Saturday, December 02, 2006
Strongly Considering Resigning . . . (and a bit of swearing)
After recent work experiences I'm very strongly considering resigning. (No - really. Very seriously. And wondering where I could go right now.) And wondering why I didn't apply for that Principal QA job at Symantec. Damn. That's right up my alley. And in the bay area no less. I'm such a sucker.
It doesn't seem to matter how many bugs I file. Nobody fixes them. (That's an exaggeration - out of the 100+ bugs open against our last release 2 or maybe 3 were fixed. The rest were punted to our new release. Forgive me please for exaggerating.) Even when I explain in *great* detail how to fix (step by step how to goddamned write the code) the bugs nobody bothers. Why do I do it? I really don't know any more.
It doesn't seem to matter when I find serious security holes in our product. I guess they'll be fixed in version 2.x . . . Maybe. If the customers are lucky. Or if that ever ships. I can only hope that customer X (that I don't think I can mention yet) *demands* a higher quality of crap than the current ESS anus spews. Maybe then quality will matter . . .
It also doesn't even seem to matter when I point out to our IT guy that one of our public-facing servers have *many* known vulnerabilities, at least one of which allows any unauthenticated attacker to shove arbitrary data onto the stack and overflow it. *grumble* That's almost surely exploitable and would give the attacker root on the box in our case. Worse yet, I hear that all of the accounts used to attach to those boxen use same/similar passwords. Our entire extranet is compromised. And maybe our intranet, too. Who's losing sleep over this? Maybe only I am. Goodbye, my sleep!
I'm this far from writing 'sploit code so that someone will listen to me: '-----'
I don't believe in ever writing 'sploit code. Ever. That's not only illegal (unless contractual and even then iffy) but immoral. But I'm at the point that I'm not sure how else anyone would ever listen to me when I say "this is a bug - please fix it ASAP".
Damn. Sometimes it sucks to be a (the only?) security geek at a "security" company. At an alleged "security" company, that is. Working on an alleged "security" product.
Shit! Part of me misses Microsoft . . .
(P.S. For anyone reading this internally at ESS, there are bugs filed. I can provide links if you can't find them.)
(P.P.S. Ray - about that alleged penetration tester who tried to attack us - EVERYONE who wants to take over a box knows about the app I used - it's been around forever. Please please please let me know what he tried. I think whatever it was it's severely lacking. I finally tried the most obvious test and found ways to break into all of out public-facing servers. This is *scary*.)