-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cluestick advisory #000. June 26, 2002.

Denial of service by Novell: The Cluestick Manifesto

"I'm pretty annoyed, and would rather not take it anymore."

Surreal

- - - - -

This document started as another futile email to Novell Technical
Services. I've decided my time is better spent on an open letter to
Novell. I hope to help persuade them to adopt a modern bug & security
issue reporting protocol, thereby improving my quality of life as a
Netware administrator. I don't presume to dictate specifics, but note
that even Microsoft was eventually flogged into a reasonably effective
stance after inadvertently spawning the Full Disclosure movement.
Novell's Incident System hasn't changed much, if at all, in the last
ten years.

I'm planning to deploy Netware 6, but there are issues I feel should be
corrected before I put it into production. The more I look, the more
issues I find. This bodes ill. My initial issues have closed Novell
support incidents associated with them, yet they remain unfixed and
undocumented to Netware users. That's rather, well, "lame".

There are currently three choices for addressing bugs in Novell
products:

Option #1 - "Shout at the darkness"

Identify and document a bug. Submit a report through the Bug Report
form buried deep within the support.novell.com website. Hope that
someone reads the report, fixes the bug, and documents the issue.
Novell will not acknowledge that the report has been received, or that
the bug, or a fix, exists.

That method has failed me for three out of three problems over the last
five months, and each time I've tried it in the past. It appears to be
100% ineffective.

Option #2 - "I beg thee, consider my plight!"

This is Novell's Suggested Approach...

Document the bug and a method to reproduce it. Call Novell on the
phone; wait on hold; open an incident.
One might use the on-hold time productively by lobbying the boss for
$300.00 "for a little while" to report the bug to Novell, explaining:
"if Novell also thinks this is a bug, we'll get the money back!" When
the call is answered, try to explain the problem in short, common usage
words to a first-tier "technician" who hasn't the vaguest clue what
you're talking about. Plan on making a day of it; you'll be on the
phone a long time.

I really don't know how the option #2 scenario resolves as I've never
used it for reporting a bug. It's the Last Resort for when NDS gets
hosed.

Some BOFH dreamed up that protocol at a drunken office party, right?
Recall that we, the customers, have already spent a chunk of cash for
Netware, and are providing a service by identifying problems and
documenting system defects. Thank you, no. I'll pass on option #2.

Option #3 - "Can you hear me now? Good!"

Identify the bug and a method to reproduce it. Document the issue,
highlighting the immediate and potential risks and send it to public
mailing lists in hopes of inspiring a timely fix.

This method works, and generally gets quick results. This is most
recently evidenced by the speedy resolution and patch of the
HTTPSTK.NLM buffer overflow.

Cluestick release #001, to follow shortly, will detail an issue
reported to Novell in January of this year. It's a server hang or
reboot with Netware 5.1 and 6, and still exists at current patch
levels.

I don't plan to disclose issues more than weekly; it's not my goal to
make Netware admins as miserable as their Windows-laden compadres. When
Novell wakes up and changes, I'll adopt their (surely awesome) new
reporting protocol. Maybe they'll finish running themselves out of
business before that happens. Idunno. I'm just saying it's "No more Mr.
Patient Geek" on my end.

If you have a Novell incident (Netware 5.1 or 6) that you're losing
sleep over, send me your notes and perhaps we can get a fire lit under
You Know Who.

//

An actual live human at Novell broke character and wrote:
>
> The following message was sent from Novell Technical Services as a
> response to your incident.
>
> In order to respond, use your World Wide Web browser to access the
> Electronic Incident pages on the Novell Support
> Connection(http://support.novell.com/servlet/incident). After entering
> your customer information, select the option to update your incident.
>
> =======================================================
>
> Beloved,
>
> I am closing a bug report on <meat of cluestick 002 deleted>. This is
> a known issue and is being looked at. Bug reports are not designed to
> give feedback to those who open them. If a customer needs or wants
> feedback, a regular incident should be opened and if the issue turns out
> to be a bug, the charges or the incident will be reversed. Bug Reports
> are for us to catch issues (defects) before they nail us unexpectedly.
> We have found that this does work as designed, but the vast amount of
> bugs found by customers are caught in regular incidents.
>
> Joe Helpful <not his real name>
> Novell, Inc., A Leading Provider of Net Business Solutions
> www.novell.com
> 1-800-255-2707

<Dr. Evil> Riiiiight. </Dr. Evil>

a Novell Support Connection droid also wrote:
>
> This e-mail is being sent to notify you that incident #xxxxxxx has
> been closed. (See Incident Description below.) You can view the
> incident history by going to http://support.novell.com/servlet/incident
> and entering your name, e-mail address, and PIN. If you require
> additional assistance on this issue, you may enter that request at the
> URL above or contact your local Novell Support Center within 5 working
> days.
>
> Novell Customer Services would like to thank you for using our Support
> Services.
>
> The Novell Support Connection
> http://support.novell.com
> 1-800-858-4000 or 1-801-861-4000
>
> Note: Replies to this message go to the Novell webmaster, not to
> technical support personnel.
> Please use the procedures above to obtain additional technical
> support.
>
> Incident Description:
> <snip>

Unfortunately, I didn't select option #2 and have no PIN. I suspect
that if I looked it up, the text would read: "Incident #xxxxxxx has
been closed."

Since I'm *here*...

Greetz to K.O. (ya hippie), all the little people (gotta love
leprechauns), Ken Olsen, and GOBBLES, who recently *obliterated* the
existing speed record for most rapidly improved written English, held
by Vesselin B. lo these many years. Everyone at The Reg, natch, and
those rad Ethik4l Cr4ck3rz at ISS.

Dosvidanija, y'all.

Surreal -- cluestickat_private

//

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wl4EARECAB4FAj0awjwXHGNsdWVzdGlja0BodXNobWFpbC5jb20ACgkQ5Ecz5W4o0Q3/
PACfa+yGGL0PDy8tSkrKqhpVnZvC1RoAoL9D48nUnj0/BQkw6pfCaZ6NxyQF
=Aw4M
-----END PGP SIGNATURE-----