RE: [Evangelism] Hack Plone! Win a Mac!
Should become something like "Entworfen für Sicherheit"? Translations will be no problem. I don't know in what countries translations are a must (never guessed Germany would be one), but the main goal is to get a clear message across.

Kind regards,
bc.

Bas Roijen
Technical Application Administrator
COFELY EXPERTS BV
Information & Communication Technology
GDF SUEZ ENERGY SERVICES
Amerikalaan 35, 6199 AE Maastricht-Airport - THE NETHERLANDS
PO Box 304, 6199 ZN Maastricht-Airport - THE NETHERLANDS
Tel. : +31 (0)43 367 52 09
Fax. : +31 (0)43 367 59 90
Mob. : +31 (0)6 388 260 15
bas.roi...@cofely-gdfsuez.nl
www.cofely-gdfsuez.nl

-----Original Message-----
From: evangelism-boun...@lists.plone.org [mailto:evangelism-boun...@lists.plone.org] On behalf of Jan Ulrich Hasecke
Sent: Sunday 29 November 2009 10:31
To: Mark A Corum
CC: evangelism@lists.plone.org
Subject: Re: [Evangelism] Hack Plone! Win a Mac!

On 28.11.2009 at 20:38 Mark A Corum wrote:
> +1 on a legitimate slogan like "Secure by Design" or something else
> that reflects the fact.

Although I'd like such a claim, please keep in mind that we need it translated. English claims are often misunderstood in Germany as recent studies showed.

juh

The information contained in this message may be confidential and is intended to be exclusively for the addressee. Should you receive this message unintentionally, please do not use the contents herein and notify the sender immediately by return e-mail.

___
Evangelism mailing list
Evangelism@lists.plone.org
http://lists.plone.org/mailman/listinfo/evangelism
Re: [Evangelism] Hack Plone! Win a Mac!
On 29 Nov 2009, at 09:31, Jan Ulrich Hasecke wrote:

> On 28.11.2009 at 20:38 Mark A Corum wrote:
>
>> +1 on a legitimate slogan like "Secure by Design" or something else that reflects the fact.
>
> Although I'd like such a claim, please keep in mind that we need it translated. English claims are often misunderstood in Germany as recent studies showed.

OK, well I'm not sure what the appropriate German translation of something like that would be, but like I said the intention is to get across that Plone has a number of specific architectural and design choices that make it very secure.

-Matt

--
Matt Hamilton ma...@netsight.co.uk
Netsight Internet Solutions, Ltd. Understand. Develop. Deliver
http://www.netsight.co.uk +44 (0)117 9090901
Web Design | Zope/Plone Development & Consulting | Co-location | Hosting
Re: [Evangelism] Hack Plone! Win a Mac!
On 28.11.2009 at 20:38 Mark A Corum wrote:
> +1 on a legitimate slogan like "Secure by Design" or something else
> that reflects the fact.

Although I'd like such a claim, please keep in mind that we need it translated. English claims are often misunderstood in Germany as recent studies showed.

juh
Re: [Evangelism] Hack Plone! Win a Mac!
How about 'Military Grade Security'? It has possibly negative military connotations, but I don't think most CMS reviewers will read too much into that. Regardless of one's politics, I think the fact that Zope is on the published approved OSS list of packages at DoD, and Plone specifically is on the list for NASA, speaks volumes. Since it's used at other related sites that have been mentioned (intelligence agencies, Navy, etc.), I think that using the term 'Military Grade' is fair and clear. Not something we'd have to explain to would-be adopters of Plone.

-Ken

Mark A Corum wrote:
> +1 on a legitimate slogan like "Secure by Design" or something else that reflects the fact.
>
> -1,000,000 on creating our own term to describe something which everyone else already knows by another name. "Trucolor" and "Speedboost" are just recent examples of an obnoxious tactic, a problem first known by the candy "Certs" advertising itself with "Retsyn for Freshness" (Retsyn was their trademarked name for vegetable oil.) Most folks recognize these for what they are now. Believe it or not, as audiences become more knowledgeable, the best tactics for selling your product are clarity and accuracy. You can package that in an interesting, engaging way - you can make it entertaining and fun - and you can give it personality - but for something like a CMS a straightforward approach makes sense.
>
> BTW - creating, popularizing and supporting a made-up term is one of the most expensive things you can do for a product or company. Most research shows that the same money put into R&D or customer support will always yield 3-5 x the return on investment vs this approach unless you have serious cash to dump in from the outset.
>
> Mark
>
> Mark A Corum
> User Interface Designer | Online Marketer | Certified ScrumMaster
> markcorum on AOL, Googletalk, MSN, Skype, Meebo, TokBox, Facebook, Twitter and Yahoo;
> "Light up the darkness." - Bob Marley
> "Quis custodiet ipsos custodes?" (Who watches the watchmen?) - Juvenal, Satires
> "No matter where you go ... there you are." - Buckaroo Banzai
>
> On Sat, Nov 28, 2009 at 2:26 PM, Matt Hamilton wrote:
>> Forgot to reply all...
>>
>> Begin forwarded message:
>>
>> From: Matt Hamilton
>> Date: 28 November 2009 02:55:36 PM GMT
>> To: ctxlken
>> Subject: Re: [Evangelism] Hack Plone! Win a Mac!
>>
>> Mark A Corum wrote:
>>> If Plone had previously been weak on security, and had gotten its act together, this might make sense. But in reality -- where Plone is a VERY secure system with a long-term record of protecting sites and data -- this kind of circus stunt is not a good idea.
>>
>> A random idea (whilst I'm trying to write some "why Plone is good for enterprise" copy)...
>>
>> How about we come up with some kind of slogan or something like that: 'Secure by Design' or similar. Something that we can then explain relates to the use of a language with a good security track record (Python), a battle-tested platform (Zope) and the use of an OODB rather than a SQL DB.
>>
>> You know the way many products have some kind of made-up marketing name for something, i.e. 'Now with TruColor', or 'Built in SpeedBoost technology' etc.... that is what I'm thinking.
>>
>> -Matt
>>
>> --
>> Matt Hamilton ma...@netsight.co.uk
>> Netsight Internet Solutions, Ltd. Understand. Develop. Deliver
>> http://www.netsight.co.uk +44 (0)117 9090901
>> Web Design | Zope/Plone Development & Consulting | Co-location | Hosting
Re: [Evangelism] Hack Plone! Win a Mac!
+1 on a legitimate slogan like "Secure by Design" or something else that reflects the fact.

-1,000,000 on creating our own term to describe something which everyone else already knows by another name. "Trucolor" and "Speedboost" are just recent examples of an obnoxious tactic, a problem first known by the candy "Certs" advertising itself with "Retsyn for Freshness" (Retsyn was their trademarked name for vegetable oil.) Most folks recognize these for what they are now. Believe it or not, as audiences become more knowledgeable, the best tactics for selling your product are clarity and accuracy. You can package that in an interesting, engaging way - you can make it entertaining and fun - and you can give it personality - but for something like a CMS a straightforward approach makes sense.

BTW - creating, popularizing and supporting a made-up term is one of the most expensive things you can do for a product or company. Most research shows that the same money put into R&D or customer support will always yield 3-5 x the return on investment vs this approach unless you have serious cash to dump in from the outset.

Mark

Mark A Corum
User Interface Designer | Online Marketer | Certified ScrumMaster
markcorum on AOL, Googletalk, MSN, Skype, Meebo, TokBox, Facebook, Twitter and Yahoo;
"Light up the darkness." - Bob Marley
"Quis custodiet ipsos custodes?" (Who watches the watchmen?) - Juvenal, Satires
"No matter where you go ... there you are." - Buckaroo Banzai

On Sat, Nov 28, 2009 at 2:26 PM, Matt Hamilton wrote:
>
> Forgot to reply all...
>
> Begin forwarded message:
>
> From: Matt Hamilton
> Date: 28 November 2009 02:55:36 PM GMT
> To: ctxlken
> Subject: Re: [Evangelism] Hack Plone! Win a Mac!
>
> Mark A Corum wrote:
>> If Plone had previously been weak on security, and had gotten its act
>> together, this might make sense. But in reality -- where Plone is a
>> VERY secure system with a long-term record of protecting sites and
>> data -- this kind of circus stunt is not a good idea.
>
> A random idea (whilst I'm trying to write some "why Plone is good for
> enterprise" copy)...
>
> How about we come up with some kind of slogan or something like that: 'Secure
> by Design' or similar. Something that we can then explain relates to the use
> of a language with a good security track record (Python), a battle-tested
> platform (Zope) and the use of an OODB rather than a SQL DB.
>
> You know the way many products have some kind of made-up marketing name for
> something, i.e. 'Now with TruColor', or 'Built in SpeedBoost technology'
> etc.... that is what I'm thinking.
>
> -Matt
>
> --
> Matt Hamilton ma...@netsight.co.uk
> Netsight Internet Solutions, Ltd. Understand. Develop. Deliver
> http://www.netsight.co.uk +44 (0)117 9090901
> Web Design | Zope/Plone Development & Consulting | Co-location | Hosting
Re: [Evangelism] Hack Plone! Win a Mac!
I think it's a weak assumption that these two sites would have a 'live' Plone site. Although it is possible, I would think that due to some of the security and performance benefits, and since we see '.htm' or '.html' URIs and no evidence in the response headers of Zope, it's likely these security-conscious organizations are using some sort of 'static deployment' strategy, as we've discussed at: http://www.coactivate.org/projects/plone-static-publishing/summary

The Plone Static Publishing project on coactivate that I provided the link to above has had some discussion recently about a product called enpraxis.staticsite, although this seems like a young, immature product and so is less likely to be active on these two sites. Instead, one of the options that has existed for some time - CMFDeployment or custom wget scripting - was probably used.

A static deployment strategy such as this would greatly increase security for a site, since there is no zope/database/dynamic functionality or open ports between front-end and back-end servers/services to worry about, and there are fewer moving parts in general to worry about, besides the web (httpd) server.

As for the hacking contest, here are some thoughts:

a) I'm in favor of having a contest that allows Plone integrators listed on plone.net to be involved, rather than all script kiddies in the world - maybe have one that is open to the world at a later date.

b) There would need to be some very specific rules that ensure that the found vulnerabilities must be in the Zope/Plone code bits and not Apache, Varnish, lighttpd, nginx, Squid, or some of the other front-end web servers/proxies used to get to Plone site content. While it's still valuable to know about those types of vulnerabilities, our contest would need to be focused on code managed by the Plone community and not others, and the inclusion of web servers/proxies would make the contest pretty unwieldy to manage (whose favorite front-end do you set up for the test environment?).

c) I think that Mark's concern over seeming cavalier can be mitigated through thoughtful communication/messaging. We wouldn't want to put a banner ad out taunting script kiddies to just hack away - we dare you! Instead, we could a) do our own internal hacking, document findings, open tickets, and address them, and then b) advertise the ongoing efforts by the Plone community in ensuring security of Plone and invite 'white hat' hacker groups to register for the external hacking contest, assign a limited time period that the environment will be available for hacking, and give away whatever prize is determined.

d) Plenty of hackers aren't going to want a Mac. Some are just as suspicious of Apple or Google as they are of Microsoft, so perhaps some prize options could be listed.

e) Another option we could consider, rather than a wild, wild west contest, would be to invite 3-5 professional security assessment firms to hack and post findings. In return, they'll get some free advertising on plone.org and anywhere there are press releases done with the contest and results announcements.

-Ken

Karl Horak [via Plone] wrote:
> Just tossing my 2 cents worth in here -- if there were any Plone sites
> in the world that hackers were already targeting, it would be FBI and
> CIA. I'm sure we would have heard of any failure there.
>
> Meanwhile, I think the Foundation should sponsor a system of
> clandestine honeypots out there and monitor them religiously.
>
> Save the $$ on the Mac and pay Mark to get the msg out to the
> professional CMS reviewers.
>
> Karl
>
> Mark A Corum wrote:
>> If Plone had previously been weak on security, and had gotten its act
>> together, this might make sense. But in reality -- where Plone is a
>> VERY secure system with a long-term record of protecting sites and
>> data -- this kind of circus stunt is not a good idea.
>>
>> Mark

--
View this message in context: http://n2.nabble.com/Hack-Plone-Win-a-Mac-tp4027160p4077534.html
Sent from the Evangelism mailing list archive at Nabble.com.
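Ken's reasoning above rests on two observable signals: page URIs ending in .htm/.html, and response headers that carry no trace of Zope. The script below is an added example (not code from the thread, the Plone project, or the static-publishing project it mentions) that a site operator can run against a captured response from their own deployment to confirm that a static publish really did remove every dynamic-back-end marker. The token list, the inspected header names, and the sample Server strings are assumptions made for the example; both sample responses are constructed, not captured from any real site.

```python
"""Verify that a captured HTTP response from your own site shows a static
(pre-rendered HTML) deployment rather than a reachable Zope/Plone back end.

Added example; the sample responses below are constructed, not captured
from any real site, and the Server strings are assumptions for illustration.
"""
from typing import Dict, List, Tuple

# Tokens that, for this example, are taken to disclose a live Zope/Plone
# stack. Which tokens a given installation emits is an assumption here.
FINGERPRINT_TOKENS = ("zope", "zserver", "plone")
# Headers that commonly carry software names; chosen for the example.
HEADERS_TO_INSPECT = ("server", "x-powered-by", "via")


def parse_response_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP response into its status line and a dict of
    lower-cased header names -> values. Only the head section is parsed;
    the body after the blank line is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed header lines rather than failing
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def dynamic_backend_evidence(raw: str) -> List[str]:
    """Return one 'header: value' finding per inspected header that
    discloses a Zope/Plone back end. An empty list is consistent with the
    'static deployment' reading of a site."""
    _, headers = parse_response_headers(raw)
    findings: List[str] = []
    for name in HEADERS_TO_INSPECT:
        value = headers.get(name, "")
        lowered = value.lower()
        if any(token in lowered for token in FINGERPRINT_TOKENS):
            findings.append(f"{name}: {value}")
    return findings


def looks_static(raw: str, path: str) -> bool:
    """True when the requested path ends in .htm/.html AND no inspected
    header discloses a dynamic back end: both of Ken's signals at once."""
    static_suffix = path.lower().endswith((".htm", ".html"))
    return static_suffix and not dynamic_backend_evidence(raw)


# Constructed sample: a response as a bare Zope instance might send it.
# The exact Server string is an assumption for the example.
SAMPLE_DYNAMIC = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Zope/(2.10.4, python 2.4.4, linux2) ZServer/1.1\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same page after static publishing behind httpd.
SAMPLE_STATIC = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, raw, path in (("dynamic", SAMPLE_DYNAMIC, "/front-page"),
                             ("static", SAMPLE_STATIC, "/index.html")):
        print(label, dynamic_backend_evidence(raw), looks_static(raw, path))
```

Feed `dynamic_backend_evidence` the raw response captured from your own front end (for instance from a `curl -i` transcript) after a static publish; any non-empty result names the header that still leaks the back end and should be stripped at the httpd layer or removed from the publishing pipeline. An empty result is only an absence of the inspected markers, not proof of a static deployment, which is why `looks_static` also requires the .htm/.html URI signal Ken relies on.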
Re: [Evangelism] Hack Plone! Win a Mac!
Just tossing my 2 cents worth in here -- if there were any Plone sites in the world that hackers were already targeting, it would be FBI and CIA. I'm sure we would have heard of any failure there.

Meanwhile, I think the Foundation should sponsor a system of clandestine honeypots out there and monitor them religiously.

Save the $$ on the Mac and pay Mark to get the msg out to the professional CMS reviewers.

Karl

Mark A Corum wrote:
>
> If Plone had previously been weak on security, and had gotten its act
> together, this might make sense. But in reality -- where Plone is a
> VERY secure system with a long-term record of protecting sites and
> data -- this kind of circus stunt is not a good idea.
>
> Mark
>

--
View this message in context: http://n2.nabble.com/Hack-Plone-Win-a-Mac-tp4027160p4076342.html
Sent from the Evangelism mailing list archive at Nabble.com.
Re: [Evangelism] Hack Plone! Win a Mac!
On 2009-11-26, at 7:24 AM, Jan Ulrich Hasecke wrote:
> On 26.11.2009 at 16:09 Norman Fournier wrote:
>
>> think there may be more positive ways for plone to get this message across
>
> For example?
>
> I think we must have clear rules. The first hacker who puts his name on the
> frontpage wins, if he documents how he'd done it. If we have more macs the
> first three or four hackers win, if they don't use the same exploit.
>
> And better they find the exploit on a dummy site than if they'd find them on
> the CIA-site?
>
> juh

I think plone could continue to boast of enterprise installations as before: "NASA rocket scientists tried and like plone". What more needs to be told? I had one prospect declare plone security fit for a knitting circle, but debate would be moot when someone has their mind made up. Those with their minds made up need to be shown by demonstration and it is much easier to convert the enormous percentage that want to change.

By their nature hackers are all over plone all the time and I see them frequently go so far as to register on a site I built. Never to any avail. I can tell they're mal by their usernames. They poke around because of the anonymous send, mainly, but workflow defeats their purposes. Pffft.

Why issue a "step across this line" challenge to a criminal? The idea is provocative, which I like, but is like saying "go ahead gimme your best shot" to someone who is comfortable swinging baseball bats and broken bottles. haha! The "hack attack win a mac" costs a mac, which to me, is really a lot of money. I am a mac user.

Here's an alternative. Visitors to plone.org poll on their favourite plone site. Developers could submit their favourites for consideration. The owner of the site wins the Mac or Macs for a school in one of their less-fortunate neighbourhoods, allowing the kids to learn how beautiful, simple and powerful plone is? Technical support by the plone-users list? Documented on plone.net, YouTube, or ? Smiling children conquering a seemingly insurmountable technical challenge? Build the plone community.

For your comments.

Norman
Re: [Evangelism] Hack Plone! Win a Mac!
Not sure how I feel about the overall idea, but the exploit documentation condition *must* be expanded to specify that the exploit be documented to the Plone security team, and only the security team. Publicizing of methodology for an attack must be only after a patch is made available, and the award would be made only after those conditions are fulfilled.

The attack would need to be via Plone — not the OS or other parts of the stack like reverse proxy.

Open registration must be off in the test install.

On Wed, Nov 25, 2009 at 10:28 PM, Nate Aune wrote:
>
>> All exploits must be documented of course so that we can fix them.
>
Re: [Evangelism] Hack Plone! Win a Mac!
On 27/11/2009, at 9:00 AM, Mark A Corum wrote:

> Actually, it would show we are arrogant and cavalier about security - which are about the worst things you can be in the eyes of an enterprise customer. People who are serious about security TEST the security of their software in a professional, systematic way. They get experts in the field and folks who really know what they are doing to make sure nothing in their code or deployment is opening up websites to attack or possible compromise of data.

I don't disagree with your points below, but testing security via experts is, I'm sure, what companies like Microsoft do and that hasn't worked out well for them. FOSS has repeatedly shown that security by numbers - i.e. lots of eyes on code rather than "experts" - has made for more secure systems.

> The whole "opening your software to hackers" thing is a stunt - a stunt with very little if any upside, and a huge potential downside. If someone brings your server to its knees with a Denial of Service attack or a weakness in the OS you are running on, you can complain from now until eternity that it wasn't "fair" but the only coverage you are going to get is "Plone gets hacked." If no one is able to hack the site, it's not really something worthy of coverage, now is it?

Maybe.

> After all, we are already well known as having one of the best security records of any CMS.

I would disagree we are "well known". Plone in general is NOT well known. It's underwhelmingly unknown given its history and competitive advantages such as security. When Drupal can get recommended as an "enterprise" CMS by Gartner and Alfresco can get away with giving their product the label "THE open source enterprise content management system", I would say we're not well known. One thing I got out of this year's conference is that security is a big competitive advantage of Plone that's easy to explain and has impact. We've only just started marketing that to the outside world. Until Gartner labels us "The secure open source enterprise content management system" I think we have a lot of work to do. If stunts aren't the right way to do it, at least we're thinking about it. I'd love to hear some other ideas, wouldn't you?

> If Plone had previously been weak on security, and had gotten its act together, this might make sense. But in reality -- where Plone is a VERY secure system with a long-term record of protecting sites and data -- this kind of circus stunt is not a good idea.
>
> Mark
>
> Mark A Corum
> User Interface Designer | Online Marketer | Certified ScrumMaster
> markcorum on AOL, Googletalk, MSN, Skype, Meebo, TokBox, Facebook, Twitter and Yahoo;
> "Light up the darkness." - Bob Marley
> "Quis custodiet ipsos custodes?" (Who watches the watchmen?) - Juvenal, Satires
> "No matter where you go ... there you are." - Buckaroo Banzai
>
> On Thu, Nov 26, 2009 at 4:06 PM, Dylan Jay wrote:
>> Worst case is really bad publicity. But then is it? If it got hacked we'd patch it immediately and patch most systems out there and we'd explain how that system works in advance. Basically use it to explain how open source increases security and speed of patches. It would also show that we take security seriously.
>>
>> Dylan Jay
>> Technical solution manager
>> PretaWeb 99552830
>>
>> On 27/11/2009, at 2:09 AM, Norman Fournier wrote:
>>> Hello,
>>>
>>> Worst case scenario. What if we are wrong?
>>>
>>> Some smart punk hacks the plone and posts the hack or hints somewhere. How many Macs can we afford to give away? How long can we afford to pay lawyers to fight spurious claims in court?
>>>
>>> A risk analysis should be air-tight before any contest is publicized. Even the smallest give-aways are fraught with legal complications, which is why contest legal copy takes so much space on an entry form.
>>>
>>> For me, I am not liking this idea at all. I think there may be more positive ways for plone to get this message across without exposing the software to a million punk hackers with a goad like both Screw Plone and Win a Mac at the same time!
>>>
>>> My $.02.
>>>
>>> Norman
>>>
>>> On 2009-11-25, at 10:28 PM, Nate Aune wrote:
>>>> I think it's a great idea. Set up a server (perhaps using the Hardening Plone howto below) and let the games begin!
>>>> http://plone.org/documentation/how-to/securing-plone/
>>>>
>>>> Nate
>>>>
>>>> On Wed, Nov 18, 2009 at 11:52 AM, Jan Ulrich Hasecke wrote:
>>>>> Hi all,
>>>>>
>>>>> what do you think about a hacking contest? We set up a plain plone site and whoever hacks it first wins a mac or a playstation or whatever.
>>>>>
>>>>> All exploits must be documented of course so that we can fix them.
>>>>>
>>>>> We promote Plone as a secure system and can document it with the CVE entries but often people say, yeah, but there are a lot less installations of Plone than there are of PHP-systems, so you cannot compare the figures.
>>>>>
>>>>> So let's challenge the hackers!
>>>>>
>>>>> This could be an online event with a great publicity effect, maybe in the run-up to the World Plone Day.
>>>>>
>>>>> What do you think?
>>>>> juh
>>>>>
>>>>> Jan Ulrich Hasec
Re: [Evangelism] Hack Plone! Win a Mac!
Actually, it would show we are arrogant and cavalier about security - which are about the worst things you can be in the eyes of an enterprise customer. People who are serious about security TEST the security of their software in a professional, systematic way. They get experts in the field and folks who really know what they are doing to make sure nothing in their code or deployment is opening up websites to attack or possible compromise of data.

The whole "opening your software to hackers" thing is a stunt - a stunt with very little if any upside, and a huge potential downside. If someone brings your server to its knees with a Denial of Service attack or a weakness in the OS you are running on, you can complain from now until eternity that it wasn't "fair" but the only coverage you are going to get is "Plone gets hacked." If no one is able to hack the site, it's not really something worthy of coverage, now is it? After all, we are already well known as having one of the best security records of any CMS.

If Plone had previously been weak on security, and had gotten its act together, this might make sense. But in reality -- where Plone is a VERY secure system with a long-term record of protecting sites and data -- this kind of circus stunt is not a good idea.

Mark

Mark A Corum
User Interface Designer | Online Marketer | Certified ScrumMaster
markcorum on AOL, Googletalk, MSN, Skype, Meebo, TokBox, Facebook, Twitter and Yahoo;
"Light up the darkness." - Bob Marley
"Quis custodiet ipsos custodes?" (Who watches the watchmen?) - Juvenal, Satires
"No matter where you go ... there you are." - Buckaroo Banzai

On Thu, Nov 26, 2009 at 4:06 PM, Dylan Jay wrote:
> Worst case is really bad publicity. But then is it?
> If it got hacked we'd patch it immediately and patch most systems out there
> and we'd explain how that system works in advance. Basically use it to
> explain how open source increases security and speed of patches.
> It would also show that we take security seriously.
>
> Dylan Jay
> Technical solution manager
> PretaWeb 99552830
>
> On 27/11/2009, at 2:09 AM, Norman Fournier wrote:
>
>> Hello,
>>
>> Worst case scenario. What if we are wrong?
>>
>> Some smart punk hacks the plone and posts the hack or hints somewhere. How
>> many Macs can we afford to give away? How long can we afford to pay lawyers
>> to fight spurious claims in court?
>>
>> A risk analysis should be air-tight before any contest is publicized. Even
>> the smallest give-aways are fraught with legal complications, which is why
>> contest legal copy takes so much space on an entry form.
>>
>> For me, I am not liking this idea at all. I think there may be more
>> positive ways for plone to get this message across without exposing the
>> software to a million punk hackers with a goad like both Screw Plone and Win
>> a Mac at the same time!
>>
>> My $.02.
>>
>> Norman
>>
>> On 2009-11-25, at 10:28 PM, Nate Aune wrote:
>>
>>> I think it's a great idea. Set up a server (perhaps using the
>>> Hardening Plone howto below) and let the games begin!
>>> http://plone.org/documentation/how-to/securing-plone/
>>>
>>> Nate
>>>
>>> On Wed, Nov 18, 2009 at 11:52 AM, Jan Ulrich Hasecke
>>> wrote:
>>>> Hi all,
>>>>
>>>> what do you think about a hacking contest? We set up a plain plone site and
>>>> whoever hacks it first wins a mac or a playstation or whatever.
>>>>
>>>> All exploits must be documented of course so that we can fix them.
>>>>
>>>> We promote Plone as a secure system and can document it with the CVE entries
>>>> but often people say, yeah, but there are a lot less installations of Plone
>>>> than there are of PHP-systems, so you cannot compare the figures.
>>>>
>>>> So let's challenge the hackers!
>>>>
>>>> This could be an online event with a great publicity effect, maybe in the
>>>> run-up to the World Plone Day.
>>>>
>>>> What do you think?
>>>> juh
>>>>
>>>> Jan Ulrich Hasecke
>>>> (DZUG e.V.)
>>>>
>>>> --
>>>> DZUG e.V.
>>>> (Deutschsprachige Zope User Group)
>>>> www.dzug.org
>>>> www.zope.de
>>>
>>> --
>>> Nate Aune - na...@jazkarta.com
>>> http://www.jazkarta.com
>>> http://card.ly/natea
>>> +1 (617) 517-4953
Re: [Evangelism] Hack Plone! Win a Mac!
Worst case is really bad publicity. But then is it? If it got hacked we'd patch it immediately and patch most systems out there and we'd explain how that system works in advance. Basically use it to explain how open source increases security and speed of patches. It would also show that we take security seriously.

Dylan Jay
Technical solution manager
PretaWeb 99552830

On 27/11/2009, at 2:09 AM, Norman Fournier wrote:

> Hello,
>
> Worst case scenario. What if we are wrong?
>
> Some smart punk hacks the plone and posts the hack or hints somewhere. How many Macs can we afford to give away? How long can we afford to pay lawyers to fight spurious claims in court?
>
> A risk analysis should be air-tight before any contest is publicized. Even the smallest give-aways are fraught with legal complications, which is why contest legal copy takes so much space on an entry form.
>
> For me, I am not liking this idea at all. I think there may be more positive ways for plone to get this message across without exposing the software to a million punk hackers with a goad like both Screw Plone and Win a Mac at the same time!
>
> My $.02.
>
> Norman
>
> On 2009-11-25, at 10:28 PM, Nate Aune wrote:
>> I think it's a great idea. Set up a server (perhaps using the Hardening Plone howto below) and let the games begin!
>> http://plone.org/documentation/how-to/securing-plone/
>>
>> Nate
>>
>> On Wed, Nov 18, 2009 at 11:52 AM, Jan Ulrich Hasecke wrote:
>>> Hi all,
>>>
>>> what do you think about a hacking contest? We set up a plain plone site and whoever hacks it first wins a mac or a playstation or whatever.
>>>
>>> All exploits must be documented of course so that we can fix them.
>>>
>>> We promote Plone as a secure system and can document it with the CVE entries but often people say, yeah, but there are a lot less installations of Plone than there are of PHP-systems, so you cannot compare the figures.
>>>
>>> So let's challenge the hackers!
>>>
>>> This could be an online event with a great publicity effect, maybe in the run-up to the World Plone Day.
>>>
>>> What do you think?
>>> juh
>>>
>>> Jan Ulrich Hasecke
>>> (DZUG e.V.)
>>>
>>> --
>>> DZUG e.V.
>>> (Deutschsprachige Zope User Group)
>>> www.dzug.org
>>> www.zope.de
>>
>> --
>> Nate Aune - na...@jazkarta.com
>> http://www.jazkarta.com
>> http://card.ly/natea
>> +1 (617) 517-4953
Re: [Evangelism] Hack Plone! Win a Mac!
On 26 Nov 2009, at 15:09, Norman Fournier wrote:

> Hello,
>
> Worst case scenario. What if we are wrong?
>
> Some smart punk hacks the plone and posts the hack or hints somewhere. How many Macs can we afford to give away? How long can we afford to pay lawyers to fight spurious claims in court?
>
> A risk analysis should be air-tight before any contest is publicized. Even the smallest give-aways are fraught with legal complications, which is why contest legal copy takes so much space on an entry form.
>
> For me, I am not liking this idea at all. I think there may be more positive ways for plone to get this message across without exposing the software to a million punk hackers with a goad like both Screw Plone and Win a Mac at the same time!

You also might have difficulty getting the site hosted somewhere. If you can't get to Plone you then try the OS. If you can't get the OS you try the network... etc. For instance, probably the easiest way to get in there would be to do something like a password reset request and try and intercept the email, so you might then find an attack against an email server somewhere else as a result. Quite risky.

Hrmm... I wonder what Amazon would say about it? Wonder if you could host it on EC2? You could easily set up a FreeBSD server with Plone running on it. Lock everything else down (ssh via keys only etc).

I guess you could privately invite Plone core developers to take a pop at it first; they are likely to know any 'weak' spots, if any, in Plone itself.

-Matt

--
Matt Hamilton ma...@netsight.co.uk
Netsight Internet Solutions, Ltd. Understand. Develop. Deliver
http://www.netsight.co.uk +44 (0)117 9090901
Web Design | Zope/Plone Development & Consulting | Co-location | Hosting
Re: [Evangelism] Hack Plone! Win a Mac!
On 26.11.2009 at 16:09, Norman Fournier wrote:

> think there may be more positive ways for plone to get this message across

For example?

I think we must have clear rules. The first hacker who puts his name on the front page wins, if he documents how he did it. If we have more Macs, the first three or four hackers win, if they don't use the same exploit.

And isn't it better they find the exploit on a dummy site than on the CIA site?

juh
Re: [Evangelism] Hack Plone! Win a Mac!
Hello,

Worst case scenario. What if we are wrong? Some smart punk hacks the Plone and posts the hack or hints somewhere. How many Macs can we afford to give away? How long can we afford to pay lawyers to fight spurious claims in court? A risk analysis should be air-tight before any contest is publicized. Even the smallest give-aways are fraught with legal complications, which is why contest legal copy takes so much space on an entry form.

For me, I am not liking this idea at all. I think there may be more positive ways for Plone to get this message across without exposing the software to a million punk hackers with a goad like both Screw Plone and Win a Mac at the same time!

My $.02.

Norman

On 2009-11-25, at 10:28 PM, Nate Aune wrote:

> I think it's a great idea. Set up a server (perhaps using the Hardening Plone howto below) and let the games begin!
> http://plone.org/documentation/how-to/securing-plone/
>
> Nate
>
> On Wed, Nov 18, 2009 at 11:52 AM, Jan Ulrich Hasecke wrote:
>> Hi all,
>>
>> what do you think about a hacking contest? We set up a plain Plone site and whoever hacks it first wins a Mac or a PlayStation or whatever.
>>
>> All exploits must be documented of course so that we can fix them.
>>
>> We promote Plone as a secure system and can document it with the CVE entries, but often people say, yeah, but there are a lot less installations of Plone than there are of PHP systems, so you cannot compare the figures.
>>
>> So let's challenge the hackers!
>>
>> This could be an online event with a great publicity effect, maybe in the run-up to the World Plone Day.
>>
>> What do you think?
>> juh
>>
>> Jan Ulrich Hasecke
>> (DZUG e.V.)
>>
>> --
>> DZUG e.V. (Deutschsprachige Zope User Group)
>> www.dzug.org
>> www.zope.de
>
> --
> Nate Aune - na...@jazkarta.com
> http://www.jazkarta.com
> http://card.ly/natea
> +1 (617) 517-4953
Re: [Evangelism] Hack Plone! Win a Mac!
I think it's a great idea. Set up a server (perhaps using the Hardening Plone howto below) and let the games begin!
http://plone.org/documentation/how-to/securing-plone/

Nate

On Wed, Nov 18, 2009 at 11:52 AM, Jan Ulrich Hasecke wrote:
> Hi all,
>
> what do you think about a hacking contest? We set up a plain Plone site and whoever hacks it first wins a Mac or a PlayStation or whatever.
>
> All exploits must be documented of course so that we can fix them.
>
> We promote Plone as a secure system and can document it with the CVE entries, but often people say, yeah, but there are a lot less installations of Plone than there are of PHP systems, so you cannot compare the figures.
>
> So let's challenge the hackers!
>
> This could be an online event with a great publicity effect, maybe in the run-up to the World Plone Day.
>
> What do you think?
> juh
>
> Jan Ulrich Hasecke
> (DZUG e.V.)
>
> --
> DZUG e.V. (Deutschsprachige Zope User Group)
> www.dzug.org
> www.zope.de

--
Nate Aune - na...@jazkarta.com
http://www.jazkarta.com
http://card.ly/natea
+1 (617) 517-4953
Re: [Evangelism] Hack Plone! Win a Mac!
On 19/11/2009, at 4:52 AM, Jan Ulrich Hasecke wrote:

> Hi all,
>
> what do you think about a hacking contest? We set up a plain Plone site and whoever hacks it first wins a Mac or a PlayStation or whatever.
>
> All exploits must be documented of course so that we can fix them.
>
> We promote Plone as a secure system and can document it with the CVE entries, but often people say, yeah, but there are a lot less installations of Plone than there are of PHP systems, so you cannot compare the figures.
>
> So let's challenge the hackers!
>
> This could be an online event with a great publicity effect, maybe in the run-up to the World Plone Day.
>
> What do you think?

Nice

> juh
>
> Jan Ulrich Hasecke (DZUG e.V.)
> --
> DZUG e.V. (Deutschsprachige Zope User Group)
> www.dzug.org
> www.zope.de