Disclaimer: cross-posted from the original post, but the irony is absolutely beautiful and is a stern lesson to everyone who might think the same way as Oracle.
[1]> Oracle has told people to stop using @Veracode to test their AppSec. They already got AppSec covered [picture of JS injection attack in the blog post]
I work at a security company and sometimes reverse engineer systems and/or code to see if it is vulnerable to a plethora of attacks.
Presumably the only reason a closed source vendor would be against someone reversing their source is because they're afraid someone will steal their ideas and/or redistribute their code for free.
That not being my goal I really couldn't care less. I'll just go ahead and reverse whatever I want whenever I want. I value my security, and that of clients, over some legal piece of toilet-paper. Everyone who doesn't agree, should reconsider. Do you truly believe that people should not be allowed to look at code that is running on their systems for their security's sake? I will not redistribute what I learnt, but I will analyse it to see if it is safe.
If you didn't want me looking, you should not have put it out in the open.
I'm pretty sure there are a lot of enterprise software vendors who want their products to be inscrutable so that after you buy it you need to hire their consultants to tune it to perform acceptably for you. If you understand how it works, you might be able to stop being a part of those extra revenue streams.
> against someone reversing their source is because they're afraid someone will steal their ideas
I was once at a startup and another company in Texas released a product with identical typos as found in our object code.
Selling that software was how I got money to pay rent and buy food to put into my food-hole, so I'm going to feel a little more sympathy for people who want to stop others from reverse-engineering their stuff.
Reverse-engineering for personal inspection, and selling software with stolen code are two different things. The company in Texas you talk about was doing the latter.
> customers Should Not and Must Not reverse engineer our code. However, if there is an actual security vulnerability, we will fix it. We may not like how it was found but we aren’t going to ignore a real problem...We will also not provide credit in any advisories we might issue. You can’t really expect us to say “thank you for breaking the license agreement.”
Until I read this, I didn't think it was possible for me to hate Oracle more, because I'm forced to work with their software and that makes me already hate them quite a bit.
It's pretty trivial to break OracleSQL from a security standpoint. If and when you report a major issue, it'll be fixed in 2-3 years, and only the issue you outlined.
For example: I submit a bug concerning parsing, a UTF-8 backslash not working. Oracle will fix the bug for only that UTF-8 code point, and not all other UTF-8 code points that also cause the bug. It'll also take them 1-2 releases and they may not back port it.
This is almost certainly because the engineers in charge of fixing the bugs are judged solely on the number of tickets they clear, and they could give a crap about the quality of the product as a whole or about Oracle generally.
This is the reason that FOSS and being able to change the code yourself is so valuable. Nobody has time to wait 2 years for a fix. By the time the patch comes out, it will break all of the workaround code written to fix Oracle's bug in the first place.
If you're forced to use their software, and you disagree with their strong closed-source stance, you should share your views with whoever is doing the "forcing" (your employer?). If they don't listen, it's on them.
Oracle has a very specific, clear opinion on the matter and it is valid to have that opinion. I don't agree with them, but I respect that we're allowed to disagree. Instead of hating them, I just don't use any of their stuff if I can help it (except Java).
There's no need to be filled with hate over it. Change what you can change and don't worry about the rest.
How much of my private information, as kept by government or private organizations, are stored in Oracle databases that are less secure because of their boneheaded stance on this?
People have all sorts of reasons for choosing Oracle solutions. I am not in a position to influence all those people, even when their choices affect me directly.
Oh yes, I agree. That is why I think it makes sense to tell everyone you can about the issue. However, there is only so much anyone can do about it, and technically it isn't Oracle's fault that people won't listen, only the bugs/vulnerabilities in their products.
A crude example: Imagine you're a janitor. Your company only supplies you with buckets from Leaky Bucket, Inc. Their buckets always leak, creating more messes that you have to clean up. Sure, Leaky Bucket, Inc. needs to fix their bucket processes, but I'd be more angry at the company for continuing to use buckets from a shoddy manufacturer.
Why should you be angry? They are just being stupid. Being stupid is something humans do naturally. Choosing to rely on someone who is verifiably stupid (in your opinion) is significantly worse, I think, than the original stupidity.
edit: And by the way, the very first time you are forbidden from patching a bucket you could patch yourself should be the red flag that tells you to use different buckets. Move on to better things and encourage others to do so too.
