New Post
5/23/2008 12:38 PM
 

I can't freeze this post, but I would strongly recommend everybody stick to the thread (URL below) for further comment, to save everybody repeating themselves:

http://www.dotnetnuke.com/Community/Forums/tabid/795/forumid/118/threadid/228767/scope/posts/Default.aspx



Alex Shirley


 
New Post
5/23/2008 12:52 PM
 

Joe Brinkman wrote

Also, because these vulnerabilities have existed for a couple of years there was no reason to create a panic in the community.  Prior to this there is no evidence that anyone had discovered much less exploited these vulnerabilities even though numerous audits by professional security organizations and governments had been performed.  Delaying notification until the DotNetNuke team had a chance to create a patch would not have jeopardized their own customers and would have kept the rest of the community safe until a permanent fix could have been distributed.

Just to emphasise Joe's point here - the two issues identified by PowerDNN have existed for (1) 18 months at least and (2) since September 2004, and have NOT ever been reported as being used to target a site.

Therefore the case that this "panic" was necessary is spurious - it could have been fixed within 24-48 hrs without raising this panic if PowerDNN had followed normal industry-standard security practices.

No-one here is saying that PowerDNN's service is not excellent - Ed is obviously happy with his service - and his testimonial is front and center on their home page. 

The issue here is the unprofessional response shown by PowerDNN in panicking the community with:

  1. an unnecessary email blast to its clients 24 hrs before releasing the information to the Security alias - it's the timing that is the problem - taking advantage of the issue before reporting it through the appropriate channels
  2. a blatant (at least to many people on these forums) attempt to make money from the community with the Security Scanner tool and
  3. the Press Release mentioned above - which was not necessary and again promotes PowerDNN as being the white knight that saved DotNetNuke, rather than the Company that caused the scare.

I have attempted to give them the benefit of the doubt - as you can see by my comments on other threads, but so far PowerDNN have done nothing to justify that and my respect for them is fast disappearing.

Tony has my IM and has not been reluctant to use it when he wants me to provide him with free advice - the least he could have done would have been to IM me and let me know they had found an issue.


Charles Nurse
Chief Architect
Evoq Content Team Lead,
DNN Corp.

MVP (ASP.NET) and
ASPInsiders Member
 
New Post
5/23/2008 1:17 PM
 

PowerDNN is not greedy for money, $20.00 a pop is not going to make anybody rich, but their greed for PR severely clouded their judgement...

The need for fame and recognition is what got them...

Interesting case, who's gonna put together the case study/article/press release on how NOT to handle a zero-day vulnerability finding???

They are going to be known and famous after all...

 

 

 
New Post
5/23/2008 1:28 PM
 

Carlos,

  The article on how to handle the issue was already posted 2 days ago - http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/1839/Default.aspx


Joe Brinkman
DNN Corp.
 
New Post
5/23/2008 1:28 PM
 

Ed DeGagne wrote

The unprofessionalism of a public "lynching" by the original poster (and a few others) astounds me to no end.

I've been a customer of PowerDNN since their inception and have not had one single issue with the way they handle their end of the business. I am actually quite proud to have them "watching my back" instead of being an absentee landlord as a hoster.

I have to stand behind Mr DeGagne here.

I too have sites with PowerDNN and that occurred after using numerous unreputable hosting companies who didn't live up to their promises.

I don't exaggerate when I say that, at least in my case, PowerDNN has never come short of their claims. Further, they have on several occasions gone out of their way to help.

On other occasions where there was something outside their services, I was able to pay them VERY reasonable fees to deal with issues and that resulted in me being much more effective. Other hosting providers might not have done it at all, couldn't be trusted to do it, or would have charged ridiculous rates. I cannot emphasize how valuable this has been to me.

I have to wonder if some of these hit posts which attack PowerDNN in these forums are generated by other hosting providers.

Joe

 