Re: The long tail of ColdFusion fail
Development servers don't need a secure setup if they're not exposed to untrusted networks. Obviously we were not talking about development servers in this thread ;-)

~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358142
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
DevEdit
I'm working on an old CMS and it's using DevEdit as its WYSIWYG. I need to figure out a way to change the configuration but the site is dead, there's no reference of it on the main company's website and Google is being particularly un-helpful.

Does anyone have a copy of the DevEdit Setup guide for version 4 that they could send me?

Yes, I know it's old and abandoned but it's kinda like that ugly dresser you inherited... you just can't stand to get rid of it!

Thanks!

Until Later!
C. Hatton Humphrey

Every cloud does have a silver lining. Sometimes you just have to do some smelting to find it.
Re: DevEdit
http://hesab.net/book/asp.net/devedit_aspnet_demo/DevEditSetupGuideNET.pdf

On Mar 27, 2014, at 10:06 AM, C. Hatton Humphrey chumph...@gmail.com wrote:

I'm working on an old CMS and it's using DevEdit as its WYSIWYG. I need to figure out a way to change the configuration but the site is dead, there's no reference of it on the main company's website and Google is being particularly un-helpful. Does anyone have a copy of the DevEdit Setup guide for version 4 that they could send me? Yes, I know it's old and abandoned but it's kinda like that ugly dresser you inherited... you just can't stand to get rid of it! Thanks! Until Later! C. Hatton Humphrey Every cloud does have a silver lining. Sometimes you just have to do some smelting to find it.
Re: DevEdit
http://web.archive.org/web/20060112162442/http://www.interspire.com/devedit/documentation.php

On Thu, Mar 27, 2014 at 10:12 AM, Jon Clausen jon_clau...@silowebworks.com wrote:

http://hesab.net/book/asp.net/devedit_aspnet_demo/DevEditSetupGuideNET.pdf

On Mar 27, 2014, at 10:06 AM, C. Hatton Humphrey chumph...@gmail.com wrote:

I'm working on an old CMS and it's using DevEdit as its WYSIWYG. I need to figure out a way to change the configuration but the site is dead, there's no reference of it on the main company's website and Google is being particularly un-helpful. Does anyone have a copy of the DevEdit Setup guide for version 4 that they could send me? Yes, I know it's old and abandoned but it's kinda like that ugly dresser you inherited... you just can't stand to get rid of it! Thanks! Until Later! C. Hatton Humphrey Every cloud does have a silver lining. Sometimes you just have to do some smelting to find it.
Re: DevEdit
Sheesh, thanks! I spent more time than I care to admit prying in different ways... I even included archive.org but was using the devedit.com site.

What's sad is that I'm specifically trying to break the rules; I need to add a meta refresh into a content block and this CMS was built with such obscure logic that I figured it would be easier to slip it into a content block. When I try it though, DevEdit is replacing META with InvalidTag.

Thanks again!

Until Later!
C. Hatton Humphrey
http://www.eastcoastconservative.com

Every cloud does have a silver lining. Sometimes you just have to do some smelting to find it.

On Thu, Mar 27, 2014 at 10:14 AM, John M Bliss bliss.j...@gmail.com wrote:

http://web.archive.org/web/20060112162442/http://www.interspire.com/devedit/documentation.php

On Thu, Mar 27, 2014 at 10:12 AM, Jon Clausen jon_clau...@silowebworks.com wrote:

http://hesab.net/book/asp.net/devedit_aspnet_demo/DevEditSetupGuideNET.pdf

On Mar 27, 2014, at 10:06 AM, C. Hatton Humphrey chumph...@gmail.com wrote:

I'm working on an old CMS and it's using DevEdit as its WYSIWYG. I need to figure out a way to change the configuration but the site is dead, there's no reference of it on the main company's website and Google is being particularly un-helpful. Does anyone have a copy of the DevEdit Setup guide for version 4 that they could send me? Yes, I know it's old and abandoned but it's kinda like that ugly dresser you inherited... you just can't stand to get rid of it! Thanks! Until Later! C. Hatton Humphrey Every cloud does have a silver lining. Sometimes you just have to do some smelting to find it.
RE: The long tail of ColdFusion fail
Exactly.

-Original Message-
From: Adam Cameron [mailto:dacc...@gmail.com]
Sent: 26 March 2014 14:27
To: cf-talk
Subject: Re: The long tail of ColdFusion fail

If it only works on localhost *by default*, then this mitigates most of the problem just like that.

-- Adam

On 26 March 2014 14:17, Dave Watts dwa...@figleaf.com wrote:

What I mean is that Adobe recommends that CFIDE should be moved to a safer place, but, after several versions, CFIDE is still installed the same way.

Of course it is. If it were somewhere else, you wouldn't be able to administer CF after an out-of-the-box install. It's up to you to understand how web servers and web applications work, and set it up properly after it's installed.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.
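Added example, not part of the mailing-list thread: the localhost-only point made in the message above can be checked against a web server access log. This Python script flags requests for anything under /CFIDE that did not come from a loopback address; the log lines, client addresses and file names below /CFIDE/ are constructed for illustration, and a combined-format access log is assumed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Common/combined log format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_cfide_path(raw_path):
    """True if the request path resolves to something under /CFIDE."""
    path = raw_path.split("?", 1)[0]          # the query string is not a path
    for _ in range(2):                         # also catch double-encoded forms
        path = unquote(path)
    path = path.replace("\\", "/")
    segments = []
    for seg in path.split("/"):               # collapse "//", "." and ".."
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    # Compare case-insensitively: some web servers ignore case in paths.
    return bool(segments) and segments[0].lower() == "cfide"


def is_loopback(client):
    """True only for 127.0.0.0/8, ::1 and IPv4-mapped loopback addresses."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return False                           # hostname or garbage: not trusted
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:127.0.0.1 -> 127.0.0.1
    if mapped is not None:
        ip = mapped
    return ip.is_loopback


def audit(lines):
    """Return (line_no, client, path, status, verdict) for non-loopback CFIDE hits."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m or not is_cfide_path(m["path"]):
            continue
        if is_loopback(m["client"]):
            continue
        status = int(m["status"])
        # 2xx/3xx means the server answered; 4xx/5xx means it refused or failed.
        verdict = "EXPOSED" if status < 400 else "blocked"
        findings.append((line_no, m["client"], m["path"], status, verdict))
    return findings


# Constructed sample log (documentation-range addresses, placeholder file names).
SAMPLE_LOG = [
    '127.0.0.1 - - [27/Mar/2014:10:00:01 +0000] "GET /CFIDE/sample/page.cfm HTTP/1.1" 200 5120',
    '203.0.113.7 - - [27/Mar/2014:10:02:13 +0000] "GET /cfide/sample/page.cfm HTTP/1.1" 200 5120',
    '198.51.100.23 - - [27/Mar/2014:10:03:40 +0000] "POST /%43FIDE/sample/page.cfm HTTP/1.1" 403 312',
    '203.0.113.7 - - [27/Mar/2014:10:04:02 +0000] "GET /index.cfm?page=/CFIDE/ HTTP/1.1" 200 880',
    '::ffff:127.0.0.1 - - [27/Mar/2014:10:05:00 +0000] "GET /CFIDE/sample/page.cfm HTTP/1.1" 200 5120',
    '198.51.100.23 - - [27/Mar/2014:10:06:30 +0000] "GET /app/../CFIDE//sample/page.cfm HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line_no, client, path, status, verdict in audit(SAMPLE_LOG):
        print(f"line {line_no}: {verdict:8} {client} -> {path} ({status})")
```

Any "EXPOSED" row means the web server served a /CFIDE request to a remote client, so the localhost-only restriction is not in effect for that path.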
Re: The long tail of ColdFusion fail
And that direction on how to secure it more exists where exactly? Is it in the install instructions, or only in some obscure document that a person unfamiliar with the need for security might not know about?

On Wed, Mar 26, 2014 at 9:16 AM, DURETTE, STEVEN J sd1...@att.com wrote:

We can't please everyone and I believe the standard pretty much everywhere is install open with lockdown options and give direction on how to secure it more.
Re: The long tail of ColdFusion fail
On Thu, Mar 27, 2014 at 8:12 PM, Maureen mamamaur...@gmail.com wrote:

And that direction on how to secure it more exists where exactly? Is it in the install instructions, or only in some obscure document that a person unfamiliar with the need for security might not know about?

So to be clear - there are people installing servers who don't know that security is important? Nothing can help them. I don't know about you - but pretty much *any* tech I use, I know to google foo security to see what resources exist for securing the app, install, etc.

Number one result for coldfusion security was http://www.adobe.com/devnet/coldfusion/security.html
Re: The long tail of ColdFusion fail
Sadly quite common, sysadmins and hosting companies even do it. The reason is because they think it works in the same way as cgi scripts and is locked down by the same rules that php et al are, which is not the case because it runs as a service not a process.

Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com

On 28 Mar 2014 01:52, Raymond Camden raymondcam...@gmail.com wrote:

On Thu, Mar 27, 2014 at 8:12 PM, Maureen mamamaur...@gmail.com wrote:

And that direction on how to secure it more exists where exactly? Is it in the install instructions, or only in some obscure document that a person unfamiliar with the need for security might not know about?

So to be clear - there are people installing servers who don't know that security is important? Nothing can help them. I don't know about you - but pretty much *any* tech I use, I know to google foo security to see what resources exist for securing the app, install, etc. Number one result for coldfusion security was http://www.adobe.com/devnet/coldfusion/security.html
Re: The long tail of ColdFusion fail
Yes Raymond, in the world I live in where I often have to go in and clean up a mess made by inexperienced developers or the client's nerdy nephew, there are people who are unaware that extra server lock down would be necessary. There are also noobs who get hired at web hosting companies who don't know that servers need to be hardened, and install anything that looks shiny without understanding what they are doing. The existence of so many website vulnerabilities due to people who don't know what they are doing installing or supporting servers is proof positive of this.

Paying attention to the requirement to inform these people about the need for extra lock down early in the process would be more effective in solving the problem than Adobe employees and evangelists ignoring the fact that these people exist and doing nothing more than yelling Rah, Rah, Adobe as if the company had no place in the solution.

On Thu, Mar 27, 2014 at 6:52 PM, Raymond Camden raymondcam...@gmail.com wrote:

On Thu, Mar 27, 2014 at 8:12 PM, Maureen mamamaur...@gmail.com wrote:

And that direction on how to secure it more exists where exactly? Is it in the install instructions, or only in some obscure document that a person unfamiliar with the need for security might not know about?

So to be clear - there are people installing servers who don't know that security is important? Nothing can help them. I don't know about you - but pretty much *any* tech I use, I know to google foo security to see what resources exist for securing the app, install, etc. Number one result for coldfusion security was http://www.adobe.com/devnet/coldfusion/security.html
Re: The long tail of ColdFusion fail
Ray,

Yes that is pretty much the case. I spend a lot of my time cleaning up and securing servers that have been left unsecured. It happens all the time. I do more server work than code these days.

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

On Mar 27, 2014, at 8:52 PM, Raymond Camden raymondcam...@gmail.com wrote:

On Thu, Mar 27, 2014 at 8:12 PM, Maureen mamamaur...@gmail.com wrote:

And that direction on how to secure it more exists where exactly? Is it in the install instructions, or only in some obscure document that a person unfamiliar with the need for security might not know about?

So to be clear - there are people installing servers who don't know that security is important? Nothing can help them. I don't know about you - but pretty much *any* tech I use, I know to google foo security to see what resources exist for securing the app, install, etc. Number one result for coldfusion security was http://www.adobe.com/devnet/coldfusion/security.html
Re: The long tail of ColdFusion fail
Paying attention to the requirement to inform these people about the need for extra lock down early in the process would be more effective in solving the problem than Adobe employees and evangelists ignoring the fact that these people exist and doing nothing more than yelling

Um... who exactly is ignoring these people? You may argue the CF team should do *more*, but they are not *ignoring* anyone. The Secure Profile was a *big* step to try to help lock things down out of the box. Hiring Pete to write a guide, and hosting it, on *additional* steps was good too imo. Can even more be done - maybe so. I'd like the installer to point to the lock down guide so folks know it exists.

Rah, Rah, Adobe as if the company had no place in the solution.

As if Adobe hasn't at least made an effort - oh wait - they did.

Users must take some responsibility too, Maureen. You can't put it all on Adobe's shoulders here. If you let your nephew install a server and don't bother to double check his work, that is *your* fault, no one else.
Re: The long tail of ColdFusion fail
Ray,

Probably not...

Other people should also remember that not everyone spends time online in groups, they are 9 to 5 developers who have a life. These are the people who set these things up, these are the people that aren't being reached.

Can more be done, don't think so.

Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Fri, Mar 28, 2014 at 1:43 PM, Raymond Camden raymondcam...@gmail.com wrote:

Paying attention to the requirement to inform these people about the need for extra lock down early in the process would be more effective in solving the problem than Adobe employees and evangelists ignoring the fact that these people exist and doing nothing more than yelling

Um... who exactly is ignoring these people? You may argue the CF team should do *more*, but they are not *ignoring* anyone. The Secure Profile was a *big* step to try to help lock things down out of the box. Hiring Pete to write a guide, and hosting it, on *additional* steps was good too imo. Can even more be done - maybe so. I'd like the installer to point to the lock down guide so folks know it exists.

Rah, Rah, Adobe as if the company had no place in the solution.

As if Adobe hasn't at least made an effort - oh wait - they did.

Users must take some responsibility too, Maureen. You can't put it all on Adobe's shoulders here. If you let your nephew install a server and don't bother to double check his work, that is *your* fault, no one else.
Re: The long tail of ColdFusion fail
If securing your server is considered extra curricular activity - ie stuff you would do at a user group - then your priorities are way out of whack. (I mean you in general, not you specifically Andrew. ;)

On Thu, Mar 27, 2014 at 9:46 PM, Andrew Scott andr...@andyscott.id.au wrote:

Ray,

Probably not... Other people should also remember that not everyone spends time online in groups, they are 9 to 5 developers who have a life. These are the people who set these things up, these are the people that aren't being reached. Can more be done, don't think so.

Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Fri, Mar 28, 2014 at 1:43 PM, Raymond Camden raymondcam...@gmail.com wrote:

Paying attention to the requirement to inform these people about the need for extra lock down early in the process would be more effective in solving the problem than Adobe employees and evangelists ignoring the fact that these people exist and doing nothing more than yelling

Um... who exactly is ignoring these people? You may argue the CF team should do *more*, but they are not *ignoring* anyone. The Secure Profile was a *big* step to try to help lock things down out of the box. Hiring Pete to write a guide, and hosting it, on *additional* steps was good too imo. Can even more be done - maybe so. I'd like the installer to point to the lock down guide so folks know it exists.

Rah, Rah, Adobe as if the company had no place in the solution.

As if Adobe hasn't at least made an effort - oh wait - they did.

Users must take some responsibility too, Maureen. You can't put it all on Adobe's shoulders here. If you let your nephew install a server and don't bother to double check his work, that is *your* fault, no one else.
Re: The long tail of ColdFusion fail
Honestly if these people are living under their cubicle desk then I have no clue how to get their attention. It's not as if no one is talking about ColdFusion security and certainly not as if the main stream news media is reporting security breaches. If someone chooses to stay uninformed there isn't much anyone can do to wake them up.

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

On Mar 27, 2014, at 9:46 PM, Andrew Scott andr...@andyscott.id.au wrote:

Ray,

Probably not... Other people should also remember that not everyone spends time online in groups, they are 9 to 5 developers who have a life. These are the people who set these things up, these are the people that aren't being reached. Can more be done, don't think so.

Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Fri, Mar 28, 2014 at 1:43 PM, Raymond Camden raymondcam...@gmail.com wrote:

Paying attention to the requirement to inform these people about the need for extra lock down early in the process would be more effective in solving the problem than Adobe employees and evangelists ignoring the fact that these people exist and doing nothing more than yelling

Um... who exactly is ignoring these people? You may argue the CF team should do *more*, but they are not *ignoring* anyone. The Secure Profile was a *big* step to try to help lock things down out of the box. Hiring Pete to write a guide, and hosting it, on *additional* steps was good too imo. Can even more be done - maybe so. I'd like the installer to point to the lock down guide so folks know it exists.

Rah, Rah, Adobe as if the company had no place in the solution.

As if Adobe hasn't at least made an effort - oh wait - they did.

Users must take some responsibility too, Maureen. You can't put it all on Adobe's shoulders here. If you let your nephew install a server and don't bother to double check his work, that is *your* fault, no one else.
Re: The long tail of ColdFusion fail
Yea well I agree Ray, but they are also the people getting cheap VPS's and not securing their servers too.

What we can do, I am not sure there is any more than what is being done...

Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Fri, Mar 28, 2014 at 1:54 PM, Raymond Camden raymondcam...@gmail.com wrote:

If securing your server is considered extra curricular activity - ie stuff you would do at a user group - then your priorities are way out of whack. (I mean you in general, not you specifically Andrew. ;)

On Thu, Mar 27, 2014 at 9:46 PM, Andrew Scott andr...@andyscott.id.au wrote:

Ray,

Probably not... Other people should also remember that not everyone spends time online in groups, they are 9 to 5 developers who have a life. These are the people who set these things up, these are the people that aren't being reached. Can more be done, don't think so.

Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Fri, Mar 28, 2014 at 1:43 PM, Raymond Camden raymondcam...@gmail.com wrote:

Paying attention to the requirement to inform these people about the need for extra lock down early in the process would be more effective in solving the problem than Adobe employees and evangelists ignoring the fact that these people exist and doing nothing more than yelling

Um... who exactly is ignoring these people? You may argue the CF team should do *more*, but they are not *ignoring* anyone. The Secure Profile was a *big* step to try to help lock things down out of the box. Hiring Pete to write a guide, and hosting it, on *additional* steps was good too imo. Can even more be done - maybe so. I'd like the installer to point to the lock down guide so folks know it exists.

Rah, Rah, Adobe as if the company had no place in the solution.

As if Adobe hasn't at least made an effort - oh wait - they did.

Users must take some responsibility too, Maureen. You can't put it all on Adobe's shoulders here. If you let your nephew install a server and don't bother to double check his work, that is *your* fault, no one else.
Re: The long tail of ColdFusion fail
same...

I have in my years been at job interviews with people who have programmed CF for as long as I have, but have never heard of them before the interview.

Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Fri, Mar 28, 2014 at 1:57 PM, Wil Genovese jugg...@trunkful.com wrote:

Honestly if these people are living under their cubicle desk then I have no clue how to get their attention. It's not as if no one is talking about ColdFusion security and certainly not as if the main stream news media is reporting security breaches. If someone chooses to stay uninformed there isn't much anyone can do to wake them up.

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com
Re: The long tail of ColdFusion fail
Of course users should take responsibility. But corporations have a responsibility to their users to inform them as well. We are all aware that those managing servers SHOULD be knowledgeable and competent, however in the real world, that is not always the case and never will be. So dealing with the worst case scenario is necessary for most of us because ignoring reality doesn't get the job done.

If your mission is to present a good image of the company you work for, you might want to reconsider the attack posture you present here each time someone says anything negative or questions the procedures that Adobe uses. It is not helpful. A much better tactic might be to consider the suggestions for improvement as valuable instead of constantly dismissing them out of hand.

On Thu, Mar 27, 2014 at 7:43 PM, Raymond Camden raymondcam...@gmail.com wrote:

Users must take some responsibility too, Maureen. You can't put it all on Adobe's shoulders here. If you let your nephew install a server and don't bother to double check his work, that is *your* fault, no one else.
Re: The long tail of ColdFusion fail
Honestly, if you are selling a software product that requires additional lock down after installation, you might could get the attention of those hiding in their cubicle by putting a large notice of such at the beginning of the installation instructions. No one should have to find out about software security issues from CNN.

On Thu, Mar 27, 2014 at 7:57 PM, Wil Genovese jugg...@trunkful.com wrote:

Honestly if these people are living under their cubicle desk then I have no clue how to get their attention. It's not as if no one is talking about ColdFusion security and certainly not as if the main stream news media is reporting security breaches. If someone chooses to stay uninformed there isn't much anyone can do to wake them up.
Re: The long tail of ColdFusion fail
On Thu, Mar 27, 2014 at 10:09 PM, Maureen mamamaur...@gmail.com wrote:

Of course users should take responsibility. But corporations have a responsibility to their users to inform them as well. We are all aware that those managing servers SHOULD be knowledgeable and competent, however in the real world, that is not always the case and never will be. So dealing with the worst case scenario is necessary for most of us because ignoring reality doesn't get the job done.

Right - but you said Adobe was ignoring this. Please back your statement up. I said the CF team could possibly do more. But I do not agree that they are ignoring the issue.

If your mission is to present a good image of the company you work for, you might want to reconsider the attack posture you present here each time someone says anything negative or questions the procedures that Adobe uses. It is not helpful. A much better tactic might be to consider the suggestions for improvement as valuable instead of constantly dismissing them out of hand.

A position that does not agree with you is not one of attack. Also - I do not blindly defend Adobe. I've got a *huge* history of reporting bugs, making suggestions, and generally trying to make CF a better product. If I thought the CF team was perfect then I wouldn't be trying to help improve it.

On Thu, Mar 27, 2014 at 7:43 PM, Raymond Camden raymondcam...@gmail.com wrote:

Users must take some responsibility too, Maureen. You can't put it all on Adobe's shoulders here. If you let your nephew install a server and don't bother to double check his work, that is *your* fault, no one else.
Re: The long tail of ColdFusion fail
As has been explained *multiple* times, there is no one solution (in terms of settings) that will work for everyone. Therefore there must be some position made where the software says, I'll lock down A and B, but I don't think I can *always* lock C.

I *do* think that at the end of the installation, linking to the lock down guide would be useful.

On Thu, Mar 27, 2014 at 10:12 PM, Maureen mamamaur...@gmail.com wrote:

Honestly, if you are selling a software product that requires additional lock down after installation, you might could get the attention of those hiding in their cubicle by putting a large notice of such at the beginning of the installation instructions. No one should have to find out about software security issues from CNN.

On Thu, Mar 27, 2014 at 7:57 PM, Wil Genovese jugg...@trunkful.com wrote:

Honestly if these people are living under their cubicle desk then I have no clue how to get their attention. It's not as if no one is talking about ColdFusion security and certainly not as if the main stream news media is reporting security breaches. If someone chooses to stay uninformed there isn't much anyone can do to wake them up.
Re: The long tail of ColdFusion fail
Only if it was flashing in huge red letters with the BLINK tag. Then again, some will still miss that. :)

On Mar 27, 2014, at 10:16 PM, Raymond Camden raymondcam...@gmail.com wrote:

I *do* think that at the end of the installation, linking to the lock down guide would be useful.

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com
Re: The long tail of ColdFusion fail
Don't get me started on the cheap clients, who want to have full control of the server, which means their own. But will not pay for anyone to manage it.

Do you know how many jobs I have rejected like that :-)

Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Fri, Mar 28, 2014 at 2:09 PM, Maureen mamamaur...@gmail.com wrote:

Of course users should take responsibility. But corporations have a responsibility to their users to inform them as well. We are all aware that those managing servers SHOULD be knowledgeable and competent, however in the real world, that is not always the case and never will be. So dealing with the worst case scenario is necessary for most of us because ignoring reality doesn't get the job done.

If your mission is to present a good image of the company you work for, you might want to reconsider the attack posture you present here each time someone says anything negative or questions the procedures that Adobe uses. It is not helpful. A much better tactic might be to consider the suggestions for improvement as valuable instead of constantly dismissing them out of hand.

On Thu, Mar 27, 2014 at 7:43 PM, Raymond Camden raymondcam...@gmail.com wrote:

Users must take some responsibility too, Maureen. You can't put it all on Adobe's shoulders here. If you let your nephew install a server and don't bother to double check his work, that is *your* fault, no one else.
Re: The long tail of ColdFusion fail
And how many people have we helped who have updated their CF 10 install, then start asking for help because their cgi scope is broken... Who have not read the message to update their connectors!!

Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Fri, Mar 28, 2014 at 2:18 PM, Wil Genovese jugg...@trunkful.com wrote:

Only if it was flashing in huge red letters with the BLINK tag. Then again, some will still miss that. :)

On Mar 27, 2014, at 10:16 PM, Raymond Camden raymondcam...@gmail.com wrote:

I *do* think that at the end of the installation, linking to the lock down guide would be useful.

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com