Oracle's CSO demands an end to customers checking Oracle products for defects
Oracle Chief Security Officer Mary Ann Davidson's deleted post on the company blog was called "No, You Really Can't," and it demanded that Oracle's customers respect the company's outlandish license-agreement terms, and stop checking to see whether the products Oracle sold them were defective.

Davidson has a long history of belittling security research (she calls security researchers "security weenies"). As an alternative to independently testing Oracle's products before trusting them, Davidson recommends that Oracle's customers should simply ask the company to reassure them that they've got "Good Housekeeping seals for (or 'good code' seals)" and FIPS-140 certifications.

She called the bug reports that customers generate "a pile of steaming…FUD." Continuing, she wrote "the Oracle license agreement … preclude[s] reverse engineering, So Please Stop It Already… Oh, and we require customers/consultants to destroy the results of such reverse engineering and confirm they have done so."

The post was up for less than a day before it was unceremoniously deleted. But there are still other missives about meddling customers and those pesky security researchers from Davidson on Oracle's blog, including "Those Who Can't Do, Audit" and "Is Your Shellshocked Poodle Freaked Over Heartbleed?", in which she refers to security professionals as "security weenies" and describes the security research process thusly:

Here's how it works. A researcher first finds [a] vulnerability in a widely-used library: the more widely-used, the better, since nobody cares about a vulnerability in Digital Buggy Whip version 1.0 that is, like, so two decades ago and hardly anybody uses. OpenSSL has been a popular target, because it is very widely used so you get researcher bragging rights and lots of free PR for finding another problem in it. Next, the researcher comes up with a catchy name. You get extra points for it being an acronym for the nature of the vulnerability, such as SUCKS—Security Undermining of Critical Key Systems. Then, you put up a website (more points for cute animated creature dancing around and singing the SUCKS song). Add links so visitors can Order the T-shirt, Download the App, and Get a Free Bumper Sticker! Get a hash tag. Develop a Facebook page and ask your friends to Like your vulnerability. (I might be exaggerating, but not by much.) Now, sit back and wait for the uninformed public to regurgitate the headlines about "New Vulnerability SUCKS!" If you are a security researcher who dreamed up all the above, start planning your speaking engagements on how the world as we know it will end, because (wait for it), "Everything SUCKS."

Oracle security chief to customers: Stop checking our code for vulnerabilities [Sean Gallagher/Ars Technica]

In the event that any attorneys at Oracle are reading this post, please let me remind them:

READ CAREFULLY. By reading this blog post, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.