Hacked AGAIN, reallly its getting retarded

[rliskey]

Wow, things have got lively

yep!

@rliskey - thanks for your comments. I agree with some and disagree with others.

Text can make opinions seem more black and white than they are. I feel strongly about some suggestions and have very mixed feelings about others, and in almost every case my ambivalence matched your comments.

While you find this a criticism of the project, the ease of use is actually one thing that sets it apart from others, and hence contributes to why people use it.

This is a misunderstanding. I think Joomla's ease-of-use and interface are awesome. No other project I know comes close. I wasn't criticizing. I meant to point out a sad but unavoidable consequence of that great ease of use, i.e., the naive, foolish, trusting, newbies (pick your label) tend to assume there is security where it seems we all agree there is very little (the Internet).

Ironically most of your points are easy to solve or or being planned or already implemented, so I'm still left wondering if there is a deeper root issue here.

Why ironic? What you say is great news. Remember, I was originally responding to yet another knee-jerk "I've been hacked" post with what was actually a defense of Joomla.

My mistake was in being a little too harsh in blaming "Joomla's marketing program." I apologize for using a phrase that implied a strategic intent to fool users. That was unintended and unfair. I tried to correct that impression in my follow up post.

Deeper issue? No! Don't go there. Something I learned in the trenches of the 80-90's corporate wars: Never assume ill intent when perfectly normal stupidity is a reasonable explanation.

If I didn't make sense, then I was just being stupid. After all, it was 4am on my side of the planet when I wrote that!

Re; "WARNING", Not a bad suggestion, I'll pass it on the JED people.

Cool! Thanks.

RE: 2. Add critical security information
Brilliant! Would you be willing to prepare the patch to the sample content.

Well...Rob Schley proposed adding one of my security posts (Top 10 Stupidest Tricks) to the sample content, but the idea was nixed. I don't know why.



In the end, someone added a direct link to the Admin Checklist, which scared the pants off me as I hadn't written it as an official Joomla document. I didn't even know for sure if it was all accurate!

I immediately spent many long nights fact-checking and making it a more official sounding document. No one asked me to do that, but it seemed the right thing for the project.

Even after focusing on other CMSs, I came back and spent many more days converting the Admin Checklist and every security FAQ I could find to the new wiki docs site. I hope this embarrassing little list of Joomla contributions resolves any worries about my having "deeper issues".

I like Joomla, I just have a few concerns, which began on day 3 of my Joomla career when 7 of my 10 brand new Joomla sites were defaced. Ruined my summer! But taught me how to secure a site (for now).

Re: Super Admin name:
We are refactoring the installation for 1.6 right now. I'll put that feature on the list. If someone wants to do a patch for 1.5 I'm sure the bug squad would seriously consider it for inclusion in 1.5.8.

OK

Re: 4. Make install a little harder:
Here's where I disagree. I think it's complex and daunting enough for the uninitiated.

I can see it both ways. Given the serious pain this causes many of the uninitiated (included myself once) I lean the other way. Oh well...

5.
GPL compliance is an ongoing work but really, while a valid point, it's part of a very different discussion.

You're right. It's outside this discussion. I hesitated to add it, but then realized that it's the other big reason I left Joomla, so in it went.

I was pissed off to see those extension developers whining about how Joomla was clarifying it's GPL position and how that was going to make it harder for them to charge illegal, proprietary fees on top of this clearly GNU/GPL shared resource.

The GNU philosophy may not be perfect, but it has done wonders in freeing up creative developer energy around the world. Just think where we'd be today if "Small-and-Limp" still controlled everything!

6. Make it easier to move critical files and directories outside of public_html.
This work is ongoing.

Great. I was part of an internal discussion in which a core developer showed how to do this in 1.5. I wanted to write up a nice FAQ to share this great information, but the others felt that the user population didn't know enough to be given this kind of information.

I dropped it, as I couldn't judge if that was correct, BUT, that was the PRIME reason I left Joomla. I didn't want to dedicate my best efforts to an 'open source' project that thinks users can't be trusted with basic UNIX file permission/configuration options info--essentially the same information Gallery2 shares in the document I referenced above.

I'm sorry to share that dirty laundry, and don't mind if a mod deletes it. It's probably important to say that it was an isolated experience in an otherwise great time working with the Joomla team, but for me it happened to be the tipping point.

7. Add a more powerful logging system to the core.
More powerful that what? JLog is already there and we have plugins that can fire on various triggers. Maybe your point is add more triggers in "X, Y, Z" locations to be able to log those things?

Here's where my ignorance of J1.5 shows. I haven't done much with J1.5 yet. Glad to know it's in.

8. Develop an extension update system...
That's a good goal. 1.6 will lay some more foundation work that will one day allow that to be a reality.

It's one of the main reasons I went to Drupal. I love being able to quickly review the security/update status of everything on my site, and download every related update with a few clicks. That alone has made a good part of my business model viable again.

9. Refactor the file and directory structure...
I'm actually not a big fan of that. You have to have a certain level of knowledge to detect suspicious changes regardless of the file tree. I see your point but I don't think the effort delivers a significant gain because people still have to know what they are looking at and looking for.

Well, I respectfully disagree. I think there are more issue than security that would benefit from this, but that's another discussion...

10. Adapt Gallery2's security documents...
I'm all for cheating, but going back to my earlier points - some people don't care about the fine print and don't want to read the manual.

Yep! But, that's not a reason to not make the information available.

11. Develop a clear security reporting process to better track trends and to reduce noise in the forums.
JSST

Again, my J1.5 ignorance shining through. I'll figure out what that means 'real soon now.'

