Re: CAN THIS PLEASE BE THE END? Re: "The long tail of ColdFusion fail"

2014-03-30 Thread Scott Stroz
Thanx...I was doing a fine job staying out of this, then you had to drag me in... :P On Fri, Mar 28, 2014 at 5:12 PM, Justin Scott wrote: > > > OMG You mean ColdFusion 11 is public :P > > I'm hearing Stroz in the back of my head... 10.5 10.5 have a > great weekend! > > > -Justin > >

Re: CAN THIS PLEASE BE THE END? Re: "The long tail of ColdFusion fail"

2014-03-30 Thread Adam Cameron
Why would you try to stifle people's conversation? That's not like you. I'm still getting "stuff" (read: "thought exercises") from all the content on this thread. If you personally don't like this thread, maybe take responsibility for your own situation and filter it out; rather than trying t

RE: "The long tail of ColdFusion fail"

2014-03-29 Thread Jenny Gavin-Wear
Please send a photo of your world, I'd like to know what colour the sky is? You are telling ME how a sys admin or IT manager does their job? Well thanks. -Original Message- From: Dave Watts [mailto:dwa...@figleaf.com] Sent: 29 March 2014 16:50 To: cf-talk Subject: Re: "The

Re: "The long tail of ColdFusion fail"

2014-03-29 Thread Dave Watts
> Correcting the installer won't solve all problems, but it should not be the > CAUSE of problems The installer is installing an application server. Again, this is inherently dangerous, period, end of story. This particular installer sets up a web application that is needed to configure the serve

RE: "The long tail of ColdFusion fail"

2014-03-29 Thread Jenny Gavin-Wear
ng* -Original Message- From: Dave Watts [mailto:dwa...@figleaf.com] Sent: 29 March 2014 14:23 To: cf-talk Subject: Re: "The long tail of ColdFusion fail" > > > I also once had a client who did this, they were Linux heads who > > > thought that hiding the &

Re: "The long tail of ColdFusion fail"

2014-03-29 Thread Dave Watts
> > I've got bad news for you. Stick this in Google: > > [product] default vulnerability > > and prepare to be amazed. Some suggestions: PHP, IIS, Apache. Not all > > allow remote users to execute arbitrary code, but plenty do. > > I get it. Because other technologies and applications are bad it'

Re: "The long tail of ColdFusion fail"

2014-03-29 Thread Russ Michaels
I don't think anyone has said that the CF installer should magically secure their applications, this is a whole different issue and no blame can be laid at Adobe's feet or the installer for poorly written code. On Sat, Mar 29, 2014 at 2:23 PM, Dave Watts wrote: > > > > > I also once had a clie

Re: "The long tail of ColdFusion fail"

2014-03-29 Thread Dave Watts
> > > I also once had a client who did this, they were Linux heads who thought > > > that hiding the "sucky insecure windows/cf server" behind a linux server > > > and doing a reverse proxy would make it secure. > > > > There is no such thing as "make it secure", of course. But it is more > > secu

Re: "The long tail of ColdFusion fail"

2014-03-29 Thread Dave Watts
> Dave, I am curious. Have you ever, even once, changed your mind because of > what someone has told you? Since you ask, sure, all the time. I respond to evidence and logic. I just don't think those two things support your position as strongly as you think they do. Dave Watts, CTO, Fig Leaf Sof

Re: "The long tail of ColdFusion fail"

2014-03-29 Thread Bobby
wa...@figleaf.com] >Sent: 28 March 2014 18:07 >To: cf-talk >Subject: Re: "The long tail of ColdFusion fail" > > >> if you think no-one uses Windows web servers then you are wrong, very >wrong. > >Uh, yeah, I know that. That was my point. > >> It wou

RE: "The long tail of ColdFusion fail"

2014-03-29 Thread Jenny Gavin-Wear
+1 -Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: 28 March 2014 20:42 To: cf-talk Subject: Re: "The long tail of ColdFusion fail" A locked door is useless if you leave the windows open. Russ Michaels www.michaels.me.uk cfmldeveloper.com

RE: "The long tail of ColdFusion fail"

2014-03-29 Thread Jenny Gavin-Wear
-Original Message- From: Dave Watts [mailto:dwa...@figleaf.com] Sent: 28 March 2014 18:41 To: cf-talk Subject: Re: "The long tail of ColdFusion fail" >>I've got bad news for you. Stick this in Google: >>[product] default vulnerability >>and prepare to

RE: "The long tail of ColdFusion fail"

2014-03-29 Thread Jenny Gavin-Wear
>From what I have learnt from this thread so far, Adobe has actually got worse. -Original Message- From: Claude Schnéegans >It's Microsoft's approach ... now. But it took them a long time to get there. You're probably right. The point here is t

RE: "The long tail of ColdFusion fail"

2014-03-29 Thread Jenny Gavin-Wear
Dave, I am curious. Have you ever, even once, changed your mind because of what someone has told you? -Original Message- From: Dave Watts [mailto:dwa...@figleaf.com] Sent: 28 March 2014 18:07 To: cf-talk Subject: Re: "The long tail of ColdFusion fail" > if you thin

RE: "The long tail of ColdFusion fail"

2014-03-29 Thread Jenny Gavin-Wear
So cost has nothing to do with it. How enlightening, as ever. -Original Message- From: Dave Watts [mailto:dwa...@figleaf.com] Sent: 28 March 2014 17:52 To: cf-talk Subject: Re: "The long tail of ColdFusion fail" > sure something may break by being locked down, but as I

Re: CAN THIS PLEASE BE THE END? Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Maureen
The scenario you describe is vastly different than me telling my clients if they want the next version of my software to be secure they have to download and install a beta with known problems, test it, record flaws, suggest features and solicit votes for those flaws to be fixed and the features to

Re: CAN THIS PLEASE BE THE END? Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Andrew Scott
Justin, yes I reported this to Adobe during the ColdFusion 10 beta. I can confirm and hope that by the fact that the ticket has been marked fixed, that this is now in ColdFusion 11 as a fix. Regards, Andrew Scott WebSite: http://www.andyscott.id.au/ Google+: http://plus.google.com/1130324804159

Re: CAN THIS PLEASE BE THE END? Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Andrew Scott
Maureen, This is one of my extreme pet peeves with Adobe, in the last 10+ years, is the length of time it takes from a bug being reported to being fixed is in the years, not days or months, but literally years. I have bugs that were reported in the 2006-2008 days, that are still not fixed in Col

Re: CAN THIS PLEASE BE THE END? Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Justin Scott
> Also, QA and debugging are usually paid positions, except for open > source software. If Adobe wants to make CF open source, I will be > happy to volunteer some time to help fix it. Otherwise, not my job. Bugs happen... as a developer I'm sure you've had clients bring bugs to you and you've a

Re: CAN THIS PLEASE BE THE END? Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Maureen
Oh, does he work at Adobe now? On Fri, Mar 28, 2014 at 5:35 PM, Jerry Milo Johnson wrote: > > For the Love of God > > > On Fri, Mar 28, 2014 at 8:30 PM, Maureen wrote: > >> >> There are people doing that, and their entries are being closed >> without comment, even when they request comment.

Re: CAN THIS PLEASE BE THE END? Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Jerry Milo Johnson
For the Love of God On Fri, Mar 28, 2014 at 8:30 PM, Maureen wrote: > > There are people doing that, and their entries are being closed > without comment, even when they request comment. So what's the point? > > Also, QA and debugging are usually paid positions, except for open > source s

Re: CAN THIS PLEASE BE THE END? Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Maureen
There are people doing that, and their entries are being closed without comment, even when they request comment. So what's the point? Also, QA and debugging are usually paid positions, except for open source software. If Adobe wants to make CF open source, I will be happy to volunteer some time

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Gerald Guido
If you pound sand long enough it might turn into glass. Or not. One of my favorite quotes from a friend I used to work with was: "Is the juice worth the squeeze?". Southern wisdom at its finest. G! -- Gerald Guido Twitter Blarg

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Bobby
Re: The long tail of analogy hell. On 3/28/14, 4:42 PM, "Russ Michaels" wrote: > >A locked door is useless if you leave the windows open. > >Russ Michaels >www.michaels.me.uk >cfmldeveloper.com >cflive.net >cfsearch.com >On 28 Mar 2014 19:09, "Dave Watts" wrote: > >> >> > I also once had a cl

Re: CAN THIS PLEASE BE THE END? Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Justin Scott
> OMG You mean ColdFusion 11 is public :P I'm hearing Stroz in the back of my head... 10.5 10.5 have a great weekend! -Justin ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthol

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Russ Michaels
A locked door is useless if you leave the windows open. Russ Michaels www.michaels.me.uk cfmldeveloper.com cflive.net cfsearch.com On 28 Mar 2014 19:09, "Dave Watts" wrote: > > > I also once had a client who did this, they were Linux heads who thought > > that hiding the "sucky insecure windows

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Dave Watts
> I also once had a client who did this, they were Linux heads who thought > that hiding the "sucky insecure windows/cf server" behind a linux server > and doing a reverse proxy would make it secure. There is no such thing as "make it secure", of course. But it is more secure. It solves one speci

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Russ Michaels
I also once had a client who did this, they were Linux heads who thought that hiding the "sucky insecure windows/cf server" behind a linux server and doing a reverse proxy would make it secure. But of course it didn't as everything still works the same way, the SQL injections still got through, th

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Jon Clausen
Jordan and Dave, Thanks! You just helped me solve a totally unrelated problem on an IIS site with a lot of static content requests. I’ve got several servers using Apache as a reverse proxy to NGINX but I don’t know why it didn’t occur to me to look in to doing the same for IIS... Jon On M

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Dave Watts
> The idea that any application is installed on a server that is open to the > internet, or even if used internally, should be installed in such a way that > is open to hacking by default is, quite frankly, ridiculous. I've got bad news for you. Stick this in Google: [product] default vulnerabil

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Jordan Michaels
On 03/28/2014 11:13 AM, Dave Watts wrote: > Very busy sites are likely to have better infrastructure. IIS can function great as a reverse proxy. You'd think these companies would want to save the cost of training their employees on new web servers/proxies when they could simply use IIS for this

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Dave Watts
> I am particularly amused by the last category where NGINX has more > market share than IIS in the top million busiest sites. I'm not all that surprised. Very busy sites are likely to have better infrastructure. Nginx makes a very good reverse proxy for internal servers. I have a customer in the

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Russ Michaels
I doubt it would have made any difference as there still would have been only the same choices, and the reasons for choosing Windows over Linux or Others would have remained the same, for folks that wanted a simple GUI to work either vs command line. On Fri, Mar 28, 2014 at 6:04 PM, Dave Watts

Re: CAN THIS PLEASE BE THE END? Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Andrew Scott
OMG You mean ColdFusion 11 is public :P Regards, Andrew Scott WebSite: http://www.andyscott.id.au/ Google+: http://plus.google.com/113032480415921517411 On Sat, Mar 29, 2014 at 4:38 AM, Steve 'Cutter' Blades < cold.fus...@cutterscrossing.com> wrote: > > Good Gawd! Some of you are like a dog

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Claude Schnéegans
>>It's Microsoft's approach ... now. But it took them a long time to get there. You're probably right. The point here is that it is taking even longer for Adobe.

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Jordan Michaels
On 03/28/2014 10:52 AM, Dave Watts wrote: > This explains why absolutely no one uses Windows web servers. Some data on this topic: http://news.netcraft.com/archives/2014/03/03/march-2014-web-server-survey.html IIS looks great in the "all sites" category but is seemingly dead in the "Active" si

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Dave Watts
> if you think no-one uses Windows web servers then you are wrong, very wrong. Uh, yeah, I know that. That was my point. > It would seem you also think that Windows is not locked down by default, > that may have been true once upon a time, but is no longer the case and > hasn't been for many yea

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Wil Genovese
I see lessons in seeing sarcasm are needed…… Wil Genovese Sr. Web Application Developer/ Systems Administrator CF Webtools www.cfwebtools.com wilg...@trunkful.com www.trunkful.com On Mar 28, 2014, at 1:02 PM, Russ Michaels wrote: > > if you think no-one uses Windows web servers then you ar

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Dave Watts
> >>2. out of the box, locked down and secure, but site may break, so you have > > And this is Microsoft's It's Microsoft's approach ... now. But it took them a long time to get there. And the sheer weight of legacy code probably had something to do with that. And I think Microsoft server produc

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Wil Genovese
>>> >>> Imagine a family buys a car, and by default the airbags and anti-lock >>> brakes are not enabled. > > Indeed, they are in the trunk, under the spare tire, but it's up to you to go > to the manufacturer's site and download instructions to install them ;-) Obviously none of you have ev

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Russ Michaels
if you think no-one uses Windows web servers then you are wrong, very wrong. It would seem you also think that Windows is not locked down by default, that may have been true once upon a time, but is no longer the case and hasn't been for many years. Certainly since Windows Server 2008, you must spe

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Russ Michaels
Consider this: Imagine a family buys a car, and by default the airbags and anti-lock brakes are not enabled. Somewhere deep in the manual is a mention of following a "safety setup guide" and you are expected to follow this guide and make changes to your car to make it safe and secure. Now imagine th

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Claude Schnéegans
>>but for CF to have a backdoor entry point as standard in the install is plainly stupid and it has not helped sell CF as an option. This is exactly the point.

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Dave Watts
> > If you let your nephew install a server and don't > > bother to double check his work, that is *your* fault, no one else. > > What does this matter when the bad juju blows back publicly on the product > itself? > > Blaming the customer for problems in other channels typically doesn't tend > to

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Claude Schnéegans
>>Imagine a family buys a car, and by default the airbags and anti-lock brakes >>are not enabled. Indeed, they are in the trunk, under the spare tire, but it's up to you to go to the manufacturer's site and download instructions to install them ;-)

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Claude Schnéegans
>>1. out of the box install, not secure, but your site works just fine.. This is Adobe's approach >>2. out of the box, locked down and secure, but site may break, so you have And this is Microsoft's You're quite right.

Re: CAN THIS PLEASE BE THE END? Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Russ Michaels
I think you will find many folks already did that years ago, myself included. On Fri, Mar 28, 2014 at 5:38 PM, Steve 'Cutter' Blades < cold.fus...@cutterscrossing.com> wrote: > > Good Gawd! Some of you are like a dog with a bone. > > The facts: > 1) Something Happened > 2) It Got Publicized > 3

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Claude Schnéegans
>>Application servers are inherently complex, and it takes a certain level of expertise to set them up. There's no getting around that. You're right. However, there are two approaches that can be taken in installation procedures. One year ago I had to move from a W2003 to a W2008 server and to a

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Dave Watts
> sure something may break by being locked down, but as I said earlier, you > have 2 choices.. > > 1. out of the box install, not secure, but your site works just fine.. So > nothing to learn unless you choose to. User continues in blissful ignorance. > 2. out of the box, locked down and secure,

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Russ Michaels
It doesn't take any expertise, this is the whole point: anyone can do it (badly). Sure, something may break by being locked down, but as I said earlier, you have 2 choices.. 1. out of the box install, not secure, but your site works just fine.. So nothing to learn unless you choose to. User conti

Re: CAN THIS PLEASE BE THE END? Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Jon Clausen
> You have all said your piece here, > in the very public openness of the web, where Google will pick it up and > run, and allow the naysayers to say "see, even their own community…" ^^ +1 ^^

CAN THIS PLEASE BE THE END? Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Steve 'Cutter' Blades
Good Gawd! Some of you are like a dog with a bone. The facts: 1) Something Happened 2) It Got Publicized 3) There Are A Lot of Ticked Off People We can debate who is at fault until we are blue in the face. The fact of the matter is, all of it is in the past. We can not change the past. Adobe (

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Money Pit
Dave wrote > But I think there's an important difference in expectations between > providing services and selling tools. My customers expect me to know > how to do things right - to understand how my tools work. When you buy > a tool, you are expected to know how to use the tool, and there is > on

RE: "The long tail of ColdFusion fail"

2014-03-28 Thread Jenny Gavin-Wear
I can't say I've read every post, but I have read most. One point I'd like to take up is this business of the CF install and security. I've seen all sorts of statements made about sys admins and their duties which as a past sys admin and IT Manager I found interesting. The idea that any applica

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Money Pit
> If you let your nephew install a server and don't > bother to double check his work, that is *your* fault, no one else. What does this matter when the bad juju blows back publicly on the product itself? Blaming the customer for problems in other channels typically doesn't tend to end well for

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Justin Scott
> I am picturing a 2-fold system. A web-based "scan for common > vulnerabilities from outside", and a more detailed "scan the system from > inside". Hi Jerry, you basically just described HackMyCF.com and their security scanner and monitoring tool. -Justin

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Roger Austin
Maureen wrote: > > Honestly, if you are selling a software product that requires > additional lock down after installation, you might could get the > attention of those hiding in their cubicle by putting a large notice > of such at the beginning of the installation instructions. No one >

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Jerry Milo Johnson
After days of cringing as these emails come through, I am going to chime in briefly. If there is such a glaring hole in the Coldfusion platform, and there is a need for it to be filled, is there an obvious business/product opportunity here? The Coldfusion ecosystem is large, and as the title sug

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Adam Cameron
Sorry, forgot to come back to this. > This is not a false analogy because [etc] But it *is* a false analogy because it's generally a government requirement for people to be licensed to drive a car before they can use one, so it's reasonable to assume from the outset of the sale process that a

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Maureen
On Thu, Mar 27, 2014 at 8:14 PM, Raymond Camden wrote: > > Right - but you said Adobe was ignoring this. Please back your statement > up. I said the CF team could possibly do more. But I do not agree that they > are ignoring the issue. I did not say Adobe was ignoring the issue, I said that som

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Russ Michaels
Except everyone I know who has tried to follow the lock down guide has ended up with a broken CF server. Russ Michaels www.michaels.me.uk cfmldeveloper.com cflive.net cfsearch.com On 28 Mar 2014 02:43, "Raymond Camden" wrote: > > > > > > > Paying attention to the requirement to inform these peopl

Re: "The long tail of ColdFusion fail"

2014-03-28 Thread Russ Michaels
The bare minimum should at least be as I stated. Russ Michaels www.michaels.me.uk cfmldeveloper.com cflive.net cfsearch.com On 28 Mar 2014 03:16, "Raymond Camden" wrote: > > As has been explained *multiple* times, there is no one solution (in terms > of settings) that will work for everyone. Th

Re: "The long tail of ColdFusion fail"

2014-03-27 Thread Andrew Scott
And how many people have we helped who have updated their CF 10 install, then start asking for help because their cgi scope is broken... Who have not read the message to update their connectors!! Regards, Andrew Scott WebSite: http://www.andyscott.id.au/ Google+: http://plus.google.com/113032480

Re: "The long tail of ColdFusion fail"

2014-03-27 Thread Andrew Scott
Don't get me started on the cheap clients, who want to have full control of the server, which means their own. But will not pay for anyone to manage it. Do you know how many jobs I have rejected like that :-) Regards, Andrew Scott WebSite: http://www.andyscott.id.au/ Google+: http://plus.google

Re: "The long tail of ColdFusion fail"

2014-03-27 Thread Wil Genovese
Only if it was flashing in huge red letters with the BLINK tag. Then again, some will still miss that. :) On Mar 27, 2014, at 10:16 PM, Raymond Camden wrote: > > I *do* think that at the end of the installation, linking to the lock down > guide would be useful. Wil Genovese Sr. Web Applic

Re: "The long tail of ColdFusion fail"

2014-03-27 Thread Raymond Camden
As has been explained *multiple* times, there is no one solution (in terms of settings) that will work for everyone. Therefore there must be some position made where the software says, I'll lock down A and B, but I don't think I can *always* lock C. I *do* think that at the end of the installatio

Re: "The long tail of ColdFusion fail"

2014-03-27 Thread Raymond Camden
On Thu, Mar 27, 2014 at 10:09 PM, Maureen wrote: > > Of course users should take responsibility. But corporations have a > responsibility to their users to inform them as well. We are all > aware that those managing servers SHOULD be knowledgeable and > competent, however in the real world,

Re: "The long tail of ColdFusion fail"

2014-03-27 Thread Maureen
Honestly, if you are selling a software product that requires additional lock down after installation, you might could get the attention of those hiding in their cubicle by putting a large notice of such at the beginning of the installation instructions. No one should have to find out about softw

Re: "The long tail of ColdFusion fail"

2014-03-27 Thread Maureen
Of course users should take responsibility. But corporations have a responsibility to their users to inform them as well. We are all aware that those managing servers SHOULD be knowledgeable and competent, however in the real world, that is not always the case and never will be. So dealing wi

Re: "The long tail of ColdFusion fail"

2014-03-27 Thread Andrew Scott
same... I have in my years been at job interviews with people who have programmed CF for as long as I have, but have never heard of them before the interview. Regards, Andrew Scott WebSite: http://www.andyscott.id.au/ Google+: http://plus.google.com/113032480415921517411 On Fri, Mar 28, 20

Re: "The long tail of ColdFusion fail"

2014-03-27 Thread Andrew Scott
Yeah, well, I agree Ray, but they are also the people getting cheap VPS's and not securing their servers too. What we can do, I am not sure there is any more than what is being done... Regards, Andrew Scott WebSite: http://www.andyscott.id.au/ Google+: http://plus.google.com/113032480415921517411

Re: "The long tail of ColdFusion fail"

2014-03-27 Thread Wil Genovese
Honestly if these people are living under their cubicle desk then I have no clue how to get their attention. It’s not as if no one is talking about ColdFusion security and certainly not as if the main stream news media is reporting security breaches. If someone chooses to stay uninformed there

Re: "The long tail of ColdFusion fail"

2014-03-27 Thread Raymond Camden
If securing your server is considered extra curricular activity - ie stuff you would do at a user group - then your priorities are way out of whack. (I mean you in general, not you specifically Andrew. ;) On Thu, Mar 27, 2014 at 9:46 PM, Andrew Scott wrote: > > Ray, > > Probably not... Other pe

Re: "The long tail of ColdFusion fail"

2014-03-27 Thread Andrew Scott
Ray, Probably not... Other people should also remember that not everyone spends time online in groups, they are 9 to 5 developers who have a life. These are the people who set these things up, these are the people that aren't being reached. Can more be done, don't think so. Regards, Andrew Scott

Re: "The long tail of ColdFusion fail"

2014-03-27 Thread Raymond Camden
> > > Paying attention to the requirement to inform these people about the > need for extra lock down early in the process would be more effective > in solving the problem than Adobe employees and evangelists ignoring > the fact that these people exist and doing nothing more than yelling > Um...

Re: "The long tail of ColdFusion fail"

2014-03-27 Thread Wil Genovese
Ray, Yes that is pretty much the case. I spend a lot of my time cleaning up and securing servers that have been left unsecured. It happens all the time. I do more server work than code these days. Wil Genovese Sr. Web Application Developer/ Systems Administrator CF Webtools www.cfwebtools.com

Re: "The long tail of ColdFusion fail"

2014-03-27 Thread Maureen
Yes Raymond, in the world I live in where I often have to go in and clean up a mess made by inexperienced developers or the client's nerdy nephew, there are people who are unaware that extra server lock down would be necessary. There are also noobs who get hired at web hosting companies who don't

Re: "The long tail of ColdFusion fail"

2014-03-27 Thread Russ Michaels
Sadly quite common; sysadmins and hosting companies even do it. The reason is that they think it works in the same way as CGI scripts and is locked down by the same rules that PHP et al are, which is not the case because it runs as a service, not a process. Russ Michaels www.michaels.me.uk cfmld

Re: "The long tail of ColdFusion fail"

2014-03-27 Thread Raymond Camden
On Thu, Mar 27, 2014 at 8:12 PM, Maureen wrote: > > And that "direction on how to secure it more" exists where exactly? > Is it in the install instructions, or only in some obscure document > that a person unfamiliar with the need for security might not know > about? > > So to be clear - there a

Re: "The long tail of ColdFusion fail"

2014-03-27 Thread Maureen
And that "direction on how to secure it more" exists where exactly? Is it in the install instructions, or only in some obscure document that a person unfamiliar with the need for security might not know about? On Wed, Mar 26, 2014 at 9:16 AM, DURETTE, STEVEN J wrote: > > > We can't please everyo

RE: "The long tail of ColdFusion fail"

2014-03-27 Thread Jenny Gavin-Wear
Exactly. -Original Message- From: Adam Cameron [mailto:dacc...@gmail.com] Sent: 26 March 2014 14:27 To: cf-talk Subject: Re: "The long tail of ColdFusion fail" If it only works on localhost *by default*, then this mitigates most of the problem just like that. -- Adam O

Re: "The long tail of ColdFusion fail"

2014-03-27 Thread Claude Schnéegans
>>Development servers don't need a secure setup if they're not exposed to untrusted networks. Obviously we were not talking about development servers in this thread ;-)

Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Matt Quackenbush
On Wed, Mar 26, 2014 at 5:21 PM, Raymond Camden wrote: > > On Wed, Mar 26, 2014 at 3:58 PM, Dave Watts wrote: > > > > > > Except that in your analogy, it is obvious that one needs to open the > > doors from time to time in order to > > > be able to use the car. > > > With CF, there is never a goo

Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Raymond Camden
On Wed, Mar 26, 2014 at 3:58 PM, Dave Watts wrote: > > > Except that in your analogy, it is obvious that one needs to open the > doors from time to time in order to > > be able to use the car. > > With CF, there is never a good reason to leave the server unlocked. > > Sure there is. Development s

Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Dave Watts
> Except that in your analogy, it is obvious that one needs to open the doors > from time to time in order to > be able to use the car. > With CF, there is never a good reason to leave the server unlocked. Sure there is. Development servers don't need a secure setup if they're not exposed to untr

Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Claude Schnéegans
>>I like this analogy... You buy a new Ford Fusion. Ford tells you about how >>closing the doors and locking it is a security feature. Then, you go park in a high crime area with the car running, keys in the ignition and the doors wide open. Except that in your analogy, it is obvious that one

Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Money Pit
I won't try to re-hash the entirely valid points Dave, Ben and others make regarding the needed skill set that a server admin should have, nor where the blame lies if a server is left unprotected/unpatched etc. Consider this counterpoint: When a situation like the current one arises... what do t

RE: "The long tail of ColdFusion fail"

2014-03-26 Thread DURETTE, STEVEN J
+ 1 -Original Message- From: Wil Genovese [mailto:jugg...@trunkful.com] Sent: Wednesday, March 26, 2014 12:56 PM To: cf-talk Subject: Re: "The long tail of ColdFusion fail" I'll weigh in on this for a few reasons. One of the servers in the Krebs article is one that I w

Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Wil Genovese
I’ll weigh in on this for a few reasons. One of the servers in the Krebs article is one that I was called in to fix. I’ve had to investigate/fix several other breached servers over the past year. All were new to us clients that came to us with a breached server. Another reason is that I maintai

Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Andrew Scott
Well that goes without saying Regards, Andrew Scott WebSite: http://www.andyscott.id.au/ Google+: http://plus.google.com/113032480415921517411 On Thu, Mar 27, 2014 at 3:16 AM, DURETTE, STEVEN J wrote: > > How about this issue. You lock down ColdFusion to the max and CFFile is > complete

Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Russ Michaels
I think it is that simple, CF can be installed secure or not secure regardless of someone's understanding of the server or how it works. that is no different than saying, it is impossible for windows or Linux to be installed securely by default, of course they can, and are. Some of the most basic p

RE: "The long tail of ColdFusion fail"

2014-03-26 Thread DURETTE, STEVEN J
d I believe the standard pretty much everywhere is install open with lockdown options and give direction on how to secure it more. -Original Message- From: Andrew Scott [mailto:andr...@andyscott.id.au] Sent: Wednesday, March 26, 2014 11:46 AM To: cf-talk Subject: Re: "The long tail of

Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Andrew Scott
I agree with Ben and Dave There was a point, where I was siding with Adam on this. But Ben you make a good point, which I think Dave was trying to get at. SysAdmins by default are the type that want to do everything, they need to know what it is they have control over. Therefore, if Adobe in

Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Claude Schnéegans
>> ignore a public facing server, you are asking for trouble We all have public facing applications, including banks, CIA, FBI, etc, simply protected by a password, but we usually do not have undocumented backdoors ;-) If the CF administrator didn't have this undocumented function allowing to

Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Claude Schnéegans
>>It's daft to facilitate the [potentially dangerous thing] And I don't know if everyone knows why it was insecure to have the Administrator in a conventional place. I got my server hacked like many of us, and I checked in the logs how the guy had access to the administrator. I discovered that
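The log check Claude describes above (working out from the web server logs who reached the administrator) is the kind of thing worth scripting. The following is an added example, not code from the thread or from Adobe: it parses combined-format access log lines, picks out requests to the CFIDE administrator paths, and flags any that did not come from an allow-listed admin network. The sample log lines are constructed for the example, and /CFIDE/adminapi is included as an assumption (another CFIDE path normally restricted alongside /CFIDE/administrator, which is the one the thread talks about).

```python
import re
import ipaddress

# Constructed sample access-log lines (combined log format); not from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Mar/2014:10:51:02 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Mar/2014:10:52:10 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 8312 "-" "Mozilla/5.0"
198.51.100.23 - - [26/Mar/2014:10:53:44 +0000] "POST /cfide/administrator/enter.cfm HTTP/1.1" 302 0 "-" "curl/7.30"
192.0.2.9 - - [26/Mar/2014:10:54:01 +0000] "GET /index.cfm HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths that should only be reachable from an administrative network.
# /CFIDE/administrator is the one discussed in the thread; /CFIDE/adminapi
# is an assumption added for this example.
ADMIN_PREFIXES = ("/cfide/administrator", "/cfide/adminapi")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_admin_path(path):
    """Case-insensitive prefix match, ignoring any query string.
    IIS on Windows serves /cfide/ and /CFIDE/ alike, so do not trust case."""
    p = path.split("?", 1)[0].lower()
    return p.startswith(ADMIN_PREFIXES)


def flag_admin_requests(log_text, allowed_networks):
    """Return the records for admin-path requests from outside allowed_networks.

    allowed_networks: iterable of CIDR strings, e.g. ["10.0.0.0/8"].
    Lines that do not parse, or whose source is not a valid IP, are skipped.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_admin_path(rec["path"]):
            continue
        try:
            src = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue
        if any(src in n for n in nets):
            continue  # came from the admin network, expected
        hits.append(rec)
    return hits


if __name__ == "__main__":
    # A 200 here means an untrusted source got the admin page, not a block.
    for h in flag_admin_requests(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
```

Read the status column on the flagged lines: a 403 or 404 means the web server is already refusing the administrator path to outsiders, while a 200 or a 302 after a POST to the login page means the path is open and you need to look at what that source did next. If the server sits behind a proxy or load balancer, the first field will be the proxy's address and you will have to parse the forwarded client IP from the log instead.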

RE: "The long tail of ColdFusion fail"

2014-03-26 Thread DURETTE, STEVEN J
sage- From: Adam Cameron [mailto:dacc...@gmail.com] Sent: Wednesday, March 26, 2014 10:55 AM To: cf-talk Subject: Re: "The long tail of ColdFusion fail" The doors are locked by default though, aren't they? Plus it's a bit of a false analogy<http://en.wikipedia.org/wiki/Fal

Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Ben Forta
Sure, the installer could make things simpler, and maybe should. But, that's a double edged sword, make things easier and admins will be even less likely to learn and manage what they really need to. At the end of the day, whether it is Windows or Apache or your mail server or CF or Java or Ora

Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Roger Austin
Dave Watts wrote: > In the case where everything's locked down by default, nothing works, > and admins need to learn how to remove security to allow access to a > web application. This reminds me of finding a scientific server where everyone in the department was an administrator. When I

Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Adam Cameron
On 26 March 2014 14:54, <> wrote: > > >>It's up to you to understand how web servers and web applications work, > and set it up > > My point is that I'm pretty sure everything I've done by hand to move > CFIDE/administrator and declare a virtual directory to some special web > site could be done

Re: "The long tail of ColdFusion fail"

2014-03-26 Thread Adam Cameron
The doors are locked by default though, aren't they? Plus it's a bit of a false analogy anyhow. On 26 March 2014 14:44, DURETTE, STEVEN J wrote: > > I like this analogy... You buy a new Ford Fusion. Ford tells you about how > closing the doors and lo
