Slashdot Mirror


Oracle Exec: Stop Sending Vulnerability Reports

florin writes: Oracle chief security officer Mary Ann Davidson published a most curious rant on the company's corporate blog yesterday, addressing and reprimanding some pesky customers that just will not stop bothering her. As Mary put it: "Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it." She goes on to describe how the company deals with such shameful activities, namely that "We send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer's behalf — reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already."

Later on, in a section intended to highlight how great a job Oracle itself was doing at finding vulnerabilities, the CSO accidentally revealed that customers are in fact contributing a rather significant 1 out of every 10 vulnerabilities: "Ah, well, we find 87 percent of security vulnerabilities ourselves, security researchers find about 3 percent and the rest are found by customers." Unsurprisingly, this revealing insight into the company's regard for its customers was removed later. But not before being saved for posterity.

9 of 229 comments

  1. Re:Yet another reason to avoid Oracle by gpmidi · · Score: 5, Informative

    Not to mention you have to do business with a company that is well known for fucking over its customers.

  2. Oracle blog (was?) vulnerable to XSS exploit... by Anonymous Coward · · Score: 5, Interesting

    And the irony is ...

    https://twitter.com/addelindh/status/631040188010131456

  3. In Washington trying to make research illegal by phantomfive · · Score: 5, Informative

    Oracle has been reportedly working hard in Washington trying to make security research illegal.

    Of course, malicious hackers will always be finding exploits, and using them.

    --
    "First they came for the slanderers and I said nothing."

  4. frog protection by Pseudonymous+Powers · · Score: 5, Funny

    CEO (on phone): Hey, I want to promote Mary Ann Davidson for her years of excellent service in our accounting department. We're going to make her CFO!

    HR Director: Wow, you're making Mary Ann CSO?

    CEO: Yes, CFO! Congratulate her for me.

    HR Director: Are you sure, sir? I mean... Mary Ann... CSO?

    CEO: Yes, of course! She'll make a great CFO!

    HR Director: Do you think she's qualified to be CSO?

    CEO: What do you mean? Of course she's more than qualified to be CFO!

    HR Director: Wait, you're saying CSO, right?

    CEO: Yeah, CFO!

    HR Director: CSO?

    CEO: CFO.

    HR Director: CSO?

    CEO: CFO!

    HR Director: Okay, I think we're on the same page here.

  5. similar approaches have succeeded. by nimbius · · Score: 5, Funny

    I know many security professionals may be alarmed at this practice, but I can assure you other examples exist where this tactic proves effective. For example, by ignoring or forbidding climate change discussion we actually prevent it from ever happening (clapping your hands helps too). Prior to abstinence-only education, teenage pregnancy was ridiculously prevalent in the US. Now that most sex-education courses in America are unstandardized and avoid covering things like condoms, birth control, even simple intercourse, kids are a model of puritanical living.

    I'm also told that the nuanced and layered complexity of immigration reform and homeless war veterans can be tackled by a large wall, and simply not looking at homeless people.

    --
    Good people go to bed earlier.

  6. Not entirely wrong. by Anonymous Coward · · Score: 5, Insightful

    While the tone of the piece is more than a little condescending, there's an actual issue here, and she's not wrong about it.

    Most customers would only reach out to a vendor with a bug report when they've actually found a real problem. Those bug reports are always welcome by any reputable vendor. They might be performance, or integrity bugs, or security bugs. Real bugs are good. They're welcome.

    However, there's a second category of people (and she's right that bug bounty programs have somewhat encouraged them) that are the security equivalent of script kiddies - they downloaded a "sploits!" kit off the internet (in this case, often a combination of a decompiler and static analyzer). They don't really understand how the kit works or what it does, but ZOMG I ran it against your code and it found issues! Your software is insecure! See? It says so right here! Now pay me something for all my hard work! I may not understand exactly what it's telling me, but it's telling me you have a bug! This group of people adds very little in the way of new bug discovery (again, most of their output really is known or false positive).

    That second category of people (especially the ones who demand to be welcomed as liberating heroes) can in many cases get annoying. Because vendors really do run these kits against their code, so most of the time anything that isn't a false positive is a known issue. The back and forth with the customer really can sap time and energy (especially for customers who get strident and demand a "patch" right away or they'll go to the press and tell everyone how bad your code is).

    I don't really blame someone who works in security for feeling frustrated that this small subgroup of customers continues to flood inboxes with "bug reports" that often they themselves don't understand, and which are often not useful.

    That said, this is an absolutely idiotic tone to take in a blogpost directed at your customers. The problem can certainly be expressed in a way that doesn't sound childish, or scolding. This is a seriously dumb way for a company to semi-officially communicate with its customers.

    Disclaimer: I do not and have never worked for Oracle. I don't even particularly like Oracle after the SSO suit against Google.

  7. If you're still using Oracle... by xxxJonBoyxxx · · Score: 5, Funny

    In Oracle's defense, if you're still using their cash cow database it's fair to say that it will do more financial damage to your company than most hackers could ever do.

  8. Should be legal in Europe by gweihir · · Score: 5, Interesting

    If I remember correctly, reverse-engineering to fix bugs that prevent software from working as intended and to secure systems is always legal in Europe, no matter what the contract says. But it is nice that Oracle confirmed that they do not care about their customers at all except as cash-cows. Not that this is a surprise to anybody.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  9. Re:Piss off by Aaden42 · · Score: 5, Interesting

    This policy is long-standing. Probably over 10 years ago at this point we found and fixed a connection leak in Oracle's own JDBC driver by decompiling, fixing, and recompiling the affected class. To say they were displeased would be polite.

    It was a production-down issue, we fixed it after their support flailed on it for several days, and they still had the nerve to send us a nastygram for it.