You should understand that the demo allows you full administrative rights. It allows you to try templates in live mode. Maybe we should restrict template write access? Then you could not play with the Newscoop template language. Well, if some dummy tries again, I think we'll decline write access.
Thanks for letting us know, akhter. As Andrey says, we want to allow people to test full functionality, and the only way to do this is with an open account and password...

This of course isn't a Newscoop security issue per se, but rather a good reminder to employ good password policy on your own site with strong passwords that are changed often. From our point of view, we're favouring openness and trust for now on the demo, but we'll keep this under constant review.
firstly, thanks akhter for catching this and posting it here. on our servers there is a regular schedule (i think one hour? possibly we might shorten this?) by which our demo sites are reinstalled automatically. andrey is very good at planning and implementing such strategies. we have this set-up because we expect vandalism on the demo site. what else would you expect when you leave your car alone with open doors in a busy street at night?
also - my personal opinion - hackers have often helped to improve newscoop or airtime. we frequently get security alerts, and we get them from amateur or professional hackers and security experts who find vulnerabilities. this is not only the case for our products, this is the case for all software development. especially open source developments benefit from these inputs. closed and commercial projects usually find it more difficult to admit that they benefit from it. if you go through the backlog of our newsletters, you will find a series of security warnings and fixes we implemented. this is the daily bread of software development like ours.
hacking is a creative job. being a hacker requires skill, talent, training, instinct and creative thinking. you need to "find a way or make one" (to quote our own slogan from last year's sourcecamp). when you get people to put their skill to challenge your product, you can only benefit. and we have.
vandalism ... not so helpful. MYk logged into our demo site and changed the templates to put up his or her MYk-picture. well, this is why we have a demo site: to test our stuff. i feel like replying: "thanks for trying our software. if you want to stay informed, please subscribe to our newsletter".
to cut a long story short: we get security alerts and react to them like any professional in the business. and this makes our software better. this is a fundamental paradigm of open source development which is called linus' law: "given enough eyeballs, all bugs are shallow".
thanks for listening, back to business. all the best,
micz