
Oracle’s license agreement as it pertains to reverse engineering - shin_lao
https://web.archive.org/web/20150811052336/https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t
======
sctb
The original post discussed here:
[https://news.ycombinator.com/item?id=10039202](https://news.ycombinator.com/item?id=10039202)

------
zamalek
_Disclaimer: cross-posted from the original post, but the irony is absolutely
beautiful and is a stern lesson to everyone who might think the same way as
Oracle._

[1]> Oracle has told people to stop using @Veracode to test their AppSec. They
already got AppSec covered [picture of JS injection attack in the blog post]

[1]:
[https://twitter.com/thegrugq/status/631056841670135808](https://twitter.com/thegrugq/status/631056841670135808)

~~~
usaphp
As Mary Ann said: "Nanny, nanny boo boo..."

------
werber
I'm pretty surprised Oracle deleted the post, it feels like a great
representation of the company and their values.

~~~
rcarmo
This is why I sometimes wish HN had an ::irony:: tag. :)

~~~
benihana
Only the first part is ironic

~~~
werber
I thought Oracle was out of the - we care about money and nothing else -
closet. Did I miss something?

------
SCHiM
I work at a security company and sometimes reverse engineer systems and/or
code to see if it is vulnerable to a plethora of attacks.

Presumably the only reason a closed source vendor would be against someone
reversing their source is because they're afraid someone will steal their
ideas and/or redistribute their code for free.

That not being my goal I really couldn't care less. I'll just go ahead and
reverse whatever I want whenever I want. I value my security, and that of
clients, over some legal piece of toilet-paper. Everyone who doesn't agree,
should reconsider. Do you truly believe that people should not be allowed to
look at code that is running on their systems for their security's sake? I
will not redistribute what I learnt, but I will analyse it to see if it is
safe.

If you didn't want me looking, you should not have put it out in the open.

~~~
danielweber
> against someone reversing their source is because they're afraid someone
> will steal their ideas

I was once at a startup and another company in Texas released a product with
identical typos as found in our object code.

Selling that software was how I got money to pay rent and buy food to put into
my food-hole, so I'm going to feel a little more sympathy for people who want
to stop others from reverse-engineering their stuff.

~~~
pritambaral
Reverse-engineering for personal inspection, and selling software with stolen
code are two different things. The company in Texas you talk about was doing
the latter.

------
fortytw2
Not that I agree with the sentiments in the article, but am I the only one who
thought this article was reasonably well thought out?

It may have been a bit abrasive, but the points were well made, at least from
the perspective of a closed source, enterprise software vendor.

~~~
panfist
>customers Should Not and Must Not reverse engineer our code. However, if
there is an actual security vulnerability, we will fix it. We may not like how
it was found but we aren’t going to ignore a real problem...We will also not
provide credit in any advisories we might issue. You can’t really expect us to
say “thank you for breaking the license agreement.”

Until I read this, I didn't think it was possible for me to hate Oracle more,
because I'm forced to work with their software and that makes me already hate
them quite a bit.

~~~
valarauca1
The problem is they don't.

It's pretty trivial to break OracleSQL from a security standpoint. If and when
you report a major issue, it'll be fixed in 2-3 years, and only the issue you
outlined.

For example, I submit a bug concerning parsing, utf-8 backslash not working.
Oracle will fix the bug for only that utf-8 code point, and not all other utf-8
points that also cause the bug. It'll also take them 1-2 releases and they may
not back port it.

~~~
chii
wow, how do they fix _only_ one code point!??! that's gonna take more effort
than just properly fixing it no?

