Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail

2014-03-30 Thread Adam Cameron
Why would you try to stifle people's conversation? That's not like you. I'm still getting stuff (read: thought exercises) from all the content on this thread. If you personally don't like this thread, maybe take responsibility for your own situation and filter it out; rather than trying to

Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail

2014-03-30 Thread Scott Stroz
Thanx...I was doing a fine job staying out of this, then you had to drag me in... :P On Fri, Mar 28, 2014 at 5:12 PM, Justin Scott leviat...@darktech.org wrote: OMG You mean ColdFusion 11 is public :P I'm hearing Stroz in the back of my head... 10.5 10.5 have a great weekend!

RE: The long tail of ColdFusion fail

2014-03-29 Thread Jenny Gavin-Wear
So cost has nothing to do with it. How enlightening, as ever. -Original Message- From: Dave Watts [mailto:dwa...@figleaf.com] Sent: 28 March 2014 17:52 To: cf-talk Subject: Re: The long tail of ColdFusion fail sure something may break by being locked down, but as I said earlier

RE: The long tail of ColdFusion fail

2014-03-29 Thread Jenny Gavin-Wear
Dave, I am curious. Have you ever, even once, changed your mind because of what someone has told you? -Original Message- From: Dave Watts [mailto:dwa...@figleaf.com] Sent: 28 March 2014 18:07 To: cf-talk Subject: Re: The long tail of ColdFusion fail if you think no-one uses Windows

RE: The long tail of ColdFusion fail

2014-03-29 Thread Jenny Gavin-Wear
Subject: Re: The long tail of ColdFusion fail It's Microsoft's approach ... now. But it took them a long time to get there. You're probably right. The point here is that it is taking even a longer time to Adobe.

RE: The long tail of ColdFusion fail

2014-03-29 Thread Jenny Gavin-Wear
-Original Message- From: Dave Watts [mailto:dwa...@figleaf.com] Sent: 28 March 2014 18:41 To: cf-talk Subject: Re: The long tail of ColdFusion fail I've got bad news for you. Stick this in Google: [product] default vulnerability and prepare to be amazed. Some suggestions: PHP, IIS

RE: The long tail of ColdFusion fail

2014-03-29 Thread Jenny Gavin-Wear
+1 -Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: 28 March 2014 20:42 To: cf-talk Subject: Re: The long tail of ColdFusion fail A locked door is useless if you leave the windows open. Russ Michaels www.michaels.me.uk cfmldeveloper.com cflive.net

Re: The long tail of ColdFusion fail

2014-03-29 Thread Bobby
] Sent: 28 March 2014 18:07 To: cf-talk Subject: Re: The long tail of ColdFusion fail if you think no-one uses Windows web servers then you are wrong, very wrong. Uh, yeah, I know that. That was my point. It would seem you also think that Windows is not locked down by default, that may have

Re: The long tail of ColdFusion fail

2014-03-29 Thread Dave Watts
Dave, I am curious. Have you ever, even once, changed your mind because of what someone has told you? Since you ask, sure, all the time. I respond to evidence and logic. I just don't think those two things support your position as strongly as you think they do. Dave Watts, CTO, Fig Leaf

Re: The long tail of ColdFusion fail

2014-03-29 Thread Dave Watts
I also once had a client who did this, they were Linux heads who thought that hiding the sucky insecure windows/cf server behind a linux server and doing a reverse proxy would make it secure. There is no such thing as "make it secure", of course. But it is more secure. It solves one

Re: The long tail of ColdFusion fail

2014-03-29 Thread Russ Michaels
I don't think anyone has said that the CF installer should magically secure their applications, this is a whole different issue and no blame can be laid at Adobe's feet or the installer for poorly written code. On Sat, Mar 29, 2014 at 2:23 PM, Dave Watts dwa...@figleaf.com wrote: I also

Re: The long tail of ColdFusion fail

2014-03-29 Thread Dave Watts
I've got bad news for you. Stick this in Google: [product] default vulnerability and prepare to be amazed. Some suggestions: PHP, IIS, Apache. Not all allow remote users to execute arbitrary code, but plenty do. I get it. Because other technologies and applications are bad it's fine

