This is an ... amazing piece. This Oracle executive (read: someone who is high up enough that their words won't be edited) seriously thought this made Oracle look competent and trustworthy:
https://blogs.oracle.com/maryanndavidson/entry/those_who_can_t_do
It's one of the finest marketing posts for Postgres, and for free software in general, that I can recall this year. It really makes the point, and I suggest circulating it widely.
(My day job is in the midst of an Oracle->Postgres migration. It's going *really well*. If you're stuck somewhere that's on Oracle, show them this post, explain the serious security and competence concerns it raises, and get moving to Postgres. One of the nicest things about it: we give every app its own cluster of two PG boxes, because you have the freedom to just do that instead of running a centralised monster box with an expensive license. It turns out that just everything not having to play nice with others makes stuff stupendously easier to manage. And that's entirely before the benefits of approachable developers and viewable code.)
- d.
It's apparently 404ing for at least some people. Archive copy: https://web.archive.org/web/20150811052336/https://blogs.oracle.com/maryannd...
On 11 August 2015 at 10:51, David Gerard dgerard@gmail.com wrote:
This is an ... amazing piece. This Oracle executive (read: someone who is high up enough that their words won't be edited) seriously thought this made Oracle look competent and trustworthy:
https://blogs.oracle.com/maryanndavidson/entry/those_who_can_t_do
It's one of the finest marketing posts for Postgres, and for free software in general, that I can recall this year. It really makes the point, and I suggest circulating it widely.
(My day job is in the midst of an Oracle->Postgres migration. It's going *really well*. If you're stuck somewhere that's on Oracle, show them this post, explain the serious security and competence concerns it raises, and get moving to Postgres. One of the nicest things about it: we give every app its own cluster of two PG boxes, because you have the freedom to just do that instead of running a centralised monster box with an expensive license. It turns out that just everything not having to play nice with others makes stuff stupendously easier to manage. And that's entirely before the benefits of approachable developers and viewable code.)
- d.
On Tuesday 11. August 2015 14.27.16 David Gerard wrote:
It's apparently 404ing for at least some people. Archive copy:
https://web.archive.org/web/20150811052336/https://blogs.oracle.com/maryannd...
Great stuff: damage limitation in action; damage already done!
On 11 August 2015 at 10:51, David Gerard dgerard@gmail.com wrote:
This is an ... amazing piece. This Oracle executive (read: someone who is high up enough that their words won't be edited) seriously thought this made Oracle look competent and trustworthy:
https://blogs.oracle.com/maryanndavidson/entry/those_who_can_t_do
It's one of the finest marketing posts for Postgres, and for free software in general, that I can recall this year. It really makes the point, and I suggest circulating it widely.
It certainly is one of the finest marketing posts for Free Software: the proprietary vendor keeping its customers powerless and even threatening them with lawsuits for doing things on their own computers.
It doesn't help that this comes from someone at the company who brought you scott/tiger and a variety of unsecured services well into the modern Internet age.
(My day job is in the midst of an Oracle->Postgres migration. It's going *really well*. If you're stuck somewhere that's on Oracle, show them this post, explain the serious security and competence concerns it raises, and get moving to Postgres. One of the nicest things about it: we give every app its own cluster of two PG boxes, because you have the freedom to just do that instead of running a centralised monster box with an expensive license. It turns out that just everything not having to play nice with others makes stuff stupendously easier to manage. And that's entirely before the benefits of approachable developers and viewable code.)
It saddens me that even today people talk about how many licences they have acquired and the exciting things that they intend to do with them - maybe set up a virtual machine or two! - when all that per-machine, per-CPU, per- whatever licensing are just the strings on the puppet, where the puppet is the customer who gladly dances to the vendor's tune.
