Question: Am I Safe Recommending Joomla To My Clients?

On 10/13/10 5:29 PM, A. wrote:

Hi Glenn,

One of my clients had their site hacked over the weekend (in-house server). This is what their server manager had to say about it. Do you share this opinion? Am I putting my clients at risk by recommending these programs?

A.


You should be aware that there are a couple of major security problems with Joomla/PHP/MySQL, and it's probably just a matter of time until the hacking happens again. We can change the backup method to keep the content more up to date and just rebuild the server each time it gets hacked, but over time that will be pretty expensive, I suspect.


Hi A. –

Of course you know I smile when I read that.

Here are the issues:

MySQL:
Yep, open source, but also yep, managed by a company with a vested interest (Sun) and incidentally owned by Oracle.
Yes, there are potential security issues, especially with older versions (4.x).
No, it is in no way less secure than Microsoft SQL Server, if that’s what he’s arguing.
Here I really smile because I’m more than happy to demonstrate exactly that to your client.
If you really want an iron-clad database, get Oracle and pay for the support. It’ll be worth it if you’re Amazon.com, and less so if you’re smaller.

PHP:
Okay, I’ll call that bluff: name specifically which issues he’s talking about. Because:
What is the preferred alternative? If not open source (PHP, Python [which are the languages Amazon and Google are built on, by the way], Ruby/Rails, etc.) then “closed-source,” meaning either a .NET or pure Java implementation.
Java? Got aeons to develop your software?
.NET? Secure? Are you really serious?
Nope, there are no secure languages, only good programmers. One has to choose: the closed model of Microsoft or the peer-reviewed model of all academia, the scientific community, and open-source languages.

Joomla:
Yessirreebob, Joomla has vulnerabilities. ALL frameworks do.
Your responsibility to your clients is to keep their Joomla sites patched to the current version. I grind my teeth at keeping my own site up to date, but it’s something you’ve gotta do.
My ISP kindly warns me to update if I get too far behind, but frankly, it’s a laughably easy process – built right into the menu system!

So no: you are not irresponsibly endangering clients by recommending Joomla, no more so than you would be with any other platform.
You are, of course, pointing out to them that they’re choosing a free alternative, and they have every right to choose to pay.
But read a Microsoft EULA some time: they strictly repudiate any indemnity for suitability of software, security, financial loss or anything and everything else. So you certainly have no legal recourse against them.
Then read the papers: this virus, that exploit, this cool SQL hack. Does anyone really believe Microsoft’s products *are the most secure?*

Since you ask for my opinion, this is it, with all the usual caveats, namely, anyone can exploit human nature to defeat security.
How, exactly, was their Joomla site hacked?
The most common exploit is this: an administrative assistant receives an official-looking email saying they have submitted a password change; could they please click here to accept it?
90% of AAs will click.
This is not a Joomla exploit, this is a human exploit.
Just curious...

By the way, your sysadmin could take an image of the server (Ghost) and restore it in minutes. That’s a standard practice I recommend to all my clients. Not keeping server images costs many, many hours when restoration is necessary. Just saying.

Hope this is useful –
Glenn
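The "please click here to accept your password change" lure Glenn describes is a link-level problem: the visible text or the surrounding wording promises one thing, the href goes somewhere else. The script below is an added example, not code from the thread or from Joomla; it pulls every anchor out of an HTML email body, checks each link's host against a list of domains the client actually owns (the "example.com" list and both sample emails are constructed for this example), flags links whose displayed text names a different host than the one they resolve to, and flags the stock lure phrases. It is the kind of check a mail filter or a help-desk triage script can run before an administrative assistant ever sees the message.

```python
"""Triage an HTML email for password-change phishing lures (added example).

Assumptions (not from the original thread):
  - TRUSTED_DOMAINS lists the domains the organisation really uses.
  - The two sample messages are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the client's real domain(s). Anything else is untrusted.
TRUSTED_DOMAINS = ["example.com"]

# Constructed lure: looks official, links elsewhere, and "example.com" as
# visible text actually points at a look-alike host.
SAMPLE_PHISH = """<html><body>
<p>Dear Administrator,</p>
<p>We received a request to change the password for your Joomla
administrator account. Please
<a href="http://admin.example-login.net/joomla/reset">click here</a>
to accept this change, or visit
<a href="http://example.com.account-verify.net/cancel">example.com</a>
to cancel it.</p>
</body></html>"""

# Constructed benign notice: same topic, links only to the real domain.
SAMPLE_LEGIT = """<p>Your password was changed. If this was not you, log in at
<a href="https://www.example.com/administrator/">https://www.example.com/administrator/</a>
and contact the help desk.</p>"""

LURE_PHRASES = ("password change", "click here", "verify your account",
                "reset your password")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def looks_like_url(text):
    """True if the visible anchor text itself reads as a URL or hostname."""
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?",
                        text.strip(), re.I) is not None


def host_of(url):
    """Lower-cased hostname of a URL; bare hostnames get a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host, trusted_domains):
    # Exact match or a real subdomain; "example.com.evil.net" must NOT pass.
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def analyze_email(html, trusted_domains):
    """Return a list of human-readable findings; empty list means clean."""
    findings = []
    for href, text in extract_links(html):
        host = host_of(href)
        if not is_trusted(host, trusted_domains):
            findings.append(f"link to untrusted host {host!r} (text: {text!r})")
        if looks_like_url(text) and host_of(text) != host:
            findings.append(f"text shows {host_of(text)!r} but link goes to {host!r}")
    plain = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html)).lower()
    for phrase in LURE_PHRASES:
        if phrase in plain:
            findings.append(f"lure phrase present: {phrase!r}")
    return findings


if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze_email(body, TRUSTED_DOMAINS) or "clean")
```

The trusted-domain test is deliberately a suffix match on a dot boundary, so a look-alike such as `example.com.account-verify.net` is reported as untrusted even though it starts with the real domain; that is the trick most of these lures rely on.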