As someone who lives in Kansas, I can tell you that the Wizard of Oz is something none of us can escape. Sure, there is a museum dedicated to the movie up near Liberal, Kansas, but that doesn't mean residents of the state don't get hammered with references to it. Most of the time this only happens when you travel out of state. Believe me, if you ever meet anyone who lives in Kansas, do them a favor and don't make a reference to the film: there isn't one we haven't heard before. I hadn't even officially moved to the state yet when I got my first taste of this, in Chicago's Union Station on the way back to Michigan for the holidays.
Anyway, there is a famous scene in the movie where Dorothy and her traveling companions learn that the all-powerful Wizard of Oz is really just a man, hiding behind technology and magic tricks to intimidate the people into giving him power. Toto, Dorothy's loyal dog, pulls back a curtain at the side of the room, and there is the "All Powerful" Wizard, standing in a booth and frantically turning wheels and pulling levers that release smoke and lightning around the far more intimidating image of him being projected at the back of the room.
These moments happen in life as well, and I call them Behind the Curtain moments. It's the moment when someone does or exposes something that suddenly makes clear what is really going on, and who is really in charge of a situation. You don't have to look very far to find these moments, especially in fields like politics. The business world has just suffered one of them.
Mary Ann Davidson, Chief Security Officer at Oracle (though one wonders for how long after this), published a blog post several days ago that gave us one of these Behind the Curtain moments. The post has since been taken down, but it lives on in infamy at the various places on the web that exist to archive things like this, proving once again that there is no such thing as deleting something from the internet. In the post, Davidson complains that customers who have purchased Oracle's products are reverse-engineering them in order to check them for security flaws. She goes on to whine (and it truly was a whine if you read the post) that this is a violation of the software's license agreement, and that if security bugs are found this way Oracle will fix them, although it "won't be happy about how it was found" and won't give those who found the bug any credit.
We can all understand that no company likes to have a bug in its software exposed. It is embarrassing and can cost the company money. But many companies, Microsoft for example, have no problem with security researchers doing exactly this kind of work on their software, and even reward those who find and report bugs with cash through bug bounty programs. These are forward-thinking companies that understand it will hurt them far less in the long run to have bugs exposed and patched before they are exploited than to have a bug lead to a major breach that is reported after the fact. Attackers, after all, are not bound by license agreements; forbidding legitimate researchers from reverse engineering the product does nothing to stop the people the ban is nominally aimed at, and only ensures that the vendor is the last to hear about the flaw.
The issue of software licensing is a complex one, and there are numerous articles and interviews with experts attesting that restrictive licensing within the software industry has negative effects, including suffocating progress. Davidson's candid blog post demonstrates one of those effects. Oracle software is expensive, ridiculously so. But in its market it is one of the few serious players, and from the user side it is not advantageous to be beholden to a single provider and simply trust that it will maintain and secure the product. This blog post, which you can read at the bottom of the article, is a prime example of how users can suffer when the company that created the product takes a lazy or lackadaisical attitude toward its security.
As part of its official response, Oracle removed the blog post, saying that it does not reflect the views of the company. Of course, you cannot ever remove anything from the internet, and so the post lives on. But a more interesting question is why the post appeared on the CSO's official corporate blog at all if it was not an accurate reflection of company values, particularly when the company in question has had numerous bugs exposed by independent researchers using the very methods Davidson was decrying. It shall be interesting to see the continued fallout from this Behind the Curtain moment.