Suggested by Bevan in #2373453: Drupalgeddon project long-term support plans

Constantly remind users that drupalgeddon is not reliable;
The project page already makes this clear.
If drush drugtest was negative (no known signs of compromise), issue a warning "Nevertheless, the website may have been compromised".

Regardless of the drugtest result, issue the warning "Restoring from pre-15 Oct 2014 backups and updating to 7.32+ is the only certain way to secure a publicly accessible website that was vulnerable to SA-CORE-2014-005 (Drupalgeddon)".

Comments

xurizaemon

Title: Avoid suggestion of absolute security » Avoid suggestion of absolute security / improve recommendations
omega8cc

From our experience it should be as short as possible and in absolutely plain English. We have seen people who received a few BOA alerts sent automatically because drupalgeddon discovered the drupaldev/megauser pair created in their site, yet they not only don't delete this user/role, they simply proceed with the site upgrade, or ask for extra explanation, because what we wrote on our website was too hard to understand for them, so they keep enabling the site daily just after BOA disabled their site (daily) with a clearly communicated alert. It is just depressing sometimes... but the conclusion is that we should proceed under the assumption that:

1. People don't read unless you put it at the top and it's ~5 lines max.
2. People who do read, do not really understand the danger anyway.

Yeah, I know this may sound extreme, but because of depressing facts we have seen, I know that the message should be bold enough, and as short as possible.

I would propose to add a disclaimer saying something like this:

WARNING! Please don't trust in results of this test! YOUR SITE IS ALREADY COMPROMISED, unless you have updated or patched it BEFORE Oct 15th, 11pm UTC. This test may only confirm what you already know: YOUR SITE IS HACKED! It can't tell you that you are safe. You are not safe, even if the test couldn't find known exploits. More information: https://www.drupal.org/PSA-2014-003

Bevan

Thanks @omega8cc. Your text was longer than mine, but simpler and clearer. I tried to take the best of both versions in this draft:

WARNING! Do not trust the results of this test. It can not tell if a website is safe even if it did not find exploits.
Unless updated or patched before Oct 15th, 11pm UTC, the website is PROBABLY COMPROMISED.
This test can only confirm what you probably already know: that YOUR WEBSITE IS HACKED.
Restoring from backups and updating to 7.32+ is the only certain recovery. See drupal.org/PSA-2014-003

I think it is probably still too long and complicated.

omega8cc

I agree, it should be less than half of this, or people will skip it with TL;DR.

omega8cc

We link to drupal.org/PSA-2014-003 so we don't need to explain what to do next etc. So maybe just this?

===
WARNING! Do not trust the results of this test!
It can not tell if a website is safe just because it did not find known exploits.
Unless patched before Oct 15, 11pm UTC, the website is probably COMPROMISED!
Now what? Please read: https://www.drupal.org/PSA-2014-003
===