Slashdot Mirror


User: Mike+Sheen

Mike+Sheen's activity in the archive.

Stories: 0
Comments: 32

Comments · 32

  1. Re:Are you exposing customers? on Ask Slashdot: Software Issue Tracking Transparency - Good Or Bad? · · Score: 1

    Since these are reported, but not necessarily fixed bugs, if someone is interested in attacking one of your customers, you are giving them a gold mine of potential attack information. I believe in responsible disclosure, but it is one thing to tell your customers. Something else to tell the world, especially before it is fixed.

    That is a valid point.

    We're quite diligent in making sure nothing which would compromise security of existing customers is visible - I am well aware of the risk, and to use the Australian vernacular - shitscared - of exposing such information.

    We do, however, have a few bugs crop up every now and then that support staff annotate with the name of the customer that flagged the issue, so when they come to test the fix they have a way of notifying them how far along the resolution is for them. That is not really directly putting customers at risk - but it's unprofessional and I really hate that. It's like they use Bugzilla as some sort of bastardised CRM - even though we have a pretty capable CRM already.

  2. Re:Why are you here? on Ask Slashdot: Software Issue Tracking Transparency - Good Or Bad? · · Score: 1

    If they don't like you putting that out there due to branding issues then I'm sure they're going to love you for posting all about the problems with JIWA Financials on Slashdot of all places. What were you thinking?

    I'm here to see if my stance is reasonable or not. Validation, I guess - but also some opposing viewpoints to mine with more substance than what I was getting from our Sales team. They were not articulate or convincing enough for me to be enrolled with their views - so here I am.

    I'm not overly concerned about people seeing our issues. I'm rather proud of the fact that we currently are transparent about it and anyone viewing it can see we are active and professional in our conduct.

    You mentioned the company I work for - I have no reason to hide that, but chose not to mention it as I didn't want to seem like this was an advertising pitch. I'm not sure what your motivation was for bringing it up, but thanks for the exposure :)

    What was I thinking? I was thinking I could engage a community of like minded professionals, with varying degrees of experience to offer their opinion so I could feel more comfortable about making a decision. I don't like making uninformed decisions.

    Why are you here?

  3. Re:Not so public disclosure on Ask Slashdot: Software Issue Tracking Transparency - Good Or Bad? · · Score: 1

    OP Here,

    That is certainly on the cards, and after seeing a lot of the comments here I will go down that path - that and having a sanitised list of changes with each public release of what was fixed or introduced and only reported before or in the last public release.

    Common sense told me there was *some* merit to what the sales droids were saying, but I needed some outside opinion and I think I certainly have received that opinion now.

    Also - sorry about the long summary - I have never submitted to slashdot before and assumed it would be truncated or edited suitably if published. Another day, more knowledge acquired - that's a win for me I guess :)

    Mike

  4. Re:need to get over the "cult of macho programming on How To Prevent the Next Heartbleed · · Score: 2

    I saw that a week ago, so I donated $50 USD to the OpenSSL Software Foundation. I figured I would either whine about the problem, or do something. I chose the latter.

  5. He's the new McAfee on Dotcom Alleges Megaupload Raid Was Part of Deal To Film The Hobbit · · Score: 1

    I look forward to the details.

  6. Re:I don't drink coffee on Disease Outbreak Threatens the Future of Good Coffee · · Score: 1

    You might want to fix your signature. I think you meant "For all intents and purposes", not "For all intensive purposes". If you're going to have a witty quip as a signature about language, you may want to learn the language first.

  7. What about the skin temp? on USAF Hypersonic Scramjet Successfully Scrams · · Score: 1

    I'm no aerospace engineer, but I imagine the temperature of the aircraft skin would get hot pretty quick at such speeds. What materials is this craft made of, and how do they combat the problems of heat caused by air rushing so quickly over the aircraft? Making an engine work in short bursts is one thing, making an aircraft capable of withstanding that velocity through atmosphere is another.