by xs 1800 days ago
Oh wonderful. So that means John Deere can drop all the lawsuits against farmers who try to repair their own tractors since farmers didn't break any law. Right?

Farmers don't have the right to compel John Deere to open their source code.
JD doesn't necessarily need to open their source code, it just has to be legal for others to disassemble and analyse their software and publish the results --- just like you can do with practically every physical object you own.
Heh, did anyone else have a flashback to Mary Ann Davidson, the CSO at Oracle, railing against customers who independently audit the security of products they purchase? Fun times.

https://web.archive.org/web/20150811052336/https://blogs.ora...

I just read the article (shamefacedly seeking confirmation bias - I wanted to say "Oracle bad") - but I ended up agreeing with her main points: 1) most of the "third party security researchers" customers were hiring were blindly running tooling and the FP rate was near 100% 2) They had found and were working on 87% of genuine issues 3) (and I don't 100% agree here) - the license agreement forbids decompiling the source code because IP. OK fair point (grudgingly admitted) but I take issue with "a contract freely entered into" - you have to accept the tos/eula if you want to use the product. Not entirely freely entered into...

All in all, I thought it was a balanced and well-written post - much better than the usual corporate effluent ("We are thrilled to announce that we delight our customers in achieving their dreams of democratising toothbrushing").

Huh, I guess we are truly screwed if that blog post seemed in any way reasonable to you. It makes me think of that time in the late 90s when there was a serious push to make "hacking tools" like disassemblers illegal... dunno if the present crowd would have the sense to combat that like the oldtimers did.

"...that limitation includes the fact that you aren’t allowed to de-compile, dis-assemble, de-obfuscate..."

I genuinely don't care if a company wants to trapdoor their support contract with something like that. But it would make more sense for them to properly structure things so that they'd be able to look forward to nuisance tickets, instead of being driven to trying to convince the infosec world that they should just trust you - and feel bad for not doing so in the first place. In any case, the thrust of the argument she is making isn't about support contracts - it is framed much more broadly, which is why this post made so much noise at the time.

Source code has been compelled in discovery in many, many lawsuits.

Perhaps you've heard of Oracle Am., Inc. v. Google Inc.?

Or SCO Group, Inc. v. International Business Machines Corp.?

Not even close to the same use of the word - coerce is probably a better term.
They totally have the right to yell and scream at John Deere all they want.