~~~
detaro

        switch (c) {
        case BAD_CODEPOINT1:    //bug 30943
        case BAD_CODEPOINT2:    //bug 32821
        /*....*/
        }

    ?

~~~
scrollaway
How did you get your hands on Oracle code? The blog post made it pretty clear
they won't let you read it.

------
pgaddict
I'm really confused why everyone's so upset by the blog post, for a number of
reasons.

Firstly, it's perfectly aligned with the world of proprietary software. Oracle
is probably more protective than the other vendors, because the restricted
access to the source code is at the heart of their business model. But none of
the vendors I'm aware of is very keen on reverse engineering.

Secondly, reverse engineering has been prohibited for ages - it's not that it
was added to the license agreement yesterday. And there are other restrictions
(e.g. on publishing benchmark results), so rather than "Oracle is bad" I'd say
"people who sign/accept license agreements without reading them are morons."

And thirdly, the article is spot-on about the usefulness of the reports generated
from a reverse-engineered binary. I've seen shitloads of such reports, usually
generated by some clueless consultant with the sole competence to run an
automated tool and print the result. So it's probably (at least partially) a
protection against flooding the support with bullshit reports.

And it's also true that many of the companies don't have proper security rules
(like encryption, identity or password management, network security) yet pay
some consultant for reverse engineering one of the components. Because it's
easier to spend a large amount of money than evaluating and rebuilding their
infrastructure.

So while I dislike Oracle, you can't blame them for everything - the customers
are the ones choosing the vendor. If you happily accept their license
agreement, you can't later complain "but we want to do reverse-engineering" no
matter how many MBA titles you have. If you want such freedoms, ditch Oracle
and proprietary vendors in general. That's what open-source is for.

~~~
markbnj
Yeah, I don't think this is really about anyone being surprised by anything
they read in that post. It's more... what's a good analogy... like someone
wrote a long post about the ethics and social conventions of pay phone use ten
years after it became clear there would no longer be any pay phones. It's
partly enjoyment of a spectacle, and partly pity, because it's so painfully
clear how disconnected they are internally from what is actually happening in
the world.

~~~
MyNameIsFred
My team and I write custom solutions for energy companies, car companies,
municipalities, military, and other big enterprises. None of them have given a
full minute's consideration to using OSS. 90% of them use only Oracle for
their data layers. Their market is in no way dead.

------
uptown
This is a deleted blog post by ORACLE's Chief Security Officer.

edit: corrected my error

~~~
smcl
So the original popped up earlier on HN - was it resubmitted because Oracle
have decided to delete it?

~~~
rincebrain
I believe it was resubmitted because Oracle deleted it, and because it was so
mustache-twirlingly out of touch that it could have been from the Hacker News
Onion.

~~~
justthistime_
[...] it was so mustache-twirlingly out of touch that it could have been from
the Hacker News.

FTFY :-P

------
someguy342432
We sold you the car but don't you dare look under the hood, 97% of problems
that these cars come with may one day be solved by us. Someone else may be
trying to build the same car you already purchased from us! Why didn't we
obfuscate access to the engine? Well that would have required some of the same
effort it would have taken to write more secure software err make better cars
in the first place! What do you take us for, competent!

~~~
vonmoltke
I'm just waiting for the day some physical product manufacturer has the
chutzpah to try to apply the "licensed, not sold" paradigm to a tangible
product.

~~~
emodendroket
John Deere is already doing this and nobody really cares.

~~~
vonmoltke
You mean nobody outside of farming. From what I have read, the smaller farmers
who have to deal with that shit certainly care.

~~~
emodendroket
Well, no, not really. I mean, I'm sure some small farmers do care, but they're
a vocal minority in the same way people posting on Hacker News about various
computer-related ills most people are unconcerned about are a vocal minority.

------
jezclaremurugan
Perhaps an apology/clarification would have been better than sheepishly
deleting the entry. They seem to be only digging the hole deeper.

~~~
rcarmo
Let's wait and see if the Streisand Effect takes hold.

~~~
kephra
Let's wait and see if Oracle does a DMCA on Archive.org.

I guess some more people did screenshots, or pdf prints of that page, just for
the case Oracle wants a Streisand Effect.

------
wereHamster
> Oh, and we require customers/consultants to destroy the results of such
> reverse engineering and confirm they have done so.