RE: The long tail of ColdFusion fail

2014-03-29 Thread Jenny Gavin-Wear
...@figleaf.com] Sent: 29 March 2014 14:23 To: cf-talk Subject: Re: The long tail of ColdFusion fail I also once had a client who did this, they were Linux heads who thought that hiding the sucky insecure windows/cf server behind a linux server and doing a reverse proxy would make

Re: The long tail of ColdFusion fail

2014-03-29 Thread Dave Watts
Correcting the installer won't solve all problems, but it should not be the CAUSE of problems The installer is installing an application server. Again, this is inherently dangerous, period, end of story. This particular installer sets up a web application that is needed to configure the

RE: The long tail of ColdFusion fail

2014-03-29 Thread Jenny Gavin-Wear
Please send a photo of your world, I'd like to know what colour the sky is? You are telling ME how a sys admin or IT manager does their job? Well thanks. -Original Message- From: Dave Watts [mailto:dwa...@figleaf.com] Sent: 29 March 2014 16:50 To: cf-talk Subject: Re: The long tail

Re: The long tail of ColdFusion fail

2014-03-28 Thread Russ Michaels
The bare minimum should at least be as I stated. Russ Michaels www.michaels.me.uk cfmldeveloper.com cflive.net cfsearch.com On 28 Mar 2014 03:16, Raymond Camden raymondcam...@gmail.com wrote: As has been explained *multiple* times, there is no one solution (in terms of settings) that will

Re: The long tail of ColdFusion fail

2014-03-28 Thread Russ Michaels
Except everyone I know who has tried to follow the lock down guide has ended up with a broken CF server. Russ Michaels www.michaels.me.uk cfmldeveloper.com cflive.net cfsearch.com On 28 Mar 2014 02:43, Raymond Camden raymondcam...@gmail.com wrote: Paying attention to the requirement to

Re: The long tail of ColdFusion fail

2014-03-28 Thread Maureen
On Thu, Mar 27, 2014 at 8:14 PM, Raymond Camden raymondcam...@gmail.com wrote: Right - but you said Adobe was ignoring this. Please back your statement up. I said the CF team could possibly do more. But I do not agree that they are ignoring the issue. I did not say Adobe was ignoring the

Re: The long tail of ColdFusion fail

2014-03-28 Thread Adam Cameron
Sorry, forgot to come back to this. This is not a false analogy because [etc] But it *is* a false analogy because it's generally a government requirement for people to be licensed to drive a car before they can use one, so it's reasonable to assume from the outset of the sale process that a

Re: The long tail of ColdFusion fail

2014-03-28 Thread Jerry Milo Johnson
After days of cringing as these emails come through, I am going to chime in briefly. If there is such a glaring hole in the Coldfusion platform, and there is a need for it to be filled, is there an obvious business/product opportunity here? The Coldfusion ecosystem is large, and as the title

Re: The long tail of ColdFusion fail

2014-03-28 Thread Roger Austin
Maureen mamamaur...@gmail.com wrote: Honestly, if you are selling a software product that requires additional lock down after installation, you might could get the attention of those hiding in their cubicle by putting a large notice of such at the beginning of the installation

Re: The long tail of ColdFusion fail

2014-03-28 Thread Justin Scott
I am picturing a 2-fold system. A web-based scan for common vulnerabilities from outside, and a more detailed scan of the system from inside. Hi Jerry, you basically just described HackMyCF.com and their security scanner and monitoring tool. -Justin

Re: The long tail of ColdFusion fail

2014-03-28 Thread Money Pit
If you let your nephew install a server and don't bother to double check his work, that is *your* fault, no one else. What does this matter when the bad juju blows back publicly on the product itself? Blaming the customer for problems in other channels typically doesn't tend to end well for

RE: The long tail of ColdFusion fail

2014-03-28 Thread Jenny Gavin-Wear
I can't say I've read every post, but I have read most. One point I'd like to take up is this business of the CF install and security. I've seen all sorts of statements made about sys admins and their duties which as a past sys admin and IT Manager I found interesting. The idea that any

