Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Matt Quackenbush

On Wed, Mar 26, 2014 at 5:21 PM, Raymond Camden wrote:

>
> On Wed, Mar 26, 2014 at 3:58 PM, Dave Watts  wrote:
>
> >
> > > Except that in your analogy, it is obvious that one need to open the
> > doors from time to time in order to
> > > be able to use the car.
> > > With CF, there is never a good reason to leave the server unlocked.
> >
> > Sure there is. Development servers don't need a secure setup if
> > they're not exposed to untrusted networks. And it's not as if this is
> > a binary thing: locked vs unlocked. There are different levels of
> > "locked" that are appropriate for different use-cases and
> > environments.
>
>
> Dave, you seem to be implying that there isn't one solution that works for
> everyone magically. Insane.
>


^ in honor of deadpanners everywhere

:D


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358141
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Raymond Camden

On Wed, Mar 26, 2014 at 3:58 PM, Dave Watts  wrote:

>
> > Except that in your analogy, it is obvious that one need to open the
> doors from time to time in order to
> > be able to use the car.
> > With CF, there is never a good reason to leave the server unlocked.
>
> Sure there is. Development servers don't need a secure setup if
> they're not exposed to untrusted networks. And it's not as if this is
> a binary thing: locked vs unlocked. There are different levels of
> "locked" that are appropriate for different use-cases and
> environments.


Dave, you seem to be implying that there isn't one solution that works for
everyone magically. Insane.


-- 
===
Raymond Camden, Web Developer for Adobe

Email : raymondcam...@gmail.com
Blog : www.raymondcamden.com
Twitter: raymondcamden


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358140


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Dave Watts

> Except that in your analogy, it is obvious that one need to open the doors 
> from time to time in order to
> be able to use the car.
> With CF, there is never a good reason to leave the server unlocked.

Sure there is. Development servers don't need a secure setup if
they're not exposed to untrusted networks. And it's not as if this is
a binary thing: locked vs unlocked. There are different levels of
"locked" that are appropriate for different use-cases and
environments.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358139


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Claude Schnéegans

 >>I like this analogy... You buy a new Ford Fusion. Ford tells you about how 
 >>closing the doors and locking it is a security feature.
Then, you go park in a high crime area with the car running, keys in the 
ignition and the doors wide open.

Except that in your analogy, it is obvious that one needs to open the doors from 
time to time in order to be able to use the car.
With CF, there is never a good reason to leave the server unlocked.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358138


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Money Pit

I won't try to re-hash the entirely valid points Dave, Ben and others make
regarding the needed skill set that a server admin should have, nor where
the blame lies if a server is left unprotected/unpatched etc.

Consider this counterpoint:  When a situation like the current one
arises... what do the headlines read?  Is it along the lines of

"Idiots Get What They Deserve"

or is it

"Big Company Screws Up"

Like it or not, ColdFusion's reputation and marketability suffers when such
easy targets of opportunity exist.  The media will never pin the blame
where it belongs, and that oh-so-public blame will hound CF and Adobe for a
long time to come.

Wil's post above looks like a good start with respect to a feature set.
And I would further add that a good feature that may help sales would be
an upgrade installer that tries to harden an existing site along the lines
of the lockdown guide.  Imagine all of the server admins out there that
would buy a CF upgrade they otherwise wouldn't if it let them click
'Continue' to secure their servers.

--m@Robertson--
Janitor, The Robertson Team


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358137


Re: CF session management suddenly not sticking ...

2014-03-26 Thread Money Pit

I recently found the reason we were seeing two sets of cfid and cftoken
cookies.  We had code similar to this running:








Should be a familiar bit of code to everyone - it converts the browser
cookies to session cookies so closing the browser kills the session.  Once
I flipped the setting to shut this off I stopped seeing the second set of
cfid/cftokens (If I had named the domain in the cfcookie statement this may
also have served the same purpose).  However, overall the 'rotating'
sessions no longer seem to be occurring based on user reports etc. so this
was causing no problems currently, and it certainly never caused problems
for many years before the rollover described earlier in this thread.



On Wed, Mar 19, 2014 at 1:58 PM, Nick Gleason wrote:

>
> We finally resolved this issue.
> First, a big thanks as always to everyone who commented and helped us along
> on this thread.
> Second, here is the resolution.  In our case, the problem was some enhanced
> security filters that we put in place recently.  One of the scopes being
> scanned was the cookie scope.  This was working for the most part but would
> result in these sporadic failures which were hard to pinpoint.  The key
> clue was that we realized that the cookie.jsessionid was remaining
> persistent but the session.sessionid variable was not "sticking" - those
> two should be the same.  Once we started focusing more on the cookies, we
> eventually realized what the problem was.
> This issue may not be applicable to others, but if your sessions are
> resetting with every request, you may want to take a closer look at your
> cookies and how they are tied to your sessionid.
> I still don't truly understand how a sessionid could change without a
> change to the underlying cookie, but that appears to be what happened.
> Nick
>
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358136


RE: "The long tail of ColdFusion fail"

2014-03-26 Thread DURETTE, STEVEN J

+ 1

-Original Message-
From: Wil Genovese [mailto:jugg...@trunkful.com] 
Sent: Wednesday, March 26, 2014 12:56 PM
To: cf-talk
Subject: Re: "The long tail of ColdFusion fail"


I'll weigh in on this for a few reasons. One of the servers in the Krebs 
article is one that I was called in to fix. I've had to investigate/fix several 
other breached servers over the past year. All were new to us clients that came 
to us with a breached server. Another reason is that I maintain a large number 
of ColdFusion servers at CF Webtools. Another is that other hosting companies 
contact CF Webtools and myself to assist with ColdFusion server issues.

I am not all that concerned about the exploit. All software has bugs. Adobe 
fixed it pretty quick once it was noticed. Reading David Epler's blog post 
(http://www.dcepler.net/post.cfm/how-patching-coldfusion-8-0-x-made-you-more-vulnerable-in-some-cases-or-fun-with-cve-2013-0632-from-apsb13-03)
 may lead you to think that Adobe didn't do proper testing. But that's not the 
concern here. I know of many properly locked down servers that didn't get 
hacked even though it was attempted.

The concern here is "Who should be responsible for setting up, maintaining and 
securing a public facing server?" 
(http://www.trunkful.com/index.cfm/2014/3/7/Who-Patches-Your-ColdFusion-Servers)
 The short answer is "A qualified systems administrator" and that should be the 
end of the discussion. I don't care if you're installing ColdFusion, Railo, 
PHP, .NET, Ruby, MySQL or any other system. If you are not a systems 
administrator you should not be working on the server. There are no excuses and 
the costs of making a mistake are growing very quickly.

Should the ColdFusion installer do all the things in the lockdown guide for me? 
The answer is mixed. I'd love to see CFIDE split apart so that CFAdmin is 
standalone from the scripts. How Adobe does it is up to them.  Another change 
I'd like to see is during the install is to have the option to pick the user 
account that ColdFusion will run under. This has been an option for the Linux 
installer, but not on Windows. (At least not that I can remember.) The last 
item I'd like to see is during the Secure Profile install is that CFAdmin is 
locked down to localhost by default and the option to add an IP address if 
needed. 

I think these changes would be a huge step in persuading the sysadmin into 
properly securing ColdFusion installations. I know these have been mentioned 
before and during the ColdFusion 10 beta cycle many new security and 
installation changes were made. These were deferred. I'd like to see these 
added this time.

I know some people are going to take issue with requiring systems 
administrators to install and maintain ColdFusion servers. Too bad. I think it 
is obvious now that the costs of not having a qualified systems administrator 
are too high. 

Regards,
Wil



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358135


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Wil Genovese

I’ll weigh in on this for a few reasons. One of the servers in the Krebs 
article is one that I was called in to fix. I’ve had to investigate/fix several 
other breached servers over the past year. All were new to us clients that came 
to us with a breached server. Another reason is that I maintain a large number 
of ColdFusion servers at CF Webtools. Another is that other hosting companies 
contact CF Webtools and myself to assist with ColdFusion server issues.

I am not all that concerned about the exploit. All software has bugs. Adobe 
fixed it pretty quick once it was noticed. Reading David Epler’s blog post 
(http://www.dcepler.net/post.cfm/how-patching-coldfusion-8-0-x-made-you-more-vulnerable-in-some-cases-or-fun-with-cve-2013-0632-from-apsb13-03)
 may lead you to think that Adobe didn’t do proper testing. But that’s not the 
concern here. I know of many properly locked down servers that didn’t get 
hacked even though it was attempted.

The concern here is “Who should be responsible for setting up, maintaining and 
securing a public facing server?” 
(http://www.trunkful.com/index.cfm/2014/3/7/Who-Patches-Your-ColdFusion-Servers)
 The short answer is “A qualified systems administrator” and that should be the 
end of the discussion. I don’t care if you’re installing ColdFusion, Railo, 
PHP, .NET, Ruby, MySQL or any other system. If you are not a systems 
administrator you should not be working on the server. There are no excuses and 
the costs of making a mistake are growing very quickly.

Should the ColdFusion installer do all the things in the lockdown guide for me? 
The answer is mixed. I’d love to see CFIDE split apart so that CFAdmin is 
standalone from the scripts. How Adobe does it is up to them.  Another change 
I’d like to see is during the install is to have the option to pick the user 
account that ColdFusion will run under. This has been an option for the Linux 
installer, but not on Windows. (At least not that I can remember.) The last 
item I’d like to see is during the Secure Profile install is that CFAdmin is 
locked down to localhost by default and the option to add an IP address if 
needed. 

I think these changes would be a huge step in persuading the sysadmin into 
properly securing ColdFusion installations. I know these have been mentioned 
before and during the ColdFusion 10 beta cycle many new security and 
installation changes were made. These were deferred. I’d like to see these 
added this time.

I know some people are going to take issue with requiring systems 
administrators to install and maintain ColdFusion servers. Too bad. I think it 
is obvious now that the costs of not having a qualified systems administrator 
are too high. 

Regards,
Wil



Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

wilg...@trunkful.com
www.trunkful.com

On Mar 26, 2014, at 10:45 AM, Andrew Scott  wrote:

> 
> I agree with Ben and Dave
> 
> There was a point, where I was siding with Adam on this. But Ben you make a
> good point, which I think Dave was trying to get at. SysAdmins by default
> are the type that want to do everything, they need to know what it is they
> have control over. Therefore, if Adobe in this case locked it down, they
> would become too complacent with the product.
> 
> But
> 
> 
> Where Adam is coming from, is that there are a lot more people out there
> developing and maintaining cheap VPS servers for clients, which has been a
> huge push by the Community to some degree when hosting ever pops up. You
> know I feel safer having someone who manages the SysAdmin side of it, than
> rely on my knowledge as a developer.
> 
> The problem is the perception of the younger developers coming up, is just
> that, they expect things to be done for them, in cases like what Adam is
> describing is that it is locked down 100%. Which I think would force these
> younger, newer developers to ColdFusion, to then learn the security of
> ColdFusion if they are forced to begin unlocking what they need.
> 
> Now the question is how would Adobe then begin to cater for both those
> worlds?
> 
> 
> Regards,
> Andrew Scott
> WebSite: http://www.andyscott.id.au/
> Google+:  http://plus.google.com/113032480415921517411
> 
> 
> 
> On Thu, Mar 27, 2014 at 2:12 AM, Ben Forta  wrote:
> 
>> 
>> Sure, the installer could make things simpler, and maybe should. But,
>> that's a double edged sword, make things easier and admins will be even
>> less likely to learn and manage what they really need to. At the end of the
>> day, whether it is Windows or Apache or your mail server or CF or Java or
>> Oracle or anything else, if you think you can run install and click Next a
>> few times and then ignore a public facing server, you are asking for
>> trouble, and have no one to blame but yourself when it happens.
>> 
>> --- Ben
>> 
>> (Sent from a handheld device)
>> 
> 
> 
> 


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Andrew Scott

Well that goes without saying

Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+:  http://plus.google.com/113032480415921517411



On Thu, Mar 27, 2014 at 3:16 AM, DURETTE, STEVEN J  wrote:

>
> How about this issue. You lock down ColdFusion to the max and CFFile is
> completely disabled. The person who did the install now uploads a legacy
> site that uses a lot of cffile tags. Now you have a user who is complaining
> "Adobe broke my code".
>
> We can't please everyone and I believe the standard pretty much everywhere
> is install open with lockdown options and give direction on how to secure
> it more.
>
>


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358133


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Russ Michaels

I think it is that simple, CF can be installed secure or not secure
regardless of someone's understanding of the server or how it works.

That is no different than saying, it is impossible for Windows or Linux to
be installed securely by default, of course they can, and are.

Some of the most basic problems are nothing at all to do with systems
admin, but the way CF itself works. You really only need read the lock down
guide to see this.
Making something insecure by default is simply lazy, not to mention this
attitude has given CF a very bad reputation as a result.
Making an app secure by default, also forces admins to then learn about how
it works if they want to loosen or customize that security, this is a good
thing.

Bare minimum...
cf should be installed using a customer user account and not system, and
that user should only be given permissions on the folders CF requires to
work. During the install it could easily ask you to specify your doc root
where your websites are stored and give permissions on that.
The CFIDE should be secure by default, so it doesn't contain the CFADMIN
and is not mapped to every site by the Web config tool. Cfadmin should only
ever be accessible via a single point.
Each context should be restricted to accessing its own webroot by default
The most dangerous tags/functions (cfregistry, cfexecute) should be
disabled by default.

Sorry but this has always seemed like basic common sense stuff to me since
day 1, even before there was a lock down guide or cf got hacked.






On Wed, Mar 26, 2014 at 1:57 PM, Dave Watts  wrote:

>
> > CF should install locked down out of the box, there really should be no
> > need to follow a complex lockdown guide to make it secure.
>
> That sounds great in theory, but I don't think it would work well in
> reality.
>
> Whenever you install server software, you are responsible for
> understanding how it works, and for making tradeoffs between security
> and functionality. Adobe doesn't know how exactly you're going to use
> CF, and what tradeoffs you're willing to accept. Those are going to be
> radically different between various developers and administrators, and
> even radically different from one project to the next. There's no
> substitute for basic knowledge here - it's just that simple.
>
> If you really think Adobe is responsible for your server's security,
> and should be installed "locked down out of the box", you must have a
> different idea of what locked down means than I do.
>
> Adobe is responsible for vulnerabilities in the CF Administrator, but
> you are responsible for ensuring that the CF Administrator isn't
> exposed to untrusted networks. It's a web application, just like any
> other.
>
> Dave Watts, CTO, Fig Leaf Software
> 1-202-527-9569
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358132
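
An audit for the default that Wil Genovese and Russ Michaels ask for in this thread (CF Administrator reachable from localhost only, plus explicitly added IP addresses), as an added example that is not code from any poster or from Adobe: it scans web-server access-log lines for /CFIDE/administrator requests coming from outside an allowlist. The Apache common/combined log format, the sample lines and every function name here are assumptions constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Loopback only by default; extra admin networks are added explicitly.
DEFAULT_ALLOW = ["127.0.0.0/8", "::1/128"]
ADMIN_PREFIX = "/cfide/administrator"

# Assumed format: Apache common/combined access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})\b'
)


def normalise_path(target):
    """Reduce a request target to a comparable path.

    Drops the query string, decodes percent-escapes once, collapses
    repeated slashes and dot segments, and lower-cases the result,
    because the same directory can be requested under many spellings.
    """
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    path = re.sub(r"/+", "/", path)
    return posixpath.normpath(path).lower()


def is_admin_path(target):
    path = normalise_path(target)
    return path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")


def audit(lines, allow=DEFAULT_ALLOW):
    """Return one finding per Administrator request from a non-allowed IP."""
    nets = [ipaddress.ip_network(n) for n in allow]
    findings = []
    for number, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m or not is_admin_path(m["target"]):
            continue
        try:
            client = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname instead of an address: cannot be judged here
        if any(client in net for net in nets):
            continue
        status = int(m["status"])
        findings.append({
            "line": number,
            "client": str(client),
            "path": normalise_path(m["target"]),
            "status": status,
            # Assumption: any status below 400 means the server answered
            # the request instead of refusing it.
            "served": status < 400,
        })
    return findings


# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '127.0.0.1 - - [26/Mar/2014:10:00:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '203.0.113.7 - - [26/Mar/2014:10:00:05 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '198.51.100.23 - - [26/Mar/2014:10:01:12 +0000] "GET /cfide/Administrator/index.cfm HTTP/1.1" 403 312',
    '203.0.113.7 - - [26/Mar/2014:10:01:30 +0000] "GET /CFIDE/scripts/cfform.js HTTP/1.1" 200 900',
    '192.0.2.10 - - [26/Mar/2014:10:02:44 +0000] "POST //CFIDE/%61dministrator/index.cfm?x=1 HTTP/1.1" 200 100',
    '10.1.2.3 - - [26/Mar/2014:10:03:00 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    # Localhost only, then with one admin network added to the allowlist.
    for allow in (DEFAULT_ALLOW, DEFAULT_ALLOW + ["10.1.2.0/24"]):
        print("allow =", allow)
        for f in audit(SAMPLE_LOG, allow):
            state = "SERVED" if f["served"] else "denied"
            print(f'  line {f["line"]}: {f["client"]} {f["path"]} '
                  f'{f["status"]} {state}')
```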


Re: Strange Error

2014-03-26 Thread Michael van Leest

Might there be a redirect triggered somewhere in your application.cfc?
Sounds to me like some sort of redirect is going on.


2014-03-26 17:26 GMT+01:00 Donnie Carvajal:

>
> I have a ColdFusion template that is used for a form action using post
> method.  The page loads correctly except for my confirmation output and
> displays POST as the CGI.request_method and displays all of the Form fields
> in the debug info and displays all of the queries that are supposed to run;
> however, an error is thrown in the CF error logs indicating that a form
> field is missing.  I turned on my site wide error handler and the email
> message I get for the error is showing the page loaded via GET and there
> are no Form fields.
>
> Has anyone ever experienced this before?
>
> One more oddity that may help solve this, there is a blank template in the
> execution time table and by blank I mean there is nothing in the template
> column for this entry, but it does indicate the count=1 and the total time
> also has a value.
>
> Thanks,
>
> Donnie
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358131


Strange Error

2014-03-26 Thread Donnie Carvajal

I have a ColdFusion template that is used for a form action using post method.  
The page loads correctly except for my confirmation output and displays POST as 
the CGI.request_method and displays all of the Form fields in the debug info 
and displays all of the queries that are supposed to run; however, an error is 
thrown in the CF error logs indicating that a form field is missing.  I turned 
on my site wide error handler and the email message I get for the error is 
showing the page loaded via GET and there are no Form fields.

Has anyone ever experienced this before?

One more oddity that may help solve this, there is a blank template in the 
execution time table and by blank I mean there is nothing in the template 
column for this entry, but it does indicate the count=1 and the total time also 
has a value.

Thanks,

Donnie 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358130


RE: "The long tail of ColdFusion fail"

2014-03-26 Thread DURETTE, STEVEN J

How about this issue. You lock down ColdFusion to the max and CFFile is 
completely disabled. The person who did the install now uploads a legacy site 
that uses a lot of cffile tags. Now you have a user who is complaining "Adobe 
broke my code".

We can't please everyone and I believe the standard pretty much everywhere is 
install open with lockdown options and give direction on how to secure it more.


-Original Message-
From: Andrew Scott [mailto:andr...@andyscott.id.au] 
Sent: Wednesday, March 26, 2014 11:46 AM
To: cf-talk
Subject: Re: "The long tail of ColdFusion fail"


I agree with Ben and Dave

There was a point, where I was siding with Adam on this. But Ben you make a
good point, which I think Dave was trying to get at. SysAdmins by default
are the type that want to do everything, they need to know what it is they
have control over. Therefore, if Adobe in this case locked it down, they
would become too complacent with the product.

But


Where Adam is coming from, is that there are a lot more people out there
developing and maintaining cheap VPS servers for clients, which has been a
huge push by the Community to some degree when hosting ever pops up. You
know I feel safer having someone who manages the SysAdmin side of it, than
rely on my knowledge as a developer.

The problem is the perception of the younger developers coming up, is just
that, they expect things to be done for them, in cases like what Adam is
describing is that it is locked down 100%. Which I think would force these
younger, newer developers to ColdFusion, to then learn the security of
ColdFusion if they are forced to begin unlocking what they need.

Now the question is how would Adobe then begin to cater for both those
worlds?


Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+:  http://plus.google.com/113032480415921517411

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358129


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Andrew Scott

I agree with Ben and Dave

There was a point, where I was siding with Adam on this. But Ben you make a
good point, which I think Dave was trying to get at. SysAdmins by default
are the type that want to do everything, they need to know what it is they
have control over. Therefore, if Adobe in this case locked it down, they
would become too complacent with the product.

But


Where Adam is coming from, is that there are a lot more people out there
developing and maintaining cheap VPS servers for clients, which has been a
huge push by the Community to some degree when hosting ever pops up. You
know I feel safer having someone who manages the SysAdmin side of it, than
rely on my knowledge as a developer.

The problem is the perception of the younger developers coming up, is just
that, they expect things to be done for them, in cases like what Adam is
describing is that it is locked down 100%. Which I think would force these
younger, newer developers to ColdFusion, to then learn the security of
ColdFusion if they are forced to begin unlocking what they need.

Now the question is how would Adobe then begin to cater for both those
worlds?


Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+:  http://plus.google.com/113032480415921517411



On Thu, Mar 27, 2014 at 2:12 AM, Ben Forta  wrote:

>
> Sure, the installer could make things simpler, and maybe should. But,
> that's a double edged sword, make things easier and admins will be even
> less likely to learn and manage what they really need to. At the end of the
> day, whether it is Windows or Apache or your mail server or CF or Java or
> Oracle or anything else, if you think you can run install and click Next a
> few times and then ignore a public facing server, you are asking for
> trouble, and have no one to blame but yourself when it happens.
>
> --- Ben
>
> (Sent from a handheld device)
>


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358128


Re: Quick Survey

2014-03-26 Thread Bobby

*Throws keyboard in the air and gives ‘programming’ the finger while
walking away*


On 3/26/14, 9:20 AM, "Phillip Vector"  wrote:

>
>To show how things can be twisted...
>
>"poll does not count / quantify people who're choosing not to learn a new
>language at this time."
>
>So it doesn't count people who are giving up programming altogether. :)
>
>
>On Wed, Mar 26, 2014 at 5:55 AM, Robert Harrison
>> wrote:
>
>>
>> > @Robert Did you looked into Railo? If clients don't want to use Adobe
>> Coldfusion due to the recent bad news, I've been recently able to sell
>> Railo to them instead.
>>
>> It's not recent bad news that caused this.  It's been a long slow
>>decline
>> that Adobe has failed to address with any marketing or rebranding
>> initiatives.  The perception of the technology, the limitations and
>>costs
>> of available hosts, the limited number of developers, and the facts
>>that no
>> IT departments (that I know of) teach ColdFusion as part of their
>> curriculum is the issue. Adobe could have long since addressed all of
>>these
>> issues.
>>
>>
>> Robert Harrison
>> Director of Interactive Services
>>
>> Austin & Williams
>> Advertising I Branding I Digital I Direct
>> 125 Kennedy Drive,  Suite 100   I  Hauppauge, NY 11788
>> T 631.231.6600 X 119   F 631.434.7022
>> http://www.austin-williams.com
>>
>> Blog:  http://www.austin-williams.com/blog
>> Twitter:  http://www.twitter.com/austin_wi
>>
>> 
>
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358127


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Claude Schnéegans

 >> ignore a public facing server, you are asking for trouble

We all have public facing applications, including banks, CIA, FBI, etc, simply 
protected by a password, but we usually do not have undocumented backdoors ;-)
If the CF administrator didn't have this undocumented function allowing to 
bypass the password, it would have been secure enough the way it was in CFIDE 
and there would have been no need for the installer to install it anywhere else.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358126


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Claude Schnéegans

>>It's daft to facilitate the [potentially dangerous thing]

And I don't know if everyone knows why it was insecure to have the 
Administrator in a conventional place.
I got my server hacked like many of us, and I checked in the logs how the guy 
had access to the administrator.
I discovered that there used to be in the administrator an undocumented 
function allowing to enter in it BYPASSING the password protection. Apparently 
the hacker has discovered this function.
Very clever indeed from the developers! ;-)

Note: I know it is not a good idea to reveal hacking techniques, but this one 
is about 4 years old and if there still exist servers unprotected against it, 
they must have been hacked a long time ago.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358125


RE: "The long tail of ColdFusion fail"

2014-03-26 Thread DURETTE, STEVEN J

Actually not really. 

On the lot you are shown the car they unlock and open the doors and start the 
engine. Then you are told you should lock the doors for security. You don't 
follow the suggestion and your car can be stolen.

When you install CF it is installed in a base format with the equivalent of the 
doors unlocked and open and the engine running.  Adobe then suggests that you 
use the lockdown guide to secure your server. You don't follow the suggestion 
and your server can be stolen.

This is not a false analogy because it is comparing the direct actions of the 
person, the product is not relevant and the actions compared are directly 
related to the results. It does not state that the car will always be stolen, 
nor does it state that the server will always be stolen.  There is no inference 
(a person is lazy because their sibling is lazy), it is a direct comparison of 
the results that occur when the same event happens with two different products 
and who is really to blame. You can't blame Ford for your direct inaction to 
what they said and you can't blame Adobe for your inaction when it comes to the 
lockdown guide.



-Original Message-
From: Adam Cameron [mailto:dacc...@gmail.com] 
Sent: Wednesday, March 26, 2014 10:55 AM
To: cf-talk
Subject: Re: "The long tail of ColdFusion fail"


The doors are locked by default though, aren't they?

Plus it's a bit of a false analogy anyhow.


On 26 March 2014 14:44, DURETTE, STEVEN J  wrote:

>
> I like this analogy... You buy a new Ford Fusion. Ford tells you about how
> closing the doors and locking it is a security feature.
> Then, you go park in a high crime area with the car running, keys in the
> ignition and the doors wide open.
>
> So who is responsible when the car gets stolen?
>
> (The media would report an issue with Ford door locks.)  :)
>
> Steve
>




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358124


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Ben Forta

Sure, the installer could make things simpler, and maybe should. But, that's a 
double edged sword, make things easier and admins will be even less likely to 
learn and manage what they really need to. At the end of the day, whether it is 
Windows or Apache or your mail server or CF or Java or Oracle or anything else, 
if you think you can run install and click Next a few times and then ignore a 
public facing server, you are asking for trouble, and have no one to blame but 
yourself when it happens.

--- Ben

(Sent from a handheld device)

> On Mar 26, 2014, at 10:54 AM, Claude Schnéegans  
> wrote:
> 
> 
>>> It's up to you to understand how web servers and web applications work, and 
>>> set it up
> 
> My point is that I'm pretty sure everything I've done by hand to move 
> CFIDE/administrator and declare a virtual directory to some special web site 
> could be done by the installer.
> 
> 
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358123


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Roger Austin

 Dave Watts  wrote: 
> In the case where everything's locked down by default, nothing works,
> and admins need to learn how to remove security to allow access to a
> web application.

This reminds me of finding a scientific server where everyone in the department 
was an administrator. When I asked about why the heck everyone was in the 
administrators group, the people told me the specialized software wouldn't work 
if a user wasn't in the administrators group. My assumption was all they needed 
was access to a temp folder, but I wasn't in the position to go all crazy on 
them. Hey, but it worked! Academic software developers aren't always concerned 
with security.

So, I'm not sure locking down initially would help that much since many unaware 
installers would just undo all the security to make it work. How do other 
enterprise middleware systems do it?

-- 
LinkedIn: http://www.linkedin.com/pub/roger-austin/8/a4/60 
Twitter:  http://twitter.com/RogerTheGeek 
Blog:  http://RogerTheGeek.wordpress.com/


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358122


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Adam Cameron

On 26 March 2014 14:54, <> wrote:

>
>  >>It's up to you to understand how web servers and web applications work,
> and set it up
>
> My point is that I'm pretty sure everything I've done by hand to move
> CFIDE/administrator and declare a virtual directory to some special web
> site could be done by the installer.
>

Well quite. And if it's so bloody insecure a thing to do, then *don't do it*.

It's daft to facilitate the [potentially dangerous thing], then advise
people to not do that. Simply don't bloody do it in the first place!

-- 
Adam


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358121


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Adam Cameron

The doors are locked by default though, aren't they?

Plus it's a bit of a false analogy anyhow.


On 26 March 2014 14:44, DURETTE, STEVEN J  wrote:

>
> I like this analogy... You buy a new Ford Fusion. Ford tells you about how
> closing the doors and locking it is a security feature.
> Then, you go park in a high crime area with the car running, keys in the
> ignition and the doors wide open.
>
> So who is responsible when the car gets stolen?
>
> (The media would report an issue with Ford door locks.)  :)
>
> Steve
>


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358120


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Claude Schnéegans

 >>It's up to you to understand how web servers and web applications work, and 
 >>set it up

My point is that I'm pretty sure everything I've done by hand to move 
CFIDE/administrator and declare a virtual directory to some special web site 
could be done by the installer.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358119


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Adam Cameron

>
>
> In the case where everything's locked down by default, nothing works,
> and admins need to learn how to remove security to allow access to a
> web application.
>
> I'm not sure I see much difference there. Either way, someone needs to
> know how web application security works. If you're in the business of
> building web applications, this is a fundamental part of your job.
>

The difference is that - via the current way - the admin *doesn't* need to
know about web security. That's the difference.

-- 
Adam


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358118


RE: "The long tail of ColdFusion fail"

2014-03-26 Thread DURETTE, STEVEN J

I like this analogy... You buy a new Ford Fusion. Ford tells you about how 
closing the doors and locking it is a security feature. 
Then, you go park in a high crime area with the car running, keys in the 
ignition and the doors wide open. 

So who is responsible when the car gets stolen?

(The media would report an issue with Ford door locks.)  :)

Steve


-Original Message-
From: Dave Watts [mailto:dwa...@figleaf.com] 
Sent: Wednesday, March 26, 2014 9:57 AM
To: cf-talk
Subject: Re: "The long tail of ColdFusion fail"


> CF should install locked down out of the box, there really should be no
> need to follow a complex lockdown guide to make it secure.

That sounds great in theory, but I don't think it would work well in reality.

Whenever you install server software, you are responsible for
understanding how it works, and for making tradeoffs between security
and functionality. Adobe doesn't know how exactly you're going to use
CF, and what tradeoffs you're willing to accept. Those are going to be
radically different between various developers and administrators, and
even radically different from one project to the next. There's no
substitute for basic knowledge here - it's just that simple.

If you really think Adobe is responsible for your server's security,
and should be installed "locked down out of the box", you must have a
different idea of what locked down means than I do.

Adobe is responsible for vulnerabilities in the CF Administrator, but
you are responsible for ensuring that the CF Administrator isn't
exposed to untrusted networks. It's a web application, just like any
other.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358117


Re: Quick Survey

2014-03-26 Thread John M Bliss

Correct.


On Wed, Mar 26, 2014 at 9:20 AM, Phillip Vector
wrote:

>
> To show how things can be twisted...
>
> "poll does not count / quantify people who're choosing not to learn a new
> language at this time."
>
> So it doesn't count people who are giving up programming altogether. :)
>
>
> On Wed, Mar 26, 2014 at 5:55 AM, Robert Harrison <
> rob...@austin-williams.com
> > wrote:
>
> >
> > > @Robert Did you look into Railo? If clients don't want to use Adobe
> > > Coldfusion due to the recent bad news, I've been recently able to sell
> > > Railo to them instead.
> >
> > It's not recent bad news that caused this.  It's been a long slow decline
> > that Adobe has failed to address with any marketing or rebranding
> > initiatives.  The perception of the technology, the limitations and costs
> > of available hosts, the limited number of developers, and the fact that no
> > IT departments (that I know of) teach ColdFusion as part of their
> > curriculum is the issue. Adobe could have long since addressed all of these
> > issues.
> >
> >
> > Robert Harrison
> > Director of Interactive Services
> >
> > Austin & Williams
> > Advertising I Branding I Digital I Direct
> > 125 Kennedy Drive,  Suite 100   I  Hauppauge, NY 11788
> > T 631.231.6600 X 119   F 631.434.7022
> > http://www.austin-williams.com
> >
> > Blog:  http://www.austin-williams.com/blog
> > Twitter:  http://www.twitter.com/austin_wi
> >
> >
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358116


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Dave Watts

> If it only works on localhost *by default*, then this mitigates most of the
> problem just like that.

By default, it works only on a non-standard port, using the built-in
web server. And if you check the "secure profile" box, you can specify
allowed IP addresses like localhost at install time.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358115
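
Added example (not part of the thread, and not Adobe's or any poster's code): a log check for the point discussed above, that the CF Administrator should only be reachable from allowed addresses. It scans access-log lines for requests under /CFIDE/administrator from clients outside an allowlist; the allowlist, the common log format and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: the only networks that should ever reach the Administrator.
ALLOWED_NETS = [ipaddress.ip_network(n)
                for n in ("127.0.0.0/8", "::1/128", "10.20.0.0/24")]

# Path named in the thread, compared in lower case because Windows/IIS
# hosts serve /cfide/ and /CFIDE/ alike.
ADMIN_PREFIX = "/cfide/administrator"

# Common log format: client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
10.20.0.15 - - [26/Mar/2014:09:01:12 -0400] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [26/Mar/2014:09:02:40 -0400] "GET /cfide/Administrator/index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [26/Mar/2014:09:02:41 -0400] "POST /CFIDE//administrator/./index.cfm HTTP/1.1" 302 0
198.51.100.23 - - [26/Mar/2014:09:05:03 -0400] "GET /%43FIDE/administrator/ HTTP/1.1" 403 199
198.51.100.23 - - [26/Mar/2014:09:05:09 -0400] "GET /index.cfm?page=/CFIDE/administrator HTTP/1.1" 200 812
127.0.0.1 - - [26/Mar/2014:09:06:00 -0400] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
"""


def normalize_path(target):
    """Reduce a request target to a canonical lower-case path."""
    # Drop query string and fragment: only the path decides what is served.
    path = target.split("?", 1)[0].split("#", 1)[0]
    # Decode twice so that double-encoded characters are also resolved.
    for _ in range(2):
        path = unquote(path)
    path = path.replace("\\", "/")
    # Collapse "//", "/./" and "/../" so spelling variants compare equal.
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def is_admin_path(path):
    """True for the Administrator directory itself or anything below it."""
    return path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")


def is_allowed(ip_text):
    """True if the client address lies inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable client field: treat as untrusted
    return any(addr in net for net in ALLOWED_NETS)


def find_external_admin_hits(lines):
    """Map each non-allowlisted client to its Administrator requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        path = normalize_path(m["target"])
        if is_admin_path(path) and not is_allowed(m["ip"]):
            hits[m["ip"]].append(
                (m["ts"], m["method"], path, int(m["status"])))
    return dict(hits)


def summarize(hits):
    """Per client: total requests and how many the server did not refuse."""
    return {
        ip: {
            "requests": len(rows),
            # A status below 400 means the server answered the request
            # instead of rejecting it.
            "not_blocked": sum(1 for row in rows if row[3] < 400),
        }
        for ip, rows in hits.items()
    }


if __name__ == "__main__":
    found = find_external_admin_hits(SAMPLE_LOG.splitlines())
    for ip, counts in summarize(found).items():
        print(ip, counts)
```

Any client with a non-zero `not_blocked` count reached the Administrator from outside the allowlist, which means the web-server or firewall restriction is not in effect for that path.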


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Dave Watts

> From a system security perspective, the approach is generally the default
> is *no access*, and then access has to be specifically granted.
>
> Adobe has taken the opposite approach simply to make life easy, which has
> proven to be a foolhardy decision. Repeatedly. For years.

Let me introduce you to my old friend Windows ...

> You (and Adobe both) are labouring under some "perfect world" scenario in
> which admins actually *do* know what they're doing by default. This simply
> isn't true. Adobe need to accept reality and deal with it, rather than
> going "well in the perfect world then [this]". But we actually know it's not
> a perfect world, so why start the position from there?

The reality is that, either way, admins need to know what they're
doing. In the current case, they need to learn how to secure a web
application. Since people use CF to build other web applications, it
doesn't seem like a stretch to me to expect them to learn how to
secure web applications.

In the case where everything's locked down by default, nothing works,
and admins need to learn how to remove security to allow access to a
web application.

I'm not sure I see much difference there. Either way, someone needs to
know how web application security works. If you're in the business of
building web applications, this is a fundamental part of your job.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358114


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Adam Cameron

On 26 March 2014 13:57, Dave Watts  wrote:

>
> > CF should install locked down out of the box, there really should be no
> > need to follow a complex lockdown guide to make it secure.
>
> [...]
>
> If you really think Adobe is responsible for your server's security,
> and should be installed "locked down out of the box", you must have a
> different idea of what locked down means than I do.
>
> Adobe is responsible for vulnerabilities in the CF Administrator, but
> you are responsible for ensuring that the CF Administrator isn't
> exposed to untrusted networks. It's a web application, just like any
> other.
>

From a system security perspective, the approach is generally the default
is *no access*, and then access has to be specifically granted.

Adobe has taken the opposite approach simply to make life easy, which has
proven to be a foolhardy decision. Repeatedly. For years.

You (and Adobe both) are labouring under some "perfect world" scenario in
which admins actually *do* know what they're doing by default. This simply
isn't true. Adobe need to accept reality and deal with it, rather than
going "well in the perfect world then [this]". But we actually know it's not
a perfect world, so why start the position from there?

-- 
Adam


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358113


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Adam Cameron

If it only works on localhost *by default*, then this mitigates most of the
problem just like that.

-- 
Adam


On 26 March 2014 14:17, Dave Watts  wrote:

>
> > What I mean is that Adobe recommends that CFIDE should be moved to a
> > safer place, but, after several
> > versions, CFIDE is still installed the same way.
>
> Of course it is. If it were somewhere else, you wouldn't be able to
> administer CF after an out-of-the-box install. It's up to you to
> understand how web servers and web applications work, and set it up
> properly after it's installed.
>
> Dave Watts, CTO, Fig Leaf Software
> 1-202-527-9569
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358112


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Ben Forta

Dave is spot on. If ColdFusion were a complete self contained black box then 
the suggestion would be valid, but as it relies on an underlying OS, an HTTP 
server, DBMSs and more, it is the admin's job to manage and understand all of 
those (and more). The fact that CF deployment and development is easily 
achieved by less experienced individuals does not mean that less experienced 
admins should be trusted to keep the server secure.

--- Ben

(Sent from a handheld device)

> On Mar 26, 2014, at 10:17 AM, Dave Watts  wrote:
> 
> 
>> What I mean is that Adobe recommends that CFIDE should be moved to a safer 
>> place, but, after several
>> versions, CFIDE is still installed the same way.
> 
> Of course it is. If it were somewhere else, you wouldn't be able to
> administer CF after an out-of-the-box install. It's up to you to
> understand how web servers and web applications work, and set it up
> properly after it's installed.
> 
> Dave Watts, CTO, Fig Leaf Software
> 1-202-527-9569
> http://www.figleaf.com/
> http://training.figleaf.com/
> 
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.
> 
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358111


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Dave Watts

> What I mean is that Adobe recommends that CFIDE should be moved to a safer 
> place, but, after several
> versions, CFIDE is still installed the same way.

Of course it is. If it were somewhere else, you wouldn't be able to
administer CF after an out-of-the-box install. It's up to you to
understand how web servers and web applications work, and set it up
properly after it's installed.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358110


Re: returnformat

2014-03-26 Thread Raymond Camden

Both URL and Form args sent to a CFC method are passed to the arguments
scope. Have you tried simply checking arguments.returnformat?

Also, if your method is meant to export JSON only, you could just force it -

url.returnformat="json";



On Wed, Mar 26, 2014 at 8:45 AM, Byron Mann  wrote:

>
> Your jQuery plugin is exactly what I want to do.  Thanks for that.
>
> Still would be neat to know if there is another way to access the runtime
> value of returnformat other than the url scope.  Just a curiosity thing at
> this point.
>
> Byron Mann
> Lead Engineer & Architect
> HostMySite.com
>
>
> On Wed, Mar 26, 2014 at 9:20 AM, Steve 'Cutter' Blades <
> cold.fus...@cutterscrossing.com> wrote:
>
> >
> > Byron,
> >
> > What is it, exactly, that you're trying to do? CF Splendor (in beta now)
> > allows for custom serializers, as well as the more "standard" name/value
> > record pairings many client side apps need. I'm doing these conversions
> > client-side now, with my serializeCFJSON jQuery plugin
> > (https://github.com/cutterbl/serializeCFJSON).
> >
> > Steve 'Cutter' Blades
> > Adobe Community Professional
> > Adobe Certified Expert
> > Advanced Macromedia ColdFusion MX 7 Developer
> > 
> > http://cutterscrossing.com
> >
> >
> > Co-Author "Learning Ext JS 3.2" Packt Publishing 2010
> >
> >
> > https://www.packtpub.com/learning-ext-js-3-2-for-building-dynamic-desktop-style-user-interfaces/book
> >
> > "The best way to predict the future is to help create it"
> >
> > On 3/26/2014 8:12 AM, Byron Mann wrote:
> > > Is there a better way to determine the return format inside an executing
> > > CFC method?
> > >
> > > Right now, I'm checking for url.returnformat exists and that == to "json".
> > >
> > > Basically I want to overload an existing method that currently returns a
> > > query and return a different json format for the query than just
> > > serializing the result set.
> > >
> > > Byron Mann
> > > Lead Engineer & Architect
> > > HostMySite.com
> > >
> > >
> > >
> >
> >
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358109


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Claude Schnéegans

 >>And why is it such a pain in the rear to keep CF up to date/patched?

What I mean is that Adobe recommends that CFIDE should be moved to a safer 
place, but, after several versions, CFIDE is still installed the same way.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358108


Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Dave Watts

> CF should install locked down out of the box, there really should be no
> need to follow a complex lockdown guide to make it secure.

That sounds great in theory, but I don't think it would work well in reality.

Whenever you install server software, you are responsible for
understanding how it works, and for making tradeoffs between security
and functionality. Adobe doesn't know how exactly you're going to use
CF, and what tradeoffs you're willing to accept. Those are going to be
radically different between various developers and administrators, and
even radically different from one project to the next. There's no
substitute for basic knowledge here - it's just that simple.

If you really think Adobe is responsible for your server's security,
and should be installed "locked down out of the box", you must have a
different idea of what locked down means than I do.

Adobe is responsible for vulnerabilities in the CF Administrator, but
you are responsible for ensuring that the CF Administrator isn't
exposed to untrusted networks. It's a web application, just like any
other.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358107


Re: returnformat

2014-03-26 Thread Byron Mann

Your jQuery plugin is exactly what I want to do.  Thanks for that.

Still would be neat to know if there is another way to access the runtime
value of returnformat other than the url scope.  Just a curiosity thing at
this point.

Byron Mann
Lead Engineer & Architect
HostMySite.com


On Wed, Mar 26, 2014 at 9:20 AM, Steve 'Cutter' Blades <
cold.fus...@cutterscrossing.com> wrote:

>
> Byron,
>
> What is it, exactly, that you're trying to do? CF Splendor (in beta now)
> allows for custom serializers, as well as the more "standard" name/value
> record pairings many client side apps need. I'm doing these conversions
> client-side now, with my serializeCFJSON jQuery plugin
> (https://github.com/cutterbl/serializeCFJSON).
>
> Steve 'Cutter' Blades
> Adobe Community Professional
> Adobe Certified Expert
> Advanced Macromedia ColdFusion MX 7 Developer
> 
> http://cutterscrossing.com
>
>
> Co-Author "Learning Ext JS 3.2" Packt Publishing 2010
>
> https://www.packtpub.com/learning-ext-js-3-2-for-building-dynamic-desktop-style-user-interfaces/book
>
> "The best way to predict the future is to help create it"
>
> On 3/26/2014 8:12 AM, Byron Mann wrote:
> > Is there a better way to determine the return format inside an executing
> > CFC method?
> >
> > Right now, I'm checking for url.returnformat exists and that == to "json".
> >
> > Basically I want to overload an existing method that currently returns a
> > query and return a different json format for the query than just
> > serializing the result set.
> >
> > Byron Mann
> > Lead Engineer & Architect
> > HostMySite.com
> >
> >
> >
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358106


Re: returnformat

2014-03-26 Thread Steve 'Cutter' Blades

Byron,

What is it, exactly, that you're trying to do? CF Splendor (in beta now) 
allows for custom serializers, as well as the more "standard" name/value 
record pairings many client side apps need. I'm doing these conversions 
client-side now, with my serializeCFJSON jQuery plugin 
(https://github.com/cutterbl/serializeCFJSON).

Steve 'Cutter' Blades
Adobe Community Professional
Adobe Certified Expert
Advanced Macromedia ColdFusion MX 7 Developer

http://cutterscrossing.com


Co-Author "Learning Ext JS 3.2" Packt Publishing 2010
https://www.packtpub.com/learning-ext-js-3-2-for-building-dynamic-desktop-style-user-interfaces/book

"The best way to predict the future is to help create it"

On 3/26/2014 8:12 AM, Byron Mann wrote:
> Is there a better way to determine the return format inside an executing
> CFC method?
>
> Right now, I'm checking for url.returnformat exists and that == to "json".
>
> Basically I want to overload an existing method that currently returns a
> query and return a different json format for the query than just
> serializing the result set.
>
> Byron Mann
> Lead Engineer & Architect
> HostMySite.com
>
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358105


Re: Quick Survey

2014-03-26 Thread Phillip Vector

To show how things can be twisted...

"poll does not count / quantify people who're choosing not to learn a new
language at this time."

So it doesn't count people who are giving up programming altogether. :)


On Wed, Mar 26, 2014 at 5:55 AM, Robert Harrison  wrote:

>
> > @Robert Did you look into Railo? If clients don't want to use Adobe
> > Coldfusion due to the recent bad news, I've been recently able to sell
> > Railo to them instead.
>
> It's not recent bad news that caused this.  It's been a long slow decline
> that Adobe has failed to address with any marketing or rebranding
> initiatives.  The perception of the technology, the limitations and costs
> of available hosts, the limited number of developers, and the fact that no
> IT departments (that I know of) teach ColdFusion as part of their
> curriculum is the issue. Adobe could have long since addressed all of these
> issues.
>
>
> Robert Harrison
> Director of Interactive Services
>
> Austin & Williams
> Advertising I Branding I Digital I Direct
> 125 Kennedy Drive,  Suite 100   I  Hauppauge, NY 11788
> T 631.231.6600 X 119   F 631.434.7022
> http://www.austin-williams.com
>
> Blog:  http://www.austin-williams.com/blog
> Twitter:  http://www.twitter.com/austin_wi
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358104


returnformat

2014-03-26 Thread Byron Mann

Is there a better way to determine the return format inside an executing
CFC method?

Right now, I'm checking that url.returnformat exists and that it == "json".

Basically I want to overload an existing method that currently returns a
query and return a different json format for the query than just
serializing the result set.

Byron Mann
Lead Engineer & Architect
HostMySite.com


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358103


RE: Quick Survey

2014-03-26 Thread Robert Harrison

> @Robert Did you look into Railo? If clients don't want to use Adobe 
> Coldfusion due to the recent bad news, I've been recently able to sell Railo 
> to them instead.

It's not recent bad news that caused this.  It's been a long slow decline that 
Adobe has failed to address with any marketing or rebranding initiatives.  The 
perception of the technology, the limitations and costs of available hosts, the 
limited number of developers, and the facts that no IT departments (that I know 
of) teach ColdFusion as part of their curriculum is the issue. Adobe could have 
long since addressed all of these issues.  


Robert Harrison 
Director of Interactive Services

Austin & Williams
Advertising I Branding I Digital I Direct  
125 Kennedy Drive,  Suite 100   I  Hauppauge, NY 11788
T 631.231.6600 X 119   F 631.434.7022   
http://www.austin-williams.com

Blog:  http://www.austin-williams.com/blog
Twitter:  http://www.twitter.com/austin_wi

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358102


Re: Quick Survey

2014-03-26 Thread Michael van Leest

@Robert Did you look into Railo? If clients don't want to use Adobe
Coldfusion due to the recent bad news, I've been recently able to sell
Railo to them instead.


2014-03-26 13:40 GMT+01:00 Robert Harrison :

>
> I'd love to stick with CF as I've used it successfully to solve almost
> every client request that's ever been asked... and some of them have been
> very complex and convoluted. However, with Adobe's lack of support and
> marketing CF has become too hard of a sell...  we're moving to PHP now.
>
>
> Robert Harrison
> Director of Interactive Services
>
> Austin & Williams
> Advertising I Branding I Digital I Direct
> 125 Kennedy Drive,  Suite 100   I  Hauppauge, NY 11788
> T 631.231.6600 X 119   F 631.434.7022
> http://www.austin-williams.com
>
> Blog:  http://www.austin-williams.com/blog
> Twitter:  http://www.twitter.com/austin_williams
>
> -Original Message-
> From: John M Bliss [mailto:bliss.j...@gmail.com]
> Sent: Tuesday, March 25, 2014 10:51 PM
> To: cf-talk
> Subject: Re: Quick
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358101


RE: Quick Survey

2014-03-26 Thread Robert Harrison

> It wasn't - but the frustration wasn't towards you at all - just the general 
> tiredness of it happening here so often.

If others are like me they don't want to see CF die.  For me, responding to 
these posts has always been in the hopes Adobe monitors this list and would 
hear the cries of their loyal fans... but alas, Adobe has been mute and has 
fallen short. 

Robert Harrison 
Director of Interactive Services

Austin & Williams
Advertising I Branding I Digital I Direct  
125 Kennedy Drive,  Suite 100   I  Hauppauge, NY 11788
T 631.231.6600 X 119   F 631.434.7022   
http://www.austin-williams.com

Blog:  http://www.austin-williams.com/blog
Twitter:  http://www.twitter.com/austin_

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358100


RE: Quick Survey

2014-03-26 Thread Robert Harrison

I'd love to stick with CF as I've used it successfully to solve almost every 
client request that's ever been asked... and some of them have been very 
complex and convoluted. However, with Adobe's lack of support and marketing CF 
has become too hard of a sell...  we're moving to PHP now.


Robert Harrison 
Director of Interactive Services

Austin & Williams
Advertising I Branding I Digital I Direct  
125 Kennedy Drive,  Suite 100   I  Hauppauge, NY 11788
T 631.231.6600 X 119   F 631.434.7022   
http://www.austin-williams.com

Blog:  http://www.austin-williams.com/blog
Twitter:  http://www.twitter.com/austin_williams 

-Original Message-
From: John M Bliss [mailto:bliss.j...@gmail.com] 
Sent: Tuesday, March 25, 2014 10:51 PM
To: cf-talk
Subject: Re: Quick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358099


Re: Quick Survey

2014-03-26 Thread John M Bliss

Survey allows for picking multiple answers.


On Wed, Mar 26, 2014 at 8:36 AM, Roger Austin  wrote:

> Surveys are interesting, but caution must be used in looking at the
> results. A lot of the analysis on what to learn depends on the developer's
> background, location, industry, age, etc. For example, someone nearing
> retirement would look at it differently than a 30 year old person. Someone
> in RTP, SV, NYC, Austin, or Boston would look at it differently than
> someone in Montana or Tulsa. If all you know is web development the answer
> might be different than someone with a deep CS education.
>
> I guess if I had to pick one, I would move to Python or some functional
> language like Clojure. (Wait, that's not just one.) If all I was after is
> money, I might look at moving to a job as a DBA or moving into the MS space
> as those are advertised a lot. While I plan on staying with CF, I'm also
> learning a lot of other things since that is what developers do.
>
>  John M Bliss  wrote:
> >
> > P.S. "None / sticking with CFML for now" people need not take survey.
>  :-)
> >
> > This is just for people who're specifically learning a new, non-CFML
> > language for income reasons. For those people only, I'm wondering, "which
> > one(s)?"
> >
> >
> > On Tue, Mar 25, 2014 at 10:43 PM, John M Bliss 
> wrote:
> >
> > > https://www.surveymonkey.com/s/5XYDGRG
> > >
> > > One question, "You've used CFML as your primary source of income for
> one
> > > or more years. Now / soon you are learning / will learn which of the
> > > following because you believe it may be / become a better source of
> income?"
> > >
> > > Please let me know if this survey (or similar) has already been done in
> > > the last six months or so.
> > >
> > > I will share results next week.
> > >
> > > https://www.surveymonkey.com/s/5XYDGRG
> > >
> > > --
> > > John Bliss - http://www.linkedin.com/in/jbliss
> > >
> >
> >
> >
> > --
> > John Bliss - http://www.linkedin.com/in/jbliss
> >
> >
> > 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358098


Re: Quick Survey

2014-03-26 Thread Roger Austin

Surveys are interesting, but caution must be used in looking at the results. A 
lot of the analysis on what to learn depends on the developer's background, 
location, industry, age, etc. For example, someone nearing retirement would 
look at it differently than a 30 year old person. Someone in RTP, SV, NYC, 
Austin, or Boston would look at it differently than someone in Montana or 
Tulsa. If all you know is web development the answer might be different than 
someone with a deep CS education.

I guess if I had to pick one, I would move to Python or some functional 
language like Clojure. (Wait, that's not just one.) If all I was after is 
money, I might look at moving to a job as a DBA or moving into the MS space as 
those are advertised a lot. While I plan on staying with CF, I'm also learning 
a lot of other things since that is what developers do.

 John M Bliss  wrote: 
> 
> P.S. "None / sticking with CFML for now" people need not take survey.  :-)
> 
> This is just for people who're specifically learning a new, non-CFML
> language for income reasons. For those people only, I'm wondering, "which
> one(s)?"
> 
> 
> On Tue, Mar 25, 2014 at 10:43 PM, John M Bliss  wrote:
> 
> > https://www.surveymonkey.com/s/5XYDGRG
> >
> > One question, "You've used CFML as your primary source of income for one
> > or more years. Now / soon you are learning / will learn which of the
> > following because you believe it may be / become a better source of income?"
> >
> > Please let me know if this survey (or similar) has already been done in
> > the last six months or so.
> >
> > I will share results next week.
> >
> > https://www.surveymonkey.com/s/5XYDGRG
> >
> > --
> > John Bliss - http://www.linkedin.com/in/jbliss
> >
> 
> 
> 
> -- 
> John Bliss - http://www.linkedin.com/in/jbliss
> 
> 
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358097


Re: Quick Survey

2014-03-26 Thread John M Bliss

:-)


On Wed, Mar 26, 2014 at 8:25 AM, Matt Quackenbush wrote:

>
> On Wed, Mar 26, 2014 at 8:21 AM, John M Bliss 
> wrote:
>
> >
> > I'll blissfully assume that 2/3 - 3/4 of the people on this list are not
> > going to take this survey because they're not moving away from CFML.
> >
>
>
> That's the wrong assumption. It should be:
>
> I'll blissfully assume that 2/3 - 3/4 of the people on this list are not
> > going to take this survey because the subject line isn't "CF is dead".
> >
>
> :-)
>
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358096


Re: Quick Survey

2014-03-26 Thread Matt Quackenbush

On Wed, Mar 26, 2014 at 8:21 AM, John M Bliss  wrote:

>
> I'll blissfully assume that 2/3 - 3/4 of the people on this list are not
> going to take this survey because they're not moving away from CFML.
>


That's the wrong assumption. It should be:

I'll blissfully assume that 2/3 - 3/4 of the people on this list are not
> going to take this survey because the subject line isn't "CF is dead".
>

:-)


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358095


Re: Quick Survey

2014-03-26 Thread John M Bliss

I'm also tired of it.

So, I'll reiterate one more time: this is not a count of people (likely)
moving away from CFML versus people (likely) not moving away from CFML.
This is: for people (likely) moving away from CFML, to what?

I'll blissfully assume that 2/3 - 3/4 of the people on this list are not
going to take this survey because they're not moving away from CFML.


On Wed, Mar 26, 2014 at 8:14 AM, Raymond Camden wrote:

>
> It wasn't - but the frustration wasn't towards you at all - just the
> general tiredness of it happening here so often.
>
>
> On Wed, Mar 26, 2014 at 7:12 AM, John M Bliss 
> wrote:
>
> >
> > I hope that was written with a :-) Jedi.
> >
> > :-)
> >
> > I understand. I've been here for years. I honestly did not intend this to
> > be another of those threads.
> >
> >
> > On Wed, Mar 26, 2014 at 8:07 AM, Raymond Camden  > >wrote:
> >
> > >
> > > It doesn't matter - it is a Rule of CF-Talk that once every 6 months
> that
> > > thread must be reborn.
> > >
> > >
> > > On Wed, Mar 26, 2014 at 6:29 AM, DURETTE, STEVEN J 
> > wrote:
> > >
> > > >
> > > > H. Limiting the pool of respondents. Releasing a poll like that
> can
> > > > easily be twisted. I wouldn't be surprised to see your poll quoted in
> > six
> > > > months as CF is dying because all of its developers are jumping ship.
> > Not
> > > > even one decided to stick with CF!
> > > >
> > > > While polls are good for information, they can be twisted easily.
> > > >
> > > > Steve
> > > >
> > > >
> > > > -Original Message-
> > > > From: John M Bliss [mailto:bliss.j...@gmail.com]
> > > > Sent: Tuesday, March 25, 2014 10:51 PM
> > > > To: cf-talk
> > > > Subject: Re: Quick Survey
> > > >
> > > >
> > > > P.S. "None / sticking with CFML for now" people need not take survey.
> > >  :-)
> > > >
> > > > This is just for people who're specifically learning a new, non-CFML
> > > > language for income reasons. For those people only, I'm wondering,
> > "which
> > > > one(s)?"
> > > >
> > > >
> > > > On Tue, Mar 25, 2014 at 10:43 PM, John M Bliss  >
> > > > wrote:
> > > >
> > > > > https://www.surveymonkey.com/s/5XYDGRG
> > > > >
> > > > > One question, "You've used CFML as your primary source of income
> for
> > > one
> > > > > or more years. Now / soon you are learning / will learn which of
> the
> > > > > following because you believe it may be / become a better source of
> > > > income?"
> > > > >
> > > > > Please let me know if this survey (or similar) has already been
> done
> > in
> > > > > the last six months or so.
> > > > >
> > > > > I will share results next week.
> > > > >
> > > > > https://www.surveymonkey.com/s/5XYDGRG
> > > > >
> > > > > --
> > > > > John Bliss - http://www.linkedin.com/in/jbliss
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > John Bliss - http://www.linkedin.com/in/jbliss
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358094


Re: Quick Survey

2014-03-26 Thread Raymond Camden

It wasn't - but the frustration wasn't towards you at all - just the
general tiredness of it happening here so often.


On Wed, Mar 26, 2014 at 7:12 AM, John M Bliss  wrote:

>
> I hope that was written with a :-) Jedi.
>
> :-)
>
> I understand. I've been here for years. I honestly did not intend this to
> be another of those threads.
>
>
> On Wed, Mar 26, 2014 at 8:07 AM, Raymond Camden  >wrote:
>
> >
> > It doesn't matter - it is a Rule of CF-Talk that once every 6 months that
> > thread must be reborn.
> >
> >
> > On Wed, Mar 26, 2014 at 6:29 AM, DURETTE, STEVEN J 
> wrote:
> >
> > >
> > > H. Limiting the pool of respondents. Releasing a poll like that can
> > > easily be twisted. I wouldn't be surprised to see your poll quoted in
> six
> > > months as CF is dying because all of its developers are jumping ship.
> Not
> > > even one decided to stick with CF!
> > >
> > > While polls are good for information, they can be twisted easily.
> > >
> > > Steve
> > >
> > >
> > > -Original Message-
> > > From: John M Bliss [mailto:bliss.j...@gmail.com]
> > > Sent: Tuesday, March 25, 2014 10:51 PM
> > > To: cf-talk
> > > Subject: Re: Quick Survey
> > >
> > >
> > > P.S. "None / sticking with CFML for now" people need not take survey.
> >  :-)
> > >
> > > This is just for people who're specifically learning a new, non-CFML
> > > language for income reasons. For those people only, I'm wondering,
> "which
> > > one(s)?"
> > >
> > >
> > > On Tue, Mar 25, 2014 at 10:43 PM, John M Bliss 
> > > wrote:
> > >
> > > > https://www.surveymonkey.com/s/5XYDGRG
> > > >
> > > > One question, "You've used CFML as your primary source of income for
> > one
> > > > or more years. Now / soon you are learning / will learn which of the
> > > > following because you believe it may be / become a better source of
> > > income?"
> > > >
> > > > Please let me know if this survey (or similar) has already been done
> in
> > > > the last six months or so.
> > > >
> > > > I will share results next week.
> > > >
> > > > https://www.surveymonkey.com/s/5XYDGRG
> > > >
> > > > --
> > > > John Bliss - http://www.linkedin.com/in/jbliss
> > > >
> > >
> > >
> > >
> > > --
> > > John Bliss - http://www.linkedin.com/in/jbliss
> > >
> > >
> > >
> > >
> > >
> >
> >
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358093


Re: Quick Survey

2014-03-26 Thread John M Bliss

I hope that was written with a :-) Jedi.

:-)

I understand. I've been here for years. I honestly did not intend this to
be another of those threads.


On Wed, Mar 26, 2014 at 8:07 AM, Raymond Camden wrote:

>
> It doesn't matter - it is a Rule of CF-Talk that once every 6 months that
> thread must be reborn.
>
>
> On Wed, Mar 26, 2014 at 6:29 AM, DURETTE, STEVEN J  wrote:
>
> >
> > H. Limiting the pool of respondents. Releasing a poll like that can
> > easily be twisted. I wouldn't be surprised to see your poll quoted in six
> > months as CF is dying because all of its developers are jumping ship. Not
> > even one decided to stick with CF!
> >
> > While polls are good for information, they can be twisted easily.
> >
> > Steve
> >
> >
> > -Original Message-
> > From: John M Bliss [mailto:bliss.j...@gmail.com]
> > Sent: Tuesday, March 25, 2014 10:51 PM
> > To: cf-talk
> > Subject: Re: Quick Survey
> >
> >
> > P.S. "None / sticking with CFML for now" people need not take survey.
>  :-)
> >
> > This is just for people who're specifically learning a new, non-CFML
> > language for income reasons. For those people only, I'm wondering, "which
> > one(s)?"
> >
> >
> > On Tue, Mar 25, 2014 at 10:43 PM, John M Bliss 
> > wrote:
> >
> > > https://www.surveymonkey.com/s/5XYDGRG
> > >
> > > One question, "You've used CFML as your primary source of income for
> one
> > > or more years. Now / soon you are learning / will learn which of the
> > > following because you believe it may be / become a better source of
> > income?"
> > >
> > > Please let me know if this survey (or similar) has already been done in
> > > the last six months or so.
> > >
> > > I will share results next week.
> > >
> > > https://www.surveymonkey.com/s/5XYDGRG
> > >
> > > --
> > > John Bliss - http://www.linkedin.com/in/jbliss
> > >
> >
> >
> >
> > --
> > John Bliss - http://www.linkedin.com/in/jbliss
> >
> >
> >
> >
> >
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358092


Re: Quick Survey

2014-03-26 Thread Raymond Camden

It doesn't matter - it is a Rule of CF-Talk that once every 6 months that
thread must be reborn.


On Wed, Mar 26, 2014 at 6:29 AM, DURETTE, STEVEN J  wrote:

>
> H. Limiting the pool of respondents. Releasing a poll like that can
> easily be twisted. I wouldn't be surprised to see your poll quoted in six
> months as CF is dying because all of its developers are jumping ship. Not
> even one decided to stick with CF!
>
> While polls are good for information, they can be twisted easily.
>
> Steve
>
>
> -Original Message-
> From: John M Bliss [mailto:bliss.j...@gmail.com]
> Sent: Tuesday, March 25, 2014 10:51 PM
> To: cf-talk
> Subject: Re: Quick Survey
>
>
> P.S. "None / sticking with CFML for now" people need not take survey.  :-)
>
> This is just for people who're specifically learning a new, non-CFML
> language for income reasons. For those people only, I'm wondering, "which
> one(s)?"
>
>
> On Tue, Mar 25, 2014 at 10:43 PM, John M Bliss 
> wrote:
>
> > https://www.surveymonkey.com/s/5XYDGRG
> >
> > One question, "You've used CFML as your primary source of income for one
> > or more years. Now / soon you are learning / will learn which of the
> > following because you believe it may be / become a better source of
> income?"
> >
> > Please let me know if this survey (or similar) has already been done in
> > the last six months or so.
> >
> > I will share results next week.
> >
> > https://www.surveymonkey.com/s/5XYDGRG
> >
> > --
> > John Bliss - http://www.linkedin.com/in/jbliss
> >
>
>
>
> --
> John Bliss - http://www.linkedin.com/in/jbliss
>
>
>
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358091


Re: Quick Survey

2014-03-26 Thread John M Bliss

I think I'm being pretty open about what I'm researching. But, in case I'm
not, I'll say it here and when I publish the results: poll does not count /
quantify people who're choosing not to learn a new language at this time. I
only care about, for people who are, which one?


On Wed, Mar 26, 2014 at 7:29 AM, DURETTE, STEVEN J  wrote:

>
> H. Limiting the pool of respondents. Releasing a poll like that can
> easily be twisted. I wouldn't be surprised to see your poll quoted in six
> months as CF is dying because all of its developers are jumping ship. Not
> even one decided to stick with CF!
>
> While polls are good for information, they can be twisted easily.
>
> Steve
>
>
> -Original Message-
> From: John M Bliss [mailto:bliss.j...@gmail.com]
> Sent: Tuesday, March 25, 2014 10:51 PM
> To: cf-talk
> Subject: Re: Quick Survey
>
>
> P.S. "None / sticking with CFML for now" people need not take survey.  :-)
>
> This is just for people who're specifically learning a new, non-CFML
> language for income reasons. For those people only, I'm wondering, "which
> one(s)?"
>
>
> On Tue, Mar 25, 2014 at 10:43 PM, John M Bliss 
> wrote:
>
> > https://www.surveymonkey.com/s/5XYDGRG
> >
> > One question, "You've used CFML as your primary source of income for one
> > or more years. Now / soon you are learning / will learn which of the
> > following because you believe it may be / become a better source of
> income?"
> >
> > Please let me know if this survey (or similar) has already been done in
> > the last six months or so.
> >
> > I will share results next week.
> >
> > https://www.surveymonkey.com/s/5XYDGRG
> >
> > --
> > John Bliss - http://www.linkedin.com/in/jbliss
> >
>
>
>
> --
> John Bliss - http://www.linkedin.com/in/jbliss
>
>
>
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358090


RE: Quick Survey

2014-03-26 Thread DURETTE, STEVEN J

H. Limiting the pool of respondents. Releasing a poll like that can easily 
be twisted. I wouldn't be surprised to see your poll quoted in six months as CF 
is dying because all of its developers are jumping ship. Not even one decided 
to stick with CF!

While polls are good for information, they can be twisted easily.

Steve


-Original Message-
From: John M Bliss [mailto:bliss.j...@gmail.com] 
Sent: Tuesday, March 25, 2014 10:51 PM
To: cf-talk
Subject: Re: Quick Survey


P.S. "None / sticking with CFML for now" people need not take survey.  :-)

This is just for people who're specifically learning a new, non-CFML
language for income reasons. For those people only, I'm wondering, "which
one(s)?"


On Tue, Mar 25, 2014 at 10:43 PM, John M Bliss  wrote:

> https://www.surveymonkey.com/s/5XYDGRG
>
> One question, "You've used CFML as your primary source of income for one
> or more years. Now / soon you are learning / will learn which of the
> following because you believe it may be / become a better source of income?"
>
> Please let me know if this survey (or similar) has already been done in
> the last six months or so.
>
> I will share results next week.
>
> https://www.surveymonkey.com/s/5XYDGRG
>
> --
> John Bliss - http://www.linkedin.com/in/jbliss
>



-- 
John Bliss - http://www.linkedin.com/in/jbliss




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358089