12. Add many more sanity checks...
Huh? We deliberately (with extreme prejudice) made 1.5 immune to the server register_globals setting. Did you not know that? See JRequest::clean (I think that's the one). We can't rely on the server settings so we nuke all the globals very early on in the core execution.

Yes, I know. I campaigned hard for it. I mentioned register_globals because it was a prime example of a setting that benefited from this kind of reporting. Remember how much pain leaving that option available caused!? I even remember developers of some pretty key extensions arguing for RG ON. Luckily the PHP team itself disagreed, so that issue will soon be totally moot.

But, there are so many other settings that Joomla could report on. I don't need to list them. I know J1.5 is checking lots of things. I'm saying be really aggressive about this. It could produce a flashy, image-filled report that users who don't check readme files would notice, complete with context-sensitive links to related information on the Joomla sites.

13. Consider adding some of the best security extensions to the core package...
But what you've done is point out that one (or more) is/are available at present. Do all people know about them? No.

Agreed, we don't all know about them, but is that any reason not to merge the best ideas into core? I realize merging a feature into core is a big decision, but only because it's an important decision.

I also think admin based security panels have a limited boundary of effectiveness. Case in point is the one that checks whether things are up to date or not. You have to log in to find out that your Joomla site is out of date - oh wait, I can't log in because it's just been hacked.

True, that's a risk. I don't agree that it's wrong to provide this for users (whom you acknowledge often know little more than how to use a browser). Why not give them the tools they need within the interface that you've done so much to fine tune? I think your argument is logically false and is essentially identical to the following:

1. Account passwords must be set on the Joomla site.
2. If someone does a little packet sniffing, hacks my site, and changes my password, I'll lose access to my site.
3. Therefore I should not bother with password security on a Joomla site.

A much better approach is for a service to exist that pings a site, upgrades it while you are sleeping and sends you an SMS when done.

That sounds great! And in the meantime?

14. Make the JED Site Security section easier to find...
As you will have seen, all the joomla.org family of sites are being reworked. I'm sure this can be taken into account when it's the JED's turn.

OK! :-)

15. Respect the intelligence of the users...
And respect their stupidity and laziness. There is no black and white answer here, just differences of opinion.

Did you really mean to say that? Does the Joomla team really think its users are "stupid and lazy," and make project decisions based on that assumption? I really hope I'm misunderstanding.

A final comment on ease of use...

I agree with all you say about ease-of-use, T3 being tough, Drupal interface being clunky, etc. I agree that Joomla absolutely wins the ease-of-use prize.

I'll be the first to agree that on the post-implementation side of things, we could do a better job. However, to suggest we are deliberately doing nothing because we want to keep it that way is really unwarranted.

I didn't suggest this. Perhaps you're referring to some other post.

We can do better - most certainly (<insert std call for volunteers to make it happen - bla bla bla>) - but if you look over this year you'll see many, many changes, I believe, in the right direction.

I think you're doing a lot! When I get frustrated figuring out some arcane Drupal hook, I'm sometimes tempted to come back to Joomla where all my modern CMS adventures started. I'm kinda sad that this visit to my old community resulted in this thread.

Anyway, once again, thanks for your comments.

Right on.

But when you do find the project that fits like a glove, by heck put your heart and soul into supporting it. That's all any of them would ask.

Absolutely right on!

BTW: I ain't no core coder, but I tried to give a lot to Joomla over the years, in the user forum, the doc sites, and with a shared extension. Don't mean to brag, but it seems like you should know that these points were not from someone who never tried give back.

And absolute last:

Let me just post the link so no one misses it: http://feeds.joomla.org/JoomlaSecurityNews

^^ what Brad said. Get onto the security RSS feed - it could save your site.

Yep. Brad is one of the coolest dudes I ever met on Skype! He also happens to be my preferred hosting provider who delivers incredible technical support, and where over many years no site of mine has ever been compromised.

To respond to a few comments further up: Brad and crew prove every day that correctly configured Joomla sites on shared servers can be safe if the techs involved know what they're doing.

[Anarchyx67]

As for the security checklist, I see things the Joomla DEV staff could be doing that would reduce the load on the end user.

Could you please elaborate on this? You have my attention...

To be honest, after reading RussW's post, I'm not going to say anything else on the topic other than it would be great if, during the Joomla install, the install could do as much as possible as a part of that install to tighten the reigns. I know it's hard to find a good middle point where you make things tight, but still keep things flexible. Again, RussW has enlightened me so I don't feel there's much else to be said from my end. I will say that I too agree that people want things to be "easy to use". They also want it "easy to secure" as well. I believe that as long as Joomla is doing everything IT can to secure the product, and not point fingers at the hosting companies and end users, then that's all that needs to be done.

My comment about wishing Joomla would do more in regards to the security checklist, doing so as a part of the installation and not putting it on users shoulders post-install comes from me being an automation freak. :-)

Best regards to all and thanks for putting up with me!

[RussW]

@Anarchyx67

Thanks for taking the time to read my "rather lengthy" post, I do hope that it was interesting and taken in the vain that it was intended, it certainly not intended to shut you down or rebuke you concerns or roght to voice them.

As I am sure everyone else will agree with, if you do have any specific thoughts or general idea's even, that you would like to present or promote within the Security arena, such as Ron's thoughts, I am absolutely positive that they would be more than welcomed, certainly by myself, Anthony and Andrew and I would assure you that these thoughts would be discussed, and responded to.

