Oracle’s Chief Security Officer, Mary Ann Davidson, made a bit of a FUBAR blog post yesterday which clearly enraged the infosec community, because it has been hastily deleted. However, thanks to Google and others, there are plenty of captures of the retracted text, one of which you can find here – Oracle Blog Webcache
You can read the full blog post via the link, but some of the Q&A provided by Davidson borders on arrogance at an industry level towards infosec researchers and consultants.
Q. What is reverse engineering?
A. Generally, our code is shipped in compiled (executable) form (yes, I know that some code is interpreted). Customers get code that runs, not the code “as written.” That is for multiple reasons such as users generally only need to run code, not understand how it all gets put together, and the fact that our source code is highly valuable intellectual property (which is why we have a lot of restrictions on who accesses it and protections around it). The Oracle license agreement limits what you can do with the as-shipped code and that limitation includes the fact that you aren’t allowed to de-compile, dis-assemble, de-obfuscate or otherwise try to get source code back from executable code. There are a few caveats around that prohibition but there isn’t an “out” for “unless you are looking for security vulnerabilities in which case, no problem-o, mon!”
If you are trying to get the code in a different form from the way we shipped it to you…