Thursday, July 28, 2016

Idera / Embarcadero is flushing away user trust in their ability to do secure computing.

In today's computing society you have to think of security first in the design of everything you do.

It's costly to retrofit security. In my job I have to think about security every day. The costs of sensitive data escaping are too big to ignore. Trust is a huge word in security. I have to trust the vendors we use to act quickly to resolve security issues, so we are not left vulnerable. A good vendor realizes there will be security problems and has a way to communicate them publicly, in an open and transparent manner.

Over 10 months ago I sent Embarcadero management several problems with Embarcadero's websites. I finally saw a bit of action after the main website was hacked shortly after it went live. I even talked with Atanas Popov, the General Manager of Embarcadero. But after that they went dark and have not communicated with me regarding security since. It's clear they have no plans to create a place where we can go to learn about security issues and the fixes that may have been made in the product.

I also called for them to hire a CISO and empower them, which clearly has not happened. Even if they did not have a CISO, they would need security to be monitored and prioritized.

Today I received a plaintext password in email for an Idera Community website. Have they not heard of hashing passwords? If the password were stored as a hash, the site could not send it back in clear text. In email they claimed it was stored securely and that they did it this way to prevent spam. But what they did was hand out passwords insecurely, which could enable more spam instead of reducing it. They defended this action and clearly thought the practice was OK. They offered to delete my account. I did not request the account, so I took them up on the offer. Regardless, maybe they should watch the password portion of the session I did for them at CodeRageX.
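As an added illustration (not code from this post, nor from Idera or Embarcadero), here is what a site that actually hashes passwords can and cannot do in the two situations above: it can verify a login against a salted PBKDF2 digest, and when a user forgets a password it can only email a one-time reset token, because the password cannot be recovered from the stored record. The in-memory user table, the PBKDF2 parameters and the token store are constructed for the example and are assumptions, not anything from the site in question.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for database tables (assumption).
_USERS = {}         # username -> (salt, digest)
_RESET_TOKENS = {}  # sha256(token) -> username

# PBKDF2-HMAC-SHA256 parameters (assumed values; tune iterations to your hardware).
_ITERATIONS = 200_000
_SALT_BYTES = 16


def _derive(password: str, salt: bytes) -> bytes:
    """One-way key derivation: the output cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def register(username: str, password: str) -> None:
    """Store only a random per-user salt and the derived digest, never the password."""
    salt = os.urandom(_SALT_BYTES)
    _USERS[username] = (salt, _derive(password, salt))


def verify(username: str, password: str) -> bool:
    """Check a login attempt without ever having the original password on hand."""
    record = _USERS.get(username)
    if record is None:
        # Do equivalent work for unknown users so timing does not reveal
        # whether an account exists.
        _derive(password, b"\x00" * _SALT_BYTES)
        return False
    salt, digest = record
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(_derive(password, salt), digest)


def stored_record(username: str) -> dict:
    """Everything the site holds for a user: a salt and a digest, nothing a
    'password reminder' mailer could send back as the password."""
    salt, digest = _USERS[username]
    return {"salt": salt.hex(), "hash": digest.hex()}


def issue_reset_token(username: str) -> str:
    """What a 'forgot password' email should carry: a random, single-use token.
    Only its hash is stored, so a leaked token table is not directly usable.
    (Expiry is omitted for brevity; a real flow would time-limit the token.)"""
    token = secrets.token_urlsafe(32)
    _RESET_TOKENS[hashlib.sha256(token.encode("utf-8")).digest()] = username
    return token


def redeem_reset_token(token: str, new_password: str) -> bool:
    """Consume the token (it is deleted on use) and set a new password."""
    key = hashlib.sha256(token.encode("utf-8")).digest()
    username = _RESET_TOKENS.pop(key, None)
    if username is None:
        return False
    register(username, new_password)
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("login ok:", verify("alice", "correct horse battery staple"))
    print("wrong password ok:", verify("alice", "wrong"))
    print("what the site stores:", stored_record("alice"))
    tok = issue_reset_token("alice")
    print("reset email would contain token, not password:", tok)
    print("reset applied:", redeem_reset_token(tok, "new passphrase"))
    print("token reusable:", redeem_reset_token(tok, "again"))
```

The point of `stored_record` is the one the paragraph makes: with hashing in place there is simply no plaintext for a support mailer to disclose, so the "we stored it securely" claim and "here is your password in email" cannot both be true.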

Idera and Embarcadero are clueless when it comes to website security. Maybe just websites in general, since Embarcadero's website is now serving content to me in Portuguese even when I select English.

I have NO TRUST in SECURITY from Idera or Embarcadero at this point.

Moving too slowly on a security vulnerability is like using and flushing a clogged toilet: bad things will happen. Being vulgar and swearing is not in my character; however, it was very, very hard not to be that way in this post. I have invested decades in a company and product that I can see clogged in their own toilet water.

6 comments:

  1. I have to agree.

    Embarcadero, please take this seriously. Hire the expertise you need to fix this quickly and properly and for the love of God, keep us posted.

  2. The results from SSL Labs are also interesting
    https://www.ssllabs.com/ssltest/analyze.html?d=www.idera.com
    https://www.ssllabs.com/ssltest/analyze.html?d=www.embarcadero.com

    Replies
    1. Well that is better than I first reported to them 10 months ago.

    2. Indeed. October 2015 they were grade F: https://www.dropbox.com/s/2y57wo1pnuh3ev8/Screenshot%202015-10-11%2013.47.50.png?dl=0

      The quality site is still grade F: https://www.dropbox.com/s/wf0trsowhftyisn/Screenshot%202016-07-31%2013.05.24.png?dl=0

  3. "(...)Maybe just websites in general since Embarcadero's website is now serving content to me in Portuguese even when I select English.(...)"

    Weird... When I selected Portuguese I got a Spanish-translated site.

  4. You assume they have any staff left....
