Well, that was a close one: this blogger pointed out to Hossein “Hoder” Derakhshan that there was a security flaw in one of Tucows’ newly-acquired products, Blogrolling.com. Hoder pointed out the flaw and even suggested that people start mucking around with the Blogs for Bush blogroll. Dan Gillmor, Silicon Valley’s best-known journalist, picked up on Hoder’s blog entry and posted a quick blurb about the flaw.
Hoder essentially said “Crackers and electronic maladroits of the world, here’s a flaw in a piece of software used by thousands of bloggers, and here’s how you exploit it. Get to work”, and Dan, who’s got to be one of the most-read guys on the Web, made sure lots of people found out. But neither of these guys — both of whom are otherwise generally decent folk — contacted Tucows.
We are lucky that there are a lot of people with goodwill towards this company (in fact, this goodwill is one of the reasons I accepted a job here). Brent Ashley and a number of people contacted us, and we had a fix up in less than an hour.
It irks me that I have to say this, because I thought it would be obvious. Let me put it in large type:
The right thing to do when you discover a security flaw in a product is to contact the vendor.
The wrong thing to do is simply to assume that vendors deserve to get 0wnz0red simply because there’s a flaw in their product. Although we strive for perfection, no piece of software is perfect; it’s just not possible this side of paradise. We don’t put security flaws in our software to “punk” our customers. In this world, you’re always refining your work to adapt to ever-changing conditions, hence security guru Bruce Schneier’s famous motto: “Security is a process, not a product.”
We’re all for full disclosure and free speech, but please tell us when our fly is down so we have a chance to pull it back up!
If you ever find a security flaw in any Tucows product, please let us know. Hey, as the Technical Community Development Coordinator, you can tell me (my email address is firstname.lastname@example.org), and I’ll make sure that the appropriate actions are taken and even pull as many strings as I can to make sure we send an appropriate token of our gratitude. That’s my job.
As for Hoder and Dan, all I will say is “Shame on you.”
Related reading: Boss Ross’ take.
Sort-of related reading: A lovely lass checks me out at a bar, and my buddy tells everybody at the table…except me.