Re: The long tail of ColdFusion fail

2014-03-28 Thread Money Pit
Dave wrote But I think there's an important difference in expectations between providing services and selling tools. My customers expect me to know how to do things right - to understand how my tools work. When you buy a tool, you are expected to know how to use the tool, and there is only

CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail

2014-03-28 Thread Steve 'Cutter' Blades
Good Gawd! Some of you are like a dog with a bone. The facts: 1) Something Happened 2) It Got Publicized 3) There Are A Lot of Ticked Off People We can debate who is at fault until we are blue in the face. The fact of the matter is, all of it is in the past. We can not change the past. Adobe

Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail

2014-03-28 Thread Jon Clausen
You have all said your piece here, in the very public openness of the web, where Google will pick it up and run, and allow the naysayers to say "see, even their own community…" ^^ +1 ^^ <cfhorse beaten="true" dead="true" /> <cfabort>

Re: The long tail of ColdFusion fail

2014-03-28 Thread Russ Michaels
it doesn't take any expertise, this is the whole point, anyone can do it (badly) sure something may break by being locked down, but as I said earlier, you have 2 choices.. 1. out of the box install, not secure, but your site works just fine.. So nothing to learn unless you choose to. User

Re: The long tail of ColdFusion fail

2014-03-28 Thread Dave Watts
sure something may break by being locked down, but as I said earlier, you have 2 choices.. 1. out of the box install, not secure, but your site works just fine.. So nothing to learn unless you choose to. User continues in blissful ignorance. 2. out of the box, locked down and secure, but

Re: The long tail of ColdFusion fail

2014-03-28 Thread Claude Schnéegans
Application servers are inherently complex, and it takes a certain level of expertise to set them up. There's no getting around that. You're right. However, there are two approaches that can be taken in installation procedures. One year ago I had to move from a W2003 to a W2008 server and to a

Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail

2014-03-28 Thread Russ Michaels
I think you will find many folks already did that years ago, myself included. On Fri, Mar 28, 2014 at 5:38 PM, Steve 'Cutter' Blades cold.fus...@cutterscrossing.com wrote: Good Gawd! Some of you are like a dog with a bone. The facts: 1) Something Happened 2) It Got Publicized 3) There

Re: The long tail of ColdFusion fail

2014-03-28 Thread Claude Schnéegans
1. out of the box install, not secure, but your site works just fine.. This is Adobe's approach 2. out of the box, locked down and secure, but site may break, so you have And this is Microsoft's You're quite right.

Re: The long tail of ColdFusion fail

2014-03-28 Thread Claude Schnéegans
Imagine a family buys a car, and by default the airbags and anti-lock brakes are not enabled. Indeed, they are in the trunk, under the spare tire, but it's up to you to go to the manufacturer's site and download instructions to install them ;-)

Re: The long tail of ColdFusion fail

2014-03-28 Thread Dave Watts
If you let your nephew install a server and don't bother to double check his work, that is *your* fault, no one else. What does this matter when the bad juju blows back publicly on the product itself? Blaming the customer for problems in other channels typically doesn't tend to end well

Re: The long tail of ColdFusion fail

2014-03-28 Thread Claude Schnéegans
but for CF to have a backdoor entry point as standard in the install is plainly stupid and it has not helped sell CF as an option. This is exactly the point.

Re: The long tail of ColdFusion fail

2014-03-28 Thread Russ Michaels
if you think no-one uses Windows web servers then you are wrong, very wrong. It would seem you also think that Windows is not locked down by default, that may have been true once upon a time, but is no longer the case and hasn't been for many years. Certainly since Windows Server 2008, you must

Re: The long tail of ColdFusion fail

2014-03-28 Thread Wil Genovese
Imagine a family buys a car, and by default the airbags and anti-lock brakes are not enabled. Indeed, they are in the trunk, under the spare tire, but it's up to you to go to the manufacturer's site and download instructions to install them ;-) Obviously none of you have ever owned a

