On 27/11/2009, at 9:00 AM, Mark A Corum wrote:
Actually, it would show we are arrogant and cavalier about security - which are about the worst things you can be in the eyes of an enterprise customer.
People who are serious about security TEST the security of their software in a professional, systematic way. They get experts in the field and folks who really know what they are doing to make sure nothing in their code or deployment is opening up websites to attack or possible compromise of data.
I don't disagree with your points below but testing security via experts is I'm sure what companies like Microsoft do and that hasn't worked out well for them. FOSS has repeatedly shown that security by numbers - ie lots of eyes on code rather than "experts" - has made for more secure systems.
The whole "opening your software to hackers" thing is a stunt - a stunt with very little if any upside, and a huge potential downside. If someone brings your server to its knees with a Denial of Service attack or a weakness in the OS you are running on, you can complain from now until eternity that it wasn't "fair" but the only coverage you are going to get is "Plone gets hacked." If no one is able to hack the site, it's not really something worthy of coverage, now is it?
maybe.
After all, we are already well known as having one of the best security records of any CMS.
I would disagree we are "well known". Plone in general is NOT well known. It's underwhelmingly unknown given its history and competitive advantages such as security. When Drupal can get recommended as an "enterprise" CMS by Gartner and Alfresco can get away with giving their product the label "THE open source enterprise content management system" I would say we're not well known.
One thing I got out of this year's conference is that security is a big competitive advantage of Plone that's easy to explain and has impact. We've only just started marketing that to the outside world. Until Gartner labels us "The secure open source enterprise content management system" I think we have a lot of work to do.

If stunts aren't the right way to do it at least we're thinking about it. I'd love to hear some other ideas, wouldn't you?
If Plone had previously been weak on security, and had gotten its act together, this might make sense. But in reality -- where Plone is a VERY secure system with a long-term record of protecting sites and data -- this kind of circus stunt is not a good idea.
Mark
Mark A Corum
User Interface Designer | Online Marketer | Certified ScrumMaster
markcorum on AOL, Googletalk, MSN, Skype, Meebo, TokBox, Facebook, Twitter and Yahoo;
"Light up the darkness." - Bob Marley
"Quis custodiet ipsos custodes?" (Who watches the watchmen?) - Juvenal, Satires
"No matter where you go ... there you are." - Buckaroo Banzai
On Thu, Nov 26, 2009 at 4:06 PM, Dylan Jay <[email protected]> wrote:
Worst case is really bad publicity. But then is it?

If it got hacked we'd patch it immediately and patch most systems out there and we'd explain how that system works in advance. Basically use it to explain how open source increases security and speed of patches.

It would also show that we take security seriously.
Dylan Jay
Technical solution manager
PretaWeb 99552830
On 27/11/2009, at 2:09 AM, Norman Fournier <[email protected]> wrote:
Hello,
Worst case scenario. What if we are wrong?

Some smart punk hacks the plone and posts the hack or hints somewhere. How many Macs can we afford to give away? How long can we afford to pay lawyers to fight spurious claims in court?

A risk analysis should be air-tight before any contest is publicized. Even the smallest give-aways are fraught with legal complications, which is why contest legal copy takes so much space on an entry form.

For me, I am not liking this idea at all. I think there may be more positive ways for plone to get this message across without exposing the software to a million punk hackers with a goad like both Screw Plone and Win a Mac at the same time!

My $.02.
Norman
On 2009-11-25, at 10:28 PM, Nate Aune wrote:
I think it's a great idea. Set up a server (perhaps using the Hardening Plone howto below) and let the games begin!
http://plone.org/documentation/how-to/securing-plone/
Nate
On Wed, Nov 18, 2009 at 11:52 AM, Jan Ulrich Hasecke <[email protected]> wrote:
Hi all,
what do you think about a hacking contest? We set up a plain Plone site and whoever hacks it first wins a Mac or a PlayStation or whatever.

All exploits must be documented of course so that we can fix them.

We promote Plone as a secure system and can document it with the CVE entries, but often people say, yeah, but there are a lot less installations of Plone than there are of PHP systems, so you cannot compare the figures.

So let's challenge the hackers!

This could be an online event with a great publicity effect, maybe in the run-up to the World Plone Day.

What do you think?
juh
Jan Ulrich Hasecke
(DZUG e.V.)
--
DZUG e.V. (Deutschsprachige Zope User Group)
www.dzug.org
www.zope.de
_______________________________________________
Evangelism mailing list
[email protected]
http://lists.plone.org/mailman/listinfo/evangelism
--
Nate Aune - [email protected]
http://www.jazkarta.com
http://card.ly/natea
+1 (617) 517-4953