A month ago there was much talk about outdated WordPress and Drupal sites being the cause for the "Panama Papers" leak at Mossack Fonseca. There are plenty of articles that claim this was the reason:

What I have not found is any reference from the Drupal community. The Mossack Fonseca client portal running Drupal is still online, but seems to have been upgraded from the vulnerable version.

Maybe we'll get information later on from investigations - but up until then, search results for "Drupal Panama Papers" leave Drupal as a likely subject for the Mossack Fonseca leak, the largest single incident of exposing private documents to the world.

I was hoping for some reaction on this from the Drupal project leadership on the matter. If not for anything else, then to push awareness of the importance of keeping installations up to date.

Comments

selfuntitled

I too read these stories, and found it interesting (though not surprising) that, given their popularity, both Drupal and Wordpress were implicated.

When I first read this post, my initial reaction was - the Drupal security team and project leadership did make a serious communications push around Drupalgeddon, and you'd need to have been living under a rock to miss the national news stories about it when it came out. I'm much more embarrassed by the fact that we were using mt_rand for pseudorandom number generation than the fact that multiple serious code reviews missed an SQL injection bug. Even without that specific event, if you've got updates enabled on your site, it takes some willful disregard to ignore email updates and big red warnings in the admin interface when core or related modules are vulnerable. It feels like the push to keep your site current is already happening in lots of different ways. Unless you want automatic core and module updates, why bother with another redundant statement about updates, just because we made the news?

Then I think I got your underlying concern.
The audience you're worried about is not the Drupal community, it's the tech press and the non-Drupal world.
This is a concern about the value of the Drupal brand in the public eye when there's several rounds of negative press in the news cycle.

It feels like this doesn't need to be anything big or complex, a statement, probably from the DA, about the Panama Papers -
"Drupal has led the open-source CMS world in security policies and practices. Critical vulnerabilities in Drupal only make the news because they are so rare in comparison to similar systems. That said, a website, like any other tool, must be maintained. While we are concerned to hear that Drupal may have played a role in the Mossack Fonseca leak, we still strongly believe that Drupal offers one of the most secure and enterprise-appropriate CMS solutions in the market today and that no system can stand up to neglect and lack of maintenance... etc"

The other piece - and I'm guessing some of this exists informally, or maybe even formally -
What about a crisis communications team, with some automatic triggers that pull people from regular responsibilities whenever Drupal appears in the national/international media in a negative light, so the voice of Drupal (the DA?) can be a part of these pieces?

@holly.ross I'm sure you're bored right now, it's not like you have a major event coming up /s
That said, if you have a moment, I'd love to hear your thoughts?

Is the DA responsible for preservation and support of the Drupal brand, or is that Dries and Acquia, or is it the Drupal community in general?

holly.ross.drupal

Hi all -

So just to share what we contemplated on our end... Whenever there is a Drupal security issue, we do pull together an ad-hoc crisis communications team. Myself, our CTO Josh, the Association Comms team, and the security team work together to monitor the situation and respond appropriately. We did monitor this closely and ultimately decided that responding directly in the media would not be in our best interest. First - the VAST majority of Panama Papers coverage did not mention Drupal at all. The sites that did mention Drupal did a pretty good job of making it clear that the site had not been patched, and that it was carelessness of the site administrators, not Drupal, that was the problem. Lastly, we can speculate that the un-patched site was the source of the leak, but no one had proved that.

Putting a statement out to the media would likely have made Drupal a bigger part of the story than it needed to be, given that we just don't know if it was an issue or not. In other words, no need to draw negative attention to ourselves. You may have noticed updates from the security team around that time though - they stepped up the calls to make sure your sites were patched!

Hope that makes it clear that we are involved in these situations, and how.

janit

Now that I come to think of it, this is pretty much like the news about how ISIS favors Toyota pickups:

I think it's quite obvious that Drupal and other popular software is used by sinister organisations such as ISIS. This is as clear as the fact that terrorists will use the best available trucks for them. Odds are that the largest manufacturer is the supplier.

Neither Acquia nor Toyota will likely post these cases as references in their marketing... The difference is that Toyota is a single corporation rather than an amalgamation of companies and enthusiasts. This is why Toyota had to respond - even if it was stating the obvious:

“It is impossible for any automaker to control indirect or illegal channels through which our vehicles could be misappropriated, stolen or resold,” Toyota said.


Toyota responds to U.S. inquiry over vehicles being used by ISIS

horncologne

Chris!

Please do not conflate Acquia == Drupal. I encounter this misinformation all the time, especially in the non-Drupal PHP world. Acquia is big and important, but there is much more to Drupal and the community.

In any case, Acquia's CISO also published a response to the Panama situation on Acquia.com, entitled: "The Challenge of Keeping Software Up to Date, and What Happens if You Don't" - It's at https://www.acquia.com/blog/challenge-keeping-software-date-and-what-hap...

If I understand it correctly, Dries owns and defends the Drupal trademark, helped by the Drupal Association and the various national Drupal Associations and official bodies (Drupal Initiative e.V. in Germany, for example).

All of us in the community have an interest in defending the Drupal "brand", but some of us obviously have more reach when doing so :-)

Thanks!

- jam.

selfuntitled

@horncologne Oh, I know Acquia != Drupal. I mentioned Dries, and by extension Acquia, because of his ownership and control over the name and brand. Maybe I could have left Acquia out of this, but the water feels a little muddy for me as he wears two hats, and I don't really think he can take off either cleanly or completely in any given moment.

I hadn't seen Alan's piece, thanks for sharing it - he does make some of the points I was thinking should be covered, but it feels a bit like an ad for Acquia hosting as much as it is a message supporting the Drupal brand overall.

jaypan

"If I understand it correctly, Dries owns and defends the Drupal trademark"

Not always. Drupal.jp has existed for years, and goes against the trademark. It causes me no end of headaches here in Japan due to its existence, since any Japanese company considering Drupal that sees that site immediately drops Drupal as something worth considering.

I even offered to dedicate my company resources to helping Dries find lawyers and whatever else was needed, but he didn't respond to it.