Re: The long tail of ColdFusion fail

2014-03-28 Thread Dave Watts
2. out of the box, locked down and secure, but site may break, so you have And this is Microsoft's It's Microsoft's approach ... now. But it took them a long time to get there. And the sheer weight of legacy code probably had something to do with that. And I think Microsoft server products

Re: The long tail of ColdFusion fail

2014-03-28 Thread Wil Genovese
I see lessons in seeing sarcasm are needed…… Wil Genovese Sr. Web Application Developer/ Systems Administrator CF Webtools www.cfwebtools.com wilg...@trunkful.com www.trunkful.com On Mar 28, 2014, at 1:02 PM, Russ Michaels r...@michaels.me.uk wrote: if you think no-one uses Windows web

Re: The long tail of ColdFusion fail

2014-03-28 Thread Dave Watts
if you think no-one uses Windows web servers then you are wrong, very wrong. Uh, yeah, I know that. That was my point. It would seem you also think that Windows is not locked down by default, that may have been true once upon a time, but is no longer the case and hasn't been for many

Re: The long tail of ColdFusion fail

2014-03-28 Thread Jordan Michaels
On 03/28/2014 10:52 AM, Dave Watts wrote: This explains why absolutely no one uses Windows web servers. Some data on this topic: http://news.netcraft.com/archives/2014/03/03/march-2014-web-server-survey.html IIS looks great in the all sites category but is seemingly dead in the Active sites

Re: The long tail of ColdFusion fail

2014-03-28 Thread Claude Schnéegans
It's Microsoft's approach ... now. But it took them a long time to get there. You're probably right. The point here is that it is taking even a longer time to Adobe.

Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail

2014-03-28 Thread Andrew Scott
OMG You mean ColdFusion 11 is public :P Regards, Andrew Scott WebSite: http://www.andyscott.id.au/ Google+: http://plus.google.com/113032480415921517411 On Sat, Mar 29, 2014 at 4:38 AM, Steve 'Cutter' Blades cold.fus...@cutterscrossing.com wrote: Good Gawd! Some of you are like a dog

Re: The long tail of ColdFusion fail

2014-03-28 Thread Russ Michaels
I doubt it would have made any difference as there still would have been only the same choices, and the reasons for choosing Windows over Linux or Others would have remained the same, for folks that wanted a simple GUI to work either vs command line. On Fri, Mar 28, 2014 at 6:04 PM, Dave Watts

Re: The long tail of ColdFusion fail

2014-03-28 Thread Dave Watts
I am particularly amused by the last category where NGINX has more market share than IIS in the top million busiest sites. I'm not all that surprised. Very busy sites are likely to have better infrastructure. Nginx makes a very good reverse proxy for internal servers. I have a customer in the

Re: The long tail of ColdFusion fail

2014-03-28 Thread Russ Michaels
consider this Imagine a family buys a car, and by default the airbags and anti-lock brakes are not enabled. Somewhere deep in the manual is a mention of following a safety setup guide and You are expected to follow this guide make changes to your car to make it safe and secure. Now imagine

Re: The long tail of ColdFusion fail

2014-03-28 Thread Jordan Michaels
On 03/28/2014 11:13 AM, Dave Watts wrote: Very busy sites are likely to have better infrastructure. IIS can function great as a reverse proxy. You'd think these companies would want to save the cost of training their employees on new web servers/proxies when they could simply use IIS for this

Re: The long tail of ColdFusion fail

2014-03-28 Thread Dave Watts
The idea that any application is installed on a server that is open to the internet, or even if used internally, should be installed in such a way that is open to hacking by default is, quite frankly, ridiculous. I've got bad news for you. Stick this in Google: [product] default

Re: The long tail of ColdFusion fail

2014-03-28 Thread Jon Clausen
Jordan and Dave, Thanks! You just helped me solve a totally unrelated problem on an IIS site with a lot of static content requests. I’ve got several servers using Apache as a reverse proxy to NGINX but I don’t know why it didn’t occur to me to look in to doing the same for IIS... Jon On

