Bunthan Say

August 05 2011

White Label? The true one.

Recently, I read through some articles which highlighted the concern of hacking a site when the hackers know the source of the site's engine. It could be true that knowing the source could possibly open the site to harm. So far, I don't know whether Anahita has been concerned about this. With a true white label, it could help a lot. Is the Anahita social engine going to have its own white label solution? #anahita #social #networking #engine

James Imani
August 05 2011
True. That's a problem which Joomla has, for example.
The results of hacked websites powered by Anahita are fatal.
Only software without flaws is secure, but which software is coded perfectly?

Interesting topic.
Rastin Mehr
August 07 2011
@Bunthan How would you define a true white label software?
Bunthan Say
August 08 2011
It's quite hard to define a true one, but let me try to define a simple one.

True white label software is software that offers a flexible identity, one that can change from the identity of the software or platform it was created on into something new. It should provide a truly hidden identity. By doing so, it should automatically remove the old and replace it with the new, with the following matters:
1. Remove "powered by xxx" from the title and footer.
2. Remove the "xxx" JavaScript class name, which can be found in all JavaScript and many HTML files.
3. All HTML forms have a security token using a unique name, like $core....
4. All static index placeholder "index.html" files that have a unique phrase associated with xxx should be removed.
5. Any phrases within the AdminCP that contain the product's name will be removed.
6. Remove copyright information related to the company of the software from all JavaScript files.
7. Right-click "view source" should show a blank page or just simple HTML code.

Legend: xxx = the software / joomla / nooku / anahita
Please feel free to add more.
Rastin Mehr
August 08 2011
@Bunthan

1 and 3 are already doable in Anahita.

Questions:

1. Where did you find this list, or did you put it together yourself?
2. Do you know of any open source projects that have implemented this list?
3. Implementing 2, 4, 5, 6, and 7 seems like an effort to achieve security through obscurity, which is known to be a poor type of security to begin with.
James Imani
August 08 2011
Especially aspects 2 and 7: how is it possible to hide the source code?
Your browser needs the source code to download and build your website.
It makes no sense.
And hiding class names also makes no sense, since Anahitapolis distributes the Anahita software to more than one member.


There are 2 or 3 ways to increase your security, but this could be an infringement against Anahitapolis's business model.
Let's see what Rastin and Ash think about it.
Way 1) Remove meta tags!
Way 2) Remove all copyright references from CSS files and JavaScripts.
Way 3) Rename files like anahita.js.

Another way could be that Anahitapolis no longer distributes the Anahita software for free. That way you get more control and monitoring over the people who are using the Anahita software.
I don't think trouble-makers are going to buy a licence.
And as an Anahitapolis member I'm sure Andy, Scott and the others have no intention to hack our sites after analyzing the code. :)

But again here... that's not the business model of Anahitapolis.
I remember the free-as-in-free-beer slogan by Rastin since Anahitapolis.com has existed.
So it's not smart to change the promise.
Rastin Mehr
August 08 2011
Assuming that all of those changes are made by the site owner, they will no longer be able to apply the frequent updates and that becomes a much greater security issue itself.
Rastin Mehr
August 08 2011
@james removing the copyright terms also goes against the GPL:

You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
James Imani
August 08 2011
@Rastin...
What do you mean by "no longer be able to apply the frequent updates"?
You mean if someone removes the copyright, their membership will be terminated?


Another question.
What about removing meta tags?
Also, my template uses CSS overrides where I have my own copyright at the top. So you can't see the Anahita copyrights anymore because they are overwritten. But I don't touch the original files.
What do you think here? A legal gray area?
Rastin Mehr
August 09 2011
@james no, what I meant is that if somebody changes the core files, the next time they get an update their changes get overwritten.

Removing the copyright notice from the code is already an infringement regardless.

It is possible to build a custom template that overrides many of the JS, CSS, and HTML outputs and makes it difficult for someone to guess what technology the site is powered by, but I don't think it will be a 100% thorough effort. There are still core libraries such as anahita.js that need to be used for the software to operate.

In general when you use or derive from somebody else's code, you have to respect their copyright or else it would be both unethical and illegal. If you create your own code from scratch, you can treat it anyhow you like.

Removing the footer copyright notice is perfectly fine. People like to have their own look, feel, and brand.

I personally don't see much value in trying to hide what type of technology is powering the website. As I said security through obscurity is a very poor type of security to begin with. If somebody really wants that, they better develop their own code from scratch rather than using open source. Good security is when you have perfect knowledge about the software's type and source code and still won't be able to crack an installation of it. That is the type of security we would like to aim for.
Bunthan Say
August 09 2011
@Rastin, I compiled it from several readings.
@7, I added my own. Let me draw attention here. I'm not a coder but am learning on the way. Many have addressed the concern that knowing the source makes it easier to hack. So the more we can hide it, the better. Some are concerned about the real names used on the social engine, some are concerned about the platform, like Joomla, where the hackers can log in at the backend, so the coders come up with another security layer. For instance, OSE Security Suite™ from www.opensource-excellence.com has provided a good solution, and I have not been using it. Another example, Jsecure Authentication from www.joomlaserviceprovider.com, also addresses the problem and has a way out.

I have seen that white label has been addressed well by hosting service providers. If you want to become their reseller, they can offer something very unique which presents as if you are the one who created the hosting service. All services and the knowledgebase appear under the name you provided to the main seller. I feel that they have done a good job. And most of all, they fix all the problems and security at the backend, and the reseller just sleeps in peace. So I feel that if the social engine could provide that, it would be awesome, and we would all be happy to buy an annual subscription and only work to get more customers/people/content to use our sites.

@7 I have come across some sites which show only simple HTML code but indeed have a great engine behind them.
Scott Crawford
August 09 2011
I think this is related, but have you had a look at how Magento handles their administrator login? Upon installation you're asked to provide a secret word, and the admin login URL is then based on the secret word. It seemed like it could be easy to implement and had the potential of at least preventing some less sophisticated break-in attempts.
James Imani
August 09 2011
Are you using an Apache server?
Why don't you protect your admin backend via an htaccess password?

Easy and fast. But I'm not sure about the security quality.


@Rastin....
"Good security is when you have perfect knowledge about the software's type and source code and still won't be able to crack an installation of it."

But unfortunately every software is crackable since you give out the source code.
James Imani
August 09 2011
By the way, a group of hackers or crackers announced they would destroy Facebook. Maybe you guys know them. They call themselves "Anonymous".
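The htaccess password protection James suggests above, written out as an added example (not code from the thread or from the Anahita project). It assumes the site lives under $SITE_ROOT with a Joomla-style /administrator backend, keeps the password file outside the web root so it can never be served, and uses openssl to produce an Apache-compatible apr1 hash when htpasswd is not installed.

```shell
#!/bin/sh
# Added example: protect the admin backend with HTTP Basic auth via .htaccess.
# Assumptions (not from the thread): site under $SITE_ROOT, admin backend at
# $SITE_ROOT/administrator, password file kept OUTSIDE the served tree.
set -eu

SITE_ROOT="${SITE_ROOT:-/var/www/example.com/htdocs}"
ADMIN_DIR="$SITE_ROOT/administrator"
PASSWD_FILE="${PASSWD_FILE:-$(dirname "$SITE_ROOT")/.htpasswd-admin}"

# Add or replace one user in the password file. The hash is apr1 (MD5-crypt),
# which every Apache build understands; with apache2-utils installed,
# "htpasswd -B" (bcrypt) is the stronger choice.
add_admin_user() {
  user="$1"; pass="$2"
  hash=$(printf '%s' "$pass" | openssl passwd -apr1 -stdin)
  mkdir -p "$(dirname "$PASSWD_FILE")"
  touch "$PASSWD_FILE"
  grep -v "^$user:" "$PASSWD_FILE" > "$PASSWD_FILE.tmp" || true
  printf '%s:%s\n' "$user" "$hash" >> "$PASSWD_FILE.tmp"
  mv "$PASSWD_FILE.tmp" "$PASSWD_FILE"
  chmod 640 "$PASSWD_FILE"   # readable by the web server group only
}

# Write the .htaccess that demands credentials before anything under
# /administrator is served. Needs "AllowOverride AuthConfig" in httpd.conf.
write_admin_htaccess() {
  mkdir -p "$ADMIN_DIR"
  cat > "$ADMIN_DIR/.htaccess" <<EOF
AuthType Basic
AuthName "Site administration"
AuthUserFile $PASSWD_FILE
Require valid-user
EOF
}

# Sanity check: a password file inside the document root could be downloaded.
passwd_outside_webroot() {
  case "$PASSWD_FILE" in
    "$SITE_ROOT"/*) return 1 ;;
    *) return 0 ;;
  esac
}
```

Basic auth sends the credentials base64-encoded on every request, so the backend must only be reachable over HTTPS; the password prompt is an extra layer in front of the application login, not a replacement for it.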

http://www.businessinsider.com/anonymous-facebook-2011-8
Scott Crawford
August 09 2011
@James - thanks for pointing out .htaccess as an option. There has been some major learning going on in my corner of the world over the last several months.

I can't say that I've ever known anyone introducing themselves as Anonymous, except myself of course.
Could it be interesting to invite a security expert to discuss this further? I am not sure I know one, but there should be someone in this network who knows someone that might know someone. What do you think?
Rastin Mehr
September 09 2011

But unfortunately every software is crackable since you give out the source code

This is what our prof said in the first session of the communication networks class:

"There is no such thing as absolute security, and security by obscurity is the lowest quality form of security."

Security by obscurity sells quite well to business people though, because in the business world a lot of security is done by obscuring and hiding. That means you can still go ahead and build computer security products and services based on that principle, and many will pay for it.