I hope that your current concerns have at least been addressed, if not fully irradicated and that your continued use of the Joomla! application is at least still under consideration.

Good luck with your choice and going forward with your websites, look forward to you continued support and participation.

Cheers
RussW

[mbrown]

@Anarchyx67

Thanks for taking the time to read my "rather lengthy" post, I do hope that it was interesting and taken in the vain that it was intended, it certainly not intended to shut you down or rebuke you concerns or roght to voice them.

As I am sure everyone else will agree with, if you do have any specific thoughts or general idea's even, that you would like to present or promote within the Security arena, such as Ron's thoughts, I am absolutely positive that they would be more than welcomed, certainly by myself, Anthony and Andrew and I would assure you that these thoughts would be discussed, and responded to.

I hope that your current concerns have at least been addressed, if not fully irradicated and that your continued use of the Joomla! application is at least still under consideration.

Good luck with your choice and going forward with your websites, look forward to you continued support and participation.

Cheers
RussW

Thank you RussW from a user that has used several different CMS'. I have found one that works, that is Joomla. No matter when the exploits come I know Joomla gets them corrected ASAP, and as Brad said faster than several other CMS' out in the market today.

MBrown

[Anarchyx67]

@Anarchyx67

Thanks for taking the time to read my "rather lengthy" post, I do hope that it was interesting and taken in the vain that it was intended, it certainly not intended to shut you down or rebuke you concerns or roght to voice them.

As I am sure everyone else will agree with, if you do have any specific thoughts or general idea's even, that you would like to present or promote within the Security arena, such as Ron's thoughts, I am absolutely positive that they would be more than welcomed, certainly by myself, Anthony and Andrew and I would assure you that these thoughts would be discussed, and responded to.

I hope that your current concerns have at least been addressed, if not fully irradicated and that your continued use of the Joomla! application is at least still under consideration.

Good luck with your choice and going forward with your websites, look forward to you continued support and participation.

Cheers
RussW

Thank you RussW from a user that has used several different CMS'. I have found one that works, that is Joomla. No matter when the exploits come I know Joomla gets them corrected ASAP, and as Brad said faster than several other CMS' out in the market today.

MBrown

Which is good to know, when there are so many CMS choices out. It can be confusing. Running across Joomla, I was thrilled, but seeing so many "I got hacked" posts in the forum just blew me away and I guess I became a bit too gun shy if you will because of it.

I'd love to see one place on the forum for posts from people that have been hacked on the current version only, and then a separate place for all the other "I got hacked but was too lazy to keep up with the updates so it's really my own fault but regardless I'll post that I got hacked here so Joomla looks like some kind of honeypot application that is just begging to be hacked and all your personal info ripped off leading to identity theft and access to your other server files etc now I am running out of breathe so time to go get hacked again with this older version of Joomla even though I know there are security issues with it" posts. :-) It would really take the "OMG" edge off of the forum.

Thanks!

[TonyV]

as i said for some time....

Joomla is not the problem of all the "I've been hacked!!" posts ...

the source is :

a) joomla, 3rd party tools and so on are not beeing updated for ages
b) no or simple knowledge from the site owner how to setup and secure a website
c) the same as b but for webserver and tools

thats it...


and that are the only reasons WHY joomla pages get hacked...

install a IPS
use htaccess
use fail2ban or similar tools
use regexp
use php.ini

but the most people here dont give a dam for security... and thats why we have so many problems here.

dont blame joomla.. blame yourself for the lack of knowledge...

This is one of the most stupid and inane posts I think I've ever read.

There are some very simple common-sense things that software developers can do to secure their software that don't involve people having to know everything about IPS (whatever that is, intrusion protection system?), low-level Apache configuration, installing yet more third-party tools (that could have yet more unintended consequences or security risks), low-level PHP configuration, or regular expressions.

The whole point of using Joomla! in the first place is that I don't want to have to write all of this stuff myself. If Joomla! can't provide a stable solution that is secure against stupidly simple hacking attempts on the most common platforms and configurations out there, then we'll simply move on to some other CMS that does.

Calling people too stupid to run their web sites because they want to spend their time actually writing content for their site instead of become security experts is not constructive, yet it's the MO of almost all of your posts. You're not helping the community. If anything, what you're doing is driving people away from using Joomla! as their CMS of choice.

I'm sorry to have to burst your bubble, but not wanting to muck around with .htaccess files, regular expressions, installing extra software, and tweaking php.ini files does not mean that we don't give a "dam" about security. It only means that we want a solution with which we don't have to focus on actually using our site instead of worrying about security 24x7.

So be straight, is that what you're saying? That you should only consider running Joomla! if you're a security expert? That it's not the responsibility of Joomla! developers to ensure that their software configures a reasonably secure default setup, and takes into account the most common configurations of hosting platforms? Is that a consensus of the Joomla! developers? (And I'm sorry, but you don't get to speak on their behalf.)

Because I'm only willing tolerate putting in a finite amount of time and effort into security, and I'm only willing tolerate a finite number of successful hacking attempts before I feel that the problem is, in fact, NOT with the things you mentioned, but a fundamental design flaw with Joomla!'s security architecture. Hopefully, though, that's not the impression that the Joomla! community wants to convey, if they want anyone to continue using their software. Hopefully, the developers of Joomla! will take posts like these into serious consideration instead of just continually calling people too stupid to run web sites like you have been.

In the end, all of the nifty features of Joomla! don't mean beans if I don't have time to run my site because I'm too busy worrying about arcane security settings or restoring stuff because it's been hacked yet again. Joomla! is suffering a HUGE black eye because of this, and I assure you, the answer is NOT calling its users stupid.