Re: The long tail of ColdFusion fail

2014-03-28 Thread Russ Michaels
I also once had a client who did this, they were Linux heads who thought that hiding the sucky insecure windows/cf server behind a linux server and doing a reverse proxy would make it secure. But of course it didn't as everything still works the same way, the SQL injections still got through, the

Re: The long tail of ColdFusion fail

2014-03-28 Thread Dave Watts
I also once had a client who did this, they were Linux heads who thought that hiding the sucky insecure windows/cf server behind a linux server and doing a reverse proxy would make it secure. There is no such thing as "make it secure", of course. But it is more secure. It solves one specific

Re: The long tail of ColdFusion fail

2014-03-28 Thread Russ Michaels
A locked door is useless if you leave the windows open. Russ Michaels www.michaels.me.uk cfmldeveloper.com cflive.net cfsearch.com On 28 Mar 2014 19:09, Dave Watts dwa...@figleaf.com wrote: I also once had a client who did this, they were Linux heads who thought that hiding the sucky

Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail

2014-03-28 Thread Justin Scott
OMG You mean ColdFusion 11 is public :P I'm hearing Stroz in the back of my head... 10.5 10.5 have a great weekend! -Justin

Re: The long tail of ColdFusion fail

2014-03-28 Thread Bobby
Re: The long tail of analogy hell. On 3/28/14, 4:42 PM, Russ Michaels r...@michaels.me.uk wrote: A locked door is useless if you leave the windows open. Russ Michaels www.michaels.me.uk cfmldeveloper.com cflive.net cfsearch.com On 28 Mar 2014 19:09, Dave Watts dwa...@figleaf.com wrote: I

Re: The long tail of ColdFusion fail

2014-03-28 Thread Gerald Guido
If you pound sand long enough it might turn into glass. Or not. One of my favorite quotes from a friend I used to work with was: Is the juice worth the squeeze?. Southern wisdom at its finest. G! -- Gerald Guido Twitter https://twitter.com/CozmoTrouble Blarg

Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail

2014-03-28 Thread Maureen
There are people doing that, and their entries are being closed without comment, even when they request comment. So what's the point? Also, QA and debugging are usually paid positions, except for open source software. If Adobe wants to make CF open source, I will be happy to volunteer some

Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail

2014-03-28 Thread Jerry Milo Johnson
For the Love of God On Fri, Mar 28, 2014 at 8:30 PM, Maureen mamamaur...@gmail.com wrote: There are people doing that, and their entries are being closed without comment, even when they request comment. So what's the point? Also, QA and debugging are usually paid positions, except

Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail

2014-03-28 Thread Maureen
Oh, does he work at Adobe now? On Fri, Mar 28, 2014 at 5:35 PM, Jerry Milo Johnson jmi...@gmail.com wrote: For the Love of God On Fri, Mar 28, 2014 at 8:30 PM, Maureen mamamaur...@gmail.com wrote: There are people doing that, and their entries are being closed without comment, even

Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail

2014-03-28 Thread Justin Scott
Also, QA and debugging are usually paid positions, except for open source software. If Adobe wants to make CF open source, I will be happy to volunteer some time to help fix it. Otherwise, not my job. Bugs happen... as a developer I'm sure you've had clients bring bugs to you and you've

Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail

2014-03-28 Thread Andrew Scott
Maureen, This is one of my extreme pet peeves with Adobe, in the last 10+ years, is the length of time it takes from a bug being reported to being fixed is in the years, not days or months, but literally years. I have bugs that were reported in the 2006-2008 days, that are still not fixed in

Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail

2014-03-28 Thread Andrew Scott
Justin, yes I reported this to Adobe during the ColdFusion 10 beta. I can confirm and hope that by the fact that the ticket has been marked fixed, that this is now in ColdFusion 11 as a fix. Regards, Andrew Scott WebSite: http://www.andyscott.id.au/ Google+:

Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail

2014-03-28 Thread Maureen
The scenario you describe is vastly different than me telling my clients if they want the next version of my software to be secure they have to download and install a beta with known problems, test it, record flaws, suggest features and solicit votes for those flaws to be fixed and the features

