Fri 07 Nov 2008 |
Take the easy way out, just blame Joomla!
Written by Brad Baker
Well... another day in the Stupid Section' (Security) of the forum. The cycle still continues though, and it's been a few weeks since I blogged about it, so it's that time again.
First off, WHY oh WHY do people not read the stickies and the forum note in this section? If they did, they would start off with this post and then follow this link to the Security Checklist. Are these links not clear enough? Do people these days, in the modern world, lack the ability to use the big box up the top right - SEARCH?
My personal favorite (insert other word of your choosing) post for today is this one. These people *think* that a feature of Joomla! is an admin password expiry. Instead of bothering to consider that such a feature makes no sense at all, and perhaps entertain the fact that their site and/or host may well have been compromised they claim that we (Support) are hiding something from them.
Anyway... that subject for another day, the one that we, the Joomla! Community should (obligated, must, have to, help me now) be providing free support to people.
Seriously though, have you seen how extensive and well written the Security Checklist is? Is it too hard to find? Perhaps we should close the entire security forum, as these days 99% of the posts come back to 2 things (the same two I have blogged about many times):
1. Users keeping their sites updated/patched and
2. Secure Hosting setup (php5, suphp, among other things).
Are we not doing enough to educate people? Or are the webhosts to blame such as the one spoken of here. Surely it is not too much to expect that users will at least *try* to help themselves before they blame the Joomla! Community? Surely peoples hosting providers have a part to play also in placing the blame in the correct place (usually with the user or the provider) and if need be, learning from it?
Maybe I live in a different world.. or maybe we should just lock all threads in that forum from now on? People don't read the stickies or the notes up the top, what good is it?
Proof there is a problem:
- How to make joomla very secure ?
- User login error linked to security update for 1.5.7
- Hacked By X
- Hacked - Please be merciful
.. actually.. just read the entire forum. I can't find a single thread on the first page that is not down to one of the 2 issues I posted above. I can't find a single thread there either where the user would not have benefitted from using ultra-hidden-blend-into-the-rest-of-the-forum search box.
Now it's time I go and find a drink to calm myself down.
Previous posts of mine:
- Hosting Companies with Joomla Users: Listen up!
- Joomla! Security, do you take it seriously like we do?
- Hosting providers - Isn't it time?
2008-11-07 08:12:05
If you had an audience of 50, you'd need to spend a great deal of effort to get the point across. Now, multiply that audience by 100, 1000 or 10,000. All that brain-numbing repetition starts to feel like government work, doesn't it?
But that's the price you pay when you've got a success on your hands. Ironically, if you all keep doing your jobs right, the parade from the noob-side never ends. And so it goes.
Keep fightin! -JC
2008-11-07 09:07:52
2008-11-07 09:13:28
2008-11-07 10:13:00
I don't think so.
You could have written this post in the forum, in your personal blog, on the wall outside your house.
But writing this kind of things, blaming the users who make the Joomla project as successful as it is, is not something I'd expect from a Core Team Member.
Perhaps you should write something, go to sleep, wake up next morning and re-read what you wrote.
Does anyone agree with me?
2008-11-07 10:42:50
It's all their fault!
2008-11-07 14:33:44
Keep in mind that many of the users that post in the security forum are new Joomla users. When I first started using Joomla and using the forum, it was confusing. I had never used a forum before then. I had the idea that the forum was there to solve my problems so I really did not have to do anything. I often posted a question, but then did not try to find the answer for myself.
This can be aggravating to advanced users. Users need to realize that Joomla is all about the community. Do your share of the work! People are not paid to answer questions, it is a volunteer staff.
In closing, this problem will always be around, you will always get new users, but sadly many people today lack common sense logic (me included, though I am changing that!). There is really nothing you can do except raise the issue.
2008-11-07 15:41:36
I would suggest perhaps a bit more humility and appreciation for folks who DO something, whether "good or bad" in your opinion to try and help all Joomla users.
Thanks.
2008-11-07 15:44:49
Don't ignore the documentation site of Joomla! is one of the most user unfriendly things ever
2008-11-07 20:23:36
2008-11-07 22:03:10
It would help with a more neutral tone. That's all.
2008-11-08 06:26:48
2008-11-08 15:58:51
You CAN'T change a world with few articles. You can't make the world more educated even within few generations!
So - THE SOLUTION - is to improve Joomla "runtime" environment to not to function in insecure conditions. This could be a performance bottle neck, if performed on every web server call. But, surely, there are some place where to put it in. Paranoid setup program, and some infrequent paranoid security checks.
2008-11-08 20:30:36
I am a novice....I have never ever read a book on programing...never paid any attention to programing language until 6 months ago.
