[Wolves] Scumbags Hack Xoops site

Steve Parkes sparkes at westmids.biz
Fri Oct 21 07:38:09 BST 2005


Dick Turpin wrote:
> On Thursday 20 October 2005 20:05, Steve Parkes wrote:

>> No open source CMS comes configured out of the box with a unique look
>> and your business solution installed.  Jobs for people with skills.
> 
> Them days are going, going, gone. True, there are still some juicy consultancy 
> jobs around, but remember my favourite (needs to be said in a strangled voice): 
> "Oh na mate, I can get it cheaper on eBay". These days everyone's a web expert 
> or MS expert; plug and play has killed us all, and so has the ubiquitous wizard.
> 

There is more web work around now than during the internet boom.

>
>> It's an application written in a client server style using an SQL
>> database.  The problem comes that what looks like a content oriented
>> management tool to you looks like a pile of wet shite held together with
>> sellotape to a developer, and a playground with free beer, crack cocaine
>> and whores to a cracker.
> 
> But you're not the one using it! It'll be Mr Business Owner, who sees the dollar 
> as the bottom line: why pay Mr S Parkes £1000.00 to make us a site when that 
> Joomla thing is free? Plus it must be good, it won an award, didn't it? And 
> Betty the tea lady can look after it.
> 
But it's not secure, and that was the point!

> I believe you when you say it's crap coding, I know you know your onions, plus 
> I wouldn't have the foggiest if the code was bad or not. All I do know is;
>
> And that's what everyone wants, an easy life :)
See point above.

> 
>> If you are telling someone you have a cool client server application
>> that anyone can edit your front page or get at your clients' credit card
>> numbers and passwords.
> 
> Be fair, that's not strictly true, is it? 

If one database query is insecure, anything on the site is insecure.  All 
your data can be read or even dropped in many cases.  It doesn't matter 
if it's not credit card numbers; you should treat all data with the same 
respect.


>> I don't care what age people are as long as they have a fucking clue
>> about what they are doing.  Spend ten mins around a FOSS CMS with Nuke
>> DNA and you will soon get to see the people pulling the shots are 100%
>> clueless about all parts of what they are developing apart from
>> submitting lines upon lines of code into the CVS.
> 
> Hang on, I'm not baiting you, I can sense the famous Sparkes wrath rising. 
> Due to that tirade you lost me a bit; we started this off in respect of the 
> product, and we seem to have moved on to slagging off the developers now. I know 
> what you'll say: "Shite developers = shite app". But that's not true, is it? And 
> to be honest, if it's just about cleaning up the code maybe you could help?
> 
Not a chance.  Been there, done that, got the t-shirt shop ;-)  My 
experience with helping these teams is already in the public domain.


>> It's not the same for all software.  Software with developers with a
>> clue have special teams for security auditing and tracking.
> 
> Behave, you're talking about an org that has some money who can afford to pay 
> for that sort of setup.

Debian spend close to zero, Ubuntu have one paid staff member, and many 
others are done by volunteers.  You don't need money to read a mailing 
list and respond when your rep is in danger.

> 
>> Within an hour or two of a Linux (for example) exploit being found it's
>> obvious which companies and teams have their fingers on the button,
>> because they release details to their communities listing the affected
>> products and recommendations.
> 
> Nothing new here, that goes for most products: a reactive response when an end 
> user notifies the vendor. If you look on the Joomla forum they released a 
> security update the other day. True, you need to be either on a mailing list 
> or visit the forum regularly to be aware of the issue, but it's just the same, 
> so I don't think that argument (as far as Joomla's concerned) is fair.
> 

My point is that historically these fixes have been late and the developers 
haven't been open about any problems. Why should I trust a developer that 
sweeps the security of my data under the rug?

>> For example this message about enigmail dropped into my box today
>>
>> ===========================================================
>> Ubuntu Security Notice USN-211-1          October 20, 2005
>> enigmail vulnerability
>> CVE-2005-3256
>> ===========================================================
>>
>> followed by the problem and the fix.
> 
> I bet you get lots of them :P

Only for products I use.

> 
>> MS do things their own way; it's not my problem, I'm not one of their
>> customers ;-)
> 
> Um, what's MS got to do with it? Although having said that, you can run a VM 
> Mambo server on Windows ;)
> 

You brought MS into it in the previous email.

sparkes
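The claim above that one insecure database query exposes everything on the site is the classic SQL injection case. The following is an added illustration, not code from the original post or from any of the CMS projects mentioned: it builds a constructed three-row users table in an in-memory SQLite database, then compares a lookup that splices user input into the SQL text with one that passes the value as a bound parameter. The table, names and password-hash values are invented for the example.

```python
import sqlite3


def make_db():
    """Build a constructed sample database (not data from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("admin", "hash-c")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable pattern: the caller's string becomes part of the SQL text.

    Whatever the caller supplies is parsed as SQL, so a value containing a
    quote can change the WHERE clause and the query stops meaning
    'this one user'.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Hardened pattern: the value travels separately from the SQL text.

    The driver binds the parameter after the statement is parsed, so the
    input can only ever be compared as data; it cannot alter the query shape.
    """
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    # An ordinary value behaves the same either way.
    print(lookup_unsafe(db, "bob"), lookup_safe(db, "bob"))
    # A value that is not a name: the unsafe query leaks every row, the
    # safe query correctly finds no user with that literal name.
    odd = "' OR '1'='1"
    print(lookup_unsafe(db, odd), lookup_safe(db, odd))
```

The second line printed by the script is the whole point of the post: with the unsafe query a single bad input returns every user in the table, while the parameterised query treats the same input as an (unmatched) name. SQLite's `execute()` refuses to run more than one statement at a time, so this particular driver blocks the "dropped" case mentioned above, but that is a property of the driver, not of the string-building code; the fix is parameter binding in every query, not reliance on the database to catch it.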