[Evangelism] Hack Plone! Win a Mac!

Mark A Corum markcorum at gmail.com
Thu Nov 26 22:00:15 UTC 2009


Actually, it would show we are arrogant and cavalier about security -
which are about the worst things you can be in the eyes of an
enterprise customer.

People who are serious about security TEST the security of their
software in a professional, systematic way.  They get experts in the
field and folks who really know what they are doing to make sure
nothing in their code or deployment is opening up websites to attack
or possible compromise of data.

The whole "opening your software to hackers" thing is a stunt - a
stunt with very little if any upside, and a huge potential downside.
If someone brings your server to its knees with a Denial of Service
attack or a weakness in the OS you are running on, you can complain
from now until eternity that it wasn't "fair" but the only coverage
you are going to get is "Plone gets hacked."  If no one is able to
hack the site, its not really something worthy of coverage, now is it?
 Afterall, we are already well known as having one of  the best
security records of any CMS.

If Plone had previously been weak on security, and had gotten its act
together, this might make sense.  But in reality -- where Plone is a
VERY secure system with a long-term record of protecting sites and
data -- this kind of circus stunt is not a good idea.

Mark




Mark A Corum
User Interface Designer | Online Marketer | Certified ScrumMaster

markcorum on AOL, Googletalk, MSN, Skype, Meebo, TokBox, Facebook,
Twitter and Yahoo;

"Light up the darkness." - Bob Marley
"Quis custodiet ipsos custodes?" (Who watches the watchmen?) -
Juvenales, Satires
"No matter where you go ... there you are." - Buckaroo Banzai



On Thu, Nov 26, 2009 at 4:06 PM, Dylan Jay <djay at pretaweb.com> wrote:
> Worst case is really bad publicity.  But then is it?
> If it got hacked we'd patch it immediatly and patch most systems out there
> and we'd explain how that system works in advance. Basically use it to
> explain how open source increases security and speed of patches.
> It would also show that we take security seriously.
>
> Dylan Jay
> Technical solution manager
> PretaWeb 99552830
>
> On 27/11/2009, at 2:09 AM, Norman Fournier <norman at normanfournier.com>
> wrote:
>
>> Hello,
>>
>> Worst case scenario. What if we are wrong?
>>
>> Some smart punk hacks the plone and posts the hack or hints somewhere. How
>> many Macs can we afford to give away? How long can we afford to pay lawyers
>> to fight spurious claims in court?
>>
>> A risk analysis should be air-tight before any contest is publicized. Even
>> the smallest give-aways are fraught with legal complications which is why
>> contest legal copy takes so much space on an entry form.
>>
>> For me, I am not liking this idea at all. I think there may be more
>> positive ways for plone to get this message across without exposing the
>> software to a million punk hackers with a goad like both Screw Plone and Win
>> a Mac at the same time!
>>
>> My $.02.
>>
>> Norman
>>
>> On 2009-11-25, at 10:28 PM, Nate Aune wrote:
>>
>>> I think it's a great idea. Set up a server (perhaps using the
>>> Hardening Plone howto below) and let the games begin!
>>> http://plone.org/documentation/how-to/securing-plone/
>>>
>>> Nate
>>>
>>> On Wed, Nov 18, 2009 at 11:52 AM, Jan Ulrich Hasecke
>>> <juhasecke at googlemail.com> wrote:
>>>>
>>>> Hi all,
>>>>
>>>> what do you think about a hacking contest? We setup a plain plone site
>>>> and who ever hacks it first wins a mac or a playstation or whatever.
>>>>
>>>> All exploits must be documented of course so that we can fix them.
>>>>
>>>> We promote Plone as a secure system and can document it with the CVE
>>>> entries but often people say, yeah, but there are a lot less installations
>>>> of Plone than there are of PHP-systems, so you cannot compare the figures.
>>>>
>>>> So lets challenge the hackers!
>>>>
>>>> This could be an online event with a great publicity effect may be in
>>>> the run-up to the World Plone Day.
>>>>
>>>> What do you think?
>>>> juh
>>>>
>>>> Jan Ulrich Hasecke
>>>> (DZUG e.V.)
>>>>
>>>> --
>>>> DZUG e.V. (Deutschsprachige Zope User Group)
>>>> www.dzug.org
>>>> www.zope.de
>>>>
>>>>
>>>> _______________________________________________
>>>> Evangelism mailing list
>>>> Evangelism at lists.plone.org
>>>> http://lists.plone.org/mailman/listinfo/evangelism
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Nate Aune - natea at jazkarta.com
>>> http://www.jazkarta.com
>>> http://card.ly/natea
>>> +1 (617) 517-4953
>>>
>>> _______________________________________________
>>> Evangelism mailing list
>>> Evangelism at lists.plone.org
>>> http://lists.plone.org/mailman/listinfo/evangelism
>>
>>
>> _______________________________________________
>> Evangelism mailing list
>> Evangelism at lists.plone.org
>> http://lists.plone.org/mailman/listinfo/evangelism
>
> _______________________________________________
> Evangelism mailing list
> Evangelism at lists.plone.org
> http://lists.plone.org/mailman/listinfo/evangelism
>




More information about the Evangelism mailing list