Since then I have created over 1000 Joomla websites...and I have NEVER BEEN HACKED...Because...I READ THE JOOMLA STUFF...So for people who complain..
Let me tell them...READ THE POSTS, FORUMS...They are there for a reason...
The developers of Joomla have brought us an invaluable product. If you use it...USE IT PROPERLY...read up and don't be lazy people.
2008-11-08 21:04:37
2008-11-08 21:08:04
Joomla makes it possible, indeed easy, for everyone and his dog to create a website.
This is on the one hand greatly liberating but on the other very dangerous. Naive users don't know how to evaluate their security. They don't understand the importance of keeping Joomla and extensions up-to-date. So until they get hacked they don't consider security. And when they do get hacked they panic.
Now because they are naive they don't know how to evaluate the posts on the security forum and as many of the posts are from other naive users they jump to irrational conclusions.
What would be really cool would be if it were possible to notify the admin when Joomla or any extensions need to be updated. Sadly it's probably too hard to do.
Nick
2008-11-09 03:00:25
I have a personal philosophy about communication. It is always the responsibility of the 'speaker' to make sure s/he is heard. If your audience is hard of hearing, speak up and if they are deaf, learn sign language if you have to.
It's Joomla's responsibility to make sure security holes in THEIR software are applied ASAP. Spend your energy figuring out how to do this and stop wasting your time complaining that your customers are hard of hearing.
Better yet, Brad, perhaps you need some time away from the support end of things. Not everyone is cut out for this type of work!
2008-11-09 06:08:28
like the man said, "But that's the price you pay when you've got a success on your hands. Ironically, if you all keep doing your jobs right, the parade from the noob-side never ends. And so it goes."
2008-11-09 06:36:46
Great point.. I'll remind the JSST to work a bit faster next time. 2 hours and 50 mins is far too slow.
See: http://developer.joomla.org/section-blog/26-coordinator-blog/245-how-joomla-156-came-about.html
BTW I am happy to take flack over this post of mine. I'll learn from it.. but I also perceive there to be serious points that could still be taken on board by people who avail themselves of the free community help that is made available to them.
What I was hoping for though, was more constructive suggestions on how we might be able to help peoples education on this subject further, and perhaps more users like yourselves offering to help in the Security Forum.
Do you want to notify the admin when Joomla is updated? See: http://docs.joomla.org/Security_and_Performance_FAQs#How_can_I_add_the_Joomla.21_Security_Announcements_Feed_to_the_Admin_Control_Panel.3F
2008-11-09 06:48:02
2008-11-09 08:23:57
However, I do not like the arrogant overtones that the core developers blogs have had in recent of times. It is not friendly to call people stupid. Yes venting will make you feel better, but by doing so you will give a negative perception to the Joomla philosophy.
Rather than saying "can't believe how stupid some Joomla user are, they can't even follow instructions", please say something like: "Security is important to us at Joomla and we like to help people keep their Joomla site safe. Here is what you could do to keep your site safe: link"
We are all here to help make the Joomla community a positive place and I feel that you should use some more humility in your blog.
Thanks, Marius
2008-11-09 15:24:53
I guess this post was made in an emotional state. Nevertheless, I understand what you are saying.
Addressing the problem here, is not what you should do. It would be better to come up with a solution. Well, that said. Closing the forum is by far most stupid reaction you can do. As so many people are asking the same questions, it is probably not stupidity on the user side, but somewhere deeper within documentation or navigating the website or something else.
First of all, as I mentioned before in another post. The backend of Joomla should have an option to check if there is an upgrade available. No discussion about that.
Second.... This is not an offense. But the site navigation is crap and could use some work from an interaction designer.
my comment is too long
2008-11-09 15:25:59
Example?
As example, picture a user which is not so technical but managed to install it's Joomla! website. From one day to another there is this "all your base belongs to us" message on his website.
USER: I have been hacked!!!
ACTION: www.joomla.org
USER: The first look at the homepage... Ah, on the bottomright is says security.
ACTION: Click.
SCREEN: "Security Strike Team"
USER: Well this doesn't help me. What's next. Oh, documentation on top.
ACTION: Click.
USER: Great, a Wiki... Well I have been hacked. So let's search for "hack".
SCREEN: "hack-section-table-category-blog"
USER: Yes a page about "hack: section - table, category -blog".
ACTION: Click
USER: NO results again.. pfff, I am getting tired of Joomla! Oh, I see there is this forum too. Let's check it.
ACTION: Click
USER: WOW, there is even a security topic. Let's click it.
ACTION: Click
SCREEN: "Have your site been hacked? READ THIS"...
2008-11-09 15:26:43
USER: GREEEEAAAT, Just what I need.
