Oracle CSO Rant Against Security Experts

Oracle's CSO Mary Ann Davidson wrote a blog post ranting against security experts finding vulnerabilities in her company's products. The blog post has been taken down by the company, but was saved for posterity by others. There's been lots of commentary.

It's easy to just mock Davidson's stance, but it's dangerous to our community. Yes, if researchers don't find vulnerabilities in Oracle products, then the company won't look bad and won't have to patch things. But the real attackers -- whether they be governments, criminals, or cyberweapons arms manufacturers who sell to government and criminals -- will continue to find vulnerabilities in her products. And while they won't make a press splash and embarrass her, they will exploit them.

Posted on August 17, 2015 at 6:45 AM • 64 Comments

Comments

Renato • August 17, 2015 7:04 AM

The fact that he's the CSO makes me think about their security policy as a whole.

Knowing a bit of Oracle I can say that their infrastructure is frail on purpose, so that only experts (which paid Oracle a lot of money, or work at Oracle) can set it up properly.

I wouldn't be surprised if such designed incongruence didn't completely derail the security model, if ever there was one. There may be competent security experts working for Oracle, but that doesn't mean they can act in their full capacity with such an incompetent CSO trickling stupidity down the chain.

Seeing what they're doing with Java (i.e. killing it) and what they've done with everything else they own (i.e. MySQL), I'm surprised they're still in business. But then again, incompetence is not exclusive to Oracle, and other companies rely on Oracle's name and history to transfer liability, just like they do with Windows, cloud services, SAP.

If companies would stop witch hunting every time something bad happened, we wouldn't have such a big problem with liability and problems would solve themselves much quicker and permanently.

But individuals must gain more than their peers, the whole "american dream" that needs to be fulfilled at all costs, and that never was about freedom, but about personal profit above others.

As long as we live by those rules, idiots like Davidson will keep their jobs.

Celos • August 17, 2015 7:21 AM

The key problem is that security is regarded primarily as a cost factor. This is why we have software with large amounts of exploitable bugs. The whole approach of looking for them and then patching them is fundamentally flawed, because what you find will depend on the search strategy. If an attacker has a different one, different attack vectors will be found from what the white-hats report to Oracle. Sure, all found vulnerabilities should still be patched, but every patch needed should be a huge embarrassment and be cause for an investigation into what went wrong and a fix for that as well.

Yet the core problem is the large number of vulnerabilities, and it is mostly due to coders, designers, architects that do not understand security, and ignorance of a host of known techniques to make software less vulnerable. Add greed-driven cost-pressure to that and things become clear: Software these days is very often not made as cheap as possible, but cheaper than possible, and hence it is fundamentally defective from the beginning. The comments by Mary Ann Davidson fit right here, as any patch that Oracle has to create costs money. Far cheaper to ignore problems, at least to Oracle. And of course, any vulnerability found does increase the risk that Oracle will have to fix their development model, which again increases cost.

Of course, the underlying problem is that customers are willing to accept second-rate quality in software. (Well, often more like third-rate; it is incredible what utter secure-coding beginners' mistakes can often be found even in security-critical software made by people that should know better...) If, for example, customers would look at the vulnerabilities found and, if they are strong indicators of a defective development process or incompetent developers (such as missing input validation, for example) or there are simply too many, move their business elsewhere, things would likely change. But everybody seems to have accepted that software sucks security-wise, and until that changes, things are not going to get better and the trend to use the cheapest possible personnel that can just barely get the software to run will continue.

what-me-worry • August 17, 2015 7:52 AM

Older readers of this list might recall Oracle's ad campaign circa 2001, claiming that Oracle 9i is “Unhackable.”

Quite a change in attitude...

keiner • August 17, 2015 7:57 AM

Don't shoot the messenger.

Design better products, put more money into quality control, get the right attitude for solving problems of your customers, not producing new ones. All will be happy except for the fu*ing share holders...

hopperapp • August 17, 2015 8:06 AM

She is right that simply getting a dump of possible vuln from a bindump without knowing the code, or trying to exploit the results to see if they bear fruit is pointless since if you reverse your own software you'll see and recognize false positives all the time.

She's wrong about reversing being illegal, it's explicitly permitted in Europe and the point is to chase down bugs or learn about weird behavior not to disassemble the code.

