
A Patch in Time?

Further to my earlier post about what I felt was Symantec’s somewhat tardy and insubstantial public response to the discovery of a serious vulnerability in its own Antivirus software, I don’t feel much more at ease after an email exchange with their PR folk. First off, Symantec has, by midday in the Asian day, come up with a fix which can be downloaded here. “Symantec product and security teams,” the media statement says, “have worked around the clock since being notified of this issue to ensure its customers have the best protection available.”

That’s good. And quick. But not, I fear, good enough in PR terms. Why has Symantec worked around the clock to find a solution but not made the same effort to let interested people know of the problem in the first place? There’s been no press release on the web site, for example, only a media statement emailed to those journalists who enquire. When I asked Symantec’s PR about this, requesting a comment on my original post, all I got was a copy of the media statement and a link to the original security advisory. So I asked where I could find the “media statement” online, where customers, readers, users and the media could find it. Their response: “Symantec posts security advisories [here]. Please contact Symantec Public Relations for any information you need.”

Sorry, but I don’t think this is sufficient. Security advisories are for specialists. This is not a specialist problem. It’s a vulnerability that affects everyone who uses the software, and people need to know about it. (A Google search throws up more than 130 stories on the topic.) Symantec, I feel, needs to be upfront about the problem and blanket everyone with information, not bury it. Symantec occupies a hallowed position in the Internet world, since journalists, users and others turn to it for supposedly objective views on the state of Internet security. Symantec makes the most of this position, straddling telling us about the problem and selling us the solution for it.

Perhaps I’m overstating things here, but I feel Symantec has let us down. I need to know that if I’m entrusting Symantec with defending my valuable data and office network, it’s going to tell me if there’s a problem with that defence. It’s no good hiding, as Symantec PR does in its response to my email, behind the line that “There are no exploits of this vulnerability. Symantec strongly recommends customers to follow best practices and apply the patches as soon as they become available from Symantec.” First off, there are no known exploits. I don’t see how Symantec can be 100% sure of this. One has to assume that if there’s a hole in your defensive wall, someone is going to see it. Especially if it’s been publicised. Now the world has known there is a problem with Symantec’s software since Thursday. It’s now Monday. I’m assuming the bad guys too read these websites and news agencies.

So while the argument that you should throw all your effort into plugging the hole and then telling your customers you’ve built a plug might work if the vulnerability wasn’t publicised, this wasn’t the case. It was splashed all over the shop. Symantec’s position on this process is “that we are responsible for disclosing product vulnerabilities to our customers, but in general, no vulnerability should be announced until we have developed and thoroughly tested a patch and made it available to licensed customers.” (For a list of all Symantec product vulnerabilities, look here.) This clearly wasn’t going to happen here, because the vulnerability was already made public, for better or worse. And the process of “disclosing product vulnerabilities to our customers” seems to be somewhat weak here; if the vulnerability is an obscure one, perhaps an advisory might work. But more people than just a sysadmin needed to know what was happening and yet no one, unless they really looked on Symantec’s site, was any the wiser. Still aren’t, actually, since no press release is available.

Some lessons in here. Sometimes just keeping readers, journalists, bloggers, customers in the loop helps, even when it’s bad news.

Why Does Apple Take So Long to Bite?

Apple is again protecting itself, as Wired News reports: E-Tailers Get Apple Nastygrams

Apple is ordering several online iPod accessory vendors to stop using the word “iPod” in their names or URLs. Apple has sent legal notices to accessory vendors everythingipod.co.uk and iPodlife. “I’m very nervous that this whole affair will hurt our business financially,” said Barry Mann, director of everythingipod.

In August, Apple threatened legal action against iPod Essentials, which changed its name to mp3Essentials and handed ownership of the iPodEssentials.co.uk domain name to Apple.

Apple has my sympathy for this, and it makes sense to protect consumers from rubbish products that might to the untutored eye look like an Apple creation. But a couple of things confuse me. First off, why does it take them so long to get around to warning these guys? Everythingipod.com as a domain was first registered in December 2001: It takes Apple lawyers four years to track them down? What were they using? Snow shoes?

The cynic might be forgiven for thinking that Apple waits for these accessory businesses to get successful and then dumps on them. After all, as Wired News points out, Apple has its own Made for iPod program, which requires manufacturers to comply with set standards, use certain manufacturers for some components and pay a percentage of wholesale earnings to Apple.

So, the cynic would argue, there’s no point in crushing these third party web sites until they’re up and running. Wait until they’re successful and then start milking them. After all, these third party vendors and manufacturers are useful since they enhance the product, encourage retailers to give over more space to the whole iPod thing, and keep users interested. I’m sure there’s no truth to such a cynical view but it does leave some questions unanswered.

For instance: You might argue it’s hard for Apple to keep tabs on these third party websites. But I find that hard to believe. One short DNS search throws up literally hundreds of websites registered with ipod somewhere in the name, many of them more than a year old. (Just out of interest, what is planned at www.ipod-dating.com and http://www.ipod-porn.co.uk/?) This is easy stuff to keep an eye on. Either Apple’s lawyers are not doing their job or else there’s something else afoot here.