[Evangelism] Hack Plone! Win a Mac!

ctxlken ken.wasetis at contextualcorp.com
Fri Nov 27 21:24:21 UTC 2009 

I think it's a weak assumption that these two sites would have a 'live' 
Plone site.  Although, it is possible, I would think that due to some of 
the security and performance benefits,  and since we see '.htm' or 
'.html' URIs and no evidence in the response headers of Zope, that it's 
likely these security-conscious organizations are using some sort of 
'static deployment' strategy, as we've discussed at: 
http://www.coactivate.org/projects/plone-static-publishing/summary .

The Plone Static Publishing project on coactivate that I provided the 
link to above has had some discussion recently about a product called 
enpraxis.staticsite, although this seems like a young, immature product 
and so is less likely to be active on these two sites.  Instead, one of 
the options that has existed for some time - CMFDeployment or custom 
wget scripting - was probably used.

A static deployment strategy such as this would greatly increase 
security for a site, since there is no zope/database/dynamic 
functionality, open ports between front-end and back-end 
servers/services to worry about, and there are fewer moving parts in 
general to worry about, besides the web (httpd) server.


As for the hacking contest, here are some thoughts:

a) I'm in favor of having a contest that allows Plone integrators listed 
on plone.net to be involved, rather than all script kiddies in the world 
- maybe have one that is open to the world at a later date.

b) There would need to be some very specific rules that ensure that the 
found vulnerabilities must be in the Zope/Plone code bits and not 
Apache, Varnish, lighthttpd, ngnix, Squid, or some of the other 
front-end web servers/proxies used to get to Plone site content.  While 
it's still valuable to know about those types of vulnerabilities, our 
contest would need to be focused on code managed by the Plone community 
and not others, and the inclusion of web servers/proxies would make the 
contest pretty unwieldy to manage (whose favorite front-end do you setup 
for the test environment?).

c) I think that Mark's concern over seeming cavalier can be mitigated 
through thoughtful communication/messaging.  We wouldn't want to put a 
banner ad out taunting script kiddies to just hack away - we dare you!  
Instead, we could a) do our own internal hacking, document findings, 
open tickets, and address them, and then b) advertise the ongoing 
efforts by the Plone community in ensuring security of Plone and invite 
'white hat' hacker groups to register for the external hacking contest, 
assign a limited time period that the environment will be available for 
hacking, and give away whatever prize is determined. 

d) Plenty of hackers aren't going to want a Mac.  Some are just as 
suspicious of Apple or Google as they are of Microsoft, so perhaps some 
prize options could be listed.

e) Another option we could consider, rather than a wild, wild, west 
contest, would be to invite 3-5 professional security assessment firms 
to hack and post findings.  In return, they'll get some free advertising 
on plone.org and anywhere there are press releases done with the contest 
and results announcements.


-Ken


Karl Horak [via Plone] wrote:
> Just tossing my 2 cents worth in here -- if there were any Plone sites 
> in the world that hackers were already targeting, it would be FBI and 
> CIA.  I'm sure we would have heard of any failure there.  
>
> Meanwhile, I think the Foundation should sponsor a system of 
> clandestine honeypots out there and monitor them religiously.  
>
> Save the $$ on the Mac and pay Mark to get the msg out to the 
> professional CMS reviewers.
>
> Karl
>
>     Mark A Corum wrote:
>     If Plone had previously been weak on security, and had gotten its act
>     together, this might make sense.  But in reality -- where Plone is a
>     VERY secure system with a long-term record of protecting sites and
>     data -- this kind of circus stunt is not a good idea.
>
>     Mark
>
>
>
> ------------------------------------------------------------------------
> View message @ 
> http://n2.nabble.com/Hack-Plone-Win-a-Mac-tp4027160p4076342.html
> To start a new topic under Evangelism, email 
> ml-node+293364-1526811418 at n2.nabble.com
> To unsubscribe from Evangelism, click here 
> < (link removed) =>. 
>
>

-- 
View this message in context: http://n2.nabble.com/Hack-Plone-Win-a-Mac-tp4027160p4077534.html
Sent from the Evangelism mailing list archive at Nabble.com.

More information about the Evangelism mailing list