Oracle Wants You to Stop Reverse-Engineering its Software




/ 9 years ago


Or, ‘Stop finding vulnerabilities in our software, because it makes us feel bad.’

Oracle’s Chief Security Officer Mary Ann Davidson launched an astonishing – and now-deleted – attack on customers who dare to reverse-engineer the company’s software to find security holes, warning them that it’s a breach of the licensing agreement.

Davidson ranted:

“Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. < Insert big sigh here. > This is why I’ve been writing a lot of letters to customers that start with “hi, howzit, aloha” but end with “please comply with your license agreement and stop reverse engineering our code, already.”

You should let the professionals – y’know, the ones responsible for the security holes in the first place – deal with it, you naughty children! She continued:

“I can understand that in a world where it seems almost every day someone else had a data breach and lost umpteen gazillion records to unnamed intruders who may have been working at the behest of a hostile nation-state, people want to go the extra mile to secure their systems.

That said, you would think that before gearing up to run that extra mile, customers would already have ensured they’ve identified their critical systems, encrypted sensitive data, applied all relevant patches, be on a supported product release, use tools to ensure configurations are locked down — in short, the usual security hygiene — before they attempt to find zero day vulnerabilities in the products they are using.”

Oracle’s software boasts Common Criteria certifications or FIPS-140 certifications, so it’s safe, Davidson claims. And, if that’s not enough to stop you tinkering, Oracle will censure “sinners” who breach its software’s terms and conditions:

“If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, “static analysis of Oracle XXXXXX”), we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf — reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already.”

The meandering rant was later deleted, with Edward Screven, Executive Vice President and Chief Corporate Architect (which must be the best made-up title ever), saying:

“The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers.”

For those who would like to read Davidson’s diatribe in its full glory, one helpful “sinner” has posted it to Scribd.

Thank you ZDNet for providing us with this information.

