Comment by nerdjon
5 days ago
This is honestly wild.
Whether we like it or not, security incidents have become so commonplace in the last several years that if they just admitted to it, this entire story would have likely been shrugged off and mostly forgotten about in a couple days, but instead it is turning into an entire thing that just seems to be getting deeper and deeper. (Not downplaying the security incident, but that is the unfortunate reality).
Seriously, if I can't trust that I am going to actually be told and not lied to when there is a security incident at the bare minimum, why would I choose to work with a company? What is Oracle's end goal here?
Are they somehow really confident that this didn't happen, maybe they don't have the logs to confirm it? Trying to think about how this is anything except them just straight up lying.
I can't remember the last time we saw a company this strongly try to deny that something like this happened. Especially when according to Ars Technica:
> On Friday, when I asked Oracle for comment, a spokesperson asked if they could provide a statement that couldn’t be attributed to Oracle in any way. After I declined, the spokesperson said Oracle would have no comment.
I'm guessing nobody chooses to work with Oracle anymore for reasons or in situations that we would consider reasonable. It's probably either government contracts, with or without corruption, companies already locked in, contracts made by executives that don't really understand technology, that sort of thing.
I worked as a contractor for the Wisconsin state government and they had hundreds of Oracle databases that they were consolidating on the Oracle EXADATA11 servers. Insane having hardware that can only run Oracle but the Oracle DBA said that the Exadata was dozens of times faster than Oracle on VMware VMs.
Lies. Fucking lies. We were a three environment shop until we moved to Exa and the compute/$ ratio is so bad that we had to cut it down to two.
But we're talking about Oracle here so that's par for the course.
Actually, it is mostly companies who are too reluctant to change. If it works, keep it as is, even if better technologies are the norm nowadays. Maybe this will help them move away from this obsolete Larry Ellison crapshot
> If it works, keep it as is
That's a good principle though. It doesn't make the initial choice good today or even back then. But change is always a risk that may not be worth it, cause you have to make sure that the inevitable semi-chaos coming with it is at all times lower than what you have. And analyzing that may be hard.
> Maybe this will help them move away from this obsolete Larry Ellison crapshot
This creates positive incentives, so yes.
IOW, everything probably goes as it should, really.
> Seriously, if I can't trust that I am going to actually be told and not lied to when there is a security incident at the bare minimum, why would I choose to work with a company? What is Oracle's end goal here?
I think you're coming at this from the wrong point of view. Oracle couldn't care in the slightest about what regular people think of them. Remember, they are the company that sent lawyers after the employers of folks who downloaded non-free but bundled by default extensions to VirtualBox, and the company that declared that you need to license every core their software could _potentially_ run on in your virtualisation estate (so if you have an 8 vCPU VM for some Oracle software, you need licenses for however many physical cores you have on your cluster). They've variously been described as a law firm with an engineering side business, and One Rich Asshole Called Larry Ellison. Speaking of whom, he multiple times flat out lied on stage to make his shitty "cloud" nobody cares about seem relevant compared to AWS.
Nobody buys Oracle because they like them or their good reputation. You buy them because you have legacy stuff that depends on them and you have no choice (even Amazon took many years to get off Oracle databases, and they wrote a gloating success story once they were done with it because they were that happy to be rid of the leeches), or because your bosses' boss was convinced at a golf course they're getting a good deal. Or because their bandwidth is very cheap and you accept the risk of dealing with the devil incarnate with zero morals. (cf. Zoom).
Oracle is like Broadcom. Everyone hates their guts, everyone who worked there has a black mark on their CV. Yet they persist, continue leeching off companies too scared to make the jump elsewhere.
> everyone who worked there has a black mark on their CV. Yet they persist, continue leeching off companies too scared to make the jump elsewhere.
This is just your opinion. Most people I know who work there feel just fine if not very happy. Pay/benefits are good. Work is about the same everywhere. In fact, depending on the group, there may be good, challenging technical work there.
As far as CV is concerned, working there is mostly positive or at best neutral in terms of job change.
> Nobody buys Oracle because they like them or their good reputation.
Oracle is quite expensive, but they have a reputation as a solid database for enterprise workloads.
Also, their cloud business is doing fine and growing and not irrelevant. One can see that from their quarterly results.
> Work is about same everywhere
Well, no. When a customer at my job makes a mistake, we don't send lawyers chasing after them because we're assholes. And when someone proposes something that will hurt those customers, people speak up and voice their disagreement.
I wonder if the senior engineering talent OCI poached from AWS (including the guy who introduced formal methods to AWS) is still there?
My wife is a hospital pharmacist. Cerner is a popular EMR system, is ~#2 in the market (behind Epic). These systems are ridiculously difficult to change between (everyone from your front-check-in desk to every surgeon who has privileges needs to be trained on how the new system works in addition to the technical problems with ETL'ing all your data over, and each hospital has an enormous amount of customization done to their workflows that has to be ported over to the new system). She's done that twice at two different places and it was a huge process, 18 months minimum. So these EMRs have an enormous amount of lock-in.
The punchline is, in 2022 Oracle purchased Cerner, renamed it Oracle Health, and started accelerating the process of enshittifying it. I have to tip my hat to them, it's like their BizDev team found a market segment that had as much lock-in as SQL databases do, and are now trying to replicate all the evil tricks they learned from that in another market segment. Because what are hospitals but giant bags of money to be drained so Larry Ellison can buy another yacht?
True, but with one exception that I saw (Memorial Sloan Kettering), every EMR that isn’t Epic is a steaming pile. And I think MSK is switching.
> everyone who worked there has a black mark on their CV
I hope this is hyperbole. Rank and file employees are not responsible for corporate policy or direction, especially in places like Oracle.
It really isn't. Oracle has had a terrible reputation since forever, and every ex-Sun engineer I've met has taken great pains to explain they did not join Oracle voluntarily.
It's kind of like working for a tobacco company or arms manufacturer in payroll or something: you're not directly responsible for killing millions of people, but by choosing to work there you're still kind of condoning it.
Coincidentally, I posted an Ask HN on that same question (actually prompted by a post on a different company today), but it hasn't gotten upvoted yet:
Ask HN: Do you penalize hiring candidates from companies that do shady things? | 1 point by neilv 1 hour ago| 3 comments | https://news.ycombinator.com/item?id=43538530
They're not responsible for the policy, but typically when you're thinking of a job at Oracle, you likely can have other options. At least if we're talking about software engineers and similar people. I was being recommended for a position by friends who moved there and I refused, because it's a shit company. The money is not worth it. It's the whole "contractors on Death Star" thing from Clerks.
Security incidents have become so commonplace that the fact that they happen is not the newsworthy event; rather, it's how a company responds to them that is the newsworthy event. And Oracle flunked this test.
Note that it was an almost 4 year old already disclosed CVE which was used. Oracle messed up, big time. That's why they're trying to get rid of all incriminating evidence for potential lawsuits.
https://nvd.nist.gov/vuln/detail/cve-2021-35587
My guess is that admitting a security incident triggers lots of contractual clauses.
They have probably decided it's cheaper to simply deny the event (therefore not triggering those clauses).
If it gets to court, Oracle will find some expert who says there was no incident, and the other side will present clear evidence there was an incident, but the non-technical judge will probably still not be sure.
That's why in Europe there are strict laws regarding lax security of customer data and companies can be fined with a percentage of their turnover - which in the case of Oracle could hurt a bit.