[willebil]

Because I'm only willing tolerate putting in a finite amount of time and effort into security, and I'm only willing tolerate a finite number of successful hacking attempts before I feel that the problem is, in fact, NOT with the things you mentioned, but a fundamental design flaw with Joomla!'s security architecture. Hopefully, though, that's not the impression that the Joomla! community wants to convey, if they want anyone to continue using their software. Hopefully, the developers of Joomla! will take posts like these into serious consideration instead of just continually calling people too stupid to run web sites like you have been.

If you read this thread carefully, you have seen Joomla! development takes security very seriously. Let me repeat my statement on that posted on October 8

The Joomla! development team (it's almost hard to explain this is a different team then the core team) is not responsible for the security of 3rd party extensions, we can only provide guidance on how to build safe extensions. We also cannot be responsible for the security of you website, again we can only provide guidance. As referred earlier on, visit the documentation site. A final note; if you want to run a professional site, please handle the maintaince and security of that site professionally. If you don't have the time or skills, ask a provider of professional services who can help you.

and

I would say - anyone who tells a community that a Web site or a out of the box solution is safe is not being responsible. No, it is not "safe" on the Internet.

There is no default safe installation off software, this is the case with every piece of software that you make available on the Internet. I understand your statement that you don't want to spend too much energy on making your environment a safe one. All I can advise is to take a professional hoster, there are some that make it darn easy for you.

I can only second you on the phrase calling people stupid, this is not helpfull in any way. As member of the Joomla! development team I can only say we try to explain in our best way what you can do to secure the site and with that we try to listen what we can improve to make things even better from a default install. Maybe you are dissapointed about the level we currently offer, but to be honost I don't know any web content management systems that is superior to Joomla! on the out-of-the-box install security settings...

We're open to suggestions, let's hear what you want to see improved, and we can take it into account.

Regards, Wilco

[TonyV]

If you read this thread carefully, you have seen Joomla! development takes security very seriously.

Just to be clear, I don't have any problem with the development team. In fact, quite the opposite, I really appreciate the work that you guys do, and I think you're doing a wonderful job.

What I do have a problem with, though, is that when someone reports a problem, some users in this forum have a nasty tendency to treat those people like they're stupid. It's not just this forum, lots of open source software in particular suffers from the same attitude, that when things go wrong, it's all the user's fault for not [insert whatever it was they were supposed to do here].

In this particular case, the person posting that message is stating that because a user isn't willing to learn in-depth topics about which literally hundreds of books of hundreds of pages each are written, they're a bad web site administrator. In another thread, he advised someone that they should simply give up hosting a web site altogether. It's just not true, and if Joomla! is to continue being successful, those posts need to stop right now, because it's detracting from seriously addressing users' problems, and compounds the already bad problem of previous versions of Joomla! being hackable.

We're not talking about users doing stupid things here. If someone posted a message saying something like, "I installed Joomla! and set my administrator password to password, changed all of the permissions to 777, set up a back door account to the database without a password so I could access it easily..." I could see suggesting that the person might want to learn some basics about securely administering their site. But the posts I've seen have pretty much been people installing Joomla! using the default settings, taking reasonable steps to secure their site, and still getting it hacked, sometimes repeatedly.

I can (and do) forgive this kind of thing happening, but at the very least, I expect for 1) the issues to be taken up by the development team to prevent future recurrence (which it sounds like it has, and the hacks are being addressed, check!), and 2) other people not to come along, act like Joomla! is perfect, and blame the problems on the users. Hopefully the forum mods can address the second problem, and we can all get on with running our sites again.

[ircmaxell]

What I do have a problem with, though, is that when someone reports a problem, some users in this forum have a nasty tendency to treat those people like they're stupid. It's not just this forum, lots of open source software in particular suffers from the same attitude, that when things go wrong, it's all the user's fault for not [insert whatever it was they were supposed to do here].

I don't like calling people stupid either. HOWEVER, what good does making a post when 10 (or 100, or 1000) already exist on the identical topic? From what I've seen, a lot of users harbor this attitude, because they either don't want to, or don't know how to look for themselves. If it's the latter (that someone doesn't know) then fine, but a lot of what I see are users that don't want to take the time, and would rather have someone else do it for them. I feel extreemly disrespected by these types of people.

In this particular case, the person posting that message is stating that because a user isn't willing to learn in-depth topics about which literally hundreds of books of hundreds of pages each are written, they're a bad web site administrator. In another thread, he advised someone that they should simply give up hosting a web site altogether. It's just not true, and if Joomla! is to continue being successful, those posts need to stop right now, because it's detracting from seriously addressing users' problems, and compounds the already bad problem of previous versions of Joomla! being hackable.

The attitude is wrong, and the message is blunt. But that doesn't make the message wrong. If people want to run high traffic sites, and REALLY secure sites, they MUST know about these topics, or have a host that does (and most really do not. Much more than you would think).

We're not talking about users doing stupid things here. If someone posted a message saying something like, "I installed Joomla! and set my administrator password to password, changed all of the permissions to 777, set up a back door account to the database without a password so I could access it easily..." I could see suggesting that the person might want to learn some basics about securely administering their site. But the posts I've seen have pretty much been people installing Joomla! using the default settings, taking reasonable steps to secure their site, and still getting it hacked, sometimes repeatedly.

Fair enough, but a lot of people are under the impression that there is such a thing as security. There is no such thing as a "secure" server. It's not possible. If someone wants your data bad enough, they'll get it. The whole point to what we do, and what others do for security, is make it difficult enough where someone must REALLY want it to try to get it. Don't forget, that a server is just a computer. Someone can break into the datacenter and steal the physical server if they really wanted to.

