[HacktionLab] Drupocalypse v3 Can it ever stop
Mike Harris
mike.harris at xtreamlab.net
Mon Apr 30 10:50:01 UTC 2018
On 2018-04-27 11:11, naomi wrote:
> I agree, Clara.
>
> Drupal is extremely useful if you have a site of any complexity.
>
> Any continually evolving, web-facing application with a huge user base
> is going to be constantly targeted by hackers. The fact that Drupal has
> a lot of security updates doesn't mean it is worse than other similar
> applications - it means it is better, because it means it is being
> looked after.
>
> Babies and bathwater, woods and trees, tha knows
flogging and dead horses as well? :P
>
> N
>
>
> On 27/04/18 12:24, clara wrote:
>> Hi,
>>
>> The reason why two security updates came after each other like that was
>> in fact to protect those sites that would be patched straight away.
>>
>> The security team could have straight away made a patch that would have
>> fixed everything - but that would also directly point to the vulnerability.
>> When they released the first patch, the issue was something that could
>> be exploited - but for which (as far as they knew) there weren't any
>> exploits out.
>> And when an exploit came out they straight away released the second
>> patch.
>> So that means sites where the maintainers are swamped with work got an
>> extra 3 weeks that kept them safer.
>>
>> The problem is not Drupal - it's the fact that any dynamically generated
>> site does need maintenance.
>> Even with Wordpress' auto-update, there are still plenty of Wordpress
>> sites that are now hacked to mine bitcoins.
>>
>> If somebody doesn't have time or money to ensure that their site is
>> updated then there are several options.
>>
>> 1) Ask yourself before you build the site what you actually need and
>> what you can maintain or have somebody else maintain for you. If you
>> can't have it maintained and don't need the functionality, then don't use
>> a dynamically generated site (neither Drupal, nor Wordpress nor anything
>> like that); use a static site generator.
>>
>> 2) Use shared hosting like the Mayfirst collective, or Pantheon or so if
>> you want it more commercial. They usually provide the core updates.
>>
>> 3) Pay for a service that does the updates. Dropguard costs about 9€ a
>> month to do that, and there are some others as well. Don't expect others
>> to save you and your site out of the goodness of their heart - at least
>> not repeatedly or without having agreed on that.
>>
>> And the point that interests me most:
>>
>> 4) Build a network to share the skills and the work. I could have easily
>> patched a few more sites while I was on it. And I would also be happy to
>> know that there are trusted people around who have the needed access to
>> a machine in case I'm travelling on Wednesday.
>>
>> In solidarity
>> clara
>>
>>
>> _______________________________________________
>> HacktionLab mailing list
>> HacktionLab at lists.aktivix.org
>> https://lists.aktivix.org/mailman/listinfo/hacktionlab
>
>
--
Mike Harris
XtreamLab Internet Services Limited
w: https://xtreamlab.net
t: +44 7811 671 893
0: https://mbharris.co.uk/keys/pgp.html