Please stop poking holes in our cardboard security!
-
Bonus points for the CSO calling security researchers "security weenies".
-
and she is the Chief Security Officer at Oracle? Or does CSO mean something different these days?
-
Now the 4chan idiots are going to step up attacks against Oracle. For a "security" officer, she seems to be pretty ignorant as to how those weenies work.
(She is, however, correct that they are weenies.)
-
So basically, their stance on people reporting security flaws in their software is to say:
-
The funny thing is Raymond Chen sometimes complains about customers who panic and report non-issues as high priority security problems, too. The difference is:
-
Microsoft actually investigates every issue, just in case there's something to it, and
-
Microsoft doesn't send threatening letters to people trying to help them out.
Yes, it costs a lot of money they could otherwise be spending on improving the product. But no, there's no way of getting around it if you're a maker of widely-used software. Suck it up, Oracle, and get your guys investigating this shit.
(Also, as someone in the Ars article comments points out: it's pretty pathetic that Oracle has enough potential vulnerabilities that can be found using cheap off-the-shelf static analysis tools in the first place for this to even be an issue.)
-
-
Yes, it costs a lot of money they could otherwise be spending on improving the product. But no, there's no way of getting around it if you're a maker of widely-used software. Suck it up, Oracle, and get your guys investigating this shit.
Pretty much. The worst thing you can do when someone who purchases your software comes to you with what they think is a vulnerability (whether it is or not), is to tell them to fuck off and then threaten to sue them and the person that they perceive as trying to help them.
They need to put a leash on this fucking woman.
-
They need to put a leash on this fucking woman.
Is anyone under the impression that's not what the deleting of her post was? (or at least, step one of that process)
-
Maybe that's what she's trying to do. "Hmm, how could we make those nerds on the internet check our products for free? Oh, I know!"
-
Is anyone under the impression that's not what the deleting of her post was? (or at least, step one of that process)
Well, they are a little late on the leash. For making that post, openly criticizing and mocking paying customers, she should be shitcanned.
-
here in Google's Web cache; it's also been reproduced on SecLists.org in the event that Oracle gets Google to remove the cached copy
Why do people believe that Google cache lasts forever? Do they not know what a cache is?
-
The funny thing is Raymond Chen sometimes complains about customers who panic and report non-issues as high priority security problems, too. The difference is:
-
Microsoft actually investigates every issue, just in case there's something to it, and
-
Microsoft doesn't send threatening letters to people trying to help them out.
I am going to guess that #3 would also be, "He does not mock them, because they are the people who indirectly pay his salary".
-
-
Well, they are a little late on the leash.
Well, it is Oracle. It's not as if they move fast.
paying customers
Or, as she thinks of them, "potential pirates".
-
Why do people believe that Google cache lasts forever?
Nobody's going to care in a week (or so), probably, so as long as it lasts that long, that's good enough.
Plus, since it's mirrored, ... .
-
Or, as she thinks of them, "potential pirates".
They don't have anything worth stealing. They are the Entourage movie of software.
-
I am going to guess that #3 would also be, "He does not mock them, because they are the people who indirectly pay his salary".
No, he mocks them. Just anonymously.
-
Is anyone under the impression that's not what the deleting of her post was?
how did the post get past their PR department anyway? they should have one of those looking over their blogs just to prevent stuff like this!
-
No, he mocks them. Just anonymously.
Fair enough.
I am going to guess that #3 would also be, "He does not openly mock them on his blog, because they are the people who indirectly pay his salary. But they are probably still a running joke in MS corporate".
-
I am going to guess that #3 would also be, "He does not mock them, because they are the people who indirectly pay his salary"
exactly that.
he's not exactly the nicest in some of the more hysterical cases, but they are all investigated and he does show why it's not a vulnerability in every case he's posted to his site. (i love how often "it rather relied on being on the other side of this airtight hatchway" shows up in his blog)
-
they should have one of those looking over their blogs
What, and have power and/or oversight over a C-level exec? Pfft.
-
Obviously they need to hire a better CPROOCLE
damn, so close to fitting ORACLE into that acronym
-
..... right. forgot about that.
well they should have the brass monkeys to do that anyway! C*Os have way too much unregulated power as it is!
-
What, and have power and/or oversight over a C-level exec? Pfft.
If they had good C-levels, yes. Hell, my wife has say over the C-Levels of the corporation that she works for. "C-Level" does not mean "unaccountable", not in a sane corporation.
-
If they had good C-levels, yes. Hell, my wife has say over the C-Levels of the corporation that she works for. "C-Level" does not mean "unaccountable", not in a sane corporation.
lucky...
well maybe not. i guess it could be that it's just the ones we hear about in the news that aren't sane corps.
-
-
To play devil's advocate, I have the feeling that what she was trying to say is "reverse engineering our code results in too many false positives to be worth it, so stop doing it because it's a waste of time for both of us". Which is still debatable, but more reasonable than "stop checking our code for vulnerabilities".