Re: The long tail of ColdFusion fail

2014-03-27 Thread Claude Schnéegans
Development servers don't need a secure setup if they're not exposed to untrusted networks. Obviously we were not talking about development servers in this thread ;-)

RE: The long tail of ColdFusion fail

2014-03-27 Thread Jenny Gavin-Wear
Exactly. -Original Message- From: Adam Cameron [mailto:dacc...@gmail.com] Sent: 26 March 2014 14:27 To: cf-talk Subject: Re: The long tail of ColdFusion fail If it only works on localhost *by default*, then this mitigates most of the problem just like that. -- Adam On 26 March 2014

Re: The long tail of ColdFusion fail

2014-03-27 Thread Maureen
And that direction on how to secure it more exists where exactly? Is it in the install instructions, or only in some obscure document that a person unfamiliar with the need for security might not know about? On Wed, Mar 26, 2014 at 9:16 AM, DURETTE, STEVEN J sd1...@att.com wrote: We can't

Re: The long tail of ColdFusion fail

2014-03-27 Thread Raymond Camden
On Thu, Mar 27, 2014 at 8:12 PM, Maureen mamamaur...@gmail.com wrote: And that direction on how to secure it more exists where exactly? Is it in the install instructions, or only in some obscure document that a person unfamiliar with the need for security might not know about? So to be

Re: The long tail of ColdFusion fail

2014-03-27 Thread Russ Michaels
Sadly quite common, sysadmins and hosting companies even do it. The reason is because they think it works in the same way as cgi scripts and is locked down by the same rules that php et al are, which is not the case because it runs as a service, not a process Russ Michaels www.michaels.me.uk

Re: The long tail of ColdFusion fail

2014-03-27 Thread Maureen
Yes Raymond, in the world I live in where I often have to go in and clean up a mess made by inexperienced developers or the client's nerdy nephew, there are people who are unaware that extra server lock down would be necessary. There are also noobs who get hired at web hosting companies who

Re: The long tail of ColdFusion fail

2014-03-27 Thread Wil Genovese
Ray, Yes that is pretty much the case. I spend a lot of my time cleaning up and securing servers that have been left unsecured. It happens all the time. I do more server work than code these days. Wil Genovese Sr. Web Application Developer/ Systems Administrator CF Webtools

Re: The long tail of ColdFusion fail

2014-03-27 Thread Raymond Camden
Paying attention to the requirement to inform these people about the need for extra lock down early in the process would be more effective in solving the problem than Adobe employees and evangelists ignoring the fact that these people exist and doing nothing more than yelling Um... who

Re: The long tail of ColdFusion fail

2014-03-27 Thread Andrew Scott
Ray, Probably not... Other people should also remember that not everyone spends time online in groups, they are 9 to 5 developers who have a life. These are the people who set these things up, these are the people that aren't being reached. Can more be done, don't think so. Regards, Andrew

Re: The long tail of ColdFusion fail

2014-03-27 Thread Raymond Camden
If securing your server is considered extra curricular activity - ie stuff you would do at a user group - then your priorities are way out of whack. (I mean you in general, not you specifically Andrew. ;) On Thu, Mar 27, 2014 at 9:46 PM, Andrew Scott andr...@andyscott.id.au wrote: Ray,

Re: The long tail of ColdFusion fail

2014-03-27 Thread Wil Genovese
Honestly if these people are living under their cubicle desk then I have no clue how to get their attention. It’s not as if no one is talking about ColdFusion security and certainly not as if the main stream news media is reporting security breaches. If someone chooses to stay uninformed

Re: The long tail of ColdFusion fail

2014-03-27 Thread Andrew Scott
Yea well I agree Ray, but they are also the people getting cheap VPS's and not securing their servers too. What we can do, I am not sure there is any more than what is being done... Regards, Andrew Scott WebSite: http://www.andyscott.id.au/ Google+: http://plus.google.com/113032480415921517411

Re: The long tail of ColdFusion fail

2014-03-27 Thread Andrew Scott
same... I have in my years been at job interviews with people who have programmed CF for as long as I have, but have never heard of them before the interview. Regards, Andrew Scott WebSite: http://www.andyscott.id.au/ Google+: http://plus.google.com/113032480415921517411 On Fri, Mar 28,

