So was that Oracle blog post authentic or did some people at defcon decide it would be funny to write a MAD satire?
Stefan Esser, August 11, 2015

Oracle CSO's blog hacked and the attackers post a hilarious trolling blog post:
Dino A. Dai Zovi, August 11, 2015

A few hours after the post started making the rounds, Oracle confirmed that the company deleted it because it did not "reflect our beliefs or our relationship with our customers."

My first assumption after reading this was that Oracle's web server was hacked and this article is a parody.
matt blaze, August 11, 2015

It's really sad that The Onion is printing what should be infosec news, and Oracle's CSO is printing what should be infosec satire.
K. Reid Wightman, August 11, 2015

That awkward moment when, in deriding reverse engineering, you confirm your customers a) do it, b) find problems, c) reject your complaints
Dan Kaminsky, August 11, 2015

Maybe some Oracle customer should open a support case to let them know someone has defaced their website with a crazy parody.
matt blaze, August 11, 2015

Oracle meeting:
Pinboard, August 11, 2015

Don't look for vulns. Fuck bug bounties. We won't even credit you.
Morgan Marquis-Boire, August 11, 2015

Jokes aside, Chris Wysopal, co-founder and chief technology officer of Veracode, tweeted that Davidson's post isn't really funny, since he is among those who have gotten a letter from Oracle warning him not to break its license agreement.

Oracle undoes the problems created by their CSO's rant by deleting her blog post. Done. PS:
Mikko Hypponen, August 11, 2015
As someone noted, this is not the first time Davidson has rambled against reverse engineering. In a perhaps less wordy 2011 post, Davidson seemed to take aim at the software auditing security company Veracode (without naming it), complaining about its model of offering static analysis of code (or reverse engineering) as a service.

This time, however, she also took aim at the "sinners" who use reverse engineering to file bug reports, which are often "not much more than a pile of steaming… FUD." In other words, don't even bother looking into Oracle's code because you won't find any bugs there.

She also took a swipe at bug bounty programs, which have quickly become a very popular way for companies to reward researchers who find vulnerabilities and report them to the companies that make the software.

"Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers to find problems in their code," Davidson wrote, explaining that Oracle doesn't do bounties because it finds 87 percent of bugs itself, so a bounty program wouldn't make economic sense.

Some in the community had a creative way of responding to her claims.

"We now rely on software for everything—health, safety and well-being—and crafting a policy of 'see something, say nothing' puts us all at risk."
This post has been updated to include Chris Wysopal's comments, as well as Oracle's statement.