
Re: we were attacked



On Sat, 2006-04-08 at 00:15, Joe Emenaker wrote:
> If it were my company, I'd have more of a zero-tolerance policy. 
> Unfortunately, my business partner was the "business" part of the 
> partnership. He was the guy who insisted that we turn "register_globals" 
> on in PHP because having it off (as was the new default when a new 
> release of PHP came out) broke several of our client scripts. 
> Personally, my reaction was: "Then their script is broken. They should 
> fix it.". My business partner's reaction was "If their script doesn't 
> start working again, they'll take it somewhere where it does". Now, 
> you're probably thinking "If they take it somewhere else, then *that* 
> ISP will get compromised and they'll either get booted from that 
> ISP... and, eventually, they'll fix their broken script.". And you're 
> right. But, once they've figured out that their script was broken and is 
> fixed, they're not going to call us up and ask to be our customer again. 
> Once they leave, they aren't coming back. It's one of those business 
> realities that drives me insane... but there it is.

That's less than half of the business reality.

We recently lost the GotMilk and related websites because we
wouldn't let them activate some insecure scripts.  Sure, we
lost a few dollars a month.  What if we had ignored the
problem?  In the case of GotMilk the scripts could have been
used as an open spam relay, we would have been black-listed,
and a whole bunch of decent customers would have walked.  In
a more serious case such as yours, a security compromise
could result in loss of credit card numbers, loss of all
customers, and loss of lawsuits.

It's not worth it.  You've gotta do what's right, even if it
means dumping a clueless partner.

--Mike Bird
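As an added illustration of the register_globals point in the quoted message (example code written for this page, not from either poster), here is what a "broken" client script typically looked like, why leaving register_globals on to keep it working is worse than the breakage, and what the fix the client should have applied looks like. The file name admin.php, the variable names and the check_password() stand-in are hypothetical; the behaviour of register_globals itself (request parameters injected into the global scope; deprecated in PHP 5.3 and removed in 5.4) is not.

```php
<?php
// admin.php (hypothetical). Added example, not code from the original thread.

// Stand-in for the real credential check; only here so the file runs on its own.
function check_password($p) {
    return $p === 'correct horse battery staple';
}

// 1. The pattern that "breaks" when register_globals is turned off.
//    With register_globals = On, admin.php?user=bob creates $user automatically.
//    With register_globals = Off, $user is never defined and the page silently
//    prints "Looking up " followed by nothing. This is the "broken script".
echo "Looking up " . (isset($user) ? $user : '') . "\n";

// 2. Why leaving register_globals on is worse than a broken page.
//    With register_globals = On, admin.php?authorized=1 creates $authorized = "1"
//    *before* this code runs, so the password check below is bypassed entirely:
//    the attacker never needs the password. The script itself looks harmless.
if (check_password(isset($_POST['password']) ? $_POST['password'] : '')) {
    $authorized = true;
}
if (!empty($authorized)) {        // attacker-controlled when register_globals is on
    echo "admin panel (vulnerable version)\n";
}

// 3. The fix the client should have applied: read request data explicitly from
//    the superglobals ($_GET / $_POST), initialise every variable before it is
//    tested, and escape output. This works identically with register_globals
//    on or off, so the ISP never has to enable it.
$user = isset($_GET['user']) ? $_GET['user'] : '';
echo "Looking up " . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . "\n";

$authorized = false;              // set explicitly; a URL parameter cannot pre-seed it
if (check_password(isset($_POST['password']) ? $_POST['password'] : '')) {
    $authorized = true;
}
if ($authorized) {
    echo "admin panel (fixed version)\n";
}
```

The key point for the hosting argument above: the fixed script is a few lines of work for the client, whereas the "compatibility" setting the partner insisted on turns every unset-variable bug in every hosted script into a request-controlled variable, which is exactly how the spam-relay and authentication-bypass compromises Mike describes happen.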


