[Wolves] Scumbags Hack Xoops site
Steve Parkes
sparkes at westmids.biz
Fri Oct 21 10:28:25 BST 2005
Peter Cannon wrote:
> On Friday 21 October 2005 09:45, Steve Parkes wrote:
>
>> This is where you are wrong on the issue, good security needs to be
>> designed in and not added afterwards
>
> Hang on winkle nobody's wrong here its about choice and why you should and
> shouldn't make a choice.
Nope, the statement you made was wrong ;-) I don't begrudge you your own
ideas on this but you did make an incorrect statement ;-)
>
> Let's be up front here, I agree security or at least some implementation of
> security should come first but everything adds security on a regular basis,
> that's why we have Anti-Virus: because idiots write new viruses so people like
> Clam, Amavis etc write fixes (or alerts) after the events and not before.
>
We have viruses (not virii, because somebody (normally ginger ;-) ) points
out that's incorrect) because of poor implementations.
> It's not a good enough argument to say "Ah that's crap because you don't get a
> patch until it's been hacked", that can happen to anything.
I didn't say that. I said hacks are inevitable on such badly designed
systems. If I had some time in the next week (which I don't because
it's half term and I have just launched a business (check out nerd.ws,
plug plug ;-) ) I would find a hole in the FOSS CMS of your choice to
prove my point.
>
>> it's not about being amateur it's about being professional, an amateur
>> should have a professional outlook if they are offering a product like this
>
> You are an old grumpy git, aren't you? We all have to start somewhere and
> professionalism is learned over a period of time. How many times have you
> seen people spouting off, producing junk initially, but over time their
> output has got better and better? I don't know when these CMS packages hit
> the streets but I presume they have been around for a while. I have only just
> come across them in the last three months and they impress me.
>
Then they should develop systems that carry no security risk. We all
make mistakes and I released code this week that had a potential SQL
injection problem. The system would allow exposure of low-level data.
I fixed it and went public on the fix, and this is on a closed source
(because it's so bespoke it's useless to everyone else) application.
Total Disclosure ;-)
> Maybe I have a low expectation,
possible ;-)
> maybe I'm talking out my arse
probable :-P
> but the valid
> point is I'm impressed, which means I'll tell others about them and suggest
> using them; that's how things take off, a bit like your T-Shirt venture. For all
> I know they may be made in a sweat shop in Lewisham with badly woven cotton
> but I still think they look cool, probably fit me OK and will make others want
> one.
>
> You amateur T-Shirt seller ;)
> (You have to do six months to be professional)
>
You just have to have a professional outlook and develop professional
level skills. You can't go writing applications that require a certain
level of security savvy from the off. I have helped any number of
beginners take their first steps in programming and people fix security
problems in their apps.
In fact I can think of at least 3 people on this list who I have helped
patch insecure web code on their own sites after noticing the problem,
some more than once.
sparkes