Being a bazaar of unabated collaboration, the community included rebels who prefer to hack the system and smite rotten and broken code. Among such hackers was a young punk who, by giving us a single URL string, could hack into any Compiere webstore window, and by definition ADempiere's also, without logging in. Some kiddie easily exposed Jorg Janke's password and took a few snapshots in the closet to prove to others that such a security flaw is real. At that time there were about 33,000 live installations of Compiere worldwide.
Now that shocked us out of our wits, and immediately we had a series of bouts, I mean internal heated debates, about what to do. The hacker school of thought was that, being Eric Raymond's chaotic bazaar and a community open source project as opposed to the commercial one that is Compiere, we had to expose such a serious security flaw without ado. In the words of Linus Torvalds, "show me the code". But the other school of thought, mainly System Integrators and Implementors who seek to protect their end-users' exposed systems, objected in horror.
So we took a vote. Only those two hackers and I said aye. The rest said nay. And so, as leader, I supported the majority under protest: hide such flaws and refer them to a security council first before exploding the device.
We then had a more systematic approach to releasing such timebombs to the world. We decided to inform our sister projects, namely Compiere and OpenBravo. Emissaries (emails) were sent, but Compiere as usual did not take the rebels' cause seriously. Nothing was done about our patch submission to them.
So, in limbo and out of care for the many lives in danger from using a system whose integrity hackers could easily compromise, I had to send a specially encoded message proving that I had seen Jorg Janke with his pants down. A prompt reply came soon after from Kathy Pink thanking me and the rebel for the cause. However, Compiere as usual would not take our patch directly. Instead, based on our patch and our telling them where to look, they created their own version of the patch. Then they announced to their unknowing end-users that they had solved a security breach. Sounds familiar?
So in conclusion, we have to reconcile ourselves to this fact of software life. Are we to treat software as some commercial commodity under patent and greed, or are we to treat it as common knowledge capital shared in the public interest, to remain open and free, with the community supporting it getting the honour and respect they deserve?
Or are we to continue drugging the masses and end-users with paid advertisement that never tells the whole truth and nothing but the truth?
- (Above is a screenshot proving that if your password is obtained, anything can be done, such as logging in as Jorg Janke and reading his email. So. Be afraid. Be very afraid.)
Disclaimer: This is an unpaid public broadcast. No taxpayer money has been used.
Leader's Note: All you smart people out there. Join us, and have fun!
Editor's Note: This article does not reflect the position of the ADempiere Project or the majority of its peace-loving community. Our standard policy is that if any security flaw is discovered, it is discussed on a select email list, solved, and then released with a patch. In the interest of public safety we only declassify certain information when ample notice has travelled far and wide.