Yesterday, Oracle’s chief security officer Mary Ann Davidson uploaded a scathing blog post titled “No, You Really Can’t.” Oracle soon took the offending blog down, but the Webcache version is still visible at the time of writing.
In the blog, which is really quite extraordinary, Davidson repeatedly lambasts customers who reverse engineer Oracle code in order to find security vulnerabilities. Here are a couple choice sections from the blog:
Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it.
This is why I?ve been writing a lot of letters to customers that start with ?hi, howzit, aloha? but end with ?please comply with your license agreement and stop reverse engineering our code, already.? . . .
If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, ?static analysis of Oracle XXXXXX?), we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer?s behalf ? reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already. . . .
Now is a good time to reiterate that I?m not beating people up over this merely because of the license agreement. More like, ?I do not need you to analyze the code since we already do that, it?s our job to do that, we are pretty good at it, we can ? unlike a third party or a tool ? actually analyze the code to determine what?s happening and at any rate most of these tools have a close to 100% false positive rate so please do not waste our time on reporting little green men in our code.? I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying, and mutually-time wasting exercise.