I can (and do) forgive this kind of thing happening, but at the very least, I expect for 1) the issues to be taken up by the development team to prevent future recurrence (which it sounds like it has, and the hacks are being addressed, check!), and 2) other people not to come along, act like Joomla! is perfect, and blame the problems on the users. Hopefully the forum mods can address the second problem, and we can all get on with running our sites again.

While I fell you are correct that "acting like Joomla is perfect" is wrong, but we're still getting LOTS of reports of hacked sites from the vector 1.5.6 fixed. That, to me, IS user error. The problem has been fixed for over 2 months, and the users havn't upgraded. How is that OUR error? Now, people said that if we have a auto-updater, that would fix this issue, but there are so many technical and logistical questions there, that I haven't seen answered. Sure, it sounds like a good idea, but what about fundimental issues like what do you do if something happens (and the upgrader fails and dies) mid-upgrade? What happens if a hacker hijacked the auto-update function to auto-inject malware into your site? What happens if you had modified the core, how do we deal with that?

I'm not saying your wrong. I agree with you on one level. But I also see the other side of that coin. Sometimes the only way to get through to people, is to be blunt. What good does it do someone to dance around the larger issues?

[fw116]

What I do have a problem with, though, is that when someone reports a problem, some users in this forum have a nasty tendency to treat those people like they're stupid. It's not just this forum, lots of open source software in particular suffers from the same attitude, that when things go wrong, it's all the user's fault for not [insert whatever it was they were supposed to do here].

the point here is, that most of the toppics are allready disccuesed here in the forum..
but instead of search, most people fire up a new thread, because it's easier to do so.
also most people don't leave ANY relevant information about what they are running
joomla, php , mysql and so on), noor do they ask a relevant question.

so the will to help such people goes to zero.

if you like to have help, provide information so you could get help!

In this particular case, the person posting that message is stating that because a user isn't willing to learn in-depth topics about which literally hundreds of books of hundreds of pages each are written, they're a bad web site administrator. In another thread, he advised someone that they should simply give up hosting a web site altogether. It's just not true, and if Joomla! is to continue being successful, those posts need to stop right now, because it's detracting from seriously addressing users' problems, and compounds the already bad problem of previous versions of Joomla! being hackable.

they are in deed a bad webadmin, because the lack of knowledge and so they are a security risk. simple and the reality.. nothing more nothing less.

the same reason why normal person don't fly aircrafts.. if they would do, they are also a security risk...

IF there are real security risk that would need the attention of people with "the knowlegde" you would get other answers.
the standard "help i am hacked" is answered a dozent times and so there a bunch of solutions for those problems. so a search would solve these problems.

We're not talking about users doing stupid things here. If someone posted a message saying something like, "I installed Joomla! and set my administrator password to password, changed all of the permissions to 777, set up a back door account to the database without a password so I could access it easily..." I could see suggesting that the person might want to learn some basics about securely administering their site. But the posts I've seen have pretty much been people installing Joomla! using the default settings, taking reasonable steps to secure their site, and still getting it hacked, sometimes repeatedly.

then it's maybe a good idea BEFORE i set up a webpage that i put live on the internet,
to get some basic infomation about what to expect.
i must say this should be the NORMAL way of doing things.
before i buy a car, i get some infos about it.
before i build a house, i get information about it.
why does anybody think , internet is different ?
it's not.

I can (and do) forgive this kind of thing happening, but at the very least, I expect for 1) the issues to be taken up by the development team to prevent future recurrence (which it sounds like it has, and the hacks are being addressed, check!), and 2) other people not to come along, act like Joomla! is perfect, and blame the problems on the users. Hopefully the forum mods can address the second problem, and we can all get on with running our sites again.

iam sorry, but do we have luck here ?
unbeliveable from my point of view...

most problems do come from uninformed users 99.9% !

[AmyStephen]

Well...Rob Schley proposed adding one of my security posts (Top 10 Stupidest Tricks) to the sample content, but the idea was nixed. I don't know why.

Ron - the reference to "stupid" was clearly intended to be a play on words referencing your original piece that outlined "stupid is as stupid does" with a top 10 list. It wasn't a commentary on end users who we do try to assist.

Personally, I don't like the word "stupid." But, I have a big problem with the use of the word "retarded" and hope others will also remove it from the subject line when responding. It's offensive. I wonder how anyone could possibly think others would take them seriously when they use that word. I am very much against treating others with disrespect but I will not help anyone who uses the word "retarded" in their Subject line.

Act professionally and people will respond to you in a professional manner. If you are not getting a professional response, consider your approach.

Ron - Drupal is great software and, more importantly, they have a fabulous, hard working, dedicated, and loyal community. We interact with them, learn from them and I hope they learn from us, as well. We have made progress in the time you have been gone because we are working hard. We learned from you and we have learned from one another. We continue to improve.

It is nice to see you, always. Don't be a stranger.
Amy

[Anarchyx67]

{Mod Note removed excessive levels of quoting}

I see the need for three things if Joomla is going to continue to advance, in order for the users to be really happy...

1. An update "button" that will allow users to run through an update process to the latest version. This would of course be MD5 verified or some other checksum process.

2. A consistently updated version of "Joomla Tools" that will check each and every file to make sure it is a legit version. If third party modules/apps/whatever are modifying that info and making the tools worthless, then they need to stop.

