
Oracle: if you scan us for vulnerabilities, we will come after you

jos
Oracle's chief security officer Mary Ann Davidson: stop scanning Oracle's code for vulnerabilities or we will come after you. Davidson scolded customers who performed their own security analyses of code, calling it reverse engineering and a violation of Oracle's software licensing. If her team at Oracle decides that the report from a customer "could only have come from reverse engineering," Oracle would "send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf—reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already... Oh, and we require customers/consultants to destroy the results of such reverse engineering and confirm they have done so."

 

Their software is buggy, and they think that if no one finds a problem there is no need to fix it and no more bad name. But what if someone committed a serious offence due to the vulnerability because Oracle was just being stubborn?

Source: http://arstechnica.com/information-technology/2015/08/oracle-security-chief-to-customers-stop-checking-our-code-for-vulnerabilities/


Yeah, like that's gonna stop the target group. :D

My modded Air 540 build


They are talking about Java?

The thing does work well across many architectures and OSes; nothing really is like it,

but when it comes to security, it's just amazing how bad it is.

If your grave doesn't say "rest in peace" on it You are automatically drafted into the skeleton war.


e7o67p.jpg

Intel Xeon E5 1650 v3 @ 3.5GHz 6C:12T / CM212 Evo / Asus X99 Deluxe / 16GB (4x4GB) DDR4 3000 Trident-Z / Samsung 850 Pro 256GB / Intel 335 240GB / WD Red 2 & 3TB / Antec 850w / RTX 2070 / Win10 Pro x64

HP Envy X360 15: Intel Core i5 8250U @ 1.6GHz 4C:8T / 8GB DDR4 / Intel UHD620 + Nvidia GeForce MX150 4GB / Intel 120GB SSD / Win10 Pro x64

 

HP Envy x360 BP series Intel 8th gen

AMD ThreadRipper 2!

5820K & 6800K 3-way SLI mobo support list

 


I could understand if they don't want another security flaw announced to the world, like what sometimes happens. I've seen a lot of news posts about that recently. But not wanting people to expose them at all, especially if it's strictly for the benefit of the company and the consumers of their products, just sounds dumb. I guess they don't want to have a bad name, but since Java is so widespread anyway, it seems to me that exposing potential flaws is worth it and will, in the long run, reflect positively on Oracle because it shows they want to fix them and have a trustworthy product.

 

But, what do I know? I'm just a young guy who hasn't even gone to college yet.

Why is the God of Hyperdeath SO...DARN...CUTE!?

 

Also, if anyone has their mind corrupted by an anthropomorphic black latex bat, please let me know. I would like to join you.


Welcome to Oracle, where we'd rather spend money on lawsuits about the security flaws that were found than on fixing them. (insert Dilbert comic here)

Sounds like normal corporate mentality. Don't fix the problem, beat up anyone who points it out.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs


Notice how they don't mention anything about fixing or avoiding issues, meaning they're perfectly fine with them existing as long as it is not public knowledge, so they can claim ignorance during a lawsuit and limit their liability, which is cheaper both in terms of legal defense + price of fixing shit up.

 

So again, pretty much the fight club analogy: if the cost of the average settlement times the amount of potential vulnerabilities in the wild is less than the cost to code a patch or new version, we won't do a patch.

-------

Current Rig

-------


Notice how they don't mention anything about fixing or avoiding issues, meaning they're perfectly fine with them existing as long as it is not public knowledge, so they can claim ignorance during a lawsuit and limit their liability, which is cheaper both in terms of legal defense + price of fixing shit up.

 

So again, pretty much the fight club analogy: if the cost of the average settlement times the amount of potential vulnerabilities in the wild is less than the cost to code a patch or new version, we won't do a patch.

I find that to be a shame. Java is used on a lot of devices in many different programs, so this unwillingness to improve security just bugs me. I know this is normal business practice, but I just wish it didn't have to be this way. (I know this isn't exclusively about Java, but it's what people usually think of when they think of Oracle, and I think the most widespread of their products.)

Why is the God of Hyperdeath SO...DARN...CUTE!?

 

Also, if anyone has their mind corrupted by an anthropomorphic black latex bat, please let me know. I would like to join you.


Why can't companies be like Tesla?

ROG X570-F Strix AMD R9 5900X | EK Elite 360 | EVGA 3080 FTW3 Ultra | G.Skill Trident Z Neo 64gb | Samsung 980 PRO 
ROG Strix XG349C Corsair 4000 | Bose C5 | ROG Swift PG279Q

Logitech G810 Orion Sennheiser HD 518 |  Logitech 502 Hero

 


Why can't companies be like Tesla?

 

Because that requires work.

Someone told Luke and Linus at CES 2017 to "Unban the legend known as Jerakl" and that's about all I've got going for me. (It didn't work)

 


snip

 

snip

I doubt that that is the case. I think the company has just not bothered doing almost anything for Java these past few years. So many other languages are more powerful and more useful than what Java can do. In fact, if Java kept improving, other languages like C# probably would never get more popular. Instead of asking Java to change, I really wish that people would stop using it simply because it hasn't changed.


I know this isn't exclusively about Java, but it's what people think of when they think of Oracle, and I think the most widespread of their products.)

 

Actually when I hear the name "oracle", a lot more than just Java comes to mind. 

 

Remember OpenOffice, OpenSolaris, etc ?  Guess who f***ed that up for us?


Actually when I hear the name "oracle", a lot more than just Java comes to mind. 

 

Remember OpenOffice, OpenSolaris, etc ?  Guess who f***ed that up for us?

Okay, fine, it's what people usually think of when they hear "Oracle." I guess I'll change that. Any other quips about my post? :P

Why is the God of Hyperdeath SO...DARN...CUTE!?

 

Also, if anyone has their mind corrupted by an anthropomorphic black latex bat, please let me know. I would like to join you.


Okay, fine, it's what people usually think of when they hear "Oracle." I guess I'll change that. Any other quips about my post? :P

 

Nope, I read it again to make sure.  No capitalization errors, all the commas are okay, sentences make sense etc.  10/10

 

:P


Yeeeah, this is a really dumb thing to say.

Especially when you look at all the bounty programs offered for bugs and security vulns. 

 

Head up their ass indeed.


Nope, I read it again to make sure.  No capitalization errors, all the commas are okay, sentences make sense etc.  10/10

 

:P

Hooray! My post satisfies one of the people I look up to on an internet forum! :D:P

Why is the God of Hyperdeath SO...DARN...CUTE!?

 

Also, if anyone has their mind corrupted by an anthropomorphic black latex bat, please let me know. I would like to join you.


Hooray! My post satisfies one of the people I look up to on an internet forum! :D:P

lol

 

How can you be looking up to me?  I'm really short (and yes, that's what she said).   Are you lying on the floor?


Basically the company that makes the biggest security hole in computers today: Java. Second only to Adobe's Flash.

oh yeah now that you said it I think I remember seeing that on Java's site.
