
“Stop reverse engineering our code” - hughstephens
https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t
======
kabdib
Wow. Really?

This single blog post is strong evidence for why you should never, ever buy an
Oracle product, and if you are running anything written by them, why you
should plan to migrate away.

Now, the culture of consultants in the Oracle sphere of influence is pretty
toxic and money-grubbing. I can imagine companies being badgered into paying
security weasels big bucks to analyze software with tools that cough up a
zillion false positives, whereupon the weasel looks like a hero and is paid a
bunch of cash, the customer panics and demands that Oracle fix a pile of non-
existent vulns, and some department buried inside Oracle doesn't know how to
deal. Whereupon the weasel skates off to another company to run the same scam:
rinse, repeat, and this blog post.

In which case Oracle should simply call it out: "Please don't send us crappy
automated scanning tool reports from the shitty security weasel consultant you
hired because those reports are useless, and the same weasels have been
sending identical ones in, monthly, for _years_, and you are being ripped
off." But Oracle never passes up the opportunity to express contempt for its
customers, nor can it admit to being wrong.

Better to avoid that whole ecosystem.

~~~
bmir-alum-007
Stanford was taken to the cleaners to the tune of $1.5 x 10^8 USD in the
deployment of Oracle Financials and related products via endless "consultant
implementation" charges that didn't really deliver much value, were rarely on
schedule or on budget. Oracle's enterprise calendaring program was totally
inadequate and had UX that made most point-of-sale systems look effortless by
contrast. Also, the assets managing app, Sunflower, was another dud. The only
thing Oracle Database had going for it was no crippling license activation
(license scofflaws are/were sued or fined into oblivion worse than M$FT),
which one could say was equivalent to MS SQL. Unlike MS SQL, Oracle DBMS
has/had bazillions of support patches to apply to run a real production box,
analogous to the previously separate Sun's Solaris patchsets.

Btw: For smaller enterprisey shops, either MS SQL or Postgres is the way to
go. Often multiple similar components are needed because different apps have
firm requirements that only support one or another; but generally try to avoid
this because supporting too many heterogeneous components is expensive
(laborious)... hence the prevalence of local "standards." Deploying everything
with cfengine3 or puppet can help reduce the manualness and nudge vendors into
repeatable, idempotent deployments rather than clicking on inane GUI
installers like an animal.

ProTip: Don't let consultants "provide" oversight / free rein for their own
projects, budgets, etc., that's like the wolf guarding the henhouse. The
client must hire their own project managers, have clear
accountability/authority paths to their management and know exactly what they
need (avoid endless upselling). Or lots of money will be transferred from
idiots to crooks (enterprise caveat emptor).

Edit: fixed grammar

~~~
jtreminio
> to the tune of $1.5 x 10^8 USD

Was it really necessary to type it like that?

~~~
DarkIye
For general sanity: $150,000,000

~~~
victorNicollet
To be pedantic, 1.5e8 carries additional information about accuracy:
$150,000,000 ± $5,000,000. By contrast, 1.50e8 would be ten times as accurate,
and so on.

Of course, accuracy is hardly relevant here.

~~~
moron4hire
s/accuracy/precision

Sorry, I don't usually try to be pedantic, but when the conversation is
already about nitpicking, I think it's necessary.

Significant figures are precision, not accuracy. Accuracy is "being in the
ballpark". Precision is "tight groups".

~~~
victorNicollet
I'm sorry for the confusion. English is not my first language, and I resorted
to [https://en.wikipedia.org/wiki/Accuracy_and_precision](https://en.wikipedia.org/wiki/Accuracy_and_precision)
to pick between "accuracy" and "precision".

~~~
mikeash
To put it another way: "pi is exactly 3" is extremely precise, but not very
accurate.

~~~
tankenmate
The very next task of mine

is a new value of pi to define.

I think I'll use 3

it's much simpler you see;

than 3.14159

~~~
dredmorbius
You've simplified pi, that's fo' shore.

But rivalry says "level-up score".

With competitive drive,

It's yet higher I strive.

The value I'll use shall be four.

~~~
keithblaha
Well played

------
duncan_bayne
So, I disagree with the poster on a bunch of things here (no surprise,
really).

But: this is authentic. This is what we (i.e. hackers) are always claiming we
want. Someone speaking her mind, shooting from the hip, etc. Not an anodyne
blob of corporate-speak: this is an opinion, stated pretty clearly, and backed
up with fighting words.

You'd expect: "Our legal team has advised us to remind consultants that they
are bound by any and all terms and conditions to which their clients have ...
etc. etc. etc."

You get: "Otherwise everyone would hire a consultant to say (legal terms
follow) “Nanny, nanny boo boo, big bad consultant can do X even if the
customer can’t!”"

Here we have someone who clearly loves the company and the product with a
passion, defending both against what she sees (very wrongly, in my opinion) as
criminal misuse and waste of resources.

I'll take one of these posts and argue its merits any day, over a block of
mealy-mouthed corporate crap.

~~~
platinum1
You can be authentic and speak your mind without being arrogant, insulting,
and condescending.

In terms of tone, I wouldn't hold this up as a good example - it distracts
from any legitimate argument the writer may or may not have.

~~~
Udo
I think a lot of blog posts like these get triggered by some acute event which
pushed the writer over the edge, and it's expected this will shine through in
the text. The rest is probably due to living in an employer-typical bubble.

If I was an Oracle customer (which I will never, ever be) I would appreciate
the honesty. This honesty enables me to make purchase decisions as well,
better than megabytes of legalese would have. In this case it's not a really
surprising attitude given the company, but I really wish more vendors would be
as open about the nature of their intended relationship with their customers.

~~~
klean92
You cannot swear you will never be an Oracle customer. You buy a service from
a third party, the company gets bought by Oracle, you are a customer now. In
many instances in B2B systems, it is a lot more pain to migrate away than
sending a check...

~~~
Udo
Not sure jumping on such a _minor point_ is a productive use of our time, but
just for the sake of clarification: sure I can, personally. You have no basis
for disputing my intention. I have never in my life made a decision to
purchase a service that could only ever be provided by a single company, and
with good reason I believe. Over my contracting years, I have also gained
enough insight into the dynamics customers have with providers such as Oracle,
enough to avoid this kind of lock-in at all costs in my own decisions.

------
crypt1d
Seems like the original blog post was deleted, here is the archive -
[https://web.archive.org/web/20150811052336/https://blogs.ora...](https://web.archive.org/web/20150811052336/https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t)

~~~
bradleyankrom
Glorious. Somewhat surprised it was taken down, though.

~~~
OJFord
I'm more surprised it was posted!

(at least in ~current~ as-it-was form)

~~~
vetrom
I am not at all surprised that oracle would memory hole something that escapes
PR control.

~~~
DonHopkins
"Stop reverse engineering our blogs!"

------
Stratoscope
> Q. If you don’t let customers reverse engineer code, they won’t buy anything
> else from you.

> A. I actually heard this from a customer. It was ironic because in order for
> them to buy more products from us (or use a cloud service offering), they’d
> have to sign – a license agreement! With the same terms that the customer
> had already admitted violating. “Honey, if you won’t let me cheat on you
> again, our marriage is through.” “Ah, er, you already violated the
> ‘forsaking all others’ part of the marriage vow so I think the marriage is
> already over.”

What a thoroughly nasty comment. She is comparing _her customer_ with someone
who is cheating on their spouse. Disgusting.

~~~
juliangregorian
The scorn for customers in general is palpable. Why is Oracle even allowing
this person to be a voice for their brand?

~~~
wolfgke
> Why is Oracle even allowing this person to be a voice for their brand?

Because her text will probably only infuriate people that will arguably never
be Oracle customers?

~~~
throwaway7767
> Because her text will probably only infuriate people that will arguably
> never be Oracle customers?

As a sysadmin with customers who run oracle, and who put some stock in what I
say, I can say I am more likely to warn people away from oracle in the future.
While in some companies, tech purchasing decisions are made by suits with
little or no input from techies, that's not universal.

~~~
mhurron
If Oracle won't sic the sales people on your upper managers if they even get
wind that someone at the company wants to move away, you're just not a large
enough customer and Oracle doesn't give a shit if you move.

------
kriro
This is a marketing layup for any FLOSS ERP company (or the PostgreSQLs of the
world). Basically "by all means check our code for any issue you may find.
We'll gladly accept any suggestions for code improvements you may have."

This post is an absolute nightmare/facepalm. Basically my takeaway is "I guess
I don't want to buy Oracle software". It's really mind blowing that this is
the position of a major software company in this day and age. I mean I guess I
shouldn't be shocked since it is in the EULA but man I'm kind of speechless
(this clause has to be illegal in some countries, too).

Edit: as an aside, as a bad guy, this would make me very interested in reverse
engineering Oracle products. If they disallow it for their customers the
reaction times to any security issues will be lower and it will be pretty
valuable to find bugs in their products.

Edit2: Seems like the blog was cracked. At least the "About" on the side seems
to indicate that.

~~~
qznc
If you dump a 400 page output dump of some static analysis tool on a FOSS
project, not much will happen either. They will probably challenge you to find
the actual issues yourself and enter bug reports.

~~~
anarazel
Yes, agreed. Especially if, after checking out the first 100 or so, all of
them are false positives.

But the big difference is that it's realistic, allowed and in many cases
warmly welcomed if you submit actual problems.

------
quesera
Wow. _Someone's_ been hitting the Kool-Aid pretty hard.

I've seen this institutional hubris first-hand. The unshakable belief
(typically by nontechnical management) that all of the smartest people in the
world are employed _here_, working for _me_.

It always ends badly.

~~~
notacoward
Indeed, it does tend to end badly, and the best example is a company that
ended up being bought by Oracle. The arrogant tone of this post reminds me
_very much_ of the flurry of blog posts that came out when ZFS and DTrace were
first introduced. Remember "The Last Word in File Systems"? That kind of
arrogance, complacency, and impatience with interlocutors is mildly annoying
to developers elsewhere. It's more than annoying to customers, and to sales
people who feel unsafe pushing products whose developers continually undermine
them. That's why Sun is no more. Oracle might want to consider that before
they start relying on this kind of astroturf to convince anyone of anything.

~~~
dasil003
I don't think the particular kind of arrogance that Oracle has goes away
except by being killed. Heck even once the former sales guys are homeless
under a bridge I doubt they would see the connection, they'd still be spinning
yarns about when they worked for the greatest tech company ever.

~~~
notacoward
Ditto for the engineers. The kind of engineer who contributes to a culture
like that in the first place will also be constitutionally incapable of
accepting that their _own_ behavior contributed in any way to the demise.

------
dang
The submitted title ('Oracle CSO: ~“Only we can do security, trust us and do
not reverse engineer”') breaks the HN guidelines: it's editorialized (whatever
one thinks of the article), and it's a quote-looking-thing that isn't a quote,
so misleading.

Please don't do this. The HN guidelines ask you to use the original title. If
that's really not suitable, a subtitle or some representative language from
the article is ok. But putting your own spin on it is not ok. HN's goal is to
let readers make up their own minds, and for that we need accurate, neutral
titles.

We've changed the title to a representative phrase from the article, and can
change it again if someone suggests something better.

~~~
hughstephens
apologies, my fault.

------
dferlemann
This is exactly the problem with legality of RE and penetration testing. "You
broke the law by wasting our time, violating your license agreement." I
understand the author's points. Not very good points, disappointingly.

No matter how interpersonally she puts it, it makes me not ever want my system
to rely on a company that threatens and belittles customers for protecting
themselves.

If I bought a fridge for my house and found a listening device and a pinhole
camera in the fridge, just because the company has a clause saying I am not
allowed to open up the fridge, it doesn't mean I shouldn't.

Well, the company might have found the devices. Indeed, maybe there is nothing
customers can do until the company fixes it. To keep telling customers they are
not allowed to look for flaws is just ridiculous. Yes, it's your product, but
this is my home!

~~~
Thriptic
> Yes, it's your product, but this is my home!

My stance is that EULAs are bullshit, period. If you purchase a product, it is
yours, and no one should be able to dictate how you use it.

~~~
mhuffman
Unfortunately courts seem to not share your stance, it seems.

~~~
zyM7A6bQzJKBHnS
Courts of which country? There are a lot of countries out there, some of them
allowing reverse engineering (especially in Europe for example).

~~~
dferlemann
I read up on some of the DMCA stuff, it does seem to allow some degree of
reverse engineering in the U.S.

------
reacweb
Reverse engineering is legal in France for research and computer security
([http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTE...](http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000266350&categorieLien=id)).

~~~
dagw
Sure, but this is a contract matter between two private entities. Oracle can
still revoke your license for doing it.

~~~
lorenzhs
I'm pretty certain that national law takes precedence over what someone put in
a contract.

Example: It works like this for tenancy agreements in Germany. Your landlord
can say that you're not allowed to change the locks all they want, and even if
it's in the tenancy and you signed it, it's still null and void.

~~~
rhino369
> I'm pretty certain that national law takes precedence over what someone put
> in a contract.

Yes but only if the law says that you can't create a contract that signs away
that right.

For example, in the USA you can reverse engineer. Totally legal. But you can
also sign away your right to reverse engineer. That is what a contract is,
signing away your rights.

But the US could also pass a law saying it's illegal for a EULA to prevent
reverse engineering.

So just finding a law that says reverse engineering is legal, doesn't mean a
court won't hold you to a contract that prevents reverse engineering.

That said, it's probable that some countries have banned contracts that
prevent reverse engineering.

------
jaawn
I don't really see how a lot of the responses here match with the original
blog post. People seem to be airing a lot of long-standing grievances about
Oracle rather than responding to the specific post on its own. Viewed on its
own, the post can basically be summarized as "Please stop treating our
products like they are open source. They're not, and it is against the license
agreement to reverse engineer our stuff to find the source code."

A _lot_ of people think open source software is a much better methodology than
proprietary, highly-protected source code. That's fine, there are a lot of
good arguments there. However, it doesn't make sense to throw a bunch of
other, barely related insults at a company when really, all you're upset about
is that their code is not open source. Criticize _that_...that is what you're
upset about (at least so far as this specific blog post is concerned)

~~~
jpgvm
I don't think it's the lack of open-source code that is causing the grievances
but rather the tone of the blog post and the overall theme of "Our IP is more
important than your security concerns, no we don't care if you are a core
bank".

Microsoft, SAP, VMware all have closed source software that is very prevalent
in enterprise, often in entrenched positions just like Oracle. Sure they
aren't exactly all peaches either but at least they have a decent way of
responding to security problems or plain bugs.

They also don't wield their license agreement as a weapon against their
customers, they only use it to make sure they get paid.

~~~
jaawn
The blog post doesn't make me think of license-agreements-as-a-weapon.
Oracle's position is probably the strictest I've seen anyone be in favor of
software IP protection. They are not adversarial, they are supremely
protectionist (presumably because they think their software is so great that
other people want to copy it). That protection (possibly over-protection) is
the core of the disagreement, and the source of the article's tone and
inherent frustration on both sides.

Oracle thinks it is self-evident that protection of their source code is
paramount (i.e. as closed source as possible), other people disagree both with
their priorities and the very idea of absolutely forbidding any deep analysis
of any kind outside of Oracle itself. It still seems like a debate about the
degree to which the source code is "closed." For Oracle, it is absolutely
closed, while many of their competitors are more lenient (i.e. slightly less
"closed".)

To be clear, I think Oracle is being silly with their over-sanitized and
idealistic views regarding their intellectual property. The other companies
you mentioned (Microsoft et al) have much more reasonable approaches and
agreements.

------
macmac
The arrogance is titanic. And her legal team apparently forgot to explain to
her that certain jurisdictions permit reverse engineering and decompilation
under certain circumstances irrespective of what Oracle's license agreement
says.

------
owenwil
I laughed at this line where she tries to prove her point by touting that
Oracle already found a bug that a security researcher reported to them (but
wasn't fixed yet):

"(Small digression: I was busting my buttons today when I found out that a
well-known security researcher in a particular area of technology reported a
bunch of alleged security issues to us except – we had already found all of
them and we were already working on or had fixes. Woo hoo!)"

~~~
vacri
heh, 'alleged'...

~~~
ceejayoz
"They weren't real vulnerabilities, because we knew about them!"

------
azinman2
There are too many points to discuss... it's really quite insane especially on
the backs of Java exploit after Java exploit.

But what I really don't get is this bug bounty hateathon. If it's only 3% of
bugs (currently WITHOUT incentives like a bug bounty), then that's really not
that much money... and in return you get more cred, something you might use
for recruitment, and the off chance that you might increase that 3% versus
something going on the black market. Even more so, how much could this really
cost!? And Oracle has how much money?! If you can't spend that on a bug bounty
when your security is just so awesome as the post contends, then something
is really in trouble.

~~~
smoyer
The repeated Java exploits you're referring to are exposed when using Applets
in a browser ... This was conventionally recognized as a bad idea in about
2006. You simply shouldn't allow Applets to run - no matter what. I think
you'll find the rest of the Java platform more secure than most, especially
since the OpenJDK foundation was formed. I'm not here to defend Oracle in any
other way but they've done a reasonable job of advancing the Java platform
since it was acquired.

~~~
lsd5you
There is nothing wrong with signed java applets. There is no difference
between that and downloading and running (a signed) application.

~~~
mikeash
That's only true if Java's signature validation isn't vulnerable (or at least
is no more vulnerable than the signature verification for a normal OS).

Searching around, it looks like there was at least one vulnerability like
this, in which Java failed to check certificates for revocation, and at least
one exploit was found in the wild signed with a stolen, revoked certificate
that Java still accepted.

This is especially fun because Java at least _tries_ to sandbox unsigned
applets, but signed applets get a lot more privileges.

------
pkkp
Is it just me, or is the childish, mocking tone in the OP simultaneously
baffling and totally befitting of the point they're trying to make? I
understand that they're frustrated by the repeated submission of automated
security vulnerability reports, but blanketing it entirely as "reverse
engineering" and responding to it like this is... a strange approach.

Did someone at Oracle actually think that this was the best way to make this
point?

~~~
dantiberian
The previous post on the blog has a similar tone too
[https://blogs.oracle.com/maryanndavidson/entry/is_your_shell...](https://blogs.oracle.com/maryanndavidson/entry/is_your_shellshocked_poodle_freaked)

~~~
syncsynchalt
The formatting in that post is... interesting.

I'd blame the CMS before the author on that point though.

------
hgears
Original has been deleted, cached version available:

[http://webcache.googleusercontent.com/search?q=cache:ntXM0Rl...](http://webcache.googleusercontent.com/search?q=cache:ntXM0RlghUUJ:https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t+&cd=1&hl=en&ct=clnk&gl=us)

~~~
extc
And just in case:
[http://pastebin.com/raw.php?i=fAh2fcfn](http://pastebin.com/raw.php?i=fAh2fcfn)

------
EdwardDiego
> Generally, our code is shipped in compiled (executable) form (yes, I know
> that some code is interpreted). Customers get code that runs, not the code
> “as written.” That is for multiple reasons such as users generally only need
> to run code, not understand how it all gets put together, and the fact that
> our source code is highly valuable intellectual property (which is why we
> have a lot of restrictions on who accesses it and protections around it).

Your JDBC driver IP isn't that valuable, just give me the damned source code
so I can figure out why my Postgres copy out stream is blocking when I insert
it into your copy in stream.

/rant

------
WormyMcSquirmy
> Ah, well, we find 87% of security vulnerabilities ourselves, security
> researchers find about 3% and the rest are found by customers.

They admit more security vulnerabilities are found by customers than security
researchers and still they release this smug "fuck off" toned blog.

------
davidgerard
This is one of the finest pieces of Postgres marketing I can recall seeing in
recent times. They've made the case for open source better than anyone in
2015.

(We're in the midst of an Oracle->Postgres conversion right now. It's going
wonderfully. I strongly advise you to look into it, bet you'll find it way
easier than you think.)

(One of the nicest things about it: we give every app its own cluster of two
PG boxes, because you can just do that instead of running a centralised
monster box with an expensive license. It turns out that just _everything not
having to play nice with others_ makes stuff stupendously easier to manage.)

~~~
konradb
How do you arrange your PG clusters, are you using streaming replication?

~~~
davidgerard
Failover pair with a primary and standby. The primary streams write-ahead log
records to standby as they're generated. Some script gaffer-tape to watch for
primary failure and fail over. I think we haven't ever yet actually had to
invoke this though :-)

This was all cobbled together following the docs. There are almost certainly
better ways to do everything we've done so far.

The Postgres is just 9.3 out of the Ubuntu 14.04 repo. Oracle was STUPENDOUS
overkill for what it was actually being used for, but MySQL wasn't up to the
job.

The heavy lifting for the conversion is done using ora2pg
[http://ora2pg.darold.net/](http://ora2pg.darold.net/) Then there's a pile of
faff and twiddling and unit tests and so forth. See also
[https://wiki.postgresql.org/wiki/Oracle_to_Postgres_Conversi...](https://wiki.postgresql.org/wiki/Oracle_to_Postgres_Conversion)

~~~
konradb
Sorry for late reply, thanks for the info! Interesting to see what others are
doing.

------
gizi
I like it that Oracle openly publishes this kind of blogs. I would personally
never work for a company which expects me to develop anything using Oracle
gear. It's simple. I can always find another company that doesn't and that
pays the same or better. That is also why I suspect that someone who works in
those circumstances really has to, because he has no other options.

------
lorenzhs
To me, this reads like a post explaining the benefits of free software by
demonstrating the disadvantages of using proprietary systems. A bit hyperbolic
at that, though.

RMS would have a field day.

------
sqldba
It sounds like they've confused a) users submitting results from static
analysis that wastes time, b) users submitting demonstrable vulnerabilities,
and c) license agreements.

a) is bad, and the users should just be turned away. b) is good and far better
than selling them on the black market. c) is... who cares it's a license
agreement.

~~~
madaxe_again
She's mostly focussed on (a), it seems, and I can understand the frustration -
all too often we get lengthy missives from client consultants along the lines
of "Ran scanning tool. Suggests that the version of PHP.net you are using is
vulnerable to LSASS and STUXNET vulnerabilities, our client is terrified, pay
me off to make the pain go away." We get a genuine vulnerability reported once
in a blue moon.

(b) is good, but her point that them spending their time doing static analysis
of oracle's software is a monumental waste of time is perfectly valid, if
their root password is password and the firewall is just some sheetrock in the
basement.

------
idlewords
Can some infosec person speak to her strongest claim, that static analysis
gives "basically 100% false positives" and wastes the team's time?

~~~
notacoward
The statement itself is basically 98% false. I've been a Coverity user since
very early days, and have used a few other static-analysis tools as well.
Every such tool that I've seen runs multiple separate kinds of checks. Yes,
the false positive rate for some of those checks can be alarmingly/annoyingly
high. OTOH, any software developer with half a brain can see that other checks
are much more accurate. Some are darn near impossible to fool. If you focus on
those, you can find and fix a whole bunch of real bugs without too much
distraction from false positives.

Her statement gains 1% truth because Oracle might already have picked the low-
hanging fruit, and any more reports they get really are full of chaff. I find
this unlikely, but it's _possible_. She gets another 1% for this.

> A customer can’t analyze the code to see whether there is a control that
> prevents the attack

That's actually a pretty decent point. Anyone who has actually studied static-
analysis reports for any length of time has probably encountered this
phenomenon. For example, you might find a potential buffer overflow that's
real _in the context of the code you analyzed_, but the index involved can't
actually be produced because of other code that you didn't. Or maybe a certain
combination of conditions is impossible for reasons related to a mathematical
property that has been thoroughly vetted but that the analysis software
couldn't reasonably be expected to "know" about. Ironically, these kinds of
"reasonable false positives" tend to show up more in _good_ programmers' code,
because they're diligent about adding defensive code handling every condition
- including conditions that aren't (currently) possible. In any case, while
it's a good point, it's applicable rarely enough that it doesn't really
support the author's broader position.
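
The two patterns described above, as a constructed C illustration added here (not code from the thread or from any Oracle product): a lookup whose bounds are enforced only in a caller the analyzer may never see, and a variable written and read under the same condition, each beside the defensive form that makes the invariant local to the access. The function names and the severity table are assumptions for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed illustration (not code from the thread or from any product).
 * Two classic "reasonable false positives" and the defensive forms that
 * make the invariant visible where the access happens. */

#define N_SEVERITY 4

static const char *const severity_names[N_SEVERITY] = {
    "info", "low", "high", "critical"
};

/* Pattern 1: array indexed by an unconstrained parameter.
 * Analyzed in isolation, `idx` can be anything, so a checker reports a
 * possible out-of-bounds read here. */
const char *lookup_unchecked(int idx)
{
    return severity_names[idx];
}

/* The only caller reduces the code modulo N_SEVERITY, so `idx` is always
 * within bounds; the invariant lives in code the analyzer may never see. */
const char *severity_of_code_unchecked(unsigned code)
{
    int idx = (int)(code % N_SEVERITY);   /* 0 <= idx < N_SEVERITY */
    return lookup_unchecked(idx);
}

/* Defensive form: the bounds check sits next to the access. The finding
 * disappears, and a future caller that passes an untrusted index gets
 * "unknown" instead of an out-of-bounds read. */
const char *lookup_checked(int idx)
{
    if (idx < 0 || idx >= N_SEVERITY)
        return "unknown";
    return severity_names[idx];
}

const char *severity_of_code_checked(unsigned code)
{
    return lookup_checked((int)(code % N_SEVERITY));
}

/* Pattern 2: a "possibly uninitialized" finding from two conditions that
 * are in fact the same. `len` is written only when has_payload is set and
 * read only when has_payload is set, but a checker that does not correlate
 * the two branches reports a possible read of uninitialized memory. */
size_t payload_len_correlated(const char *payload, int has_payload)
{
    size_t len;
    if (has_payload)
        len = strlen(payload);
    if (has_payload)
        return len;
    return 0;
}

/* Defensive form: a single branch, and `len` has a value on every path;
 * the NULL check also covers a caller that sets has_payload by mistake. */
size_t payload_len_checked(const char *payload, int has_payload)
{
    size_t len = 0;
    if (has_payload && payload != NULL)
        len = strlen(payload);
    return len;
}
```

The checked variants cost one comparison each and turn a finding that needs whole-program context to dismiss into one that any reviewer, or the tool itself, can confirm locally.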

~~~
tptacek
This is diametrically the opposite of my experience with source code scanners.

I think the impedance mismatch here might be that you're a software developer,
and we're talking about security teams.

I don't know that anyone is arguing that static analysis is useless for
developers. If you're intimately familiar with the code you're working on,
there are probably a lot of ways to make static analysis results both valuable
in every edit/compile/debug cycle, _and_ an important part of your team's
release process.

But when you're close to the code, it's easy to forget how much of the tool's
output you're ignoring (either literally, by just skimming past findings you
know don't matter, or implicitly, by configuring the tool to match your
environment or subtly changing your coding style to conform to Coverity's
expectations).

Security teams can't generally do this. They're stuck with the raw output of
the barely-configured tool. The results of static analysis in these
circumstances are nonsensical: memory leaks, uninitialized variables, race
conditions, tainted inputs reaching SQL queries, improper cleanup of sensitive
variables, 99.9% of which aren't valid findings, but all of which look super
important, especially if you're a consultant with 6 months of experience
charging $150/hr to run Fortify on someone else's code, then petulantly
demanding a response for every fucking issue the scanner generates.

They're fine dev tools, but they are _terrible_ tools for adversarial
inspection, which is what Davidson is talking about.

~~~
notacoward
If somebody's paying a consultant hundreds of dollars an hour to run a static
analysis tool and forward the output, without applying a developer's skills in
between, they've been defrauded. Static analyzers are coding tools, much like
compilers. Their input is code. Their output is pointers to code. True
adversarial analysis, or any other endeavor involving static analysis,
requires something extremely close to a coder's skill set. I guess if I
believed otherwise then I might be tempted to take Davidson's side too, but
that's not the case.

~~~
tptacek
Now you see where she's coming from.

------
ikeboy
> We will also not provide credit in any advisories we might issue. You can’t
> really expect us to say “thank you for breaking the license agreement.”

Well, Apple does (for jailbreak exploits).

> I am not dissing bug bounties, just noting that on a strictly economic basis,
> why would I throw a lot of money at 3% of the problem

Uh ... You don't think that percentage will increase if you offer bounties?

~~~
XMPPwocky
> > I am not dissing bug bounties, just noting that on a strictly economic
> > basis, why would I throw a lot of money at 3% of the problem
>
> Uh ... You don't think that percentage will increase if you offer bounties?

And if it doesn't, well, they don't pay out much. It's not like bug bounties
consist of just throwing money at random people and hoping they find vulns;
you pay for results. That's sort of the point.

------
HelloNurse
The post seems real, by comparison with other articles in the blog: in
particular similar silliness and dislike for security advisories in
[https://blogs.oracle.com/maryanndavidson/entry/is_your_shell...](https://blogs.oracle.com/maryanndavidson/entry/is_your_shellshocked_poodle_freaked)
and similar anti-reverse engineering stance in
[https://blogs.oracle.com/maryanndavidson/entry/mandated_thir...](https://blogs.oracle.com/maryanndavidson/entry/mandated_third_party_static_analysis)
and
[https://web.archive.org/web/20140123033110/https://blogs.ora...](https://web.archive.org/web/20140123033110/https://blogs.oracle.com/maryanndavidson/entry/those_who_can_t_do)

------
denwer
Is that post for real?
[https://twitter.com/dinodaizovi/status/630972473945817088](https://twitter.com/dinodaizovi/status/630972473945817088)

~~~
idlewords
If you read her previous posts you'll see it's the exact same tone and writing
style. I think the claims of hacking are a way for people to express their
incredulity and not meant seriously.

~~~
nvader
I hope you didn't "reverse engineer" her blog post. She's going to call up a
judge and say "Nanny Nanny, Boo boo." (her own words).

But in all seriousness, if the Chief Security Officer of Oracle sounds like
the letters to the editor of my University Paper, why doesn't a company that
big have someone from PR edit or co-write her posts?

~~~
idlewords
One terrifying possibility is that this is the edited, watered-down version of
something even worse.

My guess is that she's senior enough to veto attempts to salvage her prose.

------
eastbayjake
When I read this, I thought for sure it was just a lower-level engineering
manager. I can't believe she's the _Chief Security Officer_, and that someone
with a Wharton MBA could write something so unprofessional and full of disdain
for your customers.

------
charltones
There is just no upside to this kind of response. Surely for any tech company
that has reached a certain size, the only workable approach is to recruit an
appropriately sized security team and politely welcome and respond to each and
every security report received, triage them as quickly as possible and fix the
ones that are found to be real vulnerabilities. Even if you aren't happy with
the motives or the methods they employ, they are potentially finding flaws in
your products for you.

------
selimthegrim
Is this woman aware that static analysis is a non-negotiable requirement for
filing your 510(k) if you do anything vaguely medical the FDA has to look at?
Not that I would willingly choose Oracle for medical device applications, but
the cognitive dissonance here is amusing. Pax vobiscum indeed.

~~~
Sanddancer
They do use static analysis. However, they do not let third parties analyze
their source code. Which shows even more hubris, because they're all but
saying, "only we're smart enough to analyze our code."

------
DannyBee
Except, uh, in plenty of countries, those anti-reverse engineering clauses are
void as a matter of public policy.

And in any product that uses LGPL code, for example, it's actually a license
violation to forbid customer modification and reverse engineering for the
purpose of debugging those modifications.

(Though, admittedly, everyone always violates this term)

------
jjoos
> I am not dissing bug bounties, just noting that on a strictly economic
> basis, why would I throw a lot of money at 3% of the problem

Aren't the issues not found by Oracle the problem? I'm amazed that still 23% of
the externally found security issues are reported by researchers, the
incentive to responsibly disclose security issues to Oracle isn't really big.
It sounds like a cumbersome process with potential legal consequences.

There also are researchers (maybe after a first bad experience with an
EULA) that sell security issues to the grey/black market. Is there any data
on how many Java zero days are exploited in the wild before being fixed?

Changing your stance and being grateful for responsible disclosures and only
using your EULA to threaten and sue the _bad_ people can potentially save
_everyone with Java installed_ from a few zero days at zero cost.

~~~
jackweirdy
I agree with that point, and think it hits at something bigger. Having a bug
bounty doesn't just say 'we give out money for bugs'. It also says 'we have a
thought-out programme for handling serious user-reported problems, and we
won't reprimand or dismiss you for sharing them'.

------
ck2
Don't worry, if you won't let your paying customers check for security holes,
there are plenty of people in China who are going to do it for you instead.

------
hownottowrite
Mary Ann Davidson's testimony on "cybersecurity" (2009)
[https://www.whitehouse.gov/files/documents/cyber/Congress%20...](https://www.whitehouse.gov/files/documents/cyber/Congress%20-%20Davidson-Oracle-SFR_10Mar09.pdf)

------
jurre
It seems to have been removed, here's a pastebin of the original post:
[http://pastebin.com/bbMshdU1](http://pastebin.com/bbMshdU1)

------
Ogre
Just today I was arguing for not moving something off of Oracle. No one's
really happy the thing in question is on Oracle, but it is live in production
and most of the time does what it needs to. It ain't broke. Changing to
"something else" carries way too many unknowns for my comfort level.

If I'd read this last night... I still would've argued the same thing, but I
would've been really unhappy about it.

------
16bytes
I read the blog, but now it's returning a 404? Did they take it down?

If so, then somebody at Oracle realized that post reflected poorly on their
organization. Perhaps there is some hope for Oracle yet.

~~~
fluidcruft
Their IT probably have an automatic preemptive policy of 404'ing any pages
that become "popular" -- any such content is pretty much guaranteed to
reflect poorly on their organization. False positives can always be waved away
by a euphemism for a transient technical error ex post facto.

------
lawnchair_larry
This explains so much about the sorry state of Oracle security. I hope
Litchfield lets loose on them again.

------
vlunkr
Whew. I've never read something from a company that was so insulting to its
own customers. I'd wager a bet that they won't be keeping their job for long.

------
Ben0xA
Oracle pulled the original post - here it is on pastebin
[http://pastebin.com/wkk8b7FJ](http://pastebin.com/wkk8b7FJ)

------
dr_zoidberg
While I admit that I didn't read the whole post (to me it was a wall of text
full of complaints going around the same point, always saying the same without
too much variation), I really don't get this obsession with reverse
engineering. Yes, their license agreement states that it can't be done. But
you deploy _code_, executable code, but still code. Code that people can
understand, if they go through the process of analyzing it.

While I don't endorse breaking the agreement (which was properly signed and
"celebrated", as lawyers say), I find it funny in the first place that they're
selling a glass container and say "you can't look into it, just use it".

I prefer the honesty of free software/open source projects that sell customer
support to this business model (which is also adopted by others, not just
Oracle). However, if I were already bound to it, and couldn't pay the cost of
migration, I understand I'd have to stick with it.

It's also amusing that people/organizations seriously believe they can reverse
engineer something as complex as a database engine and "fix it" without access
to the diagrams, docs, tests, source code, build environment, etc.

------
minusSeven
I worked in the Oracle SOA product (BPEL) for 2 years. We had to do a migration from
10g to 11g because Oracle wasn't supporting 10g version anymore. While
migrating we came across a lot of issues that worked fine with 10g but failed
in 11g. So we raised a lot of service requests with Oracle. Most of those got
rejected by Oracle as they were not high priority meaning there were terrible
workarounds existing for them. They only bothered fixing those ones without
which we can't work (I guess they had to or my company would have sued Oracle).
We ended up writing a lot of horrible workarounds just to make existing code
work.

Yes, we did not reverse engineer that code even though I feel it would have
done a lot of good for us. Not to mention the tool set provided by Oracle is
utter crap as in it barely works on its own.

So I am not at all surprised that Oracle has that kind of mentality here. In
all our communications with Oracle I felt they never really actually cared for
what we the customers really want. All they actually care about is protecting
their investments.

------
discreditable
Link is giving me a 404. Anyone got a mirror?

~~~
anglebracket
[https://web.archive.org/web/20150811052336/https://blogs.ora...](https://web.archive.org/web/20150811052336/https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t)

~~~
opless
Just in case a robots.txt kills that

[http://pastebin.com/rcPSyRnR](http://pastebin.com/rcPSyRnR)

~~~
hughw
Would archive.org typically honor a robots.txt for a resource it already
retrieved? I never understood the intent of a robots.txt to be retroactive.

~~~
mikeash
Apparently yes, it would:
[https://archive.org/about/exclude.php](https://archive.org/about/exclude.php)

------
trymas
Not sure if trolling/hacked or serious. If the latter, I guess many tech savvy
people (read 'hackers') will accept this as a challenge.

------
Orinocco
The article seems to have been taken down from the Oracle site.. I leave this
from an unclosed tab for posterity:

[http://pastebin.com/hU1mg1K9](http://pastebin.com/hU1mg1K9)

------
muhuk
Noticed that obscure death threat in the beginning? I'm not surprised to see
it in a post about licenses.

------
Simulacra
This makes me want to reverse engineer Oracle code immediately.

------
dolfje
Apart from the legal stuff and a lot of egocentric 'we can do it better', she
has one point. There are many companies giving a lot of money for security,
manually scrubbing all exploits that come out, create their own patches. While
some lack the basic security guidelines. I think this money can be better
spent upstream, to create tools so they can test patches for exploits better
and create a faster security update release pipeline, so that all downstream
and customers can rely on the security releases and that it can be released
quicker to everyone. (Controversial: Maybe even adding automatic security
updates to the package itself, like wordpress did, so that customer cannot be
on a release with exploits)

Though saying to your client that they cannot reverse engineer to look for
security problems, is totally not done! What is next? "Exploits will not be
fixed, because the users have signed an agreement that they will not hack?"

~~~
josch
_She_ has that point (Mary Ann).

------
anonu
If you look back at the author's earlier blog posts you'll find similarly-
minded thoughts:
[https://blogs.oracle.com/maryanndavidson/entry/mandated_thir...](https://blogs.oracle.com/maryanndavidson/entry/mandated_third_party_static_analysis)

------
khaki54
Oracle JRE is literally one of the more vulnerable pieces of software
underpinning the web and computing as a whole.

JRE CVEs: [http://www.cvedetails.com/vulnerability-list/vendor_id-93/pr...](http://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19117/Oracle-JRE.html)

It's been 5 years since Oracle took over Java, so they can't claim it was left
over.

Oracle's security record is terrible by all accounts, so how can their CSO
justify anything in this blog post?

ORACLE product list CVEs: [http://www.cvedetails.com/product-list/product_type-/firstch...](http://www.cvedetails.com/product-list/product_type-/firstchar-/vendor_id-93/page-1/products-by-name.html?sha=2a9718c5c6139d3034698d7627abb350713f75e4&order=3&trc=256)

------
nashashmi
What a bully! Reminds me of someone at work, especially with this line: "I do not
need you to analyze the code since we already do that, it’s our job to do
that, we are pretty good at it".

This makes me want to climb the Empire State Building, beat my chest like a
gorilla, and yell "Let me do what I know best!"

------
tux
Mirror: [https://archive.is/iz4H2](https://archive.is/iz4H2)

------
hyperdunc
In the first paragraph the writer insinuates that she'd like to kill people
who drive too close behind her.

Any subsequent valid points she makes - and there aren't many - are undermined
by this bitterness.

Heightened emotion so often enables effective communication, but it doesn't do
any favors in this post.

------
bradleyankrom
No matter how valid her points are, the tone is inexcusable in a public-facing
blog, especially when discussing customer behavior. I recognize the strong
points of Oracle's offerings, but let's not pretend that there is not
competition from other, open software.

------
lwhalen
Some media flack must've clapped eyes on that and had a VERY bad morning. The
post has since been taken down, but here's a copy:
[http://pastebin.com/RQA90EEb](http://pastebin.com/RQA90EEb)

------
sprayk
I'm not sure what the author's argument is here. Is me reversing simply a
nuisance and waste of Oracle's time? Is Oracle trying to obtain security via
contractual obscurity? I see lots of comments here proposing that Oracle is
protecting its IP, but I don't see evidence for that in the article (maybe it's
elsewhere, though).

I wonder if Oracle would send one of those reminders to a customer who
analyzed an attack by an attacker who "broke the license agreement" by
reversing the customer's copy of some Oracle software.

------
kuschku
Did anyone notice that the post contains Microsoft Office Word metadata?

[http://hastebin.com/daxiyaguma.html](http://hastebin.com/daxiyaguma.html)

------
ilaksh
Reason #78,429 to join the I-hate-Oracle-club
[http://forums.thedailywtf.com/forums/17.aspx](http://forums.thedailywtf.com/forums/17.aspx)
[https://what.thedailywtf.com/t/please-stop-poking-holes-in-o...](https://what.thedailywtf.com/t/please-stop-poking-holes-in-our-cardboard-security/50505)

------
golemotron
> A. The customer signed the Oracle license agreement, and the consultant
> hired by the customer is thus bound by the customer’s signed license
> agreement. Otherwise everyone would hire a consultant to say (legal terms
> follow) “Nanny, nanny boo boo, big bad consultant can do X even if the
> customer can’t!”

Really? What if no money changes hands?

------
sada123
That's why everybody sane should avoid using Oracle or Microsoft for the sake
of mental health.

------
baseballmerpeak
404 Error now

[http://webcache.googleusercontent.com/search?q=cache:https:/...](http://webcache.googleusercontent.com/search?q=cache:https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t)

------
alediaferia
The author must have been undergoing some bad moments so far. The post seems
just the outcome of a more complex series of inputs. Most points are not valid
from my own personal point of view but still may have been good points if
written in a more objective way.

BTW, the post is gone.

------
patmcguire
If you read what else she's written, static analysis is kind of her Moby Dick.

------
digi_owl
Oracle seems to be like MS in that their reason for existing is that they came
to be at the right time at the right place, and has pulled every trick in the
book to pull up ladders behind themselves.

------
nosnos
They took it down. Mirror?

~~~
khaki54
Wayback machine:
[https://web.archive.org/web/20150811052336/https://blogs.ora...](https://web.archive.org/web/20150811052336/https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t)

~~~
akshatpradhan
Who's the author?

~~~
khaki54
Chief Security Officer for Oracle, Mary Ann Davidson

------
hharnisch
This appears to have been taken down, I'm directed to a 404 page

------
dgarbvt
Oracle took down the blog post. Link is now returning a 404.

------
joeyespo
Doesn't antivirus software do static analysis?

------
mathiasrw
Love security by obscurity

------
anentropic
Also, she loathes Keynes :(

~~~
tat45
That was her one redeeming statement in that blog post. :)

------
pronoiac
It's been deleted. Here's a mirror:
[https://web.archive.org/web/20150811052336/https://blogs.ora...](https://web.archive.org/web/20150811052336/https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t) - and while it's full of cringeworthy analogies, such as breaking a contract
is _just like_ cheating on your spouse, there's also, well, "logic" that
defies conventional wisdom:

Q. But one of the issues I found was an actual security vulnerability so that
justifies reverse engineering, right?

A. Sigh. At the risk of being repetitive, no, it doesn’t, just like you can’t
break into a house because someone left a window or door unlocked. I’d like to
tell you that we run every tool ever developed against every line of code we
ever wrote, but that’s not true. We do require development teams (on premises,
cloud and internal development organizations) to use security vulnerability-
finding tools, we’ve had a significant uptick in tools usage over the last few
years (our metrics show this) and we do track tools usage as part of Oracle
Software Security Assurance program. We beat up – I mean, “require” –
development teams to use tools because it is very much in our interests (and
customers’ interests) to find and fix problems earlier rather than later.

That said, no tool finds everything. No two tools find everything. We don’t
claim to find everything. That fact still doesn’t justify a customer reverse
engineering our code to attempt to find vulnerabilities, especially when the
key to whether a suspected vulnerability is an actual vulnerability is the
capability to analyze the actual source code, which – frankly – hardly any
third party will be able to do, another reason not to accept random scan
reports that resulted from reverse engineering at face value, as if we needed
one.

Q. Hey, I’ve got an idea, why not do a bug bounty? Pay third parties to find
this stuff!

A. <Bigger sigh.> Bug bounties are the new boy band (nicely alliterative, no?)
Many companies are screaming, fainting, and throwing underwear at security
researchers to find problems in their code and insisting that This Is The
Way, Walk In It: if you are not doing bug bounties, your code isn’t secure.
Ah, well, we find 87% of security vulnerabilities ourselves, security
researchers find about 3% and the rest are found by customers. (Small
digression: I was busting my buttons today when I found out that a well-known
security researcher in a particular area of technology reported a bunch of
alleged security issues to us except – we had already found all of them and we
were already working on or had fixes. Woo hoo!)

I am not dissing bug bounties, just noting that on a strictly economic basis,
why would I throw a lot of money at 3% of the problem (and without learning
lessons from what you find, it really is “whack a code mole”) when I could
spend that money on better prevention like, oh, hiring another employee to do
ethical hacking, who could develop a really good tool we use to automate
finding certain types of issues, and so on. This is one of those “full
immersion baptism” or “sprinkle water over the forehead” issues – we will
allow for different religious traditions and do it OUR way – and others can do
it THEIR way. Pax vobiscum.

------
faragon
Why? Is Oracle "sacred" or something?

~~~
vlunkr
The author did refer to the act of reverse engineering their code as
"sinning". So yes.

------
imadfy
[http://ismaryanndavidsonfiredyet.com/](http://ismaryanndavidsonfiredyet.com/)

------
beedogs
404 now... looks like somebody's gotten word of it...

------
f00644
FOUR OH FOUR, Guess it's over....

------
agounaris
I don't understand why everybody is mad about this post; Oracle has
proprietary software that is bound by a license.

In that sense I don't see why people do not moan about having to pay a rent
because your tenancy contract that you signed says so...

Long story short, it's the right of a (mostly) SOFTWARE company to protect its
software; open source is not always the solution, and reverse engineering
something consumes way more energy than the problems it actually solves.

~~~
jnbiche
> open source is not always the solution and reverse engineering something,
> consumes way more energy for the problems it actually solves.

You think customers are reverse engineering Oracle products _for fun_? They're
doing it because there's a problem somewhere, they've filed a bug report and
not got a satisfactory result, and so they have to go pay an expensive
consultant to try and track down the problem for them with no source code.

Even if none of the other arguments for open source were persuasive, this
situation with Oracle alone would be enough to convince many people of the
wisdom of choosing an open source vendor.

~~~
TeMPOraL
What's wrong with reversing for fun? It's how progress of technology happens.

~~~
jnbiche
I think reversing for fun is great! But it's pretty unlikely that Oracle
customers are doing it for this reason. Instead, I suspect their reversing is
borne of desperation.

