Kaseya delays SaaS restore to Sunday, CEO says ‘this sucks’ but decision was his alone

Beleaguered IT management software vendor Kaseya has delayed the restoration of its SaaS services until Sunday, July 11. An update to the company’s incident guidance report includes a video message from CEO Fred Voccola, who took personal responsibility for the delay. “It is my decision to do this to pull the release from …

  1. Velv

    I assume Fred Voccola is aware of the history of the three envelopes, and has already progressed to retrieving envelope three from the Company safe.

  2. Pascal Monett Silver badge

    “This was the hardest decision of my career,”

    I'm pretty sure that there will be harder ones in the future.

    That said, I have come to believe that Kaseya should have the benefit of the doubt. White hats have pointed out that Kaseya reacted swiftly and properly to vulnerability alerts, and did everything it could to plug the holes as swiftly as possible.

    Unfortunately, the criminals got in first. You cannot guard against bad luck.

    I'm now convinced Kaseya is doing what it can to pick up the pieces and put everything back together again. All the noises being made point to a team that is working its ass off and trying its best to recover from the situation.

    I no longer think that Kaseya was asleep at the wheel. I feel sorry for everyone involved, and I really wish someone could stop those despicable criminals.

    Good luck, Voccola.

    1. Anonymous Coward

      Re: “This was the hardest decision of my career,”

      "You cannot guard against bad luck."

      Yes and no. You cannot prevent criminals exploiting aspects of your product where they don't comprise part of the threat model, and you cannot entirely prevent bugs exploited by the people who find them. However, you can move more quickly than taking 3 months to fix a bug someone told you about, especially one that has obvious customer security implications. Move faster. It's worth taking some risk when stuff like this happens: you should have a good regression test suite already, and if the fix passes, you probably want to publish the patch, not after the 90 days the reporter gave you but NOW! Always assume that criminals and states (same thing really) are actively exploiting the bug. Quick quick quick! If you aren't sure the fix is right, tell your customers anyway and give them some other mitigation. The bad guys are always way ahead of you; don't convince yourself otherwise.

      It's not just bad luck; it's hopeful assumptions. If you are a vendor and someone reports a security-relevant bug, you must assume that someone somewhere is already exploiting it against *YOUR CUSTOMERS*. If you love your customers, if you respect and care for them, you must move as fast as humanly possible or faster. 3 months is a crime. They could have done better, and should have. Assuming that the reporter was the first or only discoverer, or that the knowledge won't leak, is just naive optimism. MOVE FASTER.

  3. sitta_europea

    When this company approached my company about providing a service, I said "Over my dead body."

    I will continue to say that to all these "me too" outsourcing suppliers as long as this body has life left in it.

    We don't let engineers audit the accounts, and with good reason.

    For the life of me I cannot understand why we let accountants make engineering decisions.

    It's fucking crazy.

  4. Doctor Syntax Silver badge

    “exponentially more secure”

    In that context what does "exponentially" mean and what is it more secure than?

    1. Claptrap314 Silver badge

      His career, hopefully.

    2. HildyJ Silver badge

      Exponentially - explanation

      Since security was zero, “exponentially more secure” is a true statement.

      Zero raised to any power is still zero.

      1. Anonymous Coward

        Re: Exponentially - explanation

        Not true. Zero raised to the zeroth power is usually held to be 1, though admittedly in some branches of mathematics it's considered to be undefined. It's almost certainly not 0. The unreliable source's article on it is moderately informative. Also, zero to any negative power would be infinite (of whatever cardinality any other division by zero is).

        Going from level 0 security to 1 would be a very significant improvement!
