Users - Security


Users - Security

Andrew Dupa
How secure is Ofbiz?
 
Am I the only one concerned about the security holes? I would happily detail those that I found, but not publicly on the list, for those poor souls still using it. I'm pulling my site immediately and moving to another platform.
 
Oh, and by the way, if you're using a production site make sure you change all the admin, demoadmin passwords; you wouldn't believe how many I found that didn't on your end users list.
 
 

 
_______________________________________________
Users mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/users

Re: Users - Security

David E. Jones

Yes, details please. On the public list isn't a problem, the more  
people who know about them the more likely they will be fixed...

As for the passwords: this is yet another area where the Basic  
Production Setup Guide can be helpful.

As for pulling "your" site: if you are using an old version and not  
maintaining it yourself or working with others to resolve issues you  
find in it (like with Sequoia/OpEnTaps), and you're not keeping up  
with the latest changes and bug fixes, then pulling the site and  
moving to something that you will maintain is nothing short of an  
_excellent_ way to go.

-David


On Feb 15, 2006, at 11:32 AM, Andrew Dupa wrote:

> How secure is Ofbiz?
>
> Am I the only one concerned about the security holes? I would
> happily detail those that I found, but not publicly on the list,
> for those poor souls still using it. I'm pulling my site
> immediately and moving to another platform.
>
> Oh, and by the way, if you're using a production site make sure you
> change all the admin, demoadmin passwords; you wouldn't believe how
> many I found that didn't on your end users list.

Re: Users - Security

Si Chen-2
In reply to this post by Andrew Dupa
Why are you still here?


Re: Users - Security

Andrew Dupa
In reply to this post by David E. Jones
Ho hum....here we go again....we've been through this before!!
 
The reality of what you're suggesting is laughable. Easy for you to say, but in reality it's a very different story. You have no idea about QA, release management or production environment upgrades. If you had any real-world experience with product software development you'd provide an upgrade path and releases -
 
Talk to me when you get a real job and learn about the real-world software development process. I can teach you.
 
You just sound like another developer from the consultant world who's been stuck in code-and-fix mode with no responsibility. I interview your type every day and stamp your file with "no hire" all the time....
 
Yeah, I should be dealing with Sequoia. I'm in the wrong place. I'll write a test that reproduces the steps and submit it to them. In the meantime I'll go back to the real world.

 

Re: Users - Security

Andrew Dupa
In reply to this post by Si Chen-2
Have you got a problem with that?


Re: Users - Security

David E. Jones
In reply to this post by Andrew Dupa

On Feb 15, 2006, at 11:53 AM, Andrew Dupa wrote:

> Ho hum....here we go again....we've been thru this before!!

Yes, I guess we all must enjoy it!

> The reality of what you're suggesting is laughable. Easy for you to
> say, but in reality it's a very different story. You have no idea about QA,
> release management or production environment upgrades. If you had
> any real-world experience with product software development you'd
> provide an upgrade path and releases -

It's not a matter of experience, it's a matter of money. I can only  
afford so much quality control and bug fixing personally, so if other  
people and organizations (i.e. users of OFBiz) don't get involved, then  
they'll have to wait until I or someone else does it for them...

> Talk to me when you get a real job and learn about real world  
> software development process. I can teach you.
>
> You just sound like another developer from the consultant world  
> who's been stuck in code-and-fix mode with no responsibility. I  
> interview your type every day and stamp your file with "no hire" all  
> the time....

Thank the maker I'm not looking for a job!

> Yeah, I should be dealing with Sequoia. I'm in the wrong place.  
> I'll write a test that reproduces the steps and submit it to them.  
> In the meantime I'll go back to the real world.

I don't, I kind of enjoy these little interruptions from "the real  
world". But yeah, back we go...

-David


 

Re: Users - Security

Adrian Crum
In reply to this post by Andrew Dupa
Andrew,

No one on this list is buying your self-proclaimed superiority. You've
demonstrated to everyone that you're not that skilled - you can't even follow a
simple setup guide.

Please do everyone a favor and use another software product. Your pompous
arrogance is just a waste of bandwidth.



Re: Users - Security

Andrew Sykes
Do we have a blacklist?

Can we have a vote on this?

I'm tired of reading this silliness!


On Wed, 2006-02-15 at 11:02 -0800, Adrian Crum wrote:

> Andrew,
>
> No one on this list is buying your self-proclaimed superiority. You've
> demonstrated to everyone that you're not that skilled - you can't even follow a
> simple setup guide.
>
> Please do everyone a favor and use another software product. Your pompous
> arrogance is just a waste of bandwidth.
--
Kind Regards
Andrew Sykes <[hidden email]>
Sykes Development Ltd
http://www.sykesdevelopment.com

 

Re: Users - Security

Jacques Le Roux
Administrator

----- Original Message -----
From: "Andrew Sykes" <[hidden email]>
To: "OFBiz Users / Usage Discussion" <[hidden email]>
Sent: Wednesday, February 15, 2006 8:22 PM
Subject: Re: [OFBiz] Users - Security


> Do we have a blacklist?
>
> Can we have a vote on this.
>
> I'm tired of reading this silliness!

Andrew,

I was thinking like you, but after having read David's answer I found, like him,
that after all Andrew D's creative interruptions are indeed hilarious :o)

Now we also have a PHB here on the OFBiz Users ML :o)))

Jacques



Re: Users - Security

BJ Freeman
In reply to this post by Andrew Dupa
and I thought I had an Ego. LOL


Re: Users - Security

Andrew Dupa
Before you kick me off here....I think some of you should be kicked off for the same reasons...your attitude is as bad, if not worse, than mine.
 
So let's just recap on the two experiences I had with the 'users' list of OFBiz. Remember users, those people you belittle?
 
I asked about a known problem with the Job Sandbox table and was told that I could delete records from the database. Really, wow!!! You guys are so smart; can you be more specific please? I was then told that my clean-up wasn't running. Please be as vague as you can. I'm only trying to get a production system back up and running here; it's not costing you money, I know, but someone has to pay in the end. Clowns. People like you get fired from my company.
 
I've read some threads here and all I hear is "check out the latest code" - WTF - have you lost your mind? Do you know how to run a production system?
 
I tell you that I have worked out how to crack a password on OFBiz; any basic statistics/maths/computer science knowledge will tell you it's not as hard as it should be.

So at the end of the day, in my day job I'm about to ship a major product built on open source software that most of you probably use every day (no, it's not built on OFBiz; there's no way I would put my name on it unless I regression tested the hell out of it). Dealing with them is amazing; dealing with you guys is a joke.
 
So although I may have a big ego and be a bit blunt, I think you all need to take a good hard look at yourselves, at how you treat the end users of the system, and at how you answer questions. If you want your cliquey little club then you are not going to attract the kind of developer to work on this that can help you out of your mess and become a major open source player. But then again, it's amateur hour here. I think you'll be gone in 2 years. I'd put money on it.
 
Good luck
 
...code and fix code and fix code and fix...code and fix...we're so smart....code and fix....check it in...testing is for losers
 
 
 
 

Re: Users - Security

Andrew Sykes
Thanks for that, I would reply, but Bill Gates is on the phone here
asking me if I can project manage his successor to the XBox.

And Amazon are on hold.

And the deadline for the new Google algorithm is tomorrow and I've got
to set Larry straight on a few things.


--
Kind Regards
Andrew Sykes <[hidden email]>
Sykes Development Ltd
http://www.sykesdevelopment.com

 

Re: Users - Security

David E. Jones
In reply to this post by Andrew Dupa

On Feb 16, 2006, at 11:37 AM, Andrew Dupa wrote:

> Before you kick me off here....I think some of you should be kicked  
> off for the same reasons...your attitude is as bad, if not worse,  
> than mine.

It's not attitude, it's the personal attacks that are simply not  
acceptable and that people would rather not have to read. If you  
don't see the difference or the problem with that, then you need a  
shrink to help with your inter-personal interaction, not much can be  
done on a users mailing list of an open source project.

> So let's just recap on the two experiences I had with the 'users'  
> list of OFBiz. Remember users, those people you belittle?
>
> I asked about a known problem with the Job Sandbox table and was  
> told that I could delete records from the database. Really, wow!!!  
> You guys are so smart; can you be more specific please? I was then  
> told that my clean-up wasn't running. Please be as vague as you  
> can. I'm only trying to get a production system back up and running  
> here; it's not costing you money, I know, but someone has to pay in  
> the end. Clowns. People like you get fired from my company.
>
> I've read some threads here and all I hear is "check out the latest  
> code" - WTF - have you lost your mind? Do you know how to run a  
> production system?

I'm sorry that's all you heard; from my perspective a lot more than  
that, and a lot more detail than that, was given to you, in spite of  
your personal attacks and general complaints.

> I tell you that I have worked out how to crack a password on ofbiz,  
> any basic statistics/maths/computer science knowledge will tell you  
> it's not as hard as it should be.

Yes, it is vulnerable to any common password attack like a dictionary  
attack or brute force attack or whatever. Not as hard as it _should_  
be... interesting.

> So at the end of the day, in my day job I'm about to ship a major  
> product built on open source software that most of you probably use  
> every day (no, it's not built on OFBiz; there's no way I would put  
> my name on it unless I regression tested the hell out of it).  
> Dealing with them is amazing; dealing with you guys is a joke.

Wow, I'm really sorry to hear that. You mean that someone you paid to  
help you was more responsive than a large group of users (not service  
or product providers) that were totally unpaid nor offered any such  
thing?

> So although I may have a big ego and be a bit blunt, I think you all  
> need to take a good hard look at yourselves, at how you treat the end  
> users of the system, and at how you answer questions. If you want your  
> cliquey little club then you are not going to attract the kind of  
> developer to work on this that can help you out of your mess and  
> become a major open source player. But then again, it's amateur hour  
> here. I think you'll be gone in 2 years. I'd put money on it.

Well, we've been around for about 5 years and things are moving along  
better than ever before. While I personally have only so much  
influence over that, and don't have any power to guarantee that won't  
be the case, I don't see it happening that way, and I know a _lot_ of  
people with a lot more money that are pushing for continuation of,  
and progress in, the project.

BTW, these are not uncommon concerns for those who are not familiar  
with community driven open source projects. I've discussed these  
things with dozens of clients as these are common questions. It is  
more to that audience that I write than to you Andrew, because it  
sounds like your decision is already made. If you think you will  
somehow be able to sway people here through FUD that has been covered  
over and over, then you might want to look a little harder for  
something productive to do.

> Good luck
>
> ...code and fix code and fix code and fix...code and fix...we're so  
> smart....code and fix....check it in...testing is for losers

Just because we don't test the way you do or the way you wish we  
would (and that honestly we wish we could...), it doesn't mean we  
don't test...

-David

> On 2/15/06, BJ Freeman <[hidden email]> wrote: and I thought I  
> had an Ego. LOL


Re: Users - Security

Sterling Okura
In reply to this post by Andrew Dupa

First of all I would like to thank Andrew for not only posting the security issues w/ the default admin logins, but for also discreetly contacting us to notify us that one of our client’s OFBiz instances still had the DEMOADMIN enabled.  I disabled it and checked on all of my other OFBiz production sites.  I really appreciate the heads-up, helping me to avoid a potentially embarrassing incident of a malicious user being able to view and exploit credit card info.

As for the benefits/drawbacks to using free open-source apps like OFBiz, my experiences have been quite positive.  You might not get step-by-step instructions in responses to your support requests, but the responses do point you in the right direction.  An example is David’s recent reply to a question I had on volume & performance which directed me to the stats tool.  Through the tool I was able to find the pages that were not optimized.  Eventually, by modifying some of the methods in the CatalogWorker, the page load times were decreased from an average of several seconds to a fraction of a second.

So, with the free support you won’t have someone rolling up their sleeves and digging through your OFBiz installation, but you will be given the direction to do it yourself.  Or, I’m sure you could pay an OFBiz consultant to do the digging for you like you would with any commercial support contract.

As for OFBiz in production, a client did so well in online sales through a regional website that they’ve recently launched a new nationwide site.  They have been extremely impressed with all of the built-in functionality OFBiz offers, and the flexibility to add and customize whatever we want.  For example they set up dynamic pricing where a job runs each night, checks each product for the total # of sales in the last 7 days, compares it to the weekly quota defined for that product, then increments price up or down if needed until it eventually hits the min or max price for that product.  This has saved them countless man hours and has drastically increased their profitability by allowing them to utilize demand-based pricing.  The beauty is that OFBiz made it so easy to implement this feature.  Just had to add a few fields to the Product entity, add a couple of new services (love the mini-lang), and set up the automated scheduling.  The site often averages over 1000 OFBiz page hits in a 15 minute period, and handles hundreds (soon thousands) of orders a day.  Yes, they’re no Amazon, but for a start-up they have been extremely pleased with OFBiz’s ability to grow with them.

I understand your frustrations, I’ve experienced my share of them over the years, but I promise that things get easier and quicker the more familiar you become with OFBiz and how it works.  If you’ve already decided that OFBiz is not for you, best wishes for whatever platform you end up going with.

Thank you sir!

sterling

 

 


From: Andrew Dupa [mailto:[hidden email]]
Sent: Thursday, February 16, 2006 11:38 AM
To: OFBiz Users / Usage Discussion
Subject: Re: [OFBiz] Users - Security


before you kick me off here....I think some of you should be kicked off for the same reasons...your attitude is as bad if not worse than mine.

So let's just recap on the two experiences I had with the 'users' list of ofbiz. Remember users, those people you belittle.

I asked about a known problem with the JOB Sandbox table and was told that I could delete records from the database. Really, wow!!! You guys are so smart, can you be more specific please? I was then told that my clean up wasn't running; please be as vague as you can. I'm only trying to get a production system back up and running here, it's not costing you money I know but someone has to pay in the end. Clowns. People like you get fired from my company.

I've read some threads here and all I hear is check out the latest code - wtf - have you lost your mind - do you know how to run a production system?

I tell you that I have worked out how to crack a password on ofbiz; any basic statistics/maths/computer science knowledge will tell you it's not as hard as it should be.

So at the end of the day in my day job I'm about to ship a major product built on open source software that most of you probably use everyday (no it's not built on ofbiz, there's no way unless I regression tested the hell out of it would I put my name on it). Dealing with them is amazing, dealing with you guys is a joke.

So although I may have a big ego and be a bit blunt I think you all need to take a good hard look at yourselves and how you treat the end users of the system, how you answer questions. If you want your clicky little club then you are not going to attract the kind of developer to work on this that can help you out of your mess and become a major open source player. But then again it's amateur hour here. I think you'll be gone in 2 years. I'd put money on it.

Good luck

...code and fix code and fix code and fix...code and fix...we're so smart....code and fix....check it in...testing is for losers

Re: Users - Security

Jacques Le Roux
Administrator
In reply to this post by Andrew Dupa
A good point for Andrew D.!
So I apologize: he is not a PHB.
Mmm, looks like *everyone* has to read *carefully* the OFBiz Basic Production Setup Guide.

Jacques

Re: Users - Security

Sterling Okura

Thanks for the link Jacques.  I completely agree with you.  This OFBiz install is several years old (older than the current guide).  The flexadmin and other logins were disabled, but somehow the demoadmin was still enabled.  Even if you’ve already read the guide, it’s worth another look at your admin logins.  It also doesn’t hurt to do an occasional security check and make sure that you know the users with various high-level permissions.

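Sterling's two checks above (are the shipped default logins such as admin, demoadmin and flexadmin still enabled, and who currently holds high-level permissions) as a runnable audit. This is an added example, not OFBiz project code or a script from this thread; it assumes the OFBiz USER_LOGIN and USER_LOGIN_SECURITY_GROUP tables with the columns shown, and runs against a constructed in-memory copy rather than a real database.

```python
"""Added audit example; not OFBiz project code or a script from this thread.
Assumption: OFBiz keeps accounts in USER_LOGIN (USER_LOGIN_ID, ENABLED) and
group membership in USER_LOGIN_SECURITY_GROUP (USER_LOGIN_ID, GROUP_ID,
FROM_DATE, THRU_DATE). Verify these names against your own installation
before pointing the queries at a production database."""
import sqlite3

# Default logins named in the thread (admin, demoadmin, flexadmin).
DEFAULT_LOGINS = ("admin", "demoadmin", "flexadmin")
# Groups treated as high-privilege; FULLADMIN is OFBiz's superuser group.
PRIVILEGED_GROUPS = ("FULLADMIN",)

def build_sample_db() -> sqlite3.Connection:
    """Constructed sample rows standing in for a production database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE USER_LOGIN (USER_LOGIN_ID TEXT PRIMARY KEY, ENABLED TEXT);
        CREATE TABLE USER_LOGIN_SECURITY_GROUP (
            USER_LOGIN_ID TEXT, GROUP_ID TEXT, FROM_DATE TEXT, THRU_DATE TEXT);
        INSERT INTO USER_LOGIN VALUES ('admin', 'Y'), ('demoadmin', NULL),
            ('flexadmin', 'N'), ('sterling', 'Y'), ('olduser', 'Y');
        INSERT INTO USER_LOGIN_SECURITY_GROUP VALUES
            ('admin', 'FULLADMIN', '2001-01-01', NULL),
            ('demoadmin', 'FULLADMIN', '2001-01-01', NULL),
            ('sterling', 'FULLADMIN', '2004-06-01', NULL),
            ('olduser', 'FULLADMIN', '2003-01-01', '2005-01-01');
    """)
    return conn

def _marks(values) -> str:
    return ",".join("?" * len(values))

def enabled_default_logins(conn) -> list:
    """Default accounts still enabled. A NULL ENABLED flag is counted as
    enabled, which is the conservative reading for an audit."""
    sql = ("SELECT USER_LOGIN_ID FROM USER_LOGIN WHERE USER_LOGIN_ID IN "
           f"({_marks(DEFAULT_LOGINS)}) AND (ENABLED IS NULL OR ENABLED <> 'N') "
           "ORDER BY USER_LOGIN_ID")
    return [row[0] for row in conn.execute(sql, DEFAULT_LOGINS)]

def privileged_users(conn, as_of: str) -> list:
    """Enabled logins whose privileged group membership is active on as_of
    (ISO date): FROM_DATE <= as_of and THRU_DATE unset or later."""
    sql = ("SELECT g.USER_LOGIN_ID, g.GROUP_ID FROM USER_LOGIN_SECURITY_GROUP g "
           "JOIN USER_LOGIN u ON u.USER_LOGIN_ID = g.USER_LOGIN_ID "
           f"WHERE g.GROUP_ID IN ({_marks(PRIVILEGED_GROUPS)}) "
           "AND g.FROM_DATE <= ? AND (g.THRU_DATE IS NULL OR g.THRU_DATE > ?) "
           "AND (u.ENABLED IS NULL OR u.ENABLED <> 'N') ORDER BY g.USER_LOGIN_ID")
    return list(conn.execute(sql, (*PRIVILEGED_GROUPS, as_of, as_of)))

if __name__ == "__main__":
    db = build_sample_db()
    print("enabled default logins:", enabled_default_logins(db))
    print("active privileged users:", privileged_users(db, "2006-02-17"))
```

On the sample data the audit flags admin and demoadmin as enabled defaults, and lists admin, demoadmin and sterling as active FULLADMIN members while the expired olduser membership and the disabled flexadmin are left out.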
Re: Users - Security

Jacques Le Roux
Administrator
In reply to this post by Andrew Dupa
Yes, thanks Sterling. These points are really crucial!

Jacques