The bare minimum should at least be as I stated.
Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com
On 28 Mar 2014 03:16, Raymond Camden raymondcam...@gmail.com wrote:
As has been explained *multiple* times, there is no one solution (in terms
of settings) that will
Except everyone I know who has tried to follow the lock down guide has ended
up with a broke cfserver.
Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com
On 28 Mar 2014 02:43, Raymond Camden raymondcam...@gmail.com wrote:
Paying attention to the requirement to
On Thu, Mar 27, 2014 at 8:14 PM, Raymond Camden raymondcam...@gmail.com wrote:
Right - but you said Adobe was ignoring this. Please back your statement
up. I said the CF team could possibly do more. But I do not agree that they
are ignoring the issue.
I did not say Adobe was ignoring the
G'day:
I'm concerned about how Adobe have implemented the list-oriented member
functions in ColdFusion 11. And I was hoping to capture some community input
as to what other people think, before raising it with Adobe:
Sorry, forgot to come back to this.
This is not a false analogy because [etc]
But it *is* a false analogy because it's generally a government requirement for
people to be licensed to drive a car before they can use one, so it's
reasonable to assume from the outset of the sale process that a
Yes yes yes, I know it's been done and done again here. I'd like to know
the opinion of some of you who've been down this road a few times - it's
quite a while since I've moved hosts.. here's my issue:
I need to move to a new hosting company from the one I have my small
business sites on.
After days of cringing as these emails come through, I am going to chime in
briefly.
If there is such a glaring hole in the ColdFusion platform, and there is a
need for it to be filled, is there an obvious business/product opportunity
here?
The ColdFusion ecosystem is large, and as the title
On Fri, Mar 28, 2014 at 5:21 AM, Mike K wrote:
I am thinking of a virtual server in the cloud, moving to Linux and Railo
from Windows2003 Server and ColdFusion.
We are working on a similar move with a client right now and here's what
advice I can give based on the decisions we made.
Only
Mike,
Based on what you've outlined below, and what you're already aware of, I would
say the biggest challenge for your migration is going to be in migrating the
databases from SQLServer. That one can be tricky but there are a number of good
tools out there to help you do that.
In answer to
Maureen mamamaur...@gmail.com wrote:
Honestly, if you are selling a software product that requires
additional lock down after installation, you might could get the
attention of those hiding in their cubicle by putting a large notice
of such at the beginning of the installation
I will also mention, that running on Windows does not need to incur any
license costs
Most VPS hosts will give you Windows Server Web Edition for free, and some
can give ANY edition for FREE, because it doesn't cost them anything on
your SPLA licensing model.
You can also run Railo and CF
I am picturing a 2-fold system. A web-based scan for common
vulnerabilities from outside, and a more detailed scan of the system from
inside.
Hi Jerry, you basically just described HackMyCF.com and their security
scanner and monitoring tool.
-Justin
Having been there/done that myself, I would follow Cameron's described
route. You don't want to be debugging so many different issues at once on
an OS you aren't intimately familiar with (and maybe not familiar at all).
You mentioned you are on Win2003. Have you by chance missed out on running
If you let your nephew install a server and don't
bother to double check his work, that is *your* fault, no one else.
What does this matter when the bad juju blows back publicly on the product
itself?
Blaming the customer for problems in other channels typically doesn't tend
to end well for
I can't say I've read every post, but I have read most.
One point I'd like to take up is this business of the CF install and
security. I've seen all sorts of statements made about sys admins and their
duties which as a past sys admin and IT Manager I found interesting.
The idea that any
Dave wrote
But I think there's an important difference in expectations between
providing services and selling tools. My customers expect me to know
how to do things right - to understand how my tools work. When you buy
a tool, you are expected to know how to use the tool, and there is
only
Good Gawd! Some of you are like a dog with a bone.
The facts:
1) Something Happened
2) It Got Publicized
3) There Are A Lot of Ticked Off People
We can debate who is at fault until we are blue in the face. The fact of
the matter is, all of it is in the past. We can not change the past.
Adobe
You have all said your piece here,
in the very public openness of the web, where Google will pick it up and
run, and allow the naysayers to say see, even their own community
^^ +1 ^^
<cfhorse beaten=true dead=true />
<cfabort>
it doesn't take any expertise, this is the whole point, anyone can do it
(badly)
sure something may break by being locked down, but as I said earlier, you
have 2 choices..
