Juha Saarinen is a tech blogger for nzherald.co.nz.

Juha Saarinen: Learn how to care and share and you will profit

Photo / iStock

The company you and your friends set up has fantastic products and services, and some superbly clever staffers who really know the ins and outs of the technology they work with.

Things are going well, but you'd like to raise the company profile in the wider community, for whatever reason. How would you do that? A boring old marketing campaign? Doing something weird and viral?

How about taking a leaf out of the book of local point-of-sale systems geeks Vend, and doing something good for the community instead?

This week, four Vend staffers and a security researcher from the United States enterprise Linux distributor Red Hat published a great advisory on a potentially very serious security flaw in web applications.

It's a flaw that has been known for the last fifteen (yes, 15) years and which is patched in some software, but not in other software that is commonly used on the Internet.

Not the most obvious one to spot either.

The bug is easy to exploit and do bad things with, so if your organisation runs web servers with vulnerable apps, make sure the proposed fixes (also easy) are applied to stop any potential abuse.
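The column does not say what the flaw actually is, so here is a short model of it, written for this page rather than taken from the advisory or from Vend's code. The flaw is the one the advisory (httpoxy, at httpoxy.org) describes: under CGI-style deployments every request header is exposed to the application as an environment variable named HTTP_<NAME>, so a client-supplied "Proxy:" header turns into HTTP_PROXY, which many HTTP client libraries read as the outbound proxy to send traffic through. The two fixes shown are the ones the advisory recommends: strip the header at the web server, and have client libraries ignore HTTP_PROXY when they are running under CGI. The request headers, host names and function names are constructed for the example, and the proxy lookups are a simplified stand-in for what affected libraries did, not any library's real code.

```python
"""Model of the httpoxy flaw and its two mitigations (added example, not from the article)."""
from typing import Dict, Optional

# Constructed sample request: an attacker-controlled Proxy header among ordinary headers.
SAMPLE_HEADERS = {
    "Host": "app.example.test",
    "User-Agent": "curl/7.49.0",
    "Proxy": "http://attacker.example.test:8080",
}


def cgi_environ(headers: Dict[str, str], method: str = "GET") -> Dict[str, str]:
    """Map request headers to CGI meta-variables the way RFC 3875 (section 4.1.18) does:
    uppercase the name, turn '-' into '_' and prefix HTTP_. This is where 'Proxy' becomes HTTP_PROXY."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_proxy_lookup(env: Dict[str, str]) -> Optional[str]:
    """Simplified model of an affected client library: trust HTTP_PROXY wherever it came from."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def hardened_proxy_lookup(env: Dict[str, str]) -> Optional[str]:
    """Library-side fix: when REQUEST_METHOD is set we are under CGI, so the uppercase
    HTTP_PROXY may have come from a request header and must be ignored. The lowercase
    name cannot be produced by CGI header mapping, so an operator-set http_proxy still works."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def strip_proxy_header(headers: Dict[str, str]) -> Dict[str, str]:
    """Server-side fix: drop the Proxy header before anything downstream sees it. This is what
    `RequestHeader unset Proxy early` (Apache mod_headers) or `fastcgi_param HTTP_PROXY "";`
    (nginx) achieve in the real servers."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy"}


def demo() -> Dict[str, Optional[str]]:
    """Run the constructed request through each path and report which proxy the app would use."""
    vulnerable_env = cgi_environ(SAMPLE_HEADERS)
    fixed_env = cgi_environ(strip_proxy_header(SAMPLE_HEADERS))
    return {
        "vulnerable": naive_proxy_lookup(vulnerable_env),   # attacker's proxy wins
        "server_fix": naive_proxy_lookup(fixed_env),        # header never reaches the app
        "library_fix": hardened_proxy_lookup(vulnerable_env),  # library refuses HTTP_PROXY under CGI
    }


if __name__ == "__main__":
    for path, proxy in demo().items():
        print(f"{path:12s} -> {proxy}")
```

The quick check for your own systems follows from the model: if a request with a `Proxy:` header to any CGI, FastCGI or similar endpoint results in HTTP_PROXY being set in the application's environment, any outbound HTTP request that application makes from inside the request can be redirected through a host the attacker chooses. Stripping the header at the server protects every application behind it, whichever client library it uses.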

Now, the Vend developers who discovered and researched the flaw learnt a thing or two from the Heartbleed security scare two years ago, which saw a rather obscure security bug hit the mainstream media because reporters had something to hang their stories on: a central theme that crystallised what the problem was.

That means the Vend people thought up a cool name - httpoxy - for the flaw, and a snazzy logo and an advisory website with its own domain (httpoxy.org).

The site contains the research and advice needed to fix your systems, credits to those who worked on it, and no tacky plugs for Vend as a company. It's done totally right in that respect and really, it's public relations gold. Money couldn't buy it.


Allowing staff to work on side projects that benefit the larger community is also a great way to bolster morale, and potentially to attract talent to the company, not to mention learning new stuff (building up a security knowledge base is never wrong).

There are some ground rules here though: since Heartbleed, we've had all sorts of hip names for security scares, both serious and insignificant. And that's a shame - having a name instead of, for instance, a numeric identifier helps everyone keep track of security issues, but there's a limit to how many any sane person can process.

If the NUKEMFROMORBIT flaw is hard to abuse and affects only a tiny number of systems, it'll just irritate people if you go over the top with it, no matter how cool the logo might be.

Keep the easy to remember names for the really serious bugs in other words.

Working with the distributors and vendors of the affected products is a must too.

Responsible disclosure so that software patches (if needed) can be developed to fix the bugs benefits everyone.

Dropping news of a huge security hole suddenly and without giving people a chance to fix it first might be tempting as an attention-seeking device, but it's not cool and will undo all the karma your company might otherwise have earnt from the disclosure.

Looking at the bigger picture, the above would be difficult to achieve without open source software. Proprietary code is not something you can rip into and write about in public, especially if it contains defects. Big vendors tend to get grumpy if you do, and sic the lawyers on you.

If you ever have to write a business case to help decide whether to select an open or proprietary code strategy, not being constrained when it comes to caring, sharing and earning important kudos from the community should go into it.

- NZ Herald


Juha Saarinen is a technology journalist and writer living in Auckland. Apart from contributing to the New Zealand Herald over the years, he has written for the Guardian, Wired, PC World, Computerworld and ITnews Australia, covering networking, hardware, software, enterprise IT as well as the business and social aspects of computing. A firm believer in the principle that trying stuff out makes you understand things better, he spends way too much time wondering why things just don’t work.


© Copyright 2016, NZME. Publishing Limited
