Oracle Wants You to Stop Reverse-Engineering its Software

Or, ‘Stop finding vulnerabilities in our software, because it makes us feel bad.’

Oracle’s Chief Security Officer Mary Ann Davidson launched an astonishing – and now-deleted – attack on customers who dare to reverse-engineer the company’s software to find security holes, warning them that it’s a breach of the licensing agreement.

Davidson ranted:

“Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. < Insert big sigh here. > This is why I’ve been writing a lot of letters to customers that start with “hi, howzit, aloha” but end with “please comply with your license agreement and stop reverse engineering our code, already.”

You should let the professionals – y’know, the ones responsible for the security holes in the first place – deal with it, you naughty children! She continued:

“I can understand that in a world where it seems almost every day someone else had a data breach and lost umpteen gazillion records to unnamed intruders who may have been working at the behest of a hostile nation-state, people want to go the extra mile to secure their systems.

That said, you would think that before gearing up to run that extra mile, customers would already have ensured they’ve identified their critical systems, encrypted sensitive data, applied all relevant patches, be on a supported product release, use tools to ensure configurations are locked down — in short, the usual security hygiene — before they attempt to find zero day vulnerabilities in the products they are using.”

Oracle’s software boasts Common Criteria certifications or FIPS-140 certifications, so it’s safe, Davidson claims. And, if that’s not enough to stop you tinkering, Oracle will censure “sinners” who breach its software’s terms and conditions:

“If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, “static analysis of Oracle XXXXXX”), we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf — reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already.”

The meandering rant was later deleted, with Edward Screven, Executive Vice President and Chief Corporate Architect (which must be the best made-up title ever) saying:

“The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers.”

For those who would like to read Davidson’s diatribe in its full glory, one helpful “sinner” has posted it to Scribd.

Thank you ZDNet for providing us with this information.

Ashley Allen