Re: The long tail of ColdFusion fail

2014-03-27 Thread Maureen
Of course users should take responsibility. But corporations have a responsibility to their users to inform them as well. We are all aware that those managing servers SHOULD be knowledgeable and competent, however in the real world, that is not always the case and never will be. So dealing

Re: The long tail of ColdFusion fail

2014-03-27 Thread Maureen
Honestly, if you are selling a software product that requires additional lock down after installation, you might could get the attention of those hiding in their cubicle by putting a large notice of such at the beginning of the installation instructions. No one should have to find out about

Re: The long tail of ColdFusion fail

2014-03-27 Thread Raymond Camden
On Thu, Mar 27, 2014 at 10:09 PM, Maureen mamamaur...@gmail.com wrote: Of course users should take responsibility. But corporations have a responsibility to their users to inform them as well. We are all aware that those managing servers SHOULD be knowledgeable and competent, however in

Re: The long tail of ColdFusion fail

2014-03-27 Thread Raymond Camden
As has been explained *multiple* times, there is no one solution (in terms of settings) that will work for everyone. Therefore there must be some position made where the software says, I'll lock down A and B, but I don't think I can *always* lock C. I *do* think that at the end of the

Re: The long tail of ColdFusion fail

2014-03-27 Thread Wil Genovese
Only if it was flashing in huge red letters with the BLINK tag. Then again, some will still miss that. :) On Mar 27, 2014, at 10:16 PM, Raymond Camden raymondcam...@gmail.com wrote: I *do* think that at the end of the installation, linking to the lock down guide would be useful. Wil

Re: The long tail of ColdFusion fail

2014-03-27 Thread Andrew Scott
Don't get me started on the cheap clients, who want to have full control of the server, which means their own. But will not pay for anyone to manage it. Do you know how many jobs I have rejected like that :-) Regards, Andrew Scott WebSite: http://www.andyscott.id.au/ Google+:

Re: The long tail of ColdFusion fail

2014-03-27 Thread Andrew Scott
And how many people have we helped who have updated their CF 10 install, then start asking for help because their cgi scope is broken... Who have not read the message to update their connectors!! Regards, Andrew Scott WebSite: http://www.andyscott.id.au/ Google+:

Re: The long tail of ColdFusion fail

2014-03-26 Thread Dave Watts
CF should install locked down out of the box, there really should be no need to follow a complex lockdown guide to make it secure. That sounds great in theory, but I don't think it would work well in reality. Whenever you install server software, you are responsible for understanding how it

Re: The long tail of ColdFusion fail

2014-03-26 Thread Claude Schnéegans
And why is it such a pain in the rear to keep CF up to date/patched? What I mean is that Adobe recommends that CFIDE should be moved to a safer place, but, after several versions, CFIDE is still installed the same way.

Re: The long tail of ColdFusion fail

2014-03-26 Thread Dave Watts
What I mean is that Adobe recommends that CFIDE should be moved to a safer place, but, after several versions, CFIDE is still installed the same way. Of course it is. If it were somewhere else, you wouldn't be able to administer CF after an out-of-the-box install. It's up to you to

Re: The long tail of ColdFusion fail

2014-03-26 Thread Ben Forta
Dave is spot on. If ColdFusion were a complete self contained black box then the suggestion would be valid, but as it relies on an underlying OS, an HTTP server, DBMSs and more, it is the admin's job to manage and understand all of those (and more). The fact that CF deployment and development

Re: The long tail of ColdFusion fail

2014-03-26 Thread Adam Cameron
If it only works on localhost *by default*, then this mitigates most of the problem just like that. -- Adam On 26 March 2014 14:17, Dave Watts dwa...@figleaf.com wrote: What I mean is that Adobe recommends that CFIDE should be moved to a safer place, but, after several versions, CFIDE

Re: The long tail of ColdFusion fail

2014-03-26 Thread Adam Cameron
On 26 March 2014 13:57, Dave Watts dwa...@figleaf.com wrote: CF should install locked down out of the box, there really should be no need to follow a complex lockdown guide to make it secure. [...] If you really think Adobe is responsible for your server's security, and should be

