On Thu, Dec 31, 2009 at 10:39:43AM -0500, Fred at PlanetaryServer.com wrote:
> Dan Ritter wrote:
> > you should assume that no CMS framework is offering any security at all.
> >
> > Oh, sure, they all have at least an idea of protecting pages from view or
> > edit. But their programmers weren't thinking of your threat model. They're
> > thinking "Wow, if a large site gets violated, they might have to restore
> > from backup. That could be painful!".
> >
> > This won't do if you are playing with real money. Worse if you are
> > playing with access details for direct deposit systems.
> >
>
> Of course, if this site is set up so that it can only be accessed via a
> VPN, then the security question is contained to how secure the VPN is,
> thus eliminating any potential flaws in the CMS itself.

This statement is extremely wrong.

A well-implemented VPN provides protection against eavesdropping on the
network connection, and perhaps some degree of network access control.
It's not a magic security wand. It certainly does not eliminate any
flaws in the CMS.

Suppose any authorized user can edit any page, through an unintentional
hole. Suppose an authorized user can steal the credentials or the
effective use of another user. Suppose there is no or little protection
against password guessing. Suppose... x1000.

-dsr-

--
http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference.
You can't defend freedom by getting rid of it.
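The first of Dan's "suppose" cases, as an added example that is not part of the thread and not code from any CMS mentioned in it: a minimal page-edit authorization check in Python. The VPN address pool, the page owners, the admin name and the requests are all constructed for the example. The point it makes concrete is that "the request arrived over the VPN" and "this user may edit this page" are independent checks; the vulnerable version passes the first and skips the second, so any VPN user with any valid session can edit the payroll page.

```python
"""Added example (not from the BLU thread): network reachability vs.
object-level authorization in a toy CMS page-edit handler.

All data below (VPN pool, pages, users, requests) is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed VPN client address pool; anything outside it never reaches the CMS.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")


@dataclass
class Page:
    slug: str
    owner: str


@dataclass
class Request:
    src_ip: str            # address the request arrived from
    user: Optional[str]    # authenticated user, None if no valid session
    slug: str              # page the user is trying to edit


# Constructed sample content: two pages with different owners.
PAGES = {
    "payroll": Page("payroll", "alice"),
    "news": Page("news", "bob"),
}

# Constructed admin list; assumed role that may edit any page.
ADMINS = frozenset({"carol"})


def reachable_via_vpn(req: Request) -> bool:
    """The only thing the VPN gives you: the request came from the tunnel."""
    return ipaddress.ip_address(req.src_ip) in VPN_NET


def can_edit_vulnerable(req: Request) -> bool:
    """'Any authorized user can edit any page' - the unintentional hole.

    Checks that the request came over the VPN and that *some* session
    exists, but never asks whether this user may edit this page.
    """
    return reachable_via_vpn(req) and req.user is not None


def can_edit_fixed(req: Request) -> bool:
    """Same network check, plus object-level authorization on the page.

    The VPN check is unchanged; what closes the hole is the owner/admin
    check, which is application logic the VPN cannot supply.
    """
    if not reachable_via_vpn(req) or req.user is None:
        return False
    page = PAGES.get(req.slug)
    if page is None:
        return False          # unknown page: deny, do not create implicitly
    return req.user == page.owner or req.user in ADMINS


if __name__ == "__main__":
    # bob has a valid session over the VPN but does not own "payroll".
    bob_edits_payroll = Request("10.8.0.5", "bob", "payroll")
    print("vulnerable:", can_edit_vulnerable(bob_edits_payroll))  # True
    print("fixed:     ", can_edit_fixed(bob_edits_payroll))       # False
```

Both functions reject traffic that never entered the tunnel, which is exactly the property the VPN does provide; the difference between them is entirely inside the CMS, so moving the site behind a VPN changes nothing about it.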