[Evangelism] Re: Hack Plone! Win a Mac!

Jens W. Klein jens at bluedynamics.com
Fri Nov 27 08:08:36 UTC 2009

On Thu, 26 Nov 2009 17:00:15 -0500, Mark A Corum wrote:

> Actually, it would show we are arrogant and cavalier about security -
> which are about the worst things you can be in the eyes of an enterprise
> customer.

Would we? I do not agree here. Plone is different, and even enterprise 
customers start to get the idea.

> People who are serious about security TEST the security of their
> software in a professional, systematic way.  They get experts in the
> field and folks who really know what they are doing to make sure nothing
> in their code or deployment is opening up websites to attack or possible
> compromise of data.

Isn't an award like this the way of using the free software way of collective 
knowledge to test our system? I'm sure people who are trying to hack 
Plone are doing it in a systematic way. And I'm sure they are experts; 
maybe they aren't professionals in security testing, but often those people 
have more knowledge, and their motivation is much higher than for an employee of 
some self-called security-testing company.

> The whole "opening your software to hackers" thing is a stunt - a stunt
> with very little if any upside, and a huge potential downside. If
> someone brings your server to its knees with a Denial of Service attack
> or a weakness in the OS you are running on, you can complain from now
> until eternity that it wasn't "fair" but the only coverage you are going

It's for sure a stunt. It's always a stunt to place a server in the 
public :-) And an award like this needs to follow clear rules. Also we 
need to protect the system against (D)DoS attacks and similar with a good 
firewall etc., so it's not done with installing Plone on an almost vanilla 
(but secured) OpenBSD. On the other hand: having it documented how we 
secured the system is very valuable. Security by obscurity is the worst 
and to be avoided.

> to get is "Plone gets hacked."  If no one is able to hack the site, its
> not really something worthy of coverage, now is it?

Well, I think the best that can happen is if we can tell the world: 30 of the best 
hackers tried it, but there's no way.

>  Afterall, we are already well known as having one of  the best
> security records of any CMS.

Well, this is neat, but if you need to tell facts, the only ones we have are 
stats: PHP vs. Python, Joomla vs. Plone. OK, NASA, CIA and FBI trust in 
Plone. So what? Reputation is perfect, but all these are soft facts.

> If Plone had previously been weak on security, and had gotten its act
> together, this might make sense.  But in reality -- where Plone is a
> VERY secure system with a long-term record of protecting sites and data
> -- this kind of circus stunt is not a good idea.

So if this thread and your last sentence are read by any Plone security 
evaluating person, it looks like you're afraid "something" will be found 
and the reputation- and stats-based security record of Plone will be 

This may happen, but then we show security is important to us, and we use 
the community way to ensure our system is secure. 

Plone is the community, and it's not a company. We do it differently; we are 
not Plone the enterprise and do not hire security experts: We _are_ 
security experts, we the community. And we the community should say we do 
now check our system in our way: The same successful path Plone took in 
requirements and development is needed also for security field-testing.

best regards

Jens W. Klein
(aka jensens)

> Mark A Corum
> User Interface Designer | Online Marketer | Certified ScrumMaster
> markcorum on AOL, Googletalk, MSN, Skype, Meebo, TokBox, Facebook,
> Twitter and Yahoo;
> "Light up the darkness." - Bob Marley "Quis custodiet ipsos custodes?"
> (Who watches the watchmen?) - Juvenal, Satires
> "No matter where you go ... there you are." - Buckaroo Banzai
> On Thu, Nov 26, 2009 at 4:06 PM, Dylan Jay
> <djay at pretaweb.com> wrote:
>> Worst case is really bad publicity.  But then is it? If it got hacked
>> we'd patch it immediately and patch most systems out there, and we'd
>> explain how that system works in advance. Basically use it to explain
>> how open source increases security and speed of patches. It would also
>> show that we take security seriously.
>> Dylan Jay
>> Technical solution manager
>> PretaWeb 99552830
>> On 27/11/2009, at 2:09 AM, Norman Fournier
>> <norman at normanfournier.com> wrote:
>>> Hello,
>>> Worst case scenario. What if we are wrong?
>>> Some smart punk hacks the plone and posts the hack or hints somewhere.
>>> How many Macs can we afford to give away? How long can we afford to
>>> pay lawyers to fight spurious claims in court?
>>> A risk analysis should be air-tight before any contest is publicized.
>>> Even the smallest give-aways are fraught with legal complications
>>> which is why contest legal copy takes so much space on an entry form.
>>> For me, I am not liking this idea at all. I think there may be more
>>> positive ways for plone to get this message across without exposing
>>> the software to a million punk hackers with a goad like both Screw
>>> Plone and Win a Mac at the same time!
>>> My $.02.
>>> Norman
>>> On 2009-11-25, at 10:28 PM, Nate Aune wrote:
>>>> I think it's a great idea. Set up a server (perhaps using the
>>>> Hardening Plone howto below) and let the games begin!
>>>> http://plone.org/documentation/how-to/securing-plone/
>>>> Nate
>>>> On Wed, Nov 18, 2009 at 11:52 AM, Jan Ulrich Hasecke
>>>> <juhasecke at googlemail.com> wrote:
>>>>> Hi all,
>>>>> what do you think about a hacking contest? We set up a plain plone
>>>>> site and whoever hacks it first wins a mac or a playstation or
>>>>> whatever.
>>>>> All exploits must be documented of course so that we can fix them.
>>>>> We promote Plone as a secure system and can document it with the CVE
>>>>> entries but often people say, yeah, but there are a lot less
>>>>> installations of Plone than there are of PHP-systems, so you cannot
>>>>> compare the figures.
>>>>> So let's challenge the hackers!
>>>>> This could be an online event with a great publicity effect, maybe
>>>>> in the run-up to the World Plone Day.
>>>>> What do you think?
>>>>> juh
>>>>> Jan Ulrich Hasecke
>>>>> (DZUG e.V.)
>>>>> --
>>>>> DZUG e.V. (Deutschsprachige Zope User Group) www.dzug.org
>>>>> www.zope.de
>>>>> _______________________________________________ Evangelism mailing list
>>>>> Evangelism at lists.plone.org
>>>>> http://lists.plone.org/mailman/listinfo/evangelism
>>>> --
>>>> Nate Aune - natea at jazkarta.com
>>>> http://www.jazkarta.com
>>>> http://card.ly/natea
>>>> +1 (617) 517-4953

Jens W. Klein - Klein & Partner KEG - BlueDynamics Alliance