
Re: Users - Security

Posted by David E. Jones on Feb 16, 2006; 6:54pm
URL: http://ofbiz.116.s1.nabble.com/Users-Security-tp137421p137428.html


On Feb 16, 2006, at 11:37 AM, Andrew Dupa wrote:

> before you kick me off here....I think some of you should be kicked  
> off for the same reasons...your attitude is as bad if not worse  
> than mine.

It's not attitude, it's the personal attacks that are simply not  
acceptable and that people would rather not have to read. If you  
don't see the difference or the problem with that, then you need a  
shrink to help with your inter-personal interaction; not much can be  
done on a users mailing list of an open source project.

> so let's just recap on the two experiences I had with the 'users'  
> list of ofbiz. remember users, those people you belittle
>
> I asked about a known problem with the JobSandbox table and was  
> told that I could delete records from the database. Really, wow!!!  
> You guys are so smart, can you be more specific please? I was then  
> told that my clean up wasn't running, please be as vague as you  
> can. I'm only trying to get a production system back up and running  
> here, it's not costing you money I know but someone has to pay in  
> the end. Clowns. People like you get fired from my company.
>
> I've read some threads here and all I hear is check out the latest  
> code - wtf - have you lost your mind - do you know how to run a  
> production system?
I'm sorry that's all you heard; from my perspective a lot more than  
that, and a lot more detail than that, was given to you, in spite of  
your personal attacks and general complaints.

> I tell you that I have worked out how to crack a password on ofbiz,  
> any basic statistics/maths/computer science knowledge will tell you  
> it's not as hard as it should be.

Yes, it is vulnerable to any common password attack like a dictionary  
attack or brute force attack or whatever. Not as hard as it _should_  
be... interesting.

> So at the end of the day in my day job I'm about to ship a major  
> product built on open source software that most of you probably use  
> everyday (no it's not built on ofbiz, there's no way unless I  
> regression tested the hell out of it would I put my name on it).  
> Dealing with them is amazing, dealing with you guys is a joke.

Wow, I'm really sorry to hear that. You mean that someone you paid to  
help you was more responsive than a large group of users (not service  
or product providers) that were totally unpaid and never offered any  
such thing?

> So although I may have a big ego and be a bit blunt I think you all  
> need to take a good hard look at yourself and how you treat the end  
> users of the system, how you answer questions. If you want your  
> cliquey little club then you are not going to attract the kind of  
> developer to work on this that can help you out of your mess and  
> become a major open source player. But then again it's amateur hour  
> here. I think you'll be gone in 2 years. I'd put money on it.

Well, we've been around for about 5 years and things are moving along  
better than ever before. While I personally have only so much  
influence over that, and don't have any power to guarantee that won't  
be the case, I don't see it happening that way, and I know a _lot_ of  
people with a lot more money that are pushing for continuation of,  
and progress in, the project.

BTW, these are not uncommon concerns for those who are not familiar  
with community driven open source projects. I've discussed these  
things with dozens of clients as these are common questions. It is  
more to that audience that I write than to you, Andrew, because it  
sounds like your decision is already made. If you think you will  
somehow be able to sway people here through FUD that has been covered  
over and over, then you might want to look a little harder for  
something productive to do.

> Good luck
>
> ...code and fix code and fix code and fix...code and fix...we're so  
> smart....code and fix....check it in...testing is for losers

Just because we don't test the way you do or the way you wish we  
would (and that honestly we wish we could...), it doesn't mean we  
don't test...

-David

> On 2/15/06, BJ Freeman <[hidden email]> wrote: And I thought I  
> had an ego. LOL
>
> Andrew Dupa sent the following on 2/15/06 10:32 AM:
> > How secure is Ofbiz?
> >
> > Am I the only one concerned about the security holes? I would  
> > happily detail those that I found, but not publicly on the list,  
> > for those poor souls still using it. I'm pulling my site  
> > immediately and moving to another platform.
> >
> > Oh and by the way, if you're using a production site make sure you  
> > change all the admin, demoadmin passwords. You wouldn't believe how  
> > many I found that didn't on your end users list.

_______________________________________________
Users mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/users

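Two security points survive the flame war above: David concedes that the stored passwords are open to an ordinary dictionary or brute-force attack, and Andrew's original post tells production sites to change the admin and demoadmin passwords. The block below is an added example and is not code from OFBiz or from anyone in this thread; the thread does not say how OFBiz stored passwords at the time, so the "unsalted single-pass digest" table is an assumed model of the weakness being discussed, not a description of OFBiz's implementation. The record layout, the WORDLIST, the sample rows and passwords, and all function names (crack_unsalted, crack_salted, audit_built_in_accounts) are constructed for illustration. It shows why an unsalted fast digest lets one hash per guess serve every account, how a per-user salt plus PBKDF2 stretching makes the same wordlist cost accounts x words x iterations, and the audit a site should run against its built-in accounts.

```python
# Added example; not code from OFBiz or from anyone in this thread.
# Assumed for illustration: a login table keyed by user id that stores either
# (a) an unsalted single-pass SHA-1 hex digest, or (b) a per-user salt + PBKDF2 digest.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # kept low so the example runs in seconds; production values are higher

# Constructed wordlist: a few weak choices plus the product name, as a real wordlist would have.
WORDLIST = ["123456", "password", "admin", "demoadmin", "letmein", "ofbiz"]
BUILT_IN_ACCOUNTS = ("admin", "demoadmin")  # the two accounts named in the thread


def sha1_hex(password):
    return hashlib.sha1(password.encode()).hexdigest()


def verify_unsalted(stored_hex, password):
    return hmac.compare_digest(stored_hex, sha1_hex(password))


def make_salted(password):
    salt = os.urandom(16)  # fresh random salt per record
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_salted(record, password):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, candidate)


# Constructed sample rows: two built-in accounts left on weak passwords, one user on a strong one.
SAMPLE_PASSWORDS = {"admin": "password", "demoadmin": "demoadmin", "alice": "k9#Vr2!pLwq-Zt"}
LEGACY_STORE = {u: sha1_hex(p) for u, p in SAMPLE_PASSWORDS.items()}
SALTED_STORE = {u: make_salted(p) for u, p in SAMPLE_PASSWORDS.items()}


def crack_unsalted(store, wordlist):
    """Offline dictionary attack on the unsalted store.

    Every account shares the same password -> hash mapping, so the attacker hashes
    each word once and matches it against all accounts: len(wordlist) digests total.
    Returns (cracked accounts, number of digest evaluations).
    """
    lookup = {sha1_hex(w): w for w in wordlist}
    cracked = {user: lookup[h] for user, h in store.items() if h in lookup}
    return cracked, len(lookup)


def crack_salted(store, wordlist):
    """Same attack on the salted store: no shared lookup table is possible, so every
    (account, word) pair costs a full PBKDF2 run of ITERATIONS rounds.
    Returns (cracked accounts, number of PBKDF2 evaluations)."""
    cracked, evaluations = {}, 0
    for user, record in store.items():
        for word in wordlist:
            evaluations += 1
            if verify_salted(record, word):
                cracked[user] = word
                break  # move on to the next account once this one falls
    return cracked, evaluations


def audit_built_in_accounts(store, verify, candidates=WORDLIST):
    """The check behind 'change the admin and demoadmin passwords': report built-in
    accounts that still accept a password from the candidate list."""
    return sorted(
        user for user in BUILT_IN_ACCOUNTS
        if user in store and any(verify(store[user], c) for c in candidates)
    )


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(LEGACY_STORE, WORDLIST))
    print("salted:  ", crack_salted(SALTED_STORE, WORDLIST))
    print("audit:   ", audit_built_in_accounts(LEGACY_STORE, verify_unsalted))
```

Salting does not rescue the two built-in accounts here: a weak password still falls to the wordlist, which is why the audit reports them under either storage scheme. What the salt and iteration count buy is that the attacker can no longer amortize one hash table across the whole user base, so each additional account costs the full wordlist again, and the strong password on alice stays out of reach.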