3. A very progressive push on increasing the ability to secure the package during the install. You feel certain settings should be set a certain way in the .INI file? Then include one! Include include include! Help your users use the package in a secure manner, not just give them a multitude of steps to complete.

Not saying the Joomla staff are this way as a whole, but far too many times we've seen open source projects come and go because the "staff" invest some time and energy to the project then back pedal to the point of the project losing their user base because of too many "you don't like the way it is? It's open source! What do you expect! Take it or leave it!" comments, attitudes, etc. If you care about the project, about the users and about the usability of the product, you'll do whatever it takes to advance it and make it THE BEST! Anything less <including pointing fingers as the user base> is just laziness. To those that make the comments as I quoted, I simply remind them that they chose to produce the product, open source or not, and with that comes an expectation to perform. If you don't like that, or are just lazy, then give up and get out of the open source arena. You simply don't belong and will never be a key player with that attitude.

I hope this all makes sense and does not come across as harsh, but I feel it's the reality...

[Anarchyx67]

[Removed excessive layers of quotes - again! It makes reading very difficult for other users]

I saw the post by fw116 after submitting the one above. In response to "fw116", whether from Germany or not, your attitude <spelling and grammar included> sucks really bad and you are certainly one I have an issue with. Learn to leave the negativity out of your attempt to help others, or stop posting. I have worked in customer support for many years and know that regardless of how much we get tired of people not being perfect, that's reality. If we don't like helping people like that, then we quit and find other careers. You as well need to shape up or ship out. You do a disservice to each and every person you respond to when you get snide the way you do. Let me clarify something for you. WE ARE NOT ALL WEB ADMINS! Stop expecting us to be! For some this is a learning process, and CAN be learned, but stop expecting every person that chooses to try Joomla, to be a web admin! They just aren't! And even so, they need help, not attitude! Be a solution and not an irritation. It goes a long way in having people listen to you.

IMHO...

[mbrown]

2. A consistently updated version of "Joomla Tools" that will check each and every file to make sure it is a legit version. If third party modules/apps/whatever are modifying that info and making the tools worthless, then they need to stop.

There are third party programs out there that you can use to compare files. I currently use DeltaWalker. Nice program. Now if you install modules that affect a certain file then yes these programs will not help if you test it against a file from the original download.

What you ask I am not sure is possible.

[Anarchyx67]

There are third party programs out there that you can use to compare files. I currently use DeltaWalker. Nice program. Now if you install modules that affect a certain file then yes these programs will not help if you test it against a file from the original download.

What you ask I am not sure is possible.

I'll certainly check DeltaWalker out. And actually, I did find where "Joomla tools" dopes exist and has what I guess used to be a file version checker. But it does not seem current unless I'm missing something. Regardless, this is again something Joomla should provide, so that we don't have to rely upon 3rd party apps.

EDIT: DeltaWalker is pretty slick!! Now if I can just find something likewise in an IDS.

[mic]

Wow, things have got lively

3. Effectively double the security of the initial Super Administrator account by requiring the user to enter an admin name.

We are refactoring the installation for 1.6 right now. I'll put that feature on the list. If someone wants to do a patch for 1.5 I'm sure the bug squad would seriously consider it for inclusion in 1.5.8.

This is already posted by me since a long time (guess the first time was in the J.1.0.x time) here: http://joomlacode.org/gf/project/joomla ... em_id=7337
The 'super' response was: closed at 2007-09-28 10:41:20 by Toby Patterson because it was 'not a bug' which i think more and more it is.

Nevertheless, this is 13 months ago, was added for J.1.5_RC2 .... and now we are short before 1.5.8 ....

Any word more is useless.

And the patch is a work of a few minutes ....

[Anarchyx67]

This is already posted by me since a long time (guess the first time was in the J.1.0.x time) here: http://joomlacode.org/gf/project/joomla ... em_id=7337
The 'super' response was: closed at 2007-09-28 10:41:20 by Toby Patterson because it was 'not a bug' which i think more and more it is.
Nevertheless, this is 13 months ago, was added for J.1.5_RC2 .... and now we are short before 1.5.8
Any word more is useless.
And the patch is a work of a few minutes ....

Being in QA myself, I can say I concur that it's not a bug. However, froma security standpoint, it certainly should be addressed and not just put on a "wishlist". Especially if there is any evidence to suggest that hackers are somehow making use of the "default" info in their efforts.

Some platforms do allow you to choose what username you want to the "God" account to have. Heck, even silly old Microsoft suggests changing out the info on "built-in" accounts. :-)

[AmyStephen]

1. An update "button" that will allow users to run through an update process to the latest version. This would of course be MD5 verified or some other checksum process.

I am eager for this type of update, as well, it's in 1.6. Sam Moffatt has been perfecting these ideas for some time. I have been looking at his code and it's pretty cool stuff.

2. A consistently updated version of "Joomla Tools" that will check each and every file to make sure it is a legit version. If third party modules/apps/whatever are modifying that info and making the tools worthless, then they need to stop.

There are additional tests added to 1.6 to better ensure requirements are met. Russ is part of the Security Team and very involved in the community. We have the right folks moving this in a forward direction.

3. A very progressive push on increasing the ability to secure the package during the install. You feel certain settings should be set a certain way in the .INI file? Then include one! Include include include! Help your users use the package in a secure manner, not just give them a multitude of steps to complete.

It would rock if we could provide php.ini file and Apache configuration files in every download. Unfortunately, that's not an option because Joomla! cannot override your host choices.