1. out of the box install, not secure, but your site works just fine.. So
nothing to learn unless you choose to. User
sure something may break by being locked down, but as I said earlier, you
have 2 choices..
1. out of the box install, not secure, but your site works just fine.. So
nothing to learn unless you choose to. User continues in blissful ignorance.
2. out of the box, locked down and secure, but
Application servers are inherently complex, and it takes a certain
level of expertise to set them up. There's no getting around that.
You're right.
However, there are two approaches that can be taken in installation procedures.
One year ago I had to move from a W2003 to a W2008 server and to a
I think you will find many folks already did that years ago, myself
included.
On Fri, Mar 28, 2014 at 5:38 PM, Steve 'Cutter' Blades
cold.fus...@cutterscrossing.com wrote:
Good Gawd! Some of you are like a dog with a bone.
The facts:
1) Something Happened
2) It Got Publicized
3) There
1. out of the box install, not secure, but your site works just fine..
This is Adobe's approach
2. out of the box, locked down and secure, but site may break, so you have
And this is Microsoft's
You're quite right.
Imagine a family buys a car, and by default the airbags and anti-lock brakes
are not enabled.
Indeed, they are in the trunk, under the spare tire, but it's up to you to go
to the manufacturer's site and download instructions to install them ;-)
If you let your nephew install a server and don't
bother to double check his work, that is *your* fault, no one else.
What does this matter when the bad juju blows back publicly on the product
itself?
Blaming the customer for problems in other channels typically doesn't tend
to end well
but for CF to have a
backdoor entry point as standard in the install is plainly stupid and it has
not helped sell CF as an option.
This is exactly the point.
Order the Adobe Coldfusion Anthology now!
if you think no-one uses Windows web servers then you are wrong, very wrong.
It would seem you also think that Windows is not locked down by default,
that may have been true once upon a time, but is no longer the case and
hasn't been for many years. Certainly since Windows Server 2008, you must
Imagine a family buys a car, and by default the airbags and anti-lock
brakes are not enabled.
Indeed, they are in the trunk, under the spare tire, but it's up to you to go
to the manufacturer's site and download instructions to install them ;-)
Obviously none of you have ever owned a
2. out of the box, locked down and secure, but site may break, so you have
And this is Microsoft's
It's Microsoft's approach ... now. But it took them a long time to get
there. And the sheer weight of legacy code probably had something to
do with that. And I think Microsoft server products
I see lessons in seeing sarcasm are needed
Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com
On Mar 28, 2014, at 1:02 PM, Russ Michaels r...@michaels.me.uk wrote:
if you think no-one uses Windows web
if you think no-one uses Windows web servers then you are wrong, very wrong.
Uh, yeah, I know that. That was my point.
It would seem you also think that Windows is not locked down by default,
that may have been true once upon a time, but is no longer the case and
hasn't been for many
On 03/28/2014 10:52 AM, Dave Watts wrote:
This explains why absolutely no one uses Windows web servers.
Some data on this topic:
http://news.netcraft.com/archives/2014/03/03/march-2014-web-server-survey.html
IIS looks great in the all sites category but is seemingly dead in the
Active sites
It's Microsoft's approach ... now. But it took them a long time to get there.
You're probably right. The point here is that it is taking Adobe an even longer
time.
OMG You mean ColdFusion 11 is public :P
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411
On Sat, Mar 29, 2014 at 4:38 AM, Steve 'Cutter' Blades
cold.fus...@cutterscrossing.com wrote:
Good Gawd! Some of you are like a dog
I doubt it would have made any difference as there still would have been
only the same choices, and the reasons for choosing Windows over Linux or
Others would have remained the same, for folks that wanted a simple GUI to
work either vs command line.
On Fri, Mar 28, 2014 at 6:04 PM, Dave Watts
I am particularly amused by the last category where NGINX has more
marketshare than IIS in the top million busiest sites.
I'm not all that surprised. Very busy sites are likely to have better
infrastructure. Nginx makes a very good reverse proxy for internal
servers. I have a customer in the
consider this
Imagine a family buys a car, and by default the airbags and anti-lock
brakes are not enabled.