I can understand the argument that I shouldn't be upset with my cat because he claws my feet under a blanket; it's his natural instinct.
I can't understand the argument that I shouldn't be upset with a human being because they're stupid, and make stupid decisions. Humans are capable of introspection, education, and change.
I don't think it's unreasonable to expect more of my fellow humans than of my cat.
It is totally fine to be frustrated by humans being stupid, but some humans really do have less cognitive abilities than others. In at least some of those cases it isn't their fault necessarily.
So, I'm just making the point that frustration makes sense, but hate probably doesn't. They certainly aren't intending to be stupid, but it is frustrating that we can't show them the error of their reasoning sometimes.
That being said, as a (forced) Oracle customer I have been and will continue to do everything in my power to migrate off of Oracle's eco-system. This ridiculously offensive post by their CSO is just more motivation.
I think that is a very reasonable course of action, and that is my point. Rather than complain about the no-reverse-engineering thing, you really should just move everything you can off of Oracle systems if you disagree with them on this.
"Stop using overzealous static analysis tools" is a fine point.
"Reverse engineering kills babies^Wmarriages and the contract says not to look closely at the software you paid for so you're a bad person" is a terrible point.
Sure, but what else could they say publicly? Of course the most reasonable thing would be not to say anything at all and work together with the credible sources and provide something better than a threatening legal letter.
Let's just hope the black hat hackers read this and comply so we can continue to have "safe" Oracle software.
Since Oracle has made it clear that they do not want to collaborate with third parties on their code, the most reasonable responses would be either 1) trust them and follow their agreement or 2) don't trust them and use a different solution (probably something open source or based on open source)
I thought using Oracle anything was like a doctor prescribing an expensive new drug instead of the trusted, tested and generic version for a free game of golf and lunch for the office.
I really only have experience with the RDBMS product but I'd say it's more like the doctor prescribing an expensive but highly effective drug for which there is no generic that is quite as good.
Oracle's database is very good. If you really need it, there is no substitute. But that said, kind of like a F1 race car, you probably don't need it (unless you own an F1 race team).
e.g. at my workplace, we're going through an Oracle->Postgres migration and it's WONDERFUL. Everything is much better now. Just from being able to have a clustered PG pair per app instead of a centralised expensive monster box.
Oracle's database is very good indeed: it takes data in, it gives it back, it does so very efficiently. But everything else about it is enough reason to look elsewhere.
> the points were well made, at least from the perspective of a closed source, enterprise software vendor
I understand the sarcasm, on the other hand it really confuses me that those points are mostly what makes closed-source unattractive and exactly what a closed source, enterprise software vendor would not want to discuss openly. At least that's what I thought before reading the article. I find it more likely that the blog was (maybe still is) compromised.
I'm really confused why everyone's so upset by the blog post, for a number of reasons.
Firstly, it's perfectly aligned with the world of proprietary software. Oracle is probably more protective than the other vendors, because the restricted access to the source code is at the heart of their business model. But none of the vendors I'm aware of is very keen on reverse engineering.
Secondly, reverse engineering has been prohibited for ages - it's not that it was added to the license agreement yesterday. And there are other restrictions (e.g. on publishing benchmark results), so rather than "Oracle is bad" I'd say "people who sign/accept license agreements without reading them are morons."
And thirdly, the article is spot-on about the usefulness of the reports generated from a reverse-engineered binary. I've seen shitloads of such reports, usually generated by some clueless consultant with the sole competence to run an automated tool and print the result. So it's probably (at least partially) a protection against flooding the support with bullshit reports.
And it's also true that many of the companies don't have proper security rules (like encryption, identity or password management, network security) yet pay some consultant for reverse engineering one of the components. Because it's easier to spend a large amount of money than evaluating and rebuilding their infrastructure.
So while I dislike Oracle, you can't blame them for everything - the customers are the ones choosing the vendor. If you happily accept their license agreement, you can't later complain "but we want to do reverse-engineering" no matter how many MBA titles you have. If you want such freedoms, ditch Oracle and proprietary vendors in general. That's what open-source is for.
