I think it's a weak assumption that these two sites would have a 'live' Plone site. Although it is possible, I would think that, due to some of the security and performance benefits, and since we see '.htm' or '.html' URIs and no evidence of Zope in the response headers, it's likely these security-conscious organizations are using some sort of 'static deployment' strategy, as we've discussed at: http://www.coactivate.org/projects/plone-static-publishing/summary
The Plone Static Publishing project on coactivate that I provided the link to above has had some discussion recently about a product called enpraxis.staticsite, although this seems like a young, immature product and so is less likely to be active on these two sites. Instead, one of the options that has existed for some time - CMFDeployment or custom wget scripting - was probably used. A static deployment strategy such as this would greatly increase security for a site, since there is no Zope/database/dynamic functionality or open ports between front-end and back-end servers/services to worry about, and there are fewer moving parts in general to worry about, besides the web (httpd) server.

As for the hacking contest, here are some thoughts:

a) I'm in favor of having a contest that allows Plone integrators listed on plone.net to be involved, rather than all script kiddies in the world - maybe have one that is open to the world at a later date.

b) There would need to be some very specific rules that ensure that the found vulnerabilities must be in the Zope/Plone code bits and not Apache, Varnish, lighttpd, nginx, Squid, or some of the other front-end web servers/proxies used to get to Plone site content. While it's still valuable to know about those types of vulnerabilities, our contest would need to be focused on code managed by the Plone community and not others, and the inclusion of web servers/proxies would make the contest pretty unwieldy to manage (whose favorite front-end do you set up for the test environment?).

c) I think that Mark's concern over seeming cavalier can be mitigated through thoughtful communication/messaging. We wouldn't want to put a banner ad out taunting script kiddies to just hack away - we dare you! Instead, we could:
   a) do our own internal hacking, document findings, open tickets, and address them, and then
   b) advertise the ongoing efforts by the Plone community in ensuring the security of Plone and invite 'white hat' hacker groups to register for the external hacking contest, assign a limited time period that the environment will be available for hacking, and give away whatever prize is determined.

d) Plenty of hackers aren't going to want a Mac. Some are just as suspicious of Apple or Google as they are of Microsoft, so perhaps some prize options could be listed.

e) Another option we could consider, rather than a wild, wild west contest, would be to invite 3-5 professional security assessment firms to hack and post findings. In return, they'll get some free advertising on plone.org and anywhere there are press releases done with the contest and results announcements.

-Ken

Karl Horak [via Plone] wrote:
> Just tossing my 2 cents worth in here -- if there were any Plone sites
> in the world that hackers were already targeting, it would be FBI and
> CIA. I'm sure we would have heard of any failure there.
>
> Meanwhile, I think the Foundation should sponsor a system of
> clandestine honeypots out there and monitor them religiously.
>
> Save the $$ on the Mac and pay Mark to get the msg out to the
> professional CMS reviewers.
>
> Karl
>
> Mark A Corum wrote:
> > If Plone had previously been weak on security, and had gotten its act
> > together, this might make sense. But in reality -- where Plone is a
> > VERY secure system with a long-term record of protecting sites and
> > data -- this kind of circus stunt is not a good idea.
> >
> > Mark
--
View this message in context: http://n2.nabble.com/Hack-Plone-Win-a-Mac-tp4027160p4077534.html
Sent from the Evangelism mailing list archive at Nabble.com.

_______________________________________________
Evangelism mailing list
Evangelism@lists.plone.org
http://lists.plone.org/mailman/listinfo/evangelism