PostNuke Open Source CMS Attacked
ValourX writes "This morning the developers of the free software content management system PostNuke posted a security announcement saying that a vulnerability in the paFileDB download management software allowed an attacker to put up a hacked version of PostNuke for download. That version was live on the PostNuke download site between Sunday at 23:50 GMT and Tuesday at 8:30 GMT. Proprietary software zealots are always saying that open source programs are likely to contain backdoors, but is this situation truly what they mean when they say that? NewsForge (part of OSTG) has the story."
This is offtopic, but why does it seem on this site that whenever anyone supports a cause that could be even remotely contentious they are labeled a zealot?
Monstar L
and how can we be sure that closed source software doesn't contain backdoors? open the source!
And M$ software does not contain any backdoors? If M$ and the (rest) of the proprietary/closed-source/hood-welded-shut consortium is going to make accusations of this nature, they should be able to back up their stance with, at the very least, an opposite and provable condition in their own software.
They have a very attractive website but this is the first I have ever heard of them, and try as I might I hunted high and low for a short, snappy answer to the questions of who are these people and what do they do? A link saying "about us" or a short paragraph explaining what they do would be a help. If I spent a bit more time there and trawled through the many articles I may have eventually figured it out, but my frustration threshold had already been passed and I had moved along.
Drill baby drill - on Mars
All I'm asking is can I get a Beowulf cluster of dat.
vicious, untreated political sewage...niche entertainment for the spiritually unattractive...worshipless pap
I prefer the backdoors that I can see and deal with to the ones I cannot.
How can this be to do with proprietary software and open source if it wasn't PhpNuke that was the cause of the vulnerability but a poorly written download management tool?
...?
From what I can see paFileDB isn't 'open source' (though its source is viewable, it's not licensed under a generally recognised Open Source License).
- Sadiq
http://www.syswear.com/ - Geek t-shirts
Wasn't there a company recently that basically had anonymous FTP access to its corporate servers for over a year? I think it might have been Diebold, a security company. Anyway, security is becoming a pissing match between OSS and proprietary software. All software more than two lines of code has security holes. All software has flaws, be it OSS or proprietary. Why is it such a big deal when one type of software has an issue such as this? The only real issue is when a piece of software or a company has a history of producing software with crappy security. Even then, it does not mean their choice of OSS v. proprietary is bad or wrong, just that they suck at security. E.g. Microsoft has a good process, but their products suck at security. BIND is a perfect OSS example of crappy security. Does that make one process better? No, I do not think so.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
Proprietary software zealots are always saying that open source programs are likely to contain backdoors, but is this situation truly what they mean when they say that?
No, because the same thing could happen with proprietary software. They say that it's too easy for an open-source project's maintainer to inadvertently merge a harmful patch, and to some extent, that is true. There are hundreds if not thousands of piddly little PHP projects knocking about that are done as learning exercises - are the maintainers of those projects always going to notice if a medium-sized patch that added a useful feature also contained an SQL injection vulnerability?
All that missing RDX that "could be used to detonate an atomic bomb"... if the insurgents had 8-10kg of weapons grade plutonium, lithium-6, beryllium, a sealed machine shop (so they don't poison themselves making it), and the skill to produce a perfectly symmetrical shaped charge.
And while that's not so bad, customers often don't understand its security mechanisms so they leave lots of folders writable as well.
Pretty embarrassing for $25K per CPU...
Proprietary software zealots? Huh? I've seen plenty of open source zealots, where zealot is defined (dictionary.com) as "A fanatically committed person." I've never seen anyone be fanatic about proprietary software. I've seen plenty of people say "I make money with proprietary software so that's why I do it," but never someone holding it up as a near-religious institution like the majority of OSS folks. Not that I'm saying it's bad to be an OSS zealot, but like so many things on slashdot, the person who submitted the article is mis-using a buzzword. How can a community that gets so pissed off about people putting i- and e- in front of things be so accepting of cultivating our own pile of buzzwords and overusing them?
And before you bother with the standard joke, no, I'm not new here
Could anyone post a list of websites which might have downloaded and installed that backdoor so we could avoid posting any sensitive information there until we know for sure that the problem has already been resolved? Just looking at a website it is not always obvious which content management software is being used and whether any such software was installed on that server at all (e.g. there can be lots of virtual servers on any physical host, some of them using that software, while others do not). I wouldn't want to send my credit card number (or even an email address) to any website hosted on a backdoored server.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
When I started, the USENET application would inform me that my message would be spread across tens of thousands of computers at immeasurable cost as a subtle hint to keep things interesting, and Internet Chat required some basic knowledge of Makefiles and attention to documentation before you could run a client. Frankly, things became unmanageable at the point the Internet was made accessible to anybody with a web browser; anybody who's been around this long knows what I'm talking about.
It's a short hop to realizing that the problems we're experiencing with exploits, virii and worms are the same problem. Intimate knowledge of x86 assembly used to be a requirement -- along with a malcontent-type disposition -- in order to wreak the sort of havoc that today requires fifteen minutes and an Effective VBScript In Fifteen Minutes manual. Every document is now a program, and e-mail doubles as FTP.
Many experts believe we should raise the barrier of entry by requiring programmers to undergo education, certification, and maybe even an oath to do no harm as part of the certification process if going into a security field. It used to take years to do what kids today can do in months; additionally, a would-be programmer who spends a few months picking up Visual Basic or whatever has hardly learned the fundamentals of programming any more than someone who reads a manual about his DVD player has become a laser engineer. I suggest that the field and the general user experience would be greatly enhanced by limiting access to compilers/assemblers (by means of pricing and with the cooperation of the open source community) and by separating macros or other executable content from documents.
It makes more sense than trying to go out and educate every user. Think about it; in what other field do we "educate" "users"? We don't try to educate people with electrical outlets and let any curious individual perform as a licensed electrician. We don't "educate" passengers and let anyone who cares be a bus driver give it a try. Why are things always so difficult when it comes to computers?
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
The beauty is that now that the vulnerability is known, there are already people out there working to fix it.
No software is really 100% secure. They may always have some bugs or vulnerabilities. The cool thing about Open Source is that these vulnerabilities are quickly identified and patched, simply because the information is not proprietary. Compare this to Microsoft where some person finds an exploit, or when suddenly computers start getting slammed by a new virus that exploits a new vulnerability. In this case, the vulnerability is known, but it takes them a while to come up with a response.
I don't see how this means that open source software is most likely to have backdoors. {/tinfoil hat on} I'd be more afraid about some corporation having a backdoor in their software that allows them to get my information. What is there to stop them from doing that? Isn't their code proprietary? Who can look at it? They can deny it, but how will they prove it short of opening their proprietary source? {/tinfoil hat off}. So saying that Open Source is the most likely to contain backdoors is a ridiculous proposition. Yes it may, but by its very nature, open source code is open to inspection and it doesn't take someone long to notice a backdoor and make it known to the community.
Vivin Suresh Paliath
http://vivin.net
I like
NSA_KEY
oh no... we never get any patches submitted! and I do mean never.. sorry but it just doesn't happen. that's not even an issue. :)
Even better would be if GNU tar supported such signatures automatically. For example if the file extension was "tar.pgp", it could force checking the signature, and if it wasn't found or it was invalid, it wouldn't do anything. That way I wouldn't ever have to think about verifying it - I could see from the file name that it should be valid (of course, getting the trusted pgp keys might require more work..). Oh, and of course the .tar.pgp would be backwards compatible with standard tar; they would just contain some extra "checksum.pgp" file or something.
please stop doing that [using 'M$'], as it was very clearly gay a good 5 years ago.
Wouldn't -any- form of downloadable software be vulnerable to this? It seems to me the issue here isn't that the software is open source so much as that the software is downloadable. Proprietary versions of a product can also be hacked. It's just that distributing the software via shrinkwrap (mostly) prevents hackers from inserting a hack into the product, not the fact that the software is proprietary. It's true that open source products tend to be downloadable more often than proprietary products, but it's not their "open sourciness" that makes them vulnerable to this particular problem, just their downloadableness.
I hope that after I die the one word people use to describe me is "resurrected."
hmmm, I have always thought of post nuke, as a big smoking hole in the ground. (/me is scarred for life by knowing what was happening during the Reagan administration)
Now apparently they have discovered a big smoking hole!
Ok, I deserve a troll, or offtopic mod for that crap, but if all else fails just leave it at 1 and it will be just fine.
Like arts? Like cheesy little Indie mags? Check out www.artwerkmag.com, and don't laugh at the bad coding please.
You must be new here.
Or just not yet cynical enough if you have not learned to accept the double standards that abound around here.
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
What truth?
There is no dupe
This would not have happened and would have been detected if the packages were signed. Maybe it's time for the open-source community to think of a standard way to sign tar files. A standard way that would be checked by the tar program itself.
You get a tar ball; tar verifies that this tar is signed, and it checks the signature with either a local or remote public key. If it matches, it prints out the name and email for which the signature is valid. If those match with the developer you're safe (well, at least if you trust the developer himself).
Why tar? Because we need a signature for pristine sources, the ones that are used to create the packages (rpm, deb, whatever) that are usually already signed by the distribution.
[]'s Victor Bogado da Silva Lins
^[:wq
That's new to me, what I've read has always been the other way around, we have to worry about backdoors in closed source stuff, and that's by design!
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
The vulnerability in this case was in the non-free download utility. Woops.
Doesn't Darl fit the bill?
I like using that joke on people with 4 digit or less IDs.
AnimeNEXT anime convention
Wouldn't that be... the whole world, mostly?
If guns kill people, then CmdrTaco's keyboard misspells words.
You must have never gone to a .NET developer meeting. A few people in the CIS dept (the business side of IT, not the engineering folk) had such a club going, which I attended a few times for the free food, tshirts, copy of WinXP, copy of Dev Studio, etc.
These guys would claim Microsoft had invented the Sun, and should be worshipped for such an achievement. It really was interesting to observe.
At one point I won a door prize of my pick between several "writing secure code" books by MS Press. I said if I wanted to learn how to write secure code, I think I could find someone better than MS to learn from... everyone just stared at me slack jawed.
no comment
Or does there seem to be a lot of sites with PHP implementations having security issues? I know that it's not the fault of the tool as much as the fault of the mechanic. But sheesh. To me it seems as if PHP is on par with Visual Basic in being a springboard for insecure code.
As gay as Bill Gate$?
1) Submit story of ObscureProduct(tm) describing "fixed" security breach to Slashdot
2) Wait for millions of Slashdotters to check out website of ObscureProduct(tm)
3) Profit!
Yeah, those people calling free software a "cancer", unAmerican, and free software users "thieves". The people who put up Steve Barkto and continue their efforts with people like you. They are constantly going on about "fairness", "balance" and all that while themselves post the most vile garbage and run shakedowns like the BSA and SCO, which threaten and ruin people and businesses. They have even sued school systems. Not content to look bad in the media, they have purchased NBC! That's some of the most self righteous stuff out there. If that's not fanatically committed, what is?
Yet you would compare greedy jerks like that to people who expect no financial reward for their code or those who notice that free software is generally better than non free software? OK.
Of course, it does not work. People and companies are judged by what they do, not what they say.
Friends don't help friends install M$ junk.
I remember several SQL injection exploits for PHPNuke that seemed to be widely deployed in the script kiddie community. I am not sure if the underlying reason these packages are so vulnerable is pure sloppy programming (which seems to be present in a fair number of random PHP scripts out there - I won't comment on PostNuke in particular since I don't know it), the fact that they try to do so much functionality-wise leading to a lot of under-tested, under-reviewed code, or that they tend to be modular in nature, with lots of third party developers writing modules that end up getting widely deployed by users of the CMS, and thus being of more variable quality than you would expect if every check-in was reviewed at least somewhat centrally by the core developers.
So in short, it's more likely a function of there being a lot of crappy code with obvious exploits in it AND that code being Open Source, however you explain that crappy code being there in the first place.
I've never seen anyone be fanatic about proprietary software. [] ...but never someone holding it up as a near-religious institution...
Well then I've got four words for you...
Watch Ballmer be fanatic about his near-religious institution in a way that would put charismatics and snake-handlers to shame.
Please stop using "gay" to mean passe. That's not what it means.
I dislike the term 'zealot' though. I would say 'enthusiast.' The term 'zealot' is just a blatant piece of invective designed to denounce someone, like a recent Fox News article that referred to groups opposed to sprawl as the 'anti sprawl mob.'
Personally I would be a fan of any well-written software that lets you do cool stuff be it open source or proprietary.
Drill baby drill - on Mars
Anti-Open Source zealots would be more appropriate.
Or just not yet cynical enough if you have not learned to accept the double standards that abound around here.
Ah, but Slashdot's double standards are Open Source!
I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
Bill Gate$ may be gay but he is definitely not passe!
I contracted for Palm once. They wanted to implement a new bug-tracking system. I pointed out to them Bugzilla, which had all the features they required. Their answer: "sorry it's open source, we can't use it." Instead they spent $100k on a closed source program that did nothing, then spent more $100k's on another closed source program that required an annual maintenance fee of $10k's, and still needed some kludges to implement all the requirements.
I'd call those folks proprietary software zealots.
Proprietary software zealots are always saying that open source programs are likely to contain backdoors, but is this situation truly what they mean when they say that?
Mr. Matzan, I question why the editors would accept a submission by you that was nothing but copy-and-pasting the first paragraph out of your article on News Forge into the Slashdot submission box.
Regardless, I object to the assertion you've made above. No respected person, zealot or otherwise, has ever said that "open source programs are likely to contain backdoors." The article you cite for this assertion is Steve Lipner of Microsoft making some observations about the difficulty of security, and contrasting the security process behind open and closed source software. His claims may be questionable, but they are serious and they do deserve a meaningful response. Dismissing those claims by building a snarky little strawman through mischaracterization is not the response they deserve.
Think you can post something without bullshit smug comments?
Oh, I see you mistyped "slashdot.org" instead of "zdnet.com" in your address bar.
Slashdot has never pretended to be CNN. If you want "unbiased" news, go elsewhere.
This security flaw was discovered in three days, unlike the security hole found in Microsoft Passport last year. From the article...
Extortion using information gathered from hacking into corporate sites has been happening for years. I've seen reports that say it actually is rarely reported to the public, and that the situation is much worse than people know. The fact that a site that deals with open source has been targeted would be expected. And because the nature of open source deals with open collaboration, it would have a disproportionate amount of publicly revealed reports of hacking, in comparison to proprietary sites that would keep things under wraps as much as possible.
A site is responsible for distributing an application based on a platform that's been a script kiddie playground for years now.
The site gets its source code repositories compromised.
The site's maintainers apparently don't verify any MD5 checksums on a regular basis.
The general public knowingly downloads said compromised source code without verifying any MD5 checksums either.
Boy oh boy. I thought Windows "experts" were clueless.
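The post above faults both the maintainers and the downloaders for never checking the published checksums, and the signed-tar proposal elsewhere in the thread wants the archive tool itself to refuse unverified releases. As an added example, not code from PostNuke, paFileDB or any poster here, this Python script checks a release tarball against a published per-file digest manifest (in `sha256sum` output layout) and against a whole-archive digest; the file names, contents and manifest are constructed samples.

```python
import hashlib
import io
import tarfile

# Constructed sample release: what a maintainer would have published.
PRISTINE_FILES = {
    "postnuke/index.php": b"<?php echo 'hello'; ?>\n",
    "postnuke/README": b"PostNuke release (constructed sample)\n",
}

# Constructed tampered copy: one shipped file altered, one extra file added.
TAMPERED_FILES = {
    "postnuke/index.php": b"<?php echo 'hello'; ?>\n// altered after release\n",
    "postnuke/README": PRISTINE_FILES["postnuke/README"],
    "postnuke/modules/extra.php": b"<?php // not in the published manifest ?>\n",
}


def build_tarball(files):
    """Pack {path: bytes} into a .tar.gz held in memory (fixed mtime, 0644)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def manifest_for(files, algo="sha256"):
    """Per-file digests in the 'digest  path' layout that sha256sum prints."""
    lines = [f"{hashlib.new(algo, files[n]).hexdigest()}  {n}" for n in sorted(files)]
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Read a sha256sum/md5sum-style manifest into {path: hex digest}."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split(None, 1)
        expected[path.strip()] = digest.lower()
    return expected


def archive_matches(tar_bytes, published_hex, algo="sha256"):
    """Whole-archive check, the kind of MD5/SHA line a download page shows.
    MD5 is accepted for old manifests but is no longer collision resistant."""
    return hashlib.new(algo, tar_bytes).hexdigest() == published_hex.lower()


def verify_tarball(tar_bytes, manifest_text, algo="sha256"):
    """Compare every regular file in the archive with the manifest.

    Returns (ok, problems). A release is rejected when a file's digest differs,
    when a file is missing, or when the archive carries a file the manifest
    never listed (an added file is as suspicious as a modified one)."""
    expected = parse_manifest(manifest_text)
    problems, seen = [], set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            seen.add(member.name)
            if member.name not in expected:
                problems.append(f"unexpected file: {member.name}")
                continue
            actual = hashlib.new(algo, tar.extractfile(member).read()).hexdigest()
            if actual != expected[member.name]:
                problems.append(f"digest mismatch: {member.name}")
    for missing in sorted(set(expected) - seen):
        problems.append(f"missing file: {missing}")
    return (not problems, problems)


def demo():
    """Run both releases against the manifest published for the pristine one."""
    manifest = manifest_for(PRISTINE_FILES)
    pristine = verify_tarball(build_tarball(PRISTINE_FILES), manifest)
    tampered = verify_tarball(build_tarball(TAMPERED_FILES), manifest)
    return pristine, tampered


if __name__ == "__main__":
    for label, (ok, problems) in zip(("pristine", "tampered"), demo()):
        print(label, "OK" if ok else "REJECTED", problems)
```

A manifest fetched from the same host as the tarball can be replaced together with it, so the check only carries weight when the digests come from a second channel or are covered by a signature made with a key kept off the download server.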
My website in its original form was done in PostNuke. I had a hack of a time getting the forums stable.
Because of the editorial content that I did there - the accused used the crashing forums [and subsequent deletions of content] as a way to question my credibility as a source of reliable information.
It was also next to impossible to find content within the substrings of data - if you wanted to rebuild the crashed data.
Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
At one point I won a door prize of my pick between several "writing secure code" books by MS Press.
CIS people are managers who generally learn everything they know about computers from Microsoft-sponsored developer meetings. It's an incestuous little relationship, much like the one between doctors and drug companies. It's not healthy for anyone but Microsoft, believe me.
Regardless, you should have taken one of the "writing secure code" books. Microsoft does employ some very smart people, and the Microsoft Press books are often reasonably good. As a publisher, I personally rank them on about the same level as O'Reilly or Prentice Hall/Sun Microsystems, though not as good as Addison Wesley.
An old friend of mine managed to gain access to quite a prominent open source website a while back and through that into their sourceforge download page. He modified the source code to, indirectly, send him install & set-up information once the software had been installed.
Now, the website never found out and to this day believes it was sourceforge that was attacked, so they were running an insecure website for a long time, when they're the makers of very prominent CMS software (they've since changed servers), which doesn't fill me with confidence.
FYI
The extra code was spotted a couple days later.
This brings up 2 things: are the makers of open source software competent enough for you to trust blindly? and, in my experience, it gets found out pretty quickly anyway (wouldn't be surprised if there's geeks that read through sourcecode just in the hope of finding such a backdoor - for which I owe gratitude).
But sure, the problem may be found out, and fixed within a couple of days, but it still begs the question of what true safeguards are in place to ensure the software you download is pure, 100% of the time.
... for a particular CMS system? PHP-Nuke, Xoops, PostNuke? Any others that may not have these exploits? Just wondering what people out there are using/have used.
No
...and all move to slashcode already. :D
Oops, how did this get here?
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
"Writing Secure Code" is actually an excellent book. Your prejudices cost you an opportunity to score it for free. That's a shame for you.
You're the zealot he is referring to.
-1, Redundant - started post with "The (beauty/power/other effusive adjective) of Open Source...."
I've been hosting a phpnuke site for a couple years now. I do my best to keep the CMS software updated, but it has been hacked three times already. The modules and the CMS itself fall prey to exploits all the time and there is an army of Brazilian script kiddies who constantly search for susceptible websites.
I would strongly discourage anyone from considering nuke as a CMS. It's just too much of a headache. Especially when you deal with the modules for which the patches are unwieldy to apply or go unsupported.
$5 / month hosted VPS on linux = awesome!
I love how the news sites always use the term "attacker". We all know it was Doug, you know it and I know it. And thanks a lot Doug! You jerk!
--I'm not talking about dance lessons. I'm talking about putting a brick through the other guy's windshield.-
Every time I see something like this I have to laugh. The oldest (read, first fork) fork of PHP Nuke is myPHPNuke, and in all their years, they have had only one proven security flaw. In fact myPHPNuke is the most forked nuke based CMS next to PHPNuke itself. One of those forks, Social MPN, puts the rest to shame; it allows for any number of websites to be installed from their multi-site system, truly a unique offering in the Nuke CMS realm.
Jew, Muslim, or, to put it generally: theist.
Truth is like a shining mirror that's been shattered.
Yes, so we can avoid them. There is nothing funny about that. The point is that all of them should be immediately shut down until the backdoors are closed and the issues are resolved.
Do you really think that it was an amateur script kiddie job? Do you think that someone who managed to backdoor that software will be unable to find affected websites?
Let's stop being so naïve. I believe it is more important for people to know that someone might steal their credit card number than the temporary inconvenience of website owners which would be pressed to shut down their websites to quickly resolve the issue.
Keeping vulnerable websites secret is not even a security through obscurity, because attackers can already find those websites without any problems. Meanwhile, normal users are not notified when someone installs a backdoor. Normal users don't run network scanners. Normal users cannot read webserver download logs. And those very normal users are at risk here. They have the right to know who is serious about protecting them from credit card theft and who is not. They have the right to choose who do they prefer doing business with.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
In one breath you say that the internet was better when people had to know how to use makefiles (programming tools) to gain access to fora.
In the next breath you decry VBScript access by poor programmers.
Then you finally propose limiting access to compilers using price or whatever.
This is not logically junct. The whole first premise of fora access having been subject to control by having an effective "entrance exam" of getting the code and compiling it does nothing to support your later position that access to compilation tools would make things better.
How this is "interesting" is beyond me.
You don't make better citizens by removing access to society. So you don't make the net better by bemoaning ready access to compilers. IT ISN'T THE COMPILERS' FAULT that the net citizens have a certain "wacko" contingent that thinks it is a game of cops and robbers. Limiting access to compilers "via price" isn't going to stop the thieves from stealing the compilers to do the jobs anyway. They're criminals and they know how to do things like copy compiler CDs.
In point of fact, if everybody on the internet had to get, marginally port, and build their own client and server software people wouldn't take the net for granted so easily. That would be interesting, but it isn't even a practical thing to wish for.
Your "thought" is, by direct allegory: When I first learned to drive we didn't even have to lock our cars. Nowadays anybody with a coat hanger can unlock a car. Coat hangers should be a controlled commodity.
HUA?
The facts are simple.
Some small percentage of people will go where they are not wanted and do unpopular things. We don't know why, because it varies from case to case. We lock our cars and we lock our homes, and we have banks and armored cars.
But the internet is made out of screen doors and cardboard walls, mostly because that is the highest standard of construction most of the people on the internet are happy to have, and they are willing to pay good money for someone to hose the cardboard down for them to make it "soft and easy to work with."
Whenever someone gets all surprised that their unlocked straight-from-the-box system got "hacked" because they didn't even take the minimum required effort to read the manual and follow the required steps, my heart only bleeds so much before I lose interest.
Don't get me wrong. My home firewall (slackware linux plus customized firewall script I found on the net) takes *dozens* of nominal attacks a minute. In particular there is some script that about 40 different addresses have run against my system in the last five days, sending the same series of user-name-and-password sequences to my sshd. (A new exploit in the field or just a new script-kiddy example of some old one? who cares...) That PISSES ME OFF because I could be using that bandwidth to raise my points-per-hour on UT2004, get my email faster, or whatever, but it is soaked up in these little bursts of trespass. I've got the IP addresses of these intruders and I wish there was a way to do something about it. But it's a cable modem so what are you going to do? You protect yourself and you wait for the novelty to wear off, or for the *default* security on the net to get good enough for this kind of random IP attack to become sufficiently unprofitable and uncommon.
Let's face it, if Microsoft was not such a *crappy* software company, most of these port-scan fishing expeditions would never have even come into existence. It didn't require access to a compiler to figure out that IIS could be owned by adding double-dot elements to a valid URL to reach the root folder on Windows based servers. It doesn't take much at all to make a dictionary attack on a site.
Turning the internet into a vast field of X-Box appliances that can only be accessed by "trusted corporations" isn't a viable direction. And any "let's make it expensive and controlled" to any degree short of complete draconian separation w
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
There are plenty of alternatives. A quick search at freshmeat.net for CMS reveals many when sorted by popularity. I'm still using nuke because I have too much content invested in the architecture to easily switch now. But Plone looks good to me. I suppose it mostly depends on what a publisher is looking for in features. I was originally attracted to phpNuke because of all the modules and huge development community. Now I've found that it's the modules that provide most of the security vulnerabilities, so I've had to disable them all.
Running your site on a popular publishing platform is great except that there are hundreds of krackers hunting exploits in the software and when one is found, there are hundreds of attackers searching google for sites running the software with the vulnerability. Although obscurity is no reliable form of security, I would prefer it to being a high-profile target.
$5 / month hosted VPS on linux = awesome!
It's well known to be riddled full of security holes, it's horrible to maintain or extend, it looks and feels unprofessional, and it falls apart under pressure.
Kids, if you want a real content management system like grown-ups use, you should download Plone. It's high quality free open source software, it works great right out of the box, it's secure, and it cooks a lot better than a 60 watt lightbulb.
-Don
Take a look and feel free: http://www.PieMenu.com
OSS critics fail to realize that Open Source refers to the style of license that the software has. Open Source is not really a "brand" like Microsoft.
This particular software may not be extremely well written. It just so happens the authors decided to GPL it, making it Open Source. Just sticking a license on the software and revealing the source code doesn't magically make it good or bad.
There are plenty of bad programs released under the GPL, just like there are plenty of bad closed-source products out there.
"You spoony bard!" -Tellah
Technically it's a good book.
But I don't see it as a shame on him; how was he supposed to know?
If I saw a babysitting book by that British nanny that was deported a couple of years ago I would probably pass too.
Go on, you know you want to - respond as AC if you need to. :)
creation science book
It WASN'T designed with security in mind. (not to mention php-nuke, heh).
I wonder if the "nuke" in the name already gave us a hint?
Plone runs on top of the Zope application server. Zope is quite secure, and it scales up reliably to manage huge web sites, like The Boston Globe.
-Don
Take a look and feel free: http://www.PieMenu.com
How many millions has Ballmer made from being "fanatic about his near-religious institution"? If I was snorting coke off a 20 thousand dollar hooker's ass with a rolled up hundred dollar bill, I might become a bit fanatical too. That still doesn't show a trend in "real people."
I thought that BIND 9 was actually pretty good in the security department. At least it seems to be much better than 8 or 4. Or am I wrong?
----- Question authority, but not ours. Hate the man, but we're not him.
I'm getting a kick out of looking at the moderation happening to my post here. I rehash a tired slashdot joke like "Real Ultimate Power" and I almost always get +5, funny, but I post a real opinion on the way people think around here, and I get "overrated" (pussy mod afraid of metamod) and "flamebait". Flamebait? Smoke crack much?
I'm going to rehash an old joke, which, surprise surprise, I got +5'd on. This post is off topic, I'm bitching about the moderators, so I should get modded down. Because I've said I will get modded down, by reverse psychology I will be modded up. And now it's back down again. And up... and down...
I wonder if some mod has smoke coming out of his ears right now.
The scary thing is, I think I'm starting to look like a troll, because I karma whore with jokes once in a while, and then a lot of my other posts bitch about how stupid people around here act. I promise I'm really not trolling or trying to start flamewars, I really think the majority of intelligent people around here must share some of my opinions and be baffled at the way this community acts. It's a fascinating phenomenon. I think a line from Men in Black said it best... "A *person* is smart. People are dumb, panicky, dangerous animals and you know it."
Well, you may not be new here, but I can assure you that I am surrounded by M$ fanatics, who waste millions of (tax) dollars buying M$ crap for public education, when there are far better OSS solutions available. I deal with constant subtle (and sometimes not so subtle) pressure to give up linux and join the Dark Side ;-) at work. Of course, I smile as they spend their lunch hour dealing with M$ network and OS problems, while I actually eat lunch! :-) They refuse to even step inside my lab and look at linux...so I guess, in addition to being closed source fanatics, they are close minded fools as well! :-)
-- "May the Source be with you!"
Zeal means passion. There is nothing wrong with it. Accusing someone of being a "zealot" is like accusing someone of having an opinion.
IMHO, the term has a negative connotation because of religious fanatics.
Next time, smile, take the book, and sell it on ebay, then donate proceeds to an OSS project ;-).
Or just use it for an endless series of jokes..."...my PHB said he was concerned about all these M$ security problems, so I told him: 'No problem, I have the M$ security bible right here...ROTFL'..."
-- "May the Source be with you!"
Fellow I know worked for AT&T back in the day and claims he installed a back door on the SysV source tapes and it has been in distribution since. He lives high on the hog with no visible means of support, so who knows...
so I guess, in addition to being closed source fanatics, they are close minded fools as well!
You've actually spelled out the gist of my whole argument. I don't think they are closed source fanatics at all, but they ARE closed minded fools. Using what you are familiar with because you are scared of change doesn't make you a zealot, it makes you timid. I don't think the hordes of people out there using MS, and even advocating its use, are doing so because they adore closed source software, it's because they don't understand the benefits of open source, and haven't been educated enough to change their closed minds, or even to make an informed decision about the choices and think for themselves. Instead, they are mostly doing what they've always done, because familiarity breeds comfort.
To use a religious analogy, and please don't jump down my throat thinking I'm attacking Christians. I'm not. A closed minded Christian might lobby to have evolution removed from a school curriculum. A zealot Christian might scream at you and call you a blasphemer for even bringing up the subject. Both are difficult to deal with, and even annoying, but a closed minded person has a small chance of having his mind changed if forced to face the facts. A zealot is more likely to lash out at you when cornered.
A zealous pursuit of profits is called greed. When you do it at the expense of others it is criminal. Calling people names is also known as Slander, a crime. Lying about the capabilities of something you are selling is a form of fraud. Threatening people you do business with is called extortion, also a crime. Threatening people with lawsuits is judicial extortion, another form of fraud. Manipulating stock prices is also fraud. If these are your heroes, you may also be a criminal, extortionist, liar and fraud.
Here's the real nitty-gritty... if you are a strong supporter of open source, you are doing it for intangible reasons.
Like love of truth and fellow man? Maybe, and that's not a bad motive. It might also be a form of reputation protection. You see, people I lie to have a tendency not to trust me anymore. Without trust, I don't have much business. It's in my best interest to honestly evaluate things and faithfully report what I find to friends and business associates.
While stock prices might not exactly be tangible, the new Ferrari sitting in the garage sure as hell is. In the proprietary software world, it all comes down to the Benjamins.
So, what's your motive? I imagine you don't have a Ferrari in the garage and know that you won't get one trying to sell Windoze software these days.
Friends don't help friends install M$ junk.
Why would anyone ever trust a developer release? Seriously, I download something from the developers' site once in a blue moon when I'm working on the code. Any other time, I wait for a system integrator to worry about all of the issues that I don't have time for (does it play nice with the other 750 packages I have installed? is it a substantial change that is going to break compatibility with other systems? Did important bug-fixes get picked up or do they need to be re-integrated with this version? Are there any new security issues? etc...)
Why on earth anyone would want to take on all of that work just to get some features a few months early I can't imagine. I have better things to do with my time.
You have to admit that being gay has lost quite a bit of its cachet. So perhaps gay and passe are in fact synonymous.
I'm guessing it is Microsoft Content Management Server.
Who else but Microsoft could get a PHB to fork over 25 large for a CMS that is no more capable than some of the free ones out there? Also, the phrases "World Readable" and "World Writable by default" smell of old Microsoftware.
While I appreciate PostNuke and all the PHPNuke spinoffs that have appeared over the years, they all have contributed to making PHP seem like a poor language choice, given their failure to enforce standards or even properly review the code they incorporate. Does it work? Ok, let's use it. Did it break anything? Ok, distribute it. I have personally designed 3 CMS systems and worked on 2. Never have I failed to review and comment EVERY SINGLE LINE of code, nor have I ever incorporated or written any code that has directly resulted in the systems being compromised. I tried installing PHPNuke all of 6 months ago and it was a mess. In my professional opinion, I cannot recommend PHPNuke.
No I am not here to push any other package nor to encourage ppl to "write their own" when I'm sure you can dig up preferable and reliable alternatives from as far as two years back.
Often wrong but never in doubt.
I am Jack9.
Everyone knows me.
BIND is the market leader, and there is more info out there than for any other DNS. Its security issues are overblown (as they are not issues in the latest version). It is rock-solid stable and consumes relatively few resources.
I'm open to suggestions, save for one perhaps: Microsoft's DNS. The MS implementation is (or long had been) broken in terms of complying with specifications. In my experience it was less reliable as well. BIND9 hasn't caused *me* any real problems anyways--it even does dynamic DNS with my DHCP clients without a hitch (once I figured out how to config it).
So, lemme get this straight.
(1) Microsoft sucks.
(2) Linux rocks.
(3) I must be an ass to the MS people -- by ruining their meetings.
Let's see, if the situation were reversed, and a MS zealot went to your Linux meeting... how would you feel? You'd probably laugh at them and think of them as stupid for doing such and later on somehow blame it on Microsoft.
Hmm... makes me wonder what they think of you and how much of an idiot you are for doing that.
I see you really gave them a shot... uh huh... right...
PHP-Nuke (which PostNuke is a fork of) has always been known for being hideously insecure, with most of the vulnerabilities either to do with not checking supplied variables (SQL injection) or admin.php (the admin script for adding news/downloads/forums/etc).
downloads.postnuke.com was using a copy of paFileDB modified to be integrated as a PostNuke module, which would shift admin access for the downloads over to PN's admin.php. Could it be possible that the intruder got access to it via an admin.php vulnerability?
"With Microsoft, you get Windows. With Linux, you get the full house" - unknown
"The thing is, it was not the result of a malicious code infection, but a direct addition by the original Borland/Inprise authors done before the program was released as open source"
So, an admin type back door, not a hack.
What is PostNuke (PN)?
postnuke: an open source content management system
Some may see PN as a weblog or content management system. But PN is more, PostNuke is a community, content, collaborative management system, a C3MS. It's your electronic toolbox, a set of tools allowing you to build a dynamically generated web site in minutes.
http://docs.postnuke.com/index.php?module=Static_Docs&func=view&f=/aboutpn/whatispn.htm
I see that you are fluent in Gibbering Moronese. Unfortunately, I'm not. You generate more waffle than the waffle making machine in a waffle factory. Your post is an orgy of stultifying cacophonous verbal depravity; an exercise in literary impotence, and an offense to all of good taste and decency.
You read like a gimpzoid teenager splashing spit onto the monitor. Don't you ever have a point beyond giving your fingers some exercise by dancing them randomly over the keyboard? You are obviously suffering from Clue Deficit Disorder. However, I'll consider letting you have the last word if you guarantee it will be your last. Oh well, as the late Douglas Adams said: "You live and learn. At any rate, you live."
I'm busy trying to imagine you with a personality. Maybe you'd be less boring once I got to know you, but I don't want to take that chance. Do yourself and everyone else a favor: take a fatal overdose of your medication. Maybe you wouldn't come across as such a jellyfish-sucking mental midget if that pimple on your ass hadn't turned out to be a brain tumor; if you weren't so fat that your local 'All-You-Can-Eat' buffet had to install speed bumps, or if you didn't have a face that makes your dentist treat you by mail-order. Who am I kidding? You would.
In conclusion, why don't you go away and play Russian roulette with all chambers fully-loaded?
Frankly, I'm surprised we don't see more problems like this in widely used open source systems like this.
I look at this infrequency as a testament to the development skills of the community at large.
scott king
PostNuke was split from the PHPNuke code a few years ago and they have gone very different ways. PostNuke is much more secure and better coded. It is also truly open source, unlike PHPNuke's pay-to-get-the-latest-version scheme.
You should meet my professor, he is most definitely a proprietary software zealot.
"Linux and all open source stuff is just crap."
"Windows is more secure than Linux out of the box."
"Windows is cheaper than linux."
On his website he claims to be a Linux expert...
Pick a Microsoft ad campaign and this guy will regurgitate them in the middle of class.
Reading the article you may wish to note the fact that the PostNuke software package does not contain the exploit. It was the download management software they use to distribute the package called PostNuke that was exploited.
Simply put, what was exploited was not code contained within PostNuke but instead a package called paFileDB.
It would seem everyone is saying it's the PostNuke team's fault. If you're going to jump someone's case you should actually go after the developers of PHPArena.
Could you get over talking about PHPNuke and PostNuke in the same sentence. PostNuke no longer has much in common with PHPNuke other than the history. The code is different, the focus is different and it is usable as opposed to PHPNuke.
The only thing PostNuke has in common with PHPNuke is history. PostNuke's code has gone miles past PHPNuke, if you don't believe me then take a look for yourself.
With respect to PostNuke security, well the issue published on the site has nothing to do with the PN code. The software hacked was a commercial product.
It is frustrating to see all the coding snobs around here denigrating and trashing work created by talented volunteers, distributed freely, and used by millions of people around the world.
While I understand what you are trying to say I disagree with the " if I wanted to learn how to write secure code, I think I could find someone better than MS to learn from" statement.
Don't do != Don't know how to do.
I am not a security guy at MS, but I happen to know a bunch of them. They are, for the most part, VERY good at what they do. However, for better or for worse, there are other factors that dictate a certain course of action. Say, for example, brain dead upper management.
"Consistency is contrary to nature, contrary to life. The only completely consistent people are the dead." A. Huxley
I didn't blame the core developers directly in my posts. But yes, they do share the blame. They should have constructed the handles for modules such that no module can touch the database directly. As it is, SQL injections are rampant in the third-party stuff. It shouldn't be a matter of the module developers following guidelines. It should be a matter of what those developers are allowed to do via the code interfaces.
But I was cutting them (the phpNuke core coders) slack because they have worked their asses off building something cool that they believe in. The people who really deserve criticism are the vanity krackers who deface all the phpNuke websites.
I'm glad other posters in this discussion have differentiated post-Nuke from phpNuke. I wasn't aware that the new generation CMS is safer. Still, when I get around to migrating my site to a new CMS, I'm going for something a little lower-profile than Nuke. I'd also like to obfuscate the paths so URL searches won't help krackers find my site on google if a vulnerability is found.
$5 / month hosted VPS on linux = awesome!
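The two points made in this thread, that most Nuke module holes come from unchecked supplied variables reaching SQL, and that the fix belongs in the interface modules are given rather than in guidelines, as an added example that is not PostNuke or PHP-Nuke code. The `downloads` table, its rows and the `ModuleDb` class are constructed for the example; it runs stand-alone against an in-memory SQLite database via PDO.

```php
<?php
// Added example (not PostNuke/PHP-Nuke code). Left side: the vulnerable module
// pattern described in the thread. Right side: a core-supplied access object
// with no raw query method, so a module cannot emit unparameterised SQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE downloads (id INTEGER PRIMARY KEY, title TEXT, hits INTEGER)');
$pdo->exec("INSERT INTO downloads VALUES (1, 'Sample package', 10), (2, 'Theme pack', 3)");

// Vulnerable pattern: the module receives the PDO handle and interpolates a
// request variable (think $_GET['id']) straight into the query text.
function vulnerableLookup(PDO $pdo, string $id): array
{
    $sql = "SELECT title FROM downloads WHERE id = $id";   // unchecked input
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: the core hands modules this object instead of the PDO
// handle. It exposes no query()/exec(), table and column names must be on an
// allow-list, and every value is bound as a parameter, so the restriction is
// enforced by the interface rather than by module authors' discipline.
final class ModuleDb
{
    private const TABLES = ['downloads' => ['id', 'title', 'hits']];
    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    public function selectWhere(string $table, string $column, $value): array
    {
        if (!in_array($column, self::TABLES[$table] ?? [], true)) {
            throw new InvalidArgumentException("unknown column $table.$column");
        }
        // Identifiers come only from the allow-list above; the value is bound.
        $stmt = $this->pdo->prepare("SELECT * FROM \"$table\" WHERE \"$column\" = ?");
        $stmt->execute([$value]);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Constructed sample request value of the kind the thread is talking about.
$tampered = '0 OR 1=1';

// Vulnerable: the WHERE clause is rewritten by the input and every row comes back.
echo 'vulnerable rows: ', count(vulnerableLookup($pdo, $tampered)), PHP_EOL;

// Hardened: the same string is bound as a value, compared to the integer id
// column, and matches nothing.
$db = new ModuleDb($pdo);
echo 'hardened rows:   ', count($db->selectWhere('downloads', 'id', $tampered)), PHP_EOL;
```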
of saying something I'd say. Well close enough.
I think this has more to do with PostNuke being ass, and a lot less with any inherent flaw in open source itself.
Game... blouses.
You are actually incorrect - paFileDB is completely separate to PostNuke in this case, and is simply being used to provide the downloads. There is no integration between the two products.
I think a clarification is in order here. A lot of people seem to think that the problems were a direct result of lack of security in PostNuke itself, when in fact the security hole was in a third party file management software paFileDB.
There is no relation between the two programs; paFileDB is not a PostNuke module, and is not integrated in any way. _The two programs are completely separate_.
So, maybe PostNuke made a bad choice of download management software - but it is no reflection on the security of the product itself. No security flaws have been reported in PostNuke since Q2, and before that May 2003, so the project itself is pretty secure (compared to many competing products).
The fact that third party software is at fault in this matter must be stressed.
In the spirit of giving, I'd like to buy this book for you, if you'll add it to your Amazon Wish List.
Post Nuke is a REALLY good CMS system. In fact it is one of the best I have used.
For those of you that haven't used this system, or who talk negatively about it, I think you should try it out.
It's more complex than many other CMS systems, and requires a degree of website design skills. I wouldn't recommend another system.
PostNuke.com wasn't using the PostNuke downloads section and it suffered. I am sorry to see the bad press.
I would challenge anyone to find a better document management solution than PostNuke+pagesetter.
Also the security of PostNuke is extremely good.
Lastly, people here complain about PHP as being a poor language to work in. The ignorance of these statements is sad. I really wish these people had a firm grasp of php + smarty, and phpADO.
Sorry, but I fear Java code more than I will ever worry about php. Plus, no other language for the web supports the sheer number of open source applications that PHP does.
I love Drupal!
In addition... PHPNuke and PostNuke don't even share the same code.
I love Drupal!
Sorry but that's not ironic. You would expect that if any unknown backdoors existed in a closed-source application that they would be found when the source was opened -- that's just common sense. Irony is hard to describe but typically applies when something unexpected happens.
HAHAHAHA! They flamed many people because of the security, and their own server got hacked in this horrible way... Shame on you! Shame on you! You got what you deserved.