
Not that I agree with the sentiments in the article, but am I the only one who thought this article was reasonably well thought out?

It may have been a bit abrasive, but the points were well made, at least from the perspective of a closed source, enterprise software vendor.




>customers Should Not and Must Not reverse engineer our code. However, if there is an actual security vulnerability, we will fix it. We may not like how it was found but we aren’t going to ignore a real problem...We will also not provide credit in any advisories we might issue. You can’t really expect us to say “thank you for breaking the license agreement.”

Until I read this, I didn't think it was possible for me to hate Oracle more, because I'm forced to work with their software and that makes me already hate them quite a bit.


The problem is they don't.

It's pretty trivial to break Oracle SQL from a security standpoint. If and when you report a major issue, it'll be fixed in 2-3 years, and only the issue you outlined.

For example, I submit a bug concerning parsing: UTF-8 backslash not working. Oracle will fix the bug for only that UTF-8 code point, and not all other UTF-8 points that also cause the bug. It'll also take them 1-2 releases and they may not backport it.


This is almost certainly because the engineers in charge of fixing the bugs are judged solely on the number of tickets they clear, and they could give a crap about the quality of the product as a whole or about Oracle generally.


This is the reason that FOSS and being able to change the code yourself is so valuable. Nobody has time to wait 2 years for a fix. By the time the patch comes out, it will break all of the workaround code written to fix Oracle's bug in the first place.


> Oracle will fix the bug for only that utf-8 code point, and not all other utf-8 points that also cause the bug

Heh:

> [...] (and without learning lessons from what you find, it really is “whack a code mole”) [...]


wow, how do they fix _only_ one code point!??! that's gonna take more effort than just properly fixing it no?


    switch (c) {
    case BAD_CODEPOINT1:    //bug 30943
    case BAD_CODEPOINT2:    //bug 32821
    /*....*/
    }


?
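To make the distinction between the two comments above concrete, here is an added example (not code from any commenter, and not Oracle's code) that writes out both approaches in C. It assumes, as an interpretation of the reported "UTF-8 backslash" bug, that the problem is a character reaching a parser under an alternate, non-shortest-form encoding; the byte sequences are constructed for the illustration. The first function is the per-ticket blacklist sketched in the switch statement; the second is the class-level fix, a strict RFC 3629 decoder that rejects every overlong form, stray continuation byte, encoded surrogate and out-of-range value at once.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* "One code point per ticket": a blacklist of the specific byte sequences
   reported so far. Only the 2-byte overlong form of '\\' (C1 9C) is listed;
   every other encoding of the same character passes. */
static bool blacklist_rejects(const uint8_t *s, size_t n)
{
    for (size_t i = 0; i + 1 < n; i++) {
        switch (s[i]) {
        case 0xC1:                      /* ticket 1: 2-byte overlong '\\' */
            if (s[i + 1] == 0x9C) return true;
            break;
        /* the next ticket would add the next sequence here ... */
        }
    }
    return false;
}

/* Class-level fix: strict UTF-8 decoding per RFC 3629. Returns the number of
   bytes consumed (1-4) and stores the code point, or returns 0 on any error. */
static size_t utf8_decode_strict(const uint8_t *s, size_t n, uint32_t *cp)
{
    if (n == 0) return 0;
    uint8_t b0 = s[0];
    size_t len;
    uint32_t v, min;                    /* min = smallest value for this length */
    if (b0 < 0x80) { *cp = b0; return 1; }
    if ((b0 & 0xE0) == 0xC0)      { len = 2; v = b0 & 0x1F; min = 0x80; }
    else if ((b0 & 0xF0) == 0xE0) { len = 3; v = b0 & 0x0F; min = 0x800; }
    else if ((b0 & 0xF8) == 0xF0) { len = 4; v = b0 & 0x07; min = 0x10000; }
    else return 0;                      /* stray continuation (80-BF) or F8-FF */
    if (n < len) return 0;              /* truncated sequence */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;   /* not a continuation byte */
        v = (v << 6) | (s[i] & 0x3F);
    }
    if (v < min) return 0;                      /* overlong: non-shortest form */
    if (v >= 0xD800 && v <= 0xDFFF) return 0;   /* encoded UTF-16 surrogate */
    if (v > 0x10FFFF) return 0;                 /* beyond the Unicode range */
    *cp = v;
    return len;
}

/* Reject the buffer if any sequence in it fails strict decoding. */
static bool strict_rejects(const uint8_t *s, size_t n)
{
    size_t i = 0;
    while (i < n) {
        uint32_t cp;
        size_t used = utf8_decode_strict(s + i, n - i, &cp);
        if (used == 0) return true;
        i += used;
    }
    return false;
}

/* Constructed samples (not taken from any real report). */
struct sample { const uint8_t *bytes; size_t len; bool malformed; const char *what; };
static const uint8_t S_ASCII[]  = { 'a', '\\', 'b' };
static const uint8_t S_EACUTE[] = { 0xC3, 0xA9 };              /* valid U+00E9 */
static const uint8_t S_OVER2[]  = { 0xC1, 0x9C };              /* overlong '\\' */
static const uint8_t S_OVER3[]  = { 0xE0, 0x81, 0x9C };        /* overlong '\\' */
static const uint8_t S_OVER4[]  = { 0xF0, 0x80, 0x81, 0x9C };  /* overlong '\\' */
static const uint8_t S_SURR[]   = { 0xED, 0xA0, 0x80 };        /* U+D800 */
static const struct sample SAMPLES[] = {
    { S_ASCII,  sizeof S_ASCII,  false, "plain ASCII backslash" },
    { S_EACUTE, sizeof S_EACUTE, false, "valid 2-byte U+00E9" },
    { S_OVER2,  sizeof S_OVER2,  true,  "2-byte overlong backslash (blacklisted)" },
    { S_OVER3,  sizeof S_OVER3,  true,  "3-byte overlong backslash" },
    { S_OVER4,  sizeof S_OVER4,  true,  "4-byte overlong backslash" },
    { S_SURR,   sizeof S_SURR,   true,  "encoded UTF-16 surrogate" },
};
#define NSAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* Malformed samples the per-ticket blacklist lets through. */
static int blacklist_misses(void)
{
    int misses = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        if (SAMPLES[i].malformed && !blacklist_rejects(SAMPLES[i].bytes, SAMPLES[i].len))
            misses++;
    return misses;
}

/* Strict decoder mistakes: malformed input accepted or valid input rejected. */
static int strict_errors(void)
{
    int errors = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        if (strict_rejects(SAMPLES[i].bytes, SAMPLES[i].len) != SAMPLES[i].malformed)
            errors++;
    return errors;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("%-42s blacklist:%s strict:%s\n", SAMPLES[i].what,
               blacklist_rejects(SAMPLES[i].bytes, SAMPLES[i].len) ? "reject" : "accept",
               strict_rejects(SAMPLES[i].bytes, SAMPLES[i].len) ? "reject" : "accept");
    printf("blacklist misses: %d, strict errors: %d\n", blacklist_misses(), strict_errors());
    return 0;
}
```

The blacklist catches exactly the sequence from the original ticket and nothing else; the strict decoder rejects every overlong form of the same character without ever having heard of backslash, because it checks the property (shortest-form encoding) rather than the instance.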


How did you get your hands on Oracle code? The blog post made it pretty clear they won't let you read it.


If you're forced to use their software, and you disagree with their strong closed-source stance, you should share your views with whoever is doing the "forcing" (your employer?). If they don't listen, it's on them.

Oracle has a very specific, clear opinion on the matter and it is valid to have that opinion. I don't agree with them, but I respect that we're allowed to disagree. Instead of hating them, I just don't use any of their stuff if I can help it (except Java).

There's no need to be filled with hate over it. Change what you can change and don't worry about the rest.


It's not that simple I don't think.

How much of my private information, as kept by government or private organizations, is stored in Oracle databases that are less secure because of their boneheaded stance on this?

People have all sorts of reasons for choosing Oracle solutions. I am not in a position to influence all those people, even when their choices affect me directly.


Oh yes, I agree. That is why I think it makes sense to tell everyone you can about the issue. However, there is only so much anyone can do about it, and technically it isn't Oracle's fault that people won't listen, only the bugs/vulnerabilities in their products.

A crude example: Imagine you're a janitor. Your company only supplies you with buckets from Leaky Bucket, Inc. Their buckets always leak, creating more messes that you have to clean up. Sure, Leaky Bucket, Inc. needs to fix their bucket processes, but I'd be more angry at the company for continuing to use buckets from a shoddy manufacturer.


I think it's perfectly reasonable to be plenty angry at Leaky Bucket, Inc for forbidding end users from patching their buckets.


Why should you be angry? They are just being stupid. Being stupid is something humans do naturally. Choosing to rely on someone who is verifiably stupid (in your opinion) is significantly worse, I think, than the original stupidity.

edit: And by the way, the very first time you are forbidden from patching a bucket you could patch yourself should be the red flag that tells you to use different buckets. Move on to better things and encourage others to do so too.


I can understand the argument that I shouldn't be upset with my cat because he claws my feet under a blanket; it's his natural instinct.

I can't understand the argument that I shouldn't be upset with a human being because they're stupid, and make stupid decisions. Humans are capable of introspection, education, and change.

I don't think it's unreasonable to expect more of my fellow humans than of my cat.

But I guess I won't be mad at you.


It is totally fine to be frustrated by humans being stupid, but some humans really do have less cognitive ability than others. In at least some of those cases it isn't necessarily their fault.

So, I'm just making the point that frustration makes sense, but hate probably doesn't. They certainly aren't intending to be stupid, but it is frustrating that we can't show them the error of their reasoning sometimes.


Refusal to introspect is not a lack of cognitive ability, it is a choice that is appropriate to shame.


Legacy systems...

That being said, as a (forced) Oracle customer I have been and will continue to do everything in my power to migrate off of Oracle's eco-system. This ridiculously offensive post by their CSO is just more motivation.


I think that is a very reasonable course of action, and that is my point. Rather than complain about the no-reverse-engineering thing, you really should just move everything you can off of Oracle systems if you disagree with them on this.


The software is the good part of Oracle. You figure out the rest.


"Stop using overzealous static analysis tools" is a fine point.

"Reverse engineering kills babies^Wmarriages and the contract says not to look closely at the software you paid for so you're a bad person" is a terrible point.


Sure, but what else could they say publicly? Of course the most reasonable thing would be not to say anything at all and work together with the credible sources and provide something better than a threatening legal letter.

Let's just hope the black hat hackers read this and comply so we can continue to have "safe" Oracle software.


Since Oracle has made it clear that they do not want to collaborate with third parties on their code, the most reasonable responses would be either 1) trust them and follow their agreement or 2) don't trust them and use a different solution (probably something open source or based on open source).


I thought using Oracle anything was like a doctor prescribing an expensive new drug instead of the trusted, tested and generic version for a free game of golf and lunch for the office.


I really only have experience with the RDBMS product but I'd say it's more like the doctor prescribing an expensive but highly effective drug for which there is no generic that is quite as good.

Oracle's database is very good. If you really need it, there is no substitute. But that said, kind of like an F1 race car, you probably don't need it (unless you own an F1 race team).


> If you really need it, there is no substitute.

It is worth checking if this is the case.

e.g. at my workplace, we're going through an Oracle->Postgres migration and it's WONDERFUL. Everything is much better now. Just from being able to have a clustered PG pair per app instead of a centralised expensive monster box.

Oracle's database is very good indeed: it takes data in, it gives it back, it does so very efficiently. But everything else about it is enough reason to look elsewhere.


> the points were well made, at least from the perspective of a closed source, enterprise software vendor

I understand the sarcasm, on the other hand it really confuses me that those points are mostly what makes closed-source unattractive and exactly what a closed source, enterprise software vendor would not want to discuss openly. At least that's what I thought before reading the article. I find it more likely that the blog was (maybe still is) compromised.


>I find it more likely that the blog was (maybe still is) compromised.

That would be my thought too if it were someone else, but it's Oracle so it's most likely real.