Re: The long tail of ColdFusion fail

2014-03-26 Thread Dave Watts
From a system security perspective, the approach is generally the default is *no access*, and then access has to be specifically granted. Adobe has taken the opposite approach simply to make life easy, which has proven to be a foolhardy decision. Repeatedly. For years. Let me introduce you

Re: The long tail of ColdFusion fail

2014-03-26 Thread Dave Watts
If it only works on localhost *by default*, then this mitigates most of the problem just like that. By default, it works only on a non-standard port, using the built-in web server. And if you check the secure profile box, you can specify allowed IP addresses like localhost at install time.

RE: The long tail of ColdFusion fail

2014-03-26 Thread DURETTE, STEVEN J
? (The media would report an issue with Ford door locks.) :) Steve -Original Message- From: Dave Watts [mailto:dwa...@figleaf.com] Sent: Wednesday, March 26, 2014 9:57 AM To: cf-talk Subject: Re: The long tail of ColdFusion fail CF should install locked down out of the box, there really

Re: The long tail of ColdFusion fail

2014-03-26 Thread Adam Cameron
In the case where everything's locked down by default, nothing works, and admins need to learn how to remove security to allow access to a web application. I'm not sure I see much difference there. Either way, someone needs to know how web application security works. If you're in the

Re: The long tail of ColdFusion fail

2014-03-26 Thread Claude Schnéegans
It's up to you to understand how web servers and web applications work, and set it up. My point is that I'm pretty sure everything I've done by hand to move CFIDE/administrator and declare a virtual directory to some special web site could be done by the installer.

Re: The long tail of ColdFusion fail

2014-03-26 Thread Adam Cameron
The doors are locked by default though, aren't they? Plus it's a bit of a false analogy (http://en.wikipedia.org/wiki/False_analogy) anyhow. On 26 March 2014 14:44, DURETTE, STEVEN J sd1...@att.com wrote: I like this analogy... You buy a new Ford Fusion. Ford tells you about how closing the

Re: The long tail of ColdFusion fail

2014-03-26 Thread Adam Cameron
On 26 March 2014 14:54, wrote: It's up to you to understand how web servers and web applications work, and set it up. My point is that I'm pretty sure everything I've done by hand to move CFIDE/administrator and declare a virtual directory to some special web site could be done by the

Re: The long tail of ColdFusion fail

2014-03-26 Thread Roger Austin
Dave Watts dwa...@figleaf.com wrote: In the case where everything's locked down by default, nothing works, and admins need to learn how to remove security to allow access to a web application. This reminds me of finding a scientific server where everyone in the department was an

Re: The long tail of ColdFusion fail

2014-03-26 Thread Ben Forta
Sure, the installer could make things simpler, and maybe should. But, that's a double edged sword, make things easier and admins will be even less likely to learn and manage what they really need to. At the end of the day, whether it is Windows or Apache or your mail server or CF or Java or

RE: The long tail of ColdFusion fail

2014-03-26 Thread DURETTE, STEVEN J
Cameron [mailto:dacc...@gmail.com] Sent: Wednesday, March 26, 2014 10:55 AM To: cf-talk Subject: Re: The long tail of ColdFusion fail The doors are locked by default though, aren't they? Plus it's a bit of a false analogy (http://en.wikipedia.org/wiki/False_analogy) anyhow. On 26 March 2014 14:44

Re: The long tail of ColdFusion fail

2014-03-26 Thread Claude Schnéegans
It's daft to facilitate the [potentially dangerous thing] And I don't know if everyone knows why it was insecure to have the Administrator in a conventional place. I got my server hacked like many of us, and I checked in the logs how the guy had access to the administrator. I discovered that

Re: The long tail of ColdFusion fail

2014-03-26 Thread Claude Schnéegans
ignore a public facing server, you are asking for trouble We all have public facing applications, including banks, CIA, FBI, etc, simply protected by a password, but we usually do not have undocumented backdoors ;-) If the CF administrator didn't have this undocumented function allowing to
