Author Topic: Avast Forum Hack - Results of Analysis  (Read 913860 times)

Offline Shanzer

  • Newbie
  • *
  • Posts: 1
Re: Avast Forum Hack - Results of Analysis
« Reply #60 on: August 28, 2014, 12:02:55 PM »
I have never known Simple Machines to be less than completely professional. It seems to me that a company who produces security software should know how to protect their own forum. Apparently they made mistakes and due to embarrassment tried to blame others. At first they refused help from SM because they knew they were at fault. Gradually they began to communicate when they realized they were unable to understand and fix the problem. Avast should take responsibility for their own mistakes and lack of competence. Turns out, SM was not at fault and was completely honest. This tells us something about Avast as a company and about the skill of their people. It's not a major feat to maintain a secure installation of SMF. I would be embarrassed too if I ran a company who made millions selling security software and couldn't maintain security on a forum, especially with the amount of support that is available with SMF. I have never used an Avast product, and wouldn't consider doing so. In my personal opinion, Avast is the "BigLots" of the security industry.

 

Offline 青山 素子

  • Server Team
  • SMF Super Hero
  • *
  • Posts: 17,020
  • 戦場ヶ原、蕩れ!
    • srvrguy on GitHub
    • @motokochan on Twitter
    • Nekomusume Moe
Re: Avast Forum Hack - Results of Analysis
« Reply #61 on: August 28, 2014, 06:40:16 PM »
It seems to me that a company who produces security software should know how to protect their own forum.

Skills in one area don't often translate over. I know some people who are good coders but couldn't troubleshoot a hardware issue on their development system at all. That said, a company that deals in computer security should be smart enough to know they need people with the right skills.

So keep in mind that security is a process, not a product, nor is it a destination. No matter how well you defend yourself, if you offer access of any kind, you can be attacked. It doesn't matter if it's your own custom code or that of a third party. While you can take steps to make things less likely by picking third-party products that have good records or using extensive testing on custom code, you'll never find every possible issue in anything complex.

The right steps would have been to acknowledge the issue, work to find the cause without offering any kind of public blame, seek to get that issue fixed, and then put out a report detailing as best you can what happened and how you fixed it. Especially as a security company, you live by your reputation. Turning a public failure into a good example for your customers won't win all of them back, but it may get you some new ones.

Could Avast have fully protected themselves? Doubtful. It's just not possible with the complexity of web applications today. Could they have handled the situation better? Certainly.


In my personal opinion, Avast is the "BigLots" of the security industry.

Nah, that's more the domain of AVG, or at least has been lately. Avast has always been the slightly more indie product, more of a Tuesday Morning.

(For those not familiar with the brands, Big Lots and Tuesday Morning are both retail liquidators, but Big Lots is considered more down-scale and Tuesday Morning positions itself as an upscale store.)
Motoko-chan
Director, Simple Machines

Just because it's pouring down doesn't mean we're gonna drown. There's a time when all you can say is let it rain - Mat Kearney (Let It Rain)

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 68,037
    • Arantor on GitHub
Re: Avast Forum Hack - Results of Analysis
« Reply #62 on: August 28, 2014, 06:48:54 PM »
Without raking over the details too much, there are certain practices that I am surprised were not followed. I would expect better in that particular arena from a security company precisely because the same rules apply in other security contexts and *are* transferrable.
To assume is to hope that those who came before had the presence of mind and capacity to implement the dreams of those who would come after.

You either die a hero or live long enough to see yourself become the villain. It seems you have chosen which, and now I must do the same.

Offline 青山 素子

Re: Avast Forum Hack - Results of Analysis
« Reply #63 on: August 28, 2014, 08:00:01 PM »
Without raking over the details too much, there are certain practices that I am surprised were not followed. I would expect better in that particular arena from a security company precisely because the same rules apply in other security contexts and *are* transferrable.

Yes, of course there are steps they could have done to better protect themselves. There are best practices they probably didn't follow. It would be interesting to know why, and they certainly could have turned it into a moment to show their users that even people who should know better can sometimes still fail and how to ensure that their (the customers') systems and websites aren't vulnerable in the same way.

Either way, they wasted the chance to turn a public loss of confidence into a PR win (or at least a wash). As I said, as a security company, they deal in trust. The way they handled the situation really damaged that beyond the hit from the forum issue itself.


Offline Arantor

Re: Avast Forum Hack - Results of Analysis
« Reply #64 on: August 28, 2014, 08:11:38 PM »
I would suspect the same reason as most other people: convenience.

What really threw me was the PR piece about how they were going to move to a new forum software - and then relaunched with SMF.

Offline butchs

  • SMF Hero
  • ******
  • Posts: 1,712
  • Lost 7GB bandwidth!
    • EastCoastRollingThunder
Re: Avast Forum Hack - Results of Analysis
« Reply #65 on: August 28, 2014, 08:29:52 PM »
I am surprised this thread is still going.  Has this become a chest pounding extravaganza?  Why continue to throw rocks at a dead horse?
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Offline Arantor

Re: Avast Forum Hack - Results of Analysis
« Reply #66 on: August 28, 2014, 08:32:13 PM »
Because someone decided to bump it and we tried to quell the flames.

No chest pounding here.

Offline BryanD

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 22,019
  • Gender: Male
    • BryanRunicDeakin on Facebook
    • @bryandeakin on Twitter
    • Bryan Deakin dot Com
Re: Avast Forum Hack - Results of Analysis
« Reply #67 on: August 28, 2014, 08:45:53 PM »
Maybe this should be locked now.

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 55,102
  • Gender: Male
    • Kindred-999 on GitHub
Re: Avast Forum Hack - Results of Analysis
« Reply #68 on: August 28, 2014, 09:12:20 PM »
Agreed
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.