User comments on ISPs
  >> PlusNet plc


Standard User deleted
(deleted) Mon 21-May-07 19:48:31

Re: Strong Passwords!


[re: rsharma] [link to this post]
 
And now they've done it.... what will it take to get a positive response...

Not aimed at you RS, just clicked reply.

Occasionally good comes out of bad....
Standard User h0tblack
(knowledge is power) Mon 21-May-07 19:51:12

Re: Strong Passwords!


[re: IanWild] [link to this post]
 
QA was something that has concerned me with the rapid rollout of these changes, not so much the password issue, but some of the larger changes. But if you've found more streamlined and efficient ways to do things and are confident stuff's been done at least as well as it was in the past, then great. Just add in some ongoing checking and hopefully you won't be caught out again (Or at least if you are it will be a lot harder for anyone to accuse the company of complacency).
ISP Representative IanWild
(isp) Mon 21-May-07 19:54:12

Re: Strong Passwords!


[re: rsharma] [link to this post]
 
Yes - We get asked to do lots of things all of the time though!

The work had been scheduled, but not above some of the other stuff we had promised to deliver, and a couple of things, such as the frontpage / hosting system upgrade were seen as dependencies initially. We were going to bundle this into the 'one portal' project iirc, which was going to enter development quite soon (It is on hold for the moment). Once we have that in place, it will actually make all other work we have to do on our portal a lot easier, because we won't need to make every change 4 times. As such it was seen as more urgent than making changes on code we were going to replace anyway.

I can explain our thinking behind all of this, but please don't think I'm trying to defend what in hindsight we have been proven to have got wrong!

Ian

Ian Wild
PlusNet Product Development Team

About the Comms Team
Our Portal Forums
The UserGroup Forums
The above post has been made by an ISP REPRESENTATIVE (although not necessarily the ISP being discussed in the post).



ISP Representative IanWild
(isp) Mon 21-May-07 20:02:33

Re: Strong Passwords!


[re: h0tblack] [link to this post]
 
It's a fair concern - We didn't QA the new webmail platform as much as we would have liked, and we didn't do as much work on skinning and bug fixing as I would have liked (Squirrel does have a few functionality flaws), but a lot of us spent our own time working on the solution and even I got nominated as a sign off point for part of the server builds (It's been 4 years since I was a network bod, but it all came back quite quickly thankfully!)...

We'd have had the new webmail platform out even sooner if it weren't for deciding to encrypt a load of the squirrelmail databases and take some other non-standard security precautions, just in case!

Ian


Ian Wild
PlusNet Product Development Team

Standard User rsharma
(knowledge is power) Mon 21-May-07 20:07:27

Re: Strong Passwords!


[re: IanWild] [link to this post]
 
Ian, if it had been a simple matter of hindsight being infinitely wiser than the present I wouldn't have even brought it up. The fact is that you ignored security on a number of occasions at the expense of developing something tangible for the customers. PN might pay the price, but usually it is the customer. That PN don't think it is a priority to protect their valuable customer database is quite amusing, but customers suffering because of ongoing problems with security isn't.

>Yes - We get asked to do lots of things all of the time though!
Maybe, but this wasn't a fancy toy being requested. These requests were of paramount importance, ones where everything else could and should have waited until these had been implemented (almost 2 years and counting?). Your email report tomorrow is something even I look forward to reading.

-------------------------------------------------------
Plusnet: The Truth (Blog)
Formal Complaints Process
Testing Connection Speeds
Plusnet LLU and Your Rights
Standard User rsharma
(knowledge is power) Mon 21-May-07 20:10:22

Re: Strong Passwords!


[re: h0tblack] [link to this post]
 
>Sadly there are a number of unanswered questions over passwords, but chris is probably just toeing the party line. this approach unfortunately sometimes causes more problems than good, especially on these forums.

I think you have it spot on. The sooner PN staff learn not to spin the story the better everyone will be for it.

ISP Representative IanWild
(isp) Mon 21-May-07 20:12:27

Re: Strong Passwords!


[re: rsharma] [link to this post]
 
As per SS announcement earlier, the incident report won't be ready for tomorrow - It has taken us longer to understand the nature of all of the issues than we first expected. Wednesday seems realistic now...

I don't think we ignored security, especially not of our customer database (The thing we know as workplace, which has not been compromised in any way here), but I do agree that we were caught out on this one and I don't see any disagreement between us about that at all.

Ian

Ian Wild
PlusNet Product Development Team

Standard User h0tblack
(knowledge is power) Mon 21-May-07 21:04:24

Re: Strong Passwords!


[re: IanWild] [link to this post]
 
Oh Squirrelmail is far from perfect, but at least you're running something a bit more up to date and lightweight. It's suffered its fair share of vulnerabilities and I'm sure it will continue to do so in the future. But hopefully this experience has taught PlusNet more about how to deal with them.

It's always best to go that extra mile. I hope you can build on this experience and continue to polish things with whatever solutions are decided upon for the future of the webmail platform.

Standard User h0tblack
(knowledge is power) Mon 21-May-07 21:11:58

Re: Strong Passwords!


[re: IanWild] [link to this post]
 
If workplace had been compromised I don't think PlusNet would exist for much longer. It is after all the crown jewels of the company.. or has been said to be so in the past. Security may not have been ignored but it has certainly been lax in certain areas, including reporting of security issues to customers. For instance, if a customer-facing system is compromised, bite the bullet and tell them what they need to know immediately. They'll thank you later. I could suggest that auditing of systems needs to be looked at too, but maybe it's better to wait until the report drops.

Shame that the report has been delayed yet again. I'm not a fan of rushing things out, but setting realistic expectations may be another lesson some people can learn from this. So many things get delayed with PlusNet, then people have to come up with excuses, then people get annoyed. Hmm.. I'm sure I've said this before.

Anyhow, I've said it a couple of times, but I'll say it again. Thanks for the password fix!

Standard User deleted
(deleted) Mon 21-May-07 21:48:56

Re: Strong Passwords!


[re: deleted] [link to this post]
 
"You will not be forced into changing your existing details so anyone with a
password not meeting this criteria can continue using their current
credentials."

Is it just me or does that statement fly in the face of "taking security seriously"? What is the point of having a strong password policy if you are not going to enforce it?