UPDATE: What once was a story of corporate hubris is now a story of how to handle a mistake. Read what follows -- my original report on this -- and then look to the end to see how Sophos took fast action to atone.

Considering what the IEEE (Institute of Electrical and Electronics Engineers) represents, it is pretty damn amusing that the group left 100,000 usernames and plaintext passwords out in the open for at least a month. However, it astounds me that Sophos -- which recently issued an upgrade to its antivirus software that identified its own security program as malware -- is making fun of IEEE.

The IEEE botch was discovered by a Denmark-based Romanian computer scientist named Radu Dragusin, who reported it to the organization and then wrote about it on the company's blog.

Here's a quote from Paul Ducklin's post on the (usually excellent) Sophos Naked Security blog:

    Dragusin stumbled across publicly readable uploads on the IEEE's FTP server. Bad enough on its own, but a veritable security disaster for the IEEE.

    Seems the organisation was using its upload server as a drop location for log files from the websites ieee.org and spectrum.ieee.org (its online magazine). Ouch.

    According to Dragusin, the logs recorded the details of nearly 400,000,000 HTTP requests.

    These 400,000,000 log entries included the usernames and plaintext passwords of nearly 100,000 unique users.

    How is this bad? Let me count the ways:

    A world writable upload server? Maybe. But never world readable.

    Log all your web traffic? Maybe. But never log plaintext passwords.

    Allow vanilla FTP for uploads? Don't do that. Use SFTP or scp instead.

Let's get one thing straight: I respect Sophos. It makes good products and, as noted, its blog is a good source of information. And Lord knows I like schadenfreude a lot; probably more than the next person.

But it takes some pretty big transistors to make fun of an organization's security problem when, a week ago, an update to the Sophos antivirus program detected parts of its own software as malicious code. Once it had detected them, the software disabled and/or deleted those parts, which included its ability to auto-update and thus repair itself.

How is this bad? I'll let Sophos customers count the ways.

The company's blog post on this was terse to the point of practically being a haiku. All customers got was a cursory "we apologize for the inconvenience." (The CEO's apology is here.)

Do unto others as you do unto yourself, folks. When (not if) I make a mistake I identify it clearly and make fun of myself, too. A few of the words I've used about me when acknowledging my own failings: idiot, moron ... there's more.

So Sophos, I'm sorry to get all John 8:7 on you, but you've been humbled and apparently decided to ignore that.

Leave the sarcasm to the pros.

------------------------------------------------------------------------------------------------------

THE REST OF THE UPDATE: My experience is that few companies ever, ever, ever admit to making a mistake. When they do, it's a long time later and covered in verbal gobbledygook; it wasn't a "retreat," it was a "tactical realignment" sort of thing.

Well, not so for Sophos.

This post went up Friday afternoon, I think around 2.

Here's what landed in my email at 3:28 that day:

    You make a valid point about the Naked Security article. The tone was inappropriate, especially in light of recent events. We have amended it based on your feedback.

    Thank you for alerting us to it.

    Carole Theriault
    Head of Naked Security

That, ladies and gentlemen, is how you should respond when you mess up. As my mother always told me, "Don't argue with people when they are right."
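Sniping aside, the one item in the Naked Security checklist quoted above that every web team can act on today is "never log plaintext passwords." Credentials usually reach an access log because a form submits them in a GET query string and the server dutifully records the full request line. What follows is an added example, written for this column; it is not code from IEEE, Sophos or the author of this post, and the combined log format, the list of sensitive parameter names and the sample lines are all assumptions I made up for illustration. It does two things: scrubs credential values out of a request line before it is written, and audits an existing log to count how many lines already leak which fields.

```python
"""Scrub credentials out of web access-log lines before they are written,
or audit a log that already exists to see how badly it leaked.

Added example for this column; not code from IEEE, Sophos or the author.
The log format, the parameter names and the sample lines are assumptions.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit, urlunsplit

# Query-parameter names that must never reach a log with a real value.
# Assumed list; extend it for the application being protected.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "token"}

# Combined log format (the Apache/nginx default): the request line sits in
# quotes after the timestamp.  A line that does not match is returned
# untouched rather than dropped, so a scrubber bug never costs audit trail.
LOG_LINE_RE = re.compile(
    r'^(?P<prefix>\S+ \S+ \S+ \[[^\]]+\] ")'
    r'(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[0-9.]+)'
    r'(?P<suffix>".*)$'
)
QUERY_PAIR_RE = re.compile(r'(?P<name>[^&=]+)=(?P<value>[^&]*)')


def redact_target(target):
    """Redact sensitive query values in a request target.

    Returns (redacted_target, names_found).  Only the offending values are
    rewritten; the path, the other parameters and their original encoding
    are preserved so the log stays useful for debugging.
    """
    parts = urlsplit(target)
    if not parts.query:
        return target, []
    found = []

    def scrub(match):
        name = unquote(match.group("name")).lower()
        # An empty value leaks nothing, so leave it alone and do not count it.
        if name in SENSITIVE_PARAMS and match.group("value"):
            found.append(name)
            return match.group("name") + "=REDACTED"
        return match.group(0)

    query = QUERY_PAIR_RE.sub(scrub, parts.query)
    if not found:
        return target, []
    return urlunsplit(parts._replace(query=query)), found


def redact_log_line(line):
    """Return (line_with_credentials_scrubbed, names_found) for one log line."""
    line = line.rstrip("\n")
    m = LOG_LINE_RE.match(line)
    if not m:
        return line, []
    target, found = redact_target(m.group("target"))
    if not found:
        return line, []
    fixed = f'{m["prefix"]}{m["method"]} {target} {m["proto"]}{m["suffix"]}'
    return fixed, found


def scan_log(lines):
    """Audit an existing log: how many lines leak which credential fields.

    Returns {"lines": total, "leaking_lines": n, "fields": Counter}.
    """
    fields = Counter()
    leaking = 0
    total = 0
    for line in lines:
        total += 1
        _, found = redact_log_line(line)
        if found:
            leaking += 1
            fields.update(found)
    return {"lines": total, "leaking_lines": leaking, "fields": fields}


# Constructed sample lines for the demonstration; not real IEEE traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Sep/2012:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [18/Sep/2012:10:01:09 +0000] "GET /login?username=alice&password=Hunter2%21 HTTP/1.1" 302 0',
    '198.51.100.4 - - [18/Sep/2012:10:02:15 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.4 - - [18/Sep/2012:10:03:40 +0000] "GET /api?Token=abc123&q=x&pwd= HTTP/1.0" 200 77',
    'garbage line that is not in combined format',
]


if __name__ == "__main__":
    for sample in SAMPLE_LOG:
        print(redact_log_line(sample)[0])
    print(scan_log(SAMPLE_LOG))
```

Call `redact_log_line` in the path that writes the access log (a logging filter, or the script that ships logs to central storage), and run `scan_log` over archives before anyone copies them to a shared server. The scrubber only looks at the request line, which is what an access log records; credentials sent in a POST body never appear there unless application code logs them separately. Note that even a perfectly scrubbed log still has no business on a world-readable upload server, which was the other half of the IEEE problem.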