Even more reason, as if more was actually needed, to keep clear of Oracle products in every shape or form.
Oracle pulls CSO's BONKERS anti-bug bounty and infosec rant
While other IT industry heavyweights have embraced bug bounties and working with security researchers more generally, Oracle has set its face in the opposite direction in a blog post likening reverse engineering to cheating on your spouse. Mary Ann Davidson, Oracle's chief security officer (CSO), expressed corporate dislike …
COMMENTS
Wednesday 12th August 2015 11:16 GMT Anonymous Coward
Re: Oracle - the people who brought you Java
@Nolveys: It is worse than that...
"Ah, well, we find 87 per cent of security vulnerabilities ourselves, security researchers find about 3 per cent and the rest are found by customers."
"I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem"
If they find 87% then they're throwing the money at the 13% they don't find. Personally, I'd prefer it if bugs were found internally, then by bounties, and never by the end customer - it shows they don't give a fuck. I despise the shitbag of a company.
"Oracle, putting the cunt into company"
Saturday 15th August 2015 06:35 GMT mi1400
Re: Amazing....
Dear Journos at AlReg ... $10-30K bug bounties may be the price of the most expensive thing you have ever imagined/fantasized about, or equal to several dozen salaries you could get at once... but the hackers or the like, by selling elsewhere, can get 10x better than this. I understand and knew that your brain froze doing 10x of $10,000, but it's understandable, as there has to be people (think journos) in the lowest layer of the food and intellect chain. I am no fan of Oracle, but this new bitchword "bug bounty" is a new wrapper on the same earlier bitchword "open source", especially in a post-NSA world.
Tuesday 11th August 2015 14:09 GMT Anonymous Coward
I've had somebody bringing me a Nessus security audit...
... and the stuff in it was actual security issues in Oracle Solaris, in FOSS code they used.
But when I called Oracle support, they neither confirmed nor denied the existence of any security vulnerability, since nothing had been Officially Announced, and no, of course they would not give me any workaround, countermeasure, or even an ETA for a fix.
Red Hat had, of course, already provided an update for the same vulnerability, and provided details about it.
So, I still lack any sympathy for *the* person whose management in Oracle made me ditch Solaris completely in favour of RHEL.
Tuesday 11th August 2015 14:10 GMT Anonymous Coward
As a bug hunter...
I concur... when you start running in the bug bounties or just independently declaring CVEs, you quickly learn that there are two companies - notably Oracle and Cisco - that are particularly hostile when you present bugs to them (barely veiled legal threats). It has, of course, the logical effect of leaving discovered bugs undeclared because there is no motivation to do so. If anyone wanders the darknet you'll see the session-puzzling bugs in Oracle products are all the rage at the moment... if they don't want to get involved in common-sense vulnerability programs, I'm sure infotomb and pastebin will find a way to get the bugs to the public. :)
Tuesday 11th August 2015 14:17 GMT Anonymous Coward
Your house belongs to the Oracle
«Sigh. At the risk of being repetitive, no, it doesn’t, just like you can’t break into a house because someone left a window or door unlocked.»
In Oracle's viewpoint, if the lock vendor of your house's doors made them defective, so the doors won't close - well, too bad, you are not allowed to do anything about it, not allowed to call in a locksmith, and of course, not allowed to complain about it.
Just wait until the lock vendor provides you with a fix, which is done on a fixed schedule of once every quarter.
I am amazed by her inability to find a less awful metaphor.
Tuesday 11th August 2015 18:19 GMT YetAnotherLocksmith
Re: Your house belongs to the Oracle
«Sigh. At the risk of being repetitive, no, it doesn’t, just like you can’t break into a house because someone left a window or door unlocked.»
Of course it does! If I can go through the open window or unlocked door, why the heck would I try picking the lock?
She clearly doesn't actually know any locksmiths, nor much about the bad guys trying to get in.
Wednesday 12th August 2015 10:31 GMT Roo
Re: Your house belongs to the Oracle
"I am amazed by her inability to find a less awful metaphor."
The Oracle Chief Security Officer's post illustrated a depth of ignorance and willful stupidity such that I would be amazed if they were capable of remembering to breathe by themselves. Mary Ann Muppet really should know better given that she's been dabbling in the security biz at Oracle for 22+ years.
Wednesday 12th August 2015 11:21 GMT Mark 65
Re: Your house belongs to the Oracle
Mary Ann Muppet really should know better given that she's been dabbling in security biz at Oracle for 22+ years.
