According to Oracle’s Chief Security Officer, Mary Ann Davidson, who also happens to write murder mysteries, customers “really can’t” reverse engineer Oracle’s code to find security vulnerabilities in order to protect themselves and their users.
“Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it,” she wrote in a company blog. “This is why I’ve been writing a lot of letters to customers that start with ‘hi, howzit, aloha’ but end with ‘please comply with your license agreement and stop reverse engineering our code, already’.”
Considering the seemingly daily stories of new cyberattacks and data breaches, any sane customer would be concerned about security holes. Enterprises can’t sit back, trusting companies like Oracle to find every single hole and fix it in a timely manner; they have to take matters into their own hands. They have to become proactive.
But Oracle doesn’t want them to. They want customers to sit back, shut up and trust them.
There are two major problems with this approach: First, Oracle’s arrogance that they know best. The second and the greater problem is that their code is proprietary. No one but Oracle has the source code and if someone tries to find flaws, Oracle threatens those customers.
This arrogance and hostile attitude towards researchers and customers, which is also seen in other proprietary companies like Microsoft and Apple, sends out a very strong message that organizations, governments and individuals must stop using proprietary software; they should not be at the mercy of the company. Instead they must move to open source technologies where they have full access to the source code and there is no need to reverse engineer anything. You will actually be praised as a contributor if you look into the code, find bugs and suggest patches.
Users of open source software often file bug reports to companies and they are patched immediately. Many open source friendly companies like Google run special programs to encourage researchers to find security holes in their products and reward them.
In Oracle’s world these contributors receive disdain, not praise. Davidson wrote, “However, we will not give a customer reporting such an issue (that they found through reverse engineering) a special (one-off) patch for the problem. We will also not provide credit in any advisories we might issue. You can’t really expect us to say ‘thank you for breaking the license agreement’.”
No thanks for doing the job Oracle was supposed to be doing and making their product safer. Instead of rewarding such customers, Oracle sends them angry letters.
Davidson’s plot continues, “If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, ‘static analysis of Oracle XXXXXX’), we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf – reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already.”
It doesn’t stop there; Oracle becomes even more arrogant as the story moves forward:
Now is a good time to reiterate that I’m not beating people up over this merely because of the license agreement. More like, ‘I do not need you to analyze the code since we already do that, it’s our job to do that, we are pretty good at it, we can – unlike a third party or a tool – actually analyze the code to determine what’s happening and at any rate most of these tools have a close to 100% false positive rate so please do not waste our time on reporting little green men in our code.’ I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying, and mutually-time wasting exercise.
So Oracle believes that it has hired all of the best and the brightest brains on the planet and no one outside the company can do a better job at finding flaws in its products? Really? There are so many cases of third-party researchers finding flaws in Oracle’s products that I couldn’t even list them here. Back in 2014 PCWorld reported that “Researchers from Polish security firm Security Explorations, who found many Java vulnerabilities in the past, decided to publicly disclose the Java Cloud Service security weaknesses because they weren’t satisfied with how Oracle handled their private report.”
Oracle’s “we are pretty good at it” team not only failed at finding those flaws, but also, presumably, was incapable of fixing them. Adam Gowdiak, the CEO and founder of Security Explorations, told PCWorld, “Two months after the initial report, Oracle has not provided information regarding successful resolution of the reported vulnerabilities in their commercial cloud data centers (US1 and EMEA1 respectively).”
Yes, Davidson is right, “they are pretty good at it.”
The entire tone of the blog is childish, treating customers like idiots. As in this excerpt where Davidson talks about customers hiring consultants to ensure their data is safe: “The customer signed the Oracle license agreement, and the consultant hired by the customer is thus bound by the customer’s signed license agreement. Otherwise everyone would hire a consultant to say (legal terms follow) ‘Nanny, nanny boo boo, big bad consultant can do X even if the customer can’t!’”
There was, as you might expect, a massive backlash against Davidson’s blog post. The company responded in its best ‘we are pretty good at it’ manner: They deleted the post without any explanation. This is not the first time Oracle has silently removed a blog post. Back in the days of the Oracle vs. Google lawsuit the company deleted a post by former Sun CEO Jonathan Schwartz that praised Android.
My takeaway from this blog mystery is that customers should stay away from proprietary code where they get zero control over their own infrastructure, where they can’t take security measures to protect themselves and their customers, where the company calls them ‘sinners’ for finding security holes in their products.
There is a simpler plot line: use a product only if it’s open.