Oracle's "customers" are mainly city governments and schools who were fooled into signing decade long contracts for inferior software, so her overall condescending tone doesn't matter to Oracle as the prisoners that are forced to pay them have no choice, so they don't care.

I esp liked the part where somebody found critical bugs and they smugly said "oh we already know" lol, fix it then you clownshoes.

alanm • August 17, 2015 8:13 AM

After actually reading the whole thing, it turns out that Oracle is indeed happy for you to tell them about vulnerabilities (whether found via reverse engineering or not), but require a reported defect and a working POC for every one. Getting 200 page PDF reports from automated tools in the mail is what she's trying to avoid. And they refuse to pay bug bounties.

Sounds pretty reasonable to me.

Clive Robinson • August 17, 2015 8:39 AM

@ alanm,

Oracle is indeed happy for you to tell them about vulnerabilities (whether found via reverse engineering or not), but require a reported defect and a working POC for every one

Whilst Reverse Engineering is not illegal or particularly questionable in many places, developing a Proof Of Concept is frowned upon and the law tends not to distinguish between the "exploit" which the Proof Of Concept is and any "payload" that does damage it might or might not have...

Thus what the CSO is really saying is "we will only listen to you if you have committed a crime"... not exactly a welcoming comment, is it?

Hello71 • August 17, 2015 9:17 AM

conspiracy theory: oracle wants to find the vulns themselves so they can sell them for their own profit

alternative conspiracy theory: oracle just doesn't want you to find the backdoors

Dan • August 17, 2015 9:24 AM

So jump through all sorts of hoops to tell Oracle about a security hole in their software and the best you can hope for is not getting prosecuted in criminal or civil court.

Or you can sell it on the darknet to the scum of the earth, make a lot of money, and retire early.

Decisions, decisions, decisions...

barbed cable • August 17, 2015 9:42 AM

I work in a different sector (geophysics at a national research institute in an EU country) so this is an honest question: how much is a CSO in huge corporations like Oracle expected to really know and understand their stuff on the technical level? Or is it as for us, where the ultimate decision maker is a minister with a degree in law, literature or political 'science'?

Brian • August 17, 2015 10:08 AM

Challenge: Convince the PCI Standards Council to send a sternly worded letter to Oracle ordering them to apologize for this post and explicitly grant permission for vulnerability reports, on penalty of the PCI industry adding a notice to their compliance documents which explicitly forbids (or at least recommends against) Oracle routers. After all, the PCI industry requires vulnerability scanning and penetration testing.

David Leppik • August 17, 2015 10:33 AM

@barbed cable:

The CSO (Chief Security Officer) is analogous to a CFO (Chief Financial Officer), though not as well-established or well-regulated. In fact, since CSO is such a new position, you could argue that the analogy is the job description. A CFO is not the person who actually performs a company's internal financial audits, but is legally responsible for accurately communicating the financial state of the company, so a corporation would be crazy not to hire someone fully qualified to perform an audit.

Similarly, the CSO is both an executive and technical position. There's no legal requirement to be a security expert--nor is there a security certification similar to a CPA-- but since the CSO is responsible for overall security strategy, it doesn't make sense to not hire a security expert.

At this point, companies that have a CSO do so to communicate to the world that they take security seriously. To have a CSO who doesn't take security seriously implies that they only care about the appearance of security.

r • August 17, 2015 10:35 AM

@Dan, scum of the earth?

While that might be true, if it wasn't for that scum exploiting the festering pus holes in the nsa-complicit-and-engineered commercial software these holes would never be prioritized for repair.

It's unfortunate, but these companies only care about their image, their income and maximizing the profits gained from monetizing a customer to the fullest.

Dragging their feet, complicity, betrayal of consumer expectations... it should be an easy pill to swallow.

albert • August 17, 2015 10:47 AM

@Celos,
A nail-head-hit for you!
.
MAD works for the 2nd richest man in the world (USD50B, behind Gates at USD89B). Is it ironic or simply logical that the two worst s/w vendors* have the richest CEOs? I would guess that MAD is very well compensated. Granted, a BSME and MBA person could learn a lot about s/w after 27 years of employment, but a lot depends upon where you work:)
.
Besides, I thought 'security officers' handle, you know, 'security', not 'computer security'. Maybe it was her NAVY background....
.
*remember, MS innovated selling buggy s/w, and the draconian, we're not responsible for anything, EULAs. (Monopolies can do that)
.
. .. . .. o

