Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail
Why would you try to stifle people's conversation? That's not like you. I'm still getting stuff (read: thought exercises) from all the content on this thread. If you personally don't like this thread, maybe take responsibility for your own situation and filter it out, rather than trying to force your will on other people.

-- 
Adam

Steve 'Cutter' Blades <cold.fus...@cutterscrossing.com> wrote:

> Good Gawd! Some of you are like a dog with a bone. The facts:
>
> 1) Something Happened
> 2) It Got Publicized
> 3) There Are A Lot of Ticked Off People
>
> We can debate who is at fault until we are blue in the face. The fact of the matter is, all of it is in the past. We can not change the past. Adobe (the CF product team) is aware of everyone's concerns, and are evaluating strategy *for the future*. You have all said your piece here, in the very public openness of the web, where Google will pick it up and run, and allow the naysayers to say "see, even their own community..."
>
> Review the install of the now public beta. Write down a list of faults/suggestions. Go file it in the bug report tool. Let everyone know that it's there for vote and comment. Everyone then go vote and comment. If you do it right, and you give it full court press, maybe we can get at least a partial response before they take the server to full product. I promise you that it is a much more valuable use of your time, and your valid, constructive criticism might actually get met with an official response and/or action.
>
> Now, you are welcome to flame me here, but *I* promise *you*, you will just be wasting keystrokes. Spend 'em in the bug tracker.
>
> Steve 'Cutter' Blades
> Adobe Community Professional
> Adobe Certified Expert
> Advanced Macromedia ColdFusion MX 7 Developer
> http://cutterscrossing.com
> Co-Author "Learning Ext JS 3.2", Packt Publishing 2010
> https://www.packtpub.com/learning-ext-js-3-2-for-building-dynamic-desktop-style-user-interfaces/book
> "The best way to predict the future is to help create it"

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358238
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail
Thanx... I was doing a fine job staying out of this, then you had to drag me in... :P

On Fri, Mar 28, 2014 at 5:12 PM, Justin Scott <leviat...@darktech.org> wrote:

> OMG! You mean ColdFusion 11 is public? :P
>
> I'm hearing Stroz in the back of my head... "10.5! 10.5!"
>
> Have a great weekend!
>
> -Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358239
RE: The long tail of ColdFusion fail
So cost has nothing to do with it. How enlightening, as ever.

-----Original Message-----
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: 28 March 2014 17:52
To: cf-talk
Subject: Re: The long tail of ColdFusion fail

>> sure something may break by being locked down, but as I said earlier, you have 2 choices..
>>
>> 1. out of the box install, not secure, but your site works just fine.. So nothing to learn unless you choose to. User continues in blissful ignorance.
>>
>> 2. out of the box, locked down and secure, but site may break, so you have to learn something about CF security to get it working. Learning is required and not optional, user has now learnt something new and has a secure system.
>>
>> surely this is a no brainer.
>
> This explains why absolutely no one uses Windows web servers. After all, that's how Unix web servers always worked, pretty much. You had to know what you were doing to get them working. I can see now why Windows never got any market share. (note: this is not an endorsement of one or the other, just an observation)
>
> Dave Watts, CTO, Fig Leaf Software
> 1-202-527-9569
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358222
RE: The long tail of ColdFusion fail
Dave, I am curious. Have you ever, even once, changed your mind because of what someone has told you?

-----Original Message-----
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: 28 March 2014 18:07
To: cf-talk
Subject: Re: The long tail of ColdFusion fail

>> if you think no-one uses Windows web servers then you are wrong, very wrong.
>
> Uh, yeah, I know that. That was my point.
>
>> It would seem you also think that Windows is not locked down by default, that may have been true once upon a time, but is no longer the case and hasn't been for many years. Certainly since Windows Server 2008, you must specifically choose which roles to install, everything is not installed by default, the firewall is also installed and enabled by default with only the basic required services allowed through and networking is also disabled.
>
> I guess you can interpret "many years" however you like, but the simple fact is, from the beginning and through the majority of the lifespan of Windows servers, this was not the default. And I don't think Windows would have been nearly as popular for servers if it had started out that way. The fact that things worked by default gave Windows market share.
>
> Dave Watts, CTO, Fig Leaf Software

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358223
RE: The long tail of ColdFusion fail
From what I have learnt from this thread so far, Adobe has actually got worse.

-----Original Message-----
From: Claude Schnéegans [mailto:schneeg...@internetique.com]
Sent: 28 March 2014 18:10
To: cf-talk
Subject: Re: The long tail of ColdFusion fail

>> It's Microsoft's approach ... now. But it took them a long time to get there.
>
> You're probably right. The point here is that it is taking Adobe even longer.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358224
RE: The long tail of ColdFusion fail
-----Original Message-----
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: 28 March 2014 18:41
To: cf-talk
Subject: Re: The long tail of ColdFusion fail

> I've got bad news for you. Stick this in Google: "[product] default vulnerability" and prepare to be amazed. Some suggestions: PHP, IIS, Apache. Not all allow remote users to execute arbitrary code, but plenty do.

I get it. Because other technologies and applications are bad it's fine for CF to be bad, too. Regardless of how much we have to pay for it.

> I submit to you that it should not be surprising that products explicitly designed for security purposes, like firewalls and VPNs, will be expected to be secure by default.

"I submit to you", LOL. Awesome. So, a business invests in all of the security available, such as firewalls, only to have CF open the gates. What a brilliant piece of logic. I submit to you, that's screwed up.

>> The notion that it's the sys admin's fault if a product installs in an unsecure way beggars belief.
>
> No, that's not the sysadmins' fault. But leaving a product at the default install state on an untrusted network - that IS the sysadmins' fault. How is a sysadmin going to make sure that the developers' applications are secured properly, if he doesn't know enough to secure the one web application that's packaged with the product?

The long list of security measures that have to take place after a standard CF install is ridiculous. Believe it or not, sys admins have better things to do with their time.

Dave, I suggest you wander down to your corporate IT department and offer to help them out for a few days so you get a taste of reality.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358225
RE: The long tail of ColdFusion fail
+1

-----Original Message-----
From: Russ Michaels [mailto:r...@michaels.me.uk]
Sent: 28 March 2014 20:42
To: cf-talk
Subject: Re: The long tail of ColdFusion fail

> A locked door is useless if you leave the windows open.
>
> Russ Michaels
> www.michaels.me.uk
> cfmldeveloper.com
> cflive.net
> cfsearch.com
>
> On 28 Mar 2014 19:09, Dave Watts <dwa...@figleaf.com> wrote:
>
>>> I also once had a client who did this, they were Linux heads who thought that hiding the sucky insecure windows/cf server behind a linux server and doing a reverse proxy would make it secure.
>>
>> There is no such thing as "make it secure", of course. But it is more secure. It solves one specific security problem - preventing executable code from being directly accessed from an untrusted network.
>>
>>> But of course it didn't as everything still works the same way, the SQL injections still got through, the insecure file upload forms still allowed files to be uploaded, which could then be executed as they had cfexecute and cfregistry enabled.
>>
>> So what you're saying is that, despite the fact that the environment was (more) secure by default, developers accidentally wrote exploitable code? I have the feeling there's some lesson to be drawn from this. I wonder what it is?
>>
>> Dave Watts, CTO, Fig Leaf Software

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358226
Re: The long tail of ColdFusion fail
Yeah, Dave. Haven't you "learnt" anything?

On 3/29/14, 8:38 AM, Jenny Gavin-Wear <jenn...@fasttrackonline.co.uk> wrote:

> Dave, I am curious. Have you ever, even once, changed your mind because of what someone has told you?
>
> [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358227
Re: The long tail of ColdFusion fail
> Dave, I am curious. Have you ever, even once, changed your mind because of what someone has told you?

Since you ask, sure, all the time. I respond to evidence and logic. I just don't think those two things support your position as strongly as you think they do.

Dave Watts, CTO, Fig Leaf Software

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358228
Re: The long tail of ColdFusion fail
> I also once had a client who did this, they were Linux heads who thought that hiding the sucky insecure windows/cf server behind a linux server and doing a reverse proxy would make it secure.

There is no such thing as "make it secure", of course. But it is more secure. It solves one specific security problem - preventing executable code from being directly accessed from an untrusted network.

> But of course it didn't as everything still works the same way, the SQL injections still got through, the insecure file upload forms still allowed files to be uploaded, which could then be executed as they had cfexecute and cfregistry enabled.

So what you're saying is that, despite the fact that the environment was (more) secure by default, developers accidentally wrote exploitable code? I have the feeling there's some lesson to be drawn from this. I wonder what it is?

> A locked door is useless if you leave the windows open.

I think we might be in agreement! But maybe for different reasons.

Setting up application servers to be secure is hard. Ensuring that application code doesn't contain vulnerabilities is hard. And you're not going to be able to solve security problems with an installer. People need to know what they're doing. They need to have a base level of competence at their jobs. No installer in the world is going to idiot-proof web applications.

Dave Watts, CTO, Fig Leaf Software

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358229
Re: The long tail of ColdFusion fail
I don't think anyone has said that the CF installer should magically secure their applications, this is a whole different issue and no blame can be laid at Adobe's feet or the installer for poorly written code.

On Sat, Mar 29, 2014 at 2:23 PM, Dave Watts <dwa...@figleaf.com> wrote:

> [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358233
Re: The long tail of ColdFusion fail
>> I've got bad news for you. Stick this in Google: "[product] default vulnerability" and prepare to be amazed. Some suggestions: PHP, IIS, Apache. Not all allow remote users to execute arbitrary code, but plenty do.
>
> I get it. Because other technologies and applications are bad it's fine for CF to be bad, too. Regardless of how much we have to pay for it.

I don't think those other technologies and applications are bad. I do think that the very act of exposing a service that lets anybody in the world execute code on my server is inherently dangerous - because it is.

Let's assume, for the sake of argument, that CF 11 comes out with absolutely no vulnerabilities in the CF Administrator. Would you then think it's ok to expose it to the public? Because it's not. It's a management console. You don't expose management consoles to the public. But it's also a web application - it has to be deployed on your web server. I trust myself to configure that web server. I don't trust Adobe to have the magical install settings to do that for me, while not interfering with other things I'm using that web server for.

>> I submit to you that it should not be surprising that products explicitly designed for security purposes, like firewalls and VPNs, will be expected to be secure by default.
>
> "I submit to you", LOL. Awesome. So, a business invests in all of the security available, such as firewalls, only to have CF open the gates. What a brilliant piece of logic. I submit to you, that's screwed up.

If you think that just buying products without learning how to use them is equal to "invests in all the security available", you are wrong. Security is people and processes, not just products. If you could just buy security as a product, there would be at least one very rich company selling that product.

>>> The notion that it's the sys admin's fault if a product installs in an unsecure way beggars belief.
>>
>> No, that's not the sysadmins' fault. But leaving a product at the default install state on an untrusted network - that IS the sysadmins' fault. How is a sysadmin going to make sure that the developers' applications are secured properly, if he doesn't know enough to secure the one web application that's packaged with the product?
>
> The long list of security measures that have to take place after a standard CF install is ridiculous. Believe it or not, sys admins have better things to do with their time.

The long list of security measures is a list rather than an automated script because not everything in that list applies to every install. If your job is to administer a given system, you do not have anything better to do with your time than to learn how that system works. That is your job.

> Dave, I suggest you wander down to your corporate IT department and offer to help them out for a few days so you get a taste of reality.

Reality, like good ale, is often bitter. My reality is that I work with corporate IT departments around the world helping them to deploy their systems - some CF, and many others as well. And deploying these systems is often difficult and complicated. Security is difficult. That's the way it is.

If you're exposing an application server to an untrusted network, that should scare the living shit out of you. It scares me every time. An application server is explicitly designed to allow remote code execution on your system. This is inherently dangerous. If you honestly think it should be point and click and walk away, you are in the wrong business.

If you can't be bothered to learn how to secure the one web application that ships with CF - the one that is used to manage CF, and by default requires a simple password for access - how are you going to secure the applications your developers build? It's not like securing this web application is very hard, either - but there are enough variations in how you might do it that it's unreasonable to expect Adobe to do it for you.

For example, I typically do it by following a simple four-step process:

1. install using the built-in web server on the non-standard port it uses by default
2. connect the "real" web server after the install using wsconfig
3. configure that web server to disallow requests to URLs containing /CFIDE/administrator/
4. limit access to the non-standard port (maybe using network access controls, maybe by configuring the built-in web server to only allow connections from specific IP addresses, maybe both)

But that approach isn't going to work for all installs.

Dave Watts, CTO, Fig Leaf Software
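Steps 3 and 4 of the four-step process above, modelled as an added example (not code from the original post, and not ColdFusion's or any web server's own configuration): the public web server's deny rule for the CF Administrator, evaluated on a normalised path, and the built-in server's client allow-list for the non-standard port. The function names, the trusted network 10.0.5.0/24 and the sample requests are assumptions constructed here.

```python
"""Model of the two access-control decisions in the lockdown sequence above.

Step 3: the public web server refuses every request that resolves to
/CFIDE/administrator/.  Step 4: the built-in web server on its non-standard
port answers only trusted client addresses.  Both rules are plain functions
so they can be checked against constructed requests; the trusted network and
the sample requests are assumptions, not values from the thread.
"""
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Prefix compared after normalisation (lower-case, no trailing slash).
ADMIN_PREFIX = "/cfide/administrator"

# Assumed management network plus the loopback address used during install.
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24"),
                ipaddress.ip_network("127.0.0.1/32")]


def normalize_path(raw_path: str) -> str:
    """Canonical, lower-cased form of a request path.

    A deny rule must be evaluated on the path the engine will resolve, not on
    the bytes the client sent: percent-escapes are decoded (twice, to undo
    double encoding), the query string is dropped, repeated slashes and
    '.'/'..' segments are collapsed, and the result is case-folded because
    the Windows file system the engine serves from is case-insensitive.
    """
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    path = re.sub(r"/+", "/", path)
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path).lower()


def is_admin_console(raw_path: str) -> bool:
    """True when the request resolves into the CF Administrator directory."""
    path = normalize_path(raw_path)
    return path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")


def public_server_decision(raw_path: str) -> int:
    """Step 3: HTTP status the public web server returns for a request path."""
    return 403 if is_admin_console(raw_path) else 200


def builtin_server_decision(client_ip: str) -> int:
    """Step 4: the built-in server rejects any client outside TRUSTED_NETS.

    The restriction applies to the whole port, so the path is irrelevant here.
    """
    addr = ipaddress.ip_address(client_ip)
    return 200 if any(addr in net for net in TRUSTED_NETS) else 403


def audit(requests):
    """Evaluate (client_ip, path) pairs against both servers.

    Returns {(ip, path): (public_status, builtin_status)} so an operator can
    confirm the public side never serves the console while trusted admins
    still reach it through the non-standard port.
    """
    return {(ip, path): (public_server_decision(path), builtin_server_decision(ip))
            for ip, path in requests}


# Constructed requests: an ordinary page, the console path in the spellings a
# case-insensitive file system resolves identically, and an unrelated asset.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "/index.cfm?page=home"),
    ("203.0.113.7", "/CFIDE/administrator/index.cfm"),
    ("203.0.113.7", "/cfide/Administrator/"),
    ("203.0.113.7", "/CFIDE/administrator%2Findex.cfm"),
    ("203.0.113.7", "/images/../CFIDE//administrator/"),
    ("203.0.113.7", "/CFIDE/scripts/ajax/package.js"),
    ("10.0.5.20", "/CFIDE/administrator/index.cfm"),
]

if __name__ == "__main__":
    for (ip, path), (public, builtin) in audit(SAMPLE_REQUESTS).items():
        print(f"{ip:>13} {path:<40} public={public} builtin={builtin}")
```

Only the console directory is denied on the public side; other /CFIDE/ assets such as the scripts folder still return 200, exactly as step 3 states.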
RE: The long tail of ColdFusion fail
Correcting the installer won't solve all problems, but it should not be the CAUSE of problems.

"Hey sys admin, I'm going to make your day! Here's an app which we KNOW has security issues and requires a lot of maintenance. You're going to have to become an expert in this new technology, invest even more time patching it and discover security leaks you won't even be informed about, it'll be your job to tell the app vendor about that, too! In addition, the company that produces the application got hacked recently and the hackers got a lot of user data. But we developers, we're not worried about this because if our server gets hacked (through widely published methods well known by the hacker community), it's all YOUR fault! I mean, it's not like you've got anything better to do, is it?"

*sound of running feet and screaming*

-----Original Message-----
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: 29 March 2014 14:23
To: cf-talk
Subject: Re: The long tail of ColdFusion fail

> [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358235
Re: The long tail of ColdFusion fail
> Correcting the installer won't solve all problems, but it should not be the CAUSE of problems

The installer is installing an application server. Again, this is inherently dangerous, period, end of story. This particular installer sets up a web application that is needed to configure the server, and has to immediately function in order to complete the installation process. The web application is the source of nearly every CF vulnerability, and has been for many years. In addition, it's very easy to install that web application securely with just a little bit of knowledge, as I outlined previously.

And hey! If you install CF 10 today, it gives you a little checkbox called "Secure Profile" which does exactly what you want! (Assuming that what you want is to limit access to the CF Administrator, disable RDS, require a complex password, disable debugging and detailed error messages, etc, etc.) I'm still not going to rely on that to secure access to CF Administrator, because I prefer to simply block access to it entirely from untrusted networks. But it seems to solve the specific problem you're complaining about.

So, honestly, I'm not really sure what you're going on about, other than "administrators shouldn't be bothered to learn what they're doing".

> Hey sys admin, I'm going to make your day! Here's an app which we KNOW has security issues and requires a lot of maintenance. You're going to have to become an expert in this new technology, invest even more time patching it and discover security leaks you won't even be informed about, it'll be your job to tell the app vendor about that, too!

Well, honestly, if you set it up correctly in the first place and followed the instructions in the lockdown guide where appropriate, you actually wouldn't have to worry nearly as much about patches. Given that the vast majority of CF vulnerabilities are in the CF Administrator specifically, if you configure access to that correctly you don't have to become an expert, spend a lot of time patching, or discovering security leaks. The same is true for EVERY PIECE OF SOFTWARE YOU EXPOSE TO UNTRUSTED NETWORKS. People used to expose database servers to the public. Whether a database server has known vulnerabilities or not, that's just a bad idea, and anyone who's installing a database server should know better.

> In addition, the company that produces the application got hacked recently and the hackers got a lot of user data.

I'm not sure how that's all that important here. Adobe was not hacked through a CF vulnerability. If you want to find people using CF, you don't need to hack Adobe to get that. There are lots of people who have that data. Admittedly, if you want to find people who bought older versions of CF, that would be easier to get from Adobe, but that wouldn't tell you whether those people are still using CF or whether their servers were set up properly. In addition, that would have nothing to do with what you want Adobe to do now. To the best of my knowledge, Adobe does not possess a time machine, so they can't go back in time to fix problems in old installed systems other than by providing patches. I guess that it's a good thing that administrators don't have to worry about patching anything else.

> But we developers, we're not worried about this because if our server gets hacked (through widely published methods well known by the hacker community), it's all YOUR fault! I mean, it's not like you've got anything better to do, is it?
>
> *sound of running feet and screaming*

I'd be interested to hear how security audits work in your organization. On second thought, maybe not. If you think vulnerabilities don't exist for other products, "through widely published methods well known by the hacker community", I don't know what to tell you. If you install any application that will be exposed to untrusted networks, you are expected to apply basic due diligence. If you cannot do that, you should not be administering that system. And for CF, at least, it's easy to block the "widely published methods well known by the hacker community".

Dave Watts, CTO, Fig Leaf Software

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358236
RE: The long tail of ColdFusion fail
Please send a photo of your world, I'd like to know what colour the sky is? You are telling ME how a sys admin or IT manager does their job? Well thanks.

-----Original Message-----
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: 29 March 2014 16:50
To: cf-talk
Subject: Re: The long tail of ColdFusion fail

> Correcting the installer won't solve all problems, but it should not be the CAUSE of problems

The installer is installing an application server. Again, this is inherently dangerous, period, end of story. This particular installer sets up a web application that is needed to configure the server, and has to immediately function in order to complete the installation process. The web application is the source of nearly every CF vulnerability, and has been for many years. In addition, it's very easy to install that web application securely with just a little bit of knowledge, as I outlined previously.

And hey! If you install CF 10 today, it gives you a little checkbox called "Secure Profile" which does exactly what you want! (Assuming that what you want is to limit access to the CF Administrator, disable RDS, require a complex password, disable debugging and detailed error messages, etc, etc.) I'm still not going to rely on that to secure access to CF Administrator, because I prefer to simply block access to it entirely from untrusted networks. But it seems to solve the specific problem you're complaining about.

So, honestly, I'm not really sure what you're going on about, other than administrators shouldn't be bothered to learn what they're doing.

> Hey sys admin, I'm going to make your day! Here's an app which we KNOW has security issues and requires a lot of maintenance. You're going to have to become an expert in this new technology, invest even more time patching it and discover security leaks you won't even be informed about, it'll be your job to tell the app vendor about that, too!

Well, honestly, if you set it up correctly in the first place and followed the instructions in the lockdown guide where appropriate, you actually wouldn't have to worry nearly as much about patches. Given that the vast majority of CF vulnerabilities are in the CF Administrator specifically, if you configure access to that correctly you don't have to become an expert, spend a lot of time patching, or discovering security leaks. The same is true for EVERY PIECE OF SOFTWARE YOU EXPOSE TO UNTRUSTED NETWORKS. People used to expose database servers to the public. Whether a database server has known vulnerabilities or not, that's just a bad idea, and anyone who's installing a database server should know better.

> In addition, the company that produces the application got hacked recently and the hackers got a lot of user data.

I'm not sure how that's all that important here. Adobe was not hacked through a CF vulnerability. If you want to find people using CF, you don't need to hack Adobe to get that. There are lots of people who have that data. Admittedly, if you want to find people who bought older versions of CF, that would be easier to get from Adobe, but that wouldn't tell you whether those people are still using CF or whether their servers were set up properly. In addition, that would have nothing to do with what you want Adobe to do now. To the best of my knowledge, Adobe does not possess a time machine, so they can't go back in time to fix problems in old installed systems other than by providing patches.

> I guess that it's a good thing that administrators don't have to worry about patching anything else. But we developers, we're not worried about this because if our server gets hacked (through widely published methods well known by the hacker community), it's all YOUR fault! I mean, it's not like you've got anything better to do, is it? *sound of running feet and screaming*

I'd be interested to hear how security audits work in your organization. On second thought, maybe not.

If you think vulnerabilities don't exist for other products, through widely published methods well known by the hacker community, I don't know what to tell you. If you install any application that will be exposed to untrusted networks, you are expected to apply basic due diligence. If you cannot do that, you should not be administering that system. And for CF, at least, it's easy to block the widely published methods well known by the hacker community.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358237
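One way to verify the control Dave describes above (CF Administrator, its API and RDS reachable only from trusted networks) is to audit the web server's access log for admin requests arriving from anywhere else. This is an added example, not code from this thread or from Adobe; it assumes the standard CFIDE paths are still mapped, Apache/IIS-style combined log lines, and the constructed sample lines and trusted networks embedded below.

```python
"""Audit web-server access logs for requests that reached the ColdFusion
Administrator, Admin API or RDS from outside the trusted networks.

Added example, not code from the thread or from Adobe. Assumptions: the
standard CF paths (/CFIDE/administrator/, /CFIDE/adminapi/, RDS endpoint
/CFIDE/main/ide.cfm) are mapped on the web server, the log is in Apache
"combined" format, and the sample lines and networks below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Paths that should be reachable only from trusted networks (assumption:
# default ColdFusion layout). Compared lowercase, without the query string.
SENSITIVE_PREFIXES = (
    "/cfide/administrator/",   # CF Administrator web application
    "/cfide/adminapi/",        # Administrator API
    "/cfide/main/ide.cfm",     # RDS endpoint
)

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

@dataclass(frozen=True)
class Finding:
    ip: str
    path: str
    status: int
    # "exposed": the request got through to CF (2xx/3xx; a login page or a
    # redirect still proves the Administrator answers from that network);
    # "blocked": the web server, proxy or firewall rule in front denied it.
    severity: str

def parse_line(line: str) -> Optional[dict]:
    """Return ip/path/status for one log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "path": m.group("path"),
            "status": int(m.group("status"))}

def is_sensitive(path: str) -> bool:
    """True when the path targets the Administrator, Admin API or RDS."""
    bare = path.split("?", 1)[0].lower()
    return bare.startswith(SENSITIVE_PREFIXES)

def is_trusted(ip: str, trusted_nets) -> bool:
    """True when ip lies inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False   # an unparsable client address is treated as untrusted
    return any(addr in net for net in trusted_nets)

def audit(lines: Iterable[str], trusted_cidrs: Iterable[str]) -> List[Finding]:
    """Report every sensitive request that came from outside trusted_cidrs."""
    trusted_nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_sensitive(rec["path"]):
            continue
        if is_trusted(rec["ip"], trusted_nets):
            continue
        severity = "exposed" if rec["status"] < 400 else "blocked"
        findings.append(Finding(rec["ip"], rec["path"], rec["status"], severity))
    return findings

def summarize(findings: List[Finding]) -> dict:
    """Count findings by severity; 'exposed' must be 0 on a locked-down server."""
    counts = {"exposed": 0, "blocked": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts

# Constructed sample data: 10.0.0.0/8 and 192.168.0.0/16 stand in for the
# internal networks; 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for the Internet.
TRUSTED_NETWORKS = ["10.0.0.0/8", "192.168.0.0/16"]

SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2014:10:15:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.5.21 - - [28/Mar/2014:10:16:40 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Mar/2014:10:17:11 +0000] "POST /CFIDE/adminapi/administrator.cfc HTTP/1.1" 403 219 "-" "curl/7.30"
203.0.113.7 - - [28/Mar/2014:10:18:03 +0000] "GET /cfide/main/ide.cfm?x=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Mar/2014:10:19:30 +0000] "GET /index.cfm HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
this line is not in log format and is skipped
"""

if __name__ == "__main__":
    results = audit(SAMPLE_LOG.splitlines(), TRUSTED_NETWORKS)
    for f in results:
        print(f"{f.severity:8} {f.ip:15} {f.status} {f.path}")
    print(summarize(results))   # {'exposed': 2, 'blocked': 1}
```

A non-zero "exposed" count means the block in front of the Administrator is not holding for at least one external network, regardless of whether Secure Profile is on.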
Re: The long tail of ColdFusion fail
The bare minimum should at least be as I stated.

Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com

On 28 Mar 2014 03:16, Raymond Camden raymondcam...@gmail.com wrote:
> As has been explained *multiple* times, there is no one solution (in terms of settings) that will work for everyone. Therefore there must be some position made where the software says, "I'll lock down A and B, but I don't think I can *always* lock C."
>
> I *do* think that at the end of the installation, linking to the lock down guide would be useful.
>
> On Thu, Mar 27, 2014 at 10:12 PM, Maureen mamamaur...@gmail.com wrote:
>> Honestly, if you are selling a software product that requires additional lock down after installation, you might could get the attention of those hiding in their cubicle by putting a large notice of such at the beginning of the installation instructions. No one should have to find out about software security issues from CNN.
>>
>> On Thu, Mar 27, 2014 at 7:57 PM, Wil Genovese jugg...@trunkful.com wrote:
>>> Honestly if these people are living under their cubicle desk then I have no clue how to get their attention. It's not as if no one is talking about ColdFusion security and certainly not as if the main stream news media is reporting security breaches. If someone chooses to stay uninformed there isn't much anyone can do to wake them up.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358166
Re: The long tail of ColdFusion fail
Except everyone I know who has tried to follow the lock down guide has ended up with a broken CF server.

Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com

On 28 Mar 2014 02:43, Raymond Camden raymondcam...@gmail.com wrote:
>> Paying attention to the requirement to inform these people about the need for extra lock down early in the process would be more effective in solving the problem than Adobe employees and evangelists ignoring the fact that these people exist and doing nothing more than yelling
>
> Um... who exactly is ignoring these people? You may argue the CF team should do *more*, but they are not *ignoring* anyone. The Secure Profile was a *big* step to try to help lock things down out of the box. Hiring Pete to write a guide, and hosting it, on *additional* steps was good too imo. Can even more be done - maybe so. I'd like the installer to point to the lock down guide so folks know it exists.
>
>> "Rah, Rah, Adobe" as if the company had no place in the solution.
>
> As if Adobe hasn't at least made an effort - oh wait - they did. Users must take some responsibility too, Maureen. You can't put it all on Adobe's shoulders here. If you let your nephew install a server and don't bother to double check his work, that is *your* fault, no one else.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358167
Re: The long tail of ColdFusion fail
On Thu, Mar 27, 2014 at 8:14 PM, Raymond Camden raymondcam...@gmail.com wrote:
> Right - but you said Adobe was ignoring this. Please back your statement up. I said the CF team could possibly do more. But I do not agree that they are ignoring the issue.

I did not say Adobe was ignoring the issue, I said that some employees and evangelists were ignoring that people existed who were not aware of the issue. And I meant mostly in this thread, because of the three or so people who seem to think the current method of installing would be fine if the users would do their job, with little acknowledgement of the company's role in the problem.

> A position that does not agree with you is not one of attack.

Tone is everything. You can state a position that does not agree without getting snarky about it.

> Also - I do not blindly defend Adobe. I've got a *huge* history of reporting bugs, making suggestions, and generally trying to make CF a better product. If I thought the CF team was perfect then I wouldn't be trying to help improve it.

That may be the case when you are at work, but I haven't seen it here much. You do a lot of good work for the CF community and I appreciate it greatly. But on this list, anytime I have posted a criticism of Adobe products or procedures, I've gotten a face full of what feels like "shut up and go away".

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358168
Re: The long tail of ColdFusion fail
Sorry, forgot to come back to this.

> This is not a false analogy because [etc]

But it *is* a false analogy because it's generally a government requirement for people to be licensed to drive a car before they can use one, so it's reasonable to assume from the outset of the sale process that a minimum level of education is already in place regarding how a car works. This is not the case with CFML.

I think, on the whole, physical object analogies made in the context of IT considerations have a lovely superficial warmth to them, but generally end up being pretty specious.

-- 
Adam

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358170
Re: The long tail of ColdFusion fail
After days of cringing as these emails come through, I am going to chime in briefly.

If there is such a glaring hole in the Coldfusion platform, and there is a need for it to be filled, is there an obvious business/product opportunity here?

The Coldfusion ecosystem is large, and as the title suggests, has a really, really long tail. (Says someone who finally shut down his last Coldfusion 5 system last calendar year.)

Would you people that think it needs work be willing to define the required functionality you think is missing? As in specific vulnerabilities, and suggestions for how to test it? I am sure there are solid developers here who, if they saw a compelling, reachable product, might jump on this. And if it turns out to be doable and cost effective, I would also bet that Adobe (or one of their competitors, or both) might purchase that technology and bundle it in future versions.

I am picturing a 2-fold system. A web-based scan for common vulnerabilities from outside, and a more detailed scan of the system from inside. (There are a number of comparable systems out there. WordPress security scanners being a recently-in-mind example.)

Thoughts?

I think a little more on-topic, a little less on-people would be nice.

Jerry Milo Johnson

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358172
Re: The long tail of ColdFusion fail
Maureen mamamaur...@gmail.com wrote:
> Honestly, if you are selling a software product that requires additional lock down after installation, you might could get the attention of those hiding in their cubicle by putting a large notice of such at the beginning of the installation instructions. No one should have to find out about software security issues from CNN.

I would change the argument over to what happens when installing competing middleware. Are the alternatives to ACF any safer to install? What sorts of things do they do to minimize security issues on installation? How can ACF modify the installation process to maximize the security profiles up front?

The ACF installation security profile doesn't matter if massive breach publicity makes large datacenters, government agencies, and ISPs abandon the product. In public relations, logic isn't the primary driver.

-- 
LinkedIn: http://www.linkedin.com/pub/roger-austin/8/a4/60
Twitter: http://twitter.com/RogerTheGeek
Blog: http://RogerTheGeek.wordpress.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358173
Re: The long tail of ColdFusion fail
> I am picturing a 2-fold system. A web-based scan for common vulnerabilities from outside, and a more detailed scan of the system from inside.

Hi Jerry, you basically just described HackMyCF.com and their security scanner and monitoring tool.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358177
Re: The long tail of ColdFusion fail
> If you let your nephew install a server and don't bother to double check his work, that is *your* fault, no one else.

What does this matter when the bad juju blows back publicly on the product itself? Blaming the customer for problems in other channels typically doesn't tend to end well for the seller. That's what I am seeing here. I know you're right... but is that relevant to long term sales growth?

I'm no longer a full-time CF developer. I run a company whose focus has to be on customer service. I cannot imagine an approach like that surviving in my marketplace for long. So I'm not looking at this from a technical perspective. At its root this is not a tech problem at all. It's a problem with consumer perception of the product.

-- 
--m@Robertson--
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358178
RE: The long tail of ColdFusion fail
I can't say I've read every post, but I have read most. One point I'd like to take up is this business of the CF install and security. I've seen all sorts of statements made about sys admins and their duties which, as a past sys admin and IT Manager, I found interesting.

The idea that any application installed on a server that is open to the internet, or even one used internally, should be installed in such a way that it is open to hacking by default is, quite frankly, ridiculous. I have been responsible for corporate level global infrastructures including the use of firewalls, VPNs, etc. If you have ever worked with any high standard product you will be aware that features remain closed by default. You don't install a firewall and find all the ports are open and you have to select which to close, quite the reverse. The notion that it's the sys admin's fault if a product installs in an insecure way beggars belief.

I recognise that PHP and .Net aren't exactly perfect, but for CF to have a backdoor entry point as standard in the install is plainly stupid and it has not helped sell CF as an option.

Sure, not all sys admins have the sort of skill set one would expect, I have certainly come across a few of these in my 30 years in IT. However, a sys admin has plenty enough to deal with without having intrinsically bad application installs thrown at him or her.

My tuppenth.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358183
Re: The long tail of ColdFusion fail
Dave wrote:
> But I think there's an important difference in expectations between providing services and selling tools. My customers expect me to know how to do things right - to understand how my tools work. When you buy a tool, you are expected to know how to use the tool, and there is only so much the tool vendor can do to prevent you from misusing the tool.

Dave as usual you are right ;-). BUT my counterpoint is your rightness in this point doesn't matter to the overall outcome: CF is still getting sucker-punched. And you cannot stop it from happening by pointing out - to the media who is delivering the blows - that someone else deserves that fist to the face. You further cannot stop it by insisting that only grownups buy and use the product.

I had a retail product that needed a default url and a default path hand-input into Application.cfm, along with a couple other settings that decided how the app behaved. How tough can it be to type in a path on your own server? That you know already? And I wrote tons of comments into the file's code so it had a complete instruction manual inside, with examples, options... the works. All the 'developer' had to do was spend two minutes in that file and poof they had a fully working app.

<3 how that went... "I have to type whut? Where? Why? A path you say? What line is that on?" The fact is to BE a developer in the first place they needed the skill to edit a CF file. It didn't matter. I sucked it up, acknowledged reality, wrote the installer and... problem solved.

CF is in that boat now.

--m@--

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358184
CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail
Good Gawd! Some of you are like a dog with a bone.

The facts:

1) Something Happened
2) It Got Publicized
3) There Are A Lot of Ticked Off People

We can debate who is at fault until we are blue in the face. The fact of the matter is, all of it is in the past. We can not change the past. Adobe (the CF product team) is aware of everyone's concerns, and are evaluating strategy *for the future*. You have all said your piece here, in the very public openness of the web, where Google will pick it up and run, and allow the naysayers to say "see, even their own community..."

Review the install of the now public beta. Write down a list of faults/suggestions. Go file it in the bug report tool. Let everyone know that it's there for vote and comment. Everyone then go vote and comment. If you do it right, and you give it full court press, maybe we can get at least partial response before they take the server to full product. I promise you that it is a much more valuable use of your time, and your valid, constructive criticism might actually get met with an official response and/or action.

Now, you are welcome to flame me here, but *I* promise *you*, you will just be wasting keystrokes. Spend 'em in the bug tracker.

Steve 'Cutter' Blades
Adobe Community Professional
Adobe Certified Expert
Advanced Macromedia ColdFusion MX 7 Developer
http://cutterscrossing.com

Co-Author "Learning Ext JS 3.2", Packt Publishing 2010
https://www.packtpub.com/learning-ext-js-3-2-for-building-dynamic-desktop-style-user-interfaces/book

"The best way to predict the future is to help create it"

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358185
Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail
> You have all said your piece here, in the very public openness of the web, where Google will pick it up and run, and allow the naysayers to say "see, even their own community..."

^^ +1 ^^

<cfhorse beaten="true" dead="true" />
<cfabort>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358186
Re: The long tail of ColdFusion fail
it doesn't take any expertise, this is the whole point, anyone can do it (badly)

sure something may break by being locked down, but as I said earlier, you have 2 choices..

1. out of the box install, not secure, but your site works just fine.. So nothing to learn unless you choose to. User continues in blissful ignorance.

2. out of the box, locked down and secure, but site may break, so you have to learn something about CF security to get it working. Learning is required and not optional, user has now learnt something new and has a secure system.

surely this is a no brainer.

On Fri, Mar 28, 2014 at 4:01 PM, Dave Watts dwa...@figleaf.com wrote:
>>> If you let your nephew install a server and don't bother to double check his work, that is *your* fault, no one else.
>>
>> What does this matter when the bad juju blows back publicly on the product itself? Blaming the customer for problems in other channels typically doesn't tend to end well for the seller. That's what I am seeing here. I know you're right... but is that relevant to long term sales growth?
>>
>> I'm no longer a full-time CF developer. I run a company whose focus has to be on customer service. I cannot imagine an approach like that surviving in my marketplace for long. So I'm not looking at this from a technical perspective. At its root this is not a tech problem at all. It's a problem with consumer perception of the product.
>
> Like you, I'm in a business that has to focus on customer service. But I think there's an important difference in expectations between providing services and selling tools. My customers expect me to know how to do things right - to understand how my tools work. When you buy a tool, you are expected to know how to use the tool, and there is only so much the tool vendor can do to prevent you from misusing the tool.
>
> Application servers are inherently complex, and it takes a certain level of expertise to set them up. There's no getting around that.
>
> I agree that Adobe might be able to do a couple of things to make the process easier, but I think those things might also have unintended consequences - breaking existing applications, etc. In the end, security is going to rely on the knowledge of the administrator and developers.
>
> Dave Watts, CTO, Fig Leaf Software
> 1-202-527-9569
> http://www.figleaf.com/
> http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358182
Re: The long tail of ColdFusion fail
> sure something may break by being locked down, but as I said earlier, you have 2 choices..
>
> 1. out of the box install, not secure, but your site works just fine.. So nothing to learn unless you choose to. User continues in blissful ignorance.
>
> 2. out of the box, locked down and secure, but site may break, so you have to learn something about CF security to get it working. Learning is required and not optional, user has now learnt something new and has a secure system.
>
> surely this is a no brainer.

This explains why absolutely no one uses Windows web servers. After all, that's how Unix web servers always worked, pretty much. You had to know what you were doing to get them working. I can see now why Windows never got any market share.

(note: this is not an endorsement of one or the other, just an observation)

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358187
Re: The long tail of ColdFusion fail
> Application servers are inherently complex, and it takes a certain level of expertise to set them up. There's no getting around that.

You're right. However, there are two approaches that can be taken in installation procedures.

One year ago I had to move from a W2003 to a W2008 server and to a new version of IIS. I discovered that in Windows and IIS everything was locked and blocked and nothing was working out of the box. I had to learn everything since IIS 7 is completely different. So I had to unlock, give permissions etc. until I could have a site operational.

On the other hand, the CF server was operational right away, but then I had to secure it.

So you're right when you say that it takes a certain level of expertise, but this level can be used in two different directions. The first is "secure by default", the second more like "insecure by default". The first may be more frustrating, but the second is kind of more dangerous.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358188
Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail
I think you will find many folks already did that years ago, myself included.

On Fri, Mar 28, 2014 at 5:38 PM, Steve 'Cutter' Blades cold.fus...@cutterscrossing.com wrote:
> Good Gawd! Some of you are like a dog with a bone.
>
> The facts:
>
> 1) Something Happened
> 2) It Got Publicized
> 3) There Are A Lot of Ticked Off People
>
> We can debate who is at fault until we are blue in the face. The fact of the matter is, all of it is in the past. We can not change the past. Adobe (the CF product team) is aware of everyone's concerns, and are evaluating strategy *for the future*. You have all said your piece here, in the very public openness of the web, where Google will pick it up and run, and allow the naysayers to say "see, even their own community..."
>
> Review the install of the now public beta. Write down a list of faults/suggestions. Go file it in the bug report tool. Let everyone know that it's there for vote and comment. Everyone then go vote and comment. If you do it right, and you give it full court press, maybe we can get at least partial response before they take the server to full product. I promise you that it is a much more valuable use of your time, and your valid, constructive criticism might actually get met with an official response and/or action.
>
> Now, you are welcome to flame me here, but *I* promise *you*, you will just be wasting keystrokes. Spend 'em in the bug tracker.
>
> Steve 'Cutter' Blades
> Adobe Community Professional
> Adobe Certified Expert
> Advanced Macromedia ColdFusion MX 7 Developer
> http://cutterscrossing.com
>
> Co-Author "Learning Ext JS 3.2", Packt Publishing 2010
> https://www.packtpub.com/learning-ext-js-3-2-for-building-dynamic-desktop-style-user-interfaces/book
>
> "The best way to predict the future is to help create it"

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358189
Re: The long tail of ColdFusion fail
> 1. out of the box install, not secure, but your site works just fine..

This is Adobe's approach.

> 2. out of the box, locked down and secure, but site may break, so you have

And this is Microsoft's.

You're quite right.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358190
Re: The long tail of ColdFusion fail
Imagine a family buys a car, and by default the airbags and anti-lock brakes are not enabled. Indeed, they are in the trunk, under the spare tire, but it's up to you to go to the manufacturer's site and download instructions to install them ;-)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358191
Re: The long tail of ColdFusion fail
>> If you let your nephew install a server and don't bother to double check his work, that is *your* fault, no one else.
>
> What does this matter when the bad juju blows back publicly on the product itself? Blaming the customer for problems in other channels typically doesn't tend to end well for the seller. That's what I am seeing here. I know you're right... but is that relevant to long term sales growth?
>
> I'm no longer a full-time CF developer. I run a company whose focus has to be on customer service. I cannot imagine an approach like that surviving in my marketplace for long. So I'm not looking at this from a technical perspective. At its root this is not a tech problem at all. It's a problem with consumer perception of the product.

Like you, I'm in a business that has to focus on customer service. But I think there's an important difference in expectations between providing services and selling tools. My customers expect me to know how to do things right - to understand how my tools work. When you buy a tool, you are expected to know how to use the tool, and there is only so much the tool vendor can do to prevent you from misusing the tool.

Application servers are inherently complex, and it takes a certain level of expertise to set them up. There's no getting around that.

I agree that Adobe might be able to do a couple of things to make the process easier, but I think those things might also have unintended consequences - breaking existing applications, etc. In the end, security is going to rely on the knowledge of the administrator and developers.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358181
Re: The long tail of ColdFusion fail
but for CF to have a backdoor entry point as standard in the install is plainly stupid and it has not helped sell CF as an option.

This is exactly the point.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358192
Re: The long tail of ColdFusion fail
if you think no-one uses Windows web servers then you are wrong, very wrong. It would seem you also think that Windows is not locked down by default, that may have been true once upon a time, but is no longer the case and hasn't been for many years. Certainly since Windows Server 2008, you must specifically choose which roles to install, everything is not installed by default, the firewall is also installed and enabled by default with only the basic required services allowed through and networking is also disabled.

On Fri, Mar 28, 2014 at 5:52 PM, Dave Watts dwa...@figleaf.com wrote:

sure something may break by being locked down, but as I said earlier, you have 2 choices..

1. out of the box install, not secure, but your site works just fine.. So nothing to learn unless you choose to. User continues in blissful ignorance.
2. out of the box, locked down and secure, but site may break, so you have to learn something about CF security to get it working. Learning is required and not optional, user has now learnt something new and has a secure system.

surely this is a no brainer.

This explains why absolutely no one uses Windows web servers. After all, that's how Unix web servers always worked, pretty much. You had to know what you were doing to get them working. I can see now why Windows never got any market share. (note: this is not an endorsement of one or the other, just an observation)

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358193
Re: The long tail of ColdFusion fail
Imagine a family buys a car, and by default the airbags and anti-lock brakes are not enabled. Indeed, they are in the trunk, under the spare tire, but it's up to you to go to the manufacturer's site and download instructions to install them ;-)

Obviously none of you have ever owned a Jeep :D

When I'm not hacking on servers - http://www.jeepforum.com/forum/f96/bug-out-build-1568531/
Just Empty Every Pocket

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

On Mar 28, 2014, at 12:58 PM, Claude Schnéegans schneegans@internetiq.trunkful.com wrote:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358194
Re: The long tail of ColdFusion fail
2. out of the box, locked down and secure, but site may break, so you have

And this is Microsoft's

It's Microsoft's approach ... now. But it took them a long time to get there. And the sheer weight of legacy code probably had something to do with that. And I think Microsoft server products got quite a bit of market share for just working out of the box. I don't know how successful they'd have been if they'd originally been more like Unix servers.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358195
Re: The long tail of ColdFusion fail
I see lessons in seeing sarcasm are needed

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

On Mar 28, 2014, at 1:02 PM, Russ Michaels r...@michaels.me.uk wrote:

if you think no-one uses Windows web servers then you are wrong, very wrong. It would seem you also think that Windows is not locked down by default, that may have been true once upon a time, but is no longer the case and hasn't been for many years. Certainly since Windows Server 2008, you must specifically choose which roles to install, everything is not installed by default, the firewall is also installed and enabled by default with only the basic required services allowed through and networking is also disabled.

On Fri, Mar 28, 2014 at 5:52 PM, Dave Watts dwa...@figleaf.com wrote:

sure something may break by being locked down, but as I said earlier, you have 2 choices..

1. out of the box install, not secure, but your site works just fine.. So nothing to learn unless you choose to. User continues in blissful ignorance.
2. out of the box, locked down and secure, but site may break, so you have to learn something about CF security to get it working. Learning is required and not optional, user has now learnt something new and has a secure system.

surely this is a no brainer.

This explains why absolutely no one uses Windows web servers. After all, that's how Unix web servers always worked, pretty much. You had to know what you were doing to get them working. I can see now why Windows never got any market share. (note: this is not an endorsement of one or the other, just an observation)

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358196
Re: The long tail of ColdFusion fail
if you think no-one uses Windows web servers then you are wrong, very wrong.

Uh, yeah, I know that. That was my point.

It would seem you also think that Windows is not locked down by default, that may have been true once upon a time, but is no longer the case and hasn't been for many years. Certainly since Windows Server 2008, you must specifically choose which roles to install, everything is not installed by default, the firewall is also installed and enabled by default with only the basic required services allowed through and networking is also disabled.

I guess you can interpret "many years" however you like, but the simple fact is, from the beginning and through the majority of the lifespan of Windows servers, this was not the default. And I don't think Windows would have been nearly as popular for servers if it had started out that way. The fact that things worked by default gave Windows market share.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358197
Re: The long tail of ColdFusion fail
On 03/28/2014 10:52 AM, Dave Watts wrote:

This explains why absolutely no one uses Windows web servers.

Some data on this topic: http://news.netcraft.com/archives/2014/03/03/march-2014-web-server-survey.html

IIS looks great in the "all sites" category but is seemingly dead in the "Active sites" category. I am particularly amused by the last category where NGINX has more market share than IIS in the top million busiest sites.

Warm Regards,
Jordan Michaels

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358198
Re: The long tail of ColdFusion fail
It's Microsoft's approach ... now. But it took them a long time to get there.

You're probably right. The point here is that it is taking Adobe even longer.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358199
Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail
OMG You mean ColdFusion 11 is public :P

Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Sat, Mar 29, 2014 at 4:38 AM, Steve 'Cutter' Blades cold.fus...@cutterscrossing.com wrote:

Good Gawd! Some of you are like a dog with a bone.

The facts:
1) Something Happened
2) It Got Publicized
3) There Are A Lot of Ticked Off People

We can debate who is at fault until we are blue in the face. The fact of the matter is, all of it is in the past. We can not change the past. Adobe (the CF product team) is aware of everyone's concerns, and are evaluating strategy *for the future*. You have all said your piece here, in the very public openness of the web, where Google will pick it up and run, and allow the naysayers to say "see, even their own community..."

Review the install of the now public beta. Write down a list of faults/suggestions. Go file it in the bug report tool. Let everyone know that it's there for vote and comment. Everyone then go vote and comment. If you do it right, and you give it full court press, maybe we can get at least partial response before they take the server to full product. I promise you that it is a much more valuable use of your time, and your valid, constructive criticism might actually get met with an official response and/or action.

Now, you are welcome to flame me here, but *I* promise *you*, you will just be wasting keystrokes. Spend 'em in the bug tracker.

Steve 'Cutter' Blades
Adobe Community Professional
Adobe Certified Expert
Advanced Macromedia ColdFusion MX 7 Developer
http://cutterscrossing.com
Co-Author Learning Ext JS 3.2
Packt Publishing 2010
https://www.packtpub.com/learning-ext-js-3-2-for-building-dynamic-desktop-style-user-interfaces/book
The best way to predict the future is to help create it

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358200
Re: The long tail of ColdFusion fail
I doubt it would have made any difference as there still would have been only the same choices, and the reasons for choosing Windows over Linux or Others would have remained the same, for folks that wanted a simple GUI to work with vs command line.

On Fri, Mar 28, 2014 at 6:04 PM, Dave Watts dwa...@figleaf.com wrote:

2. out of the box, locked down and secure, but site may break, so you have

And this is Microsoft's

It's Microsoft's approach ... now. But it took them a long time to get there. And the sheer weight of legacy code probably had something to do with that. And I think Microsoft server products got quite a bit of market share for just working out of the box. I don't know how successful they'd have been if they'd originally been more like Unix servers.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358201
Re: The long tail of ColdFusion fail
I am particularly amused by the last category where NGINX has more market share than IIS in the top million busiest sites.

I'm not all that surprised. Very busy sites are likely to have better infrastructure. Nginx makes a very good reverse proxy for internal servers. I have a customer in the top 10k Netcraft ranking doing exactly that, using IIS and CF internally, and exposing them to public access only through reverse proxies.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358202
Re: The long tail of ColdFusion fail
consider this

Imagine a family buys a car, and by default the airbags and anti-lock brakes are not enabled. Somewhere deep in the manual is a mention of following a safety setup guide, and you are expected to follow this guide and make changes to your car to make it safe and secure. Now imagine there is a family out in that car one day, they crash and everyone dies because they did not read that guide and did not set up their anti-lock brakes and airbags. Would you say "serves them right, they should have done the safety setup procedures, anyone who doesn't know that shouldn't be driving a car", or is it more likely that you will blame the manufacturer for not making the car safe to begin with?

moral: most people who drive a car know how they work, most people who run a server (VPS) are security experts or even sysadmins.

Cloud/VPS hosting is so common these days, that every tom, dick and harry has one, and they know barely anything about running a server. They either installed CF themselves, or asked their host to do it, who also knows nothing about CF. I expect anything I buy to be safe and secure by default, whether it be a car, a lawnmower or ColdFusion, even if I do have the common sense to check it beforehand.

On Fri, Mar 28, 2014 at 2:49 PM, Money Pit websitema...@gmail.com wrote:

If you let your nephew install a server and don't bother to double check his work, that is *your* fault, no one else.

What does this matter when the bad juju blows back publicly on the product itself? Blaming the customer for problems in other channels typically doesn't tend to end well for the seller. That's what I am seeing here. I know you're right... but is that relevant to long term sales growth? I'm no longer a full-time CF developer. I run a company whose focus has to be on customer service. I cannot imagine an approach like that surviving in my marketplace for long. So I'm not looking at this from a technical perspective. At its root this is not a tech problem at all. It's a problem with consumer perception of the product.

--
--m@Robertson--
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358180
Re: The long tail of ColdFusion fail
On 03/28/2014 11:13 AM, Dave Watts wrote:

Very busy sites are likely to have better infrastructure.

IIS can function great as a reverse proxy. You'd think these companies would want to save the cost of training their employees on new web servers/proxies when they could simply use IIS for this task.

Warm Regards,
Jordan Michaels

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358203
Re: The long tail of ColdFusion fail
The idea that any application is installed on a server that is open to the internet, or even if used internally, should be installed in such a way that is open to hacking by default is, quite frankly, ridiculous.

I've got bad news for you. Stick this in Google: "[product] default vulnerability" and prepare to be amazed. Some suggestions: PHP, IIS, Apache. Not all allow remote users to execute arbitrary code, but plenty do.

I have been responsible for corporate level global infrastructures including the use of firewalls, VPNs, etc. If you have ever worked with any high standard product you will be aware that features remained closed by default. You don't install a firewall and find all the ports are open and you have to select which to close, quite the reverse.

I submit to you that it should not be surprising that products explicitly designed for security purposes, like firewalls and VPNs, will be expected to be secure by default.

The notion that it's the sysadmin's fault if a product installs in an insecure way beggars belief.

No, that's not the sysadmins' fault. But leaving a product at the default install state on an untrusted network - that IS the sysadmins' fault. How is a sysadmin going to make sure that the developers' applications are secured properly, if he doesn't know enough to secure the one web application that's packaged with the product?

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358204
Re: The long tail of ColdFusion fail
Jordan and Dave,

Thanks! You just helped me solve a totally unrelated problem on an IIS site with a lot of static content requests. I've got several servers using Apache as a reverse proxy to NGINX but I don't know why it didn't occur to me to look into doing the same for IIS...

Jon

On Mar 28, 2014, at 2:31 PM, Jordan Michaels jor...@viviotech.net wrote:

On 03/28/2014 11:13 AM, Dave Watts wrote:

Very busy sites are likely to have better infrastructure.

IIS can function great as a reverse proxy. You'd think these companies would want to save the cost of training their employees on new web servers/proxies when they could simply use IIS for this task.

Warm Regards,
Jordan Michaels

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358205
Re: The long tail of ColdFusion fail
I also once had a client who did this, they were Linux heads who thought that hiding the sucky insecure windows/cf server behind a linux server and doing a reverse proxy would make it secure. But of course it didn't as everything still works the same way, the SQL injections still got through, the insecure file upload forms still allowed files to be uploaded, which could then be executed as they had cfexecute and cfregistry enabled. The worst thing is this was the government's hosting dept :-)

On Fri, Mar 28, 2014 at 6:13 PM, Dave Watts dwa...@figleaf.com wrote:

I am particularly amused by the last category where NGINX has more market share than IIS in the top million busiest sites.

I'm not all that surprised. Very busy sites are likely to have better infrastructure. Nginx makes a very good reverse proxy for internal servers. I have a customer in the top 10k Netcraft ranking doing exactly that, using IIS and CF internally, and exposing them to public access only through reverse proxies.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358206
Re: The long tail of ColdFusion fail
I also once had a client who did this, they were Linux heads who thought that hiding the sucky insecure windows/cf server behind a linux server and doing a reverse proxy would make it secure.

There is no such thing as "make it secure", of course. But it is more secure. It solves one specific security problem - preventing executable code from being directly accessed from an untrusted network.

But of course it didn't as everything still works the same way, the SQL injections still got through, the insecure file upload forms still allowed files to be uploaded, which could then be executed as they had cfexecute and cfregistry enabled.

So what you're saying is that, despite the fact that the environment was (more) secure by default, developers accidentally wrote exploitable code? I have the feeling there's some lesson to be drawn from this. I wonder what it is?

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358207
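The two messages above describe the same lesson from both sides: Russ's client put a reverse proxy in front of the CF server, and the SQL injection and the unrestricted file upload went straight through it, because the proxy only decides which URLs reach the application, not what the application does with the request. The following is an added example, not code from any post in this thread or from Adobe; it shows each of the two defects in CFML next to its hardened form. The datasource `app`, the table `articles`, the form field `attachment`, the `/uploads/` web path and the `C:\appdata\uploads\` storage directory are made-up names for illustration. Within each pair, the first snippet is the defect and the second the fix; they are alternatives, not steps to run in sequence.

```cfml
<!--- Added example (not from the thread). Datasource "app", table "articles",
      form field "attachment" and the two directories are illustrative names. --->

<!--- (1) SQL injection. A reverse proxy forwards url.id untouched, so
      interpolating it into the SQL text lets the client rewrite the WHERE clause. --->
<cfquery name="articleUnsafe" datasource="app">
    SELECT id, title FROM articles WHERE id = #url.id#
</cfquery>

<!--- Hardened: bind the value as a typed parameter. The value travels
      separately from the SQL text, and a non-integer is rejected before
      the statement is sent to the database. --->
<cfquery name="article" datasource="app">
    SELECT id, title FROM articles
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- (2) Unrestricted upload. The file is written under the web root with the
      client-chosen name, so an uploaded .cfm becomes a remotely runnable page. --->
<cffile action="upload"
        filefield="attachment"
        destination="#expandPath('/uploads/')#"
        nameconflict="makeunique">

<!--- Hardened: receive into the temp directory, allow-list the extension that
      was actually saved (not the client-supplied MIME type), then store the
      file outside the web root under a server-generated name. --->
<cfset allowedExtensions = ["pdf", "png", "jpg", "gif"]>
<cfset storageDir = "C:\appdata\uploads\">   <!--- illustrative; not under the web root --->

<cffile action="upload"
        filefield="attachment"
        destination="#getTempDirectory()#"
        nameconflict="makeunique"
        result="upload">

<cfset savedPath = upload.serverDirectory & "/" & upload.serverFile>

<cfif NOT arrayContainsNoCase(allowedExtensions, upload.serverFileExt)>
    <!--- Reject anything not on the list and remove the temp copy --->
    <cffile action="delete" file="#savedPath#">
    <cfthrow type="Upload.RejectedType"
             message="File type not permitted: #encodeForHTML(upload.serverFileExt)#">
</cfif>

<!--- A UUID-based name removes the client's control over the stored path --->
<cfset storedName = createUUID() & "." & lcase(upload.serverFileExt)>
<cffile action="move" source="#savedPath#" destination="#storageDir##storedName#">
```

Neither fix depends on anything in front of the server, which is the point of Dave's reply: the proxy keeps the administrator console and other packaged code off the untrusted network, while `cfqueryparam` and the post-save extension check are what stop the two defects Russ describes. Checking `serverFileExt` after the upload, rather than relying on `accept`, matters because the MIME type is supplied by the client; storing under a generated name outside the web root means that even a mis-classified file cannot be requested and executed as a page.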
Re: The long tail of ColdFusion fail
A locked door is useless if you leave the windows open.

Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com

On 28 Mar 2014 19:09, Dave Watts dwa...@figleaf.com wrote:

I also once had a client who did this, they were Linux heads who thought that hiding the sucky insecure windows/cf server behind a linux server and doing a reverse proxy would make it secure.

There is no such thing as "make it secure", of course. But it is more secure. It solves one specific security problem - preventing executable code from being directly accessed from an untrusted network.

But of course it didn't as everything still works the same way, the SQL injections still got through, the insecure file upload forms still allowed files to be uploaded, which could then be executed as they had cfexecute and cfregistry enabled.

So what you're saying is that, despite the fact that the environment was (more) secure by default, developers accidentally wrote exploitable code? I have the feeling there's some lesson to be drawn from this. I wonder what it is?

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358208
Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail
OMG You mean ColdFusion 11 is public :P

I'm hearing Stroz in the back of my head... 10.5 10.5

have a great weekend!

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358209
Re: The long tail of ColdFusion fail
Re: The long tail of analogy hell.

On 3/28/14, 4:42 PM, Russ Michaels r...@michaels.me.uk wrote:

A locked door is useless if you leave the windows open.

Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com

On 28 Mar 2014 19:09, Dave Watts dwa...@figleaf.com wrote:

I also once had a client who did this, they were Linux heads who thought that hiding the sucky insecure windows/cf server behind a linux server and doing a reverse proxy would make it secure.

There is no such thing as "make it secure", of course. But it is more secure. It solves one specific security problem - preventing executable code from being directly accessed from an untrusted network.

But of course it didn't as everything still works the same way, the SQL injections still got through, the insecure file upload forms still allowed files to be uploaded, which could then be executed as they had cfexecute and cfregistry enabled.

So what you're saying is that, despite the fact that the environment was (more) secure by default, developers accidentally wrote exploitable code? I have the feeling there's some lesson to be drawn from this. I wonder what it is?

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358210
Re: The long tail of ColdFusion fail
If you pound sand long enough it might turn into glass. Or not.

One of my favorite quotes from a friend I used to work with was: "Is the juice worth the squeeze?". Southern wisdom at its finest.

G!

--
Gerald Guido
Twitter https://twitter.com/CozmoTrouble
Blarg http://www.myinternetisbroken.com
Facebook https://www.facebook.com/gerald.guido.9

On Fri, Mar 28, 2014 at 7:21 PM, Bobby bo...@acoderslife.com wrote:

Re: The long tail of analogy hell.

On 3/28/14, 4:42 PM, Russ Michaels r...@michaels.me.uk wrote:

A locked door is useless if you leave the windows open.

Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com

On 28 Mar 2014 19:09, Dave Watts dwa...@figleaf.com wrote:

I also once had a client who did this, they were Linux heads who thought that hiding the sucky insecure windows/cf server behind a linux server and doing a reverse proxy would make it secure.

There is no such thing as "make it secure", of course. But it is more secure. It solves one specific security problem - preventing executable code from being directly accessed from an untrusted network.

But of course it didn't as everything still works the same way, the SQL injections still got through, the insecure file upload forms still allowed files to be uploaded, which could then be executed as they had cfexecute and cfregistry enabled.

So what you're saying is that, despite the fact that the environment was (more) secure by default, developers accidentally wrote exploitable code? I have the feeling there's some lesson to be drawn from this. I wonder what it is?

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358211
Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail
There are people doing that, and their entries are being closed without comment, even when they request comment. So what's the point?

Also, QA and debugging are usually paid positions, except for open source software. If Adobe wants to make CF open source, I will be happy to volunteer some time to help fix it. Otherwise, not my job.

On Fri, Mar 28, 2014 at 10:38 AM, Steve 'Cutter' Blades cold.fus...@cutterscrossing.com wrote:

Review the install of the now public beta. Write down a list of faults/suggestions. Go file it in the bug report tool. Let everyone know that it's there for vote and comment. Everyone then go vote and comment. If you do it right, and you give it full court press, maybe we can get at least partial response before they take the server to full product.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358212
Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail
For the Love of God

On Fri, Mar 28, 2014 at 8:30 PM, Maureen mamamaur...@gmail.com wrote:
> There are people doing that, and their entries are being closed without comment, even when they request comment. So what's the point? Also, QA and debugging are usually paid positions, except for open source software. If Adobe wants to make CF open source, I will be happy to volunteer some time to help fix it. Otherwise, not my job.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358213
Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail
Oh, does he work at Adobe now?

On Fri, Mar 28, 2014 at 5:35 PM, Jerry Milo Johnson jmi...@gmail.com wrote:
> For the Love of God
>
> On Fri, Mar 28, 2014 at 8:30 PM, Maureen mamamaur...@gmail.com wrote:
>> There are people doing that, and their entries are being closed without comment, even when they request comment. So what's the point? Also, QA and debugging are usually paid positions, except for open source software. If Adobe wants to make CF open source, I will be happy to volunteer some time to help fix it. Otherwise, not my job.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358214
Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail
> Also, QA and debugging are usually paid positions, except for open source software. If Adobe wants to make CF open source, I will be happy to volunteer some time to help fix it. Otherwise, not my job.

Bugs happen... as a developer I'm sure you've had clients bring bugs to you and you've asked them to provide additional information so they could be reproduced and fixed. It wasn't their job per se, but it happens to all of us.

One of the companies I work with was all geared up to move a fairly large e-commerce network from CF8 to CF10 when we ran into an issue with the 404 handler (see https://bugbase.adobe.com/index.cfm?event=bug&id=3488063) which had been previously reported to Adobe, but they were having trouble reproducing it internally. I spent a lot of time setting up test cases and bolting on debugging tools, gathering packet captures, getting traces from IIS, and digging way deeper than I ever thought I would. After lots of rounds of back and forth with Adobe engineering, they will soon be releasing* an update to the Tomcat connector for CF10 and I'm sure it'll make its way into CF11 as well. Anyone who's run into the connection reset issue when using a CF-based 404 handler will soon have a fix for that problem.

It wasn't my job to help them troubleshoot this and create a reproduction scenario and work with them to test potential solutions (heck, we even paid for the privilege through a platinum support contract), but we needed that feature to work properly, so we did what was needed to help them fix it.

Sorry, I get annoyed whenever I hear people say "not my job."

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358216
Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail
Maureen,

This is one of my extreme pet peeves with Adobe in the last 10+ years: the length of time it takes from a bug being reported to being fixed is in the years, not days or months, but literally years. I have bugs that were reported in the 2006-2008 days that are still not fixed in ColdFusion 11.

As a developer how does that give me any confidence in the product? Yes it is a perception, but it is a much too common perception I come across from other developers I talk to when it comes to ColdFusion.

Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Sat, Mar 29, 2014 at 11:30 AM, Maureen mamamaur...@gmail.com wrote:
> There are people doing that, and their entries are being closed without comment, even when they request comment. So what's the point? Also, QA and debugging are usually paid positions, except for open source software. If Adobe wants to make CF open source, I will be happy to volunteer some time to help fix it. Otherwise, not my job.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358217
Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail
Justin, yes I reported this to Adobe during the ColdFusion 10 beta. I can confirm, and hope, given that the ticket has been marked fixed, that this is now in ColdFusion 11 as a fix.

Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Sat, Mar 29, 2014 at 2:58 PM, Justin Scott leviat...@darktech.org wrote:
>> Also, QA and debugging are usually paid positions, except for open source software. If Adobe wants to make CF open source, I will be happy to volunteer some time to help fix it. Otherwise, not my job.
>
> Bugs happen... as a developer I'm sure you've had clients bring bugs to you and you've asked them to provide additional information so they could be reproduced and fixed. It wasn't their job per se, but it happens to all of us.
>
> One of the companies I work with was all geared up to move a fairly large e-commerce network from CF8 to CF10 when we ran into an issue with the 404 handler (see https://bugbase.adobe.com/index.cfm?event=bug&id=3488063) which had been previously reported to Adobe, but they were having trouble reproducing it internally. I spent a lot of time setting up test cases and bolting on debugging tools, gathering packet captures, getting traces from IIS, and digging way deeper than I ever thought I would. After lots of rounds of back and forth with Adobe engineering, they will soon be releasing* an update to the Tomcat connector for CF10 and I'm sure it'll make its way into CF11 as well. Anyone who's run into the connection reset issue when using a CF-based 404 handler will soon have a fix for that problem.
>
> It wasn't my job to help them troubleshoot this and create a reproduction scenario and work with them to test potential solutions (heck, we even paid for the privilege through a platinum support contract), but we needed that feature to work properly, so we did what was needed to help them fix it.
>
> Sorry, I get annoyed whenever I hear people say "not my job."
>
> -Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358218
Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail
The scenario you describe is vastly different than me telling my clients that if they want the next version of my software to be secure they have to download and install a beta with known problems, test it, record flaws, suggest features and solicit votes for those flaws to be fixed and the features to be added. And then when they do that, I give them no feedback on their submissions.

Not gonna play. This is my last post on this topic.

On Fri, Mar 28, 2014 at 8:58 PM, Justin Scott leviat...@darktech.org wrote:
>> Also, QA and debugging are usually paid positions, except for open source software. If Adobe wants to make CF open source, I will be happy to volunteer some time to help fix it. Otherwise, not my job.
>
> Bugs happen... as a developer I'm sure you've had clients bring bugs to you and you've asked them to provide additional information so they could be reproduced and fixed. It wasn't their job per se, but it happens to all of us.
>
> One of the companies I work with was all geared up to move a fairly large e-commerce network from CF8 to CF10 when we ran into an issue with the 404 handler (see https://bugbase.adobe.com/index.cfm?event=bug&id=3488063) which had been previously reported to Adobe, but they were having trouble reproducing it internally. I spent a lot of time setting up test cases and bolting on debugging tools, gathering packet captures, getting traces from IIS, and digging way deeper than I ever thought I would. After lots of rounds of back and forth with Adobe engineering, they will soon be releasing* an update to the Tomcat connector for CF10 and I'm sure it'll make its way into CF11 as well. Anyone who's run into the connection reset issue when using a CF-based 404 handler will soon have a fix for that problem.
>
> It wasn't my job to help them troubleshoot this and create a reproduction scenario and work with them to test potential solutions (heck, we even paid for the privilege through a platinum support contract), but we needed that feature to work properly, so we did what was needed to help them fix it.
>
> Sorry, I get annoyed whenever I hear people say "not my job."
>
> -Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358219
Re: The long tail of ColdFusion fail
> Development servers don't need a secure setup if they're not exposed to untrusted networks.

Obviously we were not talking about development servers in this thread ;-)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358142
RE: The long tail of ColdFusion fail
Exactly.

-----Original Message-----
From: Adam Cameron [mailto:dacc...@gmail.com]
Sent: 26 March 2014 14:27
To: cf-talk
Subject: Re: The long tail of ColdFusion fail

If it only works on localhost *by default*, then this mitigates most of the problem just like that.

--
Adam

On 26 March 2014 14:17, Dave Watts dwa...@figleaf.com wrote:
>> What I mean is that Adobe recommends that CFIDE should be moved to a safer place, but, after several versions, CFIDE is still installed the same way.
>
> Of course it is. If it were somewhere else, you wouldn't be able to administer CF after an out-of-the-box install. It's up to you to understand how web servers and web applications work, and set it up properly after it's installed.
>
> Dave Watts, CTO, Fig Leaf Software
> 1-202-527-9569
> http://www.figleaf.com/
> http://training.figleaf.com/
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358147
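The "only works on localhost" mitigation the message above argues for can be applied at the web server regardless of what the installer does, and it is also the fix for the reverse-proxy setup discussed earlier in the thread. The following is an added example, not configuration from this thread, from Adobe or from the lockdown guide: an nginx server block fronting a ColdFusion host. The backend address 10.0.0.5:8500, the hostname and the list of /CFIDE subdirectories to fence off are assumptions for illustration; check the directories against the lockdown guide for your CF version.

```nginx
# Added example; assumes nginx is the Linux reverse proxy in front of a
# ColdFusion host at 10.0.0.5:8500 (made-up address) and that the CF
# Administrator is still at its default /CFIDE/administrator/ path.
server {
    listen 443 ssl;
    server_name www.example.com;   # assumed
    # ssl_certificate / ssl_certificate_key lines omitted

    # Admin console, admin API, component browser, scheduler: loopback only.
    # '~*' makes the match case-insensitive, which matters because a Windows
    # backend would also serve /cfide/Administrator/.  Regex locations are
    # tested in file order, so this must precede the catch-all below.
    location ~* ^/CFIDE/(administrator|adminapi|componentutils|scheduler)(/|$) {
        allow 127.0.0.1;
        allow ::1;
        deny  all;                 # everyone else gets 403
        proxy_pass http://10.0.0.5:8500;
    }

    # Any other CFML under /CFIDE is not something public visitors need.
    location ~* ^/CFIDE/.*\.(cfm|cfc|cfml)$ {
        deny all;
    }

    location / {
        proxy_pass http://10.0.0.5:8500;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Two caveats a practitioner would check: `allow`/`deny` test the TCP peer address, so if another proxy or load balancer sits in front of nginx the rule must use the real client address (the ngx_http_realip_module) or it will allow nothing or everything; and the rule only helps if the CF host's own port 8500 is not reachable from outside, otherwise the "locked door, open window" problem from the thread applies. A quick external check is `curl -sk -o /dev/null -w '%{http_code}\n' https://www.example.com/CFIDE/administrator/`, which should print 403, while the same request from the proxy host's loopback should reach the login page.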
Re: The long tail of ColdFusion fail
And that direction on how to secure it more exists where exactly? Is it in the install instructions, or only in some obscure document that a person unfamiliar with the need for security might not know about?

On Wed, Mar 26, 2014 at 9:16 AM, DURETTE, STEVEN J sd1...@att.com wrote:
> We can't please everyone and I believe the standard pretty much everywhere is install open with lockdown options and give direction on how to secure it more.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358148
Re: The long tail of ColdFusion fail
On Thu, Mar 27, 2014 at 8:12 PM, Maureen mamamaur...@gmail.com wrote:
> And that direction on how to secure it more exists where exactly? Is it in the install instructions, or only in some obscure document that a person unfamiliar with the need for security might not know about?

So to be clear - there are people installing servers who don't know that security is important? Nothing can help them. I don't know about you - but pretty much *any* tech I use, I know to google "foo security" to see what resources exist for securing the app, install, etc. Number one result for "coldfusion security" was http://www.adobe.com/devnet/coldfusion/security.html

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358149
Re: The long tail of ColdFusion fail
Sadly quite common; sysadmins and hosting companies even do it. The reason is because they think it works in the same way as CGI scripts and is locked down by the same rules that PHP et al. are, which is not the case because it runs as a service, not a process.

Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com

On 28 Mar 2014 01:52, Raymond Camden raymondcam...@gmail.com wrote:
> So to be clear - there are people installing servers who don't know that security is important? Nothing can help them. I don't know about you - but pretty much *any* tech I use, I know to google "foo security" to see what resources exist for securing the app, install, etc. Number one result for "coldfusion security" was http://www.adobe.com/devnet/coldfusion/security.html

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358150
Re: The long tail of ColdFusion fail
Yes Raymond, in the world I live in where I often have to go in and clean up a mess made by inexperienced developers or the client's nerdy nephew, there are people who are unaware that extra server lock down would be necessary. There are also noobs who get hired at web hosting companies who don't know that servers need to be hardened, and install anything that looks shiny without understanding what they are doing. The existence of so many website vulnerabilities due to people who don't know what they are doing installing or supporting servers is proof positive of this.

Paying attention to the requirement to inform these people about the need for extra lock down early in the process would be more effective in solving the problem than Adobe employees and evangelists ignoring the fact that these people exist and doing nothing more than yelling "Rah, Rah, Adobe" as if the company had no place in the solution.

On Thu, Mar 27, 2014 at 6:52 PM, Raymond Camden raymondcam...@gmail.com wrote:
> So to be clear - there are people installing servers who don't know that security is important? Nothing can help them. I don't know about you - but pretty much *any* tech I use, I know to google "foo security" to see what resources exist for securing the app, install, etc. Number one result for "coldfusion security" was http://www.adobe.com/devnet/coldfusion/security.html

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358151
Re: The long tail of ColdFusion fail
Ray,

Yes that is pretty much the case. I spend a lot of my time cleaning up and securing servers that have been left unsecured. It happens all the time. I do more server work than code these days.

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

On Mar 27, 2014, at 8:52 PM, Raymond Camden raymondcam...@gmail.com wrote:
> So to be clear - there are people installing servers who don't know that security is important? Nothing can help them. I don't know about you - but pretty much *any* tech I use, I know to google "foo security" to see what resources exist for securing the app, install, etc. Number one result for "coldfusion security" was http://www.adobe.com/devnet/coldfusion/security.html

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358152
Re: The long tail of ColdFusion fail
> Paying attention to the requirement to inform these people about the need for extra lock down early in the process would be more effective in solving the problem than Adobe employees and evangelists ignoring the fact that these people exist and doing nothing more than yelling

Um... who exactly is ignoring these people? You may argue the CF team should do *more*, but they are not *ignoring* anyone. The Secure Profile was a *big* step to try to help lock things down out of the box. Hiring Pete to write a guide, and hosting it, on *additional* steps was good too imo. Can even more be done - maybe so. I'd like the installer to point to the lock down guide so folks know it exists.

> "Rah, Rah, Adobe" as if the company had no place in the solution.

As if Adobe hasn't at least made an effort - oh wait - they did.

Users must take some responsibility too, Maureen. You can't put it all on Adobe's shoulders here. If you let your nephew install a server and don't bother to double check his work, that is *your* fault, no one else.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358153
Re: The long tail of ColdFusion fail
Ray,

Probably not... Other people should also remember that not everyone spends time online in groups; they are 9 to 5 developers who have a life. These are the people who set these things up, these are the people that aren't being reached. Can more be done? Don't think so.

Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Fri, Mar 28, 2014 at 1:43 PM, Raymond Camden raymondcam...@gmail.com wrote:
>> Paying attention to the requirement to inform these people about the need for extra lock down early in the process would be more effective in solving the problem than Adobe employees and evangelists ignoring the fact that these people exist and doing nothing more than yelling
>
> Um... who exactly is ignoring these people? You may argue the CF team should do *more*, but they are not *ignoring* anyone. The Secure Profile was a *big* step to try to help lock things down out of the box. Hiring Pete to write a guide, and hosting it, on *additional* steps was good too imo. Can even more be done - maybe so. I'd like the installer to point to the lock down guide so folks know it exists.
>
>> "Rah, Rah, Adobe" as if the company had no place in the solution.
>
> As if Adobe hasn't at least made an effort - oh wait - they did.
>
> Users must take some responsibility too, Maureen. You can't put it all on Adobe's shoulders here. If you let your nephew install a server and don't bother to double check his work, that is *your* fault, no one else.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358154
Re: The long tail of ColdFusion fail
If securing your server is considered extra curricular activity - ie stuff you would do at a user group - then your priorities are way out of whack. (I mean "you" in general, not you specifically Andrew. ;)

On Thu, Mar 27, 2014 at 9:46 PM, Andrew Scott andr...@andyscott.id.au wrote:
> Ray,
>
> Probably not... Other people should also remember that not everyone spends time online in groups; they are 9 to 5 developers who have a life. These are the people who set these things up, these are the people that aren't being reached. Can more be done? Don't think so.
>
> Regards,
> Andrew Scott
> WebSite: http://www.andyscott.id.au/
> Google+: http://plus.google.com/113032480415921517411

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358155
Re: The long tail of ColdFusion fail
Honestly if these people are living under their cubicle desk then I have no clue how to get their attention. It's not as if no one is talking about ColdFusion security and certainly not as if the main stream news media is reporting security breaches. If someone chooses to stay uninformed there isn't much anyone can do to wake them up.

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

On Mar 27, 2014, at 9:46 PM, Andrew Scott andr...@andyscott.id.au wrote:
> Ray,
>
> Probably not... Other people should also remember that not everyone spends time online in groups; they are 9 to 5 developers who have a life. These are the people who set these things up, these are the people that aren't being reached. Can more be done? Don't think so.
>
> Regards,
> Andrew Scott
> WebSite: http://www.andyscott.id.au/
> Google+: http://plus.google.com/113032480415921517411

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358156
Re: The long tail of ColdFusion fail
Yeah well I agree Ray, but they are also the people getting cheap VPSs and not securing their servers too. What we can do, I am not sure there is any more than what is being done...

Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Fri, Mar 28, 2014 at 1:54 PM, Raymond Camden raymondcam...@gmail.com wrote:
> If securing your server is considered extra curricular activity - ie stuff you would do at a user group - then your priorities are way out of whack. (I mean "you" in general, not you specifically Andrew. ;)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358157
Re: The long tail of ColdFusion fail
Same... I have in my years been at job interviews with people who have programmed CF for as long as I have, but have never heard of them before the interview.

Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Fri, Mar 28, 2014 at 1:57 PM, Wil Genovese jugg...@trunkful.com wrote:
> Honestly if these people are living under their cubicle desk then I have no clue how to get their attention. It's not as if no one is talking about ColdFusion security and certainly not as if the main stream news media is reporting security breaches. If someone chooses to stay uninformed there isn't much anyone can do to wake them up.
>
> Wil Genovese
> Sr. Web Application Developer/ Systems Administrator
> CF Webtools
> www.cfwebtools.com
> wilg...@trunkful.com
> www.trunkful.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358158
Re: The long tail of ColdFusion fail
Of course users should take responsibility. But corporations have a responsibility to their users to inform them as well. We are all aware that those managing servers SHOULD be knowledgeable and competent, however in the real world, that is not always the case and never will be. So dealing with the worst case scenario is necessary for most of us because ignoring reality doesn't get the job done.

If your mission is to present a good image of the company you work for, you might want to reconsider the attack posture you present here each time someone says anything negative or questions the procedures that Adobe uses. It is not helpful. A much better tactic might be to consider the suggestions for improvement as valuable instead of constantly dismissing them out of hand.

On Thu, Mar 27, 2014 at 7:43 PM, Raymond Camden raymondcam...@gmail.com wrote:
> Users must take some responsibility too, Maureen. You can't put it all on Adobe's shoulders here. If you let your nephew install a server and don't bother to double check his work, that is *your* fault, no one else.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358159
Re: The long tail of ColdFusion fail
Honestly, if you are selling a software product that requires additional lock down after installation, you might could get the attention of those hiding in their cubicle by putting a large notice of such at the beginning of the installation instructions. No one should have to find out about software security issues from CNN.

On Thu, Mar 27, 2014 at 7:57 PM, Wil Genovese jugg...@trunkful.com wrote:
> Honestly if these people are living under their cubicle desk then I have no clue how to get their attention. It's not as if no one is talking about ColdFusion security and certainly not as if the main stream news media is reporting security breaches. If someone chooses to stay uninformed there isn't much anyone can do to wake them up.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358160
Re: The long tail of ColdFusion fail
On Thu, Mar 27, 2014 at 10:09 PM, Maureen mamamaur...@gmail.com wrote:
> Of course users should take responsibility. But corporations have a responsibility to their users to inform them as well. We are all aware that those managing servers SHOULD be knowledgeable and competent, however in the real world, that is not always the case and never will be. So dealing with the worst case scenario is necessary for most of us because ignoring reality doesn't get the job done.

Right - but you said Adobe was ignoring this. Please back your statement up. I said the CF team could possibly do more. But I do not agree that they are ignoring the issue.

> If your mission is to present a good image of the company you work for, you might want to reconsider the attack posture you present here each time someone says anything negative or questions the procedures that Adobe uses. It is not helpful. A much better tactic might be to consider the suggestions for improvement as valuable instead of constantly dismissing them out of hand.

A position that does not agree with you is not one of attack. Also - I do not blindly defend Adobe. I've got a *huge* history of reporting bugs, making suggestions, and generally trying to make CF a better product. If I thought the CF team was perfect then I wouldn't be trying to help improve it.

> On Thu, Mar 27, 2014 at 7:43 PM, Raymond Camden raymondcam...@gmail.com wrote:
>> Users must take some responsibility too, Maureen. You can't put it all on Adobe's shoulders here. If you let your nephew install a server and don't bother to double check his work, that is *your* fault, no one else.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358161
Re: The long tail of ColdFusion fail
As has been explained *multiple* times, there is no one solution (in terms of settings) that will work for everyone. Therefore there must be some position made where the software says, "I'll lock down A and B, but I don't think I can *always* lock C." I *do* think that at the end of the installation, linking to the lock down guide would be useful.

On Thu, Mar 27, 2014 at 10:12 PM, Maureen mamamaur...@gmail.com wrote:
> Honestly, if you are selling a software product that requires additional lock down after installation, you might could get the attention of those hiding in their cubicle by putting a large notice of such at the beginning of the installation instructions. No one should have to find out about software security issues from CNN.
>
> On Thu, Mar 27, 2014 at 7:57 PM, Wil Genovese jugg...@trunkful.com wrote:
>> Honestly if these people are living under their cubicle desk then I have no clue how to get their attention. It's not as if no one is talking about ColdFusion security and certainly not as if the main stream news media is reporting security breaches. If someone chooses to stay uninformed there isn't much anyone can do to wake them up.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358162
Re: The long tail of ColdFusion fail
Only if it was flashing in huge red letters with the BLINK tag. Then again, some will still miss that. :)

On Mar 27, 2014, at 10:16 PM, Raymond Camden raymondcam...@gmail.com wrote:
> I *do* think that at the end of the installation, linking to the lock down guide would be useful.

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358163
Re: The long tail of ColdFusion fail
Don't get me started on the cheap clients, who want to have full control of the server, which means their own. But will not pay for anyone to manage it. Do you know how many jobs I have rejected like that :-)

Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Fri, Mar 28, 2014 at 2:09 PM, Maureen mamamaur...@gmail.com wrote:
> Of course users should take responsibility. But corporations have a responsibility to their users to inform them as well. We are all aware that those managing servers SHOULD be knowledgeable and competent, however in the real world, that is not always the case and never will be. So dealing with the worst case scenario is necessary for most of us because ignoring reality doesn't get the job done.
>
> If your mission is to present a good image of the company you work for, you might want to reconsider the attack posture you present here each time someone says anything negative or questions the procedures that Adobe uses. It is not helpful. A much better tactic might be to consider the suggestions for improvement as valuable instead of constantly dismissing them out of hand.
>
> On Thu, Mar 27, 2014 at 7:43 PM, Raymond Camden raymondcam...@gmail.com wrote:
>> Users must take some responsibility too, Maureen. You can't put it all on Adobe's shoulders here. If you let your nephew install a server and don't bother to double check his work, that is *your* fault, no one else.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358164
Re: The long tail of ColdFusion fail
And how many people have we helped who have updated their CF 10 install, then start asking for help because their cgi scope is broken... Who have not read the message to update their connectors!!

Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Fri, Mar 28, 2014 at 2:18 PM, Wil Genovese jugg...@trunkful.com wrote:
> Only if it was flashing in huge red letters with the BLINK tag. Then again, some will still miss that. :)
>
> On Mar 27, 2014, at 10:16 PM, Raymond Camden raymondcam...@gmail.com wrote:
>> I *do* think that at the end of the installation, linking to the lock down guide would be useful.
>
> Wil Genovese
> Sr. Web Application Developer/ Systems Administrator
> CF Webtools
> www.cfwebtools.com
> wilg...@trunkful.com
> www.trunkful.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358165
Re: The long tail of ColdFusion fail
> CF should install locked down out of the box, there really should be no need to follow a complex lockdown guide to make it secure.

That sounds great in theory, but I don't think it would work well in reality. Whenever you install server software, you are responsible for understanding how it works, and for making tradeoffs between security and functionality. Adobe doesn't know how exactly you're going to use CF, and what tradeoffs you're willing to accept. Those are going to be radically different between various developers and administrators, and even radically different from one project to the next. There's no substitute for basic knowledge here - it's just that simple.

If you really think Adobe is responsible for your server's security, and should be installed locked down out of the box, you must have a different idea of what "locked down" means than I do. Adobe is responsible for vulnerabilities in the CF Administrator, but you are responsible for ensuring that the CF Administrator isn't exposed to untrusted networks. It's a web application, just like any other.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358107
Re: The long tail of ColdFusion fail
And why is it such a pain in the rear to keep CF up to date/patched? What I mean is that Adobe recommends that CFIDE should be moved to a safer place, but, after several versions, CFIDE is still installed the same way.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358108
Re: The long tail of ColdFusion fail
> What I mean is that Adobe recommends that CFIDE should be moved to a safer place, but, after several versions, CFIDE is still installed the same way.

Of course it is. If it were somewhere else, you wouldn't be able to administer CF after an out-of-the-box install. It's up to you to understand how web servers and web applications work, and set it up properly after it's installed.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358110
Re: The long tail of ColdFusion fail
Dave is spot on. If ColdFusion were a complete self contained black box then the suggestion would be valid, but as it relies on an underlying OS, an HTTP server, DBMSs and more, it is the admin's job to manage and understand all of those (and more). The fact that CF deployment and development is easily achieved by less experienced individuals does not mean that less experienced admins should be trusted to keep the server secure.

--- Ben
(Sent from a handheld device)

On Mar 26, 2014, at 10:17 AM, Dave Watts dwa...@figleaf.com wrote:
>> What I mean is that Adobe recommends that CFIDE should be moved to a safer place, but, after several versions, CFIDE is still installed the same way.
>
> Of course it is. If it were somewhere else, you wouldn't be able to administer CF after an out-of-the-box install. It's up to you to understand how web servers and web applications work, and set it up properly after it's installed.
>
> Dave Watts, CTO, Fig Leaf Software

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358111
Re: The long tail of ColdFusion fail
If it only works on localhost *by default*, then this mitigates most of the problem just like that.

-- Adam

On 26 March 2014 14:17, Dave Watts dwa...@figleaf.com wrote:
>> What I mean is that Adobe recommends that CFIDE should be moved to a safer place, but, after several versions, CFIDE is still installed the same way.
>
> Of course it is. If it were somewhere else, you wouldn't be able to administer CF after an out-of-the-box install. It's up to you to understand how web servers and web applications work, and set it up properly after it's installed.
>
> Dave Watts, CTO, Fig Leaf Software

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358112
Re: The long tail of ColdFusion fail
On 26 March 2014 13:57, Dave Watts dwa...@figleaf.com wrote:
>> CF should install locked down out of the box, there really should be no need to follow a complex lockdown guide to make it secure.
>
> [...]
>
> If you really think Adobe is responsible for your server's security, and should be installed locked down out of the box, you must have a different idea of what "locked down" means than I do. Adobe is responsible for vulnerabilities in the CF Administrator, but you are responsible for ensuring that the CF Administrator isn't exposed to untrusted networks. It's a web application, just like any other.

From a system security perspective, the approach is generally the default is *no access*, and then access has to be specifically granted. Adobe has taken the opposite approach simply to make life easy, which has proven to be a foolhardy decision. Repeatedly. For years.

You (and Adobe both) are labouring under some perfect world scenario in which admins actually *do* know what they're doing by default. This simply isn't true. Adobe need to accept reality and deal with it, rather than going "well in the perfect world then [this]". But we actually know it's not a perfect world, so why start the position from there?

-- Adam

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358113
Re: The long tail of ColdFusion fail
> From a system security perspective, the approach is generally the default is *no access*, and then access has to be specifically granted. Adobe has taken the opposite approach simply to make life easy, which has proven to be a foolhardy decision. Repeatedly. For years.

Let me introduce you to my old friend Windows ...

> You (and Adobe both) are labouring under some perfect world scenario in which admins actually *do* know what they're doing by default. This simply isn't true. Adobe need to accept reality and deal with it, rather than going "well in the perfect world then [this]". But we actually know it's not a perfect world, so why start the position from there?

The reality is that, either way, admins need to know what they're doing. In the current case, they need to learn how to secure a web application. Since people use CF to build other web applications, it doesn't seem like a stretch to me to expect them to learn how to secure web applications. In the case where everything's locked down by default, nothing works, and admins need to learn how to remove security to allow access to a web application. I'm not sure I see much difference there. Either way, someone needs to know how web application security works. If you're in the business of building web applications, this is a fundamental part of your job.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358114
Re: The long tail of ColdFusion fail
> If it only works on localhost *by default*, then this mitigates most of the problem just like that.

By default, it works only on a non-standard port, using the built-in web server. And if you check the secure profile box, you can specify allowed IP addresses like localhost at install time.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358115
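The two positions above (Adam's "default is no access, then grant it" and Dave's "the secure profile lets you list allowed IP addresses") describe the same control: an allow-list in front of the CF Administrator path, with deny as the fallback. The script below is an added illustration of that control, written for this thread; it is not ColdFusion's own code, not the Secure Profile, and not from any poster. It implements the allow-list check as a plain function and then replays it over a few constructed access-log lines, so an admin can see after the fact which administrator requests would have been refused under a localhost-only policy. The `/CFIDE/adminapi` prefix is an assumption added here alongside the `/CFIDE/administrator` path the thread mentions; the addresses and log lines are constructed, not captured from any server.

```python
import ipaddress
from urllib.parse import urlsplit

# Paths to gate. /CFIDE/administrator is the one discussed in the thread;
# /CFIDE/adminapi is an assumption added for this example.
ADMIN_PREFIXES = ("/CFIDE/administrator", "/CFIDE/adminapi")

# Default-deny policy: only loopback may reach the administrator. Any
# address not inside one of these networks is refused.
DEFAULT_ALLOW = ("127.0.0.1/32", "::1/128")


def is_admin_path(path):
    """True if the request path falls under a gated prefix (case-insensitive, query ignored)."""
    clean = urlsplit(path).path.lower()
    return any(clean.startswith(prefix.lower()) for prefix in ADMIN_PREFIXES)


def client_allowed(client_ip, allowlist=DEFAULT_ALLOW):
    """Allow-list check: the address must parse and fall inside a listed network."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable client address: deny rather than guess
    return any(ip in ipaddress.ip_network(net, strict=False) for net in allowlist)


def decide(client_ip, path, allowlist=DEFAULT_ALLOW):
    """Verdict for one request: non-admin paths pass through, admin paths need an allow-listed client."""
    if not is_admin_path(path):
        return "allow"
    return "allow" if client_allowed(client_ip, allowlist) else "deny"


# Constructed sample access log (Common Log Format). These lines are made up
# for the example; the public addresses are documentation ranges.
SAMPLE_LOG = """\
127.0.0.1 - - [26/Mar/2014:10:00:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5123
203.0.113.7 - - [26/Mar/2014:10:00:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5123
203.0.113.7 - - [26/Mar/2014:10:00:03 +0000] "GET /index.cfm HTTP/1.1" 200 812
198.51.100.9 - - [26/Mar/2014:10:00:04 +0000] "POST /cfide/adminapi/administrator.cfc?x=1 HTTP/1.1" 200 73
"""


def parse_log_line(line):
    """Pull client address and request path out of a CLF line."""
    client = line.split()[0]
    request = line.split('"')[1]          # e.g. 'GET /index.cfm HTTP/1.1'
    path = request.split()[1]
    return client, path


def audit_log(log_text, allowlist=DEFAULT_ALLOW):
    """Replay a log against the policy; returns (client, path, verdict) per line."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, path = parse_log_line(line)
        results.append((client, path, decide(client, path, allowlist)))
    return results


if __name__ == "__main__":
    for client, path, verdict in audit_log(SAMPLE_LOG):
        print(f"{verdict:5s} {client:15s} {path}")
```

Two of the four constructed requests come out as "deny": the administrator hit from 203.0.113.7 and the adminapi call from 198.51.100.9, both of which a server without the allow-list would have served (the log shows 200). Running a check like this over a real access log is a cheap way to find out whether the administrator has ever been reached from outside the intended range, independent of whatever the installer configured.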
RE: The long tail of ColdFusion fail
I like this analogy... You buy a new Ford Fusion. Ford tells you about how closing the doors and locking it is a security feature. Then, you go park in a high crime area with the car running, keys in the ignition and the doors wide open. So who is responsible when the car gets stolen? (The media would report an issue with Ford door locks.) :)

Steve

-----Original Message-----
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: Wednesday, March 26, 2014 9:57 AM
To: cf-talk
Subject: Re: The long tail of ColdFusion fail

>> CF should install locked down out of the box, there really should be no need to follow a complex lockdown guide to make it secure.
>
> That sounds great in theory, but I don't think it would work well in reality. Whenever you install server software, you are responsible for understanding how it works, and for making tradeoffs between security and functionality. Adobe doesn't know how exactly you're going to use CF, and what tradeoffs you're willing to accept. Those are going to be radically different between various developers and administrators, and even radically different from one project to the next. There's no substitute for basic knowledge here - it's just that simple.
>
> If you really think Adobe is responsible for your server's security, and should be installed locked down out of the box, you must have a different idea of what "locked down" means than I do. Adobe is responsible for vulnerabilities in the CF Administrator, but you are responsible for ensuring that the CF Administrator isn't exposed to untrusted networks. It's a web application, just like any other.
>
> Dave Watts, CTO, Fig Leaf Software

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358117
Re: The long tail of ColdFusion fail
> In the case where everything's locked down by default, nothing works, and admins need to learn how to remove security to allow access to a web application. I'm not sure I see much difference there. Either way, someone needs to know how web application security works. If you're in the business of building web applications, this is a fundamental part of your job.

The difference is that - via the current way - the admin *doesn't* need to know about web security. That's the difference.

-- Adam

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358118
Re: The long tail of ColdFusion fail
> It's up to you to understand how web servers and web applications work, and set it up

My point is that I'm pretty sure everything I've done by hand to move CFIDE/administrator and declare a virtual directory to some special web site could be done by the installer.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358119
Re: The long tail of ColdFusion fail
The doors are locked by default though, aren't they? Plus it's a bit of a false analogy (http://en.wikipedia.org/wiki/False_analogy) anyhow.

On 26 March 2014 14:44, DURETTE, STEVEN J sd1...@att.com wrote:
> I like this analogy... You buy a new Ford Fusion. Ford tells you about how closing the doors and locking it is a security feature. Then, you go park in a high crime area with the car running, keys in the ignition and the doors wide open. So who is responsible when the car gets stolen? (The media would report an issue with Ford door locks.) :)
>
> Steve

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358120
Re: The long tail of ColdFusion fail
On 26 March 2014 14:54, wrote:
>> It's up to you to understand how web servers and web applications work, and set it up
>
> My point is that I'm pretty sure everything I've done by hand to move CFIDE/administrator and declare a virtual directory to some special web site could be done by the installer.

Well quite. And if it's so bloody insecure a thing to do, then *don't do it*. It's daft to facilitate the [potentially dangerous thing], then advise people to not do that. Simply don't bloody do it in the first place!

-- Adam

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358121
Re: The long tail of ColdFusion fail
Dave Watts dwa...@figleaf.com wrote:
> In the case where everything's locked down by default, nothing works, and admins need to learn how to remove security to allow access to a web application.

This reminds me of finding a scientific server where everyone in the department was an administrator. When I asked about why the heck everyone was in the administrators group, the people told me the specialized software wouldn't work if a user wasn't in the administrators group. My assumption was all they needed was access to a temp folder, but I wasn't in the position to go all crazy on them. Hey, but it worked! Academic software developers aren't always concerned with security.

So, I'm not sure locking down initially would help that much since many unaware installers would just undo all the security to make it work. How do other enterprise middleware systems do it?

--
LinkedIn: http://www.linkedin.com/pub/roger-austin/8/a4/60
Twitter: http://twitter.com/RogerTheGeek
Blog: http://RogerTheGeek.wordpress.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358122
Re: The long tail of ColdFusion fail
Sure, the installer could make things simpler, and maybe should. But, that's a double edged sword, make things easier and admins will be even less likely to learn and manage what they really need to.

At the end of the day, whether it is Windows or Apache or your mail server or CF or Java or Oracle or anything else, if you think you can run install and click Next a few times and then ignore a public facing server, you are asking for trouble, and have no one to blame but yourself when it happens.

--- Ben
(Sent from a handheld device)

On Mar 26, 2014, at 10:54 AM, Claude Schnéegans schneeg...@internetique.com wrote:
>> It's up to you to understand how web servers and web applications work, and set it up
>
> My point is that I'm pretty sure everything I've done by hand to move CFIDE/administrator and declare a virtual directory to some special web site could be done by the installer.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358123
RE: The long tail of ColdFusion fail
Actually not really. On the lot you are shown the car, they unlock and open the doors and start the engine. Then you are told you should lock the doors for security. You don't follow the suggestion and your car can be stolen.

When you install CF it is installed in a base format with the equivalent of the doors unlocked and open and the engine running. Adobe then suggests that you use the lockdown guide to secure your server. You don't follow the suggestion and your server can be stolen.

This is not a false analogy because it is comparing the direct actions of the person; the product is not relevant and the actions compared are directly related to the results. It does not state that the car will always be stolen, nor does it state that the server will always be stolen. There is no inference (a person is lazy because their sibling is lazy); it is a direct comparison of the results that occur when the same event happens with two different products and who is really to blame. You can't blame Ford for your direct inaction to what they said and you can't blame Adobe for your inaction when it comes to the lockdown guide.

-----Original Message-----
From: Adam Cameron [mailto:dacc...@gmail.com]
Sent: Wednesday, March 26, 2014 10:55 AM
To: cf-talk
Subject: Re: The long tail of ColdFusion fail

> The doors are locked by default though, aren't they? Plus it's a bit of a false analogy (http://en.wikipedia.org/wiki/False_analogy) anyhow.
>
> On 26 March 2014 14:44, DURETTE, STEVEN J sd1...@att.com wrote:
>> I like this analogy... You buy a new Ford Fusion. Ford tells you about how closing the doors and locking it is a security feature. Then, you go park in a high crime area with the car running, keys in the ignition and the doors wide open. So who is responsible when the car gets stolen? (The media would report an issue with Ford door locks.) :)
>>
>> Steve

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358124
Re: The long tail of ColdFusion fail
> It's daft to facilitate the [potentially dangerous thing]

And I don't know if everyone knows why it was insecure to have the Administrator in a conventional place. I got my server hacked like many of us, and I checked in the logs how the guy had access to the administrator. I discovered that there used to be in the administrator an undocumented function allowing one to enter it BYPASSING the password protection. Apparently the hacker had discovered this function. Very clever indeed from the developers! ;-)

Note: I know it is not a good idea to reveal hacking techniques, but this one is about 4 years old and if there still exist servers unprotected against it, they must have been hacked a long time ago.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358125
Re: The long tail of ColdFusion fail
> ignore a public facing server, you are asking for trouble

We all have public facing applications, including banks, CIA, FBI, etc, simply protected by a password, but we usually do not have undocumented backdoors ;-)

If the CF administrator didn't have this undocumented function allowing to bypass the password, it would have been secure enough the way it was in CFIDE and there would have been no need for the installer to install it anywhere else.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358126