Tuesday, December 11, 2007

Vendors trying to hide or ignore vulnerabilities

I agree with this article regarding vendors trying to sweep vulnerabilities under the rug:

Vendors trying to hide vulnerabilities

My beef in this whole blog lately is not that vendors have problems with their software - because hackers and foreign governments and organized crime rings are at war with us - but I do have a beef when vendors do not take responsibility for problems and fix them.

I think the same applies to bugs, which may be nothing - or may be a shadow of a clue that a system is compromised in some way. Vendors should get to the bottom of bugs and, with a technical, engineering approach, resolve or at least explain why a problem occurred if it is possible.

Recently I get the feeling that email hosting providers would rather kick a "whiny" customer who finds a flaw in their software off the system than take the time to get to the bottom of exactly what is causing the problem. In fact, some of them turn around and blame the customer and tell them it was something they did that caused the problem, even if they cannot prove it (and it is not true).

I had some employees like this in the past. A customer was complaining that her web site was failing randomly, and they blamed the customer's computer and didn't really bother to ever truly research and pin down the problem. I finally had to let them go. The problem was a database server that was overloaded. An engineered approach to resolving the problem would have enlightened us all much sooner. I never blame a customer for a problem without facts to show them that it looks like something they did caused the problem. If the customer denies they did that thing... maybe something else is still going on, even if it looks like the customer did something to cause it.

My customer with a Mac has nailed down the problem with USA.net's webmail program. The problem happens when she's using her Mac - or any Mac in the office - with a particular mail account (and no others). USA.net claims it is not their problem and that a system administrator changed something - no one on our end has touched anything. The Internet Service Provider came out and tested the modem - they claim there is nothing wrong with the network or the modem. All other web sites are operating just fine on these machines for this customer. USA.net has finally said they would escalate the problem. I doubt this will do any good, however. This is probably all smoke to placate the customer until we move to a new email hosting provider. I'll let you know if it gets fixed before then.

What could be causing this problem? If someone is in the path between my customer and the email hosting vendor, perhaps they could do something to the request. Perhaps there is something in one of the emails in that account that is causing the problem. Perhaps there is some software glitch in Safari on a Mac for that particular web site. The only way to pin this down is for the makers of the web site to check their logs and maybe add additional logging and perform some network traces. If they won't do it, as far as I can tell we are out of luck.