Frank Wilhoit • August 17, 2015 10:49 AM

Okay, so "the name of this blog is Schneier on ___________", but the larger issue here is how software vendors can get away with selling software that doesn't actually work -- selling it for any price, never mind for the seven-, eight-, and even nine-figure annual contracts that Oracle and a few others routinely extract from American corporations in exchange for...what? Certainly not for improved business productivity; certainly not for improved data integrity.

d33t • August 17, 2015 11:27 AM

I feel for Mary Ann Davidson. It would be embarrassing and extremely difficult to support and defend a giant pile of endless shell scripts, Java (wow) and nearly impossible to manage garbageware like Oracle's db offerings every day as your job. Like lots of today's legislators, people buying Oracle products to solve critical problems are probably pretty far out of touch with tech and just go for the advertising first (Cover Oregon). Rather than make good products, Oracle has managed to acquire tons of small companies who are also selling piles of shell scripts, gut Java even further in terms of security (e.g. sunpkcs11?) and who knows what with MySQL. There are so many other db's out there, it must just be the successful ad campaigns and classic use of the cult of personality that foists software like theirs onto the public ... instances locked in a deep dark back room, customers just waiting for some kid (or the NSA's kids) to walk through their data like it belongs to them because someone left the door unlocked (they asked for it, right?). They have nothing to hide anyway :>)

Big business and bad government drive the perceived need for software companies like Oracle. Rather than *attract* customers the old fashioned way, by making great products, or offering services that matter, companies and governments have opted to aggressively track and target potential customers (voters) by their demographics, online habits and social utterings, email, texts, phone calls etc. Ironically, they spend very little effort to keep their precious data collections safe from the competition (other big companies, or bad governments) or "criminals" (what does this word mean now?) By leaving things wide open to theft, the advantage seems to be that when data just happens to fall into all hands, there is plausible deniability in the notion that "no one can fix the problems fast enough".

I bet there is an advantage to leaving banks open to theft as well. Some "bad" guys steal digital money, credit cards numbers, identities, other .. fund whatever ops they want quietly without the need for congressional approval and the tax payer picks up the bill either way. Everybody in a position to know gets their cut through contracts / campaign contributions, and there's no real investigation. This scenario is far easier to bury and keep quiet than flying tons of coke and guns around, making rock and peddling it in poor neighborhoods. Plus like jailing low level drug dealers, busting a few hackers here and there shifts the blame squarely onto a solid patsy who probably wanted some small fame anyhow. It really is the golden age of propaganda, surveillance, theft and waste.

Anyhow, at least Mary Ann has her creative writing career to fall back on.

Marco Schwier • August 17, 2015 11:37 AM

Software-companies have no reason to invest money into security. That is as long as they are not held liable for their products.

albert • August 17, 2015 11:40 AM

@Frank,
CEOs belong to a small, exclusive club, and we aren't members. If you golf with Larry, you probably talk about business, and after all, your kids go to the same private schools, right? Big business likes to deal with big business; "no one ever got fired for buying Microsoft." Or Oracle.
.
Since the introduction of MS-DOS, the fight has been to get the stuff to work; security wasn't an issue. Now, we're still trying to get the stuff to work, but we now have draconian security issues to deal with. Computer security is now where we were with s/w and OSs in the 80's. S/w and OS products are much improved, but security seems to be never-ending whack-a-mole 'game' with very high stakes indeed.
.
There's a mad rush to the cloud, which is the technological equivalent to emigrating to the Ukraine, Fukushima, or Iraq.
.
. .. . .. o

Slime Mold with Mustard • August 17, 2015 11:54 AM

Knowing what I do about the psychology of human honesty (a lot), I believe I just read a screed telling anyone finding an actual exploit to please sell it to someone who will appreciate it. Because Oracle won't.

More of the same • August 17, 2015 12:01 PM

If you go to google.com and type
cache:http://www.schneier.com
does anything happen, when you hit Enter?
Should anything happen?
(It says "press Enter to search," but maybe it doesn't really mean this.)

More of the same • August 17, 2015 12:04 PM

While the "more of the same" I was referring to could indeed be Mister Slime Mold of the prior comment, I don't know. I don't know who is doing this, or if it's just that I'm not searching right.

