[Evangelism] Hack Plone! Win a Mac!

Dylan Jay djay at pretaweb.com
Thu Nov 26 22:53:23 UTC 2009 

On 27/11/2009, at 9:00 AM, Mark A Corum wrote:

> Actually, it would show we are arrogant and cavalier about security -
> which are about the worst things you can be in the eyes of an
> enterprise customer.
>
> People who are serious about security TEST the security of their
> software in a professional, systematic way.  They get experts in the
> field and folks who really know what they are doing to make sure
> nothing in their code or deployment is opening up websites to attack
> or possible compromise of data.

I don't disagree with your points below but testing security via  
experts is I'm sure what companies like Microsoft do and that hasn't  
worked out well for them. FOSS has repeatedly shown that security by  
numbers - ie lots of eyes on code rather than "experts" has made for  
more secure systems.

>
> The whole "opening your software to hackers" thing is a stunt - a
> stunt with very little if any upside, and a huge potential downside.
> If someone brings your server to its knees with a Denial of Service
> attack or a weakness in the OS you are running on, you can complain
> from now until eternity that it wasn't "fair" but the only coverage
> you are going to get is "Plone gets hacked."  If no one is able to
> hack the site, its not really something worthy of coverage, now is it?

maybe.

> Afterall, we are already well known as having one of  the best
> security records of any CMS.

I would disagree we are "well known". Plone is general is NOT well  
known. It's underwhelmingly unknown given its history and competitive  
advantages such as security. When Drurpal can get recommended as an  
"enterprise" CMS by Gartner and Alfresco can get away with giving the  
their product the label "THE open source enterprise content management  
system" I would say we're not well known.
One thing I got out of this years conference is that security is a big  
competitive advantage of Plone thats easy to explain and has impact.  
We've only just started marketing that to the outside world. Until  
Gartner labels us "The secure open source enterprise content  
management system" I think we have a lot of work to do.
If stunts aren't the right way to do it at least we're thinking about  
it. I'd love to hear some other ideas wouldn't you?

>
> If Plone had previously been weak on security, and had gotten its act
> together, this might make sense.  But in reality -- where Plone is a
> VERY secure system with a long-term record of protecting sites and
> data -- this kind of circus stunt is not a good idea.
>
> Mark
>
>
>
>
> Mark A Corum
> User Interface Designer | Online Marketer | Certified ScrumMaster
>
> markcorum on AOL, Googletalk, MSN, Skype, Meebo, TokBox, Facebook,
> Twitter and Yahoo;
>
> "Light up the darkness." - Bob Marley
> "Quis custodiet ipsos custodes?" (Who watches the watchmen?) -
> Juvenales, Satires
> "No matter where you go ... there you are." - Buckaroo Banzai
>
>
>
> On Thu, Nov 26, 2009 at 4:06 PM, Dylan Jay <djay at pretaweb.com> wrote:
>> Worst case is really bad publicity.  But then is it?
>> If it got hacked we'd patch it immediatly and patch most systems  
>> out there
>> and we'd explain how that system works in advance. Basically use it  
>> to
>> explain how open source increases security and speed of patches.
>> It would also show that we take security seriously.
>>
>> Dylan Jay
>> Technical solution manager
>> PretaWeb 99552830
>>
>> On 27/11/2009, at 2:09 AM, Norman Fournier  
>> <norman at normanfournier.com>
>> wrote:
>>
>>> Hello,
>>>
>>> Worst case scenario. What if we are wrong?
>>>
>>> Some smart punk hacks the plone and posts the hack or hints  
>>> somewhere. How
>>> many Macs can we afford to give away? How long can we afford to  
>>> pay lawyers
>>> to fight spurious claims in court?
>>>
>>> A risk analysis should be air-tight before any contest is  
>>> publicized. Even
>>> the smallest give-aways are fraught with legal complications which  
>>> is why
>>> contest legal copy takes so much space on an entry form.
>>>
>>> For me, I am not liking this idea at all. I think there may be more
>>> positive ways for plone to get this message across without  
>>> exposing the
>>> software to a million punk hackers with a goad like both Screw  
>>> Plone and Win
>>> a Mac at the same time!
>>>
>>> My $.02.
>>>
>>> Norman
>>>
>>> On 2009-11-25, at 10:28 PM, Nate Aune wrote:
>>>
>>>> I think it's a great idea. Set up a server (perhaps using the
>>>> Hardening Plone howto below) and let the games begin!
>>>> http://plone.org/documentation/how-to/securing-plone/
>>>>
>>>> Nate
>>>>
>>>> On Wed, Nov 18, 2009 at 11:52 AM, Jan Ulrich Hasecke
>>>> <juhasecke at googlemail.com> wrote:
>>>>>
>>>>> Hi all,
>>>>>
>>>>> what do you think about a hacking contest? We setup a plain  
>>>>> plone site
>>>>> and who ever hacks it first wins a mac or a playstation or  
>>>>> whatever.
>>>>>
>>>>> All exploits must be documented of course so that we can fix them.
>>>>>
>>>>> We promote Plone as a secure system and can document it with the  
>>>>> CVE
>>>>> entries but often people say, yeah, but there are a lot less  
>>>>> installations
>>>>> of Plone than there are of PHP-systems, so you cannot compare  
>>>>> the figures.
>>>>>
>>>>> So lets challenge the hackers!
>>>>>
>>>>> This could be an online event with a great publicity effect may  
>>>>> be in
>>>>> the run-up to the World Plone Day.
>>>>>
>>>>> What do you think?
>>>>> juh
>>>>>
>>>>> Jan Ulrich Hasecke
>>>>> (DZUG e.V.)
>>>>>
>>>>> --
>>>>> DZUG e.V. (Deutschsprachige Zope User Group)
>>>>> www.dzug.org
>>>>> www.zope.de
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Evangelism mailing list
>>>>> Evangelism at lists.plone.org
>>>>> http://lists.plone.org/mailman/listinfo/evangelism
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Nate Aune - natea at jazkarta.com
>>>> http://www.jazkarta.com
>>>> http://card.ly/natea
>>>> +1 (617) 517-4953
>>>>
>>>> _______________________________________________
>>>> Evangelism mailing list
>>>> Evangelism at lists.plone.org
>>>> http://lists.plone.org/mailman/listinfo/evangelism
>>>
>>>
>>> _______________________________________________
>>> Evangelism mailing list
>>> Evangelism at lists.plone.org
>>> http://lists.plone.org/mailman/listinfo/evangelism
>>
>> _______________________________________________
>> Evangelism mailing list
>> Evangelism at lists.plone.org
>> http://lists.plone.org/mailman/listinfo/evangelism
>>

More information about the Evangelism mailing list