
Oracle attempt to hide cybersecurity incident from customers?

legitster

If you are already a customer of Oracle, I can't imagine this matters to you. You did not choose Oracle because it was a good product and they are a good company. You are a customer of Oracle because there was a backroom executive deal with the Devil. No one is surprised or outraged or even has any choices.

redleggedfrog

As my buddy from Oracle likes to say, "No one cares what we do as long as the flow of streak, coke, and strippers doesn't stop."

He's a big Zed Shaw fan.

legitster

Anytime Oracle is brought up is a great time to repost the famous Lawnmower quote:

> "As you know people, as you learn about things, you realize that these generalizations we have are, virtually to a generalization, false. Well, except for this one, as it turns out. What you think of Oracle, is even truer than you think it is. There has been no entity in human history with less complexity or nuance to it than Oracle. And I gotta say, as someone who has seen that complexity for my entire life, it's very hard to get used to that idea. It's like, 'surely this is more complicated!' but it's like: Wow, this is really simple! This company is very straightforward, in its defense. This company is about one man, his alter-ego, and what he wants to inflict upon humanity -- that's it! ...Ship mediocrity, inflict misery, lie our asses off, screw our customers, and make a whole shitload of money. Yeah... you talk to Oracle, it's like, 'no, we don't fucking make dreams happen -- we make money!' ...You need to think of Larry Ellison the way you think of a lawnmower. You don't anthropomorphize your lawnmower, the lawnmower just mows the lawn, you stick your hand in there and it'll chop it off, the end. You don't think 'oh, the lawnmower hates me' -- lawnmower doesn't give a shit about you, lawnmower can't hate you. Don't anthropomorphize the lawnmower. Don't fall into that trap about Oracle." - Bryan Cantrill

pedrocr

You elided the most famous quote from that diatribe. The lawnmower comparison is the expansion on:

"Do not fall into the trap of anthropomorphizing Larry Ellison"

A4ET8a8uTh0_v2

To be fair to Oracle: the lawnmower doesn't hate people... yet. This millennium is still young. And we keep adding connectivity and llms into everything.

ibejoeb

"Everyone Else Must Fail" is a good read.

xdavidliu

what's "streak"? do you mean steak?

bityard

I thought it was some kind of trendy alcohol that I hadn't heard of, that probably comes in a brown bottle


marcosdumay

You can search for that word definition.

rr808

The problem is the people who have to use Oracle aren't the ones getting the steak or strippers.

Aeolun

Isn’t that a feature?

keyle

"Oracle, where the Sun don't shine no more."


FlyingSnake

I’m sorry but I don’t get this Zed Shaw reference, what did I miss?

decompiled_dev

He's a popular blogger: https://zedshaw.com/

bigiain

Weapons grade infinite snark, probably.

He seems to have stopped blogging a few years back. I kinda miss his epic rants and Learning $whatever The Hard Way stuff. Part of me hopes them and whoever used to run n-gate moved to Portland and are now running a bespoke handmade piano business together or something.

BoppreH

I use Oracle Cloud for my personal projects because of their generous free tier[1] which includes 4x Ampere A1 cores, 24 GB of RAM, and 10 TB of outbound data transfer per month.

I was ready to jump ship if they changed the terms, but I was not expecting a security incident.

[1]: https://www.oracle.com/cloud/free/

protocolture

I was talking to a customer in a construction company that had its entire internal project management platform sold to Oracle. < This was why they couldn't manage their end of a large project.

Oracle futzed it, and after a complete roll of the construction firm's board of directors, they were in negotiations to buy their own program back for twice the price.

_fat_santa

I've started seeing ads for Oracle OCI in some podcasts I listen to so I think they are starting to see if they can attract customers outside of their "enterprise sales process".

I'm not sure who those ads are supposed to appeal to besides the podcasts hosts raking in the ad dollars.

brirec

I haven’t seen the ads, but Oracle Cloud is definitely the public cloud provider with the most generous free tier. That’s not to say you should use and trust them, but I can see why many would.

999900000999

You pay in other ways.