Somewhere deep in the manual is a mention of following a safety setup
guide and you are expected to follow this guide and make changes to your car
to make it safe and secure.
Now imagine
On 03/28/2014 11:13 AM, Dave Watts wrote:
Very busy sites are likely to have better infrastructure.
IIS can function great as a reverse proxy. You'd think these companies
would want to save the cost of training their employees on new web
servers/proxies when they could simply use IIS for this
The idea that any application is installed on a server that is open to the
internet, or even if used internally, should be installed in such a way that
is open to hacking by default is, quite frankly, ridiculous.
I've got bad news for you. Stick this in Google:
[product] default
Jordan and Dave,
Thanks! You just helped me solve a totally unrelated problem on an IIS site
with a lot of static content requests. I've got several servers using Apache as
a reverse proxy to NGINX but I don't know why it didn't occur to me to look
into doing the same for IIS...
Jon
On
I also once had a client who did this, they were Linux heads who thought
that hiding the sucky insecure windows/cf server behind a linux server
and doing a reverse proxy would make it secure.
But of course it didn't as everything still works the same way, the SQL
injections still got through, the
I also once had a client who did this, they were Linux heads who thought
that hiding the sucky insecure windows/cf server behind a linux server
and doing a reverse proxy would make it secure.
There is no such thing as make it secure, of course. But it is more
secure. It solves one specific
A locked door is useless if you leave the windows open.
Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com
On 28 Mar 2014 19:09, Dave Watts dwa...@figleaf.com wrote:
I also once had a client who did this, they were Linux heads who thought
that hiding the sucky
OMG You mean ColdFusion 11 is public :P
I'm hearing Stroz in the back of my head... 10.5 10.5 have a
great weekend!
-Justin
Re: The long tail of analogy hell.
On 3/28/14, 4:42 PM, Russ Michaels r...@michaels.me.uk wrote:
A locked door is useless if you leave the windows open.
Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com
On 28 Mar 2014 19:09, Dave Watts dwa...@figleaf.com wrote:
I
If you pound sand long enough it might turn into glass. Or not.
One of my favorite quotes from a friend I used to work with was: Is the
juice worth the squeeze?.
Southern wisdom at its finest.
G!
--
Gerald Guido
Twitter https://twitter.com/CozmoTrouble
Blarg
There are people doing that, and their entries are being closed
without comment, even when they request comment. So what's the point?
Also, QA and debugging are usually paid positions, except for open
source software. If Adobe wants to make CF open source, I will be
happy to volunteer some
For the Love of God
On Fri, Mar 28, 2014 at 8:30 PM, Maureen mamamaur...@gmail.com wrote:
There are people doing that, and their entries are being closed
without comment, even when they request comment. So what's the point?
Also, QA and debugging are usually paid positions, except
Oh, does he work at Adobe now?
On Fri, Mar 28, 2014 at 5:35 PM, Jerry Milo Johnson jmi...@gmail.com wrote:
For the Love of God
On Fri, Mar 28, 2014 at 8:30 PM, Maureen mamamaur...@gmail.com wrote:
There are people doing that, and their entries are being closed
without comment, even
Thank you everybody, I'm glad I asked. I have changed my plan now.
Cameron and others made a good point. I was trying to do too many
things at once. My plan now is to get a new hosting environment as
similar as possible to my current one, so it gives me the most chance that
I'll be
Also, QA and debugging are usually paid positions, except for open
source software. If Adobe wants to make CF open source, I will be
happy to volunteer some time to help fix it. Otherwise, not my job.
Bugs happen... as a developer I'm sure you've had clients bring bugs
to you and you've
Maureen,
This is one of my extreme pet peeves with Adobe, in the last 10+ years, is
the length of time it takes from a bug being reported to being fixed is in
the years, not days or months, but literally years. I have bugs that were
reported in the 2006-2008 days, that are still not fixed in
Justin, yes I reported this to Adobe during the ColdFusion 10 beta. I can
confirm and hope that by the fact that the ticket has been marked fixed,
that this is now in ColdFusion 11 as a fix.
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+:
The scenario you describe is vastly different than me telling my
clients if they want the next version of my software to be secure they
have to download and install a beta with known problems, test it,
record flaws, suggest features and solicit votes for those flaws to be
fixed and the features
54 matches