(And I agree with you about PostgreSQL. I've done reasonably big data and it did the job just fine. I've used Oracle in the thankfully increasingly distant past, and all the time it was "don't hit the database" which even in read-only form could not somehow be replicated (probably because of the licence fee situation) and where the database administrator could frequently be heard cursing Oracle and smashing his keyboard against his desk. I've worked on a project where Oracle offered something but where the local representative admitted that you wouldn't want to build a product on that feature because it could easily go away (which I believe it did), and on another where the success of that project was predicated on some feature that may still exist today, but where the project struggled to make it work (perhaps because it didn't throw enough hardware at the problem, as Oracle seems to demand). Oracle should be to database systems what Sun was to hardware once the dot-com bubble burst and people realised that the equipment they needed to buy didn't have to be an expensive aspirational statement about what their enterprise was supposedly going to achieve.)
Paul
This is an ... amazing piece. This Oracle executive (read: someone who is high up enough that their words won't be edited) seriously thought this made Oracle look competent and trustworthy:
https://blogs.oracle.com/maryanndavidson/entry/those_who_can_t_do
I'm sorry, I don't get the point of it. And your point, either.
It's one of the finest marketing posts for Postgres, and for free software in general,
Really? If security experts can laugh and claim they are incompetent (with no audience following), other people will just stop reading after 2 paragraphs. If it wasn't *you* suggesting the read, I would have done the same.
The thing is so long, boring and pointless that I don't think anybody will read it completely. And those who do will soon repent and forget it all with no effort.
And yes, "This Oracle executive seriously thought this made Oracle look competent and trustworthy". Just like when Microsoft was the only monopoly and they claimed: "yes we care about security: 5000 of our programmers are going to attend security courses". They *did* look competent and trustworthy (unlike this time). We laughed. The three of us. And that's it.
But most likely I didn't get the point about this post. Can you please expand?
I suggest circulating it widely.
I sent it to the oracle slaves I know (the ones that want to get free), but with the caveat that I didn't know why I forwarded the link.
thanks /alessandro
On 11 August 2015 at 20:00, Alessandro Rubini rubini@gnudd.com wrote:
But most likely I didn't get the point about this post. Can you please expand?
Hmm, you're the only person so far I know of who hasn't reacted in shock.
* The attitude of security by obscurity, as if telling your customers "don't look!" stops the black hats for a second.
* Don't look for security holes in Oracle, it's a violation of your license.
* If you find security holes, don't tell us, it's a violation of your license to have looked and we will send a legal notice telling you to throw away the information.
* It is true that someone found a pile of actual security holes, but we were totally going to fix them, honest! Some time or other.
* The tone of contempt for the customer, daring to look and ascertain their own security risk.
This is precisely why we need software freedom.
As a sysadmin, I was shocked that a vendor with a high-quality free software alternative would write something like this that makes them look *utterly incompetent* in the field of security.
Reactions on Hacker News:
https://news.ycombinator.com/item?id=10039202 https://news.ycombinator.com/item?id=10040428
Someone immediately found an XSS on Oracle's site: https://twitter.com/thegrugq/status/631056841670135808
Oracle's database software is very good indeed - it gives your data back reliably and with fantastic performance. The problem is literally every other aspect of dealing with Oracle ...
- d.
On 11 August 2015 at 20:10, David Gerard dgerard@gmail.com wrote:
As a sysadmin, I was shocked that a vendor with a high-quality free software alternative would write something like this that makes them look *utterly incompetent* in the field of security.
I mean "a vendor to whom there is a high-quality free software alternative".
- d.
Hmm, you're the only person so far I know of who hasn't reacted in shock.
Then you are lucky, because your acquaintance is smart and competent.
- The attitude of security by obscurity, as if telling your customers
"don't look!" stops the black hats for a second.
This I noted. Do you think normal people will? As I said, security experts can laugh at their incompetence. But this is perfectly normal for normal users. I agree this is not a good advertisement for them (unlike the "we'll send people to learn" I referred to), but it's not hitting back either. Who knows better is already not an Oracle fan.
- Don't look for security holes in Oracle, it's a violation of your license.
- If you find security holes, don't tell us, it's a violation of your
license to have looked and we will send a legal notice telling you to throw away the information.
These I didn't notice (too long a post to read carefully). Thanks for noting.
- It is true that someone found a pile of actual security holes, but
we were totally going to fix them, honest! Some time or other.
I noticed. It's like above.