A Nonny Bunny • August 17, 2015 12:37 PM

That was an interesting blogpost to read; she started off a bit wrong-footed, but there are some good comments in it. There probably are better things people could do for their security than reverse engineer Oracle products and try to find flaws in them. And bug reports from customers generally do suck because they don't put the effort in to make them useful.

Of course the whole ban on reverse engineering as protection of intellectual property is a bit silly. Because even if you post the source code, it is _still_ protected by intellectual property rights. And people who do want to breach your intellectual property rights will not care that your license forbids reverse engineering it.

Nick P • August 17, 2015 12:40 PM

@ Bruce Schneier

I suggest you save a local copy of that blog post as I am. I think it (and the EULA) is one of the best arguments against using Oracle products I've ever seen. Laypersons might need a good comparison. Mine is that the Ford Pinto could only be purchased if people agreed to not inspect it for safety, not allow 3rd party inspection for safety, and would be punished for sending flaws to Ford or informing the general public. That would be ridiculous and literally get people killed. In this situation, the result will be problems covered up while Oracle customers' databases are stolen, sabotaged, or destroyed. Releasing any information on this, instead of a fix, gets the customer threatened by the supplier introducing the problems.

I think it's a decent way to frame it. From there, big names (like you) in security should encourage the big companies to modify their EULAs to allow R.E. for the purpose of finding security vulnerabilities. Further, people pushing alternatives in the proprietary or FOSS space can use this as a differentiator. A competitor with a decent legal team might benefit from citing the Oracle EULA while saying, "Unlike the competition, we don't sue our own customers because they helped us improve the quality of our product. Instead, we thank them, sometimes refund the license partially if it was a truly severe issue, and simply fix the product."

Similarly, it might be an advantage for the proprietary, open-source models I push where the tech is open-source but licensed. (Or dual licensed w/ proprietary or GPL.) They can point out that their code is open to review, they have an open tracker of security issues, and it's evident that they regularly fix them. You pay for it, but your dollars go further than Oracle, etc.

Max • August 17, 2015 1:07 PM

For companies that make money by charging for "support", bug bounties are a reversal of the natural order of things. You're supposed to pay when you find bugs, not get paid.

clamoring • August 17, 2015 1:48 PM

@A Nonny Bunny,

If researchers aren't reverse engineering software, then it's only the "bad guys" doing reverse engineering.

@Celos,

That solves nothing as you have the priorities backwards. First priority is to make the release schedule. Everything else is not that important.

#######Unrelated
Oracle's EULA is a densely worded document no one reads and signs at the end of a penny stock boiler room sales pitch.

Her post is crazy talk. "Give us money and leave us be until we ask for more money. Thanks." Must be nice. I would not have a job with that attitude.

Alien Jerky • August 17, 2015 2:38 PM

A little off topic, but it keeps things lively...

From the Windows 10 EULA

Section 7b – or “Updates to the Services or Software, and Changes to These Terms” – of Microsoft’s Services EULA stipulates that it “may automatically check your version of the software and download software update or configuration changes, including those that prevent you from accessing the Services, playing counterfeit games, or using unauthorized hardware peripheral devices.”

Microsoft gets to not only tell me they do not like my hardware, but will disable it so I can do anything about it, without warning. Good thing Microsoft knows best.

I have not upgraded to Windows 10, and it is beginning to look like I never will.

I poked around on OpenBSD website. Looks complicated to install. Lots and lots of files, Dual boot not obvious if it supports it or how to do it. I saw several possible installers to use, but it is confusing. Such is one of the many reasons Linux is not being used by so many. Ubuntu installed easy enough, but read that EULA, most of what you do gets reported back to them. Even Mint does so. The options are under-whelming.

jdgalt • August 17, 2015 2:59 PM

I believe we'll get decent security when the law imposes strict liability for breaches, including consequential damages, written to trump any EULA or corporate veil. It's that simple.

