I wrote this in my Novell NetWare Tips newsletter back in August, 2001,  joking (I think) about the NSA and CIA. But, perhaps, it was prophetic - or I'd stumbled onto the truth!

*************************************************

What has been truly amazing during the recent flap about Novell’s “Padlock” patch for GroupWise (see “GroupWise Users Fight Mystery Bug”, http://www.nwfusion.com/news/2001/0820gwbug.html) is the large number of network managers who appear to trust Novell implicitly.

Let’s say some other software company, perhaps one with headquarters in the far northwestern part of the US, had done the following:

1)     Send email – often multiple emails – to people requesting they immediately download and install a so-called patch file.

2)    When asked what the patch is for, reply “We’re not giving out details of the problem or the fix”.

3)    Told you to patch all systems within hours, if possible – even though no system had ever been compromised by the so-called “security issue”.

4)    Refused, categorically, to discuss – even in general terms – the area of the security issue (server access, file access, denial or service attacks, etc.).

The outcry from users would be intense! Just look at the endless wrangling now going on over the new Windows Product Activation (WPA) scheme – which could require new activation codes should you modify hardware. Or Microsoft’s plan to require Microsoft Passport (its proprietary “wallet” technology for storing identity information) as part of the “Hailstorm” initiative for the new .NET technologies (and aren’t those a lot of weasel words!). Millions would be convinced that the “patch” was just a way for Microsoft to gain control of your computers, perhaps monitor all of your email! Conspiracy theorists might have them in league with the CIA or the NSA to create dossiers on everyone with an email client. [emphasis added]

Yet Novell does this, and most managers say “OK, we’ll apply the patch.” Even knowing Novell’s bad track record with patch files (think of how many patches or support packs you’ve downloaded, then had to go back to get the “a” revision), network managers and email administrators broke all records for downloads from the Novell web site to acquire and install the Padlock patch.

That’s a large amount of trust in a software vendor. Its been built up over almost 20 years of providing some of the finest products and services available, and it’s a wonder to behold. But just one word of warning, Novell – it only takes one or two small violations of that trust to undo everything you’ve built up over the years.