Avast Forum Hack - Results of Analysis

[Shanzer]

I have never known Simple Machines to less than completely professional. It seems to me that a company who produces security software should know how to protect their own forum. Apparently they made mistakes and due to embarrassment tried to blame others.  At first they refused help from SM because they knew they were at fault. Gradually they began to communicate when they realized they were unable to understand and fix the problem. Avast should take responsibility for their own mistakes and lack of competence. Turns out, SM was not at fault and was completely honest. This tells us something about Avast as a company and about the skill of their people. It's not a major feat to maintain a secure installation of SMF. I would be embarrassed too if I ran a company who made millions selling security software and couldn't maintain security on a forum, especially with the amount of support that is available with SMF. I have never used an Avast product, and wouldn't consider doing so. In my personal opinion, Avast is the "BigLots" of the security industry.

[青山 素子]

It seems to me that a company who produces security software should know how to protect their own forum.

Skills in one area don't often translate over. I know some people who are good coders but couldn't troubleshoot a hardware issue on their development system at all. That said, a company that deals in computer security should be smart enough to know they need people with the right skills.

So keep in mind that security is a process, not a product nor is it a destination. No matter how well you defend yourself, if you offer access of any kind, you can be attacked. It doesn't matter if it's your own custom code or that of a third party. While you can take steps to make things less likely by picking third-party products that have good records or using extensive testing on custom code, you'll never find every possible issue in anything complex.

The right steps would have been to acknowledge the issue, work to find the cause without offering any kind of public blame, seek to get that issue fixed, and then put out a report detailing as best you can what happened and how you fixed it. Especially as a security company, you live by your reputation. Turning a public failure into a good example for your customers won't win all of them back, but it may get you some new ones.

Could Avast have fully protected themselves? Doubtful. It's just not possible with the complexity of web applications today. Could they have handled the situation better? Certainly.

In my personal opinion, Avast is the "BigLots" of the security industry.

Nah, that's more the domain of AVG, or at least has been lately. Avast has always been the slightly more indie product, more of a Tuesday Morning.

(For those not familiar with the brands, Big Lots and Tuesday Morning are both retail liquidators, but Big Lots is considered more down-scale and Tuesday Morning positions itself as an upscale store.)

[Arantor]

Without raking over the details too much, there are certain practices that I am surprised were not followed. I would expect better in that particular arena from a security company precisely because the same rules apply in other security contexts and *are* transferrable.

[青山 素子]

Without raking over the details too much, there are certain practices that I am surprised were not followed. I would expect better in that particular arena from a security company precisely because the same rules apply in other security contexts and *are* transferrable.

Yes, of course there are steps they could have done to better protect themselves. There are best practices they probably didn't follow. It would be interesting to know why, and they certainly could have turned it into a moment to show their users that even people who should know better can sometimes still fail and how to ensure that their (the customers) systems and websites aren't vulnerable in the same way.

Either way, they wasted the chance to turn a public loss of confidence into a PR win (or at least a wash). As I said, as a security company, they deal in trust. The way they handled the situation really damaged that beyond the hit from the forum issue itself.

[Arantor]

I would suspect the same reason most other people: convenience.

What really threw me was the PR piece about how they were going to move to a new forum software - and then relaunched with SMF.

[butchs]

I am surprised this thread is still going.  Has this become a chest pounding extravaganza?  Why continue to throw rocks at a dead horse?

[Arantor]

Because someone decided to bump it and we tried to quell the flames.

No chest pounding here.

[Deaks]

maybe this should be locked now

[Kindred]

Agreed