Yeah, I don't think this is really about anyone being surprised by anything they read in that post. It's more... what's a good analogy... like someone wrote a long post about the ethics and social conventions of pay phone use ten years after it became clear there would no longer be any pay phones. It's partly enjoyment of a spectacle, and partly pity, because it's so painfully clear how disconnected they are internally from what is actually happening in the world.
My team and I write custom solutions for energy companies, car companies, municipalities, military, and other big enterprises.
None of them have given a full minute's consideration to using OSS. 90% of them use only Oracle for their data layers. Their market is in no way dead.
"It is not considered infringement of the copyright in a work referred to in Article 10, first paragraph, under 12°, if a copy is made of that work and the code is translated, in the case that these acts are indispensable to obtain the information which is necessary in order to achieve the interoperability of an independently manufactured computer program with other computer programs, provided that:
a. these acts are performed by a person who has gained access to a lawfully obtained copy of the computer program or by a third person authorized by him;
b. the data that are necessary in order to achieve the interoperability are not already quickly and readily available to the persons referred to in point a;
c. these operations are confined to the parts of the original computer program which are necessary to achieve interoperability."
"Unless otherwise agreed, it is not considered an infringement of the copyright in a work referred to in Article 10, first paragraph, under 12°, to reproduce the work by a lawful acquirer of the aforementioned work in accordance with its intended use. The reproduction referred to in the first sentence, which takes place in the context of starting up, visualizing something, or correcting errors, cannot be prohibited by contract."
That correcting errors by the customer cannot be prohibited by an EULA is something Oracle probably won't like. :-)
Every programmer (myself included) who has had to discard bullshit reports about vulnerabilities agrees with the main idea -- that these things should be treated carefully, many of them are false positives and they may be borderline illegal, too.
The correct way to treat these reports is to review them (after all, who knows...) and try to educate those customers who send you bogus reports: explain why they're bogus, why reverse engineering doesn't usually provide good leads, explain them what easier steps they can take for additional security, and maybe remind them about that EULA. This can be done on an individual basis, politely, and Oracle, who seems to employ half the salespeople in this world, certainly has the resources to do so. If they can call me every two months to remind me about their great offers, they can write the standard answer that almost every such report warrants.
But no, instead they chose to dump a load of shit in the form of this blogpost:
1. It's written in the kind of condescending tone that makes you want to punch your interlocutor in the face. Such as: "That said, you would think that before gearing up to run that extra mile, customers would already have ensured they’ve identified their critical systems, encrypted sensitive data, applied all relevant patches, be on a supported product release, use tools to ensure configurations are locked down – in short, the usual security hygiene – before they attempt to find zero day vulnerabilities in the products they are using." Surprise, surprise: a lot of people who start reverse-engineering binaries are either a) extremely security-conscious people, who, yes, already do those things, or b) extremely good programmers who work for people who -- again -- already do those things! There are exceptions, of course, but assuming that everyone who submits such a report is one of those imbeciles who dreams of Matrix hackers but runs a company where no computer has an antivirus installed is naive.
Or: "there are a lot of things a customer can do like, gosh, actually talking to suppliers about their assurance programs etc.". This sort of crap belongs on a cocky teenager's blog, not on a serious company's website.
2. It's all the more insulting to whine about it when the subtle message you're trying to convey is that zero-day threats aren't that big a deal: "And in fact, there are a lot of data breaches that would be prevented by doing all that stuff, as unsexy as it is, instead of hyperventilating that the Big Bad Advanced Persistent Threat using a zero-day is out to get me!". Yes, it's no problem to state this when you're some random blogger. It is a problem to state this when you're CSO of the company famous for producing the one plugin that's recommended to be disabled by default.
3. Because the argument about the license agreement is childish. After explaining in detail how, even if you were right, you're getting a threatening letter about the license agreement, a requirement to destroy all proof of reverse engineering and so on, she goes on to throw this gem:
"The main reason is that, when I see a spike in X, I try to get ahead of it. I don’t want more rounds of “you broke the license agreement,” “no, we didn’t,” yes, you did,” “no, we didn’t.” I’d rather spend my time, and my team’s time, working on helping development improve our code than argue with people about where the license agreement lines are. "
Well how about skipping that debate and fixing your fucking code, eh?