I understand if you have absolutely no money, but even then repeatedly trying to provision a server and getting an error - something like "no capacity available" - isn't a fun time.

Whatever, I'll pay $7 a month to not deal with that.

bigfatkitten

My personal multicloud strategy for many years was to make full use of the free tier on as many providers as necessary.

LPisGood

>”enterprise sales process”

I’m sorry, is Oracle known to be some super sleazy sales org that plies enterprise decision makers with strippers and cocktails, and drugs?

bigiain

I have absolutely no idea if you are being facetious or naive there.

Yes. Oracle is absolutely the tech vendor that's going to be dropped on the engineering team with zero input and no consideration for whether it fits the problems they have, after your CTO spends a few days on the golf course and high end steak restaurants and, depending on how much money their enterprise sales team thinks they have, either high class escorts or sleazy strip joints. Given how common that story (or one very like it) is, I'm close to 100% certain those trips also include discreet photographers and hotel rooms wired with 4k video recording.

sidewndr46

I imagine Larry Ellison gave this exact speech right after this incident became public.

noja

If the tables were turned, Oracle would be taking advantage of the situation.

Take note.

nerdjon

This is honestly wild.

Whether we like it or not, security incidents have become so commonplace in the last several years that if they had just admitted to it, this entire story would have likely been shrugged off and mostly forgotten about in a couple of days. Instead it is turning into an entire thing that just seems to be getting deeper and deeper. (Not downplaying the security incident, but that is the unfortunate reality.)

Seriously, if I can't trust that I am going to actually be told and not lied to when there is a security incident, at the bare minimum, why would I choose to work with a company? What is Oracle's end goal here?

Are they somehow really confident that this didn't happen, maybe they don't have the logs to confirm it? Trying to think about how this is anything except them just straight up lying.

I can't remember the last time we saw a company this strongly try to deny that something like this happened. Especially when according to Ars Technica:

> On Friday, when I asked Oracle for comment, a spokesperson asked if they could provide a statement that couldn’t be attributed to Oracle in any way. After I declined, the spokesperson said Oracle would have no comment.

lucianbr

I'm guessing nobody chooses to work with Oracle anymore for reasons or in situations that we would consider reasonable. It's probably either governments contracts, with or without corruption, companies already locked in, contracts made by executives that don't really understand technology, that sort of thing.

UltraSane

I worked as a contractor for the Wisconsin state government and they had hundreds of Oracle databases that they were consolidating on the Oracle EXADATA11 servers. Insane having hardware that can only run Oracle but the Oracle DBA said that the Exadata was dozens of times faster than Oracle on VMware VMs.

3acctforcom

Lies. Fucking lies. We were a three environment shop until we moved to Exa and the compute/$ ratio is so bad that we had to cut it down to two.

But we're talking about Oracle here so that's par for the course.

MPSFounder

Actually, it is mostly companies who are too reluctant to change. If it works, keep it as is, even if better technologies are the norm nowadays. Maybe this will help them move away from this obsolete Larry Ellison crapshot

wruza

> If it works, keep it as is

That's a good principle though. It doesn't make the initial choice good today or even back then. But change is always a risk that may not be worth it, cause you have to make sure that the inevitable semi-chaos coming with it is at all times lower than what you have. And analyzing that may be hard.

> Maybe this will help them move away from this obsolete Larry Ellison crapshot

This creates positive incentives, so yes.

IOW, everything probably goes as it should, really.

sylens

Security incidents have become so commonplace that the fact that they happen is not the newsworthy event; rather, it's how a company responds to them that is the newsworthy event. And Oracle flunked this test.

cookiengineer

Note that it was an almost 4 year old already disclosed CVE which was used. Oracle messed up, big time. That's why they're trying to get rid of all incriminating evidence for potential lawsuits.

https://nvd.nist.gov/vuln/detail/cve-2021-35587

londons_explore

My guess is that admitting a security incident triggers lots of contractual clauses.

They have probably decided it's cheaper to simply deny the event (therefore not triggering those clauses).