ACTION: CLICK!
USER: HUH? I will not get much sympathy? Why not?? I just need some HELP. What did I do wrong? Let's post.. Oh, before I post I have to read that link, good.
ACTION: CLICK (again)
SCREEN: [20080902] - Core - Random Number Generation Flaw
USER: WTF... What is this, I don't understand.
ACTION: Close window
SCREEN: Link to checklist
USER: Ok, another link to a checklist? I don't need a checklist!! My site has been hacked so long already, and I have been searching this site more than 5 minutes now and have no solution yet.
ACTION: Let post something "Help my site has been hacked, it says...etc."
SCREEN: Reply post "You're a n00b, read books, topics, bla".
USER: Ok, let's try Drupal.....
Now... let's drink!
2008-11-09 15:36:19
And why do you use wiki for that? Joomla! is a CMS, if it can not deal with its own documentation it is funny.
2008-11-09 23:23:13
Earlier posts pointed out that Joomla is marketed to those who have neither the time nor the inclination to learn how to code websites. If we knew how, we wouldn't need Joomla. Don't make your 'customers' feel stupid or eventually you won't have any and then all your troubles will surely be gone as well.
2008-11-09 23:33:02
Joomla is for me anyway... and awesome DEVELOPMENT PLATFORM, and an end user CMS.
What is happening is that folks with only M$ Office knowledge, think they can build a website. This CAN be fantastic, however it also exposes them to things that some of us take for granted (security etc)...
Therefore, is Joomla's popularity a good thing? Probably, but perhaps we all need to become better at communicating. I for one will put my hand up and say I get frustrated with low end users, and I need to get better at it.
Well done Brad
2008-11-10 02:02:56
If you want to help relieve the workload some people carry and you want to talk to someone about what opportunities are available, feel free to contact me (AmyStephen AT community DOT joomla DOT org.
Or, contact Brad - he is, without a doubt, one of the "foundations" of Joomla! and without him, I'm pretty certain we'd be in sorry shape - and very possibly not using Joomla!, at all. We owe him a great deal.
2008-11-10 03:25:47
But the reality is a few people at Joomla make all the decisions based on their perspective. There isn’t any real open debate in the forums, and sometimes well meaning ideas (and offers for contribution) are even met with hostility. Even the white papers were not decided based on popularity of users but on the priorities of the devs.
2008-11-10 03:26:33
You are intelligent, skilled and able people and you obviously deserve to have the main say in how things are done because you do the most work. But don’t forget that you have a lot of talented, professional users who may have stronger skills in certain areas that you may not. For a big project like Joomla, these skills and viewpoints should be considered closer or equal in value to development. With our help, but absolutely not without…you can keep Joomla at the top.
p.s don't get mad at the beginners. Take a deep breath and challenge yourself (and us) on how to ease the problem. I suggest opening up an ongoing dialog on the subject.
2008-11-10 05:10:38
The first reason is, Joomla! is not a government. It is a technical, geeky, cool, fun project. Freedom and democracy come from governments, not Joomla!.
So, how are decisions made? Mostly, decisions are made by individuals and groups who decide to do something and make it happen.
Judge a free software community on one thing -> Are you able to participate and share your "no strings attached" gift? Anyone who wants to do that and needs help finding a way in - give me a holler. I'll help you get plugged in. So can Brad.
2008-11-10 05:56:38
I'm still listening and trying to learn from this experience. Remember though, I am also like you, just a volunteer. I also assure you, being a Core Team member is far from easy and demands hours and hours of my time EACH DAY.
If anyone has time and wants to make a difference.. please get in touch.. there is always things to do. I challenge you.. jump into that security forum.. see if you can make a difference...
2008-11-10 07:04:51
I just had some ideas for ways you might attract more contribution. I mentioned democracy, but I should have mentioned some sort of semi-democracy was more the idea, possibly with voting on some decisions. But you can take my ideas or leave them. Sorry, I will not contribute when I feel it makes no sense. Just not motivated to make a larger mess. I did offer to help with documentation. That offer still stands, but not in the form of the wiki. As several people point out, it is not helpful either to this problem, nor the challenge of learning Joomla for a beginner.
2008-11-10 14:14:27
I don't mean that one can't find out it's just that if one is unfamiliar there are too many clicks.
A page explaining about the Joomla Administrators Security Checklist and what to do to get help would be really useful. There are scripts to check the integrity of a site and one to record system information. These need to be made better known.
Nick
2008-11-10 15:20:05
2008-11-10 16:39:25
When I click on the Security Center link from Joomla.org the information seems very helpful:
- Security Alerts (please subscribe);
- Helpful Security "How to's";
- Instructions to report possible vulnerabilities
Would you be willing to help work together in a Google Doc or on the Wiki to define improvements that might be helpful? In 1.5.8, you'll see the Bug Squad added information to the Administration panel. Hopefully, that will help too. It is good to have many perspectives so I hope you consider contributing in this way.
2008-11-10 18:44:22
The links that you highlight are not orientated towards new users.
I'm game to attempt to write a comprehensive guide for new users.
Nick
2008-11-10 19:42:08
2008-11-10 23:59:39
When I first found Joomla/Mambo, I was looking for a development platform that once I had finished building the site, my clients (content owners), could manage their site (from the front end ONLY) and update the content.
This was a MASSIVE step forward for me, there was no way I could build such a CMS.
As I have said many times, from my experience MANY of the so-called issues with Joomla, relate to peoples lack of WEB/HOSTING knowledge... which I'm not blaming them for, nor am I saying they need to learn either, rather they need to understand that Joomla is a DEVELOPMENT platform, and therefore they need more skills than JUST how to install Joomla.
Cheers
2008-11-11 10:10:55
2008-11-12 05:27:48
2008-11-12 05:30:52
2008-11-12 05:32:21
I think the main problem here is not finding people to do the work, but a fundamental communication problem between team members coordinating project priorities with non-members, and the willingness to at least discuss outside input in meaningful ways. Personally, I think I’ve tried as much as I can to make a good input, but I just feel like no one’s willing and either ignore…or very oddly…sometimes even get sore about trying to SIMPLY DISCUSS the bigger issues. I’ve been told by a few that I don’t understand open source, but does anyone? I think the jury is still out on exactly what it is...
Peace and happy growing pains everyone
2008-11-12 06:13:52
~ * ~
Unleash it - thank you, again, for your comments. Since you have expertise in the area of helping beginners and since you are able to see areas of concern, please consider contributing solutions that address those problems. Your work would be warmly received. If you prefer not working in the Wiki, someone could help transfer your work to that medium. So, don't let the Wiki, or anything else, stop you from contributing.
2008-11-28 09:18:29
2008-12-03 22:53:38
So, I'd just like to mention a nice alternative to suPHP which might help people convince their hosts to upgrade and tighten security on their servers. It's called MPM-ITK and you can check it out at http://mpm-itk.sesse.net
This works on the Apache-level and might just well be the tad bit more familiar for your server operator, enough for him to give it a whirl if he for some reason dislikes suPHP.
On a sidenote: Why not make the security checklist one of the clearly visible testdata content articles (possibly via RSS)? So that when admins install their new Joomla, the first thing they'll read is the security checklist.. (I think the "whats new in 1.5" is getting old, and this is an easy change that could be done without any fuzz)
Thanks for your continued effort!
Chris
2008-12-26 22:39:53
now where that c&p of Brads Idots checklist....
2009-01-17 21:05:38
And offcourse blame them for thinking this is a reality:
"Since Joomla is so easy to use, as a Web designer or developer, you can quickly build sites for your clients. Then, with a minimal amount of instruction, you can empower your clients to easily manage their own sites themselves."
Now stop writing those ridicoulous self important nerdy crap posts and WARN the bloody noobs before they get to work with your oh so high and mightly bloody CMS.
2009-01-17 21:42:02
2009-01-17 21:48:49
For those who want to learn, I recommend spending time with The Absolute Beginner's Guide to Joomla! at http://docs.joomla.org/Beginners
At the top of that page, you will find a Quick Start to Joomla!. A couple of our GHOP High School kids created what I consider to be the *very best* getting started resource, ever, including several books I have read. The Quick Start PDF and video are at the VERY top of the Beginner's page. It takes about 4 hours and is well worth the time as you will learn to build a fully function Joomla! Web site in the process.
Hats off to Kevin Hayne and Michael Casha, Quick Start authors and Joomla! contributors, extraordinaire.
2009-01-19 11:48:15
I'm a Web designer who's recently created a site for a client that's been recently hacked. I'm going to gloat here and say. I never posted my hack on the forums. I went straight through the checklist. Client's hosting is running PHP4!
The support ticket for PHP update has been submitted to the hosting company. THe system works so dont lose heart. The work of the support team doesn't go unappreciated. There's just a silent mass of people who you never know you helped.
2009-02-16 10:48:31
2009-03-04 18:07:42
2) Tidy up the stickies and links that point to the 'security check lists' and the 'check list' itself as it's very messy, mixed up, all over the place and often not relevant depending on your Joomla version.
These two steps will make it much simpler and more people will follow the check lists and stop asking stupid questions.
2009-09-28 15:12:39
http://docs.joomla.org/Htaccess_examples_(security)
I would suggest a little more explanations in that page...