To techies, “marketing” has always been a four-letter word. My own first exposure was in the Browser Wars of the Nineties, when Microsoft was widely held to have won by “marketing” (pronounced with extreme scorn). That attitude is alive and well today:
☑ register http://t.co/ZGfyHkwhcr domain
☑ get custom graphic designed
☐ disclose to distros in advance
☑ disclose to public
— keyist (@keyist) April 8, 2014
Luckily, this time around there are people calling out that attitude as misguided: What Heartbleed Can Teach The OSS Community About Marketing:
Remember CVE-2013-0156? Man, those were dark days, right?
Of course you don’t remember CVE-2013-0156.
Compare “Heartbleed” to CVE-2014-0160, which is apparently the official classification for the bug. (I say “apparently” because I cannot bring myself to care enough to spend a minute verifying that.) Crikey, what a great name that is.
The open-source community has always had a bit of a hair-shirt attitude to it: if you can’t hand-code your own YAML config files at the command-line and recompile your entire toolchain at least once a month, you are not worthy. That’s all well and good, but at some point you have to be able to talk to other people, especially when what you do has become critical infrastructure. This may - shock, horror - require you to engage with marketing.
Guess what? It’s not that bad. The sort of “marketing” that offends OSS purists is generally bad marketing. It’s mis-targeted, content-free, and exaggerated - and none of those things are goals of good marketing. I can say that, since I have the word “marketing” right there on my business card, and also patched my home Linux server against Heartbleed.
Better marketing, and communications in general, is the only way we are going to solve the problem of poorly-funded and -managed open-source software becoming critical infrastructure. From the WSJ (emphasis mine):
Matthew Green, an encryption expert at Johns Hopkins University, said OpenSSL Project is relatively neglected, given how critical of a role it plays in the Internet. Last year, the foundation took in less than $1 million from donations and consulting contracts.
Donations have picked up since Monday, Mr. Marquess said. This week, it had raised $841.70 as of Wednesday afternoon.
Guess what? Eight hundred bucks doesn’t buy much code review. “I think I’m going to audit some code for buffer overflows this Saturday night”, said no-one ever. The way to get more attention to the problem… is marketing.
tl;dr version: CISO pays for pen-test, receives ridiculous report. In addition to involving legal, he shares it with a prominent security blogger. Hilarity (and viral hashtag #ScumbagPenTester) ensue.
My favourite bit of the report is probably this:
MySQL configured to allow connections from 127.0.0.1. Recommend configuration change to not allow remote connections.
used to put stuff like this in pen tests to see if my boss was paying attention.
This sort of thing happens in every industry, but what shocks me is that someone would try it on in an area like security. If you know you need a pen-test, surely you know enough to recognise 127.0.0.1?
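For the record, here is the check that finding should have been built on, as an added example that is not part of the original post: a small Python function that reads the `[mysqld]` section of a my.cnf and reports whether the server is reachable only from the local host (a loopback address such as 127.0.0.1 or ::1), not reachable over TCP at all (`skip-networking`), or reachable from remote hosts. The config fragments inside are constructed samples, not anything from the report.

```python
import configparser
import ipaddress

# Constructed my.cnf fragments (not from the post) covering the cases a
# reviewer has to tell apart before writing "allows remote connections".
LOOPBACK_ONLY = "[mysqld]\nbind-address = 127.0.0.1\n"   # the report's "finding"
ALL_INTERFACES = "[mysqld]\nbind-address = 0.0.0.0\n"    # genuinely remote-reachable
NO_TCP = "[mysqld]\nskip-networking\n"                   # Unix socket only


def _classify_address(raw):
    """Return 'local' for a loopback bind address, 'remote' otherwise."""
    raw = raw.strip().strip('"\'')
    if raw in ("*", "0.0.0.0", "::"):
        return "remote"          # wildcard: listens on every interface
    if raw == "localhost":
        return "local"           # resolves to a loopback address
    try:
        return "local" if ipaddress.ip_address(raw).is_loopback else "remote"
    except ValueError:
        return "remote"          # a hostname we cannot resolve offline: assume exposed


def mysql_exposure(my_cnf_text):
    """Classify who can reach mysqld over TCP from its [mysqld] settings.

    Returns 'none' (skip-networking), 'local' (bound only to loopback
    addresses) or 'remote' (bound to a non-loopback address, a wildcard,
    or unbound, which MySQL treats as all interfaces).
    """
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(my_cnf_text)
    if not cp.has_section("mysqld"):
        return "remote"          # server defaults apply: all interfaces
    mysqld = cp["mysqld"]
    if "skip-networking" in mysqld or "skip_networking" in mysqld:
        return "none"
    raw = mysqld.get("bind-address", mysqld.get("bind_address", "*"))
    # MySQL 8.0.13+ accepts a comma-separated list; one remote entry is enough.
    verdicts = {_classify_address(a) for a in raw.split(",")}
    return "remote" if "remote" in verdicts else "local"
```

Run against the sample fragments, the report's "127.0.0.1" configuration comes back `local`, i.e. it already is the hardened state the report recommends.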