Cluestick Advisory #000

From: cluestickat_private
Date: Thu Jun 27 2002 - 00:43:56 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Cluestick advisory #000.  June 26, 2002.
    
    Denial of service by Novell: The Cluestick Manifesto
    
    "I'm pretty annoyed, and would rather not take it anymore."
    Surreal
    - - - - -
    This document started as another futile email to Novell Technical
    Services. I've decided my time is better spent on an open letter
    to Novell.  I hope to help persuade them to adopt a modern bug &
    security issue reporting protocol, thereby improving my quality of
    life as a Netware administrator.  I don't presume to dictate specifics,
    but note that even Microsoft was eventually flogged into a reasonably
    effective stance after inadvertently spawning the Full Disclosure
    movement.
    
    Novell's Incident System hasn't changed much, if at all, in the last ten
    years. I'm planning to deploy Netware 6, but there are issues I feel
    should be corrected before I put it into production.  The more I look,
    the more issues I find.  This bodes ill.  My initial issues have closed
    Novell support incidents associated with them, yet they remain unfixed
    and undocumented to Netware users.  That's rather, well, "lame".
    
    There are currently three choices for addressing bugs in Novell
    products:
    
    Option #1 - "Shout at the darkness"
    Identify and document a bug. Submit a report through the Bug Report form
    buried deep within the support.novell.com website.  Hope that someone
    reads the report, fixes the bug, and documents the issue.
    
    Novell will not acknowledge that the report has been received, or that
    the bug, or a fix, exists.  That method has failed me for three out of
    three problems over the last five months, and each time I've tried it in
    the past.  It appears to be 100% ineffective.
    
    Option #2 - "I beg thee, consider my plight!"
    This is Novell's Suggested Approach... Document the bug and a method to
    reproduce it.  Call Novell on the phone; wait on hold; open an incident.
    
    One might use the on-hold time productively by lobbying the boss for
    $300.00 "for a little while" to report the bug to Novell, explaining:
    "if Novell also thinks this is a bug, we'll get the money back!"  When the
    call is answered, try to explain the problem in short, common usage words
    to a first-tier "technician" who hasn't the vaguest clue what you're
    talking about.  Plan on making a day of it; you'll be on the phone a long
    time.
    
    I really don't know how the option #2 scenario resolves as I've never
    used it for reporting a bug.  It's the Last Resort for when NDS gets hosed.
    
    Some BOFH dreamed up that protocol at a drunken office party, right?
    Recall that we, the customers, have already spent a chunk of cash for
    Netware, and are providing a service by identifying problems and documenting
    system defects.  Thank you, no.  I'll pass on option #2.
    
    Option #3 - "Can you hear me now? Good!"
    Identify the bug and a method to reproduce it.  Document the issue,
    highlighting the immediate and potential risks and send it to public
    mailing lists in hopes of inspiring a timely fix.  This method works, and
    generally gets quick results. This is most recently evidenced by the speedy
    resolution and patch of the HTTPSTK.NLM buffer overflow.
    
    Cluestick release #001, to follow shortly, will detail an issue reported
    to Novell in January of this year.  It's a server hang or reboot with Netware
    5.1 and 6, and still exists at current patch levels.
    
    I don't plan to disclose issues more than weekly; it's not my goal to make
    Netware admins as miserable as their Windows-laden compadres.  When Novell
    wakes up and changes, I'll adopt their (surely awesome) new reporting
    protocol.
    
    Maybe they'll finish running themselves out of business before that happens.
    Idunno.  I'm just saying it's "No more Mr. Patient Geek" on my end.
    
    If you have a Novell incident (Netware 5.1 or 6) that you're losing
    sleep over, send me your notes and perhaps we can get a fire lit under You
    Know Who.
    //
    
    An actual live human at Novell broke character and wrote:
    >
    > The following message was sent from Novell Technical Services as a
    > response to your incident.
    >
    > In order to respond, use your World Wide Web browser to access the
    > Electronic Incident pages on the Novell Support
    > Connection(http://support.novell.com/servlet/incident).  After entering
    > your customer information, select the option to update your incident.
    >
    > =======================================================
    >
    > Beloved,
    >
    > I am closing a bug report on <meat of cluestick 002 deleted>.  This is
    > a known issue and is being looked at.  Bug reports are not designed to
    > give feedback to those who open them.  If a customer needs or wants
    > feedback, a regular incident should be opened and if the issue turns out
    > to be a bug, the charges or the incident will be reversed.  Bug Reports
    > are for us to catch issues (defects) before they nail us unexpectedly.
    > We have found that this does work as designed, but the vast amount of
    > bugs found by customers are caught in regular incidents.
    >
    > Joe Helpful <not his real name>
    > Novell, Inc., A Leading Provider of Net Business Solutions
    > www.novell.com
    > 1-800-255-2707
    
    <Dr. Evil> Riiiiight. </Dr. Evil>
    
    a Novell Support Connection droid also wrote:
    >
    > This e-mail is being sent to notify you that incident #xxxxxxx has been
    > closed.  (See Incident Description below.)  You can view the incident
    > history by going to http://support.novell.com/servlet/incident and
    > entering your name, e-mail address, and PIN.  If you require additional
    > assistance on this issue, you may enter that request at the URL above or
    > contact your local Novell Support Center within 5 working days.
    >
    > Novell Customer Services would like to thank you for using our Support
    > Services.
    >
    > The Novell Support Connection
    > http://support.novell.com
    > 1-800-858-4000 or 1-801-861-4000
    >
    > Note: Replies to this message go to the Novell webmaster, not to technical
    > support personnel.  Please use the procedures above to obtain additional
    > technical support.
    >
    > Incident Description:
    > <snip>
    
    Unfortunately, I didn't select option #2 and have no PIN.  I suspect
    that if I looked it up, the text would read: "Incident #xxxxxxx has been
    closed."
    
    Since I'm *here*... Greetz to K.O. (ya hippie), all the little people
    (gotta love leprechauns), Ken Olsen, and GOBBLES, who recently *obliterated*
    the existing speed record for most rapidly improved written English, held by
    Vesselin B. lo these many years.  Everyone at The Reg, natch, and those rad
    Ethik4l Cr4ck3rz at ISS.
    
    Dosvidanija, y'all.
    Surreal -- cluestickat_private
    //
    
    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.1
    Note: This signature can be verified at https://www.hushtools.com
    
    wl4EARECAB4FAj0awjwXHGNsdWVzdGlja0BodXNobWFpbC5jb20ACgkQ5Ecz5W4o0Q3/
    PACfa+yGGL0PDy8tSkrKqhpVnZvC1RoAoL9D48nUnj0/BQkw6pfCaZ6NxyQF
    =Aw4M
    -----END PGP SIGNATURE-----
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jun 27 2002 - 11:46:04 PDT