albert • August 17, 2015 3:14 PM

@A Nonny Bunny,
"...There probably are better things people could do for their security that reverse engineer oracle products and try to find flaws in them. And bug-reports from customers generally do suck because they don't put the effort in to make them useful...."
.
Wouldn't most customers fix the 'easy' security stuff first? Wouldn't they be more concerned with the stuff they _can't_ fix?
Wouldn't 'reverse engineering' make better bug reports?
.
I'm disappointed that the vague term 'intellectual property' is bandied about. Here in the US, we have copyrights, patents, and trademarks. That's it. Source code is covered by copyright law. Product names, models, and certain phrases are covered by trademarks. Patents cover devices, processes, design, and, alas, software, including mathematical algorithms (which used to be unpatentable, how the times have changed).
.
@Et. al,
What's Oracle to do? Refuse to do business with a customer? Sue the customer? Any other company, I'd say no, but this is Oracle. They should be _glad_ that their customers are eating the cost of doing what they should be doing _at source level_. What are they going to do with that shitty Oracle code? Sell it?
.
Why not a simple NDA?
.
Ellisononian business practices preclude any kind of logical interpretation.
.
I hope they're successful at killing Java. It would be the one good thing they did. I'm going to write to Larry, and suggest they buy Adobe, so they can kill Flash as well.
. .. . .. o

Alien Jerky • August 17, 2015 3:35 PM

@albert

I hope they're successful at killing Java. It would be the one good thing they did. I'm going to write to Larry, and suggest they buy Adobe, so they can kill Flash as well.

Flash based Java interpreted from Javascript written in Powershell to encrypt your hardware because it is not on Microsoft's list of approved equipment.

Dullard • August 17, 2015 4:03 PM

@Alien Jerky & others

For a reasonable alternative to Ubuntu, Mint and others, you might try Debian. You can do a graphical install on Debian and most of the software you need is there or easily available. Don't have to be a PhD CompSci grad to use it. Not competent to pass judgment on Fedora or some of the more nerdy distros.

albert • August 17, 2015 4:13 PM

@Alien Jerky,
Ubuntu ain't great, but it's a good one to start on. It's simple to switch to Gnome 3 and lose all the Unity crap. Same for the phone-home stuff. Losing the crap is well documented; mostly cut-n-paste to a terminal window. (Linux terminal is light years ahead of Windows). Wireshark is good for monitoring network traffic. You can do most everything in the GUI if you desire. Multi-boot is handled by Grub; I once had a 3-boot system running. I used to have a dual-boot setup to handle upgrades, i.e. I could test 12.04 before switching from 10.04.
.
. .. . .. o

tyr • August 17, 2015 5:30 PM

@albert

I thought Adobe was doing a good job of putting themselves out of business with their bad security. Ellison might jump at the chance to incorporate those into their security model.

The cynic is a man who sees things as they are rather than as they Ought to be, the Scythians blind them to improve their vision of society.

Smoked Eyelids • August 17, 2015 5:35 PM

@Alien Jerky, I'd go for OpenBSD if only to run pf. Much nicer and sturdier than iptables. There's always OS X if you want an easy BSD install.

tyr • August 17, 2015 6:26 PM

The Full D mailing list has an interesting look at the CSO's numbers.

Not exactly a real good match with the dataset. Time for a move onward and upward based on her past performance.

If they could just find a way to shut these security people up the world would be wonderful.

MarkH • August 17, 2015 6:35 PM

The really interesting part of the rant (for me) was the incidental stuff at the end about her bookshelf, and her loathing (her word) for economist John Maynard Keynes, and her refusal to believe (or indeed to see) the evidence that confirms his theories.

Keynesian economics has a strong track record of successful macroeconomic prediction (much better than its rivals) – in other words, it corresponds to reality.

But conservatives hate Keynesian economics, because they hate any suggestion that government intervention may be beneficial (unless that intervention is military and/or strongly favors the wealthy). But Keynesianism says that government intervention can help an economy in crisis, violating their conservative theology. So, they must deny the validity of it (as with evolution, or AGW).

If reality suggests the helpfulness of courses of action we don't like, then by God, reality must be wrong!
____________________________________________

This is the essence of her rant about reverse engineering. Oracle prohibits reverse engineering, in order to protect its intellectual property.

Reality (amply demonstrated by experience) is that reverse engineering is a vital means to uncover critical security flaws.

If reality suggests the helpfulness of courses of action we don't like, then by God, reality must be wrong!
____________________________________________

Does this "CSO" expect the criminals who attack her customers to abide by Oracle's license terms?

When reverse engineering is outlawed, only outlaws will reverse engineer. TM
____________________________________________

Well done, Mary Ann Davidson!

Your consistency in committing ghastly intellectual errors excites my admiration

Clive Robinson • August 17, 2015 7:00 PM

She mentions she writes fiction with her sister.

