Hi Dan,

On Mon, Mar 24, 2008 at 03:47:01PM -0400, Dan MacNeil wrote:
> One of our customers has a compromised Joomla install.

[...]

> They want access to the original installation in a .htaccess
> protected directory so their "security expert" can find and fix
> problems.

[...]

> There are without exaggeration more than 11,000 php files to review.
> I am doubtful that this can be done.
>
> Am I a power mad rules ninny or a stalwart defender of the
> internet here?

I assume you are actually trying to be a fair businessman rather than either of those other things :)

<imho>

If you aren't happy with the security of what they are doing, and the revenue does not give you enough wiggle room to make yourself satisfied, then I would terminate the service.

The most demanding customers are often the ones that pay the least, and are the least technically clueful. The more you get involved beyond the letter of the contract on a low-rent service, the more you have wasted your own time and money and risked becoming the de-facto supplier of the custom service. That is, if you spend time supplying them with bespoke fixes and templates and whatnot for free then you risk them getting an expectation that you can support that and do so repeatedly.

If you *can* support that, if they *are* a good customer and if it *is* worth it then great! Everyone is happy. But it sounds like they aren't any of those things and you aren't happy. It is not wrong to ditch a customer for the right reasons; it's sometimes the best thing for both parties.

This does not mean you have to be inflexible all the time or ever uncooperative, but there has to be a line drawn. The minimum is the terms of the contract and that goes for everyone, but to me if the goal is to be a fair, flexible and cooperative supplier then that means it will end up being drawn in a different place for different customers and there's no logical conflict in that.

</imho>

Cheers,
Andy

--
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB