[Evangelism] Hack Plone! Win a Mac!

2 views
Skip to first unread message

Jan Ulrich Hasecke

unread,
Nov 18, 2009, 12:52:26 PM11/18/09
to evang...@lists.plone.org
Hi all,

what do you think about a hacking contest? We setup a plain plone site and who ever hacks it first wins a mac or a playstation or whatever.

All exploits must be documented of course so that we can fix them.

We promote Plone as a secure system and can document it with the CVE entries but often people say, yeah, but there are a lot less installations of Plone than there are of PHP-systems, so you cannot compare the figures.

So lets challenge the hackers!

This could be an online event with a great publicity effect may be in the run-up to the World Plone Day.

What do you think?
juh

Jan Ulrich Hasecke
(DZUG e.V.)

--
DZUG e.V. (Deutschsprachige Zope User Group)
www.dzug.org
www.zope.de

Dylan Jay

unread,
Nov 18, 2009, 4:14:45 PM11/18/09
to Jan Ulrich Hasecke, evang...@lists.plone.org

On 19/11/2009, at 4:52 AM, Jan Ulrich Hasecke
<juha...@googlemail.com> wrote:

> Hi all,
>
> what do you think about a hacking contest? We setup a plain plone
> site and who ever hacks it first wins a mac or a playstation or
> whatever.
>
> All exploits must be documented of course so that we can fix them.
>
> We promote Plone as a secure system and can document it with the CVE
> entries but often people say, yeah, but there are a lot less
> installations of Plone than there are of PHP-systems, so you cannot
> compare the figures.
>
> So lets challenge the hackers!
>
> This could be an online event with a great publicity effect may be
> in the run-up to the World Plone Day.
>
> What do you think?

Nice


> juh
>
> Jan Ulrich Hasecke
> (DZUG e.V.)
>
> --
> DZUG e.V. (Deutschsprachige Zope User Group)
> www.dzug.org
> www.zope.de
>

> _______________________________________________
> Evangelism mailing list
> Evang...@lists.plone.org
> http://lists.plone.org/mailman/listinfo/evangelism

_______________________________________________
Evangelism mailing list
Evang...@lists.plone.org
http://lists.plone.org/mailman/listinfo/evangelism

Nate Aune

unread,
Nov 26, 2009, 1:28:58 AM11/26/09
to Jan Ulrich Hasecke, evang...@lists.plone.org
I think it's a great idea. Set up a server (perhaps using the
Hardening Plone howto below) and let the games begin!
http://plone.org/documentation/how-to/securing-plone/

Nate

> _______________________________________________
> Evangelism mailing list
> Evang...@lists.plone.org
> http://lists.plone.org/mailman/listinfo/evangelism
>
>

--
Nate Aune - na...@jazkarta.com
http://www.jazkarta.com
http://card.ly/natea
+1 (617) 517-4953

Norman Fournier

unread,
Nov 26, 2009, 10:09:34 AM11/26/09
to Nate Aune, evang...@lists.plone.org
Hello,

Worst case scenario. What if we are wrong?

Some smart punk hacks the plone and posts the hack or hints somewhere. How many Macs can we afford to give away? How long can we afford to pay lawyers to fight spurious claims in court?

A risk analysis should be air-tight before any contest is publicized. Even the smallest give-aways are fraught with legal complications which is why contest legal copy takes so much space on an entry form.

For me, I am not liking this idea at all. I think there may be more positive ways for plone to get this message across without exposing the software to a million punk hackers with a goad like both Screw Plone and Win a Mac at the same time!

My $.02.

Norman

Jan Ulrich Hasecke

unread,
Nov 26, 2009, 10:24:40 AM11/26/09
to Norman Fournier, evang...@lists.plone.org

Am 26.11.2009 um 16:09 schrieb Norman Fournier:

> think there may be more positive ways for plone to get this message across

For example?

I think we must have clear rules. The first hacker who puts his name on the frontpage wins, if he documents how he'd done it. If we have more macs the first three or four hackers win, if they don't use the same exploit.

And better they find the exploit on a dummy site as if they'd find them on the CIA-site?

juh

Matt Hamilton

unread,
Nov 26, 2009, 10:51:54 AM11/26/09
to Norman Fournier, evang...@lists.plone.org

On 26 Nov 2009, at 15:09, Norman Fournier wrote:

> Hello,
>
> Worst case scenario. What if we are wrong?
>
> Some smart punk hacks the plone and posts the hack or hints
> somewhere. How many Macs can we afford to give away? How long can we
> afford to pay lawyers to fight spurious claims in court?
>
> A risk analysis should be air-tight before any contest is
> publicized. Even the smallest give-aways are fraught with legal
> complications which is why contest legal copy takes so much space on
> an entry form.
>
> For me, I am not liking this idea at all. I think there may be more
> positive ways for plone to get this message across without exposing
> the software to a million punk hackers with a goad like both Screw
> Plone and Win a Mac at the same time!

You also might have difficulty getting the site hosted somewhere. If
you can't get to Plone you then try the OS. If you cant get the OS you
try the network... etc. For instance, probably the easiest way to get
in there would be to do something like a password reset request and
try and intercept the email, so you might then find an attack against
an email server somewhere else as a result. Quite risky.

Hrmm... I wonder what Amazon would say about it? Wonder if you could
host it on EC2? You could easily setup a FreeBSD server with Plone
running on it. Lock everything else down (ssh via keys only etc). I
guess you could privately invite Plone core developers to take a pop
at it first, they are likely to know any 'weak' spots if any in Plone
itself.

-Matt

--
Matt Hamilton ma...@netsight.co.uk
Netsight Internet Solutions, Ltd. Understand. Develop. Deliver
http://www.netsight.co.uk +44 (0)117 9090901
Web Design | Zope/Plone Development & Consulting | Co-location | Hosting

Dylan Jay

unread,
Nov 26, 2009, 4:06:00 PM11/26/09
to Norman Fournier, evang...@lists.plone.org
Worst case is really bad publicity. But then is it?
If it got hacked we'd patch it immediatly and patch most systems out
there and we'd explain how that system works in advance. Basically use
it to explain how open source increases security and speed of patches.
It would also show that we take security seriously.

Dylan Jay
Technical solution manager
PretaWeb 99552830

On 27/11/2009, at 2:09 AM, Norman Fournier <nor...@normanfournier.com>
wrote:

Mark A Corum

unread,
Nov 26, 2009, 5:00:15 PM11/26/09
to Dylan Jay, evang...@lists.plone.org
Actually, it would show we are arrogant and cavalier about security -
which are about the worst things you can be in the eyes of an
enterprise customer.

People who are serious about security TEST the security of their
software in a professional, systematic way. They get experts in the
field and folks who really know what they are doing to make sure
nothing in their code or deployment is opening up websites to attack
or possible compromise of data.

The whole "opening your software to hackers" thing is a stunt - a
stunt with very little if any upside, and a huge potential downside.
If someone brings your server to its knees with a Denial of Service
attack or a weakness in the OS you are running on, you can complain
from now until eternity that it wasn't "fair" but the only coverage
you are going to get is "Plone gets hacked." If no one is able to
hack the site, its not really something worthy of coverage, now is it?
Afterall, we are already well known as having one of the best
security records of any CMS.

If Plone had previously been weak on security, and had gotten its act
together, this might make sense. But in reality -- where Plone is a
VERY secure system with a long-term record of protecting sites and
data -- this kind of circus stunt is not a good idea.

