.oracle showing its true colors
In case you missed it, Oracle CSO Mary Ann Davidson provided those of us in the InfoSec world yet another reminder that Security is not a priority – not even for the person to whom it should matter above all else. That evidence was provided by way of a meandering, condescending, and frankly (as an Oracle customer) disturbing rant published on Oracle’s corporate blog. It has since been removed. At least somebody there is thinking.
The text of her rant goes from her apparently lamenting her career choice (interestingly, writing appears to be her passion) to expressing her disdain for security researchers (and chastising them for violating the End User License Agreement), to a mock-FAQ expressing her endless frustration with those pesky customers, to a bizarre discussion about her bookshelf complete with not-at-all-witty stabs at innuendo.
I mean, she actually refers to people who report security flaws (which Oracle determines couldn’t have been found through means other than reverse engineering) as sinners. Seriously?
.let he who is without sin cast the first stone
Anyone who writes in a public forum understands that not everything you write is taken in the way it is intended. And I am not one of those people who call for someone to be fired when they make a mistake, but this is not about a mistake. It’s about a Chief Security Officer who has provided ample evidence that she has no business being any kind of “Security” anything.
Hopefully Oracle sees this, and Davidson will be able to pursue writing novels full-time; today’s environment has no room for a security officer who leans on EULAs as a security measure and treats people who work on security research (driving improvements in security) with utter disgust.
I won’t say too much about this situation. There’s a fantastic breakdown over at ZDNet. If you’re interested — in a train wreck kind of way — the text of the rant has been preserved on scribd. (Because the internet is forever, kids.)