If it gets to court, Oracle will find some expert who says there was no incident, and the other side will present clear evidence there was an incident, but the non-technical judge will probably still not be sure.

sofixa

> Seriously, if I can't trust that I am going to actually be told and not lied to when there is a security incident, at the bare minimum, why would I choose to work with a company? What is Oracle's end goal here?

I think you're coming at this from the wrong point of view. Oracle couldn't care in the slightest about what regular people think of them. Remember, they are the company that sent lawyers after the employers of folks who downloaded non-free but bundled-by-default extensions to VirtualBox, and the company that declared that you need to license every core their software could _potentially_ run on in your virtualisation estate (so if you have an 8 vCPU VM for some Oracle software, you need licenses for however many physical cores you have on your cluster). They've variously been described as a law firm with an engineering side business, and One Rich Asshole Called Larry Ellison. Speaking of whom, he multiple times flat out lied on stage to make his shitty "cloud" nobody cares about seem relevant compared to AWS.

Nobody buys Oracle because they like them or their good reputation. You buy them because you have legacy stuff that depends on them and you have no choice (even Amazon took many years to get off Oracle databases, and they wrote a gloating success story once they were done with it because they were that happy to be rid of the leeches), or because your bosses' boss was convinced at a golf course they're getting a good deal. Or because their bandwidth is very cheap and you accept the risk of dealing with the devil incarnate with zero morals. (cf. Zoom).

Oracle is like Broadcom. Everyone hates their guts, everyone who worked there has a black mark on their CV. Yet they persist, continue leeching off companies too scared to make the jump elsewhere.

geodel

> everyone who worked there has a black mark on their CV. Yet they persist, continue leeching off companies too scared to make the jump elsewhere.

This is just your opinion. Most people I know who work there feel just fine, if not very happy. Pay/benefits are good. Work is about the same everywhere. In fact, depending on the group, there may be good, challenging technical work there.

As far as the CV is concerned, working there is mostly positive or at worst neutral in terms of job change.

> Nobody buys Oracle because they like them or their good reputation.

Oracle is quite expensive, but they have a reputation for a solid database for enterprise workloads.

Also their cloud business is doing fine and growing and not irrelevant. One can see that from their quarterly results.

sofixa

> Work is about same everywhere

Well, no. When a customer at my job makes a mistake, we don't send lawyers chasing after them because we're assholes. And when someone proposes something that will hurt those customers, people speak up and voice their disagreement.

senderista

I wonder if the senior engineering talent OCI poached from AWS (including the guy who introduced formal methods to AWS) is still there?

mandevil

My wife is a hospital pharmacist. Cerner is a popular EMR system, ~#2 in the market (behind Epic). These systems are ridiculously difficult to change between (everyone from your front check-in desk to every surgeon who has privileges needs to be trained on how the new system works, in addition to the technical problems with ETL'ing all your data over, and each hospital has an enormous amount of customization done to their workflows that has to be ported over to the new system) - she's done that twice at two different places and it was a huge process, 18 months minimum. So these EMRs have an enormous amount of lock-in.

The punchline is, in 2022 Oracle purchased Cerner, renamed it Oracle Health, and started accelerating the process of enshittifying it. I have to tip my hat to them, it's like their BizDev team found a market segment that had as much lock-in as SQL databases do, and are now trying to replicate all the evil tricks they learned from that in another market segment. Because what are hospitals but giant bags of money to be drained so Larry Ellison can buy another yacht?

Spooky23

True, but with one exception that I saw (Memorial Sloan Kettering), every EMR that isn’t Epic is a steaming pile. And I think MSK is switching.

devsda

> everyone who worked there has a black mark on their CV

I hope this is hyperbole. Rank and file employees are not responsible for corporate policy or direction, especially in places like Oracle.

decimalenough

It really isn't. Oracle has had a terrible reputation since forever, and every ex-Sun engineer I've met has taken great pains to explain they did not join Oracle voluntarily.