Are they being serious? "Uhm, yeah, sure, Mr. CSO, I deleted the file. Here,
I'll show you a screenshot of a terminal where I ran the 'rm' command to
delete the results. As you can clearly see, the 'ls' command does not see the
files anymore."

~~~
taejo
Not "prove". "Confirm". If you ask somebody to do something, they might do it,
or they might not, whether out of passive malice or carelessness. _Saying_ you
have done something which you haven't done requires _active_ malice, which is
much less common.

------
mangeletti
What in the world is going on?

Why did this article just disappear off of the front page after receiving 318
up-votes in 2 hours?

How does a post drop from position #1 to somewhere below #150 in less than 1
minute, unless it was deleted by HN moderators, and if that's the case, why
did it happen?

~~~
parasubvert
It means that an HN moderator squashed its appearance on the top list. Why?
They felt it wasn't constructive perhaps, considering the other thread against
the original article is still live.

~~~
mangeletti
Why not squash the other thread, since the link was dead and this one isn't?
This appears to be blatant censoring of something that the majority of HN
participants wanted to read and comment on.

------
dolfje
Disclaimer: cross-posted from the original HN Post, but still relevant.

Apart from the legal stuff and a lot of egocentric 'we can do it better', she
has one point. There are many companies giving a lot of money for security,
manually scrubbing all exploits that come out, creating their own patches. While
some lack the basic security guidelines. I think this money can be better
spent upstream, to create tools so they can test patches for exploits better
and create a faster security update release pipeline, so that all downstream
and customers can rely on the security releases and that it can be released
quicker to everyone. (Controversial: Maybe even adding automatic security
updates to the package itself, like wordpress did, so that customers cannot be
on a release with exploits)

Though saying to your client that they cannot reverse engineer to look for
security problems is totally not done! What is next? "Exploits will not be
fixed, because the users have signed an agreement that they will not hack?"

------
facetube
Honest question: So I'm hired as a consultant. Someone gives me a database
login to an Oracle machine. I haven't been presented with a license agreement
for the Oracle database system, nor have I signed anything indicating I agreed
to give reverse engineering rights away. How am I bound by the Oracle end user
license agreement?

~~~
ajuc
IMHO you are not. People from your company that weren't making you read EULA
and promise to comply with it (in writing) will be responsible for your
behaviour that breaks the EULA.

------
kazinator
Selling machine language code and asking people not to understand it is like
selling books and asking people not to read them.

"This cookbook is to be read by your personal chef only; if you read it and
understand it yourself, you're breaking the book's license agreement."

If you pay for some string of bits, you have a right to look at them. Period.

~~~
tsmarsh
It's more like selling someone a meal in a restaurant, and refusing to let them
see the kitchen. You can, if you are skilled, infer how the ingredients became
your meal, but you won't ever know if it was done in a clean and safe way
unless you can look at the environment where it was created. You could hire an
investigator to figure this out, but there is a good chance that they know
that there is more money in bad news than good. So they take photos of the
dirtiest 'chef' who turns out to be the dishwasher, and show you the pictures
of deliveries from Walmart, but choose not to show you the pictures of the
chef getting up at 4am after finishing at 1am to drive to the fish market to
hand pick the best of the catch.

I understand the risks of eating in places with closed kitchens, but
ultimately they make better food than I can, that requires less of my time. It
may be more expensive for unjustifiable reasons, and maybe I don't want to
know how the black pudding is made, I just want to focus on what is important
to me: making my wife happy.

Do I prefer to eat in restaurants with open kitchens, where the ingredient
list and their source is available on demand? Sure. Am I a zealot about it..?
It depends how hungry I am.

~~~
kazinator
> _It's more like selling someone a meal in a restaurant, and refusing to let
> them see the kitchen._

I don't see it that way.

The kitchen is like a development area. By looking at just the program code
(not source or anything), I'm not stepping into Oracle's engineering labs or
"cubicle land", their kitchen, so to speak. I'm rather doing the equivalent
of cutting into the meat pie on my plate and guessing the ingredients.

If I figure out what is in it and how it was prepared, I'm free to make that
at home, or even serve it to the public in my own restaurant.

"Do not reverse engineer" is like "eat this meat loaf with your eyes closed,
and do not share any hypotheses about what is in it or how it was made with
anyone else".

> _open kitchens, where the ingredient list and their source is available on
> demand?_

That sounds like an analogy to open source, which is a different topic from
license agreements in proprietary software against reverse engineering.

