� Kingdom of Heaven | Main | Sony DRM gone astray �

November 12, 2005

Public facing calendars

I manage websites for two non-profit organizations as well as my own. It is customary for any relatively large organization to inform users and staff members of events via a calendaring system. As most of you know I am a fervent supporter of Open Source tools, especially the LAMP variety. However, I've not had very much success with obtaining a solution that is impervious to malicious bandits. Although, I fancy myself as a fairly competent sys-admin, I must trust that the developers of these useful scripts have taken every effort to close holes in their products. People have told me that I'll always have problems of this sort, if I continue to use open source tools. However, I disagree. I know that the community has and can do better. Hell, if an operating system kernel has thousands of lines of code (ie Linux), and does an excellent job of patching security vulnerabilities. I would imagine the same could be done with relatively simple calendar scripts. Perhaps there is a dearth of eyesballs on the code. Who knows?? Bottom line is we must do better.

I submit that I'm not the best Perl or PHP guy, but I'm clear that in two instances, the developers of these calendars chose ease of use over security as part of their systems engineering roadmap.

Certainly a dangerous trade-off. As a result, both calendars (PHP || Perl) were compromised and I was then forced to take down both calendars. It seems that the grey hats , were keenly interested in setting up E-Bay storefronts and IRC servers. Luckily, we don't maintain anything that has any monetary value on that server. Additionally, neither attempt exposed root access. My datacenter monitors bandwidth use quite closely, so the accts were closed in short order. Nonetheless, it's pretty embarrassing and forensics are very time consuming.

I'll eventually restore the calendars, but not after I've chastised the developers for not applying patches early and often. An easy solution would be for these guys to install an RSS feed to alert users of new patches and potential vulnerabilities.

Update:Actually, one of the developers has recently setup a blog with an RSS feed. I think he gets it.

Posted by AG at November 12, 2005 9:28 AM