
Mossack Fonseca Exposes Unmaintained Open Source CMS Risks - velmu
http://react-etc.net/entry/mossack-fonseca-exposes-unmaintained-open-source-cms-risks
======
timthelion
I think that this article fails to see the main problem, which is the
failure to protect your data from your CMS. Sure, I run wordpress on my VPS,
but my VPS has NO access to my data. My VPS is UNTRUSTED!

-----

One thing that is problematic with the untrusted model is that I also run my
mail server on my VPS. Email is insecure; it is unencrypted as it travels
through the internet. Unfortunately, I cannot do much about that fact. I
should, however, be worrying more about separating my email server from my
wordpress installation than about making sure that my wordpress has no
security flaws. OF COURSE the wordpress could be hacked, even though I always
install updates on time!

~~~
pjc50
_failure to protect your data from your CMS_

How can you do that if the CMS is the place where the data is stored? That's
why people use a CMS after all, to manage content.

~~~
timthelion
OK, your CMS, AKA your blog, should not have the data of tens of thousands of
customers in it...

~~~
pilsetnieks
It's not in this article but in the one about Drupal
([http://drupal.ovh/drupal-panama-papers-leaks-mossack-fonseca](http://drupal.ovh/drupal-panama-papers-leaks-mossack-fonseca)) it
says that they were running a customer portal for the purpose of giving
customers access to those very same documents. So yes, they probably should
have run their Wordpress site and Drupal portal separately, but it wouldn't
have changed anything anyway.

------
fowl2
The fact that the software was Open Source is completely irrelevant, other
than the fact that it means that it was possible to fix it, given resources.

------
Neil44
The only link made between Drupal/Wordpress and the hack is that Mossack used
them, despite the headline's implication.

~~~
blowski
I thought the same - I saw no evidence that WordPress or Drupal were an attack
vector used at any point to get the information. You could say "someone in the
company was using an old kettle, and then they got hacked, so make sure you
get new kettles."

Of _course_ you should be keeping your installation of WordPress/Drupal or
whatever up to date, but it's not obvious how relevant that is to this
conversation.

------
pygy_
s/Open Source CMS/servers exposed to the internet/

The article later makes that point, actually.

> _Not due to the nature of Open Source, but because [these programs have]
> become an interesting target for malicious activities._

~~~
Piskvorrr
...which makes the title clickbait.

------
jkmcf
From many years consulting to both rich and poor startups, they don't want to
pay for maintaining what's been built. Part of that might be how the work is
sold to tech-ignorant business people.

