On Thu, 26 Nov 2009 17:00:15 -0500, Mark A Corum wrote:
> Actually, it would show we are arrogant and cavalier about security - which are about the worst things you can be in the eyes of an enterprise customer.

Would we? I do not agree here. Plone is different, and even enterprise customers start to get the idea.

> People who are serious about security TEST the security of their software in a professional, systematic way. They get experts in the field and folks who really know what they are doing to make sure nothing in their code or deployment is opening up websites to attack or possible compromise of data.

Isn't an award like this the free software way of using collective knowledge to test our system? I'm sure people who are trying to hack Plone are doing it in a systematic way. And I'm sure they are experts; maybe they aren't professionals in security testing, but often those people have more knowledge, and their motivation is much higher than that of an employee of some self-proclaimed security-testing company.

> The whole "opening your software to hackers" thing is a stunt - a stunt with very little if any upside, and a huge potential downside. If someone brings your server to its knees with a Denial of Service attack or a weakness in the OS you are running on, you can complain from now until eternity that it wasn't "fair" but the only coverage you are going

It's for sure a stunt. It's always a stunt to place a server in public :-) And an award like this needs to follow clear rules. Also, we need to protect the system against (D)DoS attacks and similar with a good firewall etc., so it is not done with installing Plone on an almost vanilla (but secured) OpenBSD. On the other hand: having it documented how we secured the system is very valuable. Security by obscurity is the worst and is to be avoided.

> to get is "Plone gets hacked." If no one is able to hack the site, it's not really something worthy of coverage, now is it?

Well, I think the best that can happen is if we can tell the world: 30 of the best hackers tried it, but there's no way.

> After all, we are already well known as having one of the best security records of any CMS.

Well, this is neat, but if you need to tell facts, the only ones we have are stats: PHP vs. Python, Joomla vs. Plone. OK, NASA, CIA and FBI trust in Plone. So what? Reputation is perfect, but all these are soft facts.

> If Plone had previously been weak on security, and had gotten its act together, this might make sense. But in reality -- where Plone is a VERY secure system with a long-term record of protecting sites and data -- this kind of circus stunt is not a good idea.

So if this thread and your last sentence are read by anyone evaluating Plone's security, it looks like you're afraid "something" will be found and the reputation- and stats-based security record of Plone will be polluted. This may happen, but then we show security is important to us, and we use the community way to ensure our system is secure. Plone is the community, and it's not a company. We do it differently: we are not Plone the enterprise and do not hire security experts. We _are_ security experts, we the community. And we the community should say we now check our system in our way: the same successful path Plone took in requirements and development is needed also for security field-testing.

best regards
Jens W. Klein (aka jensens)

> Mark A Corum
> User Interface Designer | Online Marketer | Certified ScrumMaster
> markcorum on AOL, Googletalk, MSN, Skype, Meebo, TokBox, Facebook, Twitter and Yahoo;
> "Light up the darkness." - Bob Marley
> "Quis custodiet ipsos custodes?" (Who watches the watchmen?) - Juvenal, Satires
> "No matter where you go ... there you are." - Buckaroo Banzai
>
> On Thu, Nov 26, 2009 at 4:06 PM, Dylan Jay <d...@pretaweb.com> wrote:
>> Worst case is really bad publicity. But then is it? If it got hacked we'd patch it immediately and patch most systems out there, and we'd explain how that system works in advance. Basically use it to explain how open source increases security and speed of patches. It would also show that we take security seriously.
>>
>> Dylan Jay
>> Technical solution manager
>> PretaWeb 99552830
>>
>> On 27/11/2009, at 2:09 AM, Norman Fournier <nor...@normanfournier.com> wrote:
>>> Hello,
>>>
>>> Worst case scenario. What if we are wrong?
>>>
>>> Some smart punk hacks the Plone and posts the hack or hints somewhere. How many Macs can we afford to give away? How long can we afford to pay lawyers to fight spurious claims in court?
>>>
>>> A risk analysis should be air-tight before any contest is publicized. Even the smallest give-aways are fraught with legal complications, which is why contest legal copy takes so much space on an entry form.
>>>
>>> For me, I am not liking this idea at all. I think there may be more positive ways for Plone to get this message across without exposing the software to a million punk hackers with a goad like both Screw Plone and Win a Mac at the same time!
>>>
>>> My $.02.
>>>
>>> Norman
>>>
>>> On 2009-11-25, at 10:28 PM, Nate Aune wrote:
>>>> I think it's a great idea. Set up a server (perhaps using the Hardening Plone howto below) and let the games begin!
>>>> http://plone.org/documentation/how-to/securing-plone/
>>>>
>>>> Nate
>>>>
>>>> On Wed, Nov 18, 2009 at 11:52 AM, Jan Ulrich Hasecke <juhase...@googlemail.com> wrote:
>>>>> Hi all,
>>>>>
>>>>> what do you think about a hacking contest? We set up a plain Plone site, and whoever hacks it first wins a Mac or a PlayStation or whatever.
>>>>>
>>>>> All exploits must be documented, of course, so that we can fix them.
>>>>>
>>>>> We promote Plone as a secure system and can document it with the CVE entries, but often people say, yeah, but there are a lot fewer installations of Plone than there are of PHP systems, so you cannot compare the figures.
>>>>>
>>>>> So let's challenge the hackers!
>>>>>
>>>>> This could be an online event with a great publicity effect, maybe in the run-up to the World Plone Day.
>>>>>
>>>>> What do you think?
>>>>> juh
>>>>>
>>>>> Jan Ulrich Hasecke
>>>>> (DZUG e.V.)
>>>>>
>>>>> --
>>>>> DZUG e.V. (Deutschsprachige Zope User Group) www.dzug.org www.zope.de
>>>>>
>>>>> _______________________________________________
>>>>> Evangelism mailing list
>>>>> Evangelism@lists.plone.org
>>>>> http://lists.plone.org/mailman/listinfo/evangelism
>>>>
>>>> --
>>>> Nate Aune - na...@jazkarta.com
>>>> http://www.jazkarta.com
>>>> http://card.ly/natea
>>>> +1 (617) 517-4953

--
Jens W. Klein - Klein & Partner KEG - BlueDynamics Alliance