Re: (ot) Fed Reserve Hack
On Thu, Feb 7, 2013 at 9:02 PM, Maureen mamamaur...@gmail.com wrote:
> The Fed does use contractors but the background check is extensive, and the access to the banking systems are very closely guarded.

Many of the ColdFusion developers at the Fed are full time. Of those who I know personally, they are definitely not dull pencils.

-Cameron

~| Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354402
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: (ot) Fed Reserve Hack
Having worked for the Federal Reserve as a full time CF developer and also currently working as a federal software developer (not using CF), I just wanted to clarify something. The Federal Reserve is not a federal agency, with the exception being the Federal Reserve Board of Governors. All of the individual branches are not federal. The folks that I worked with there in IT were really pretty sharp individuals. They do have quite a huge information security department too as they are a huge target for hackers. They do pay pretty well, but the job security and benefits package (good healthcare, pension, vacation) are the draw.

While I have only been on the federal side for a couple years, I think the pay and benefits are really good. Most of the developers are at the GS-13 scale which can run around 86-115k, it depends on your step and location. The GS-14 is around 102-135k. There are far fewer technical GS-15 folks, but they would run about 123-155k. For anyone that is interested, the OPM site lists the various steps and grades. The usajobs.gov site lists any openings for anyone that should be interested. The IRS has a bunch of Java and COBOL openings right now for those so inclined. From what I have seen, the state openings do tend to pay quite a bit lower, but a lot of the time they have very generous pensions.

> I don't know about the pay level at the Federal level. I saw a posting for ColdFusion jobs with the State of MN (where I live) a couple years back and it was so far underpaid that I cannot imagine even a fresh newbie wanting to work at that scale. MN does hire its own coders so that's why I thought the Fed did it that way too.
>
> Wil Genovese
> Sr. Web Application Developer/ Systems Administrator
> CF Webtools www.cfwebtools.com
> wilg...@trunkful.com www.trunkful.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354438
Re: (ot) Fed Reserve Hack
some more great publicity for Adobe/CF

On Thu, Feb 7, 2013 at 6:24 PM, Che Vilnonis ch...@asitv.com wrote:
> With all of the talk of CF security I thought I'd pass this along. According to Chris Wysopal of VeraCode, the site was running Coldfusion.
>
> https://www.veracode.com/blog/2013/02/stolen-data-headers-from-the-federal-reserve-hack/
> http://www.huffingtonpost.com/2013/02/05/federal-reserve-security-breach_n_2622698.html

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354351
Re: (ot) Fed Reserve Hack
This goes to show the poor quality of coders in the Government more than weaknesses in ColdFusion. Same for SysAdmins that fail to follow the lock down procedures. Any web application can be poorly written and any server can be poorly administered.

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools www.cfwebtools.com
wilg...@trunkful.com www.trunkful.com

On Feb 7, 2013, at 12:33 PM, Russ Michaels r...@michaels.me.uk wrote:
> some more great publicity for Adobe/CF

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354352
Re: (ot) Fed Reserve Hack
Govt generally don't have their own coders, they outsource everything to agencies, who then outsource to contractors, and nothing is checked by anyone in between.

Regards
Russ Michaels
www.michaels.me.uk
www.cfmldeveloper.com - Free CFML hosting for developers
www.cfsearch.com - CF search engine

On Feb 7, 2013 6:36 PM, Wil Genovese jugg...@trunkful.com wrote:
> This goes to show the poor quality of coders in the Government more than weaknesses in ColdFusion. Same for SysAdmins that fail to follow the lock down procedures. Any web application can be poorly written and any server can be poorly administered.
>
> Wil Genovese
> Sr. Web Application Developer/ Systems Administrator
> CF Webtools www.cfwebtools.com
> wilg...@trunkful.com www.trunkful.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354356
Re: (ot) Fed Reserve Hack
I don't know about the pay level at the Federal level. I saw a posting for ColdFusion jobs with the State of MN (where I live) a couple years back and it was so far underpaid that I cannot imagine even a fresh newbie wanting to work at that scale. MN does hire its own coders so that's why I thought the Fed did it that way too.

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools www.cfwebtools.com
wilg...@trunkful.com www.trunkful.com

On Feb 7, 2013, at 2:00 PM, Russ Michaels r...@michaels.me.uk wrote:
> Govt generally don't have their own coders, they outsource everything to agencies, who then outsource to contractors, and nothing is checked by anyone in between.
>
> Regards
> Russ Michaels
> www.michaels.me.uk
> www.cfmldeveloper.com - Free CFML hosting for developers
> www.cfsearch.com - CF search engine

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354357
Re: (ot) Fed Reserve Hack
Wow, that's a really scary thought!

On 2/7/2013 1:00 PM, Russ Michaels wrote:
> Govt generally don't have their own coders, they outsource everything to agencies, who then outsource to contractors, and nothing is checked by anyone in between.
>
> Regards
> Russ Michaels
> www.michaels.me.uk
> www.cfmldeveloper.com - Free CFML hosting for developers
> www.cfsearch.com - CF search engine

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354358
Re: (ot) Fed Reserve Hack
Most of the Fed I've worked with, the coders are pretty exclusively contractors on the CF side. From talk of those that have been here a fairly long time, this started when the vast majority of the Fed were turned private way back in the day in order to save money. But, like many ideas in that vein, it hardly ever works out that way. So the handlers are Fed, but the people doing day to day operations are pretty much all contractors. That's the branch that I've worked with, other branches of the Fed may be different however.

--
Matthew Williams
Geodesic GraFX
www.geodesicgrafx.com/blog
twitter.com/ophbalance

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354359
Re: (ot) Fed Reserve Hack
And people wonder why hackers keep getting in and stealing data lol.

Regards
Russ Michaels
www.michaels.me.uk
www.cfmldeveloper.com - Free CFML hosting for developers
www.cfsearch.com - CF search engine

On Feb 7, 2013 8:13 PM, Matthew Williams mai...@geodesicgrafx.com wrote:
> Most of the Fed I've worked with, the coders are pretty exclusively contractors on the CF side. From talk of those that have been here a fairly long time, this started when the vast majority of the Fed were turned private way back in the day in order to save money. But, like many ideas in that vein, it hardly ever works out that way. So the handlers are Fed, but the people doing day to day operations are pretty much all contractors. That's the branch that I've worked with, other branches of the Fed may be different however.
>
> --
> Matthew Williams
> Geodesic GraFX
> www.geodesicgrafx.com/blog
> twitter.com/ophbalance

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354364
Re: (ot) Fed Reserve Hack
I think it is sometimes unfair to blame ColdFusion 100% of the time, some of these administrators may have other technologies that are installed and never patched, which can expose ColdFusion and other languages running on the server.

But if it was ColdFusion that was hacked or an exploit in ColdFusion was used, it is also another reason I maintain ColdFusion, or more to the point CFML, needs to adopt an MVC framework. It doesn't need to be full blown but it needs to be enough to give a basis that other framework authors can hook into. The more ColdFusion is locked down to single entry points rather than every single file the better, and it would make it harder for these hackers to get and run files uploaded to the server.

--
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354366
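One concrete way to get the single-entry-point lock-down Andrew argues for, as an added example that is not part of the thread and not taken from any CFML framework: an Application.cfc whose onRequestStart refuses to serve any template other than index.cfm by URL, so a .cfm that lands in the webroot through an upload flaw cannot be invoked directly and every request has to go through the dispatcher. The application name, the log file name and the allow-list are assumptions of the example.

```cfml
// Application.cfc -- hypothetical added example, not code from the thread or any framework.
component {
    this.name = "single-entry-demo";   // assumed application name

    // The only template that may be requested by URL. Controllers, views and any
    // file that reaches the webroot by other means are reachable only through the
    // dispatcher in index.cfm, never directly. (Allow-list is an assumption.)
    variables.allowedEntryPoints = [ "index.cfm" ];

    // Runs before every .cfm/.cfc request handled by this application.
    public boolean function onRequestStart(required string targetPage) {
        // targetPage is the script path, e.g. "/app/admin/old_backup.cfm"
        var requested = listLast(arguments.targetPage, "/");

        if (!arrayContainsNoCase(variables.allowedEntryPoints, requested)) {
            // Record the attempt: repeated hits on unknown .cfm names are a useful
            // detection signal for someone probing for a dropped file.
            writeLog(
                file = "entrypoint-guard",   // assumed log file name
                type = "warning",
                text = "Blocked direct request for #arguments.targetPage# from #cgi.remote_addr#"
            );
            // Deny with no body; abort stops the target template from executing.
            getPageContext().getResponse().setStatus(403);
            abort;
        }
        return true;
    }
}
```

Two caveats worth keeping in mind before relying on this: onRequestStart only fires for requests ColdFusion itself handles under this Application.cfc's directory tree, so a subdirectory that contains its own Application.cfc, or a file type the web server serves without involving ColdFusion, is not covered. It belongs alongside, not instead of, the usual lock-down steps: store uploads outside the webroot, and add a matching deny rule at the web server so non-entry templates are never passed to ColdFusion in the first place.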
Re: (ot) Fed Reserve Hack
I think that is what was being implied anyway in previous replies, that it isn't just cf that is to blame.

Regards
Russ Michaels
www.michaels.me.uk
www.cfmldeveloper.com - Free CFML hosting for developers
www.cfsearch.com - CF search engine

On Feb 7, 2013 10:31 PM, Andrew Scott andr...@andyscott.id.au wrote:
> I think it is sometimes unfair to blame ColdFusion 100% of the time, some of these administrators may have other technologies that are installed and never patched, which can expose ColdFusion and other languages running on the server.
>
> But if it was ColdFusion that was hacked or an exploit in ColdFusion was used, it is also another reason I maintain ColdFusion, or more to the point CFML, needs to adopt an MVC framework. It doesn't need to be full blown but it needs to be enough to give a basis that other framework authors can hook into. The more ColdFusion is locked down to single entry points rather than every single file the better, and it would make it harder for these hackers to get and run files uploaded to the server.
>
> --
> Regards,
> Andrew Scott
> WebSite: http://www.andyscott.id.au/
> Google+: http://plus.google.com/113032480415921517411

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354369
Re: (ot) Fed Reserve Hack
The Fed does use contractors but the background check is extensive, and the access to the banking systems are very closely guarded. They do have some Coldfusion sites, mostly forward facing and not connected to secure areas of the bank. This hack looks like it hit an email alert system for disasters rather than secure banking area. The money handling portion of the Fed is locked down very tight. They don't even let humans touch it til it gets to the banks.

On Thu, Feb 7, 2013 at 12:00 PM, Russ Michaels r...@michaels.me.uk wrote:
> Govt generally don't have their own coders, they outsource everything to agencies, who then outsource to contractors, and nothing is checked by anyone in between.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354398