Oracle's chief security officer, Mary Ann Davidson would like to get rid of all the reverse-engineering security 'weenies.' She wants you to know that static analysis is Oracle's job, not yours, and that looking for security vulnerabilities in this way breaks the license agreement.
At which point, the Internet exploded. The blog post in which she gave Oracle's position on this point got variously called "arrogant," "holier-than-thou," "petty," "condescending," "idiotic," "childish," "scolding," "dumb," and "whining." Soon after, it was deleted.
I actually feel sorry for Mary Ann -- there was in fact an interesting point in her blog post, but unfortunately, it was buried inside paragraphs of vitriol.
In IT Blogwatch, bloggers break out the popcorn. Not to mention: You were working as a waitress in a cocktail bar...
Your humble blogwatcher curated these bloggy bits for your entertainment.
Sean Gallagher can't believe his eyes:
Mary Ann Davidson...is tired of customers performing their own security tests on Oracle software. [She] scolded customers who performed their own security analyses of code, calling it...a violation of Oracle's software licensing.
Reverse engineering [is] explicitly verboten by Oracle's world-famous software licensing terms.
The post was up for less than a day before it was unceremoniously deleted. But there are still other missives about meddling customers...from Davidson on Oracle's blog...in which she refers to security professionals as "security weenies."
And Charlie Osborne realizes she's not alone:
I do not appear to be the only one this afternoon absorbing [Davidson's] words of wisdom while switching between copious amounts of eye-rolling and outrage and laughter.
Perhaps [it was] wine-fuelled [but] the executive isn't happy. Looking at vulnerability reports and chasing after customers who break licensing agreements...is wasting the security team's time. ... Well, security researchers could always just sell on zero-day vulnerabilities over the black market or release them online instead, would that be a better alternative? The Oracle security chief isn't a fan of "boy band" bug bounty systems either.
The essay goes on, increasing the tempo in arrogance and a holier-than-thou attitude. But, ad nauseam, Oracle appears to want to make it quite clear the company knows best.
But Oracle CSO Mary Ann Davidson does actually have a point. However, it's buried in some seriously bad comms-karma:
Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. <Insert big sigh here.>
There is so much more to assurance than running a scanning tool. ... Why am I bringing this up? ... I don’t want more rounds of “you broke the license agreement,” “no, we didn’t,” “yes, you did,” “no, we didn’t.” I’d rather spend my time, and my team’s time, working on helping development improve our code.
I’m not beating people up over this merely because of the license agreement. ... I do not need you to analyze the code since we already do that...we are pretty good at it. ... If there is an actual security vulnerability, we will fix it. ... Running a tool is nothing, the ability to analyze results is everything. ... The key to whether a suspected vulnerability is an actual vulnerability is the capability to analyze the actual source code.
We will allow for different religious traditions and do it OUR way – and others can do it THEIR way. ... We ask that customers not reverse engineer our code to find suspected security issues: we have source code, we run tools against the source code (as well as against executable code), it’s actually our job.
So Thomas Shaddack isn't sure whether to laugh or cry:
And we...are expected to do what? Obey? Does she really think that anybody will listen to her petty demands, at least without laughing afterwards?
How did somebody with such attitudes about security make it to a CSO position?
And Rob Graham sees a pattern here:
Yet again Oracle proves you'd have to be an idiot to trust their products.
Oracle is...in Washington DC...pushing for the harsh punishments of security researchers.
Oracle's legal threats for security researchers who "reverse engineer" their products are just part of a larger war on researchers.
C-level officers have no personal opinions.
Then an Oracle EVP, Edward Screven, said sorry:
We removed the post as it does not reflect our beliefs or our relationship with our customers.
Meanwhile, this /.er feels the need to choose anonymity:
While the tone of the piece is more than a little condescending, there's an actual issue here. [Some] people...are the security equivalent of script kiddies. ... ZOMG I ran it against your code and it found issues! ... Vendors really do run these kits against their code, so most of the time anything that isn't a false positive is a known issue.
I don't really blame someone who works in security for feeling frustrated that this small subgroup of customers continues to flood inboxes with "bug reports" that often they themselves don't understand.
That said, this is an absolutely idiotic tone to take:...childish...scolding...a seriously dumb way for a company to...communicate.
As does this one:
Yes, in reading it I found there was a reasonable point in there somewhere.
Too bad it was buried under a ton of condescension and whining.
You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don't have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or firstname.lastname@example.org. Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.