Well, I was doing my best to ignore the personal attacks from Mr. Horn. However, today he pointed out "security holes" in BlogCFC. I want to make sure my users are aware that not one single thing he pointed out was true. I'm sure he wrote his post in attempt to help others, and not as a personal attack. I'm sure he isn't the one behind all the foul mouthed blog comments recently. Anyway, let's take a look at what he says:
Anyone who wants to gain access to YOUR Blog (assuming you are STUPID enough to actually use BlogCFC) simply by using the built-in HACKER's interface as-designed by the original author "Ray Camden".
Err.... why is my name in quotes? Am I a concept now? Am I a movement? Anyway...
I have been working on locking-down my Blog and I am STUPID enough to use BlogCFC and wouldn't you know it... Somebody has been hacking into my Blog as Admin placing unwanted TrackBacks into my Blog.
The fact that trackbacks show up on your blog implies that you did not read the manual. The docs clearly say the proper way to turn off trackbacks is to use the allowtrackbacks option in the blog.ini file. I'd be willing to bet Mr. Horn simply added a cfabort to the trackbacks.cfm file - and probably after the form submission. Therefore nothing is stopping the form submission.
(1). The file named blog.cfc was coded with a lot of definitions that allow "remote" access. Why ? Because coding CFC functions this way allows for remote access such as a HACKER might wish to use to gain access to someone else's Blog as Admin. There is no reason to code CFC functions this way otherwise.
"Remote" does not equal "Hacker." Remote access can be a security risk if you are not careful. If you actually looked at the code you would have noticed two things:
a) The methods that add, delete, or modify blog entries carry the roles attribute. Even if you invoke these methods remotely you will be blocked, since the request is not authenticated in the admin role.
b) BlogCFC doesn't work remotely at all. This is a bug - but one I've ignored since folks haven't asked for it. It can't work because all the settings (DSN, etc.) are assigned in the init method, and a remote invocation never calls init. Therefore BlogCFC only works locally, as the result of a createObject call.
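To make points a) and b) concrete, here is an added illustrative component (not BlogCFC's own code; the component, table and column names are assumed) showing a read-only method exposed on purpose, a mutating method gated by roles="admin", and a DSN that only exists when init() has been called through createObject:

```cfml
<!--- blogish.cfc: illustrative component, assumed names, not BlogCFC's code --->
<cfcomponent>

    <!--- init() runs only when the CFC is created with createObject() and
          init() is called explicitly. A direct URL invocation such as
          blogish.cfc?method=getEntries instantiates the CFC without init(),
          so variables.dsn is never set and the queries below error out. --->
    <cffunction name="init" access="public" returntype="any">
        <cfargument name="dsn" type="string" required="true">
        <cfset variables.dsn = arguments.dsn>
        <cfreturn this>
    </cffunction>

    <!--- Read-only method: exposing this remotely is a deliberate choice,
          because it reveals nothing the public blog pages do not already show. --->
    <cffunction name="getEntries" access="remote" returntype="query">
        <cfset var q = "">
        <cfquery name="q" datasource="#variables.dsn#">
            SELECT id, title, posted FROM entries ORDER BY posted DESC
        </cfquery>
        <cfreturn q>
    </cffunction>

    <!--- Mutating method: roles="admin" makes ColdFusion refuse to run the
          function unless the current request was authenticated with
          cfloginuser (inside a cflogin block, normally in Application.cfm)
          and that user was granted the "admin" role. An unauthenticated
          remote call throws before the function body executes. --->
    <cffunction name="addEntry" access="remote" roles="admin" returntype="void">
        <cfargument name="title" type="string" required="true">
        <cfargument name="body" type="string" required="true">
        <cfquery datasource="#variables.dsn#">
            INSERT INTO entries (title, body, posted)
            VALUES (
                <cfqueryparam value="#arguments.title#" cfsqltype="cf_sql_varchar">,
                <cfqueryparam value="#arguments.body#" cfsqltype="cf_sql_longvarchar">,
                <cfqueryparam value="#now()#" cfsqltype="cf_sql_timestamp">
            )
        </cfquery>
    </cffunction>

</cfcomponent>
```

The roles attribute is only as strong as the cflogin/cfloginuser logic that assigns the role, so that block is the place to audit when locking down an install.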
(2). The file named blog.cfc was coded to allow anyone who has access using (1) to SPOOF as Admin because the Administrative functions do NOT disallow access when the user is not in the Administrative Role. This means anyone who has the source code can SPOOF as Admin to do anything they desire in your Blog.
Um. So the fact that I used a file named blog.cfc is a security hole? Not quite sure about that. Every single admin function (adding, editing, deleting content) requires the admin role. If you do not believe this, please try to hack my blog. Go ahead. Hey, maybe you will find something. Great. I'll fix it, and will be sure the fix goes into source and is released. I will not charge people for it.
(3). Even when the GUI has been locked-down a HACKER who has the source code for BlogCFC can still gain access to YOUR Blog to do whatever they desire.
Go ahead. You have access. Be my guest. I do not pretend to be perfect. I am far from perfect. Look at my "big" releases and how quickly I follow them up with fixes. That being said, I am fairly certain this blog cannot be hacked.
(4). Ray Camden designed BlogCFC in this manner to allow him or his supporters to control every single site that uses BlogCFC remotely. If you wish to deny this then look at the source code very carefully and then YOU decide on your own.
Also - aliens landed in Roswell, Bigfoot roams the forests, and Bush actually won the election. (Sorry, couldn't resist.) You are absolutely right - BlogCFC is all part of my plan to take over the world.
(5). This IS the problem with Open Source Code - it is far too easy for the Author to quietly code-in backdoors and spoofing channels others can use to gain access to whatever they wish.
Um - right - since the code is open and can be read by anyone. Didn't you encrypt the mods you made to BlogCFC?
I will refuse to make this argument personal. You may attack me as much as you want. If anyone has any questions about Mr. Horn's allegations, please comment here. If anyone finds a security hole, please let me know and I will get it fixed and patched asap. Maybe then we can move on?
Archived Comments
Ray, I don't think anyone seriously believes for a second that you wrote some form of malicious code and gave it away in some kind of evil plot. Rather, these kinds of remarks are just intended to stir up trouble. My advice is to simply ignore it.
Best,
Chris
Well, as you see, I responded to his TECHNICAL things mainly, and blew off the paranoid/personal attacks. My concern is with my users (blogcfc users). I want them to feel safe. I'm not too concerned about defending myself. The funny thing is - I have not once attacked him. Ever. Others did and he blames me for that since apparently I have cronies.
If it was so bad, why did he start using it in the first place?
Best part of it was $100 bucks to get the list of problems and $200 to fix them.
This IS the GREAT thing about open source code! If there are problems that the author did not notice, folks can make the changes themselves or let the author know about them.
None of us is smarter than all of us
I think your response was entirely appropriate. I didn't know that you have cronies. Can you add a "be a crony" pod to your blog? I want to join!
>> original author "Ray Camden".
>>Err.... why is my name in quotes? Am I a concept now? Am I a >>movement? Anyway...
I stand by my earlier opinion, ninja monkey bots. I'm telling ya...
Ray thanks for the update, but I think it would have gone without saying that no one thinks you have malicious plans. Personally I can't believe that idiot is still harping about this, all he is doing is digging himself deeper into the hole of being a laughing stock for the entire community. I should take a moment to praise you for your calm responses and even-headedness, because most other people (myself included) would probably have gone ballistic over the absurdity and childishness of his actions and statements. Cheers.
What a jerk! It is quite apparent he did not follow the instructions. Who would pay $100 to get advice from a guy who didn't even read the documentation?? Too funny!
This really jumped out at me: "(5). This IS the problem with Open Source Code - it is far too easy for the Author to quietly code-in backdoors and spoofing channels others can use to gain access to whatever they wish."
Uh, no. One of the things that makes open source great is the ability to examine the code for backdoors and security issues before deploying it. It's closed-source code that seems to have all the security problems lately. Security through obscurity is a very failed strategy. The number of successful hacking attacks/worms on Apache, the world's most widely used web server, approaches zero.
Well, didn't Ray Horn state in a previous comment that he was let go from his last job within weeks of his hire date? If so, it is certainly easy to see why. In less than one week, he has demonstrated an intentional lack of ethics... he has demonstrated that he has no understanding of open source software... and he has shown us a very poor, child-like attitude (which is extra sad, because if he has truly been working in the field for 30 years, this makes him what... a 45-55 year old man behaving like a toddler?)
And now... for someone who claims to have 30 years of experience under his belt... he has proven that his programming skills are sorely lacking. I mean, first to not RTFM... but then to admit he attempted to lock down his journal and failed?? Not someone I'd want on my dev team! Eek!
Uh oh Ray!
Watch your back matey, mr horn will be suing you for loss of earnings because you gave away his "Secret sauce" for free!
I would like to point out this though
" For a $200 donation you get compiled CF Code that contains all the lock-downs already installed."
I do believe this becomes a violation of your new license mr ray!
Well, only if he downloads the new version.
I am glad I don't have to work with someone like Mr Horn. His scruples and attitude seem to suck.
As someone else that provides (codes) open source software, I salute all the work you are doing.
MD
>Others did and he blames me for that since apparently I have cronies.
How does one sign-up to be a Camden Crony? I want to be one... do we get free t-shirts?
Wow, this guy is something else. Can't create anything useful on his own so he has to bash what other people have done. He even accuses you of extortion and he's the one charging for "fixes". Rabid seems to be an apt description.
I wonder if he is releasing code (ok, 'selling code') based on the 'broken' blogCFC release. What a maroon.
BTW, aren't the statements considered libel and slander?
Nice work Ray! I'm surprised it took so long for such an intelligent programmer as Captain Horn to figure out your evil plans! I met with Joe and Paul this evening, and we will all be doing some more work to obfuscate our evil remote methods, as we have a standardized api worked out. Soon ModelGlue, Tartan, Fusebox, ColdSpring, Reactor and Transfer will also contain the malicious world domination code we all planned on from the start! Soon the internet will be dragged to its knees as the evil open source coldfusion movement finally unleashes the crippling ultra-destructive combined FrameWork of DOOM!! on the unsuspecting masses!
(BTW, I hope that posting that here doesn't ruin our plans...)
Ray, to be honest I don't even think you need to respond to this guy's technical assault on your code. I'm fairly certain that any rational person that reads your blog (and his, of course) will realize he's off the deep end. His arguments make no sense, his writing style wears me out, he's obviously trying to draw you into an immature mud slinging match, and he has an unholy love affair with JavaScript. In short, the dude is a few french fries short of a happy meal.
I don't know how I'd react in your position, but it would probably sound like this: "Tony, sic your ninja monkey bots on that mo-fo!" I give you props for having more restraint than I do.
Seth, you should see the numerous private emails he has sent. I do not reply to them. In this case, however, I was worried that some of my users, who may not be very CF-savvy but still use the software, may not understand that his arguments are bunk.
Seriously Ray, I wouldn't be too concerned about non-CF people using the software. I'd guess 95% of the people using it that don't know CF are probably still tech-savvy and would doubt someone would put a security 'hole' the size that 'the other' claims in a blog. The other 5% probably would ignore him (and the hole) totally.
Oh, and Seth? Those are *my* ninja monkey bots! Tony (of the weeg clan) can get his own toys!
Mr. Horn is a weird idiot!! If chucklehead from the BMW (Bitchers Moaners Whiners) club can't handle a little bit of ethicality in his work then maybe he should go back to the drawing board and create the next killer CF-Blog himself instead of bitching or ad homineming. Hell, his writing style is so painful to read that I often think he comes across as an uneducated pea-brain who has a hard time double-checking what he types because he can't keep a straight thought and put it to word. Besides all that, since the Real Ray (Camden of course) has made BlogCFC open source El Raycito Falso can go right ahead and try to make it better because he can see the code thanks to El Real Ray. I know of someone else who has a good CF blog for sale and he has java-bited the code so you can't peek under the hood (damn the learning luck!). So, I applaud the Real Ray for keeping it REAL and allowing us to be able to see coding practices and learn from them. Thank you Real Ray. However, I do disagree with you on Bush. But hey, we can agree to disagree agreeably on different topics outside of CF. CF Rocks and YOU, the Real Ray, do too!
With all respect and, truly humbly, best regards,
Tom
Ray: I guess I didn't think there were that many people using the blog that weren't CF developers. I'm sure you did the right thing.
And even though it's amusing to point out the mack-truck sized holes in the arguments of our beloved Ray "Javascript rulez, OSS suxorz" Horn, I think the best thing we as a community can do is ignore the guy and get back to discussing CF. And ninja monkeybots, but that's always appropriate.
Anthony: sorry for the mix-up. As I was posting my comment I actually was thinking "that's weird, Tony usually mentions the weeg clan in his sig... Maybe this Anthony person is someone else".
But then I thought "yeah, but I don't want to have to look through the comments to be sure, so screw it. Besides, I'm running the Anti-Ninja-Monkeybot-Firewall 2000, so who cares if I tick him off by being wrong?"
Man, I'm loving the "ninja monkey bot" phrase. I wonder if ninjamonkeybots.com is taken?
"You are absolutely right - BlogCFC is all part of my plan to take over the world"
So what do you want to do tonight, Brain?
Same thing we do every night, Pinky - try to take over the world with BlogCFC!
This dude is just too funny - Wouldn't it be weird if he started dressing like Ray, growing a beard like Ray and joined a company named MindzEye? This guy is the bizarro Raymond Camden.
That's a lot of smack to talk for someone who has given away a very nice *free* application that has been used by over 100 sites.
It must be worthless garbage. (lol)
From the post, it doesn't seem like this guy even offered his 'solutions' to the problem.
Ray: When you take over the world, can I at least be promised some menial position ?
Well, this is just about the best way to find out the access=remote thing isn't harmful after all.
I just downloaded and installed blogCfc, and was a bit concerned about having the /org folder within the webroot. My concerns grew when I found some functions with access=remote, but my worries turned into laughter while reading this post. Great way to find out it's nothing to worry about!
btw: why do these cffunctions have their access type set to remote, instead of public (or just omitted)? Since it wasn't designed to be accessed remotely, I don't see the use.
Thanks for the great app, I'm more than happy with it!
Paul - well, my thinking at the time was to make methods remote that I thought would make sense, like getEntries. As it stands, I do have a prototype proxy CFC that lets you use the blog via Flex. It isn't ready for primetime, and even then, it won't be using remote methods of blog.cfc, but remote methods of the proxy, but you get the idea.
I read this (Ray Camden's) blog infrequently but it stands out in my mind as a good source for CF information and I have a high opinion of Mr. Camden. When I came across this other Ray's website from a link on the CF exchange site (now run by Adobe I guess) I was really surprised to see Camden being attacked. I came here just to see if there was any reply. I'm glad to see there was one post explaining away all of the "security issues" and "bugs" and no long drawn out argument. Good call taking the high road Mr. Camden. This other Ray is just a jackass, I am now convinced. Anyone ever used his AJAX custom tag? I'm really curious what the hell it might be.
Is this the same Ray Horn that ran Hal-Smalltaker years ago? This SOB ran a hosting operation that was a total sham. He took me for hundreds of dollars and then threatened to sue me for asking for a refund because he sold me useless web space that never worked. This was a long time ago but I will never forget this arrogant piece of crap and the way he tried to belittle me while screwing me out of my money and causing me a serious hardship. If I ever run across him in real life, he's gonna lose some teeth. Dirty Sonofabitch.