I spent some time looking into this and have determined that today is only Tuesday. Can’t be right, going back to re-check…

Cart66 Vulnerability Follow-up

Cart66 released a new version this morning, addressing the vulnerability I posted about yesterday. A one-day turn-around to address a security issue is excellent (even if the stink from 9 months of inattention hasn’t fully dissipated yet). I’m disappointed I had to resort to a public warning to get action but glad that action was taken (and glad to see the Cart66 folks making the right general noises about the importance of security).

While I’m glad a new version is out to address the vulnerability, I think it was a mistake to release any information about the nature of the exploit today (the same day that the fix is available). I would have favored:

  1. Release the new version with the explanation that this fixes a security vulnerability and everyone should upgrade right away.
  2. Wait for a week to allow your customers time to upgrade.
  3. Then release the details of the exploit.

As a customer, I’m surprised I haven’t (as of this writing) received a notification warning me of the vulnerability and urging me to upgrade.1 I believe it’s the responsibility of a software provider to reach out to their customers to warn them about security issues before disclosing the details of them publicly.

Cart66 has already generally disclosed what the vulnerability is, but they didn’t go into much detail about how it could be exploited. The “black hat” folks will likely figure it out anyway, but I’m going to hold off sharing any details of it until next week. I think it is appropriate to outline how this can be exploited to help provide some context to Cart66 customers, but I don’t want to be the one making it more likely that people will exploit the vulnerability on their sites.


While I am generally willing to take the explanation of how this vulnerability was allowed to remain unaddressed for such a long time at face value, I also believe this shows a fundamental lack of emphasis on security throughout the Cart66 organization. Someone received my email, replied that this was already a known problem, then nothing happened. Who knows, perhaps the people involved with that response aren’t even with the company anymore, but I’m pretty darn sure that this wouldn’t happen in my shop. A security vulnerability is a “Drop everything, get it patched and get a new release out. NOW!” situation. I will take them at their word that they are working to address this internally, but I’m still not comfortable with what their response (or lack thereof) says about their culture.

If I were advising the Cart66 team, I would tell them they need to take additional steps to make it clear to their customers that they are taking security seriously. I would recommend hiring Mark Jaquith (or another reputable consultant or firm) to do a full security audit of their code and product architecture.

I would also create and publish a process by which developers can responsibly submit security concerns, patches, etc. This should be easy to find on the Cart66 website.

Lastly, I would establish the process by which security issues are communicated to customers (a mailing list, or similar). In the case of responsibly disclosed vulnerabilities, this should include giving customers reasonable time to upgrade before publishing any details of an exploit.

All software has bugs, and some of these bugs have security ramifications. How you deal with them (and how you work with your customers when they are found) is what builds or destroys your reputation.


  1. I did receive an email response to my ticket about the new release, but that didn’t go to all customers 

When I’m actively #hiring or acting as lead dev on a project, I fall behind. When I’m doing both at once, I fall *way* behind.

Path Finder 6 →

The new version of Path Finder looks great (as does the new website). In particular I’m expecting to make good use of the Git integration and the batch rename feature. I’ve been using Path Finder since version three and can’t imagine using my Mac without it.

Warning: Cart66 Vulnerability

UPDATE: Please see this follow-up post.

Last summer we were working on an e-commerce site that integrated Cart66 with WordPress. As part of the development effort there, my team at Crowd Favorite discovered a vulnerability in Cart66.

We reported this to the Cart66 team on July 11, 2011 and received the following response on July 12, 2011:

Alex,
We are aware of this issue and are working on a solution. I don’t have a date for the fix but we’ll keep you posted.

Last week (on April 10, 2012) I received the following email:

Hello Alex,

We haven’t heard from you in 3 or more weeks so we are going to go ahead and solve this ticket. Do not hesitate to reply if you have any further questions.

My guess is that this is an automated email generated by their ticket system, but it reminded me I’d never properly followed up on the issue. We tested the current version of Cart66 (version 1.4.5) and the vulnerability is still present.

At WordCamp San Francisco last summer I posed a question during the Q&A session to get input from others on the best way to handle this situation. The agreed-upon course of action was to:

  1. Responsibly disclose the issue privately to the developer.
  2. Give the developer time to address the issue.
  3. Go public with the information if the issue is not addressed (it’s more important to let the users of the software know about the issue than it is to extend any “security by obscurity”).

As such, we plan to release the details of this vulnerability in two weeks (on April 30th).

We sincerely hope that the Cart66 team will address the vulnerability with a release that fixes the issue before this time (and responsibly notify their customers of the issue and the importance of upgrading). However, given the overall lack of response we’ve seen from the Cart66 team on this issue, my recommendation would be to evaluate other e-commerce solutions.

Mac Window Positions

I started the following post back in August of 2011; Sean’s comment on my previous post prompted me to dig it up.

Now that I’m back to using a laptop full time, I’m right back to the old hassle of having my windows scatter all over the place when I connect and disconnect an external display. It looks like this is an annoyance I share with others, as there are a bunch of utilities out there that hope to solve this problem:

I evaluated a variety of options:

I can’t remember the details of each at this point, but I tried a couple of them for a week or so each (pretty sure I did both Stay and Display Maid, can’t recall on Size-Up or Optimal Layout).

After evaluating a few options, I saw the same problems consistently:

  1. While windows would be restored most of the time, they wouldn’t be restored all of the time. The difference here was better than default OS X window handling, but not that much better.
  2. There was no option to pull all apps to one desktop when plugged in to a monitor, then distribute them again when unplugged. I’m assuming this is an API/SDK limitation as this seems like a pretty obvious feature idea.

The solution I ended up with is less than ideal: let OS X handle the window distribution and learn to work on a laptop with only a single desktop. I still go back to multiple desktops if I’m going to be unplugged for a long stretch of time, but moving things back and forth between desktops is way too fiddly.

I’m certainly open to better solutions (or new ones that have come out in the last six months) – suggest away in the comments.

I see three reasons for the Instagram acquisition:

1. Talent
2. Idea
3. Product

If 1 or 2 are the primary reason, the product dies.

70% of the Problem

There was a pretty good tempest in a teacup regarding Readability over the last few weeks. While I’m sure I didn’t exhaust the available material, I did read the articles I linked above as well as a few others. I link to these because they were written by folks I’ve known well by reputation/production (and…