by fadesibert
1799 days ago
I just read the article (shamefacedly seeking confirmation bias - I wanted to say "Oracle bad") - but I ended up agreeing with her main points:
1) most of the "third party security researchers" customers were hiring were blindly running tooling and the FP rate was near 100%
2) They had found and were working on 87% of genuine issues
3) (and I don't 100% agree here) - the license agreement forbids decompiling the source code because IP. OK fair point (grudgingly admitted) but I take issue with "a contract freely entered into" - you have to accept the tos/eula if you want to use the product. Not entirely freely entered into...

All in all, I thought it was a balanced and well written post - much better than the usual corporate effluent ("We are thrilled to announce that we delight our customers in achieving their dreams of democratising toothbrushing").
"...that limitation includes the fact that you aren’t allowed to de-compile, dis-assemble, de-obfuscate..."
I genuinely don't care if a company wants to trapdoor their support contract with something like that. But it would make more sense for them to properly structure things so that they'd be able to look forward to nuisance tickets, instead of being driven to trying to convince the infosec world that they should just trust you - and feel bad for not doing so in the first place. In any case, the thrust of the argument she is making isn't about support contracts - it is framed much more broadly, which is why this post made so much noise at the time.