[Infowarrior] - Oracle Deletes CSO’s Screed Against Hackers Who Report Bugs

Richard Forno rforno at infowarrior.org
Tue Aug 11 12:22:18 CDT 2015


(Oh, MAD, what *will* you say next?  ---rick)


Oracle Deletes CSO’s Screed Against Hackers Who Report Bugs
 http://www.wired.com/2015/08/oracle-deletes-csos-screed-hackers-report-bugs/

If you take apart Oracle’s software and find a hackable vulnerability, don’t tell the company. Or at least not its chief security officer.

“If you are trying to get the code in a different form from the way we shipped it to you…you are probably reverse engineering,” writes Oracle CSO Mary Ann Davidson. “Don’t. Just – don’t.”

That, in short, is the message of a nearly 3,000-word rant Oracle Chief Security Officer Mary Ann Davidson wrote on her company blog yesterday. The post was deleted sometime before Tuesday morning, but is still visible on the Internet Archive. Davidson rails against customers who report bugs to the company, and complains that she’s increasingly having to write responses to them telling them to stop violating their license agreement, which forbids the reverse engineering of their software.

“Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it,” she writes. “This is why I’ve been writing a lot of letters to customers that start with ‘hi, howzit, aloha’ but end with ‘please comply with your license agreement and stop reverse engineering our code, already.’”

The post set off an immediate firestorm in the security industry, which—aside from Oracle—has increasingly adopted a friendly attitude toward reverse engineers and benign hackers. Standard practice for a company that receives a report of a new vulnerability in their software, a so-called “zero-day” bug, is to credit the researcher or even pay a “bug bounty” monetary reward. Practically every major tech company from Google to Microsoft, and increasingly other companies from United Airlines to Tesla, now run some version of those reward programs.

Davidson, who has a long history of adversarial relationships with security researchers, took a harshly opposite tone. “We will also not provide credit in any advisories we might issue,” she wrote. “You can’t really expect us to say ‘thank you for breaking the license agreement.’”

Oracle didn’t immediately respond to WIRED’s request for comment.

In the meantime here are a few of the response tweets from the security community, many of which excoriate Oracle for rejecting free security advice and make the undeniable point that the company’s real enemies—nation-state hackers and cybercriminals—won’t abide by Oracle’s draconian prohibition on reverse engineering.

< -- >

--
It's better to burn out than fade away.
