I don't really see how a lot of the responses here match with the original blog post. People seem to be airing a lot of long-standing grievances about Oracle rather than responding to the specific post on its own. Viewed on its own, the post can basically be summarized as "Please stop treating our products like they are open source. They're not, and it is against the license agreement to reverse engineer our stuff to find the source code."
A lot of people think open source software is a much better methodology than proprietary, highly-protected source code. That's fine, there are a lot of good arguments there. However, it doesn't make sense to throw a bunch of other, barely related insults at a company when really, all you're upset about is that their code is not open source. Criticize that...that is what you're upset about (at least so far as this specific blog post is concerned)
I don't think it's the lack of open-source code that is causing the grievances but rather the tone of the blog post and the overall theme of "Our IP is more important then your security concerns, no we don't care if you are a core bank".
Microsoft, SAP, VMware all have closed source software that is very prevalent in enterprise, often in entrenched positions just like Oracle. Sure they aren't exactly all peaches either but atleast they have a decent way of responding to security problems or plain bugs.
They also don't wield their license agreement as a weapon against their customers, they only use it to make sure they get paid.
The blog post doesn't make me think of license-agreements-as-a-weapon. Oracle's position is probably the strictest I've seen anyone be in favor of software IP protection. They are not adversarial, they are supremely protectionist (presumably because they think their software is so great that other people want to copy it). That protection (possibly over-protection) is the core of the disagreement, and the source of the article's tone and inherent frustration on both sides.
Oracle thinks it is self-evident that protection of their source code is paramount (i.e. as closed source as possible), other people disagree both with their priorities and the very idea of absolutely forbidding any deep analysis of any kind outside of Oracle itself. It still seems like a debate about the degree to which the source code is "closed." For Oracle, it is absolutely closed, while many of their competitors are more lenient (i.e. slightly less "closed".)
To be clear, I think Oracle is being silly with their over-sanitized and idealistic views regarding their intellectual property. The other companies you mentioned (Microsoft et al) have much more reasonable approaches and agreements.
> Our IP is more important then your security concerns, no we don't care if you are a core bank
But that isn't what it says, at all. It even explicitly says that if you do find a security flaw this way they will still fix it.
But the main point is that you can't do anything by reverse engineering the source code that they aren't already doing, and doing better than you because they have the actual source code.
What was most astonishing to me about the post was the tone, which I found extremely condescending and unprofessional. The content was more or less par for the course, though I of course disagree (as do most tech folk).
That's a fair point, but it is a blog post, which implies that the tone will be more personal and informal. The author stated a few times that these were her personal views. I took it more as frustrated rather than condescending. I don't agree with what she said, but I recognize that the disagreement stems from one fundamental thing: open source vs. closed source.
> be summarized as "Please stop treating our products like they are open source. They're not, and it is against the license agreement to reverse engineer our stuff to find the source code."
and it's not helpful because of the near 100% false positive rate.
No, it got nothing to do with open source. Reverse engineering and pen testing the binary, closed source software is a standard practice and in many countries it is illegal not to allow doing it.
Reverse engineering software is completely different from penetration testing, and it is the reverse engineering bit that Oracle has an issue with. They mostly just don't want anyone/everyone trying to recreate their source code because of copyright/intellectual property concerns (note: I do not agree with those, but that is Oracle's stance).
It doesn't make sense for it to be illegal to forbid reverse engineering in a license agreement, where is that the case? If that is the legal environment anywhere, it would make more sense to just forbid closed source software. It would save a ton of time and effort and achieve the same goal.
And by the way, it has everything to do with open source. If the code was open, you wouldn't need to reverse engineer it. Every security analyst could just review the code directly and search for vulnerabilities. The whole disagreement stems from Oracle (and the author) deciding that they want protected, closed source because they view it as intellectual property, while some of their customers feel they can't depend on that software unless they verify it themselves. Well...you can't fully verify closed source software yourself.
It is really a very simple and fundamental disagreement on this one topic that creates the whole issue. It is completely valid to disagree with Oracle on this, and to tell Oracle you disagree with them. However, rather than violating their agreement, it would make more sense to decide to use an open source solution instead.
> Reverse engineering software is completely different from penetration testing
How is it so? You cannot find funny vulnerabilities without reverse engineering the binaries.
> It doesn't make sense for it to be illegal to forbid reverse engineering in a license agreement, where is that the case?
France, Switzerland, Russia and many more.
> it would make more sense to just forbid closed source software
How did you make this leap from reverse engineering to closed vs. open source?
> If the code was open, you wouldn't need to reverse engineer it.
Even with the full source available you still have to analyse (read: reverse-engineer) the binaries, especially those widely shipped.
> rather than violating their agreement
Their agreement is void in many countries where reverse engineering is explicitly allowed (when done for the reasons of security and interoperability).
