or something?
posted by xthlc at 7:23 PM on August 11, 2015 [3 favorites]


That just kept getting more and more entertaining.

Oracle customers should tell her that they've put in place an assurance program for preventing "reverse-engineering" of Oracle software and good news, 99.9̅% of uses of the software do not result in it being reverse-engineered, so they're actually far better at complying with that section of the license agreement than Oracle's assurance program is at finding bugs.
posted by XMLicious at 7:42 PM on August 11, 2015 [3 favorites]


xthlc: thanks for the great find. Perhaps she should've remembered her slides which read:

On security by obscurity: “Nothing is covered up that will not be revealed or hidden that will not be known.” Luke 12:2
posted by whisk(e)y neat at 8:05 PM on August 11, 2015 [2 favorites]


Would be terribly ironic if the press release insider trading hacks were made against Oracle databases.
posted by destro at 8:54 PM on August 11, 2015


I think the most toxic environment I encountered online before the emergence of the schmamergate assholes was the Oracle message boards. "Fuck you, read the documentation, it's so obvious" must have been a good 65% of their content.

I wonder if people think they get points for complaining about open source software? There was a book I read recently that spent a good chunk of one chapter bitching about it, I think that might have been right after the one that made it obvious they had no idea how TCP/IP worked as they proposed a new and magical internet. I finished the book but only out of spite.
posted by fifteen schnitzengruben is my limit at 9:26 PM on August 11, 2015 [3 favorites]


you don't have to buy shit to download and run under a developer license, which includes:
Further, You may not:

...cause or permit reverse engineering (unless required by law for interoperability), disassembly or decompilation of the Programs; and

disclose results of any Program benchmark tests without Oracle’s prior consent.
this language is in all the licensing options. so whatever your preference about how things should be, this is the agreement.

(I'm a fan of third-party penetration testing - not advocating for Oracle's POV at all. also, yes, she is a clueless, tactless, idiot.)
posted by j_curiouser at 9:33 PM on August 11, 2015


This is anti-intellectual in an interesting way. First the author discounts theoretical vulnerabilities, everything needs a complete test case. Second, the author essentially writes off theoretical economics because it's difficult to point out instances of .

Oracle's claim to poverty that low quality reports of security flaws would force misallocation of resources to handle them is absurd. What really shines through is that Oracle is confident that the security vulnerabilities in its products are more of a risk for its customers than they are for Oracle.

I feel like it's too facile to write this off as "faith based security." There's a lot going on here to allow you to be that sanguine about other people's risk. I don't think this can really be understood without the larger context of intellectual property madness which Oracle seethes with. Customers don't deserve to know about security vulnerabilities, because they don't deserve to know how Oracle's products work.
posted by ethansr at 9:57 PM on August 11, 2015 [1 favorite]


There's a kernel of an actual good blog post in there (namely, "Quit sending us your useless static traces") but it's wrapped up in multiple layers of badness.

Absolutely. If large numbers of companies are truly hiring overpaid security consultants to run some static analysis tool against Oracle software, produce a 400 page report of whatever nonsense the tool spat out without reading it, and are submitting that to Oracle screaming "omg security risk! security risk!", then that's not particularly helpful behavior and would get annoying for a CSO.

But this blog post goes so far beyond that into the land of the insane. It basically insists over and over again that nobody outside the company has any business thinking critically about Oracle's security practices because they are so good, they know about all the vulnerabilities already anyway, a preposterous statement when made by the person responsible for Java's security.
posted by zachlipton at 10:23 PM on August 11, 2015 [2 favorites]


ThreatButt's take is, as usual, on point.
posted by idiopath at 10:26 PM on August 11, 2015


I kind of get where she's coming from. Microsoft has a policy of always fully investigating every bug report, because even if it's very low quality, unreproducible, incomprehensibly written, etc., if they do nothing and it turns out to be legitimate, the security researcher who originally filed the low quality report is going to be marching straight to the media to claim credit and blast Microsoft for ignoring the report from years ago that hinted that there might be an issue in this general area. And they get tons of low quality reports that end up pointing to no vulnerability at all (most of the time, "exploits" that only work if you have admin access to the machine already and don't escalate your effective permissions whatsoever).

I would be very sympathetic if the CSO had written a blog post bemoaning the crappy security reports that Oracle no doubt has to deal with all the time. But, unfortunately, as much of a pain in the ass it is, Microsoft's approach is the correct one. You have to welcome security reports and take them all seriously. You're just not going to find all the vulnerabilities on your own, and I question the judgement of a C-level executive who isn't working with the code daily that thinks that you can.
posted by zixyer at 10:30 PM on August 11, 2015 [5 favorites]


Oops. Checking that twitter link now shows me writing pseudo-pr0n about a virtual machine. Apologies if I've just made that link NSFW for anyone... :/
posted by sodium lights the horizon at 2:29 AM on August 12, 2015


There are a few caveats around that prohibition but there isn’t an “out” for “unless you are looking for security vulnerabilities in which case, no problem-o, mon!”
Oof.
posted by We had a deal, Kyle at 8:30 AM on August 12, 2015


so whatever your preference about how things should be, this is the agreement.

Just because Oracle slapped a legalistic clickwrap license on a download doesn't mean it's enforceable. The real reason this blog post got so much mockery is that she claims way more intellectual property rights for Oracle than actually exist in the law. The details of what kinds of reverse engineering are legal where and when are extremely complicated and unsettled. User701213-Oracle doesn't get to make up her own interpretation of copyright law.

(See also: Javascript files for public spec protocols that contain a few constants. And yet are marked TRADE SECRET CONFIDENTIAL right in the download that their website sends to your browser.)
posted by Nelson at 9:20 AM on August 12, 2015 [4 favorites]