To put it in the same line as her argument, there are a lot of things Oracle can do in order to reduce the amount of false positives they get, such as fixing their disastrous security track record, improving their communication with the security community (no, blog posts like these don't count as communication for the same reason why hanging out a "fuck you" banner outside your office doesn't exactly count as better communicating with your colleagues, either) and so on. If people had better reasons to trust Oracle, there would be a lot less effort of this kind, too.
4. The analogies being used are demeaning to anyone who doesn't work in sales. Like this:
> Q. But one of the issues I found was an actual security vulnerability so that justifies reverse engineering, right?
> A. Sigh. At the risk of being repetitive, no, it doesn’t, just like you can’t break into a house because someone left a window or door unlocked.
Someone missed their first tech evangelism class, where they use that analogy for exploiting, not reporting vulnerabilities.
Is it also wrong to call someone and tell them they left their door unlocked because their dog ran into it and it opened?
The whole thing reads like "you guys are like the worst customers ever. We're smarter than you, we have lawyers and we knowz securitiez. Now shut the fuck up."
Sure, carefully reviewing all the reports would be ideal, but it also means you'll need many employees to do that. And I don't really see why Oracle should be responsible for educating customers about basic security practices.
I do agree with you that the blog post seems written in a bit condescending way (it's difficult for me to judge, as I'm not a native speaker).
And I do agree that some of the arguments are misleading - the fact that many breaches are caused by lack of basic security practices does not make zero-days insignificant. And the "assurance programs" guarantee nothing if you fix the issues poorly (nice example from DEFCON 22: https://defcon.org/html/defcon-22/dc-22-speakers.html#Litchf...).
What I personally find the funniest about the whole "reverse engineering prohibited" clause is that the bad guys don't give a shit - they'll reverse engineer it anyway, because no one will find out. So the only "victim" is the customer who accepted the licensing agreement, and it does not matter if the purpose was to lower the number of reports or protect the source code.
But I'm still astonished people are surprised by the stupidity of Oracle licensing terms. Bullshit like that blog post is actually one of the main reasons why I stopped working with Oracle products and went full open-source.
> Sure, carefully reviewing all the reports would be ideal, but it also means you'll need many employees to do that. And I don't really see why Oracle should be responsible for educating customers about basic security practices.
Because if they don't, stuff like this happens: they get blamed for any trivial data breach that happened through some of their programs -- even if the problem wasn't that it sucked, it was that the password was admin123.
It's not glamorous and we can all agree that, as long as we're talking about responsible users, it shouldn't be Oracle's job to do this kind of education. However, exploiting users' ignorance is an integral part of their business model; they're consciously targeting them -- it's up to them to deal with all the consequences that brings.
I agree. I think (or at least hope!) that the juvenile style is rubbing a lot of people the wrong way, and thus inspiring them to be less charitable to the content than they otherwise might be.
Until I clicked this link, it didn't occur to me that this blog post was only posted and then deleted in the last couple of hours.
My original thought was: "What an interesting artifact! So much has changed in recent years since open source databases have become a viable alternative to Oracle."
This is quite relevant in other spheres as well (racism, inequality, genocide). It's natural to create a bubble around us to keep the negativity at bay. But reality sometimes pops that bubble. It's always surprising how many have to interact with them for one reason or another.
I believe it was resubmitted because Oracle deleted it, and because it was so mustache-twirlingly out of touch that it could have been from the Hacker News Onion.
We sold you the car but don't you dare look under the hood, 97% of problems that these cars come with may one day be solved by us. Someone else may be trying to build the same car you already purchased from us! Why didn't we obfuscate access to the engine? Well that would have required some of the same effort it would have taken to write more secure software err make better cars in the first place! What do you take us for, competent!
I'm just waiting for the day some physical product manufacturer has the chutzpah to try to apply the "licensed, not sold" paradigm to a tangible product.
You mean like an electric car which you can only "buy" with a rental contract for the batteries? One which comes with DRM that allows the manufacturer to remotely stop you from charging your car as they see fit? [1]
Or perhaps the smartphone you "bought", which tracks everywhere you go and doesn't allow you to install your own software.