Mark


Mark A Corum
User Interface Designer | Online Marketer | Certified ScrumMaster

markcorum on AOL, Googletalk, MSN, Skype, Meebo, TokBox, Facebook,
Twitter and Yahoo;

"Light up the darkness." - Bob Marley
"Quis custodiet ipsos custodes?" (Who watches the watchmen?) -
Juvenales, Satires
"No matter where you go ... there you are." - Buckaroo Banzai

Dylan Jay

unread,
Nov 26, 2009, 5:53:23 PM11/26/09
to Mark A Corum, evang...@lists.plone.org

On 27/11/2009, at 9:00 AM, Mark A Corum wrote:

> Actually, it would show we are arrogant and cavalier about security -
> which are about the worst things you can be in the eyes of an
> enterprise customer.
>
> People who are serious about security TEST the security of their
> software in a professional, systematic way. They get experts in the
> field and folks who really know what they are doing to make sure
> nothing in their code or deployment is opening up websites to attack
> or possible compromise of data.

I don't disagree with your points below but testing security via
experts is I'm sure what companies like Microsoft do and that hasn't
worked out well for them. FOSS has repeatedly shown that security by
numbers - ie lots of eyes on code rather than "experts" has made for
more secure systems.

>
> The whole "opening your software to hackers" thing is a stunt - a
> stunt with very little if any upside, and a huge potential downside.
> If someone brings your server to its knees with a Denial of Service
> attack or a weakness in the OS you are running on, you can complain
> from now until eternity that it wasn't "fair" but the only coverage
> you are going to get is "Plone gets hacked." If no one is able to
> hack the site, its not really something worthy of coverage, now is it?

maybe.

> Afterall, we are already well known as having one of the best
> security records of any CMS.

I would disagree we are "well known". Plone is general is NOT well
known. It's underwhelmingly unknown given its history and competitive
advantages such as security. When Drurpal can get recommended as an
"enterprise" CMS by Gartner and Alfresco can get away with giving the
their product the label "THE open source enterprise content management
system" I would say we're not well known.
One thing I got out of this years conference is that security is a big
competitive advantage of Plone thats easy to explain and has impact.
We've only just started marketing that to the outside world. Until
Gartner labels us "The secure open source enterprise content
management system" I think we have a lot of work to do.
If stunts aren't the right way to do it at least we're thinking about
it. I'd love to hear some other ideas wouldn't you?

Steve McMahon

unread,
Nov 26, 2009, 6:23:19 PM11/26/09
to Nate Aune, evang...@lists.plone.org
Not sure how I feel about the overall idea, but the exploit documentation condition *must* be expanded to specify that the exploit be documented to the Plone security team, and only the security team. Publicizing of methodology for an attack must be only after a patch is made available, and the award would be made only after those conditions are fulfilled.

The attack would need to be via Plone — not the OS or other parts of the stack like reverse proxy. Open registration must be off in the test install.

Jens W. Klein

unread,
Nov 27, 2009, 3:08:36 AM11/27/09
to evang...@lists.plone.org
Am Thu, 26 Nov 2009 17:00:15 -0500 schrieb Mark A Corum:

> Actually, it would show we are arrogant and cavalier about security -
> which are about the worst things you can be in the eyes of an enterprise
> customer.

Would we do? I do not agree here. Plone is different and even enterprise
customers starts to get the idea.

> People who are serious about security TEST the security of their
> software in a professional, systematic way. They get experts in the
> field and folks who really know what they are doing to make sure nothing
> in their code or deployment is opening up websites to attack or possible
> compromise of data.

Isnt a award like this the way using the free software way of collective
knowledge to test our system? I'am sure people who are trying to hack
Plone are doing it in a systematic way. And I'am sure they are experts,
maybe they arent professionals in security-testing but often those people
have more knowledge and motivation is much higher than for an employee of
some self-called security-testing company.

> The whole "opening your software to hackers" thing is a stunt - a stunt
> with very little if any upside, and a huge potential downside. If
> someone brings your server to its knees with a Denial of Service attack
> or a weakness in the OS you are running on, you can complain from now
> until eternity that it wasn't "fair" but the only coverage you are going

Its for sure a stunt. Its always a stunt to place a server in the
public :-) And an award like this need to follow clear rules. Also we
need to protect the system against (d)dos atacks and similar with a good
firewall etc. so it not done with installing Plone on an almost vanilla
(but secured) OpenBSD. On the other hand: Having it documented how we
secured the system is very valuable. Security by obscurity is the worst
and to be avoided.