- The tone of contempt for the customer, daring to look and ascertain
their own security risk.
Again, my fault I didn't notice.
This is precisely why we need software freedom.
Yes. But these arguments are hard to make, and hard to convey to the public.
Reactions on Hacker News:
https://news.ycombinator.com/item?id=10039202 https://news.ycombinator.com/item?id=10040428
Hacker chats. I can't show these pages around and make people consider my point about software freedom.
So this is a good blog post to keep referencing when we talk to technical people, although even there I fear it will only convert the converted. We may make a press release (I know somebody who might), but it risks acting as an advertisement for them.
I fear we need stronger arguments to escape the Oracle trap.
Thank you, David, I appreciate your quote and explanation, but my feeling is always like "we have all the arguments to win at large, but we miss a way to reach the general public".
How can we exploit the awful naivety and misbehaving of the proprietary world?
A mate making PCB designs was complaining about my choice of using KiCad and nothing proprietary, because I'm slower in doing this and that... but today he was lamenting his finances, disclosing how much he's mandated to pay for the PCB tool *each year* even if it's a bad period, work-wise -- and most likely he'd lose all of his own work as soon as he stops paying. But he didn't get the point (not yet, let me work on him, but I've very few chances I fear).
Now, how can we make KiCad (or gEDA) better and free these inventive and proficient people from the risk of bankrupting? Not by showing security naivety in their tool's vendor, I'm sure.
And, dear proprietary vendor: I know you read me, I'm not that naive. *We* all know you read us, as we are not naive. We just refrain from posting when it makes sense to, and we use GPG, even.
On 11 August 2015 at 20:41, Alessandro Rubini rubini@gnudd.com wrote:
Yes. But these arguments are hard to make, and hard to convey to the public. Hacker chats. I can't show these pages around and make people consider my point about software freedom.
You're right, we need a helpful response.
It's started hitting the news. Page two of the Register story details the problem in a manner that may be helpful: http://www.theregister.co.uk/2015/08/11/oracle_anti_security_research_rant/?...
These stories comment on the blog post and the problems with it: http://www.zdnet.com/article/oracle-to-sinner-customers-reverse-engineering-... http://thenextweb.com/opinion/2015/08/11/oracle-drinking-the-kool-aid/ http://www.channelweb.co.uk/crn-uk/news/2421524/oracle-blasted-over-reverse-...
There was also a lot of other coverage, mostly just noting with amazement that the post exists and is real.
Hope this is useful :-)
- d.
On Tue, 2015-08-11 at 21:41 +0200, Alessandro Rubini wrote:
Hmm, you're the only person so far I know of who hasn't reacted in shock.
Then you are lucky, because your acquaintance is smart and competent.
- The attitude of security by obscurity, as if telling your
customers "don't look!" stops the black hats for a second.
This I noted. Do you think normal people will?
The target customer of Oracle is not "normal" people, it is sysadmins and in general IT folks. Sure there are various levels of competence there too, but I would think that most competent admins will balk at such a post. I do not think many will find it really surprising, but it may be eye-opening for some.
As I said, security experts can laugh at their incompetence. But this is perfectly normal for normal users. I agree this is not a good advertisement for them (unlike the "we'll send people to learn" I referred to), but it's not hitting back either. Who knows better is already not an Oracle fan.
Not being a fan is not enough, you also need some silver bullets to kill the beast in some companies where sysadmins/security officers can't call the shots.
Simo.
* David Gerard:
Hmm, you're the only person so far I know of who hasn't reacted in shock.
The blog post is pretty reasonable if you combine the Oracle mindset with the things that some people report as vulnerabilities. I totally get why she just wants to Make It Stop (because of those reports), and the way she picks contracts/licenses (because of Oracle).
That being said, it's a bit odd that Oracle (of all companies) apparently allows blog posts without review. I can't believe something like that wouldn't have been caught during a review process.
Regarding the contracts/licenses thing, I am pretty much fed up with the blatant disregard of applicable laws and regulations by much of the security industry. Some of the law-breaking is unavoidable. For example, as an antivirus vendor, you pretty much have to make unauthorized copies of copyrighted malware binaries, or circumvent software protection mechanisms. But there is a lot of questionable stuff going on that seems rather avoidable. For a while now, it's been socially acceptable to exploit production services, to use vulnerabilities to exfiltrate user data and post the results publicly, allegedly to encourage better security through transparency. That can't be right.
On 23 August 2015 at 12:32, Florian Weimer fw@deneb.enyo.de wrote:
The blog post is pretty reasonable if you combine the Oracle mindset with the things that some people report as vulnerabilities. I totally get why she just wants to Make It Stop (because of those reports), and the way she picks contracts/licenses (because of Oracle).
"Don't send us automated vulnerability reports, they're not at all helpful" is the one sensible bit of the post, yes.
The license argument, however, is abject stupidity as security advice, and an excellent argument for software freedom.
The response from Postgres is perfect: "Please, security test our code!" http://www.databasesoup.com/2015/08/please-security-test-our-code.html
That being said, it's a bit odd that Oracle (of all companies) apparently allows blog posts without review. I can't believe something like that wouldn't have been caught during a review process.
C-level executives are people who are empowered to do as they wish. Who could tell her no before the fact? No-one, evidently.
Regarding the contracts/licenses thing, I am pretty much fed up with the blatant disregard of applicable laws and regulations by much of the security industry. Some of the law-breaking is unavoidable. For example, as an antivirus vendor, you pretty much have to make unauthorized copies of copyrighted malware binaries, or circumvent software protection mechanisms. But there is a lot of questionable stuff going on that seems rather avoidable. For a while now, it's been socially acceptable to exploit production services, to use vulnerabilities to exfiltrate user data and post the results publicly, allegedly to encourage better security through transparency. That can't be right.
It's a balance, though. The reason for full disclosure of 0-day vulnerabilities is a long history of vendors lying, covering up and legally suppressing serious problems against their customers' interests.
We're seeing this repeat itself in the Internet of Things, by the way.
(The correct answer: free software, with a good coordinated disclosure policy and quick action!)
- d.
* David Gerard:
On 23 August 2015 at 12:32, Florian Weimer fw@deneb.enyo.de wrote:
The blog post is pretty reasonable if you combine the Oracle mindset with the things that some people report as vulnerabilities. I totally get why she just wants to Make It Stop (because of those reports), and the way she picks contracts/licenses (because of Oracle).
"Don't send us automated vulnerability reports, they're not at all helpful" is the one sensible bit of the post, yes.
The license argument, however, is abject stupidity as security advice, and an excellent argument for software freedom.
It's probably still true. I don't think there is a reverse engineering exception for security research. Whether you have to publicly rub it into the face of your customers is a different story, of course.
C-level executives are people who are empowered to do as they wish. Who could tell her no before the fact? No-one, evidently.
At most organizations, the blog software does. Usually, before anything gets out, it is proofread for typos and legal issues.
This does not mean that the executive does not have the final say when it comes to publication, but one can hope that along the process, someone points out the potential backlash, especially if it is as obvious as in this case.
It's a balance, though. The reason for full disclosure of 0-day vulnerabilities is a long history of vendors lying, covering up and legally suppressing serious problems against their customers' interests.
My own experience is that it does not matter how transparent you are, or what your past track record was. When reporters feel like it, they will throw you in front of the next-best bus. They even disregard their *own* policies.
These people are really smart and creative, and they often behave in ways such people generally do.
↪ 2015-08-23 Sun 14:48, Florian Weimer fw@deneb.enyo.de:
The license argument, however, is abject stupidity as security advice, and an excellent argument for software freedom.
It's probably still true. I don't think there is a reverse engineering exception for security research. Whether you have to publicly rub it into the face of your customers is a different story, of course.
Depending on what you do (because "reverse engineering" includes a lot of different kinds of methods), you are covered in Europe by an exception to copyright law (Directive 91/250/EEC) and any terms trying to negate you this possibility are void. The French translation of this directive even explicitly mentions security purposes since 2010.
Note that in the US, the situation is different regarding what you can enforce or can't enforce in a contract regarding reverse engineering.