In late February, Digital Defense, an Internet security company, found a minor (certainly not “critical”) vulnerability in an early version of pt360. The vulnerability basically allowed someone with intimate knowledge of TFTP servers to use our software to access privileged directories on target machines. That is, our software wasn’t the problem per se, but someone could maliciously use our software to access privileged directories. We patched the software to prevent the improper use about five hours later, in conjunction with Digital Defense, and issued a press release. Not one report surfaced of even one malicious use of our software. That was seven months ago. That was the end of the story…until now.
Promisec is a security company that got some PR from IDG for its online encyclopedia. We were included on their list of “top 5 threats” because they had dated/incorrect information from the February incident. Their warning is factually incorrect on too many levels to describe in a blog; however, let me mention just a couple.
First, the problem was solved within five hours. This was not noted by Promisec even though the problem was solved months ago. Second, because Promisec didn’t do their homework, they relayed their incorrect information to the good people at IDG without checking with us or with Digital Defense to substantiate their position, and IDG in turn published the article. Shame on IDG for publishing the article without checking facts, and double shame on Promisec for their reckless, unsubstantiated allegation that our software is a “critical” threat to the Internet as a whole (or was ever a “critical” threat). Now, I am a huge fan of the work of IDG and remain one of their largest advocates. In fact, their rags provide the most in-depth knowledge of our space (network management) in the industry. But let’s be clear: only 106 people downloaded the affected software. As of this writing, and as of Promisec’s article in IDG, only 4 (that’s right – FOUR) of those users had used the software since March. While we’re honored to be mentioned in the same company as Google, MySpace and Skype (the other companies on the “critical” threat list), we’re baffled how our 106 users (err, 4 – and we know them all) of that version of our software are anything more than a minor nuisance to themselves, much less a “critical” threat to the 4.5 billion people on the Internet.
(By the way, for all of you Ethereal / Wireshark users: they also said that Wireshark was a threat to the Internet. So that does put things in perspective, I guess.)
We’ve spoken to the editors of IDG News Service, as well as the online editors of PCWorld and InfoWorld (where the article was published). We expect a correction in the next day or so. Digital Defense may also be quoted in the correction, stating that the issue was resolved months ago. I am sure that Promisec does good work, and I surmise that this was just an oversight on their part.
Steve
1 response so far

Dave Parry // Aug 23, 2008 at 8:48 pm
Welcome to the new world of publishing…no trained professionals, no fact-checking, no oversight – just instantaneous publishing of anything that sounds remotely scandalous.