> to get is "Plone gets hacked." If no one is able to hack the site, its
> not really something worthy of coverage, now is it?

Well, I think best can happen if we can tell the world: 30 of the best
hackers tried it but theres no way.

> Afterall, we are already well known as having one of the best
> security records of any CMS.

Well, this is neat, but if you need to tell facts the only we have are
stats: PHP vs. Python, Joomla vs. Plone. Ok, NASA, CIA and FBI trust in
Plone. So what? Reputation is perfetc, but all this are soft-facts.



> If Plone had previously been weak on security, and had gotten its act
> together, this might make sense. But in reality -- where Plone is a
> VERY secure system with a long-term record of protecting sites and data
> -- this kind of circus stunt is not a good idea.

So if this thread and your last sentence is read by any Plones security
evaluating person it looks like youre afraid, "something" will be found
and the reputation and stats based security record of Plone will be
polluted.

This may happen, but then we show security is important to us, and we use
the community-way to ensure our system is secure.

Plone is the community and its not a company. We do it different, we are
not Plone the enterprise and do not hire security experts: We _are_
security experts, we the community. And we the community should say we do
now check our system in our way: The same successful path Plone tooks in
requirements and development is needed also for security field-testing.

best regards

Jens W. Klein
(aka jensens)

--
Jens W. Klein - Klein & Partner KEG - BlueDynamics Alliance

Norman Fournier

unread,
Nov 27, 2009, 6:24:39 AM11/27/09
to Jan Ulrich Hasecke, evang...@lists.plone.org

I think plone could continue to boast of enterprise installations as before: "NASA rocket scientists tried and like plone". What more needs to be told?

I had one prospect declare plone security fit for a knitting circle but debate would be moot when someone has their mind made up. Those with their minds made up need to be shown by demonstration and it is much easier to convert the enormous percentage that want to change.

By their nature hackers are all over plone all the time and I see them frequently go so far as to register on a site I built. Never to any avail. I can tell they're mal by their usernames. They poke around because of the anonymous send, mainly, but workflow defeats their purposes. Pffft.

Why issue a "step across this line" challenge to a criminal? The idea is provocative, which I like, but is like saying "go ahead gimme your best shot" to someone who is comfortable swinging baseball bats and broken bottles. haha!

The "hack attack win a mac" costs a mac, which to me, is really a lot of money. I am a mac user.

Here's an alternative. Visitors to plone.org poll on their favourite plonesite. Developers could submit their favourites for consideration. The owner of the site wins the Mac or Macs for a school in one of their less-fortunate neighbourhoods, allowing the kids to learn how beautiful, simple and powerful plone is? Technical support by the plone-users list? Documented on plone.net, YouTube, or ? Smiling children conquering a seemingly insurmountable technical challenge? Build the plone community.

For your comments.

Norman

Karl Horak

unread,
Nov 27, 2009, 10:54:40 AM11/27/09
to evang...@lists.plone.org

Just tossing my 2 cents worth in here -- if there were any Plone sites in the
world that hackers were already targeting, it would be FBI and CIA. I'm
sure we would have heard of any failure there.

Meanwhile, I think the Foundation should sponsor a system of clandestine
honeypots out there and monitor them religiously.

Save the $$ on the Mac and pay Mark to get the msg out to the professional
CMS reviewers.