I'm saying that if you sell me some writing, I have a right to read it. Just
because that writing was written for an ARM CPU doesn't mean I'm doing
anything wrong by reading it anyway.

If you don't want people to know how a piece of language is interpreted to
evoke its meaning, then don't sell it. Use it in-house or run it on a server
and have clients connect to it.

------
bkeroack
Oracle appears to be Microsoft circa 1999/2000. Some of us remember when all
the big software companies had this type of attitude.

------
gambiting
" We will also not provide credit in any advisories we might issue. You can’t
really expect us to say “thank you for breaking the license agreement.”"

This is so pretentious I am completely baffled. Are people at Oracle so full
of themselves?

~~~
gwbas1c
The crux of the article is that Oracle is getting so many unsolicited false
positive security threat vulnerabilities that it's a distraction to their core
business. They don't want "I found a hole in Oracle" to be an achievement like
"I have my name on a patent."

Investigating security vulnerabilities takes a lot of time; and it's very easy
to quickly get overwhelmed by false positives. I've seen quite a few analyses
of code that I write; and most of them are warnings with no context or
exploitability.

If every customer expected an engineer to respond to these, my team would
spend all of its time in a "PR role," and wouldn't spend any time improving
our products.

~~~
mynameisvlad
Well, except that, like most enterprise software customers, these customers
pay Oracle huge sums of money in the form of support contracts specifically
_so_ they could have access to an engineering team. I could understand the
argument if this wasn't the case, but a big part of enterprise agreements is
this very thing, so I'm not very sympathetic to the argument that such a
support ticket, which these companies paid a lot of money for, essentially is
treated like a second class citizen because of the way the company decided to
do security testing. If this support agreement weren't in place? Sure. I could
easily see this argument.

------
parasubvert
The bit about loathing Keynes at the end makes for comedy gold.

------
marcosdumay
Life would be a lot better if it wasn't for those annoying clients. Oracle
should just refuse to deliver software to anybody, that'd fix it all.

Anyway, I've never read a better article supporting the use of free software.

------
PaulHoule
It sounds like Oracle doesn't want to have any customers.

------
scyllax
It's funny and scary how it's the opposite of what Free Software stands for.

------
zzleeper
> I was busting my buttons today when I found out that a well-known security
> researcher in a particular area of technology reported a bunch of alleged
> security issues to us except – we had already found all of them and we were
> already working on or had fixes. Woo hoo!

That's like what 5-year-old kids say when their mom asks them something... "Mooom I
was already thinking about it! Hush!"

------
0xdeadbeefbabe
Do they light sparklers and throw rice when you enter into an Oracle license
agreement?

For all Mary's entertaining points, I think likening the license agreement to
marriage is a civil offense.

------
jongraehl
We've just been Oraclesplained.

------
jacknews
Was the post a joke? She kind of resembles The Joker on her bio page:
[http://www.oracle.com/us/corporate/press/executives/016331.h...](http://www.oracle.com/us/corporate/press/executives/016331.htm)

------
dimman
Afternoon laughter, thanks :D

------
tux
Love how fast HN'rs mirror articles ^_^

~~~
fs111
That is the web archive. It has nothing to do with HN.

~~~
asgard1024
Actually it would be quite interesting to read about how the Web Archive
accomplishes things like this. Do they regularly scan news sites for new
articles?

~~~
juliendorra
There is a self-archive tool on archive.org that allows anyone to immediately
archive a specific page of interest. Journalists and watchdogs use it on pages
they feel might disappear. It can be considered more legitimate than a screen
capture, as archive.org is a third party. Someone might have used that here.

------
kagamine
Why put a ton of whitespace between paragraphs if the text is so small and
line spacing so narrow as to make my eyes force-evolve mouths just to let out
a scream?

~~~
frou_dh
[https://news.ycombinator.com/item?id=9238739](https://news.ycombinator.com/item?id=9238739)

~~~
kagamine
Great, but before people submit they should consider whether or not the page
they are submitting is legible. If I handed you a printed manuscript that was
hard to read would you persevere or hand it back to me?