Yes, but is she a security person or just some admin mouthpiece that was put into a role nobody wanted to do a long time ago and has been promoted for her rampant sycophancy ever since? Every company has one.
Wednesday 12th August 2015 11:22 GMT Anonymous Coward
Re: why do these people rise to the top in companies?
Lesson number 1 of large corporations - sycophancy will get you an awfully long way. Nobody in senior management likes hearing the phrases "no" or "you're wrong". If you want to go far just pretend that they're not fucking idiots. Alternatively just pride yourself on having some integrity.
Moral of this tale - integrity comes at a cost.
Tuesday 11th August 2015 14:44 GMT theOtherJT
Doesn't surprise me.
Given how awful every Oracle product we're forced to run here is it feels like the entire culture at Oracle is abusive toward their customers.
Honestly, I get the impression that their entire business model revolves around winning contracts on name recognition alone and then once they've got you locked in, doing the exact minimum required to ensure that it's harder to change to another product than live with the problems the thing they sold you has.
Tuesday 11th August 2015 15:14 GMT Sir Sham Cad
Re: entire culture at Oracle is abusive
Oracle as a company are just fucking disgusting, to be honest.
Not necessarily to do with anything in the article, either. I just can't stand their corporate practice. This threatening behaviour and ostrich approach to infosec is just one more shit cherry on the turd cake of Corporate Oracle, for me.
In other news: I don't like Oracle very much.
Tuesday 11th August 2015 17:47 GMT Anonymous Coward
Re: Doesn't surprise me.
once they've got you locked in, doing the exact minimum required to ensure that it's harder to change to another product than live with the problems the thing they sold you has.
That's not just Oracle, you've just described enterprise software in general. Oracle is one of the worst offenders but they hardly have a monopoly.
Wednesday 12th August 2015 11:28 GMT Anonymous Coward
Re: Doesn't surprise me.
Given how awful every Oracle product we're forced to run here is it feels like the entire culture at Oracle is abusive toward their customers.
Try being a developer - it is one of the most confrontational, pain-in-the-arse-to-use databases I have ever come across. Sure, it's powerful, with reams of features the vast majority of clients will never ever use, but otherwise it is a shitbag. Beautiful little intricacies like how, in some cases, it can view a date as a timestamp and start table-scanning rather than using a date-based index, unlike most other systems.
Overpriced shit.
Tuesday 11th August 2015 15:02 GMT Destroy All Monsters
I remember "Unbreakable Linux" from this club of gentle(wo)men
An appropriate frenchism: Fart Higher Than One's Arse
Common sense says to move away from official Java as fast as possible.
Tuesday 11th August 2015 15:25 GMT Cronus
It's not just about economically finding bugs...
Anybody with access to Oracle's software can discover vulnerabilities and I'm sure there's plenty of security researchers out there who'd be tempted to sell exploits to crimeware developers or worse, imo, to governments. Bug bounties at least offer another paid alternative.
Tuesday 11th August 2015 18:23 GMT Grikath
Re: Sensational historical revelation!
"Plutarch's Lives states: "The first messenger, that gave notice of Lucullus' coming was so far from pleasing Tigranes that, he had his head cut off for his pains; and no man dared to bring further information. Without any intelligence at all, Tigranes sat while war was already blazing around him, giving ear only to those who flattered him." "
Don't lose your head? ;)
Tuesday 11th August 2015 18:44 GMT Anonymous Coward
Regrettably it will be red from shouting at whoever reported it
and then at the internal staff who permitted the breach - who (extrapolating wildly from the shiny 10% of the shiteberg we can see poking above the water) are probably demoralised and micro-managed
You can be sure it won't be red with embarrassment and a belated recognition of hubris. Those would be nice grown-up characteristics, and so thoroughly helpful for senior management of that sort of firm.
Tuesday 11th August 2015 18:53 GMT Anonymous Coward
You[*] are allowed to check your Oracle license agreement though
where you might well find that in the event of a hack[**] you will compensate Oracle for bringing their good name[***] into disrepute.
[*] that's you only - surely it'll be confidential so you discuss it, post substantive extracts online, and absolutely mustn't disclose pricing. The sheep must be fleeced one at a time.
[**] a legal fiction, since in reality it is unbreakable
[***] also a legal fiction, presuming an audience that has yet to hear of the company. For such an audience you must concede it's a pretty good name, verging on cool.
Tuesday 11th August 2015 19:42 GMT Henry Wertz 1
I didn't agree to any agreement
""If you don't sympathize with the CSO of Oracle you have never had someone give you a Nessus report and tell you to fix everything in it," said Jerry Gamblin."
