More insanity at ClearBooks

by admin on August 31, 2011

in Cloud Computing/SaaS

What is the matter with ClearBooks? This is beyond stupid. And if that wasn’t enough, when you click the big fat orange Demo Login button, it mysteriously redirects to KashFlow. I contacted Duane Jackson, CEO of KashFlow, to find out if they hacked ClearBooks. His response:

Must be another of those features only they have. And apparently they’re now on the Yodlee network and want your bank login info. Yeah right.

Actually, it doesn’t matter whether it was hacked or not, this is plain nutty.

UPDATE: the defective link has now been fixed, but that still leaves the question open: what happened? Nothing on the blog.


Accounts August 31, 2011 at 10:39 pm

While having unsanitised fields is very poor form for Clearbooks, what Duane did is spectacularly unprofessional. Redirecting through bitly makes this look more sinister than if it were just a straight redirect to kashflow.

dahowlett September 1, 2011 at 12:00 am

Well – I asked the question directly and this is the answer I got. Read into that what you want, but it doesn’t actually matter because, whoever has done what, it demonstrates really poor security at ClearBooks’ end – whether internal or external.

Stuart Jones September 1, 2011 at 5:40 am

I agree wholeheartedly about security but whoever set up the redirection in the first place wasn’t just “spectacularly unprofessional” they have questioned the trust placed in them by their customers whichever company employs them.

What they must also remember is that investors (and accountants) don’t approve of this behaviour, which is directly related to values.

dahowlett September 1, 2011 at 7:40 am

@stuart – you’re missing the point. See my response to Stuart Lynn. It is a technical discussion that is easy to misunderstand and therefore throw the blame elsewhere.

Stuart September 1, 2011 at 8:57 am

In my simple way I thought there were only two possible parties involved. I can see that it could be anyone.

Quite why anyone would bother I do not know. Maybe that’s why I’m a member of a profession.

Stuart Lynn September 1, 2011 at 7:31 am

I completely concur with Stuart Jones here… and moreover I feel it does actually matter who has done what. These actions have completely overstepped the mark of what is acceptable behaviour (maybe even criminal behaviour) and I wouldn’t be surprised if Clearbooks take some action against the perpetrator.

dahowlett September 1, 2011 at 7:38 am

@stuart – a bunch of us had a discussion on this tonight in San Francisco. It’s easy to point the finger at KF but in truth, anyone who understands cron jobs redirection could have done this, so to point the finger of blame at KF utterly misses the point. If a vendor has such a poor grasp of security that this can happen, then what does that say about the totality of the service? I could, for example, go do something similar, plus hide my immediate identity via a hidden VPN and, in the process, throw the light of ‘blame’ on KF. I published KF’s entire response. Whether anyone chooses to believe it or not is fine, but that is NOT the technical issue.

Stuart Lynn September 1, 2011 at 12:28 pm

Dennis,
Just to be clear, I deliberately didn’t attempt to identify the idiot who did this… I’ll leave that to Clearbooks to pursue as they so wish. I’m more disgusted by the behaviour rather than the technical knowhow and my assertion was merely that this type of behaviour amongst professional people oversteps the mark IMHO.


Live Flex September 1, 2011 at 12:55 pm

What is a cron jobs redirection? Never heard of that before.

martin_english September 1, 2011 at 12:07 am

Someone is attempting to fix it… when I click on the demo button I get the page https://secure.clearbooks.co.uk/static/login_demo/ saying
“Whoops, something unexpected has happened. Please let us know how you ended up here by emailing support.”

Anonymous September 5, 2011 at 9:41 am

This is a bizarre episode alright. 
I’ve chipped in my tuppence worth on http://www.SaaSintheUK.com, here - http://saasintheuk.blogspot.com/2011/09/clear-books-spotted-with-foot-in-mouth.html

Cheers
Neil

Daniel September 19, 2011 at 6:40 pm

Disappointed at Duane Jackson and his appalling grammar.

dahowlett September 1, 2011 at 2:51 pm

A cron job is a timed program that executes at a specified moment. Redirection is what happened here.

dahowlett September 1, 2011 at 2:54 pm

@stuart – I don’t see why. Competitors spend oodles of time pawing at each others’ solutions – and that’s the ‘good’ stuff. Have you not seen the antics that vendors get up to in the enterprise space?

dahowlett September 1, 2011 at 2:56 pm

The reason people do this is to expose technical weakness. It used to be something much of the industry frowned upon; now it is part of life. Some communities in which I participate are the subject of daily hack attempts. It is another reason why security is a big topic in SaaS/cloud and features in EVERY discussion I have with enterprise buyers.

Live Flex September 1, 2011 at 3:13 pm

OK, I fully understand Cron jobs and Redirection as separate items. It seems from your original blog post that they are linked in some way… that’s the part that I don’t get.

Stuart Lynn September 3, 2011 at 7:39 am

I don’t buy that Dennis, I still think this is frowned upon by most ethical players in the industry… Even if some choose to turn a blind eye it still doesn’t make it okay… Last time I looked, not only was this sort of thing in breach of anti competitive laws, it was also a criminal offence.

dahowlett September 3, 2011 at 7:56 am

You may not buy it Stuart but I see it. It is question no. 1 from every enterprise buyer I’ve spoken with in the last year. Only this week I was discussing security audit on electronic document delivery and signing services with a company about to make investments in the UK. Earlier today (my time) I was engaged in a detailed conversation about the security model SAP uses in its mobile applications.

The fact of the matter is that a significant number of SaaS/cloud providers don’t take this topic as seriously as they might. You might recall your own company’s deficiencies in that area. And let’s be clear… I am not condoning anything here, but which would you rather – a hack that exposes weakness, or waiting until someone with REAL malicious intent comes on the scene and blows up your data? Or… was it all an act of rank stupidity by ClearBooks themselves? That company’s silence speaks volumes IMO.

If taking an ethical stance means ignoring fundamental weakness then no, I’m not going to ignore that or point the finger at those responsible for exposing the weakness. It may not meet your criteria for ethical behaviour but I would argue that putting a customer’s data at risk is much worse.

And how is it anti-competitive to point out a massive flaw of this kind?

Stuart Lynn September 3, 2011 at 9:39 am

For the record, I absolutely get what you’re saying about security and I’m 100% aligned with you on this.

I remember a long time ago you made what I thought was an excellent comment that “in the interests of the customer it would be better to tell the vendor if you discover an issue and give them time to fix it, before you tell the world and his wife.”

Seems to be the other way around these days… #justsaying
