
Oracle's chief security officer, Mary Ann Davidson, would really, really like it if the company's customers and independent security researchers would stop performing any kind of analysis on the company's code base. And she probably has a new mystery novel coming out soon!

In a now-deleted blog post, Davidson name-dropped her nom-de-plume as a mystery writer (she works in collaboration with her sister), before getting to the heart of the matter — she's just plain sick and tired of pesky customers who hire independent contractors or analysts to perform a code analysis of Oracle software, then have the gall to send those analyses to Oracle and claim there might be a problem. Thanks to the magic of Google and some annoyed researchers, her post remains available in various corners of the web.

In the post, Davidson acknowledges that the current state of Internet security is enough to make anyone paranoid, but then states that consumers should take every possible step to lock down every possible flaw before even considering performing a code analysis. She'd also like you to know that under the terms of the Oracle license agreement, you are explicitly forbidden from performing that analysis anyway, regardless of how important you think it is.

Oracle's arrangement.

The entire post is a masterful exercise in condescension to the same customers that pay her company huge licensing fees. Customer concern about zero-day exploits is dismissed as hyperventilating. According to Davidson, customers should be "talking to suppliers about their assurance programs or checking certifications for products for which there are Good Housekeeping seals for (or 'good code' seals) like Common Criteria certifications or FIPS-140 certifications." Actual inquiry is for chumps and license violators — real customers know that security is provided by a logo, a sticker, and a bit of glue.

Mary Ann Davidson. The title on the slide really makes this work.

The worst customers are the ones who use tools (or hire analysts to use tools) and then submit those reports to Oracle and ask for clarification over whether or not a detected flaw is actually real. Davidson correctly notes that scan reports aren't actually proof of a real problem, but if Oracle detects that a report was generated by reverse-engineering their code, "we ship a letter to the sinning client, and a different letter to the sinning consultant-acting-on-customer's behalf – reminding them of the terms of the Oracle license agreement that foreclose reverse engineering, So Please Stop It Already."

Sinning. A word generally defined as an immoral act considered to be a transgression against divine law. I'm no religious scholar, but I don't recall the Gospel According to EULA, in which Christ rails against security consultants and declares "Blessed are the naively trusting, for they shall not be hacked." Davidson hates code analysis, as she makes clear in other blog posts.

I'd just like to take a moment to remind everyone that Oracle — the company screaming "No, seriously, TRUST US," also maintains and continues to ship Java.

That is all.