
> Oh, and we require customers/consultants to destroy the results of such reverse engineering and confirm they have done so.

Are they being serious? "Uhm, yeah, sure, Mr. CSO, I deleted the file. Here, I'll show you a screenshot of a terminal where I ran the 'rm' command to delete the results. As you can clearly see, the 'ls' command does not see the files anymore."




Not "prove". "Confirm". If you ask somebody to do something, they might do it, or they might not, whether out of passive malice or carelessness. Saying you have done something which you haven't done requires active malice, which is much less common.


If it's a legal requirement, they can just sue you for breach of contract whenever they eventually find out that you didn't delete it.


Many large organizations log shell commands for audits. Those logs can be stored offsite by a third party to prevent alteration. See, for instance, the Goldman Sachs programmer arrested for stealing code. If the consulting group is professional, it will take these things seriously.


That's pretty much the level of advice in the blog.

Astounding the author considers themselves a security professional.

Nice rant about Keynes at the end as well. I always find ranting about Keynes is an excellent way to keep hackers out.

I wonder how many customers Oracle is going to lose because of that piece?