Karl


Mark A Corum wrote:
>
> If Plone had previously been weak on security, and had gotten its act
> together, this might make sense. But in reality -- where Plone is a
> VERY secure system with a long-term record of protecting sites and
> data -- this kind of circus stunt is not a good idea.
>
> Mark
>

--
View this message in context: http://n2.nabble.com/Hack-Plone-Win-a-Mac-tp4027160p4076342.html
Sent from the Evangelism mailing list archive at Nabble.com.

ctxlken

unread,
Nov 27, 2009, 4:24:21 PM11/27/09
to evang...@lists.plone.org

I think it's a weak assumption that these two sites would have a 'live'
Plone site. Although, it is possible, I would think that due to some of
the security and performance benefits, and since we see '.htm' or
'.html' URIs and no evidence in the response headers of Zope, that it's
likely these security-conscious organizations are using some sort of
'static deployment' strategy, as we've discussed at:
http://www.coactivate.org/projects/plone-static-publishing/summary .

The Plone Static Publishing project on coactivate that I provided the
link to above has had some discussion recently about a product called
enpraxis.staticsite, although this seems like a young, immature product
and so is less likely to be active on these two sites. Instead, one of
the options that has existed for some time - CMFDeployment or custom
wget scripting - was probably used.

A static deployment strategy such as this would greatly increase
security for a site, since there is no zope/database/dynamic
functionality, open ports between front-end and back-end
servers/services to worry about, and there are fewer moving parts in
general to worry about, besides the web (httpd) server.


As for the hacking contest, here are some thoughts:

a) I'm in favor of having a contest that allows Plone integrators listed
on plone.net to be involved, rather than all script kiddies in the world
- maybe have one that is open to the world at a later date.

b) There would need to be some very specific rules that ensure that the
found vulnerabilities must be in the Zope/Plone code bits and not
Apache, Varnish, lighthttpd, ngnix, Squid, or some of the other
front-end web servers/proxies used to get to Plone site content. While
it's still valuable to know about those types of vulnerabilities, our
contest would need to be focused on code managed by the Plone community
and not others, and the inclusion of web servers/proxies would make the
contest pretty unwieldy to manage (whose favorite front-end do you setup
for the test environment?).

c) I think that Mark's concern over seeming cavalier can be mitigated
through thoughtful communication/messaging. We wouldn't want to put a
banner ad out taunting script kiddies to just hack away - we dare you!
Instead, we could a) do our own internal hacking, document findings,
open tickets, and address them, and then b) advertise the ongoing
efforts by the Plone community in ensuring security of Plone and invite
'white hat' hacker groups to register for the external hacking contest,
assign a limited time period that the environment will be available for
hacking, and give away whatever prize is determined.

d) Plenty of hackers aren't going to want a Mac. Some are just as
suspicious of Apple or Google as they are of Microsoft, so perhaps some
prize options could be listed.

e) Another option we could consider, rather than a wild, wild, west
contest, would be to invite 3-5 professional security assessment firms
to hack and post findings. In return, they'll get some free advertising
on plone.org and anywhere there are press releases done with the contest
and results announcements.


-Ken


Karl Horak [via Plone] wrote:
> Just tossing my 2 cents worth in here -- if there were any Plone sites
> in the world that hackers were already targeting, it would be FBI and
> CIA. I'm sure we would have heard of any failure there.
>
> Meanwhile, I think the Foundation should sponsor a system of
> clandestine honeypots out there and monitor them religiously.
>
> Save the $$ on the Mac and pay Mark to get the msg out to the
> professional CMS reviewers.
>
> Karl
>
> Mark A Corum wrote:
> If Plone had previously been weak on security, and had gotten its act
> together, this might make sense. But in reality -- where Plone is a
> VERY secure system with a long-term record of protecting sites and
> data -- this kind of circus stunt is not a good idea.
>
> Mark
>
>
>

> ------------------------------------------------------------------------
> View message @
> http://n2.nabble.com/Hack-Plone-Win-a-Mac-tp4027160p4076342.html
> To start a new topic under Evangelism, email
> ml-node+2933...@n2.nabble.com
> To unsubscribe from Evangelism, click here
> < (link removed) =>.
>
>

--
View this message in context: http://n2.nabble.com/Hack-Plone-Win-a-Mac-tp4027160p4077534.html

Reply all
Reply to author
Forward
0 new messages