Harvard Hack Betrays Joomla! Vulnerabilities?
A Harvard Website was hacked recently, with 125 MB of records stolen and later uploaded to BitTorrent for Peer-to-Peer distribution. gsas.harvard.edu was still down at the time this article was researched (it’s back up now).
The site was a local Joomla installation. A variety of simple Joomla! hacks have been identified and shared around the web in recent weeks. Most of these claimed vulnerabilities exploit weaknesses in 3rd party modules, which exposed some SQL Injection gaps. It is not yet clear whether the Harvard Grad. School of Arts and Sciences site fell victim to such an attack.
According to Calum McLeod of protection experts Cyber-Ark “the Harvard University hack apparently involves the complete site database — allegedly including hidden system files. If the University had used a data encryption system on its most sensitive files, then this systematic site hack would probably not have occurred.”
Although the methods employed by the hacker are not yet known, one popular hackers’ board lists exploits for no fewer than 14 Joomla! components (url on request), all of which have appeared since the beginning of this month (Feb 2008). Popular modules cited as vulnerable include Galeria, Quiz, NeoGallery and a range of _com components. All the listed vulnerabilities were SQL Injection strings or remote SQL Injection attack methods.
SQL Injection is the same attack vector which has also been causing WordPress users heartache lately: the popular WP-Forums module was recently declared vulnerable at WordPress.org owing to its susceptibility to SQL Injection. Don’t worry: the module is on the operating table as we speak, and will doubtless be returned to full health before long.
Note also at the link above that a compulsory update of WordPress has been released to close another security hole. The news follows a spate of recent WordPress hacking incidents, which included a linkspam attack on Al Gore’s CrisisClimate organization.
Ever wondered just how hackers do it? Unfortunately, it’s no big secret. We will shortly bring you a primer on some of the most common methods used to hack web content management systems, including SQL Injection. Stay tuned for more. [Update: We’ve now published the article on common hacking methods.]
NB Prior to press I contacted several members of the Joomla! core team, who were at pains to point out that failing to keep 3rd party modules/plugins up to date is most often to blame for SQL Injection attacks; that the problem is by no means specific to the Joomla! platform; and that it is more properly attributed to individual webmasters.
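As an added illustration, not code from the article or from any Joomla! component, the pattern behind the SQL Injection gaps described above: a request value spliced straight into a query, beside the same lookup with the input filtered and the query parameterized. Python with sqlite3 stands in for the component's PHP/MySQL; the table, column and function names are constructed.

```python
import sqlite3

# Constructed stand-in for a component's content table; names are assumptions.
ROWS = [(1, "public album", 1), (2, "private album", 0), (3, "second public album", 1)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jos_gallery (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO jos_gallery VALUES (?, ?, ?)", ROWS)
    return conn


def unsafe_lookup(conn, request):
    # The flaw class the advisories describe: the raw request value is spliced into
    # the SQL text, so any SQL syntax it carries becomes part of the query.
    sql = ("SELECT title FROM jos_gallery WHERE published = 1 AND id = "
           + request["id"] + " ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def filter_id(raw):
    # Shiflett's "filter your input": accept only a decimal integer, reject the rest.
    if not raw.isdecimal():
        raise ValueError("id must be a positive integer")
    return int(raw)


def safe_lookup(conn, request):
    album_id = filter_id(request["id"])
    # Parameterized query: the value travels separately from the SQL text and
    # therefore cannot alter the query's structure.
    sql = "SELECT title FROM jos_gallery WHERE published = 1 AND id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (album_id,))]


def handle_request(conn, request):
    # What a hardened component does with bad input: refuse it instead of running it.
    try:
        return ("ok", safe_lookup(conn, request))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    db = make_db()
    # Constructed malformed value: the unsafe path returns every row, including the
    # unpublished one, because the AND/OR precedence is rewritten; the filtered path refuses it.
    print(unsafe_lookup(db, {"id": "2 OR 1=1"}))
    print(handle_request(db, {"id": "2 OR 1=1"}))
    print(handle_request(db, {"id": "1"}))
```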
Comments
Amy,
I fail to see any misstatements in this story. Other publications approach the story from angles which make sense to them. We approach it from the angle which makes sense to us - i.e. for me, Joomla! is the story here. This Hacking story came around at the exact time I was researching common hacking methods for another article. It happened to be a Joomla! story. Voila.
I am a firm believer in the Joomla! project, and in Open Source; which products I use whenever possible. Now if we want to have a debate, let's talk about whether the Joomla! project is secure enough? Is there an adequate reporting framework for reporting bugs/vulnerabilities etc.? Is there an adequate facility for letting webmasters know when new versions of modules are released (given that old versions of modules, if they incorporate Web forms, often amount to an open invitation to Web hackers)? Is the core itself adequately protected to common attack vectors? I don't suggest that the project lacks in security. But it's worth talking about.
Believe me: I'm happy to do an article on 'Why Joomla! Security is the Best in OSS'. Or, 'Why Joomla! Security Will Be The Best in OSS in 2009'. Give me the ammunition I need, and I'll be the first to write that article, and I expect CMSWire will be the first to publish that story. But Joomla! team or OSC should not throw the rattle out of the pram the moment someone raises questions about the project. These questions surely are essential to healthy Open Source communities.
Posted by: John Conroy on March 3, 2008 8:48 AM
John -
You did not address my very specific, singular concern. This article seems to insinuate that the Harvard website was cracked. It further insinuates that Joomla! was the cause that allowed the crack.
The Harvard Web site was not cracked.
If you examine the evidence (i.e., the contents of the BitTorrent file) - if you review the other three stories (I provided the links, above) - you will see what happened: an unethical person gained illegal access to a system administrator userid and password. With those keys in hand, that person walked right in the front door to the server.
Once inside, they took a copy of a January backup of a couple of databases: one was Joomla! and the other was a database of personally identifiable contact information. They copied folders of a file server - those files included, but were not limited to, a Joomla! website. The database backups and the copies of the files were zipped up with the username and password used to gain access to the server - and the contents were floated out to the world of BitTorrent. A couple of days later, the media figured out what happened and gave this very account - the one I shared - to the world.
That might not be sexy, John, but that is what happened. It wasn't a Web site crack. It was an illegal use of system administrator credentials.
Regarding your offer for a debate on security matters, I am not interested. Regarding your offer to write a positive story on Joomla! security, I am not asking for that. I am asking that you be fair and accurate in your reporting and that you correct these false insinuations in this article.
To be clear:
1. Do you believe the Harvard server was cracked because of Joomla! vulnerabilities?
2. If so, on what evidence do you stake that claim?
++++++
This morning, you wrote an article entitled "How They Hack Your Website: Overview of Common Techniques." (1) At first, this story appears to be a generic look at XSS and security exploits. And yet, Joomla!'s name is mentioned two times in connection with XSS.
- Your article provides a link that readers can use to find Beta or Release Candidate Joomla! v 1.5 installations which still have vulnerable XSS code.
- Your article provides instructions on how readers can pull the trigger on those sites.
- Your article does not mention any other XSS vulnerabilities for any other open source CMS.
If the "How They Hack Your Website" article is intended to ask "the tough questions no one wants to ask" on XSS exploits, would it not seem reasonable to mention that Drupal 6.1 was released 14 days after Drupal 6.0 (2) because of multiple XSS security vulnerabilities in core (3)?
Shiflett's 2005 PHP Security Guide (4) lists escaping data as critical to Web site security. Shiflett's 2005 article entitled "My Top Two PHP Security Practices" (5) pleads with developers to do these two things, if nothing else: 1) Filter your input and 2) Escape your output.
Failing to do so is a major mistake. And yet, amazing world-class coders fall down. Amazing communities of open source testers miss things. Even after a year of testing. Even during release candidate testing.
Are you telling a fair and unbiased story?
- Will you write an article sharing links where readers can find Beta or Final Drupal 6.0 sites that are vulnerable?
- Will you repeat the instructions you provided in today's "How They Hack Your Website" article describing how readers can attack those sites?
- Would it be a good idea or a bad idea to share those links? Does sharing those links on CMSWire make the world a better place? Are we safer now that innocent people's websites are less vulnerable than before?
++++++
OK. John. Imagine my further surprise to see your article entitled "Preview of "Introducing Acquia" Presentation at DrupalCon" where you share Acquia marketing material and overview their commercial offerings. What happened to your desire for investigative reporting? You bend over so far the other way that your article even *credits* Acquia for having already done what their marketing material indicates they *will* do.
And, I quote from your article: "Updates from the community are tested by Acquia. Vetted adequately, they are then pushed through to Carbon subscribers from network.acquia.com."
John - there *are no Carbon subscribers* yet. There *has been no vetting* yet. What you printed is the marketing material shared by Acquia regarding future plans. Now, I have every confidence that Acquia will follow through with their promises. It is a company built with some of the most intelligent and ethical people in open source - some of whom I even consider friends - and they will do great things.
But, one would hope for a bit more impartiality from a journalist. At least wait until there is *one* Carbon subscriber and there has been one community update vetted and shared before your articles say it is happening.
+++++
Are my concerns starting to make a bit of sense?
+++++
1. http://www.cmswire.com/cms/web-cms/how-they-hack-your-website-overview-of-common-techniques-002339.php
2. http://drupal.org/node/3060/release
3. http://drupal.org/files/sa-2008-018/SA-2008-018-6.0.patch
4. http://shiflett.org/php-security.pdf
5. http://shiflett.org/blog/2005/feb/my-top-two-php-security-practices
6. http://www.cmswire.com/cms/web-cms/preview-of-introducing-acquia-presentation-at-drupalcon-002379.php
On February 18, 2008, these three stories ran:
1 - DevicePedia reported "Harvard Site Hacked and Then Leaked on BitTorrent", indicating someone inappropriately obtained the System Administrator userid and password and accessed a Harvard server, backed up a couple of databases and many files on the server and shared those files and credentials with the world on BitTorrent.
2 - Enigmax on TorrentFreak reported "Harvard Site Hacked and Leaked on BitTorrent" repeating the same message, as above, linking to the torrent on Pirate Bay.
3 - Jeremy Kirk of PCWorld reported the same message in an article entitled "Harvard Site Hacked, Alleged Content Hits BitTorrent" where he gives the same story about system administrator usernames and passwords and points to the file on Pirate Bay.
This is the only article that suggests the compromise was a Joomla! failing. Not a single one of the modules listed in this article is even on the website that was exposed, a fact easily confirmed if one would download the Torrent or look at the site.
Free software is held to strenuous standards and that is a good thing. What is not appreciated, however, is to have to invest limited time and energy focusing on incorrect media stories.
Please correct the misstatements in this article.
1 - http://www.devicepedia.com/security/harvard-site-hacked-and-then-leaked-on-bittorrent.html
2 - http://torrentfreak.com/harvard-website-hacked-080218/
3 - http://www.pcworld.com/article/id,142589/article.html
Posted by: Amy Stephen on March 1, 2008 3:04 PM