
There’s a Whole Lot of Shakin’ Going On

by Administrator on December 20, 2006

NeoScale CEO Barbara Nelson, someone I happen to like, responded today to the email notification from Decru (see a couple of posts back: Predatory Practices…) regarding alleged “holes” in the NeoScale storage security offerings attributed to CERT.


Yes. Sorry I didn’t get to you sooner – we’re having a blow out end of quarter/year so it’s really busy.

So on the NetApp/Decru deal. They sent a barrage of different emails to customers, partners, analysts and press. In the piece to customers and partners, they completely fabricated information describing a serious security problem that flat out doesn’t exist, and then cut and pasted the CERT doc to look like that was what the CERT was about.

We did have a very low level vulnerability reported in a CERT — although it was an issue with legacy product and it is not an issue in our product shipping. Obviously this information is conveniently omitted.

All in all, surprising lack of ethics given they are now part of NetApp. I’m flattered they are resorting to desperate tactics – perhaps it’s an indication of the competitive pressure we are applying to win deals…..

I’m attaching our official response — but here’s a quick overview for you:

1. NetApp/Decru created a targeted marketing campaign misrepresenting the CERT report

Decru used some pivotal language in their communication that was simply incorrect: ‘An attacker who obtains a user password can “gain access to the System Key” without presenting a smartcard.’

This statement is completely false, is not included anywhere in the CERT advisory, and has nothing whatsoever to do with the CERT advisory.

2. NetApp/Decru said this is a “significant vulnerability”

CERT categorizes reported vulnerabilities according to a ‘Severity Metric’ that ranges from 0 to 180 (180 being the most severe). This particular vulnerability is rated “Not Critical” at 0.64 (zero point six four). In CERT terminology, a significant vulnerability is one that would be handled with a CERT Technical Alert (as opposed to an advisory like this) and is indicated by a Severity Metric of over 40.

3. CERT advisory contains three sections: Description, Impact, and Solution.

In the screenshot that NetApp/Decru emailed, they conveniently omitted the third section giving the impression this was an unfixed problem.

The third section contained the fact that a software upgrade would address the problem, details of exactly how NeoScale has fixed the problem and the fact that it was already fixed in v2.6.

Thanks for sending this on to us. Have a great holiday.


Our response:  Thanks for the quick clarification, Barbara.

Sounds like Decru is being naughty.  Maybe Santa will leave them coal in their stockings this year.

