Risky Business #803 – Oracle's CSO Mary Ann Davidson Quietly Departs
Podcast: Risky Business
Host: Patrick Gray
Guest: Adam Boileau
Date: August 20, 2025
Episode Theme: An eventful week in cybersecurity news, dominated by the abrupt and mysterious departure of Oracle CSO Mary Ann Davidson, with in-depth discussion of associated industry impacts, plus a run through major security incidents, policy controversies, and product updates.
Main Theme & Purpose
This episode covers the surprise exit of Mary Ann Davidson, Oracle’s long-time CSO, speculates about her legacy and the possible reasons for her departure, and pivots into a comprehensive review of the week’s most significant cybersecurity happenings. It blends sharp industry analysis, irreverent humor, and direct commentary on current events.
Key Discussion Points & Insights
1. Mary Ann Davidson’s Departure from Oracle ([00:06]–[07:13])
- Abrupt Departure: Oracle’s CSO Mary Ann Davidson has left the company quietly, right after a major Oracle Cloud incident.
- Speculation on Causes:
  - The timing raises questions about causal links to the recent “legacy cloud” breach.
  - Oracle’s denial, poor communication, and subsequent backpedaling over the incident are lambasted.
  - Quote: “They denied the incident…They were bull—. I’m sorry to production people for having to beep that, but that’s what they were doing.” – Patrick Gray [01:53]
- Davidson's Controversial Legacy:
  - Notorious opposition to full disclosure and bug-hunting in Oracle products.
  - Aggressively threatened legal action against reverse engineers even amidst ongoing product insecurity.
  - Quote: “Don’t go looking for bugs in our products. That’s our job… We will pursue legal action…” – Patrick Gray [03:01]
- Industry Impact:
  - Despite poor researcher relations, Oracle “did fine”, showing big companies can mistreat security researchers without obvious short-term penalty.
  - Davidson’s age, length of tenure (40 years), and the “unbreakable” branding fiasco discussed.
  - Quote: “This counts against the theory that her departure is linked to this incident because it would be the first time Oracle actually took any concrete step…” – Patrick Gray [03:01]
2. Zelle Fraud Lawsuit in the US ([07:13]–[09:47])
- Allegations:
  - NY AG Letitia James sues Zelle over delayed anti-fraud controls.
  - The lawsuit claims controls developed in 2019 weren’t implemented until 2023, costing users millions.
  - Growth prioritized over security until compelled by growing losses.
- Industry Pattern:
  - “Regulatory escape velocity” discussed – platform growth outpacing regulation until entrenched as “too big to fail”.
  - “Security isn’t a thing you can bolt on afterwards and hope.” – Adam Boileau [08:47]
3. China-Based Brokerage Account Fraud ([09:47]–[12:34])
- Krebs’ Write-Up:
  - Large-scale Chinese fraud group pivots from wallet fraud to exploiting brokerage accounts for penny stock manipulation.
  - Industrial scale, rapidly adapting tactics, leveraging account compromise for money laundering.
- Traceability & Repercussions:
  - Tactics are increasingly sophisticated, but not immune to tracing—yet legal recourse is limited.
4. TeaOnHer: Vulnerable Incel App ([12:50]–[15:23])
- Echoing the Tea App’s Flaws:
  - A reactionary “TeaOnHer” app, coded in response to the original women’s “Tea” review app, is found to be catastrophically insecure.
  - No authentication; exposes sensitive submissions, including ID scans.
  - TechCrunch’s reporting process and the developer’s comically inept response are detailed.
  - “Did you have to enter a password at any point in the development of this thing?” – Adam Boileau [15:02]
5. UK vs. Apple Over Encrypted Data ([15:23]–[19:02])
- Controversy and Uncertainty:
  - Dispute centers on a UK Technical Capability Notice (TCN) requesting access to US Apple user data.
  - Apple disables Advanced Data Protection (ADP) in the UK, possibly rendering the request moot.
  - Much reporting based on a single, ambiguously worded official tweet.
  - “It feels like political talky talky and not actual thing happened…” – Adam Boileau [18:15]
6. Workday “CRM Breach” (Likely Salesforce) ([19:02]–[21:47])
- Supply Chain Attack:
  - Attackers compromise staff accounts at Workday’s third-party CRM (strongly suspected to be Salesforce).
  - Use CRM access to harvest customer contact info, attempt extortion.
- Industry Context:
  - As with recent Google and other incidents, similar social engineering and extortion tactics proliferate.
7. Russia’s Messaging Clampdown and Propaganda ([21:49]–[24:06])
- Migration to Max:
  - Russia restricts WhatsApp and Telegram, justifying it with a dubious “cybercrime” pretext to propel adoption of the state-approved “Max” messenger.
  - Pretexts compared to historical propaganda (e.g., Iraq WMDs).
  - “Absolutely zero crimes happen on Max.” – Adam Boileau [22:58]
8. Canadian Parliament Hack via Microsoft Vulnerability ([24:06]–[25:15])
- Attribution: Assumed Chinese actors, plausible based on previous Five Eyes targeting patterns.
- Details Scarce: Likely SharePoint on-prem exploit; stolen data included job and device info.
9. Norway Dam ICS Hack ([25:15]–[26:30])
- Pro-Russian Hacktivists: Attacked industrial control at a non-hydro dam, but failed to cause meaningful harm due to strong controls.
- Growing Threat: Symbolic indicator of hacktivist reach and ICS resilience.
10. CISA’s OT Asset Inventory Guidance ([26:30]–[29:00])
- Practical Tooling: New, sensible guidance for ICS/OT operators to audit assets—especially beneficial for small/local utilities with limited teams.
- Includes: Sample models, worked examples, taxonomy for asset registers. Seen as a practical regulatory-preparedness measure.
11. Fortinet’s Latest Catastrophic Auth Bypass ([29:00]–[31:04])
- “Fort majeure” Bug: “Auth bypass leading to access in FortiWeb.”
- Criticism: Simple fuzzing would have revealed it; proof that Fortinet failed basic security diligence.
- Emotional Response: “It offends me in that kind of, you know, deep security place…” – Adam Boileau [30:33]
12. International Scandal: Israeli Official at Black Hat ([31:04]–[32:21])
- Controversy Mix: Arrest of senior Israeli cyber official for underage sex crime allegations, wild rumors of US governmental intervention (State Department denies).
- Media Circuses: Story has all ingredients for internet controversy.
13. Southeast Asian Scam Compounds & Sextortion ([32:21]–[36:17])
- Research: International Justice Mission links major scam compounds (Cambodia, Myanmar, Laos) to industrial-scale sextortion, especially targeting children.
- Scope: Thousands, possibly tens of thousands, of cases—worst online crime with real-world tragic impact.
- Business Model Evolution: Financial and sextortion crimes merge; compounding misery since forced “employees” are often trafficked as well.
- Quote: “I wish for the most horrible things imaginable to happen to them because they're the ones doing this, you know, making a business decision to pivot into these types of crimes.” – Patrick Gray [34:29]
14. Phrack’s 40th Anniversary Edition Released ([36:17]–[36:58])
- Significance: The legendary hacking e-zine persists, now 40 years strong, continuing its tradition and expanding infosec cultural history.
15. CyberCX Acquisition by Accenture: A Rare Roll-Up Success ([36:58]–[43:46])
- Deal: Accenture acquires CyberCX (Australia’s largest security consultancy roll-up) for ~$1 billion AUD.
- Why It Worked: Broader service integration (pen testing, IR, managed security, cloud). Not just a collection of boutique consultancies; genuinely value-added.
- Founders' Windfall: Participants see significant delayed payouts after multiyear earnouts—model finally demonstrates the roll-up can succeed.
- Industry Implication: Illustrates maturation of security sector: from “beardy hacker dudes” to enterprise-scale integrated operations.
- Quote: “Security is now sufficiently important that you have to get all of those parts together. And that's kind of why I felt like it worked this time as opposed to… ones that didn't work because they were a bit too limited in their ambition and in their scope.” – Adam Boileau [41:28]
Notable Quotes & Moments
- "They were bullshit... They said, ‘Oh no, our cloud was not owned.’ And then later on it turned into, ‘well, our real cloud wasn’t owned, but there was some legacy cloud.’” — Patrick Gray [01:53]
- “Oracle is just to the moon… I think the lesson here could be you can treat security researchers like absolute trash… and nothing bad happens.” — Patrick Gray [05:54]
- “Security isn’t a thing that you can bolt on afterwards and hope. Well, the irony is it is exactly what everybody does.” — Adam Boileau [08:47]
- “It’s not controversial to say… among security researchers… she’s a pretty controversial figure and a lot of people are literally going to be dancing on a professional grave here.” — Patrick Gray [04:32]
- “Did you have to enter a password at any point in the development of this thing?” — Adam Boileau [15:02]
- “Absolutely zero crimes happen on Max.” — Adam Boileau [22:58]
- “Solving these problems takes more serious business than… a bunch of hoodie-wearing Bogan t-shirt wearing nerds who just like computer hacking, you know.” – Adam Boileau [43:07]
Timestamps of Important Segments
| Topic | Timestamps |
|---|---|
| Oracle CSO Mary Ann Davidson Departs | 00:06 – 07:13 |
| Zelle Lawsuit and Fraud Controls | 07:13 – 09:47 |
| China Brokerage Account Fraud | 09:47 – 12:34 |
| “TeaOnHer” App (Security Disaster) | 12:50 – 15:23 |
| UK-Apple Encryption Controversy | 15:23 – 19:02 |
| Workday CRM Account Breach | 19:02 – 21:47 |
| Russia Restricts WhatsApp/Telegram | 21:49 – 24:06 |
| Canada House of Commons Hack | 24:06 – 25:15 |
| Norwegian Dam ICS Attack | 25:15 – 26:30 |
| CISA OT Asset Guidance | 26:30 – 29:00 |
| Fortinet “Fort majeure” Bug | 29:00 – 31:04 |
| Israeli Official Black Hat Scandal | 31:04 – 32:21 |
| SE Asian Scam Compounds & Sextortion | 32:21 – 36:17 |
| Phrack’s 40th Anniversary | 36:17 – 36:58 |
| CyberCX Roll-Up & Accenture Acquisition | 36:58 – 43:46 |
Sponsor Interview: authentik IdP Feature Progress ([45:04]–[57:46])
Guest: Fletcher Heisler (CEO, authentik)
- New Feature: Integration of SSO direct login/unlock for Windows workstations (true single sign-on experience).
- Development was far harder on Windows than on Linux (the Linux PAM integration was a weekend hack; the Windows side took months and contractors).
- “Jens came back with a Linux PAM integration after a weekend. That was a nice, refreshing little jaunt through a hackathon after the challenge of the Windows side.” – Fletcher Heisler [45:32]
- Use Case: Federal air-gapped instances, 911 centers with call-taker logins, biometric and compliance needs.
- Open Source Angle: Most features to remain code-available; Windows-specific integration might be a commercial/enterprise offering.
- Security Assurance: External expert audits/pen tests scheduled, results to be published.
- Back Channel Logout: Implemented per standard for session invalidation, but real-world benefit depends on SaaS and app providers actually integrating the protocol.
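The back-channel logout bullet above describes a protocol rather than a product feature: assuming the standard meant is OpenID Connect Back-Channel Logout 1.0, the IdP POSTs a signed `logout_token` JWT to each relying party's logout endpoint, and the relying party must validate that token and then end the matching local sessions itself, which is why the benefit depends on the receiving apps doing their half. The following is an added example written for this summary, not authentik's code; it assumes an HS256 client-secret signing arrangement (an RS256 deployment would verify against the IdP's JWKS, with identical claim checks), and the issuer, client id, secret, session ids and fixed clock are all constructed values.

```python
"""Relying-party side of OIDC Back-Channel Logout: validate the logout token, then revoke sessions."""
import base64
import hashlib
import hmac
import json

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed demo values; a real RP reads these from its client registration.
ISSUER = "https://idp.example.test"
CLIENT_ID = "rp-app"
CLIENT_SECRET = b"constructed-demo-secret"
NOW = 1755648000  # fixed clock so the run is deterministic


class LogoutTokenError(ValueError):
    """Token failed validation: the RP answers HTTP 400 and revokes nothing."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact JWS the way an HS256-configured IdP would (used here to build samples)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_logout_token(token: str, secret: bytes, issuer: str, client_id: str,
                          now: int, max_skew: int = 120) -> dict:
    """Apply the logout-token checks the spec requires before any session is touched."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:  # bad part count, bad base64 and bad JSON all land here
        raise LogoutTokenError("malformed token") from exc
    # Pin the algorithm to what was registered; never trust the token's own "alg".
    if header.get("alg") != "HS256":
        raise LogoutTokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise LogoutTokenError("bad signature")
    if claims.get("iss") != issuer:
        raise LogoutTokenError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("token not addressed to this client")
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > max_skew:
        raise LogoutTokenError("iat missing or outside the accepted window")
    if "exp" in claims and now >= claims["exp"]:
        raise LogoutTokenError("token expired")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise LogoutTokenError("missing backchannel-logout event")
    if "sub" not in claims and "sid" not in claims:
        raise LogoutTokenError("token must carry sub and/or sid")
    if "nonce" in claims:  # a logout token is not an ID token; nonce must be absent
        raise LogoutTokenError("nonce is prohibited in logout tokens")
    return claims


class SessionStore:
    """In-memory map of local session ids to the IdP's (sub, sid) pair."""

    def __init__(self) -> None:
        self._sessions = {}

    def add(self, local_id: str, sub: str, sid: str) -> None:
        self._sessions[local_id] = (sub, sid)

    def active(self) -> set:
        return set(self._sessions)

    def revoke_from_logout_token(self, claims: dict) -> list:
        """With a sid, end only that IdP session; with sub alone, end all of that user's sessions."""
        sid, sub = claims.get("sid"), claims.get("sub")

        def hit(s_sub, s_sid):
            return s_sid == sid if sid is not None else s_sub == sub

        doomed = sorted(lid for lid, (s_sub, s_sid) in self._sessions.items() if hit(s_sub, s_sid))
        for lid in doomed:
            del self._sessions[lid]
        return doomed


def build_store() -> SessionStore:
    """Constructed sessions: two tabs of one IdP session, a second browser, another user."""
    store = SessionStore()
    store.add("local-a", "user-42", "sid-1")
    store.add("local-b", "user-42", "sid-1")
    store.add("local-c", "user-42", "sid-2")
    store.add("local-d", "user-7", "sid-3")
    return store


def constructed_logout_token(secret: bytes = CLIENT_SECRET, **overrides) -> str:
    """Build a sample logout token; key=None drops a claim, key=value replaces it."""
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "iat": NOW, "exp": NOW + 120,
              "jti": "logout-0001", "sub": "user-42", "sid": "sid-1",
              "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}
    for key, value in overrides.items():
        if value is None:
            claims.pop(key, None)
        else:
            claims[key] = value
    return sign_hs256(claims, secret)


def handle_backchannel_logout(token: str, store: SessionStore) -> list:
    """What the RP's back-channel logout endpoint does with a POSTed logout_token."""
    claims = validate_logout_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, now=NOW)
    return store.revoke_from_logout_token(claims)


if __name__ == "__main__":
    print(handle_backchannel_logout(constructed_logout_token(), build_store()))
```

Two design points matter in practice: the revocation has to act on server-side session state (here the store; in a real app, the session backend), since the IdP never talks to the user's browser during back-channel logout, and a production endpoint should additionally record each token's `jti` for the life of its `exp` so a replayed logout token cannot be used to log the user out a second time after they sign back in.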
Tone & Style
- Language: Direct, conversational, and at times irreverent (“comedy story,” “controversy sandwich,” “hoodie-wearing Bogan t-shirt wearing nerds”).
- Attitude: Critical of corporate failings, regulations, security industry ineptitude; supportive of effective community initiatives and technical excellence.
- Humor: Essential part of the show—often biting, sarcastic, and accessible even when discussing serious failures and crimes.
Conclusion
This episode balances a deep, experience-based breakdown of the Mary Ann Davidson/Oracle saga with a global roundup of urgent infosec stories and industry trends. It offers a rare blend of jaded wisdom, genuine technical critique, pointed humor, and meaningful industry congratulations, making it essential listening for cybersecurity professionals seeking both actionable analysis and the unvarnished reality of security culture.
