credit where credit is due

[Guest]

I was just going through the showcase shops...

 

I only saw one or two that left the credit in the footer:

 

powered by osCommerce.

 

I think that is sad.

 

I, for one, PROUDLY display the credit.

 

This is not just a reflection on thw wonderful work the core team has done,

but on each of us that is a member of this or ANY other open source project.

[Guest]

That's a very good point that willk has raised.

 

I would certainly like to display the credit code in the footer but the reason not to is quite simple. If I know that a shop is running oscommerce, I have a fair idea how to begin hacking the site/s to glean whatever information I can from it. Not displaying the credit is just an attempt to confuse simple hacking attempts.

 

I always leave credits in source code etc where they are relevant, and I never hide the fact that I am using oscommerce from the people I am developing the site for.

 

I do this for all scripts I use, not just oscommerce. If a script says that the credit must be displayed in a footer and i can see no security reason for not displaying it, then I do. If it says I must display the credit and I can see a security reason not to, I look for another script or write one myself.

 

I for one am extremely grateful for the application, and will always do whatever is possible to help the community in any way shape or form I can.

 

Does anyone else have any reasond for not displaying the powered by oscommerce footer?

[Jan0815]

If a script says that the credit must be displayed in a footer and i can see no security reason for not displaying it, then I do.

 

If a license says you must show the credits and you decide to not do so you will be violating the license.

 

osCommerce is quite secure. We had one(!) issue a few months ago that was solved in 4 hours.

 

The real risk of running osCommerce is the PHP-interpreter. There are known problems with a lot of PHP versions out there and there are a lot of hosting companies that are not willing to update ASAP.

 

Security through obscurity is not a safe method. And to say "I do not show the credits as I am not sure how secure osCommerce is" is showing a slight lack of confidence in our work ;-)

 

It is more a question of intentions. Do you also remove the {Ford, GM, Toyota, ..., Ferrari} logo from your car as you think it would keep thieves from trying to break it?

 

Any trivial hacker will see that you use osCommerce by looking at the URL parameters. You can change all file names, but you can't change all parameters.

 

Conclusion: Hiding the "powered by osCommerce" is your decision. But using security as an argument is not the best possible reason ...

[Guest]

Nah mate, you have misread what i said,

 

Let me have another go at making it clearer,

 

* If a script says I must display a credit, and I think it is safe to do so, then I display the credit.

* If a script says I must display a credit, and I don't think it is safe or a good idea to do so, then I look for another script or write something myself.

 

Also, I am quite happy with the security that oscommerce provides, otherwise I wouldn't use it, recommend it, or customise it for clients. I am also quite confident in the ability of a few "colleagues" to hack it if they felt the need or had the incentive to. I have seen what these guys can do with almost anything, hence I am always quite paranoid regarding anything to do with security.

 

If there was ever a security loophole discovered in osc, then there would most likely be postings and chat all over IRC etc just as you see with any other app, you know the places these guys hang out as well as i do. I wouldn't like to see a security loophole found, and the details of it posted to some of the less morally fibred amongst us.

 

A search using the search engine of your choice for the words "powered by oscommerce" pulls up plenty of sites ready for using any exploit on, I just wouldn't like to see any of mine pop up in the search result.

 

I certainly don't remove the badges from my cars, but if I did own a porsche, (wishful thinking), there is no way known I would be painting a big badge on my garage doors to indicate to a prospecting thief what was parked inside...

 

Once again, thanks for the great app you guys produce, I will continue to recommend, use, and help anyone that asks for it in all respects with osc as I have done for well over 12 months now.