On 27/11/2009, at 9:00 AM, Mark A Corum wrote:

Actually, it would show we are arrogant and cavalier about security -
which are about the worst things you can be in the eyes of an
enterprise customer.

People who are serious about security TEST the security of their
software in a professional, systematic way.  They get experts in the
field and folks who really know what they are doing to make sure
nothing in their code or deployment is opening up websites to attack
or possible compromise of data.

I don't disagree with your points below but testing security via experts is I'm sure what companies like Microsoft do and that hasn't worked out well for them. FOSS has repeatedly shown that security by numbers - ie lots of eyes on code rather than "experts" has made for more secure systems.


The whole "opening your software to hackers" thing is a stunt - a
stunt with very little if any upside, and a huge potential downside.
If someone brings your server to its knees with a Denial of Service
attack or a weakness in the OS you are running on, you can complain
from now until eternity that it wasn't "fair" but the only coverage
you are going to get is "Plone gets hacked."  If no one is able to
hack the site, its not really something worthy of coverage, now is it?

maybe.

Afterall, we are already well known as having one of  the best
security records of any CMS.

I would disagree we are "well known". Plone is general is NOT well known. It's underwhelmingly unknown given its history and competitive advantages such as security. When Drurpal can get recommended as an "enterprise" CMS by Gartner and Alfresco can get away with giving the their product the label "THE open source enterprise content management system" I would say we're not well known. One thing I got out of this years conference is that security is a big competitive advantage of Plone thats easy to explain and has impact. We've only just started marketing that to the outside world. Until Gartner labels us "The secure open source enterprise content management system" I think we have a lot of work to do. If stunts aren't the right way to do it at least we're thinking about it. I'd love to hear some other ideas wouldn't you?


If Plone had previously been weak on security, and had gotten its act
together, this might make sense.  But in reality -- where Plone is a
VERY secure system with a long-term record of protecting sites and
data -- this kind of circus stunt is not a good idea.

Mark




Mark A Corum
User Interface Designer | Online Marketer | Certified ScrumMaster

markcorum on AOL, Googletalk, MSN, Skype, Meebo, TokBox, Facebook,
Twitter and Yahoo;

"Light up the darkness." - Bob Marley
"Quis custodiet ipsos custodes?" (Who watches the watchmen?) -
Juvenales, Satires
"No matter where you go ... there you are." - Buckaroo Banzai



On Thu, Nov 26, 2009 at 4:06 PM, Dylan Jay <d...@pretaweb.com> wrote:
Worst case is really bad publicity.  But then is it?
If it got hacked we'd patch it immediatly and patch most systems out there and we'd explain how that system works in advance. Basically use it to
explain how open source increases security and speed of patches.
It would also show that we take security seriously.

Dylan Jay
Technical solution manager
PretaWeb 99552830

On 27/11/2009, at 2:09 AM, Norman Fournier <nor...@normanfournier.com>
wrote:

Hello,

Worst case scenario. What if we are wrong?

Some smart punk hacks the plone and posts the hack or hints somewhere. How many Macs can we afford to give away? How long can we afford to pay lawyers
to fight spurious claims in court?

A risk analysis should be air-tight before any contest is publicized. Even the smallest give-aways are fraught with legal complications which is why
contest legal copy takes so much space on an entry form.

For me, I am not liking this idea at all. I think there may be more
positive ways for plone to get this message across without exposing the software to a million punk hackers with a goad like both Screw Plone and Win
a Mac at the same time!

My $.02.

Norman

On 2009-11-25, at 10:28 PM, Nate Aune wrote:

I think it's a great idea. Set up a server (perhaps using the
Hardening Plone howto below) and let the games begin!
http://plone.org/documentation/how-to/securing-plone/

Nate

On Wed, Nov 18, 2009 at 11:52 AM, Jan Ulrich Hasecke
<juhase...@googlemail.com> wrote:

Hi all,

what do you think about a hacking contest? We setup a plain plone site and who ever hacks it first wins a mac or a playstation or whatever.

All exploits must be documented of course so that we can fix them.

We promote Plone as a secure system and can document it with the CVE entries but often people say, yeah, but there are a lot less installations of Plone than there are of PHP-systems, so you cannot compare the figures.

So lets challenge the hackers!

This could be an online event with a great publicity effect may be in
the run-up to the World Plone Day.

What do you think?
juh

Jan Ulrich Hasecke
(DZUG e.V.)

--
DZUG e.V. (Deutschsprachige Zope User Group)
www.dzug.org
www.zope.de


_______________________________________________
Evangelism mailing list
Evangelism@lists.plone.org
http://lists.plone.org/mailman/listinfo/evangelism





--
Nate Aune - na...@jazkarta.com
http://www.jazkarta.com
http://card.ly/natea
+1 (617) 517-4953

_______________________________________________
Evangelism mailing list
Evangelism@lists.plone.org
http://lists.plone.org/mailman/listinfo/evangelism


_______________________________________________
Evangelism mailing list
Evangelism@lists.plone.org
http://lists.plone.org/mailman/listinfo/evangelism

_______________________________________________
Evangelism mailing list
Evangelism@lists.plone.org
http://lists.plone.org/mailman/listinfo/evangelism



_______________________________________________
Evangelism mailing list
Evangelism@lists.plone.org
http://lists.plone.org/mailman/listinfo/evangelism

Reply via email to