It's kind of like working for a tobacco company or arms manufacturer in payroll or something: you're not directly responsible for killing millions of people, but by choosing to work there you're still kind of condoning it.

neilv

Coincidentally, I posted an Ask HN on that same question (actually prompted by a post on a different company today), but it hasn't gotten upvoted yet:

Ask HN: Do you penalize hiring candidates from companies that do shady things? | 1 point by neilv 1 hour ago| 3 comments | https://news.ycombinator.com/item?id=43538530

viraptor

They're not responsible for the policy, but typically when you're thinking of a job at Oracle, you likely can have other options. At least if we're talking about software engineers and similar people. I was being recommended for a position by friends who moved there and I refused, because it's a shit company. The money is not worth it. It's the whole "contractors on the Death Star" thing from Clerks.

hdjjhhvvhga

That's why in Europe there are strict laws regarding lax security of customer data and companies can be fined with a percentage of their turnover - which in the case of Oracle could hurt a bit.

autoexec

There are various state laws that require companies to notify their customers of security breaches, but they lack enforcement/teeth so they're routinely ignored. It'll never happen in our current environment but we really need a federal law that causes violators enough pain that companies will actually bother to follow the law.

TrueDuality

While that's true, many enterprise customers are going to have MSAs with notification requirements that have contractual punishments for failure to notify of material security incidents. Those are probably what Oracle is trying to avoid.

asciii

I believe enterprise customers are not going to care much unless it helps with lowering existing costs.

OTOH, Oracle as part of BSA can demand an audit so they will inflict / make up reason to also punish (i.e. licensing or pull support). The business could invoke an MSA punishment clause and win temporarily but it will cause a headache going forward (further demands from Oracle, higher costs etc.)

Either way, Oracle gets what they want.

praptak

Unless the customer already wants to ditch Oracle.

eru

I don't get your argument.

Wouldn't adding teeth to the state laws be the right thing to do?

prdonahue

We're primarily an AWS shop but some Oracle BDR assigned to cover us recently reached out on LinkedIn.

I asked for an incident report and received this terse response:

> There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.

decimalenough

Per the article, Oracle has hastily rebranded the breached service as "Oracle Classic", for the sole purpose of being able to claim with a straight face that "Oracle Cloud" was not impacted.

smithkl42

FWIW, that doesn't appear to be a "hasty rebrand" - Oracle has had this distinction for a long time.

https://docs.oracle.com/en/cloud/saas/enterprise-performance...

decimalenough

The hacker has demonstrated that they have/had write access to URLs under login.us2.oraclecloud.com. It's incredibly disingenuous on Oracle's part to claim that this is not "Oracle Cloud".

blast

That exact statement is quoted in the OP too.

prdonahue

Yeah, they've clearly been given some minimal company line and aren't deviating from it. Not going to win any trust.

mrbluecoat

> NetSuite will indemnify Customer up to an amount equal to five (5) times the equivalent of 12 months of license fees applicable at the time of the event, from and against any Losses incurred by Customer

https://www.sec.gov/Archives/edgar/data/1428669/000119312508...

mentalgear

Ah, another notch in the belt for Larry Ellison's Oracle data security scandals.

Matches Larry's other political and societal scandals.

jjice

Tangential, but there’s an old interview with Ellison where he said that Amazon would never be able to get off of Oracle DB because it’s too critical a piece of software. This was in response to Amazon announcing it was something they had planned.

Amazon got it done ahead of schedule and there’s a video of them popping champagne to celebrate when they shut the last server down.

I’m not a big Amazon fan, but the enemy of my enemy is my friend.

islanderfun

Post-truth era is wild. But this seems like standard Oracle behavior for a while now.

homiedk

The troubling aspect (besides the denials, of course) is the absence of controls that should have sniffed this out ASAP. Apparently:

- no passive network monitors showing an unknown IP/MAC/location
- no SOAR to kill off the attempts to gain a foothold/move laterally
- no alerts on the above or anything else in the SOC

tmpz22

Its times like this Oracle needs to lean on its good reputation and ask for forgiveness from the customers they've been loyal to for so long.

cptskippy

> Oracle needs to lean on its good reputation

It's what now?

noodlesUK

Something tells me parent implied the /s.


edgineer

> the customers they've been loyal to

...who?

layman51

The scary thing is that Oracle is able to take down items from Archive.org.

1970-01-01

I hear fines are up to thousands of dollars now.