But this line of the original post made me a bit angry:
"please comply with your license agreement and stop reverse engineering our code, already"
Look, lady, you have exactly zero moral right to stop me from reverse engineering any code I want. It doesn't hurt you or anyone. Sure you have legal right to demand that, which is why I'd never admit to doing so in the first place, but that's it.
-
I am going to guess that #3 would also be, "He does not mock them, because they are the people who indirectly pay his salary".
He actually does kind of mock them, at least the ones that are obviously "wrong side of the airtight hatchway". (An admin can hex-edit an EXE!)
He doesn't do it by name of course because he's not an asshole.
-
lucky...
well maybe not. i guess it could be that it's just the ones we hear about in the news that aren't sane corps.
Her technical title is "Executive Director of Talent Management and Recruiting". What is that? E-Level? Fuck if I know, but it is hard to fit on a business card.
A few months ago they had an HR issue where a key talent really fucked them. He was also a person that the CEO made into the talent that he is today. CEO was furious and went on a small tirade about all of the things he was going to do. She listened, let him finish, and then told him why they weren't going to do any of those things (because the media would have had a heyday with it, and it might have ended up a blurb on here) and they intentionally kept him away from media for a little while.
So yeah, the insane ones are the ones you hear about. There are some good ones out there though. Hell, he visited us after our son was born and brought flowers and a stuffed animal for the new little fella.
-
Sure you have legal right to demand that, which is why I'd never admit to doing so in the first place, but that's it.
I'm not sure if that even would hold in court if challenged...
-
It's Civil Court, and even then only contract law.
Oracle doesn't want these going to court, because they risk a bad precedent. ("Your EULA is ass, and nothing in it makes sense, get the fuck out of here.")
It would have to represent a severe financial penalty to Oracle before they'd be stupid enough to take any of these customers to court over it. They could cancel software licenses, though.
-
(i love how often "it rather ~~relied on~~ involved being on the other side of this airtight hatchway" shows up in his blog)
FTFY
-
It probably will not hold. This is not reverse-engineering to steal intellectual property, rather to find defects.
More like car manufacturers with a clause that restricts your right to check the safety of your vehicle by an independent contractor. That clause itself could be in violation of any limited liability statement in the same license.
-
TIL static analysis gives you access to the source code.
-
FTFY
I am shamed by my misrecollection of that classic quote.
I shall forthwith perform the only rite that can restore my honour.
... now where did i put that seppuku* knife?
* Seriously chrome? you think that is Giuseppe?!
-
If they had good C-levels, yes. Hell, my wife has say over the C-Levels of the corporation that she works for. "C-Level" does not mean "unaccountable", not in a sane corporation.
Corporate culture often reflects the top executives. With a psychotic micro-manager like Larry at the helm, how could Oracle possibly be sane?
Seriously, he's more reviled than every other IT CEO combined, and for good reason. Just because a nut with an Ayn Rand fetish hates the company doesn't mean the company doesn't deserve the ire of saner folks. Hopefully things will change for the better now that he's stepping down, but I won't hold my breath.
-
Obviously they need to hire a better CPROOCLE
damn, so close to fitting ORACLE into that acronym
Outside Relations Adviser to Chief Level Executives.
-
More criticism of Mary Ann Davidson, from 2005.
-
(i love how often "it rather relied on being on the other side of this airtight hatchway" shows up in his blog)
BTW, you did know he has a couple of articles here, right?
-
Obviously they need to hire a better CPROOCLE
Woulda been more fitting if you could've spelled COPROCLE.
-
TIL static analysis gives you access to the source code.
Nonsense--she said right in the post people see the result, not the source.
-
-
OTOH, I've seen a pretty good Java decompiler somewhere.
-
OTOH, I've seen a pretty good Java decompiler somewhere.
The one that comes with the JDK is cromulent if you have any real experience with assembly language of any kind. Simple, unobfuscated bytecode isn't actually all that hard to translate back into Java, either.
I would expect Oracle's code to be obfuscated, though.
-
That's not a surprise. You might lose variable names and some of the Java 5+ niceties like for-each loops and generics, but otherwise bytecode should be a one-to-one mapping with the Java source.
-
No optimizations before byte code, really?
-
The real WTF is this wikipedia entry she had before this started
"had" because she's being purged from the internets.
-
It seems likely that if one were to look at the edit history, one would discover the hagiographic portions of that page came from the oracle.com domain.
I don't think wp moderates articles until people complain.
-
It seems likely that if one were to look at the edit history, one would discover the hagiographic portions of that page came from the oracle.com domain.
I don't think wp moderates articles until people complain.
It's obvious she wrote her own ass-kissing article. It was just hilariously delusional.
Going back in time...the user https://en.wikipedia.org/wiki/User:Tqbf created the majority of the article sneakily. He copied and pasted it from his namespace.
-
It's obvious she wrote her own ass-kissing article.
That's what I meant (or she had a PR flack write it for her, which is close enough to the same thing for our purposes).
-
BTW, you did know he has a couple of articles here, right?
how do you think i found him? i may only have joined forums last year but i've been reading for much longer.
-
how do you think i found him?
That's kind of funny. I found this site via Raymond. (IIRC.)