When you select a hosting environment, you are purchasing specifics that translate into better - or worse - security consequences. As with anything else you purchase, either personal knowledge or professional assistance is required. There is no getting around it. That's why hosting matters so much. In a community, it's best to ask around and find out where the reputable hosting sites are.

Not saying the Joomla staff are this way as a whole, but far too many times we've seen open source projects come and go because the "staff" invest some time and energy to the project then back pedal to the point of the project losing their user base because of too many "you don't like the way it is? It's open source! What do you expect! Take it or leave it!" comments, attitudes, etc. If you care about the project, about the users and about the usability of the product, you'll do whatever it takes to advance it and make it THE BEST! Anything less <including pointing fingers as the user base> is just laziness. To those that make the comments as I quoted, I simply remind them that they chose to produce the product, open source or not, and with that comes an expectation to perform. If you don't like that, or are just lazy, then give up and get out of the open source arena. You simply don't belong and will never be a key player with that attitude.

I hope this all makes sense and does not come across as harsh, but I feel it's the reality...

In that portion of your response, it becomes a bit more obvious you might not understand how Joomla! is organized. For example, there is no "staff." Joomla! is 100% volunteer based.

Now, why do people volunteer (as in contribute code, documentation, forum support, and the like?) I think we can rule "lazy" out right away. No one has to volunteer. Everyone is entitled to take what is available without lifting a finger (and even those people who do not help I would not call "lazy" - that word is as harsh as "stupid" and "retarded" - not good words.)

I would venture to guess that most contributors are trying to make Joomla! better - in order to have a better Joomla! to use for our own needs. So, we do want THE BEST software - and that is why we work so hard at it. We welcome your involvement, too, and encourage you to focus on those things you find most important.

It's kind of cool how it works out - we all have different areas of need and interest - and if we do something about that, collectively, we wind up with more.

I don't hear anyone here saying "take it or leave it." But, in the end, we don't try to force Joomla! on anyone, and as Ron pointed out the importance of earlier, we don't try to "trick people" into using Joomla! either. We are realistic and don't expect Joomla! to meet everyone's needs. So, we make Joomla! available to anyone in the world to download for free (freedom and charge.) If they like it, cool! If they don't, we understand.

Now, please keep passion at bay. I think your next post to FW116 got into "personal attack" areas, and I am certain you did not intend that to happen. Remember, this is just a little forum exchange and, in the end, mostly a waste of everyone's time. Those still coding - and not posting - are actually the ones moving J! forward. This is just a little exercise in mental gymnastics.

OK. Take care.
Amy

[Anarchyx67]

It would rock if we could provide php.ini file and Apache configuration files in every download. Unfortunately, that's not an option because Joomla! cannot override your host choices.

On the contrary Amy, that is an option, and this website does refer users to modify the settings using PHP.INI, .htaccess or otherwise. And depending on the hosts configurations, it certainly is a possibility to have a local .INI or .htaccess file override the hosts settings. Depends upon the host. So with all due respect, I disagree.

I don't hear anyone here saying "take it or leave it." But, in the end, we don't try to force Joomla! on anyone, and as Ron pointed out the importance of earlier, we don't try to "trick people" into using Joomla! either. We are realistic and don't expect Joomla! to meet everyone's needs. So, we make Joomla! available to anyone in the world to download for free (freedom and charge.) If they like it, cool! If they don't, we understand.

I was actually referring to the entire open source community, not just Joomla. But having just looked up several other posts even here, yes, there are comments made by people in the "volunteer pool" <I call them staff, paid or not, it's what they do so they should get the title!> that have made comments relating to "take it or leave it". Hence some of the other posts mentioning similar comments, both in this thread and in others. I would invite you to really dig deep on the forum and become familiar with the responses given.

Now, please keep passion at bay. I think your next post to FW116 got into "personal attack" areas, and I am certain you did not intend that to happen. Remember, this is just a little forum exchange and, in the end, mostly a waste of everyone's time. Those still coding - and not posting - are actually the ones moving J! forward. This is just a little exercise in mental gymnastics.

OK. Take care.
Amy

With all due respect, my reply to FW116 was well warranted. I've even begun reporting his posts because they are just plain uncalled for. So let's point fingers where they should be pointed, if we are going to point them at all. I do apologize for any harshness in my response. I do however find it odd you'd feel that forum discussions are a "Waste of time". I hope you don't feel the same towards others posts.

Cordially posted...

[brad]

Seriously, can we keep this thread on topic, or it will be closed. In fact I wonder if it is far enough off topic to be closed now.

[dallen]

Personally I would like to see more articles about security from the Joomla Security Strike Team. Maybe an article about what joomla.org does to protect it's own site. Don't leave out any details(I know that this is dangerous to the joomla.org security, but it would be nice to learn from the masters). There is a security checklist and preventing a SQL injection article(which are great), but that's it. There hasn't been anything new in quite a while. I'm sure that Anthony Ferrara is a busy person, so can we the joomla users submit articles about securing a website and have them published there? I would like to see some articles that take a real hard look at specific tactics covering the pros and cons. Articles for the beginners, some for the pros, and some for the paranoid! I know that RussW has written a few well written post about file permissions that I believe would be great to have published there. To me it seems like there should be more information there instead of 5 security news bits and 2 articles. After all this hacking, maybe an article about why one should change the default "admin" name to another name would be beneficial. And I believe that the articles should have the date that they were written as things change. I also remember seeing a security video a while back that from a joomla users group where someone from the joomla team had a PowerPoint discussing security and explaining things like why the hackers do what they do and had a Q&A section afterwards. Maybe I'm misunderstanding what the JSST is for, but it seems like that would be something great to have available there and is already done... it just needs to be found again.