This just tells me not to hire Jerry Gamblin for anything important. A) I've run Nessus against my infrastructure (admittedly long, long ago), and the report was short; fixing everything on it was no big deal, because I took security seriously to begin with. B) I don't like having a system that works but is shoddy. Therefore, I don't dread a report where I should fix everything on it, I welcome it, because it makes the system better. The "stick your head in the sand" technique of just not wanting to know what is wrong is not the right way to go, especially if you're on the open internet: others WILL know and thoroughly pwn your setup if you try this for long.
Regarding this CSO's mad rant.... bzzt, unless *I* checked the box or signed the contract agreeing to your licensing agreement, I didn't agree to any licensing agreement!
Tuesday 11th August 2015 20:03 GMT Erik4872
She's not going to win any friends like that...
This was a very unprofessional post from the CSO. You'd expect something like this from a kid who thinks they know everything. I guess Larry likes to hire corporate officers that share his personality.
That said, I do wonder how many of Oracle's incoming reports are submitted by kids running exploit hunting kits they download on the Internet and don't understand the output of. Hiding behind the license agreement isn't an acceptable answer, for the record, but I imagine that reports like this can get tiresome. I know the security research field has grown up slightly, but I often see examples of "researchers" trying to make names for themselves by showing more than a little hubris.
I'm sure Microsoft, Cisco, etc. have boilerplate text somewhere in their agreements preventing reverse engineering as well. That doesn't mean it doesn't happen!
Tuesday 11th August 2015 23:07 GMT Anonymous Coward
2 hours into a support call ...
True story of Oracle support.
We're experiencing, since the latest Oracle-provided patch, memory leaks in our Oracle Application production instance. This is forcing us to reboot a 20 000-user environment every 24 hours. On the third day, 2 hours into a conference call with our CTO and a few other big wigs, the Oracle representative says the following. This is an exact quote.
"Why should I help you with your problem?"
The CTO, not missing a beat, replied "Because I have a 250 000$ check for our quarterly licence fees on the corner of my desk and I am not signing it until this is fixed"
Yea, awesome service Oracle.
Wednesday 12th August 2015 08:22 GMT Naselus
Re: 2 hours into a support call ...
"The CTO, not missing a beat, replied "Because I have a 250 000$ check for our quarterly licence fees on the corner of my desk and I am not signing it until this is fixed""
I get the feeling he didn't miss a beat because he's had this exact conversation with Oracle a few times before.
Wednesday 12th August 2015 00:20 GMT Mephistro
Numbers, numbers...
"... security researchers find about 3 per cent and the rest are found by customers"
So they think it's OK for their customers to suffer find 30% more vulnerabilities than they would find if a bug bounty program was in place?
Corporate cultures can be so-so, bad, terrible, and then there is Oracle.
Wednesday 12th August 2015 01:08 GMT Anonymous Coward
We're in the midst of an annual Oracle license audit/anal probe and it's a nightmare. I am continually astonished that they are still in business. Every vendor has their issues with licensing, sometimes really ugly ones, but Oracle goes in dry. They don't even give you a reach-around. They're a cut above in their utter douchebaggery. Reminds me a lot of Sun under Scott McNealy, whose sole operating philosophy in sales was to slam the competition, and in a really ugly and mean-spirited way. Ellison seems to rule his team in exactly the same manner. And to boot, it's not like their software is even half decent. Their enterprise software in particular is utter crap cobbled together from a thousand acquisitions.
Wednesday 12th August 2015 12:03 GMT Jeff 11
"I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is “whack a code mole”) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues, and so on."
Maybe because defensive, top-down, bureaucratic corporate culture is only ever an obstacle to security research and bug fixing? Other corporates have recognised that the independence of thought encourages novel approaches to finding those software defects your internal team can't handle.
Wednesday 12th August 2015 12:10 GMT cat_mara
I wouldn't wish Oracle on my worst enemy
As a developer, I actually prefer working with Oracle and PL/SQL than, say, Microsoft SQL Server and T-SQL; I think the former is a better-rounded language than the latter. If I land a contract gig maintaining an Oracle app, I'm happy. But if I were working on a greenfield application, I would *never* recommend a customer go with Oracle because of crap like this. Their salespeople are sharks who will pull every underhanded stunt in the book to earn commission, overselling customers on features they don't even need... then send the auditors in every year or so to extract their pound of flesh again. It's not worth the hassle. Now, I must see how the PostgreSQL emulation of PL/SQL is coming along. :-)