Has anybody read any of it?

If so what sort of fiction is it?

If it's what gets referred to variously as "bodice ripper" or "gusset gripper", I'll understand if you don't want to post even anonymously.

tz • August 17, 2015 7:24 PM

There won't be some of the smaller "embarrassments", but criminals that manage to get in and cause a huge news-making data breach will make news, and if it is traced to Oracle, they will not be embarrassed about a vulnerability, they will be embarrassed for costing millions of dollars.

Dirk Praet • August 17, 2015 9:09 PM

No CSO can be this out of touch without becoming a liability to both the company and its customers.

It's the sort of stuff that happens in companies where the CxO level and the people on the shop floor are no longer talking to each other because they're separated by too many layers of middle management. I saw similar stuff during my days at Sun Microsystems when at some point a decent golf handicap became a more important prerequisite to climb ranks than actually knowing what the business was about. With quite some folks rising way beyond their level of incompetence.

atk • August 17, 2015 9:11 PM

@MarkH,

"But conservatives hate Keynesian economics, because they hate any suggestion that government intervention may be beneficial (unless that intervention is military and/or strongly favors the wealthy)."

Way to create a straw man. Must be fun tilting with them instead of dealing with real reasons provided by people with differing interpretations, experiences, and ideas. I'm sure you solve many problems by ignoring them.

Anura • August 17, 2015 11:03 PM

@Clive Robinson

I looked it up and they wrote three books under the pen name Maddi Davidson. From the descriptions, they are mystery novels featuring an IT consultant as the protagonist.

KS Augustin • August 17, 2015 11:19 PM

@Clive Robinson:

She writes murder mysteries. Like Harlan Coben and James Patterson. I'm all for Davidson being fired, but stop being a jerk and turning this into a general anti-woman smear by using the terms "bodice/gusset ripper". They are offensive to all women writers. Got it?

tyr • August 18, 2015 3:35 AM

@Clive

I love the claims that "all" are offended by something, particularly when I know women writers who are only offended by stupidity in all its forms.

I bought a hundred of those women's romance paperbacks once since I had never read one. Took me about a week to go through them. So I can ID the level of explicit details by the cover colour, recite the plot variants, and don't have to read any more of them. They are a perfect job to automate using case selectors and a name variant database. They do make money but I can't say it is well spent. I only paid 5 USD for the 100 I bought at a garage sale.

Clive Robinson • August 18, 2015 4:56 AM

@ K S Augustin,

I'm all for Davidson being fired, but stop being a jerk and turning this into a general anti-woman smear by using the terms "bodice/gusset ripper". They are offensive to all women writers. Got it?

Firstly I'm not for Ms Davidson being fired, because if people think about it, it would solve little. Because the person who replaces her would in all likelihood have the same opinions, just not express them. Therefore firing her would probably be the worst of many options for the company's customers.

I have only known a handful of authors personally, two of whom are now sadly no longer with us, but most of them don't or did not like the "classification" used for their work or the work of others. One author in particular had a quite justified dislike of the Man Booker Prize and the distortive effects it had in book shops and the reading public. As was once observed, "There are artists and critics, neither views the other as more than a necessary evil, to their success".

I did not pick the naming of the "classification" but others such as critics and what we would call marketing / promotions people did. And those names have been around for a half century or more, thus like them or not they are a recognised category under the more general "Romance". I'm told they are as popular as "The Penny Dreadfuls" of the Victorian era.

However the important fact to note is that, even though various classifications of books sell well, it does not mean that the readers want other people to know that they read them. I suspect primarily for what they think others may think of them. If you go back and read what I wrote, you will see that I did not ascribe any meaning to the classifications other than someone might be embarrassed about admitting to reading them even anonymously.

Now I know that there are quite a few authors who read this web site, but it's the first time I remember seeing your name; hopefully you will stick around and post a little more often.

MarkH • August 18, 2015 5:23 AM

@atk:

Was that a "strawman?"

If someone announces that Earth is 6000 years old and that human beings are not descended from a common ancestor to apes, I can be sure the statement is false.

Note that my conclusion does not depend on the logic that led to the making of these assertions. The person is either ignorant of what civilization has learned from nature in the past couple of centuries, or knows better and is intentionally making a false statement.