I think there may be a language barrier here. So, this should clear it up:
The only definition of "reverse engineering software" that I use is this -- "Using tools and deep binary analysis to take a compiled binary, and convert it back to source code as close to the original as possible".
It is a very specific definition. I do not mean general "analysis" or vulnerability testing or input manipulation, etc... only attempting to discover source code.
> The only definition of "reverse engineering software" that I use
Uhm, no, that's far too narrow. Reverse engineering is any kind of introspection into a device in question, designed for obtaining any degree of understanding of its inner functioning.
What you're talking about is called "decompilation", and it's not even among the most useful reverse engineering techniques.
People have different understandings of words, so I'm not claiming there is one, universal meaning of "software reverse engineering." However, here is the definition some researchers came up with: "Reverse engineering is the process of analyzing a subject system to create representations of the system at a higher level of abstraction. It can also be seen as "going backwards through the development cycle." (from https://en.wikipedia.org/wiki/Reverse_engineering#Reverse_en... , original publication: http://win.ua.ac.be/~lore/Research/Chikofsky1990-Taxonomy.pd... )
edit: I just wanted to explain to you which definition I was using earlier, so that you could understand what I meant better.
That quote is quite different from the definition you're using.
Your definition is not what anyone else uses, from what I've seen. You don't have to use the same definition, of course, but be aware that unless you clarify what you mean, you're going to be creating a ton of confusion.
I don't see how it is different. A "higher level of abstraction" means progressively higher-level versions of source code. Binary->machine/assembly code->C++ code for example. Each step involves reverse engineering. Simply disassembling/decompiling a binary is not really sufficient to be considered "reverse engineered". Someone needs to analyze the output of these tools to create reverse-engineered output which is ready to be modified/extended/investigated.
It does not really matter how we are interpreting the term "reverse engineering". What matters is how it was used in the OP article, in the EULAs and the national laws. In the article it was clearly applied to a binary analysis part of pen testing efforts by the Oracle customers, so this is what we should be discussing here.
I disagree. The author implies several times that the main issue, and the reason for the ban on reverse engineering in the agreement, is protection of intellectual property (source code). People may do other types of vulnerability testing, but the piece that Oracle is concerned about is trying to discover their source code (for example, by using static analysis tools...which analyze some version of source code).
I would consider that "some version of the source code".
However, this is one of the reasons I disagree with Oracle on the matter. There are tools which actually can and do find issues at this low level (even if there are false positives), and running those tools can be part of many reasonable verification efforts. I think static analysis at the bytecode or assembly code level still counts as analyzing the source code, but I think it makes sense to do that in many scenarios.
> The only definition of "reverse engineering software" that I use is this
That's the definition of decompiling not reverse engineering. The original IBM BIOS was reverse engineered by two teams: one which read the disassembled binary and wrote a written specification and a second team that took that specification and wrote code.
What you just described agrees with my definition. The ultimate goal of both teams was to end up with usable source code that is likely to be close or identical to the original used to create the binary. There is a slight difference in the IBM BIOS project in that, I think the goal was to create code which could not be claimed to infringe on the patents/copyrights of IBM. That last bit is an extension of reverse engineering, i.e. they reverse-engineered the binary (which took both decompilation and analysis) in order to create code which matched the same specification and wasn't outright "copied".
See the previous reply I made for links to discussion of what is usually meant by (software) "reverse engineering." But, like I said before, there probably is no "universally correct" definition, I am only describing it so that my previous comments can be understood fully.
You are right, that does agree with your definition. But, in my opinion, the reverse engineering was done only by the first team. They took the binary and constructed an understanding of the code. The second team just did basic software engineering from a spec. Your definition requires both teams and that's where your definition is too narrow.
Under EU law it is illegal to forbid someone to convert a binary back into source code.
Even further, if I buy a software, and it does not run on my system, I can turn it back into source, modify it, recompile it, and use it as much as I want.
If the original company tries to prevent me from doing this, they commit a crime that can be punished with multiple months of jail for their CEO or 10% of their profit as long as they have that practice.
This isn't entirely accurate. There are restrictions on the legality of decompilation in Europe. The main one being that "...decompilation must be necessary to achieve interoperability with the target program or other programs. Interoperability information should therefore not be readily available, such as through manuals or API documentation."
So, decompilation in order to check for security vulnerabilities or to modify the function of the software for non-interoperability reasons do not appear to be covered.
> if I buy a software, and it does not run on my system,
This would be one example case. As I posted in my comment.
Integration can also just mean for future possible integration – for example, if someone writes a tool that can read a file format, I may decompile it to implement a tool to read the same file format.
A lot of people think open source software is a much better methodology than proprietary, highly-protected source code. That's fine, there are a lot of good arguments there. However, it doesn't make sense to throw a bunch of other, barely related insults at a company when really, all you're upset about is that their code is not open source. Criticize that...that is what you're upset about (at least so far as this specific blog post is concerned)