As proprietary software with DRM invades deeper into our daily lives by becoming part of all the appliances and tools we use, we will no longer have the freedom to use "our" products as we see fit.
Well, no, not really. I mean, I'm sure some small farmers do care, but they're a vocal minority in the same way people posting on Hacker News about various computer-related ills most people are unconcerned about are a vocal minority.
> Oh, and we require customers/consultants to destroy the results of such reverse engineering and confirm they have done so.
Are they being serious? "Uhm, yeah, sure, Mr. CSO, I deleted the file. Here, I'll show you a screenshot of a terminal where I ran the 'rm' command to delete the results. As you can clearly see, the 'ls' command does not see the files anymore."
Not "prove". "Confirm". If you ask somebody to do something, they might do it, or they might not, whether out of passive malice or carelessness. Saying you have done something which you haven't done requires active malice, which is much less common.
Many large organizations log shell commands for audits. Those logs can be stored offsite by a third party to prevent alteration. See, for instance, the Goldman Sachs programmer arrested for stealing code. If the consulting group is professional, it will take these things seriously.
Why did this article just disappear off of the front page after receiving 318 up-votes in 2 hours?
How does a post drop from position #1 to somewhere below #150 in less than 1 minute, unless it was deleted by HN moderators, and if that's the case, why did it happen?
It means that an HN moderator squashed its appearance on the top list. Why? They felt it wasn't constructive perhaps, considering the other thread against the original article is still live.
Why not squash the other thread, since the link was dead and this one isn't? This appears to be blatant censoring of something that the majority of HN participants wanted to read and comment on.
Disclaimer: cross-posted from the original HN Post, but still relevant.
Apart from the legal stuff and a lot of egocentric 'we can do it better', she has one point. There are many companies spending a lot of money on security, manually scrubbing all exploits that come out, creating their own patches, while some lack the basic security guidelines. I think this money can be better spent upstream, to create tools so they can test patches for exploits better and create a faster security update release pipeline, so that all downstream and customers can rely on the security releases and they can be released quicker to everyone. (Controversial: maybe even adding automatic security updates to the package itself, like WordPress did, so that customers cannot be on a release with exploits)
Though saying to your client that they cannot reverse engineer to look for security problems is totally not done! What is next? "Exploits will not be fixed, because the users have signed an agreement that they will not hack?"
Honest question: So I'm hired as a consultant. Someone gives me a database login to an Oracle machine. I haven't been presented with a license agreement for the Oracle database system, nor have I signed anything indicating I agreed to give reverse engineering rights away. How am I bound by the Oracle end user license agreement?
IMHO you are not. People from your company who weren't making you read the EULA and promise to comply with it (in writing) will be responsible for your behaviour that breaks the EULA.
It's more like selling someone a meal in a restaurant, and refusing to let them see the kitchen. You can, if you are skilled, infer how the ingredients became your meal, but you won't ever know if it was done in a clean and safe way unless you can look at the environment where it was created. You could hire an investigator to figure this out, but there is a good chance that they know that there is more money in bad news than good. So they take photos of the dirtiest 'chef' who turns out to be the dishwasher, and show you the pictures of deliveries from Walmart, but choose not to show you the pictures of the chef getting up at 4am after finishing at 1am to drive to the fish market to hand pick the best of the catch.
I understand the risks of eating in places with closed kitchens, but ultimately they make better food than I can, that requires less of my time. It may be more expensive for unjustifiable reasons, and maybe I don't want to know how the black pudding is made, I just want to focus on what is important to me: making my wife happy.
Do I prefer to eat in restaurants with open kitchens, where the ingredient list and their source is available on demand? Sure. Am I a zealot about it..? It depends how hungry I am.
> It's more like selling someone a meal in a restaurant, and refusing to let them see the kitchen.
I don't see it that way.
The kitchen is like a development area. By looking at just the program code (not source or anything), I'm not stepping into Oracle's engineering labs or "cubicle land"---their kitchen, so to speak. I'm rather doing the equivalent of cutting into the meat pie on my plate and guessing the ingredients.
