Any PowerDNN users?
New Post
5/21/2008 4:08 PM
 

Tony,

There are at least 5 different people who monitor the security@dotnetnuke.com email with 24-hour coverage. In fact I know that I have special rules set up in Outlook just to isolate any email coming into that account so that it can be handled in a timely manner. You have had time to find the bug, isolate the bug, create a patch for the bug, create a security scanner, make a page and marketing material about the security scanner and make numerous posts about the bug and yet you haven't had time to resend an email that you claim to have sent 2 days ago - or to IM any one of us, whom you've IM'd dozens of times in the past?


Joe Brinkman
DNN Corp.
 
New Post
5/21/2008 4:15 PM
 

Bill - Again, I think for the third time, our customers are primarily businesses who are running staging and production environments. Many of these customers even have development departments within their organizations that develop locally and push live versions to PowerDNN. It is our responsibility to notify them of this change or else they would be unprotected the next time they pushed a new site live. If you noticed, this thread was started by one of our customers who had received this e-mail. I would not look into it as anything more than that, and to do so would be foolish given our circumstances.

Every word in our testimonials is directly from our clients. Periodically clients send us testimonials, which is very nice of them. We try to get every testimonial sent to us published on the website. Andy Graves had many problems with DNN early on and we helped him get a lot of things ironed out. We are specifically a DNN specialist, and every person on our staff has a passion for the framework that all of us on this forum love.

I think that there were some miscommunications, and we should have pushed information out in a slightly different manner. But there was never any ill will, or any sort of mal intent associated with discovering, and patching an issue that affected over 5,000 domains we host. Being a hosting and service provider we are in a very unique position to many others in that we are responsible for an extremely large number of DNN sites with varying levels of service agreements. All of our clients expect to be getting the best from PowerDNN and it's our responsibility to give it to them. This has been very far from a "fear-based marketing attack", no e-mails were sent to anyone except our own customers, that's not marketing that's communication.

 
New Post
5/21/2008 4:18 PM
 

So.... As of right now (1:15 PST), has the core team received the information on the bug / security issue?

 
New Post
5/21/2008 4:22 PM
 

The behavior of the PowerDNN people is typical of the YouTube generation, they are probably very proud of generating all this "free" publicity and/or buzz, whether good or bad. It is also typical of "security analysts" to make these maneuvers just to be able to say that they uncovered a vulnerability in a major product. They are probably celebrating and watching everybody being so scared while they prepare their press releases and case studies. They forgot that DNN is an open source project and did not act in good faith to actually help the Core Team and the community in general, that would have looked a lot better and would have scored major points for them.

But they don't really care about the community, they are just interested in the buzz.

And they should take the scanning tool off-line, anybody can capture its traffic and see what it is that it is looking for in the so called vulnerability.

Carlos

 

 
New Post
5/21/2008 4:28 PM
 

Tony Valenti wrote

In regards to the blast email to our customers, in all circumstances, our customers are our first priority and we needed to notify them that we were making critical updates to their site so that they would not overwrite our patches with a development version of their website.

None of your customers, like anyone else, was aware of the issue. Nothing would have happened if you would have been quiet some more days.
By fixing the bug and spreading the news, you provided enough information so that every one of your customers is now able to turn the fix into a weapon by reverse engineering. One single black sheep would be enough. At the same time, the community outside is more or less helpless.

 