In such a case, it is not necessary to know the "real reasons" stemming from the speaker's "interpretations, experiences, and ideas", for me to correctly conclude that the speaker is manifesting ignorance and/or dishonesty.

Now, by dint of observation, it appears to me that the great majority of those who deny natural explanations of human origins do so on a very specific basis: the primacy of their religious belief.

In the case of people who "loathe" Keynes, the uniformity of their reasoning seems to be even greater than among those who deny geology and evolution of species. I can't rule out that Davidson hates this long-dead scholar for some reason other than a right-wing hatred toward "gumint" ... but I'd bet a month's income that she doesn't.

My core observation, is that unless she loathes J M Keynes for some quite exceptional reason, she is practicing "backward reasoning" which starts from a moral conclusion, and then rejects facts that don't support it. This is of a piece with her complaint about people searching for security flaws in Oracle products.

I know too many people who commit the fallacy of backward reasoning (many of whom are liberal, by the way), and those who do so don't seem to just do it once. They make the same mistake over and over. It is an impairment of reasoning.

Clive Robinson • August 18, 2015 5:33 AM

@ tyr,

I only paid 5 USD for the 100 I bought at a garage sale.

Ahh, "recycling" at its best. In my "dead tree cave" I have technical books that go back more than a century; the paper is sadly old and yellowed and almost as fragile as a butterfly's wings, and I suspect it would be home to moths if given a chance. Other non-technical books I have include first imprints from 1937/8 of "More than Somewhat" and "Furthermore", which are collections of Damon Runyon's "Tales of Broadway" stories set at the time of "prohibition", both of which I found in a secondhand book shop when I was around ten. I've had to stop lending them out to friends as they have proved quite difficult to get back, as with most books that raise more than a smile. But importantly they give detail that is of use to a security mindset, "Butch minds the baby" being one of many, and one or two provided the basis of film scripts, "Little Miss Marker" being one.

Good books can inform or entertain, some do both, but most importantly a book shared or passed along does both for many years.

Wesley Parish • August 18, 2015 5:48 AM

@Clive Robinson et alii

Speaking as a bit of a writer myself, one thought struck me as I finished reading Mary Ann Davidson's rant. It is that, as a writer, you are supposed to give the reader a reasonably coherent world, with reasonably consistent characters. And you are expected to use discontinuities in the characters' "lives" to display character development.

And one of the best ways to develop this is to get feedback from readers of the early drafts and incorporate it into more mature drafts. There are very few writers (of fiction or music) who can work like either Michael Moorcock or Wolfgang Amadeus Mozart, who were in the habit of dashing off complete full works of fiction or music without needing feedback.

So her advice that Oracle doesn't need feedback on vulnerabilities, potential and actual, is in contradiction to established practice in writing.

No wonder I've never come across any of her and her sister's fiction.

@all

Concerning the legal guff, the license, the law, etc.:

I would have thought that preserving one's reputation outweighed the minutiae of analyzing binaries for vulnerabilities. And we've seen Microsoft's reputation take a nose-dive with very many vulnerabilities in the Microsoft stack over the years, resulting in the (prolonged) death of Internet Exploitee aka Explorer.

If the law (and software license) as interpreted by Mary Ann Davidson results in the loss of Oracle's reputation, leading to the loss of Oracle's business, leading to the loss of Oracle's liquidity, then the law (and software license) itself is broken and needs to be fixed.

There's a good solid reason why "goodwill" is regarded as one of a business' assets.

z • August 18, 2015 8:06 AM

The most concerning thing in her rant is not her attitude towards researchers; it's her beliefs about security. Reading the following excerpt, I am pretty sure she thinks security consists of getting a list of certifications rather than actually writing secure code.

"Even if you want to have reasonable certainty that suppliers take reasonable care in how they build their products – and there is so much more to assurance than running a scanning tool - there are a lot of things a customer can do like, gosh, actually talking to suppliers about their assurance programs or checking certifications for products for which there are Good Housekeeping seals for (or “good code” seals) like Common Criteria certifications or FIPS-140 certifications. Most vendors – at least, most of the large-ish ones I know – have fairly robust assurance programs now (we know this because we all compare notes at conferences). That’s all well and good, is appropriate customer due diligence and stops well short of 'hey, I think I will do the vendor’s job for him/her/it and look for problems in source code myself...'"
I am convinced that she understands very little about security or programming in general if she thinks she can buy security and have its label stamped on the package.

zed • August 18, 2015 9:37 AM

z,

You aren't thinking like a c-level bot.