If I figure out what is in it and how it was prepared, I'm free to make that at home, or even serve it to the public in my own restaurant.
"Do not reverse engineer" is like "eat this meat loaf with your eyes closed, and do not share any hypotheses about what is in it or how it was made with anyone else".
> open kitchens, where the ingredient list and their source is available on demand?
That sounds like an analogy to open source, which is a different topic from license agreements in proprietary software against reverse engineering.
I'm saying that if you sell me some writing, I have a right to read it. Just because that writing was written for an ARM CPU doesn't mean I'm doing anything wrong by reading it anyway.
If you don't want people to know how a piece of language is interpreted to evoke its meaning, then don't sell it. Use it in-house or run it on a server and have clients to connect to it.
Given that Oracle was literally hiring fresh out of liberal arts college humanities majors with no tech (or management) experience ever and paying them six figures as project managers on Cover Oregon, as late as the integration stage the January before they scrubbed it, I wouldn't be surprised.
The crux of the article is that Oracle is getting so many unsolicited false positive security threat vulnerabilities that it's a distraction to their core business. They don't want "I found a hole in Oracle" to be an achievement like "I have my name on a patent."
Investigating security vulnerabilities takes a lot of time; and it's very easy to quickly get overwhelmed by false positives. I've seen quite a few analyses of code that I write; and most of them are warnings with no context or exploitability.
If every customer expected an engineer to respond to these, my team would spend all of its time in a "PR role," and wouldn't spend any time improving our products.
Well, except that, like most enterprise software customers, these customers pay Oracle huge sums of money in the form of support contracts specifically so they could have access to an engineering team. I could understand the argument if this wasn't the case, but a big part of enterprise agreements is this very thing, so I'm not very sympathetic to the argument that such a support ticket, which these companies paid a lot of money for, essentially is treated like a second class citizen because of the way the company decided to do security testing. If this support agreement weren't in place? Sure. I could easily see this argument.
I don't agree, we are talking luxury software here. Oracle systems and contracts are the most expensive on the market, you should not feel any guilt for any contact with their gold plated support, and you could almost expect them to run warning free in most analysers, like you expect a Ferrari comes without any blemish in the paint, albeit it's a freaking car and the paint is not functional.
> I was busting my buttons today when I found out that a well-known security researcher in a particular area of technology reported a bunch of alleged security issues to us except – we had already found all of them and we were already working on or had fixes. Woo hoo!
That's like what 5-year-old kids say when their mom asks them something.. "Mooom I was already thinking about it! Hush!"
breaking and entering. v., n. entering a residence or other enclosed property through the slightest amount of force (even pushing open a door), without authorization. If there is intent to commit a crime, this is burglary.
No, breaking refers to the act of crossing the threshold. Some states may not even have breaking and entering on their books. Trespassing is where you violate signage or warning; verbal or written.
"People often confuse "breaking" with some overt act used to gain entry, like kicking in or prying open a door or window. But as Tiger noted, "breaking" refers to the violation of the "plane" which constitutes the natural boundary of things like walls, doorways, or window openings - so even reaching THROUGH a threshold or imaginary "plane", such as an open window where the natural continuation of the wall (or even car door) would constitute the plane broken by the reaching."
Actually it would be quite interesting to read about how the Web Archive accomplishes things like this.. Do they regularly scan news sites for new articles?
There is a self-archive tool on archive.org that allows anyone to immediately archive a specific page of interest. Journalists and watchdogs use it on pages they feel might disappear. It can be considered more legitimate than a screen capture, as archive.org is a third party.
Someone might have used that here.
You can also request that the Web Archive fetch a URL from their homepage: https://archive.org/web/ ("Save Page Now" in the bottom right). I triggered the 7:09 copy this way; whether or not the other four fetches yesterday were also manual, I don't know.
I know if there's a controversial post that gets a lot of visibility, the IA staff takes a snapshot. They're useful in times like this where content is edited or deleted.
Why put a ton of whitespace between paragraphs if the text is so small and line spacing so narrow as to make my eyes force-evolve mouths just to let out a scream?
Great, but before people submit they should consider whether or not the page they are submitting is legible. If I handed you a printed manuscript that was hard to read would you persevere or hand it back to me?