#61 | 25 Jul 2007, 02:40 | hambil (Real name: Hambil)
Originally Posted by quiklink
So the opinions of the users of these mods don't matter?
Feel free to have all the opinions you want. Have an opinion party. How much they count really depends on the opinion, and how well you express it.

You were defending Jelsoft policy. Since you don't work for them, doing much more than noting your opinion on the subject and moving on isn't very productive to the discussion.

#62 | 25 Jul 2007, 02:46 | quiklink
Originally Posted by hambil
Feel free to have all the opinions you want. Have an opinion party. How much they count really depends on the opinion, and how well you express it.

You were defending Jelsoft policy. Since you don't work for them, doing much more than noting your opinion on the subject and moving on isn't very productive to the discussion.
Yep I am defending not leaving the mod users at risk. Sorry if that seems to be a strange or unpopular choice. Where I learned programming we try to watch out for our customers rather than leave them vulnerable to attack.

I have yet to see a reasonable justification for leaving the mod users vulnerable to attack.

#63 | 25 Jul 2007, 02:54 | hambil (Real name: Hambil)
Originally Posted by quiklink
Yep I am defending not leaving the mod users at risk. Sorry if that seems to be a strange or unpopular choice. Where I learned programming we try to watch out for our customers rather than leave them vulnerable to attack.

I have yet to see a reasonable defense for leaving the mod users vulnerable to attack.
I've given several.

1) Calling attention to a vulnerability before a fix is available actually increases the risk to the end-user.
2) Not giving clear instructions, but simply saying 'disable' or 'uninstall', will likely not remove the vulnerability in many cases, since file edits and template edits may have been made.
3) Sending these notices out over and over again, as is starting to happen now, creates an atmosphere in which the users will simply begin to ignore them, once again increasing their risk.

Now, if a fix is not provided by the author within a reasonable time frame, then pulling the hack and notifying the users is the only logical choice. But, it is not the best choice as a first line of defense.

There are reasons why Jelsoft and other companies don't operate that way. It is logical to assume they don't want to harm their customers because that's bad for business. So to believe that the policy being used here is the correct policy, you have to believe that everyone else in the industry got it wrong.

#64 | 25 Jul 2007, 03:06 | quiklink
Originally Posted by hambil
I've given several.

1) Calling attention to a vulnerability before a fix is available actually increases the risk to the end-user.
That's not a good reason. They are still vulnerable to the attack. You don't know exactly how widespread the problem is before being finally notified about it. And are these notices detailing exactly how the exploit is occurring?

2) Not giving clear instructions, but simply saying 'disable' or 'uninstall', will likely not remove the vulnerability in many cases, since file edits and template edits may have been made.
Template edits aren't usually going to be a security issue. File edits yes I agree would. While detailed removal instructions would be good, it would be difficult for vborg to give such instructions for every mod. I agree that in the graveyard the info for proper removal/uninstall should be left so that the user can get that info if they don't already have it.

3) Sending these notices out over and over again, as is starting to happen now, creates an atmosphere in which the users will simply begin to ignore them, once again increasing their risk.
That's the end user's problem. You can't fix stupid.

Now, if a fix is not provided by the author within a reasonable time frame, then pulling the hack and notifying the users is the only logical choice. But, it is not the best choice as a first line of defense.
What exactly is a reasonable time frame for leaving a user vulnerable? Answer: No time, they should be informed immediately. Are you willing to accept the responsibility and liability for any damage or theft of information because you didn't announce the vulnerability when you first learned about it? No I thought not...But believe it or not, an end-user could quite easily decide to haul you into court for doing just that. You can post all the disclaimers in the world and it doesn't protect you.

There are reasons why Jelsoft and other companies don't operate that way. It is logical to assume they don't want to harm their customers because that's bad for business. So to believe that the policy being used here is the correct policy, you have to believe that everyone else in the industry got it wrong.
Everyone in the industry certainly does not do this. In fact, with most major applications the vulnerabilities are posted immediately on known sites to get the information out as fast as possible. This is often how the developers learn about the vulnerabilities in their own code in the first place.

Sorry but all I am seeing from this is an attempt by the mod developers to cover their reputations at the risk and expense of the user.

#65 | 25 Jul 2007, 03:35 | hambil (Real name: Hambil)
Originally Posted by quiklink
Sorry but all I am seeing from this is an attempt by the mod developers to cover their reputations at the risk and expense of the user.
Well, you're wrong on pretty much all accounts, but hey, free speech man.

#66 | 25 Jul 2007, 03:57 | Neal-UK (Real name: Neal)
Originally Posted by hambil
This is true. Not all products 'disable' the way they should - especially if they contain file edits or template edits. Good point.
That's right, some hacks also have a separate install function as well as the plugin, which means that if you remove it via the plugin without doing the product uninstall via the product itself, the template and DB edits, etc. are still there and you can't re-download the files.

If a hack is marked as a security risk, the files should still be left so people can deal with the above issues. If they install it to use normally, that's their own bloody fault as they don't read or listen to the risks.

Can someone from vB.org please let me know if this will be possible?

#67 | 25 Jul 2007, 04:16 | Paul M
If news of an exploit has been made public (by whatever route) and the modification moved to the GY, then the files will no longer be downloadable. This means all files in the thread; we cannot separate out individual files because they happen to be instructions. In most cases there is only one zip file anyway (containing everything).
Former vBulletin.org Staff Member

#68 | 25 Jul 2007, 12:39 | dsotmoon
Originally Posted by Paul M
If news of an exploit has been made public (by whatever route) and the modification moved to the GY, then the files will no longer be downloadable. This means all files in the thread; we cannot separate out individual files because they happen to be instructions. In most cases there is only one zip file anyway (containing everything).
Then you are just informing people of a risk but not letting them have all the tools they may need to eliminate it? In fact making their vB installation more vulnerable!

#69 | 25 Jul 2007, 12:50 | Andreas
Well, they are advised to disable/uninstall it. If they don't do that, it's their problem really.
IMHO it's better to inform users immediately rather than having them run vulnerable code without knowing.
If they know, they can take appropriate actions; if they don't, they can't.

#70 | 25 Jul 2007, 14:28 | GaryP (Real name: Gary)
As a user of a lot of modifications on this site, I say that we should be warned of the problem with a modification as soon as the problem is highlighted. If we then opt to still use the affected modification and something happens to our site then this is our problem but if we disable or remove it then we know that we are safe.

Imagine for a minute that you buy a tin of beans from a shop. Now the next day the manufacturer finds that a bit has broken off the machine. They check the batch numbers of the beans produced since the last known time that the piece was there and then issue a recall notice with the product, description, and batch details and tell you not to eat them.

Now in the same way, vB.org has told us about the product and the version that is affected by security issues. This is something that needs to be done right away. Proper testing of modifications before they are released to the trusting non-coders should be done by the coders to make sure that this doesn't happen, although there will always be some that get through anyway.

Coders then can fix the problem, or not, as they decide while the people using the modification can see it, or not, at their own risk as they are aware that there is an issue.

Really it's like everything - if you know something is dangerous would you still do it? If going down a mountain do you take the path, the cable car or jump from the top? If you opt for the cablecar then find out that the cable is frayed, would you still use it while waiting for it to be fixed?

#71 | 25 Jul 2007, 14:42 | hambil (Real name: Hambil)
Originally Posted by GaryP
Imagine for a minute that you buy a tin of beans from a shop. Now the next day the manufacturer finds that a bit has broken off the machine.

Really it's like everything - if you know something is dangerous would you still do it? If going down a mountain do you take the path, the cable car or jump from the top? If you opt for the cablecar then find out that the cable is frayed, would you still use it while waiting for it to be fixed?
But those examples aren't like 'everything'. They are life and death. Anytime something is a matter of life and death companies always immediately inform everyone (let's not get into automobile recalls that are not done or delayed; yes, companies make evil decisions too, but as a rule in life and death people are immediately informed).

Nothing on this site will kill you.

#72 | 25 Jul 2007, 14:51 | Marco van Herwaarden
But it might kill the data that took you years to get on your site.....
Ex vBulletin.org Coordinator

#73 | 25 Jul 2007, 14:51 | Princeton (Real name: Joe Velez)
Originally Posted by hambil
Nothing on this site will kill you.
but it will cause hardship .. many members devote hours to their sites; in some cases this is their livelihood that we are dealing with.

Our priority is to protect our members.

Can we find a balance between protecting members and making our coders happy?
We are discussing the matter.

I would like to hear more SOLUTIONS - instead of what's better and for whom it should favor. Who knows .. it may be something we haven't thought about.
Former vBulletin.org Staff Member

#74 | 25 Jul 2007, 14:54 | -=Sniper=-
Originally Posted by Marco van Herwaarden
But it might kill the data that took you years to get on your site.....
Well, have you considered the FACT that instructing users to uninstall a mod would do the same thing? Not everyone backs up their data or knows that on uninstalling the mod it would remove the related database tables. Now the mod could be a gallery or an article system etc.
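Posts #66 and #74 above describe the two removal hazards an advisory reader faces: disabling a product in the plugin manager stops its hooks but leaves its templates, database changes and required files in place, while running the product's uninstall code can drop the tables holding the site's data. The script below is an added example, not code from this thread or from vBulletin.org. It parses a vBulletin 3.x product XML (the gallery product embedded here is a constructed sample; its product id, hook, table, column and file names are assumptions) and reports what a "disable" leaves behind and what an "uninstall" would destroy, so an admin can back up the affected tables before following an advisory. The regular expressions recognise the usual `" . TABLE_PREFIX . "` concatenation that install and uninstall code uses to build table names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a vBulletin 3.x product XML for a hypothetical gallery
# modification. Product id, hook, table, column and file names are assumptions
# made for this example; the element layout (<codes>, <templates>, <plugins>)
# is the one the product manager imports and exports.
SAMPLE_PRODUCT_XML = """<product productid="example_gallery" active="1">
  <title>Example Gallery</title>
  <version>1.0.0</version>
  <codes>
    <code version="1.0.0">
      <installcode><![CDATA[
$db->query_write("CREATE TABLE IF NOT EXISTS " . TABLE_PREFIX . "example_gallery (
    galleryid INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    userid INT UNSIGNED NOT NULL
)");
$db->query_write("ALTER TABLE " . TABLE_PREFIX . "user ADD gallerycount INT NOT NULL DEFAULT 0");
      ]]></installcode>
      <uninstallcode><![CDATA[
$db->query_write("DROP TABLE IF EXISTS " . TABLE_PREFIX . "example_gallery");
$db->query_write("ALTER TABLE " . TABLE_PREFIX . "user DROP gallerycount");
      ]]></uninstallcode>
    </code>
  </codes>
  <templates>
    <template name="example_gallery_view" templatetype="template" date="1185321600" username="example" version="1.0.0"><![CDATA[<div class="gallery">$gallery_html</div>]]></template>
  </templates>
  <plugins>
    <plugin active="1" executionorder="5">
      <title>Gallery: show on thread view</title>
      <hookname>showthread_start</hookname>
      <phpcode><![CDATA[require_once(DIR . '/includes/functions_example_gallery.php');
$gallery_html = example_gallery_render($threadinfo['threadid']);]]></phpcode>
    </plugin>
  </plugins>
</product>
"""

# Collapse the PHP idiom  "... " . TABLE_PREFIX . "name"  into a plain SQL string
# so the table name can be read by the statement patterns below.
_PREFIX_CONCAT = re.compile(r'"\s*\.\s*TABLE_PREFIX\s*\.\s*"')
# Destructive statements typically found in uninstall code.
_DROP_TABLE = re.compile(r"DROP\s+TABLE\s+(?:IF\s+EXISTS\s+)?`?(\w+)", re.IGNORECASE)
_DROP_COLUMN = re.compile(
    r"ALTER\s+TABLE\s+`?(\w+)`?\s+DROP\s+(?!INDEX|PRIMARY|KEY)(?:COLUMN\s+)?`?(\w+)",
    re.IGNORECASE,
)
# Files a plugin pulls in; these stay on disk after the product is set inactive.
_REQUIRED_FILE = re.compile(
    r"(?:require|include)(?:_once)?\s*\(?\s*DIR\s*\.\s*['\"]([^'\"]+)['\"]"
)


def removal_report(xml_text):
    """Summarise what disabling versus uninstalling this product touches."""
    root = ET.fromstring(xml_text)
    plugins = root.findall("./plugins/plugin")
    uninstall = "\n".join((c.findtext("uninstallcode") or "") for c in root.findall("./codes/code"))
    uninstall = _PREFIX_CONCAT.sub("", uninstall)
    phpcode = "\n".join((p.findtext("phpcode") or "") for p in plugins)
    return {
        "productid": root.get("productid"),
        "title": root.findtext("title"),
        # Setting the product inactive stops these hooks from executing.
        "hooks": [p.findtext("hookname") for p in plugins],
        # Templates are not removed by a disable; only a product uninstall deletes them.
        "templates": [t.get("name") for t in root.findall("./templates/template")],
        # Data destroyed by the uninstall code (table names without TABLE_PREFIX).
        "dropped_tables": _DROP_TABLE.findall(uninstall),
        "dropped_columns": _DROP_COLUMN.findall(uninstall),
        # PHP files the plugins load; a disable leaves them reachable on disk.
        "referenced_files": sorted(set(_REQUIRED_FILE.findall(phpcode))),
    }


def tables_to_back_up(report):
    """Every table the uninstall code would drop or strip a column from."""
    tables = set(report["dropped_tables"]) | {t for t, _ in report["dropped_columns"]}
    return sorted(tables)


def backup_command(report, database, table_prefix=""):
    """mysqldump argv for the affected tables, with the site's real TABLE_PREFIX."""
    return ["mysqldump", database] + [table_prefix + t for t in tables_to_back_up(report)]


if __name__ == "__main__":
    rep = removal_report(SAMPLE_PRODUCT_XML)
    print(f"Product {rep['productid']} ({rep['title']})")
    print("  disable stops plugins on hooks:", ", ".join(rep["hooks"]) or "none")
    print("  files those plugins load (still on disk after disable):", ", ".join(rep["referenced_files"]) or "none")
    print("  templates still installed after disable:", ", ".join(rep["templates"]) or "none")
    print("  uninstall drops tables:", ", ".join(rep["dropped_tables"]) or "none")
    print("  uninstall drops columns:", ", ".join(f"{t}.{c}" for t, c in rep["dropped_columns"]) or "none")
    print("  back up before uninstall:", " ".join(backup_command(rep, "forum", "vb_")))
```

Run it against the `product-*.xml` shipped in a modification's zip (or exported from the product manager) before acting on a "disable or uninstall" notice: the `referenced_files` list is what a disable does not remove from the web root, and `tables_to_back_up` is what to dump before the uninstall code runs. The patterns only catch statements built with the `TABLE_PREFIX` idiom and plain `DROP`/`ALTER ... DROP` syntax, so uninstall code that builds queries differently still needs to be read by hand.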

#75 | 25 Jul 2007, 14:57 | Marco van Herwaarden
One of the improvements we are currently discussing (and I think this has already been mentioned in this thread) is whether we can give users more tailored advice based on the type of vulnerability and the modification in question. This might however not be possible, as we cannot be aware of all the ins and outs of a modification and how to block only access to vulnerable locations in the modification.