[SGVLUG] The SGVLUG website -- Mambo-style
Dustin
laurence at alice.caltech.edu
Sat Jul 2 11:10:09 PDT 2005
On Sat, 2 Jul 2005, Tom Emerson wrote:
> > Actually, I'm not sure that's a good idea, mainly because
> > once the world finds out it's there we might have less
> > freedom to test.
>
> Yeah, I thought about that roughly 3 ohmoseconds after I did it
> (when I was posting the above message) but actually you may be
> pretty safe anyway

Still, I'd rather it not be there. I think the mailing list notice is
sufficient. I got a nasty surprise when I installed WordPress and got
comment spam *instantly*. Turns out that WordPress automatically
registers its RSS feed somewhere or other. It was probably intended
to be a blog finder site or something, but its real function is to
provide a convenient central location for the spambots to find new blogs
to hit. So I'm sort of paranoid about how fast you can be found, rational
or not.

Plus I don't much like what I see of Apache's authentication capabilities
(kinda looks like I'd have to create the accounts by hand, no automatic
capability), so I may want to just enable the twiki site without any.
That makes it kinda defenceless.

That version of WordPress also had a pair of vulnerabilities that let them
place spam messages way into the future, *even with comments turned off*,
so literally every posting would get two instant spam comments that were
already in the database, just waiting for a new message to be generated
with the id number they referenced. Took me a while to find out why
comments would appear even when it should have been impossible.

> I noticed that once someone is marked as "admin", they CANNOT
> be demoted -- you have to purge the user entirely. (I suppose
> there is a way to do this directly in the database using a standalone
> query tool, but that could get messy...)

Nah, nothing that complicated. You just have to be superadmin (the "real"
root account) to do it. :-)

> Well, I think we're pretty much monitoring it close enough
> that this is unlikely, and if it should come to pass, you do
> have the right to "pull the plug" without warning (especially
> if the "bozo" is clueful enough to delete the rest of the
> admins so we can't lock him out)

He can't do that entirely, since I can boot him as superadmin. However,
the point wasn't that it couldn't be dealt with, but rather that it would
screw up our testing.

> > [...] I don't mean
> > y'all aren't welcome if you think looking at > 1400 pictures
> > of someone else's baby is fun
>
> Oh, I'm sure there are a few people out there that would think
> of that as "fun"... ;)

Yeah, but I bet you anything you like they're kinda underrepresented among
the subpopulation that belongs to a LUG. :-)

Dustin