
Re: policies on compromised sites

Hi Dan,

On Mon, Mar 24, 2008 at 03:47:01PM -0400, Dan MacNeil wrote:
> One of our customers has a compromised Joomla install.

> They want access to the original installation in a .htaccess
> protected directory so their "security expert" can find and fix
> problems.

> There are, without exaggeration, more than 11,000 PHP files to review.
> I am doubtful that this can be done.
> Am I a power-mad rules ninny or a stalwart defender of the
> internet here?

I assume you are actually trying to be a fair businessman rather
than either of those other things :)

If you aren't happy with the security of what they are doing, and
the revenue does not give you enough wiggle room to make yourself
satisfied, then I would terminate the service.

The most demanding customers are often the ones that pay the least,
and are the least technically clueful.  The more you get involved
beyond the letter of the contract on a low-rent service, the more
you have wasted your own time and money and risked becoming the
de-facto supplier of the custom service.

That is, if you spend time supplying them with bespoke fixes and
templates and whatnot for free then you risk them getting an
expectation that you can support that and do so repeatedly.  If you
*can* support that, if they *are* a good customer and if it *is*
worth it then great!  Everyone is happy.  But it sounds like they
aren't any of those things and you aren't happy.

It is not wrong to ditch a customer for the right reasons; it's
sometimes the best thing for both parties.  This does not mean you
have to be inflexible all the time or ever uncooperative, but there
has to be a line drawn.  The minimum is the terms of the contract
and that goes for everyone, but to me if the goal is to be a fair,
flexible and cooperative supplier then that means it will end up
being drawn in a different place for different customers and there's
no logical conflict in that.


http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB
