From Oracle's Chief Security Officer: one of the finest marketing posts for free software I've seen in 2015
dgerard at gmail.com
Sun Aug 23 11:39:59 UTC 2015
On 23 August 2015 at 12:32, Florian Weimer <fw at deneb.enyo.de> wrote:

> The blog post is pretty reasonable if you combine the Oracle mindset
> with the things that some people report as vulnerabilities. I totally
> get why she just wants to Make It Stop (because of those reports), and
> the way she picks contracts/licenses (because of Oracle).

"Don't send us automated vulnerability reports, they're not at all
helpful" is the one sensible bit of the post, yes.

The license argument, however, is abject stupidity as security advice,
and an excellent argument for software freedom.

The response from Postgres is perfect: "Please, security test our code!"

> That being said, it's a bit odd that Oracle (of all companies)
> apparently allows blog posts without review. I can't believe
> something like that wouldn't have been caught during a review process.

C-level executives are people who are empowered to do as they wish.
Who could tell her no before the fact? No-one, evidently.

> Regarding the contracts/licenses thing, I am pretty much fed up with
> the blatant disregard of applicable laws and regulations by much of
> the security industry. Some of the law-breaking is unavoidable. For
> example, as an antivirus vendor, you pretty much have to make
> unauthorized copies of copyrighted malware binaries, or circumvent
> software protection mechanisms. But there is a lot of
> questionable stuff going on that seems rather avoidable. For a while
> now, it's been socially acceptable to exploit production services, to
> use vulnerabilities to exfiltrate user data and post the results
> publicly, allegedly to encourage better security through transparency.
> That can't be right.

It's a balance, though. The reason for full disclosure of 0-day
vulnerabilities is a long history of vendors lying, covering up and
legally suppressing serious problems against their customers'

We're seeing this repeat itself in the Internet of Things, by the way.

(The correct answer: free software, with a good coordinated disclosure
policy and quick action!)