
Closed Thread
 
#46
24 Jul 2007, 21:51
hambil
Join Date: Jun 2004
Real name: Hambil
Originally Posted by Wayne Luke
Wouldn't it be much better for the people involved to do this:

1) Modification is reported with an exploit and it is verified.

2) Staff member puts a "Exploit found" flag on the modification. Within a notes field, the staff member can document the exploit and add any other necessary comments. When they save it, an email is fired off to the Author(s) of the addon.

3) The flag above also puts a notice on the addon and prohibits new users from downloading it until a new version is uploaded by the author. People who have already marked it as installed can still download it but a warning is shown on the first post in nice bright, eye-catching letters. This could also send the email out to users who have installed it. The text of which could be modified to something like:




4) Staff looks at new version, if okay then flag is removed and everyone goes about their merry business.

This would prevent moving addons to the "graveyard", give authors time to fix the problem and not make the exploit available to new users. Current customers can continue to get support. Addon authors keep their work and such, and less work overall for the staff here. Seems like it would be win-win-win all-around.

It seems most of this system is in place. Just a little different way of handling it.
For what it's worth, I would fully support this. Thanks Wayne.
#47
24 Jul 2007, 22:32
-=Sniper=-
Join Date: May 2002
That would be much better, but as the author I still want to have the opportunity to FIX the issue and send the security issue message at the SAME TIME, rather than leaving users waiting for a fix! If I don't update it, yeah, sure, send the message, but the opportunity needs to be there.
#48
24 Jul 2007, 23:08
dsotmoon
Join Date: Jun 2003
I think Wayne should be running things here because his ideas make a lot more sense than what's happening right now.
#49
24 Jul 2007, 23:11
Neal-UK
Join Date: Feb 2004
Real name: Neal
Please leave the install .txt file on graveyarded modifications and a list of files that would have been added to the server and their location.

If it's a file that causes the problem, then removing the plugin alone will not stop the risk, IMO.
__________________
talkGEEK | Burnley Online
#50
24 Jul 2007, 23:12
hambil
Join Date: Jun 2004
Real name: Hambil
Originally Posted by Neal-UK
Please leave the install .txt file on graveyarded modifications and a list of files that would have been added to the server and their location.

If it's a file that causes the problem, then removing the plugin alone will not stop the risk, IMO.
This is true. Not all products 'disable' the way they should - especially if they contain file edits or template edits. Good point.
#51
24 Jul 2007, 23:30
dsotmoon
Join Date: Jun 2003
Originally Posted by hambil
This is true. Not all products 'disable' the way they should - especially if they contain file edits or template edits. Good point.

I have just run into a problem uninstalling one in the graveyard. I uninstalled it, but it left a graphic behind that I now cannot find how to remove; searching for it in the templates does not find it, the thread is locked so I can't ask questions, and it's a hack so vB.com won't support my problem.

Come on vB.org, this was not thought through.
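Neal-UK's point above (a disabled product can leave uploaded files and edited core files in place) and dsotmoon's leftover graphic are the same failure: the admin panel's "uninstall" only reverts what the product XML knows about. The script below is an added example, not code from the thread or from vBulletin.org, that checks a web root for what a graveyarded modification left behind. It assumes a small manifest, built by hand from the mod's install .txt, listing the files the mod uploaded and the core files it edited together with a marker comment the edit inserted; the manifest, file names, marker and the sample web root are all constructed for the example.

```python
"""Check a web root for files and file edits left behind after a
modification was disabled or uninstalled.

Added example, not from the thread. The manifest format, paths and
marker strings are assumptions; build the manifest from the mod's
own install .txt.
"""
import os
import tempfile

# Constructed manifest: (kind, path relative to web root, marker)
#   kind == "upload": the mod told the admin to upload this file
#   kind == "edit":   the mod told the admin to edit this core file and
#                     the edit block is bracketed by the marker comment
MANIFEST = [
    ("upload", "mod_example/mod_example.php", None),
    ("upload", "images/mod_example/icon.gif", None),
    ("edit", "includes/functions.php", "// MOD_EXAMPLE START"),
]


def leftovers(webroot, manifest=MANIFEST):
    """Return [(kind, relative_path)] for every manifest entry that is
    still present: uploaded files that still exist, and core files that
    still contain the mod's edit marker."""
    found = []
    for kind, rel, marker in manifest:
        full = os.path.join(webroot, rel)
        if not os.path.exists(full):
            continue
        if kind == "upload":
            found.append(("file", rel))
        elif kind == "edit":
            with open(full, encoding="utf-8", errors="replace") as fh:
                if marker in fh.read():
                    found.append(("edit", rel))
    return found


def build_sample_webroot():
    """Constructed web root mimicking a site where the product was
    disabled in the admin panel but nothing else was cleaned up: the
    PHP file was deleted by hand, the image and the core-file edit
    were not."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images", "mod_example"))
    os.makedirs(os.path.join(root, "includes"))
    with open(os.path.join(root, "images", "mod_example", "icon.gif"), "wb") as fh:
        fh.write(b"GIF89a")  # constructed placeholder, not a real image
    with open(os.path.join(root, "includes", "functions.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n// MOD_EXAMPLE START\nfunction mod_hook() {}\n// MOD_EXAMPLE END\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for kind, rel in leftovers(root):
        print(f"still present ({kind}): {rel}")
```

Run it against the real web root with a manifest transcribed from the install .txt; an "edit" hit means the mod's code is still executing in a core file even though the product no longer shows as installed, which is exactly the case where disabling does not remove the exposure.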
#52
24 Jul 2007, 23:30
Wayne Luke
Join Date: Jan 2002
Real name: Wayne
Originally Posted by dsotmoon
I think Wayne should be running things here because his ideas make a lot more sense than what's happening right now.
Not my job. The people in charge here are more than capable. The system just seems to need some refinement and I am sure they can do that. I am just putting in a suggestion as a user of the site.
__________________
Wayne Luke
Get started with your own social network. Purchase and download vBulletin today.
#53
24 Jul 2007, 23:57
quiklink
Join Date: Jun 2007
Originally Posted by -=Sniper=-
That would be much better, but as the author I still want to have the opportunity to FIX the issue and send the security issue message at the SAME TIME, rather than leaving users waiting for a fix! If I don't update it, yeah, sure, send the message, but the opportunity needs to be there.
In the meantime while they are waiting for you to fix the problem, upload the update, and verify that it corrects the security issue, everyone who has the mod on their site is sitting vulnerable. By sending the emails out immediately the end user now is aware that there is a security issue and can decide for themselves whether or not to remove the mod until it is fixed.
#54
25 Jul 2007, 00:35
-=Sniper=-
Join Date: May 2002
@quiklink;

OK, so WILL you uninstall vBulletin if it had a security issue? Yes or no? Will you uninstall a hack or not? Please don't answer! Why doesn't Jelsoft inform me about security issues when discovered, but only when they have published the fix?

Do you feel the same way about vBulletin as a standalone product?

You have to understand the issue was reported privately, hence no one knows about it (or very few), so the author has the opportunity to fix it and tell users at the same time. Now if someone made the security issue public, fair enough, you would inform as many users as possible, since someone will now try to exploit the issue, no doubt.

Now if you ask users to uninstall mods, e.g. if you had an articles mod and six months later there is a security issue, by now the site might have plenty of articles etc. and on uninstall everything will be lost; would you want that? You have to understand not everyone is technically minded; even simple things like uninstalling or disabling would mean the same thing to them...

As always there are pros/cons to every procedure.

Last edited by -=Sniper=-; 25 Jul 2007 at 00:49.
#55
25 Jul 2007, 01:29
quiklink
Join Date: Jun 2007
Originally Posted by -=Sniper=-
@quiklink;

OK, so WILL you uninstall vBulletin if it had a security issue? Yes or no? Will you uninstall a hack or not? Please don't answer! Why doesn't Jelsoft inform me about security issues when discovered, but only when they have published the fix?
While owned by Jelsoft, this site has nothing to do with security on vBulletin. I keep seeing many make this comparison and it doesn't wash, not to mention the liability issue to Jelsoft should they know of a vulnerability in a mod and not make it known. It's one thing to have a liability on your own product; it's quite another to assume potential liability on a 3rd party product. And regardless of what Jelsoft does with its own products, what YOU are doing is advocating allowing the end users to remain vulnerable for a security issue you created.

Do you feel the same way about vBulletin as a standalone product?
Jelsoft's practices have no bearing on this discussion because these are not Jelsoft mods.

You have to understand the issue was reported privately, hence no one knows about it (or very few), so the author has the opportunity to fix it and tell users at the same time. Now if someone made the security issue public, fair enough, you would inform as many users as possible, since someone will now try to exploit the issue, no doubt.
Obviously at least one person knows of the vulnerability, there quite possibly could be many others who are choosing to exploit the vulnerability rather than announce it. Again, you advocate allowing this to happen.

Now if you ask users to uninstall mods, e.g. if you had an articles mod and six months later there is a security issue, by now the site might have plenty of articles etc. and on uninstall everything will be lost; would you want that? You have to understand not everyone is technically minded; even simple things like uninstalling or disabling would mean the same thing to them...
It's up to the end user to make that decision. You have no right to make it for them, and you have a responsibility to inform them of the vulnerability immediately so that they may protect themselves from harm through code you produced.


As always there are pros/cons to every procedure.
There is no pro to your argument. Only cons, and the con is to the end user you want to keep at risk to protect your own reputation.
#56
25 Jul 2007, 01:56
-=Sniper=-
Join Date: May 2002
While owned by Jelsoft, this site has nothing to do with security on vBulletin. I keep seeing many make this comparison and it doesn't wash, not to mention the liability issue to Jelsoft should they know of a vulnerability in a mod and not make it known. It's one thing to have a liability on your own product; it's quite another to assume potential liability on a 3rd party product. And regardless of what Jelsoft does with its own products, what YOU are doing is advocating allowing the end users to remain vulnerable for a security issue you created.
Have I said Jelsoft should be held responsible for anything made by a 3rd party? Where? SHOW ME! Jelsoft chooses not to inform users when they discover a security issue, but only, and as quickly as, when they release the fix.

So it's fine for Jelsoft not to inform its users, but not me? You don't seem to make sense; you are asking me to inform all my hack users, then why not Jelsoft?

Jelsoft's practices have no bearing on this discussion because these are not Jelsoft mods.
Who said it does? So you like Jelsoft's practices but not mine; it's a shame that the practices are exactly the same, yet you see a difference? I want to try and make sure that when I inform users of a security issue I issue the fix at the same time; if I am unable to fix it, it's fair to say I should inform them within 24 hours IF I can't fix it!

Obviously at least one person knows of the vulnerability, there quite possibly could be many others who are choosing to exploit the vulnerability rather than announce it. Again, you advocate allowing this to happen.
The same again applies with every script out there, no matter who creates it: if no one reports a security issue, it won't be fixed. Remember the user reporting has done so in good faith so the issue can be fixed; no doubt there are users who won't report it and would rather take advantage. Once an issue becomes public it becomes a race to get the fix out before even more users are able to take advantage. Now the minority has become the majority, and now there's more pressure on the mod creator.

It's up to the end user to make that decision. You have no right to make it for them and you have a responsibility to inform them of the vulnerability immediately so that they may protect themselves from harm through code you produced.
Wait, so Jelsoft have the right to make the decision for you and I don't? Why not me? Where's my right? So you trust Jelsoft more than the coders here.

There is no pro to your argument. Only cons, and the con is to the end user you want to keep at risk to protect your own reputation
Wait, don't Jelsoft do that?

I'm sorry for using Jelsoft as an example; I'm sure there are more out there.
#57
25 Jul 2007, 02:02
hambil
Join Date: Jun 2004
Real name: Hambil
Originally Posted by quiklink
While owned by Jelsoft, this site has nothing to do with security on vBulletin. I keep seeing many make this comparison and it doesn't wash, not to mention the liability issue to Jelsoft should they know of a vulnerability in a mod and not make it known.
Jelsoft has made it abundantly clear they have no liability for any mods on this site, period.

@Sniper: I'd focus your arguments on staff and not get sidetracked by posts from members, for what my opinion is worth
#58
25 Jul 2007, 02:04
-=Sniper=-
Join Date: May 2002
Originally Posted by hambil
Jelsoft has made it abundantly clear they have no liability for any mods on this site, period.

@Sniper: I'd focus your arguments on staff and not get sidetracked by posts from members, for what my opinion is worth
Thanks, will do.

It's a shame there are narrow-minded people out there... doh.

Last edited by -=Sniper=-; 25 Jul 2007 at 02:31.
#59
25 Jul 2007, 02:04
nexialys
Guest
Originally Posted by Wayne Luke
I am just putting in a suggestion as a user of the site.
Damn, Wayne, it's time to drop that user title then... lol.
#60
25 Jul 2007, 02:11
quiklink
Join Date: Jun 2007
Originally Posted by -=Sniper=-
Have I said Jelsoft should be held responsible for anything made by a 3rd party? Where? SHOW ME! Jelsoft chooses not to inform users when they discover a security issue, but only, and as quickly as, when they release the fix.

So it's fine for Jelsoft not to inform its users, but not me? You don't seem to make sense; you are asking me to inform all my hack users, then why not Jelsoft?
So because Jelsoft follows such a practice that makes it ok for you to do so?

Who said it does? So you like Jelsoft's practices but not mine; it's a shame that the practices are exactly the same, yet you see a difference? I want to try and make sure that when I inform users of a security issue I issue the fix at the same time; if I am unable to fix it, it's fair to say I should inform them within 24 hours IF I can't fix it!
We aren't talking about Jelsoft, though you keep trying to use them as your defense. So again you advocate leaving the end user and their customers vulnerable to cover your own reputation. Nice.

The same again applies with every script out there, no matter who creates it: if no one reports a security issue, it won't be fixed. Remember the user reporting has done so in good faith so the issue can be fixed; no doubt there are users who won't report it and would rather take advantage. Once an issue becomes public it becomes a race to get the fix out before even more users are able to take advantage. Now the minority has become the majority, and now there's more pressure on the mod creator.
You have no idea if the exploit has already been known by others and is only now being reported by a responsible person. But apparently the risk to the people who are using your mods means nothing to you save what it means to your reputation should it be found out that your mod has a security flaw.

Wait, so Jelsoft have the right to make the decision for you and I don't? Why not me? Where's my right? So you trust Jelsoft more than the coders here.
Again, quit trying to use Jelsoft's practices as an excuse for your own. If you or I have an issue with how Jelsoft handles security for vBulletin it belongs over at the vb.com site, not here. We are talking about security risks in the mods available here.

Originally Posted by hambil
Jelsoft has made it abundantly clear they have no liability for any mods on this site, period.
That means absolutely nothing and would not prevent Jelsoft from being dragged into court should someone decide to sue them over a vulnerability in a mod obtained from here. It also does not necessarily mean they will win either, particularly if they were aware of a security vulnerability in a given mod and allowed it to continue to be available and did not warn those who had it installed.

Originally Posted by hambil
Jelsoft has made it abundantly clear they have no liability for any mods on this site, period.

@Sniper: I'd focus your arguments on staff and not get sidetracked by posts from members, for what my opinion is worth
So the opinions of the users of these mods doesn't matter? Guess I should have already realized that from those coders who are condoning leaving the users vulnerable because announcing a flaw in their code might hurt their reputations.

I've been programming for better than 20 years and I'm quite aware that stuff happens and vulnerabilities occur. It's a fact of life when programming. What I have an issue with are those coders who are willing to leave their users hanging and at risk rather than notify them immediately of the risk and then working to get a fix out as fast as possible. That's just plain irresponsible. I have a lot more respect for the coder who thinks of their users first and their reputations second.

Last edited by quiklink; 25 Jul 2007 at 02:20. Reason: Automerged Doublepost