[Evangelism] Hack Plone! Win a Mac!
ctxlken
ken.wasetis at contextualcorp.com
Fri Nov 27 21:24:21 UTC 2009
I think it's a weak assumption that these two sites would have a 'live'
Plone site. Although it is possible, I would think that, given some of
the security and performance benefits, and since we see '.htm' or
'.html' URIs and no evidence of Zope in the response headers, it's
likely these security-conscious organizations are using some sort of
'static deployment' strategy, as we've discussed at:
http://www.coactivate.org/projects/plone-static-publishing/summary .
The Plone Static Publishing project on coactivate that I provided the
link to above has had some discussion recently about a product called
enpraxis.staticsite, although this seems like a young, immature product
and so is less likely to be active on these two sites. Instead, one of
the options that has existed for some time - CMFDeployment or custom
wget scripting - was probably used.
A static deployment strategy such as this would greatly increase
security for a site, since there is no zope/database/dynamic
functionality and there are no open ports between front-end and back-end
servers/services to worry about, and there are fewer moving parts in
general, besides the web (httpd) server.
As for the hacking contest, here are some thoughts:
a) I'm in favor of having a contest that allows Plone integrators listed
on plone.net to be involved, rather than all script kiddies in the world
- maybe have one that is open to the world at a later date.
b) There would need to be some very specific rules that ensure that the
found vulnerabilities must be in the Zope/Plone code bits and not
Apache, Varnish, lighttpd, nginx, Squid, or some of the other
front-end web servers/proxies used to get to Plone site content. While
it's still valuable to know about those types of vulnerabilities, our
contest would need to be focused on code managed by the Plone community
and not others, and the inclusion of web servers/proxies would make the
contest pretty unwieldy to manage (whose favorite front-end do you set up
for the test environment?).
c) I think that Mark's concern over seeming cavalier can be mitigated
through thoughtful communication/messaging. We wouldn't want to put a
banner ad out taunting script kiddies to just hack away - we dare you!
Instead, we could first do our own internal hacking, document findings,
open tickets, and address them, and then advertise the ongoing
efforts by the Plone community in ensuring security of Plone and invite
'white hat' hacker groups to register for the external hacking contest,
assign a limited time period that the environment will be available for
hacking, and give away whatever prize is determined.
d) Plenty of hackers aren't going to want a Mac. Some are just as
suspicious of Apple or Google as they are of Microsoft, so perhaps some
prize options could be listed.
e) Another option we could consider, rather than a wild, wild west
contest, would be to invite 3-5 professional security assessment firms
to hack and post findings. In return, they'll get some free advertising
on plone.org and anywhere there are press releases done with the contest
and results announcements.
-Ken
Karl Horak [via Plone] wrote:
> Just tossing my 2 cents worth in here -- if there were any Plone sites
> in the world that hackers were already targeting, it would be FBI and
> CIA. I'm sure we would have heard of any failure there.
>
> Meanwhile, I think the Foundation should sponsor a system of
> clandestine honeypots out there and monitor them religiously.
>
> Save the $$ on the Mac and pay Mark to get the msg out to the
> professional CMS reviewers.
>
> Karl
>
> Mark A Corum wrote:
> If Plone had previously been weak on security, and had gotten its act
> together, this might make sense. But in reality -- where Plone is a
> VERY secure system with a long-term record of protecting sites and
> data -- this kind of circus stunt is not a good idea.
>
> Mark
>
--
View this message in context: http://n2.nabble.com/Hack-Plone-Win-a-Mac-tp4027160p4077534.html
Sent from the Evangelism mailing list archive at Nabble.com.
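An added example, not code from this thread or from the Plone project, illustrating the fingerprinting Ken relies on above: given a captured HTTP response, decide whether it shows evidence of a live Zope/Plone backend, or only Plone-generated content served by a plain httpd, as a static deployment (CMFDeployment, wget mirror) would produce. The sample responses are constructed; the header names, the `_ZopeId` cookie and the `generator` meta tag are the ones Zope 2 / Plone 3-era sites commonly emitted, but a caching proxy or front-end server can strip or rewrite them, so absence of evidence is only a hint, never proof. The one practitioner caveat the message does not spell out is that the generator meta tag survives a static export, so body evidence and header evidence are reported separately.

```python
"""Added example (not from the thread or Plone): classify a raw HTTP response
as live Zope/Plone, a static export of Plone content, or plain static."""
import re
from urllib.parse import urlparse

# Headers a live Zope/Plone stack commonly emitted (Zope 2 / Plone 3 era).
# Assumption for illustration: a front-end proxy may strip or rewrite these.
HEADER_SIGNATURES = {
    "server": re.compile(r"zope|zserver", re.I),
    "x-powered-by": re.compile(r"zope", re.I),
    "set-cookie": re.compile(r"(?:^|;\s*)(_ZopeId|__ac|__cp)="),
    "x-caching-rule-id": re.compile(r"."),  # CacheFu rule id; only Plone sets it
}
GENERATOR_META = re.compile(r'<meta\s+name="generator"\s+content="([^"]*)"', re.I)

LIVE = "live Zope/Plone (backend headers visible)"
EXPORT = "Plone-generated content without Zope headers (consistent with static deployment)"
STATIC = "no Zope/Plone evidence, .htm/.html URI (probably static)"
INCONCLUSIVE = "inconclusive"


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def zope_evidence(raw):
    """Return {'headers': [...], 'body': [...]} with human-readable evidence."""
    _, headers, body = parse_response(raw)
    found = {"headers": [], "body": []}
    for name, value in headers:
        pattern = HEADER_SIGNATURES.get(name)
        if pattern and pattern.search(value):
            found["headers"].append(f"{name}: {value}")
    match = GENERATOR_META.search(body)
    if match and "plone" in match.group(1).lower():
        # The generator tag survives a wget/CMFDeployment export, so it proves
        # Plone produced the page, not that Zope is answering requests.
        found["body"].append(f"generator meta: {match.group(1)}")
    return found


def static_looking_url(url):
    return urlparse(url).path.lower().endswith((".htm", ".html"))


def classify(url, raw):
    evidence = zope_evidence(raw)
    if evidence["headers"]:
        return LIVE
    if evidence["body"]:
        return EXPORT
    if static_looking_url(url):
        return STATIC
    return INCONCLUSIVE


# Constructed sample responses (not captured from any real site).
LIVE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Zope/(2.10.7, python 2.4.6, linux2) ZServer/1.1\r\n"
    "X-Powered-By: Zope (www.zope.org), Python (www.python.org)\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Set-Cookie: _ZopeId=\"0123456789AbCdEfGhIj\"; Path=/\r\n"
    "\r\n"
    "<html><head><meta name=\"generator\" content=\"Plone - http://plone.org\" />"
    "</head><body>about</body></html>"
)
EXPORTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><meta name=\"generator\" content=\"Plone - http://plone.org\" />"
    "</head><body>about</body></html>"
)
PLAIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>About</title></head><body>about</body></html>"
)

if __name__ == "__main__":
    for label, url, raw in [
        ("live", "http://www.example.org/about", LIVE_RESPONSE),
        ("exported", "http://www.example.org/about.html", EXPORTED_RESPONSE),
        ("plain", "http://www.example.org/about.html", PLAIN_RESPONSE),
    ]:
        print(label, "->", classify(url, raw), zope_evidence(raw))
```

Run against a real target by pasting the raw response (status line, headers, blank line, body) into `classify`; the point of keeping `zope_evidence` separate is that header hits mean a backend answered the request, whereas a generator tag alone is exactly what a CMFDeployment or wget export leaves behind.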