What about an RSS feed built into the administration that would deliver security updates so when we log in it would say "Joomla 1.5.7 security release"? Plus have a link right below that says "click here to sign up and receive e-mail security updates". That might have helped some people that noticed that their frontpage was hacked and they log into the backend using a second administrator login. That way the website would already be subscribed to the security feed-and everyone would know that there was a security feed to subscribe to. How many people knew about that feed before all the hacked sites? Maybe even make the link to subscribe available on the last step of a joomla install.

[RussW]

@Dallen

You wish is our command.... <grin> Last month in the Community Magazine it was announced that there will be a series of articles on these types of topics, unfotunately for you guys it will be me writing them, but rest assured the 'brains' (instead of the good-looks, as in 'me') behind the scenes will also be involved and contributing to these articles also. If you have specific articles or content of that you feel might be of use or interest, then please feel free to PM me and we will certainly take a look at them and co-opt you to the cause also

http://community.joomla.org/magazine/ar ... ected.html

[masterchief]

What about an RSS feed built into the administration that would deliver security updates so when we log in it would say "Joomla 1.5.7 security release"? Plus have a link right below that says "click here to sign up and receive e-mail security updates".

We'll look into adding a mod_feed for the admin (so you can add one to the Control Panel). However, there is already a security note in the default "Welcome" message. Maybe is could be a little more obvious (and it needs to be updated) but we get to the point where we've led the horse to water - whether it drinks is another matter. That said, lots of good ideas here and we'll be processing them over time.

[RussW]

OK, for those that are interested......

How to add the Joomla! Security Announcements Feed to the Admin Control Panel

• Login to your Joomla! sites Administration site
• From the menu, select Extensions -> Module Manager
• From within the Module Manager, select Administrator
• From the Icon Menu (top right), select New
• From the choices available, select Feeds Display
• At the Feed Module configuration page, enter the appropriate details (Title (EG: Security Announcements) and Feed as a minimum)
• Enter http://feeds.joomla.org/JoomlaSecurityNews in the Feed URL
• Select cpanel as the position
• Optional Select Apply from the Icon Menu (top right) and place the feed in the order where you want to see it in the Admin Control Panel
• Select Save from the Icon Menu (top right)

You're done.....
Go back to your Admin Site main page (Site -> Control Panel) and you should now see your newly built Security Feed (Security Announcements)

AdminSecurityFeed.png

P.S: As an aside to using this for the technique Security Announcements from Joomla!....
I hav been using this method to deliver my own "Customer Updates" to sites that I build for customers for some time now, it's a great way to communicate with your customers after handing over the site to them. Everytime thy log in to the Admin site, they get to see your latest news right in-front of them...!! A simple marketing and communications tip, brought to you by the JSST

[RussW]

Oooops, apologies for the double posting, but to follow up on Dallens post regarding the Security PPT he had heard about, if it's the one I am thinking of, it was presented at the Melbourne Joomla! Day earlier this year (2008)

Here's the link to the video, for those interested http://video.google.com/videoplay?docid ... 0163520172

[brad]

Maybe an article about what joomla.org does to protect it's own site.

I have posted a number of articles as well as delivered presentations at each JoomlaDay I attend. The setup on joomla.org is not anything special. Good host, secure file permissions, regular backups as well as keeping Joomla up to date.



I really don't know what more to say. What more do you want? A car that never needs an oil change? An Operating system that never needs updating?
Security is very important, but seriously it's not that hard. Far too many people over complicate it, have shocking hosting setups and waste far too much time on things that don't really matter or make much difference.

In most cases, hacked sites usually include one or both of two things: 1. Poor hosting setup 2. User error - ie not keeping Joomla or it's components up to date.

I mean, not bothering with those two steps above is like leaving your laptop on display as you lock your car, and wondering why someone broke in. Think people!!






I'm sorry.. I am just so tired of people ranting about their sites being hacked when 99.9% of the problem is within their control, and they still refuse to think, or do anything, but post threads asking for free help to clean up their broken glass and beg for money to buy a new laptop.

How will hosts improve if users don't speak with their feet (ie move) or raise hosting issues with their hosts instead of just accepting the poor setups from the Slowdaddy's, 3&3's, and the long line of poorly configured oversellers. php4 anyone?
As for point number 2, why don't people who want to make a difference spend their energy trying to educate users that like a car, or a PC operating system, Joomla does require SIMPLE patches at times.

Do you read the little sticker on the windscreen, or notice your cars message about taking it in for a service? Do you install your operating system updates when prompted? Or do you rant and rave about your car breaking down because YOU never changed the oil or ever took it in for a service?

Seriously people.. think! The trough of water is about a foot below your mouth. Open your mouth, lower you head.. and drink! We're just can't push you heads down for you, or open your month for you.. but apart from that.. we've done everything else.




I'm sorry.. it's been boiling up inside me for weeks... I can't keep it in.

[masterchief]

Ok, I need my eyes tested . I'm sure the last time I looked we had no backend mod_feed ... goes to show how much I use admin modules

[rliskey]

I added Russ' great writeup on how to add Security Feeds to the Joomla Security FAQs.
http://docs.joomla.org/Security_and_Performance_FAQs

[rliskey]

Also added a reference to this information in the Admin Security Checklist.
http://docs.joomla.org/Joomla_Administr ... trol_Panel

[dallen]

Also added a reference to this information in the Admin Security Checklist.
http://docs.joomla.org/Joomla_Administr ... trol_Panel

What about a reference to this information also in the JSST area?