Oracle Exec: Stop Sending Vulnerability Reports
florin writes: Oracle chief security officer Mary Ann Davidson published a most curious rant on the company's corporate blog yesterday, addressing and reprimanding some pesky customers that just will not stop bothering her. As Mary put it: "Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it." She goes on to describe how the company deals with such shameful activities, namely that "We send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer's behalf — reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already."
Later on, in a section intended to highlight how great a job Oracle itself was doing at finding vulnerabilities, the CSO accidentally revealed that customers are in fact contributing a rather significant 1 out of every 10 vulnerabilities: "Ah, well, we find 87 percent of security vulnerabilities ourselves, security researchers find about 3 percent and the rest are found by customers." Unsurprisingly, this revealing insight into the company's regard for its customers was removed later. But not before being saved for posterity.
We and the blackhat hacker network can find our own vulnerabilities. We will protect you on our own schedule. If you are stabbed, control the bleeding as best you can; if you are shot, try to walk it off.
Support my political activism on Patreon.
I did not realise that this was available for free use to Oracle executives to help them reduce the stress induced by pesky customers who are trying to obtain a good service.
As it's been taken down: http://www.scribd.com/doc/2741...
"Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
The masses are so much more compliant when you convince them that crime is a sin.
Fuck you, Oracle.
Problem solved.
Buck Feta. You know what to do.
It's interesting that Mary Ann Davidson was an accountant and then became the CSO at Oracle.
Mod me down, my New Earth Global Warmingist friends!
Not to defend the Devil but:
She basically acknowledges their product is highly bugged.
She says they prefer to deal with it internally and are doing quite well. (fair)
Given the base Flash code was not their own in the first place, and given their very uncomfortable posture:
I'd say she is doing pretty well as an Executive. Not the brightest possible communication but still decent.
No need to beat a dead horse. It will not go any faster.
Léa Gris
Aside from Java (which has its own issues), Oracle's products are imo craptastic. Horrid UIs, constantly crashing, slow, design decisions that make no sense, not modernizing, barely follow modern standards if at all, insanely overpriced (the least of the problems).
There. Fixed that for you.
Where are we going and why are we in a handbasket?
ORACLE is in the news they confirm yet again that quitting was the single best career decision I ever made.
The greatest thing about being an ex-oracle engineer is not working for Oracle anymore. I very much doubt anybody who has ever resigned from Oracle regrets it.
Worst company I've ever had the misery to work for.
Unicode killed the ASCII-art *
I would have thought they would be abusing the DMCA. Is Oracle too good for DRM?
And if I can read the target machine code without disassembling it, what then?
And the irony is ...
https://twitter.com/addelindh/status/631040188010131456
It just shows that Oracle is really more bark than bite. They *WARN* the researchers that they may take legal action.... but they never do. It's probably just as well anyway. Oracle probably has more lawyers than engineers now.
Oracle has been reportedly working hard in Washington trying to make security research illegal.
Of course, malicious hackers will always be finding exploits, and using them.
"First they came for the slanderers and I said nothing."
If I find myself in the position to report a flaw in Oracle products, do so through a responsible disclosure site (e.g. cert.org) and request anonymity.
You are all cows. Cows say moo. MOOOOOO! MOOOOOOOOO! Moo cows MOOOOOOO! Moo say the cows. YOU COWS!!
CEO (on phone): Hey, I want to promote Mary Ann Davidson for her years of excellent service in our accounting department. We're going to make her CFO!
HR Director: Wow, you're making Mary Ann CSO?
CEO: Yes, CFO! Congratulate her for me.
HR Director: Are you sure, sir? I mean... Mary Ann... CSO?
CEO: Yes, of course! She'll make a great CFO!
HR Director: Do you think she's qualified to be CSO?
CEO: What do you mean? Of course she's more than qualified to be CFO!
HR Director: Wait, you're saying CSO, right?
CEO: Yeah, CFO!
HR Director: CSO?
CEO: CFO.
HR Director: CSO?
CEO: CFO!
HR Director: Okay, I think we're on the same page here.
I know many security professionals may be alarmed at this practice but I can assure you other examples exist where this tactic proves effective. For example, by ignoring or forbidding climate change discussion we actually prevent it from ever happening (clapping your hands helps too). Prior to abstinence-only education, teenage pregnancy was ridiculously prevalent in the US. Now that most sex-education courses in America are unstandardized and avoid covering things like condoms, birth control, even simple intercourse, kids are a model of puritanical living.
I'm also told that the nuanced and layered complexity of immigration reform and homeless war veterans can be tackled by a large wall, and simply not looking at homeless people.
Good people go to bed earlier.
While the tone of the piece is more than a little condescending, there's an actual issue here, and she's not wrong about it.
Most customers would only reach out to a vendor with a bug report when they've actually found a real problem. Those bug reports are always welcome by any reputable vendor. They might be performance, or integrity bugs, or security bugs. Real bugs are good. They're welcome.
However, there's a second category of people (and she's right that bug bounty programs have somewhat encouraged them) that are the security equivalent of script kiddies - they downloaded a "sploits!" kit off the internet (in this case, often a combination of a decompiler and static analyzer). They don't really understand how the kit works or what it does, but ZOMG I ran it against your code and it found issues! Your software is insecure! See? It says so right here! Now pay me something for all my hard work! I may not understand exactly what it's telling me, but it's telling me you have a bug! This group of people adds very little in the way of new bug discovery (again, most of their output really is known or false positive).
That second category of people (especially the ones who demand to be welcomed as liberating heroes) can in many cases get annoying. Because vendors really do run these kits against their code, so most of the time anything that isn't a false positive is a known issue. The back and forth with the customer really can sap time and energy (especially for customers who get strident and demand a "patch" right away or they'll go to the press and tell everyone how bad your code is).
I don't really blame someone who works in security for feeling frustrated that this small subgroup of customers continues to flood inboxes with "bug reports" that often they themselves don't understand, and which are often not useful.
That said, this is an absolutely idiotic tone to take in a blog post directed at your customers. The problem can certainly be expressed in a way that doesn't sound childish, or scolding. This is a seriously dumb way for a company to semi-officially communicate with its customers.
Disclaimer: I do not and have never worked for Oracle. I don't even particularly like Oracle after the SSO suit against Google.
Mary Ann Davidson Blog
No, You Really Can't
By User701213-Oracle on Aug 10, 2015
I have been doing a lot of writing recently. Some of my writing has been with my sister, with whom I write murder mysteries using the nom-de-plume Maddi Davidson. Recently, we've been working on short stories, developing a lot of fun new ideas for dispatching people (literarily speaking, though I think about practical applications occasionally when someone tailgates me).
Writing mysteries is a lot more fun than the other type of writing I've been doing. Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. This is why I've been writing a lot of letters to customers that start with "hi, howzit, aloha" but end with "please comply with your license agreement and stop reverse engineering our code, already."
I can understand that in a world where it seems almost every day someone else had a data breach and lost umpteen gazillion records to unnamed intruders who may have been working at the behest of a hostile nation-state, people want to go the extra mile to secure their systems. That said, you would think that before gearing up to run that extra mile, customers would already have ensured they've identified their critical systems, encrypted sensitive data, applied all relevant patches, be on a supported product release, use tools to ensure configurations are locked down - in short, the usual security hygiene - before they attempt to find zero day vulnerabilities in the products they are using. And in fact, there are a lot of data breaches that would be prevented by doing all that stuff, as unsexy as it is, instead of hyperventilating that the Big Bad Advanced Persistent Threat using a zero-day is out to get me! Whether you are running your own IT show or a cloud provider is running it for you, there are a host of good security practices that are well worth doing.
Even if you want to have reasonable certainty that suppliers take reasonable care in how they build their products - and there is so much more to assurance than running a scanning tool - there are a lot of things a customer can do like, gosh, actually talking to suppliers about their assurance programs or checking certifications for products for which there are Good Housekeeping seals for (or "good code" seals) like Common Criteria certifications or FIPS-140 certifications. Most vendors - at least, most of the large-ish ones I know - have fairly robust assurance programs now (we know this because we all compare notes at conferences). That's all well and good, is appropriate customer due diligence and stops well short of "hey, I think I will do the vendor's job for him/her/it and look for problems in source code myself," even though:
A customer can't analyze the code to see whether there is a control that prevents the attack the scanning tool is screaming about (which is most likely a false positive)
A customer can't produce a patch for the problem - only the vendor can do that
A customer is almost certainly violating the license agreement by using a tool that does static analysis (which operates against source code)
I should state at the outset that in some cases I think the customers doing reverse engineering are not always aware of what is happening because the actual work is being done by a consultant, who runs a tool that reverse engineers the code, gets a big fat printout, drops it on the customer, who then sends it to us. Now, I should note that we don't just accept scan reports as "proof that there is a there, there," in part because whether you are talking static or dynamic analysis, a scan report is not proof of an actual vulnerability. Often, they are not much more than a pile of steaming ... FUD. (That is what
In my own humble experience...
Oracle software installation: 15 minutes to 2 hours
Activating Oracle license management: 2 days to 2 weeks
Can we submit the license manager as a total overall bug?
In Oracle's defense, if you're still using their cash cow database it's fair to say that it will do more financial damage to your company than most hackers could ever do.
I imagine how the conversation with their CSO went down before they removed the post.
Probably something along the lines of "Did you seriously just tell our customer to fuck off?"
I'm surprised Oracle is still a thing.
Not sending reports to Oracle is a good idea: use open source alternatives and submit the reports there.
That is among the worst C-level communication I've ever read from a large corporation. Is "CSO" not a real C-level executive position with staff that edits (or just writes) their execs' communication? Whether or not she's a good security exec, she is a truly horrific corporate communicator.
Did you just say ... cow?
If it weren't for deadlines, nothing would be late.
She might have a point that there's no need for customers to do static code analysis or reverse engineering to look for vulnerabilities *if* the black hat hackers weren't able to do so with impunity since they have no moral qualms about violating license agreements.
I can believe that she's tired of vetting customer reported security bugs, especially when they are dupes of known bugs that Oracle is working on, but a bug is a bug and if they don't want to expose their bug tracker to customers to let them see what's being worked on, then they'll have to deal with duplicate reports. It's part of being a major software vendor.
Seriously, I have never been impressed by any DB other than PostgreSQL. At work, we recently started migrating our app to Oracle from another big name DB. I was truly floored at how crappy the Oracle installer was. Totally 1995 feeling. Oh, and the install itself took our ops team 3 weeks to do. They constantly kept screwing it up and having to start over again.
I'd love to, but Python is kind of slow. Has some implementation of the Python language recently become remotely comparable to Oracle HotSpot JVM in execution speed of equivalent programs? If so, which?
the fact that the interface to store, retrieve, update data is SQL doesn't make MariaDB a database...
Oracle has sued the company that I work for, because of licensing disagreements. We have HUGE accounts. They are not good to their customers.
If I remember correctly, reverse-engineering to fix bugs that prevent software from working as intended and to secure systems is always legal in Europe, no matter what the contract says. But it is nice that Oracle confirmed that they do not care about their customers at all except as cash-cows. Not that this is a surprise to anybody.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
She was probably getting too many emails from Bennet. I would have tried to make him stop as well.
Would the CSO be happier if, instead of reporting the vulns, the customers published exploits for the vulns they found?
How cute that they think they can prevent people from finding flaws in their product with a licensing agreement. Why didn't I think of securing our network via legal agreements? The Bad Guys would never dream of doing something I told them not to do.
... and I'll say it again... Oracle is in trouble. They charge too much for their products, they treat customers badly, and now apparently they are admitting that they think they can plug security holes with legal crap.
If that worked you could dispense with bank vaults, put the millions of dollars in gold bars in a box on someone's desk... and then just put a sticker on it that said "don't steal me."
Why do we go to the trouble of having steel plated concrete reinforced walls? Why are we putting 2~3 foot bank vault doors on with timed locks? Why do we have redundant security alarms where the two alarms talk to each other and either one goes dark the other flips out? Why are we staffing the place with men carrying guns that are trained to shoot people?
Apparently all we need is a sticker that says "don't steal me."
The juxtaposition of being told endlessly that we don't have enough women in tech... and then reading dumb comments from this woman... kids, if you're the security officer of Oracle then you had better be an iron for blood security MONSTER. And this chick... comical.
Customers are doing her job for her? Finding bugs in her software? For free? And she complains? Fired. Get the fuck out of the building. We'll have security clean your desk out and UPS your crap to your mailing address.
Good fucking day, sir.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
So, she's saying no heads up on zero-day vulnerabilities?
Let's hope everyone hears that loud and clear.
There are two types of people in the world: Those who crave closure
Oracle to customer base: we don't give a f**k about your security concerns.
'I think my response was, ‘What idiot dreamed this up?’ " — Mary Ann Davidson, Oracle’s chief security officer, in typically blunt manner, remembering her reaction to the company’s scheme to brand its databases as "unbreakable."'
'we need to build on a solid infrastructure platform, take an engineering approach - build secure software'
If Oracle does not like being informed up front through the kindness of our hearts, the alternative is to develop an exploit and release it to the Internet.
Wow, it really does read like a drunk post.
Or: "Our code is shitty but our contract precludes you pointing that fact out publicly."
*groan* Okay, I guess we'll just put up with the shittiness and keep buying your stuff. Sorry. How much money would you like?
At this point I think we can safely say Oracle is a de facto monopoly. Nothing but a monopoly could get away with selling stuff on the premise that you don't complain about it being bad. They're also demonstrating contempt for their customers and basically stating that they will make no effort to improve their product.
"So just buy our shit and shaddap. Okay?"
That actually sounds pretty sensible. It seems like much of her frustration is from people blindly running static analysis tools on their code, finding false-positive vulns, and wasting Oracle's time and making it more difficult to identify legitimate security vulnerabilities.
Much more reasonable than the summary made it out to be, thanks.
Basically, it boils down to this:
If you stop looking for security vulnerabilities, they will not be found, hence they do not exist!
By that approach:
-Stop crash testing cars, the car designs are perfect!
-Stop testing for drug interactions, they don't exist!
-Stop testing for Cancer, if we don't look, it doesn't exist!
I'm OK with this, under a few caveats:
-Stop checking license compliance, it is compliant!
-Stop checking payment compliance, it is compliant!
-Stop checking license agreement compliance, we are compliant!
-Stop checking for competition, there is none!
Errm, is simply looking at the Oracle binaries and observing their vulnerabilities considered reverse engineering? I thought that term was to do with creating work-alikes.
Oh, Oracle doesn't want them? I'm sure that there are lots of "businesses" like Hacking Team (and a bunch of other names that came up in the HBGary case) that are willing to pay top dollar for interesting exploits.
When the copyright term is "forever minus a day", live every day like it's the last.
So (un)reliable they won't even let you look for bugs...
John_Chalisque
What is really interesting is the blog post she posted in 2012, titled 'Put up or shut up' (https://blogs.oracle.com/maryanndavidson/entry/put_up_or_shut_up) about information sharing!
Oracle is run by people who alienate best office developers working for free, waste a technology like Java down to bundling crap toolbars and now seriously blogging like this.
We got used to it but these guys are seriously number 2 or 3 software company on the planet. There isn't any alternative to their software and there is no escape. One way or another, you are in some Oracle database.
Someone commented and/or tweeted that having no sympathy for her stance means that you've never been handed a 400 page Nessus report and been told to "Fix it all." So, yeah, I have some sympathy from that angle. However, one can't deny the value of outside research and analysis when she writes herself that 10% of the vulnerabilities found come from either the customer base or researchers.
END OF LINE.
So, she's saying no heads up on zero-day vulnerabilities?
Let's hope everyone hears that loud and clear.
Every single company deserves a chance to be notified about zero day bugs in order to release a patch.
So how much liability does her company pay when a fully up to date system all secure as she assures is the case?
Please correct me if I'm wrong.... that would be zero.
The leasing model that has become the norm is not a good thing.
What exactly can be owned? I believe there was a good debate about land ownership and freedom in the federalist papers. I see now one side was incredibly right and the other precisely wrong.
Due to Mary Ann Davidson's statements I'll post this here.
If you manage to get a Solaris clock set before 1970 the loader doesn't work. It means that anything running will keep running but you can't start any new programs (including init and shutdown). Talk about a great way to keep a sysadm out of a system.
There is also no way to wipe sensitive data from ZFS file systems. You need an option to say "this pool overwrites blocks" so that scrubbing works correctly. The reasons for this will come to light when the flaw in your ZFS encryption hits the press. Maybe you can put this in Solaris 11.3 since that is still in beta.
Thanks for taking security seriously.
-tim
While there are some experimental techniques to deal with binaries, mature auditing tools exist only at source level (TFA specifically mentions reverse engineering, ie no source code).
It's probably more about mundane DoS bugs. Overeager pentesters find a trivial DoS bug and blow it out of proportion (get paid only if you find something), the customer is unable to assess severity and then bugs Oracle with trivial low severity bugs which can be solved by proper compartmentalization of systems.
If you need a large scale database, MariaDB is not a reasonable choice. Look into PostgreSQL. MariaDB is a near clone of MySQL, and not a large scale database.
(I don't guarantee that PostgreSQL would suit your needs, but it has a much better chance.)
OTOH, if you're using Oracle because that's what your CSO knew, then MariaDB might well suit you.
I think we've pushed this "anyone can grow up to be president" thing too far.
No. I think it's quite fair in this case to publish zero days for Oracle products directly on the internet, without telling them at all. If they're so smart, they already know about it and must have decided not to fix it already. Fair is fair.
Mary Ann Davidson's post shows that she does not know about how the computer security world works. She really is a Chief InSecurity Officer.
She's not happy about the true positives either - don't look at our stuff if it bugs out is the message she is sending here.
If the vendors I buy stupidly expensive stuff from started acting that way I would inform them where they could put their lawyers and go looking for another vendor. I've had to reverse engineer some buggy commercial software on several occasions to find workarounds so that users can get stuff done, and have informed the vendor, who then informed their other customers (known problems list), fixed it or both.
They need to know enough about a topic to be able to know what questions to ask their experts otherwise they are not fit to be anything other than an administrative assistant to someone who does. Not having enough background leads to stupid and expensive mistakes.
One in a company I worked for, who "knew about management", was put in charge of a non-destructive testing division. He failed to consider that industrial radiography requires clearing people from the immediate area so on busy work sites it is typically done at night, or at least at times when a clear area can be scheduled. He cost tens of thousands of dollars on a single quote due to that and refused ongoing work, losing customers with decades on the books, just because a lack of any background in the field resulted in scheduling errors. He could have asked for help but that "only need to know about management" thing can also mean a desire not to show weakness. The company was too small to support his long list of mistakes and the previously profitable NDT section was gone, the manager with it, in less than six months. He was actually a nice guy, a good "salesman", and could manage things he could understand (apart from getting rid of established clients instead of finding a way to keep the long revenue stream going - I've got no idea why he couldn't understand that they would go elsewhere) - but way out of his depth meant that he was just shark bait.
So in a technical environment your manager without the basics is just hoping that there are no sharks going past before they learn how to see them.
If vendors promptly fixed stuff, the IPS would never have been invented. If the EULA prevents reverse engineering, then don't agree to it... buy something other than an Oracle database as soon as you can. It's your responsibility to secure your own stuff, and they won't allow you to do your job.
No, it does not. A question "What does Oracle do if there is an actual security vulnerability?" is answered with "you found this because you reverse-engineered our code". That does not have to be true. On the other hand if I perform operation X and the product crashes, then they won't accept a submission unless you "provide a test case to verify that the alleged vulnerability is exploitable"
I read that clearly as "we do not want you to report any problems" and that makes their vulnerability reporting system just a PR thing.
... these tools *do* often have a ridiculous false positive rate.
That actually sounds pretty sensible.
Most of it is, except for the, paraphrasing, "How dare you reverse engineer our code to look for vulnerabilities, violating your license agreement, you naughty customer!"
static analysis of Oracle XXXXXX
Somebody should explain to the idiot that the advanced tools for code analysis have been capable of checking (and instrumenting) the compiled binary code for at least a decade.
When in the past I used Rational Purify on the applications linked against the Oracle client, there were more than 200 Purify warnings coming from the Oracle libraries, and that before main() was even reached. Draw conclusions yourself.
P.S. A global public variable - by all indications `int count;` - in the Oracle client libraries for Linux was just the topping on the cake.
All hope abandon ye who enter here.
Right... and in the EU there is a law that overrides the eula that explicitly allows reverse engineering as long as you're not building a competing product.
Except for the ones that tell their customers to piss off with their security bugs that they've found. If only I could think of the name of a company like that....
> "Customer may not reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code of the Programs..."
But they are not trying to derive the source code.
They are debugging their own problem and they are happy to work directly with Java bytecode and CPU assembly language to do this. They are not trying to reconstruct Java language or C/C++ language code from machine optimized code.
Now my debugger automatically goes into this detail for me; I can see Java bytecode (by opening a *.class file) and I can see CPU assembly language (when using 'gdb'). So while I do not work with Oracle products I find it hard to see how there is a breach of this clause in the terms; for this to be the case Oracle needs proof in the form of a copy of my attempt (or success) to derive source code.
So the problem is the debuggers used against Oracle systems are already performing the operations to "disassemble" and "decompile" the machine optimized representation (that you supplied) of the original source code. But they are not doing this for the purpose of trying to derive the source code, but to explain a set of circumstances that are a genuine problem to the customer.
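The comment above draws a line between reconstructing source and simply reading what a compiled artifact declares. As an added illustration (not code from the original thread, from Oracle, or from any Oracle product), the script below parses a Java .class file according to the documented JVM class file layout and reports the class version, the declared class and superclass, the method names and descriptors, and every class the constant pool references. The sample input is a constructed, hand-assembled minimal class; it stands in for the *.class files the commenter mentions opening. Everything is read from the file's own structure; no source is produced.

```python
"""Inspect a Java .class file's declared structure (version, names, methods,
referenced classes) by parsing the JVM class file format. Added example."""
import struct

MAGIC = b"\xCA\xFE\xBA\xBE"

# Byte sizes of the fixed-length constant pool entries (after the 1-byte tag).
# Tag 1 (Utf8) is variable-length; tags 5/6 (Long/Double) take two pool slots.
FIXED_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def _utf8_entry(s):
    b = s.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(b)) + b


# Constructed sample input: a minimal hand-assembled class "Hello" extending
# java/lang/Object with one static method "main" and no attributes. It is
# built inline for this example and is not taken from any real product.
SAMPLE_CLASS = (
    MAGIC
    + struct.pack(">HHH", 0, 52, 7)          # minor 0, major 52 (Java 8), cp_count 7
    + b"\x07" + struct.pack(">H", 2)         # #1 Class -> name #2
    + _utf8_entry("Hello")                   # #2
    + b"\x07" + struct.pack(">H", 4)         # #3 Class -> name #4
    + _utf8_entry("java/lang/Object")        # #4
    + _utf8_entry("main")                    # #5
    + _utf8_entry("([Ljava/lang/String;)V")  # #6
    + struct.pack(">HHHH", 0x0021, 1, 3, 0)  # access, this #1, super #3, 0 interfaces
    + struct.pack(">H", 0)                   # 0 fields
    + struct.pack(">H", 1)                   # 1 method
    + struct.pack(">HHHH", 0x0009, 5, 6, 0)  # public static, name #5, desc #6, 0 attrs
    + struct.pack(">H", 0)                   # 0 class attributes
)


def _read_pool(data, pos, count):
    pool = [None] * count
    i = 1
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            pool[i] = ("Utf8", data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in FIXED_SIZES:
            size = FIXED_SIZES[tag]
            pool[i] = (tag, data[pos:pos + size])
            pos += size
        else:
            raise ValueError("unknown constant pool tag %d at offset %d" % (tag, pos - 1))
        i += 2 if tag in (5, 6) else 1   # Long/Double occupy two slots
    return pool, pos


def _utf8(pool, idx):
    kind, value = pool[idx]
    if kind != "Utf8":
        raise ValueError("constant #%d is not Utf8" % idx)
    return value


def _class_name(pool, idx):
    tag, payload = pool[idx]
    if tag != 7:
        raise ValueError("constant #%d is not a Class entry" % idx)
    return _utf8(pool, struct.unpack(">H", payload)[0])


def _skip_attributes(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    for _ in range(n):
        _name_idx, length = struct.unpack_from(">HI", data, pos)
        pos += 6 + length   # attribute header (2 + 4 bytes) plus payload
    return pos


def _read_members(data, pos, pool):
    """Read a fields or methods table; returns [(name, descriptor), ...]."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    members = []
    for _ in range(n):
        _flags, name_idx, desc_idx = struct.unpack_from(">HHH", data, pos)
        pos += 6
        pos = _skip_attributes(data, pos)
        members.append((_utf8(pool, name_idx), _utf8(pool, desc_idx)))
    return members, pos


def parse_class(data):
    """Return version, declared class/superclass, methods and every class the
    constant pool references. Raises ValueError on malformed input."""
    if data[:4] != MAGIC:
        raise ValueError("not a class file (bad magic)")
    minor, major, cp_count = struct.unpack_from(">HHH", data, 4)
    pool, pos = _read_pool(data, 10, cp_count)
    _flags, this_idx, super_idx, n_ifaces = struct.unpack_from(">HHHH", data, pos)
    pos += 8 + 2 * n_ifaces
    _fields, pos = _read_members(data, pos, pool)
    methods, pos = _read_members(data, pos, pool)
    referenced = sorted(_class_name(pool, i) for i, e in enumerate(pool) if e and e[0] == 7)
    return {
        "version": "%d.%d" % (major, minor),
        "this_class": _class_name(pool, this_idx),
        "super_class": _class_name(pool, super_idx),
        "methods": methods,
        "referenced_classes": referenced,
    }


if __name__ == "__main__":
    for key, value in parse_class(SAMPLE_CLASS).items():
        print(key, value)
```

Pointing `parse_class` at the bytes of a real class file gives the same inventory: which JDK it targets, what it extends, which methods it exposes, and which other classes it depends on, which is the kind of fact a debugging customer needs and the kind of thing a dependency inventory is built from.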
Chief security officer? Our current chief is a real dumbass.
10 + 3 = 13
I knew you were french
Summary: if a manager doesn't have any domain knowledge at all of the thing that they are managing, only luck or interference from above in the tree is going to prevent truly spectacular fuckups before they get enough of a handle on the situation to see the massive fuckups before they happen.
Is that obvious enough?
It was a polite refutation, with obvious example, of the utterly stupid myth you are spreading of "they don't need to know anything".
Well, in fairness, you have a contract with your customers and don't have one with random Bad Guys in the internet. You can sue your customers, but good luck suing the bad guys.
I realize I didn't write the sarcasm tag explicitly but I would have thought that one would be obvious. Bad guys obviously don't have a contract and suing your customers is almost always a bad idea. If anyone points out a flaw in your product you say thank you and get to fixing it without further fuss. Any other response is simply unacceptable particularly if the person pointing out the flaw is a paying customer.
Yes.
So what is the use of a manager that can not even begin to do so and does not yet know what questions to ask to find out?
Your examples are two people who did have enough understanding to be able to communicate with their experts so do not support your very silly suggestion of not having to know anything about the field you are managing. Such a myth is nothing but a stupid excuse for why the wrong person is appointed to a job.
Thus you have enough of the understanding of the field you are working in to know your limits and to get advice from people that you know are effective instead of at random - but the clueless newbie doesn't know enough to be able to do that are they? Managing a soda company is not the same as managing a computer company - thus Jobs versus Sculley. Sculley did not know enough to be able to seek out good advice, and the choice that got Jobs fired and Sculley originally disagreed with (the Apple Macintosh) was the only thing that kept Apple alive over those years.
Was supporting Solaris, but we all know what happened to -that-.
Didn't realize how miserable I was and how much I hated working for them until I no longer had to show up. Sure, I'm out of work but no longer have to deal with the crappy tools, impossible 105 step work processes and endless obsession with metrics and numbers, even when shown that 90% of that is GIGO.
Sculley is the man who took over from Steve Jobs as should be very obvious from what I've written.
With all that supposed experience in so many fields you still push the myth of a manager being able to go in blind and manage anything? When did you go in blind? It doesn't appear that you were stupid enough to do so in any of the things you listed - so why push the stupid myth?