Oracle CSO to Customers: Leave the Vulnerabilities to Us

[Mary Ann Davidson], chief security officer of Oracle, is having a bad Tuesday. The internet has been alight these past few hours over a blog post published and quickly taken down from Oracle's servers. (archive) We're not 100% sure the whole thing isn't a hack of some sort. Based on [Mary's] previous writing, though, it seems to be legit.

The TL;DR version of Mary’s post is that she’s sick and tired of customers reverse engineering Oracle’s code in an attempt to find security vulnerabilities. Doing so is a clear violation of Oracle’s license agreement. Beyond the message, the tone of the blog says a lot. This is the same sort of policy we’re seeing on the hardware side from companies like John Deere and Sony. Folks like [Cory Doctorow] and the EFF are doing all they can to fight it. We have to say that we do agree with [Mary] on one point: Operators should make sure their systems are locked down with the latest software versions, updates, and patches before doing anything else.

[Mary] states that "Bug bounties are the new boy band", that they simply don't make sense from a business standpoint. Only 3% of Oracle's vulnerabilities came from security researchers; the rest come from internal company testing. The fact that Oracle doesn't have a bug bounty program might have something to do with that. [Mary] need not worry. Bug bounty or not, she's placed her company squarely in the cross-hairs of plenty of hackers out there – white hat and black hat alike.

Hacking: a disobedient act that drives change

[Adam Dachis] published an essay a couple of days ago called Why We Hack. In it he discusses the outlook that hacking, on all of its various levels, is a simple form of disobedience. We have to agree with him. Manufacturers would like you to think that voiding the warranty is as good as smashing the product to bits. But we all know that if you can’t crack it open you don’t really own it. [Adam] says we can sit around and complain about it, or we can do better. So crack it open, dump the firmware, and make it do your bidding.

If you haven't already seen it, you should also go back and watch [Cory Doctorow's] keynote address from Toorcon 8. He discusses freedom of information and hits especially hard on End User License Agreements (EULAs) and the ills they cause. We've never seen someone hit the target quite as well as he does in this fantastic speech.

Dell Mini 9 OSX install


Installing OSX on commodity PC hardware has advanced a lot since the early days of OSx86, when Apple switched to Intel. With the advent of netbooks, a new target platform has emerged; one that doesn't have an official Apple equivalent. The small number of models means that it's easy to find someone else who has the same machine as you, but it still takes some digging through forums to bring all the pieces together. Gizmodo has done this and compiled a comprehensive guide for the Dell Mini 9. The Mini 9 is a very nice machine and, according to Boing Boing Gadgets' chart, one of the most compatible with OSX. Earlier this week you could purchase a new one for just $200.

For Gizmodo's install, they used a Leopard retail DVD with [Type11]'s bootloader. They're breaking the EULA, but at least it's not piracy. They had to use both a DVD drive and a USB hard drive because device recognition was flaky. Despite this, the actual install process doesn't appear to be too difficult. They say all the hardware works: "The Mini 9 is a beautiful OS X machine." Check out this Hackit to learn about netbook OSX experiences from other Hack a Day readers.