“Stop reverse engineering our code”

613 points by hughstephens, almost 10 years ago

74 comments

kabdib, almost 10 years ago

Wow. Really?

This single blog post is strong evidence for why you should never, ever buy an Oracle product, and if you are running anything written by them, why you should plan to migrate away.

Now, the culture of consultants in the Oracle sphere of influence is pretty toxic and money-grubbing. I can imagine companies being badgered into paying security weasels big bucks to analyze software with tools that cough up a zillion false positives, whereupon the weasel looks like a hero and is paid a bunch of cash, the customer panics and demands that Oracle fix a pile of non-existent vulns, and some department buried inside Oracle doesn't know how to deal. Whereupon the weasel skates off to another company to run the same scam: rinse, repeat, and this blog post.

In which case Oracle should simply call it out: "Please don't send us crappy automated scanning tool reports from the shitty security weasel consultant you hired because those reports are useless, and the same weasels have been sending identical ones in, monthly, for years, and you are being ripped off." But Oracle never passes up the opportunity to express contempt for its customers, nor can it admit to being wrong.

Better to avoid that whole ecosystem.
duncan_bayne, almost 10 years ago

So, I disagree with the poster on a bunch of things here (no surprise, really).

But: this is authentic. This is what we (i.e. hackers) are always claiming we want. Someone speaking her mind, shooting from the hip, etc. Not an anodyne blob of corporate-speak: this is an opinion, stated pretty clearly, and backed up with fighting words.

You'd expect: "Our legal team has advised us to remind consultants that they are bound by any and all terms and conditions to which their clients have ... etc. etc. etc."

You get: "Otherwise everyone would hire a consultant to say (legal terms follow) 'Nanny, nanny boo boo, big bad consultant can do X even if the customer can't!'"

Here we have someone who clearly loves the company and the product with a passion, defending both against what she sees (very wrongly, in my opinion) as criminal misuse and waste of resources.

I'll take one of these posts and argue its merits any day, over a block of mealy-mouthed corporate crap.
crypt1d, almost 10 years ago

Seems like the original blog post was deleted, here is the archive: https://web.archive.org/web/20150811052336/https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t
Stratoscope, almost 10 years ago

> Q. If you don't let customers reverse engineer code, they won't buy anything else from you.

> A. I actually heard this from a customer. It was ironic because in order for them to buy more products from us (or use a cloud service offering), they'd have to sign – a license agreement! With the same terms that the customer had already admitted violating. "Honey, if you won't let me cheat on you again, our marriage is through." "Ah, er, you already violated the 'forsaking all others' part of the marriage vow so I think the marriage is already over."

What a thoroughly nasty comment. She is comparing her customer with someone who is cheating on their spouse. Disgusting.
kriro, almost 10 years ago

This is a marketing layup for any FLOSS ERP company (or the PostgreSQLs of the world). Basically "by all means check our code for any issue you may find. We'll gladly accept any suggestions for code improvements you may have."

This post is an absolute nightmare/facepalm. Basically my takeaway is "I guess I don't want to buy Oracle software". It's really mind blowing that this is the position of a major software company in this day and age. I mean I guess I shouldn't be shocked since it is in the EULA but man I'm kind of speechless (this clause has to be illegal in some countries, too).

Edit: as an aside, as a bad guy this would make me very interested in reverse engineering Oracle products. If they disallow it for their customers the reaction times to any security issues will be lower and it will be pretty valuable to find bugs in their products.

Edit2: Seems like the blog was cracked. At least the "About" on the side seems to indicate that.
quesera, almost 10 years ago

Wow. Someone's been hitting the Kool-Aid pretty hard.

I've seen this institutional hubris first-hand. The unshakable belief (typically by nontechnical management) that all of the smartest people in the world are employed here, working for me.

It always ends badly.
dang, almost 10 years ago

The submitted title ('Oracle CSO: ~"Only we can do security, trust us and do not reverse engineer"') breaks the HN guidelines: it's editorialized (whatever one thinks of the article), and it's a quote-looking-thing that isn't a quote, so misleading.

Please don't do this. The HN guidelines ask you to use the original title. If that's really not suitable, a subtitle or some representative language from the article is ok. But putting your own spin on it is not ok. HN's goal is to let readers make up their own minds, and for that we need accurate, neutral titles.

We've changed the title to a representative phrase from the article, and can change it again if someone suggests something better.
dferlemann, almost 10 years ago

This is exactly the problem with the legality of RE and penetration testing. "You broke the law by wasting our time, violating your license agreement." I understand the author's points. Not very good points, disappointingly.

No matter how interpersonal she puts it, it makes me not ever want my system to rely on a company that threatens and belittles customers for protecting themselves.

If I bought a fridge for my house, and I found a listening device and a pinhole camera in the fridge: just because the company has a clause saying I am not allowed to open up the fridge, it doesn't mean I shouldn't.

Well, the company might have found the devices. Indeed maybe there's nothing customers can do until the company fixes it. Telling customers they are not allowed to look for flaws is just ridiculous. Yes, it's your product, but this is my home!
reacweb, almost 10 years ago

Reverse engineering is legal in France for research and computer security (http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000266350&categorieLien=id).
jaawn, almost 10 years ago

I don't really see how a lot of the responses here match with the original blog post. People seem to be airing a lot of long-standing grievances about Oracle rather than responding to the specific post on its own. Viewed on its own, the post can basically be summarized as "Please stop treating our products like they are open source. They're not, and it is against the license agreement to reverse engineer our stuff to find the source code."

A lot of people think open source software is a much better methodology than proprietary, highly-protected source code. That's fine, there are a lot of good arguments there. However, it doesn't make sense to throw a bunch of other, barely related insults at a company when really, all you're upset about is that their code is not open source. Criticize that... that is what you're upset about (at least so far as this specific blog post is concerned).
macmac, almost 10 years ago

The arrogance is titanic. And her legal team apparently forgot to explain to her that certain jurisdictions permit reverse engineering and decompilation under certain circumstances irrespective of what Oracle's license agreement says.
owenwil, almost 10 years ago

I laughed at this line where she tries to prove her point by touting that Oracle already found a bug that a security researcher reported to them (but wasn't fixed yet):

"(Small digression: I was busting my buttons today when I found out that a well-known security researcher in a particular area of technology reported a bunch of alleged security issues to us except – we had already found all of them and we were already working on or had fixes. Woo hoo!)"
azinman2, almost 10 years ago

There are too many points to discuss... it's really quite insane especially on the backs of Java exploit after Java exploit.

But what I really don't get is this bug bounty hateathon. If it's only 3% of bugs (currently WITHOUT incentives like a bug bounty), then that's really not that much money... and in return you get more cred, something you might use for recruitment, and the off chance that you might increase that 3% versus something going on the black market. Even more so, how much could this really cost!? And Oracle has how much money?! If you can't spend that on a bug bounty when your security is just so awesome as the post contends, then something is really in trouble.
pkkp, almost 10 years ago

Is it just me, or is the childish, mocking tone in the OP simultaneously baffling and totally befitting of the point they're trying to make? I understand that they're frustrated by the repeated submission of automated security vulnerability reports, but blanketing it entirely as "reverse engineering" and responding to it like this is... a strange approach.

Did someone at Oracle actually think that this was the best way to make this point?
hgears, almost 10 years ago

Original has been deleted, cached version available:

http://webcache.googleusercontent.com/search?q=cache:ntXM0RlghUUJ:https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t+&cd=1&hl=en&ct=clnk&gl=us
EdwardDiego, almost 10 years ago

> Generally, our code is shipped in compiled (executable) form (yes, I know that some code is interpreted). Customers get code that runs, not the code "as written." That is for multiple reasons such as users generally only need to run code, not understand how it all gets put together, and the fact that our source code is highly valuable intellectual property (which is why we have a lot of restrictions on who accesses it and protections around it).

Your JDBC driver IP isn't that valuable, just give me the damned source code so I can figure out why my Postgres copy out stream is blocking when I insert it into your copy in stream.

/rant
WormyMcSquirmy, almost 10 years ago

> Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers.

They admit more security vulnerabilities are found by customers than security researchers and still they release this smug "fuck off" toned blog.
davidgerard, almost 10 years ago

This is one of the finest pieces of Postgres marketing I can recall seeing in recent times. They've made the case for open source better than anyone in 2015.

(We're in the midst of an Oracle->Postgres conversion right now. It's going wonderfully. I strongly advise you to look into it, bet you'll find it way easier than you think.)

(One of the nicest things about it: we give every app its own cluster of two PG boxes, because you can just do that instead of running a centralised monster box with an expensive license. It turns out that just everything not having to play nice with others makes stuff stupendously easier to manage.)
gizi, almost 10 years ago

I like it that Oracle openly publishes this kind of blog. I would personally never work for a company which expects me to develop anything using Oracle gear. It's simple. I can always find another company that doesn't and that pays the same or better. That is also why I suspect that someone who works in those circumstances really has to, because he has no other options.
lorenzhs, almost 10 years ago

To me, this reads like a post explaining the benefits of free software by demonstrating the disadvantages of using proprietary systems. A bit hyperbolic at that, though.

RMS would have a field day.
sqldba, almost 10 years ago

It sounds like they've confused a) users submitting results from static analysis that wastes time, b) users submitting demonstrable vulnerabilities, and c) license agreements.

a) is bad, and the users should just be turned away. b) is good and far better than selling them on the black market. c) is... who cares, it's a license agreement.
idlewords, almost 10 years ago

Can some infosec person speak to her strongest claim, that static analysis gives "basically 100% false positives" and wastes the team's time?
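idlewords' question above (whether static analysis really gives "basically 100% false positives") is one of the few technical claims in the thread, so here is an added example that is not part of the HN discussion and not code from Oracle or from anything Davidson published. It is a toy scanner in Python run over constructed C fragments. It demonstrates the mechanism behind inflated false-positive rates rather than the 100% figure: a pattern-only scanner reports every call to a historically risky function, and precision only improves once the tool can use surrounding context (a literal that fits the buffer, a preceding bounds check), which is far easier to see in source than to recover from a shipped binary. The C samples, the "ground truth" labels and the two suppression heuristics are all assumptions made for this example.

```python
"""Toy demonstration of why context-free static scanning over-reports.

naive_scan()   flags every call to a risky C function it can pattern-match.
context_scan() applies the same pattern but drops findings that two cheap
               pieces of local context explain away.
Everything below (C fragments, labels, heuristics) is constructed for this
example; it is not a real analyzer and not anyone's product code.
"""
import re
from dataclasses import dataclass

# Constructed C fragments. By our labels, only two contain a real bug.
SAMPLES = {
    "unchecked_copy": '''
void f(const char *src) {
    char buf[16];
    strcpy(buf, src);
}
''',
    "guarded_copy": '''
void g(const char *src) {
    char buf[16];
    if (strlen(src) < sizeof(buf)) {
        strcpy(buf, src);
    }
}
''',
    "literal_copy": '''
void h(void) {
    char buf[16];
    strcpy(buf, "hello");
}
''',
    "unchecked_gets": '''
void u(void) {
    char line[64];
    gets(line);
}
''',
}
GROUND_TRUTH = {"unchecked_copy", "unchecked_gets"}  # our labels, for this example

RISKY = ("strcpy", "strcat", "sprintf", "gets")
# call(dst, rest);  -> group1 = function, group2 = destination, group3 = remaining args
CALL_RE = re.compile(r"\b(" + "|".join(RISKY) + r")\s*\(\s*(\w+)\s*,?\s*(.*?)\)\s*;")
DECL_RE = re.compile(r"\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]")  # char name[N];


@dataclass(frozen=True)
class Finding:
    sample: str
    func: str
    line: int


def naive_scan(name, src):
    """Flag every risky call, ignoring everything around it."""
    return [Finding(name, m.group(1), src[: m.start()].count("\n") + 1)
            for m in CALL_RE.finditer(src)]


def context_scan(name, src):
    """Same pattern, but suppress findings explained by local context.

    Heuristic 1: the source is a string literal that fits (with NUL) in the
                 declared destination buffer.
    Heuristic 2: an `if (strlen(SRC) < sizeof(DST))` guard appears earlier in
                 the same fragment (each sample here is a single function, so
                 'earlier in the text' is a crude stand-in for 'dominates').
    """
    sizes = {m.group(1): int(m.group(2)) for m in DECL_RE.finditer(src)}
    findings = []
    for m in CALL_RE.finditer(src):
        func, dst, rest = m.group(1), m.group(2), m.group(3).strip()
        before = src[: m.start()]
        lit = re.fullmatch(r'"([^"\\]*)"', rest)
        if lit and dst in sizes and len(lit.group(1)) + 1 <= sizes[dst]:
            continue  # heuristic 1
        guard = re.compile(r"if\s*\(\s*strlen\(\s*" + re.escape(rest) +
                           r"\s*\)\s*<\s*sizeof\(\s*" + re.escape(dst) + r"\s*\)\s*\)")
        if rest and guard.search(before):
            continue  # heuristic 2
        findings.append(Finding(name, func, before.count("\n") + 1))
    return findings


def run(scanner):
    """Run a scanner over every constructed sample and collect its findings."""
    out = []
    for name, src in SAMPLES.items():
        out.extend(scanner(name, src))
    return out


def precision(findings):
    """Fraction of findings that are real bugs under GROUND_TRUTH (None if no findings)."""
    if not findings:
        return None
    return sum(1 for f in findings if f.sample in GROUND_TRUTH) / len(findings)


if __name__ == "__main__":
    for scanner in (naive_scan, context_scan):
        found = run(scanner)
        print(scanner.__name__, [(f.sample, f.func, f.line) for f in found],
              "precision=%.2f" % precision(found))
```

On these four fragments the pattern-only pass reports all four calls and is right half the time; the context-aware pass reports only the two real bugs. Real tools are far more sophisticated than this, but the shape of the result is the point: the fewer facts an analyzer can establish about the code around a suspicious call, the more of its output is noise that someone with source access then has to triage.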
ikeboy, almost 10 years ago

> We will also not provide credit in any advisories we might issue. You can't really expect us to say "thank you for breaking the license agreement."

Well, Apple does (for jailbreak exploits).

> I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem

Uh ... You don't think that percentage will increase if you offer bounties?
HelloNurse, almost 10 years ago

The post seems real, by comparison with other articles in the blog: in particular similar silliness and dislike for security advisories in https://blogs.oracle.com/maryanndavidson/entry/is_your_shellshocked_poodle_freaked and a similar anti-reverse engineering stance in https://blogs.oracle.com/maryanndavidson/entry/mandated_third_party_static_analysis and https://web.archive.org/web/20140123033110/https://blogs.oracle.com/maryanndavidson/entry/those_who_can_t_do
denwer, almost 10 years ago

Is that post for real? https://twitter.com/dinodaizovi/status/630972473945817088
eastbayjake, almost 10 years ago

When I read this, I thought for sure it was just a lower-level engineering manager. I can't believe she's the Chief Security Officer, and that someone with a Wharton MBA could write something so unprofessional and full of disdain for your customers.
charltones, almost 10 years ago

There is just no upside to this kind of response. Surely for any tech company that has reached a certain size, the only workable approach is to recruit an appropriately sized security team and politely welcome and respond to each and every security report received, triage them as quickly as possible and fix the ones that are found to be real vulnerabilities. Even if you aren't happy with the motives or the methods they employ, they are potentially finding flaws in your products for you.
selimthegrim, almost 10 years ago

Is this woman aware that static analysis is a non-negotiable requirement for filing your 510(k) if you do anything vaguely medical the FDA has to look at? Not that I would willingly choose Oracle for medical device applications, but the cognitive dissonance here is amusing. Pax vobiscum indeed.
DannyBee, almost 10 years ago

Except, uh, in plenty of countries, those anti-reverse engineering clauses are void as a matter of public policy.

And in any product that uses LGPL code, for example, it's actually a license violation to forbid customer modification and reverse engineering for the purpose of debugging those modifications.

(Though, admittedly, everyone always violates this term.)
jjoos, almost 10 years ago

> I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem

Aren't the issues not found by Oracle the problem? I'm amazed that still 23% of the externally found security issues are reported by researchers; the incentive to responsibly disclose security issues to Oracle isn't really big. It sounds like a cumbersome process with potential legal consequences.

There also are researchers (maybe after a first bad experience about an EULA) that sell security issues to the grey/black market. Is there any data on how many Java zero days are exploited in the wild before being fixed?

Changing your stance and being grateful for responsible disclosures and only using your EULA to threaten and sue the bad people can potentially save everyone with Java installed from a few zero days at zero cost.
ck2, almost 10 years ago

Don't worry, if you won't let your paying customers check for security holes, there are plenty of people in China who are going to do it for you instead.
hownottowrite, almost 10 years ago

Mary Ann Davidson's testimony on "cybersecurity" (2009): https://www.whitehouse.gov/files/documents/cyber/Congress%20-%20Davidson-Oracle-SFR_10Mar09.pdf
jurre, almost 10 years ago

It seems to have been removed, here's a pastebin of the original post: http://pastebin.com/bbMshdU1
Ogre, almost 10 years ago

Just today I was arguing for not moving something off of Oracle. No one's really happy the thing in question is on Oracle, but it is live in production and most of the time does what it needs to. It ain't broke. Changing to "something else" carries way too many unknowns for my comfort level.

If I'd read this last night... I still would've argued the same thing, but I would've been really unhappy about it.
16bytes, almost 10 years ago

I read the blog, but now it's returning a 404? Did they take it down?

If so, then somebody at Oracle realized that post reflected poorly on their organization. Perhaps there is some hope for Oracle yet.
vlunkr, almost 10 years ago

Whew. I've never read something from a company that was so insulting to its own customers. I'd wager a bet that they won't be keeping their job for long.
dr_zoidberg, almost 10 years ago

While I admit that I didn't read the whole post (to me it was a wall of text full of complaints going around the same point, always saying the same without too much variation), I really don't get this obsession with reverse engineering. Yes, their license agreement states that it can't be done. But you deploy code, executable code, but still code. Code that people can understand, if they go through the process of analyzing it.

While I don't endorse breaking the agreement (which was properly signed and "celebrated", as lawyers say), I find it funny in the first place that they're selling a glass container and say "you can't look into it, just use it".

I prefer the honesty of free software/open source projects that sell customer support to this business model (which is also adopted by others, not just Oracle). However, if I were already bound to it, and couldn't pay the cost of migration, I understand I'd have to stick with it.

It's also amusing that people/organizations seriously believe they can reverse engineer something as complex as a database engine and "fix it" without access to the diagrams, docs, tests, source code, build environment, etc.
Ben0xA, almost 10 years ago

Oracle pulled the original post. Here it is on pastebin: http://pastebin.com/wkk8b7FJ
minusSeven, almost 10 years ago

I worked in the Oracle SOA product (BPEL) for 2 years. We had to do a migration from 10g to 11g because Oracle wasn't supporting the 10g version anymore. While migrating we came across a lot of issues that worked fine with 10g but failed in 11g. So we raised a lot of service requests with Oracle. Most of those got rejected by Oracle as they were not high priority, meaning there were terrible workarounds existing for them. They only bothered fixing those ones without which we couldn't work (I guess they had to or my company would have sued Oracle). We ended up writing a lot of horrible workarounds just to make existing code work.

Yes, we did not reverse engineer that code even though I feel it would have done a lot of good for us. Not to mention the tool set provided by Oracle is utter crap, as in it barely works on its own.

So I am not at all surprised that Oracle has that kind of mentality here. In all our communications with Oracle I felt they never really actually cared for what we the customers really want. All they actually care about is protecting their investments.
discreditable, almost 10 years ago

Link is giving me a 404. Anyone got a mirror?
trymas, almost 10 years ago

Not sure if trolling/hacked or serious. If the latter, I guess many tech savvy (read 'hackers') people will accept this as a challenge.
Orinocco, almost 10 years ago

The article seems to have been taken down from the Oracle site. I leave this from an unclosed tab for posterity:

http://pastebin.com/hU1mg1K9
muhuk, almost 10 years ago

Noticed that obscure death threat in the beginning? I'm not surprised to see it in a post about licenses.
Simulacra, almost 10 years ago

This makes me want to reverse engineer Oracle code immediately.
dolfje, almost 10 years ago

Apart from the legal stuff and a lot of egocentric 'we can do it better', she has one point. There are many companies spending a lot of money on security, manually scrubbing all exploits that come out, creating their own patches. While some lack the basic security guidelines. I think this money can be better spent upstream, to create tools so they can test patches for exploits better and create a faster security update release pipeline, so that all downstream and customers can rely on the security releases and that it can be released quicker to everyone. (Controversial: maybe even adding automatic security updates to the package itself, like WordPress did, so that customers cannot be on a release with exploits.)

Though saying to your client that they cannot reverse engineer to look for security problems is totally not done! What is next? "Exploits will not be fixed, because the user has signed an agreement that they will not hack?"
anonu, almost 10 years ago

If you look back at the author's earlier blog posts you'll find similarly-minded thoughts: https://blogs.oracle.com/maryanndavidson/entry/mandated_third_party_static_analysis
khaki54, almost 10 years ago

Oracle JRE is literally one of the more vulnerable pieces of software underpinning the web and computing as a whole.

JRE CVEs: http://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19117/Oracle-JRE.html

It's been 5 years since Oracle took over Java, so they can't claim it was left over.

Oracle's security record is terrible by all accounts, so how can their CSO justify anything in this blog post?

ORACLE product list CVEs: http://www.cvedetails.com/product-list/product_type-/firstchar-/vendor_id-93/page-1/products-by-name.html?sha=2a9718c5c6139d3034698d7627abb350713f75e4&order=3&trc=256
nashashmi, almost 10 years ago

What a bully! Reminds me of someone at work, especially with this line: "I do not need you to analyze the code since we already do that, it's our job to do that, we are pretty good at it".

This makes me want to climb the Empire State Building, beat my chest like a gorilla, and yell "Let me do what I know best!"
tux, almost 10 years ago

Mirror: https://archive.is/iz4H2
hyperdunc, almost 10 years ago

In the first paragraph the writer insinuates that she'd like to kill people who drive too close behind her.

Any subsequent valid points she makes - and there aren't many - are undermined by this bitterness.

Heightened emotion so often enables effective communication, but it doesn't do any favors in this post.
bradleyankrom, almost 10 years ago

No matter how valid her points are, the tone is inexcusable in a public-facing blog, especially when discussing customer behavior. I recognize the strong points of Oracle's offerings, but let's not pretend that there is not competition from other, open software.
lwhalen, almost 10 years ago

Some media flack must've clapped eyes on that and had a VERY bad morning. The post has since been taken down, but here's a copy: http://pastebin.com/RQA90EEb
sprayk, almost 10 years ago

I'm not sure what the author's argument is here. Is me reversing simply a nuisance and waste of Oracle's time? Is Oracle trying to obtain security via contractual obscurity? I see lots of comments here proposing that Oracle is protecting its IP, but I don't see evidence for that in the article (maybe it's elsewhere, though).

I wonder if Oracle would send one of those reminders to a customer who analyzed an attack by an attacker who "broke the license agreement" by reversing the customer's copy of some Oracle software.
kuschku, almost 10 years ago

Did anyone notice that the post contains Microsoft Office Word metadata?

http://hastebin.com/daxiyaguma.html
ilaksh, almost 10 years ago

Reason #78,429 to join the I-hate-Oracle club: http://forums.thedailywtf.com/forums/17.aspx and https://what.thedailywtf.com/t/please-stop-poking-holes-in-our-cardboard-security/50505
golemotron, almost 10 years ago

> A. The customer signed the Oracle license agreement, and the consultant hired by the customer is thus bound by the customer's signed license agreement. Otherwise everyone would hire a consultant to say (legal terms follow) "Nanny, nanny boo boo, big bad consultant can do X even if the customer can't!"

Really? What if no money changes hands?
sada123, almost 10 years ago

That's why everybody sane should avoid using Oracle or Microsoft for the sake of mental health.
baseballmerpeak, almost 10 years ago

404 Error now

http://webcache.googleusercontent.com/search?q=cache:https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t
alediaferia, almost 10 years ago

The author must have been undergoing some bad moments so far. The post seems just the outcome of a more complex series of inputs. Most points are not valid from my own personal point of view but still may have been good points if written in a more objective way.

BTW, the post is gone.
patmcguire, almost 10 years ago

If you read what else she's written, static analysis is kind of her Moby Dick.
digi_owl, almost 10 years ago

Oracle seems to be like MS in that their reason for existing is that they came to be at the right time at the right place, and have pulled every trick in the book to pull up ladders behind themselves.
nosnos, almost 10 years ago

They took it down. Mirror?
hharnisch, almost 10 years ago

This appears to have been taken down, I'm directed to a 404 page.
dgarbvt, almost 10 years ago

Oracle took down the blog post. Link is now returning a 404.
joeyespo, almost 10 years ago

Doesn't antivirus software do static analysis?
mathiasrw, almost 10 years ago

Love security by obscurity
anentropic, almost 10 years ago

Also, she loathes Keynes :(
pronoiac, almost 10 years ago

It's been deleted. Here's a mirror: https://web.archive.org/web/20150811052336/https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t - and while it's full of cringeworthy analogies, such as breaking a contract is just like cheating on your spouse, there's also, well, "logic" that defies conventional wisdom:

Q. But one of the issues I found was an actual security vulnerability so that justifies reverse engineering, right?

A. Sigh. At the risk of being repetitive, no, it doesn't, just like you can't break into a house because someone left a window or door unlocked. I'd like to tell you that we run every tool ever developed against every line of code we ever wrote, but that's not true. We do require development teams (on premises, cloud and internal development organizations) to use security vulnerability-finding tools, we've had a significant uptick in tools usage over the last few years (our metrics show this) and we do track tools usage as part of Oracle Software Security Assurance program. We beat up – I mean, "require" – development teams to use tools because it is very much in our interests (and customers' interests) to find and fix problems earlier rather than later.

That said, no tool finds everything. No two tools find everything. We don't claim to find everything. That fact still doesn't justify a customer reverse engineering our code to attempt to find vulnerabilities, especially when the key to whether a suspected vulnerability is an actual vulnerability is the capability to analyze the actual source code, which – frankly – hardly any third party will be able to do, another reason not to accept random scan reports that resulted from reverse engineering at face value, as if we needed one.

Q. Hey, I've got an idea, why not do a bug bounty? Pay third parties to find this stuff!

A. <Bigger sigh.> Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn't secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers. (Small digression: I was busting my buttons today when I found out that a well-known security researcher in a particular area of technology reported a bunch of alleged security issues to us except – we had already found all of them and we were already working on or had fixes. Woo hoo!)

I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is "whack a code mole") when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues, and so on. This is one of those "full immersion baptism" or "sprinkle water over the forehead" issues – we will allow for different religious traditions and do it OUR way – and others can do it THEIR way. Pax vobiscum.
faragon, almost 10 years ago

Why? Is Oracle "sacred" or something?
imadfy, almost 10 years ago

http://ismaryanndavidsonfiredyet.com/
lawnchair_larry, almost 10 years ago

This explains so much about the sorry state of Oracle security. I hope Litchfield lets loose on them again.
beedogs, almost 10 years ago

404 now... looks like somebody's gotten word of it...
f00644, almost 10 years ago

FOUR OH FOUR, guess it's over....
agounaris, almost 10 years ago

I don't understand why everybody is mad about this post; Oracle has proprietary software that is bound by a license.

In that sense I don't see why people do not moan about having to pay rent because the tenancy contract that you signed says so...

Long story short, it's a right of a mostly SOFTWARE company to protect its software; open source is not always the solution, and reverse engineering something consumes way more energy than the problems it actually solves.