One thing that did not make news on its own merit was the recent blog post from the Chief Security Officer at Oracle titled, "No, You Really Can't". What DID make news was the fact that the blog post was a nearly 3,000 word diatribe, pissing and moaning about people (customers, security researchers, consultants, etc.) using tools to discover and report vulnerabilities in Oracle's code to Oracle. As a security professional myself, I definitely sympathize with Mary Davidson on the frustrations of endless bug-fixing - particularly when these bugs aren't even the ones you already knew about and were actively trying to fix.
I get that.
The tack she chooses to take is to hide behind the Oracle license agreement. She boils the entire problem - and her primary point of contention - down to: "A customer is almost certainly violating the license agreement by using a tool [to analyze Oracle's code]." She repeats this statement about 20 times throughout the post. The readers of Oracle's official blog are probably not your typical Reader's Digest audience, so I am certain that anyone who intentionally has the official Oracle blog on their reading list can grasp points without this level of repetition.
She then draws a correlation between this activity and violating the sanctity of marriage. Seems like a bit of a stretch to me. In particular because those people who are discovering these vulnerabilities and reporting them to Oracle without requesting compensation in return are not reporting them to state-funded criminal organizations or hacktivist groups. In fact, the people not reporting these discoveries to Oracle are probably making tens of thousands of dollars per vulnerability.
Perhaps instead of ranting incessantly against people who are (possibly?) trying to help, a better angle to take is to demonstrate a bit of appreciation first, and then gently remind them (once) that, unlike with open-source software, performing this sort of analysis on Oracle's code is a violation of their agreement. If she wanted to be especially progressive about it, she could even establish a program whereby people can register to participate in bug detection in an Oracle-provided and controlled manner.
Companies should remember that a little bit of goodwill is all it sometimes takes to keep customers happy - and happy customers don't report bugs to criminal organizations.
Oracle has since rescinded the post because it "does not reflect our beliefs or our relationship with our customer." Maybe Ms. Davidson is just overdue for a relaxing vacation.
Link to a copy of the original blog post before it was removed:
http://www.scribd.com/doc/274176394/No-You-Really-Can-t-Mary-Ann-Davidson-Blog