Oracle pulls CSO's BONKERS anti-bug bounty and infosec rant

Exec opens fire on reverse-engineering and more


Updated While other IT industry heavyweights have embraced bug bounties and working with security researchers more generally, Oracle has set its face in the opposite direction in a blog post likening reverse engineering to cheating on your spouse.

Mary Ann Davidson, Oracle's chief security officer (CSO), expressed corporate dislike from the software giant for both reverse engineers and bug bounties in a long blog post on Monday. The post was pulled on Tuesday lunchtime, but its contents remain available via the Internet Archive.

The tone of the post as a whole is reflected in Davidson's dismissive approach to bug bounties as a waste of money, at best, and naked hostility towards any attempt to reverse engineer Oracle's code.

"Bug bounties are the new boy band (nicely alliterative, no?)," Davidson wrote. "Many companies are screaming, fainting and throwing underwear at security researchers to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn't secure. Ah, well, we find 87 per cent of security vulnerabilities ourselves, security researchers find about 3 per cent and the rest are found by customers."

"I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is “whack a code mole”) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues, and so on."

This attitude is in marked contrast to the likes of Google, Microsoft and Facebook, who have all thrown their weight behind their corporate bug bounty programmes.

Davidson goes on to bemoan users looking for vulnerabilities in its code, arguing that they are breaking licensing agreements and that third-party consultants are also bound by them by extension.

It doesn't matter that criminal hackers and intel agencies do reverse engineer Oracle’s code to look for vulnerabilities, according to Oracle. Customers and their suppliers still need to toe the line, whatever their motives, and stick by licensing agreements.

"Oracle’s licence agreement exists to protect our intellectual property," Davidson wrote. "'Good motives' – and given the errata of third-party attempts to scan code the quotation marks are quite apropos – are not an acceptable excuse for violating an agreement willingly entered into. Any more than 'but everybody else is cheating on his or her spouse' is an acceptable excuse for violating 'forsaking all others' if you said it in front of witnesses."

Oracle's essential line is that everyone should stop reversing its code, respect its licensing agreement and trust its infosec assurance programme to fix problems that crop up rather than kicking the wheels and looking underneath the bonnet themselves.


Biting the hand that feeds IT © 1998–2022