Avast Forum Hack - Results of Analysis

Started by Kindred, June 05, 2014, 07:43:06 PM

Shanzer

I have never known Simple Machines to be less than completely professional. It seems to me that a company who produces security software should know how to protect their own forum. Apparently they made mistakes and due to embarrassment tried to blame others. At first they refused help from SM because they knew they were at fault. Gradually they began to communicate when they realized they were unable to understand and fix the problem. Avast should take responsibility for their own mistakes and lack of competence. Turns out, SM was not at fault and was completely honest. This tells us something about Avast as a company and about the skill of their people. It's not a major feat to maintain a secure installation of SMF. I would be embarrassed too if I ran a company who made millions selling security software and couldn't maintain security on a forum, especially with the amount of support that is available with SMF. I have never used an Avast product, and wouldn't consider doing so. In my personal opinion, Avast is the "BigLots" of the security industry.


青山 素子

Quote from: Shanzer on August 28, 2014, 12:02:55 PM
It seems to me that a company who produces security software should know how to protect their own forum.

Skills in one area don't often translate over. I know some people who are good coders but couldn't troubleshoot a hardware issue on their development system at all. That said, a company that deals in computer security should be smart enough to know they need people with the right skills.

So keep in mind that security is a process, not a product nor is it a destination. No matter how well you defend yourself, if you offer access of any kind, you can be attacked. It doesn't matter if it's your own custom code or that of a third party. While you can take steps to make things less likely by picking third-party products that have good records or using extensive testing on custom code, you'll never find every possible issue in anything complex.

The right steps would have been to acknowledge the issue, work to find the cause without offering any kind of public blame, seek to get that issue fixed, and then put out a report detailing as best you can what happened and how you fixed it. Especially as a security company, you live by your reputation. Turning a public failure into a good example for your customers won't win all of them back, but it may get you some new ones.

Could Avast have fully protected themselves? Doubtful. It's just not possible with the complexity of web applications today. Could they have handled the situation better? Certainly.


Quote from: Shanzer on August 28, 2014, 12:02:55 PM
In my personal opinion, Avast is the "BigLots" of the security industry.

Nah, that's more the domain of AVG, or at least has been lately. Avast has always been the slightly more indie product, more of a Tuesday Morning.

(For those not familiar with the brands, Big Lots and Tuesday Morning are both retail liquidators, but Big Lots is considered more down-scale and Tuesday Morning positions itself as an upscale store.)
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Arantor

Without raking over the details too much, there are certain practices that I am surprised were not followed. I would expect better in that particular arena from a security company precisely because the same rules apply in other security contexts and *are* transferrable.

青山 素子

Quote from: ♥ on August 28, 2014, 06:48:54 PM
Without raking over the details too much, there are certain practices that I am surprised were not followed. I would expect better in that particular arena from a security company precisely because the same rules apply in other security contexts and *are* transferrable.

Yes, of course there are steps they could have done to better protect themselves. There are best practices they probably didn't follow. It would be interesting to know why, and they certainly could have turned it into a moment to show their users that even people who should know better can sometimes still fail and how to ensure that their (the customers') systems and websites aren't vulnerable in the same way.

Either way, they wasted the chance to turn a public loss of confidence into a PR win (or at least a wash). As I said, as a security company, they deal in trust. The way they handled the situation really damaged that beyond the hit from the forum issue itself.


Arantor

I would suspect the same reason as most other people: convenience.

What really threw me was the PR piece about how they were going to move to a new forum software - and then relaunched with SMF.

butchs

I am surprised this thread is still going.  Has this become a chest pounding extravaganza?  Why continue to throw rocks at a dead horse?
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Arantor

Because someone decided to bump it and we tried to quell the flames.

No chest pounding here.

Deaks

~~~~
Former SMF Project Manager
Former SMF Customizer

"For as long as a hundred of us remain alive, in no way
will we suffer the English to overrun us. In truth it is not for glory, or wealth, or
honours that we fight, but for freedom alone, which no honest man gives up but with life
itself."

Kindred

Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