She doesn't want to BUY a security label; she wants to make the label herself, and then charge extra for the label and charge the customer for asking about the label.

albert • August 18, 2015 10:34 AM

@z,
At the risk of repeating myself, MAD has a BSME and an MBA, and has been at Oracle for 27 years!
.
From wiki:
"...In January 2005, Davidson was criticized by David Litchfield, who called on Oracle to replace Davidson, pointing to a series of delayed or ineffective security patches in Oracle's database server as evidence of "categorical failure".[4]...".
.
This is the Microsoft Mindset(tm) pioneered by MS since its inception. "If it tests OK, then it must be OK."
.
The leopards will never change their spots; the world belongs to the new, unspotted leopards.
.
This episode is merely a glimpse into the tomb of the Pharisees of Big Software. (Matthew 23:27)
. .. . .. o

albert • August 18, 2015 1:35 PM

@Rob,
Simple solution, don't buy Volkswagens. Vote with your wallet; they'll listen. It's the only way to reach Big Corporations. $$$$$$$$$$
. .. . .. o

Remy Marathe • August 18, 2015 2:54 PM

I think the most worrisome issue here is that the CSO of Oracle is apparently fifteen years old.

Jain • August 18, 2015 9:06 PM

"I am convinced that she understands very little about security or programming in general if she thinks she can buy security and have its label stamped on the package."

The post of CSO was created partially attributed to that. She is the stamp figuratively. Hopefully the backlash will change her mind.

Clive Robinson • August 19, 2015 2:34 AM

@ Jain,

The post of CSO was created partially attributed to that. She is the stamp figuratively. Hopefully the backlash will change her mind.

And it's for that reason that I don't want her fired/sacked.

It's generally better to "work with the devil you know" than to have to get to know a devil you don't have a clue about. It further allows you to apply reason / leverage to bring about a change in outlook. Importantly, as they build up a list of "known transgressions" against accepted industry norms and best practice, it can be used as leverage against other CxOs and shareholders to modify the organisational behaviour to bring them into line with those norms and best practices, or at least drag them out of "last century's" badly outdated norms.

After all, part of a tech company's image is that they are "leading edge" and striving to be the best in any given field. That is, they want people to think they are "chasing the stars", not "shoveling coal in steam engines".

Duff • August 19, 2015 7:16 PM

Before going on a rant, you should have a look at the rest of her blog and read this entry in context.

She has a real hard-on for security scanner outputs that consultants in customer sites generate. She rants about this often. And she has a point. Whenever our infosec guys show up with some consultant doing a security scan, we get an opportunity to waste a lot of time discovering nonsense vulnerabilities.

That said, the blog entry was tone deaf and a great exhibition of the institutional arrogance of Oracle.

Dirk Praet • August 20, 2015 5:39 AM

@ Duff

Whenever our infosec guys show up with some consultant doing a security scan, we get an opportunity to waste a lot of time discovering nonsense vulnerabilities.

We all know our paper MCSEs and greenhorn infosec consultants producing reports generated by automated utilities they hardly understand themselves and hence are unable to interpret. It's a valid point. Throwing out the baby with the bathwater, however, isn't. From someone in her position, one might expect a slightly more nuanced take on the issue, like proposing a formal procedure/methodology for reporting suspected vulnerabilities to the company, perhaps even a bug bounty program. That's ultimately a win-win for everyone, including their customers.

MarkH • August 20, 2015 11:06 AM

@Duff, Dirk, et al:

It's easy to understand Ms. Davidson's irritation about receiving an ongoing stream of reports about vulnerabilities that actually aren't vulnerabilities. If she had left it there, then I imagine that the security community would have understood and sympathized.

However, she went on to say what a lot of us heard as:

1. "you have no right to reverse engineer our code, STFU!"

and

2. "we wise experts know what we're doing, you ignorant slobs need to STFU!"

That's a problem.

vgor • August 20, 2015 9:34 PM

>Before going on a rant, you should have a look at the rest of her blog and read this entry in context.

I prefer what I call indirect reading. Her blog is a bit too far. Thus it's usually more interesting to learn from learning other people's perspectives, because you learn more that way.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.