Wednesday, December 06, 2006

Note to Self

I should probably also post about a bug's (or in Joel's terms "a case's") lifecycle, too. I sent out an email internally at work a while ago but I should probably follow up on that and post it for the intarweb to see, too.

I'll try to cover what fits my work environment and also what is generally true elsewhere.

I can find so many things to talk about to avoid trying to explain how the SRM works in Windows kernel-land, can't I? I've tried a couple of drafts, but it's not easy to just give the basic info instead of trying to explain the whole geeky picture. I obviously don't have the gift of technical writing. :-(

Bug vs Feature

I recently read this and was appalled. Why would any company intentionally seek out testers who enjoyed "a good debate about whether something is a 'feature' or a 'bug'"? (Neverminding that the OP's final quoted remark didn't actually ever have end quotes. And also never mind why I was looking at that - just keeping my options open, but I'm way too stubborn to quit my current job yet.) What a *total* waste of time. I'd rather have someone on my team whose hobby was counting ceiling tiles. At least that's meaningful. To someone. I would guess.

Much to my chagrin (or in the case of the link, Ohio's), I'm in that situation now, though. I sat in a meeting with person X who claimed that to his/her mind a "bug" is something that takes a little time to fix and a "feature request" is something that takes more time. I'm beginning to wonder where American (in this case) software engineers learn to speak English.

If you're playing along at home, please use your own Google-fu to verify these common definitions as they apply to software:

bug - a software defect

feature request - I'm gonna have to break this down a little. It's evidently not immediately obvious. A feature is a prominent aspect of something. Hmm. Not a very solid definition. Google-fu doesn't really get me much in the way of a meaty definition for "feature request" or "software feature". I guess I'll just try to make up a definition. Clearly a feature isn't a bug, right? So a feature request IMO is a request for a design change. Further, it must not be because of a defect in the software or the design. It's a request for extra, originally unintended functionality. E.g. "Please make my blender also function as an AM/FM radio so that I can blend tasty smoothies while I listen to my favorite morning shock jocks."

I'm not even going to touch the "is it a bug or a feature" debate. The only important question there is "what's best for the customers?" and if there's enough data there should be no argument.

So I've put off my screed on (the next links mostly suck - don't bother) DACLs/SACLs/MACLs and also MIC (new in Vista, though the idea's been around for a while) until next time. Unless I get sidetracked again.

Actually, I might get sidetracked. I think I might need to explain threat modeling and even more so the terminology used ("threat", "DREAD rating", &c.). I keep running into "define that term" roadblocks at work. Rather than invest in dead trees, I think I might blog it.

Saturday, December 02, 2006

Strongly Considering Resigning . . . (and a bit of swearing)

(No linkies in this one. I'm too pissed off to bother. Next up (really) - a little more on the NT object manager and an intro to security descriptors/ACLs.)

Ick!

After recent work experiences I'm very strongly considering resigning. (No - really. Very seriously. And wondering where I could go right now.) And wondering why I didn't apply for that Principal QA job at Symantec. Damn. That's right up my alley. And in the bay area no less. I'm such a sucker.

It doesn't seem to matter how many bugs I file. Nobody fixes them. (That's an exaggeration - out of the 100+ bugs open against our last release 2 or maybe 3 were fixed. The rest were punted to our new release. Forgive me please for exaggerating.) Even when I explain in *great* detail how to fix (step by step how to goddamned write the code) the bugs nobody bothers. Why do I do it? I really don't know any more.

It doesn't seem to matter when I find serious security holes in our product. I guess they'll be fixed in version 2.x . . . Maybe. If the customers are lucky. Or if that ever ships. I can only hope that customer X (that I don't think I can mention yet) *demands* a higher quality of crap than the current ESS anus spews. Maybe then quality will matter . . .

It also doesn't even seem to matter when I point out to our IT guy that one of our public-facing servers has *many* known vulnerabilities, at least one of which allows any unauthenticated attacker to shove arbitrary data onto the stack and overflow it. *grumble* That's almost surely exploitable and would give the attacker root on the box in our case. Worse yet, I hear that all of the accounts used to attach to those boxen use the same/similar passwords. Our entire extranet is compromised. And maybe our intranet, too. Who's losing sleep over this? Maybe only I am. Goodbye, my sleep!

I'm this far from writing 'sploit code so that someone will listen to me: '-----'

I don't believe in ever writing 'sploit code. Ever. That's not only illegal (unless contractual and even then iffy) but immoral. But I'm at the point that I'm not sure how else anyone would ever listen to me when I say "this is a bug - please fix it ASAP".

Damn. Sometimes it sucks to be a (the only?) security geek at a "security" company. At an alleged "security" company, that is. Working on an alleged "security" product.

:-(

Shit! Part of me misses Microsoft . . .

(P.S. For anyone reading this internally at ESS, there are bugs filed. I can provide links if you can't find them.)

(P.P.S. Ray - about that alleged penetration tester who tried to attack us - EVERYONE who wants to take over a box knows about the app I used - it's been around forever. Please please please let me know what he tried. I think whatever it was it's severely lacking. I finally tried the most obvious test and found ways to break into all of our public-facing servers. This is *scary*.)
