But which do I pick? There's this, from CCP Sreegs, either completely misunderstanding or completely misstating the role of a competent security professional in today's Internet:
My job is response, not reviewing every single line of code that gets written.
Note to CCP Sreegs: you can't afford to be reactive in today's Internet. Only proactive will do. Or there's this, from CCP Wrangler, the first real apology for a CCP screw-up that I can recall... well... ever:
You have my sincere and personal apology and I also apologize on behalf of CCP.
Well said. Or there's this, from Helicity Boson, who states in a very few words some core truths about today's Internet and what CCP Sreegs should have been doing:
And no matter what, that you didn't even see the error in your login design for forum posting and the documented injection holes in the forum you gutted to serve as a base for "your" 72,000 man hour project is pretty damning.
You need peer reviews of code, you need penetration tests.
So, pick whichever of the three quotes you personally like best. ;-)
You'll note I left specific technical details out of my own blog post on Saturday because I didn't want to further spread the word about the vulnerability or specifically how it works. But CCP seems to be doing what they can to downplay the issue, which is the wrong response. Take it from me, guys: you don't downplay security issues. You treat them as serious, business-breaking issues, no matter how minor they appear to be. You take them seriously. Your customers expect nothing less.
So, here are some of the details, as posted on Helicity Boson's blog. Go give them a read.
CCP Sreegs has promised a devblog about this issue, and I'm sure I'm going to have more to say about it once that's posted.