Now the discussion is getting interesting.  :)

Allow me to add my 2 pieces to the ever-increasing stack of pennies.

Aren't those hacking episodes an attack on our collective pride at CLUG?
Are we going to crawl back into the "safety" of straight HTML because we think it's too much work to secure open source software? I hope not, since I would find it rather embarrassing if we admitted defeat so easily.


So if we want to have the added sophistication and capability of a dynamic website (i.e. software), then the process is a rather common one for IT software projects.


Question 1: What do we want/need? Features, specs, etc. - basic CMS? - polls? - what else, if anything?

Question 2: Build or buy or outsource (or, in the case of free - as in beer - software, "buy" becomes "acquire")?
- building is a ton of fun and learning, if there are interested people
- but building doesn't happen overnight, and there is no guarantee that a volunteer effort will ever be finished; it may run out of steam
- so one needs at least a temporary solution for the short term, and as a fallback if the building takes longer or never finishes
- outsourcing could be to something like Yahoo groups, which have quite a bit of the required functionality - for any other group maybe the most reasonable choice, but probably a bit wimpy for a group of Linux and OSS enthusiasts!


Question 3: So if we're acquiring software (at least for the short term), and since security has clearly become an overriding concern, the acquisition question comes down to which approach to security we take:
- do we get something a bit more secure by design and by the mentality and track record of the creators (this approach would eliminate PHPNuke), or
- do we deal with the security issues as an add-on (like Roy has for LLUG)? Then a widely popular and vulnerable system probably has rather useful security add-ons (like much of the software originating in certain parts of the north-western U.S.!)


Question 4: "Project" resourcing and leadership?
- does the executive feel they have enough time, desire and qualifications to handle this amongst themselves, or
- is additional volunteer help from other members needed / desired? A new mailing list for this project maybe? A meeting or two with experienced and interested members? Both?


Question 5: Integrated or "best of breed" approach?
- integrated typically provides single login, consistent GUI, and security administration metaphor, but has more bloat (unneeded features).
- "best of breed" allows more liberty in the choice of components, but tends to require more integration effort for the different pieces to provide at least a single login, or it requires more ongoing maintenance effort to manage the different logins. This may not be a big problem if the number of site maintainers is small and the rest of the site is public.


Anyway, just some thoughts from someone who has done quite a few of these kinds of software projects.

...Niels

p.s. Let me know, if you need any help.





bogi wrote:

I will agree with you here. Nuke has had a history of security mishaps, and that steady flow of faults being found every now and then would suggest to me there is something not good about the way the site was designed. <paranoia> every time a bug is published, we are consequently defaced with it even before a patch would be available; it does seem that clug is very high on someone's to-do list </paranoia> And from here stems the suggestion that we should create our own CMS, with only the functionality we actually need, and with security in the top-most position in our minds. I think this could be a good task for prog-sig, but this is a question to be decided yet.
And I would also agree with Shawn that yes, we are able to create a functional and secure active website with adequate and secure content management without the need for pre-fabricated.
The other option is to go completely static, with a decent server, which should be next-to-impossible to deface, bar a few very difficult tricks. The drawback is no active content, and maintenance would be cumbersome at best. Naturally, if the admin password is lost or guessed, the site would be open.


I would also look at what Roy is saying. The Monoculture is an issue, only made worse by the poor security model of Nuke.

my $0.02 CAD
Cheers
Szemir

On September 6, 2004 10:46, Curtis Sloan wrote:


On Mon September 6 2004 10:24, Roy Souther wrote:
<snip>



many more steps than I have listed here. I would like to point out that,
yes, PHP-Nuke is near the top of the list of most frequently compromised
sites, but that I believe is more due to the fact that it is the
number one most popular Open Source CMS.


I'm in no position to compare (I don't even know what the other offerings
are, let alone have data to back any conclusions) but I would like to point
out, as food for thought, two fundamental issues central to security in
general:

1)  Design with security in mind.  I can't analyze PHP-Nuke because I'm not
familiar with its code or development process, but the feeling I've gotten
from others over the years is that its poor security history stems at least
partly from poor design.  Feel free to refute.

2)  Monoculture.  Yes, ubiquity makes for more prominent targets and
increased activity.  But it is only part of any explanation behind rampant
security breaches.  That being said, if one's site experiences multiple
breaches in only a few months time, moving away from that monoculture is a
wisely added layer of security.  No breach is ever acceptable, no matter
what product is being used.

<snip>



running PHP-Nuke. Does that make them any more secure? The fact that the
PHP-Nuke security holes are exposed faster than other CMSs' is not a
comfort but a benefit.


Not if you're being hacked in the wild.  :-P



I have stopped upgrading PHP-Nuke in favor of adding my own security
changes and watching what new changes become available. The author of
PHP-Nuke tends to be less interested in security with his changes and
more reliant on others to fix his mistakes. Only human.


On the other hand, if security is important to you and not the vendor, why
use their product?



Just my $0.02. I am no expert in security. I am learning as I go.


I'll second that for myself.  :-)

I will take this opportunity to voice my appreciation for the Executive's
continued dedication to protecting current investments in CLUG and
improving beyond what we have.  I am also sympathetic to the additional
effort it takes to act on that as opposed to maintaining status quo, and
the work required to rectify this particular situation.  Thank you very
much for working on our behalf!

Sincerely,
Curtis

_______________________________________________
clug-talk mailing list
[EMAIL PROTECTED]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca



