Home page logo
/

bugtraq logo Bugtraq mailing list archives

Cluestick Advisory #000
From: cluestick () hushmail com
Date: Thu, 27 Jun 2002 00:43:56 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cluestick advisory #000.  June 26, 2002.

Denial of service by Novell: The Cluestick Manifesto

"I'm pretty annoyed, and would rather not take it anymore."
Surreal
- - - - -
This document started as another futile email to Novell Technical
Services. I've decided my time is better spent on an open letter
to Novell.  I hope to help pursuade them to adopt a modern bug &
security issue reporting protocol, thereby improving my quality of
life as a Netware administrator.  I don't presume  to dictate specifics,
but note that even Microsoft was eventually flogged into a reasonably
effective stance after inadvertently spawning the Full Disclosure
movement.

Novell's Incident System hasn't changed much, if at all, in the last ten
years. I'm planning to deploy Netware 6, but there are issues I feel
should be corrected before I put it into production.  The more I look,
the more issues I find.  This bodes ill.  My initial issues have closed
Novell support incidents associated with them, yet they remain unfixed
and undocumented to Netware users.  That's rather, well, "lame".

There are currently three choices for addressing bugs in Novell
products:

Option #1 - "Shout at the darkness"
Identify and document a bug. Submit a report through the Bug Report form
buried deep within the support.novell.com website.  Hope that someone
reads the report, fixes the bug, and documents the issue.

Novell will not acknowledge that the report has been received, or that
the bug, or a fix, exists.  That method has failed me for three out of
three problems over the last five months, and each time I've tried it in
the past.  It appears to be 100% ineffective.

Option #2 - "I beg thee, consider my plight!"
This is Novell's Suggested Approach... Document the bug and a method to
reproduce it.  Call Novell on the phone; wait on hold; open an incident.

One might use the on-hold time productively by lobbying the boss for
$300.00 "for a little while" to report the bug to Novell, explaining:
"if Novell also thinks this is a bug, we'll get the money back!"  When the
call is answered, try to explain the problem in short, common usage words
to a first-tier "technician" who hasn't the vaguest clue what you're
talking about.  Plan on making a day of it; you'll be on the phone a long
time.

I really don't know how the option #2 scenario resolves as I've never
used it for reporting a bug.  It's the Last Resort for when NDS gets hosed.

Some BOFH dreamed up that protocol at a drunken office party, right?
Recall that we, the customers, have already spent a chunk of cash for
Netware, and are providing a service by identifying problems and documenting
system defects.  Thank you, no.  I'll pass on option #2.

Option #3 - "Can you hear me now? Good!"
Identify the bug and a method to reproduce it.  Document the issue,
highlighting the immediate and potential risks and send it to public
mailing lists in hopes of inspiring a timely fix.  This method works, and
generally gets quick results. This is most recently evidenced by the speedy
resolution and patch of the HTTPSTK.NLM buffer overflow.

Cluestick release #001, to follow shortly, will detail an issue reported
to Novell in January of this year.  It's a server hang or reboot with Netware
5.1 and 6, and still exists at current patch levels.

I don't plan to disclose issues more than weekly; it's not my goal to make
Netware admins as miserable as their Windows-laden compadres.  When Novell
wakes up and changes, I'll adopt their (surely awesome) new reporting
protocol.

Maybe they'll finish running themselves out of business before that happens.
Idunno.  I'm just saying it's "No more Mr. Patient Geek" on my end.

If you have a Novell incident (Netware 5.1 or 6) that you're losing
sleep over, send me your notes and perhaps we can get a fire lit under You
Know Who.
//

An actual live human at Novell broke character and wrote:

The following message was sent from Novell Technical Services as a
response to your incident.

In order to respond, use your World Wide Web browser to access the
Electronic Incident pages on the Novell Support
Connection(http://support.novell.com/servlet/incident).  After entering
your customer information, select the option to update your incident.

=======================================================

Beloved,

I am closing a bug report on <meat of cluestick 002 deleted>.  This is
a known issue and is being looked at.  Bug reports are not designed to
give feedback to those who open them.  If a customer needs or wants
feedback, a regular incident should be opened and if the issue turns out
to be a bug, the charges or the incident will be reversed.  Bug Reports
are for us to catch issues (defects) before they nail us unexpectedly.
We have found that this does work as designed, but the vast amount of
bugs found by customers are caught in regular incidents.

Joe Helpful <not his real name>
Novell, Inc., A Leading Provider of Net Business Solutions
www.novell.com
1-800-255-2707

<Dr. Evil> Riiiiight. </Dr. Evil>

a Novell Support Connection droid also wrote:

This e-mail is being sent to notify you that incident #xxxxxxx has been
closed.  (See Incident Description below.)  You can view the incident
history
by going to  http://support.novell.com/servlet/incident and entering
your
name, e-mail address, and PIN.  If you require additional assistance on
this
issue, you may enter that request at the URL above or contact your local
Novell Support Center within 5 working days.

Novell Customer Services would like to thank you for using our Support
Services.

The Novell Support Connection
http://support.novell.com
1-800-858-4000 or 1-801-861-4000

Note: Replies to this message go to the Novell webmaster, not to technical
support personnel.  Please use the procedures above to obtain additional
technical support.

Incident Description:
<snip>

Unfortunately, I didn't select option #2 and have no PIN.  I suspect
that if I looked it up, the text would read: "Incident #xxxxxxx has been
closed."

Since I'm *here*... Greetz to K.O. (ya hippie), all the little people
(gotta love leprechauns), Ken Olsen, and GOBBLES, who recently *obliterated*
the existing speed record for most rapidly improved written English, held by
Vesselin B. lo these many years.  Everyone at The Reg, natch, and those rad
Ethik4l Cr4ck3rz at ISS.

Dosvidanija, y'all.
Surreal -- cluestick () hushmail com
//

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wl4EARECAB4FAj0awjwXHGNsdWVzdGlja0BodXNobWFpbC5jb20ACgkQ5Ecz5W4o0Q3/
PACfa+yGGL0PDy8tSkrKqhpVnZvC1RoAoL9D48nUnj0/BQkw6pfCaZ6NxyQF
=Aw4M
-----END PGP SIGNATURE-----


Communicate in total privacy.
Get your free encrypted email at https://www.hushmail.com/?l=2

Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople


  By Date           By Thread  

Current thread:
  • Cluestick Advisory #000 cluestick (Jun 27)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]