How Not To Respond To A Security Problem
from the it-probably-helps-to-actually-fix-things dept
If you’re an online merchant and some nice person calls you up and explains that you’ve made a silly mistake in setting up your order tracking system – so silly that anyone with half a brain can get all sorts of information about every one of your customers – what would you do? ComputerHQ shut everything down, but then came back online with the same security hole. Probably not the best solution. So, they were called again. They did the same thing again. Wired News went and contacted a bunch of people who had ordered from ComputerHQ (Wired News got the info through the security hole) and those people are now pretty pissed. One of them called ComputerHQ – who said the problem had been fixed, even though it hadn’t. It would seem that the smartest thing to do would be to take down the site until you knew the problem was fixed – and not to lie when confronted with the problem. Also, many of the customers are pissed that no one from ComputerHQ contacted them since finding out about the hole.