vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   News and Announcements (https://vborg.vbsupport.ru/forumdisplay.php?f=2)
-   -   Important: It is all about trust (https://vborg.vbsupport.ru/showthread.php?t=115640)

JohnBee 05-22-2006 02:47 AM

Quote:

Originally Posted by Paul M
There are/were no "backdoors", perhaps you should re-read the original message.

Really...?

Quote:

The reason for this thread is that, to our own shame, we recently received reports that there are coders who do incorporate hidden functionalities in their modifications. Luckily the type of hidden functions could be considered relatively harmless, but we will nevertheless not tolerate this. I would like to emphasize that this did not send any security or privacy related information, nor did it in any way break the security of your site.

DementedMindz 05-22-2006 02:48 AM

Wow is all I can say from reading this thread... I knew of one that had it but it was removed right away and fixed... but I think things are getting a little crazy around here anymore... and it's time for the staff to take action against these people... I think it would be wise to post the coders that have done it... this way it lets them know it won't be tolerated and has been noticed... I guess it's time to watch out what I'm installing and look over the code first... a shame that it now comes to this... just one more hurdle this week for vb.org

Paul M 05-22-2006 02:56 AM

Quote:

Originally Posted by JohnBee
Really...?

Yes, really.

Roms 05-22-2006 03:00 AM

^^ These are the same type of people that sign important contracts without ever reading them... :p

Shaliza 05-22-2006 03:32 AM

I guess at this point, the only way to find out which hacks have the "install" code is to look through it yourself. And I'd still like an answer as to why this wasn't in the readme files? Why does that keep getting overlooked?

Boofo 05-22-2006 03:38 AM

The issue has been dealt with and plans are in the works to make sure this never happens again. As was said in this thread, it was a small non-intrusive item, but we are working to avoid ANY such instances in the future.

Guest190829 05-22-2006 03:49 AM

There seems to be some confusion about the extent of what has happened.

The issues that have been made public are completely harmless. They are not backdoors into your forum. They will not break your forum.

The issue here is that some coders implemented a way to automatically click "Install" on vb.org whenever a product/plug-in was uploaded. The reason why we've decided to let users know about this is because most of the time this happens without the Admin's consent.

The "backdoor" involved here was with www.vbulletin.org, not your forum. External GET requests were not being checked, which allowed certain authors to do this, but we have now blocked anything like this.

Your forum was never in jeopardy. Marco has bolded various statements in his post that further clarify this statement. We will not give out the names of the coders who did this, because it is not needed.

This new policy was put in place because we became aware that some products/plugins had unethical (not to be mistaken with HARMFUL) code in them, and the staff felt that any unethical code should not be tolerated.

Harmful code was never (and never will be) tolerated on vbulletin.org.

Logikos 05-22-2006 05:12 AM

Nicely said Danny. :)

kall 05-22-2006 05:21 AM

Nothing here is 'verified' as such. The only person/people you could POSSIBLY have a claim against would be Hacks posted by vBulletin staff, and even then..it is up to you, the end-user, to determine whether these hacks are "unsafe".

Really, anyone who installs 3rd-party modifications on their site without verifying the integrity of the code is asking for trouble.

FYI: I probably have some of these hacks installed. I care very little. I click INSTALL on everything I install, both to show respect to the author and to keep track of the hacks I have installed.

I don't install hacks provided by.. well, lets just say I only install hacks written by people I trust. I developed that trust by following threads here and working out who was an honourable person.

Boofo 05-22-2006 05:28 AM

Quote:

Originally Posted by kall
I don't install hacks provided by.. well, lets just say I only install hacks written by people I trust. I developed that trust by following threads here and working out who was an honourable person.

That explains why my install count is always down by one. I thought we... I need a minute here to collect myself, I'm sorry... :(

Logikos 05-22-2006 05:31 AM

* Logikos hands Boofo a tissue :(

kall 05-22-2006 05:35 AM

Quote:

Originally Posted by Boofo
That explains why my install count is always down by one. I thought we... I need a minute here to collect myself, I'm sorry... :(

Oh yeah, you gotta watch that Boofo guy.. I installed the /you code hack once, and found that my bank account was emptied, my rubbish bins overturned and my cat pregnant.

That was a doozy of a backdoor, that was. :)

Boofo 05-22-2006 05:36 AM

Quote:

Originally Posted by kall
Oh yeah, you gotta watch that Boofo guy.. I installed the /you code hack once, and found that my bank account was emptied, my rubbish bins overturned and my cat pregnant.

That was a doozy of a backdoor, that was. :)

Wait till you see my next version dubbed, the /kall code hack. You think your cat had problems...

DementedMindz 05-22-2006 05:38 AM

Quote:

Originally Posted by Boofo
Wait till you see my next version dubbed, the /kall code hack. You think your cat had problems...

:surprised: you better lock your dog up now ;)

wsdeluxe 05-22-2006 07:00 AM

Quote:

The issue here is that some coders implemented a way to automatically click "Install" on vb.org whenever a product/plug-in was uploaded.

Almost every plugin or product I have installed has done that... didn't realise it could be deemed a security threat.

kall 05-22-2006 09:11 AM

Oh man, when I read this in my email, I thought the post above mine was in response to post #172.

How I laughed. :D

peterska2 05-22-2006 09:24 AM

Quote:

Originally Posted by wsdeluxe
Almost every plugin or product i have installed has done that...didnt realise it could be deemed a security threat.

That is why the issue has now been raised, before it got to all of them.

A small number of coders were doing this, so the majority of releases never have had any issues relating to this.

Quote:

Originally Posted by kall
Oh man, when I read this in my email, I thought the post above mine was in response to post #172.

How I laughed. :D

That's just the sort of thing that I do. It makes a serious thread really funny. :D

FASherman 05-22-2006 11:15 AM

Quote:

Originally Posted by Boofo
The issue has been dealt with and plans or in the works to make sure this never happens again. As was said in this thread, it was a small non-intrusive item but we are working to avoid ANY such instances in the future.

How? Will all code that is submitted for download go through rigorous testing before being made available to the public? Anything short of that means nothing is being done about it.

You can put rules in place and a reporting procedure to notify of violations, but steps like that are meant to protect your legal exposure, not our vulnerability to exploitation.

What are you going to do?

Boofo 05-22-2006 11:19 AM

Quote:

Originally Posted by FASherman
How? Will all code that is submitted for download go through rigorous testing before being made available to the public? Anything short of that means nothing is being done about it.

You can put rules in place and a reporting procedure to notify of violations, but steps like that are meant to protect your legal exposure, not our vulnerability to exploitation.

What are you going to do?

Let's just say it will be avoided in the future. ;)

FASherman 05-22-2006 11:31 AM

Quote:

Originally Posted by Boofo
Let's just say it will be avoided in the future. ;)

That's not exactly comforting, nor is it sufficient. Let's review.

Some authors were inserting, albeit harmless, hidden function code in their programs.

Those functions went unnoticed for months. The staff here didn't find the problematic code for some time, even though it affected their own site.

This points out a glaring security hole in the methodology of this site. Anyone with malicious intent, having read this thread, now knows the best way to exploit VB websites: release code here with hidden functionality.

That's the issue that needs addressing. And you can't dismiss it with a promise that "something" that we don't get to hear about will be done.

VB.Org opened this can of worms by making it public. You've raised a security and business data protection issue, the highest concern in all of IT. Many forums being run support real business, not hobbyists. Your answers are insufficient for that population.

You must come forward, sooner rather than later, and explain how you will verify the integrity of the code available here.

Boofo 05-22-2006 11:35 AM

I already "came forward" as you say and told you things are being put into place to prevent things like this from happening in the future. It doesn't matter how that will happen, as long as it does, right? 'Nuff said.

FASherman 05-22-2006 11:42 AM

Quote:

Originally Posted by Boofo
I already "came forward" as you say and told you things are being put into place to prevent things like this from happening in the future. It doesn't matter how that will happen, as long as it does, right? 'Nuff said.

With all due respect, you haven't. Look at the very title of the thread, "It's all about trust". When you - and by you I mean VB.Org, not you in particular - allowed it to happen, you lost some of our trust. You lost the expectation that you could tell us something nonspecific is going to be done and leave it at that. You don't have that level of trust anymore. If you want to gain it back, you owe it to us, the people that now realize you place our sites at risk every time we install a download from here, to be more specific and tell us how you will catch the next hacker who does have malicious intent.

You owe us that much, but if you don't see it that way, it's indicative of a far greater problem.

Boofo 05-22-2006 11:58 AM

Read post 167 in this thread and it will explain it all to you better than I ever could. ;)

Clayton 05-22-2006 12:23 PM

Quote:

Originally Posted by FASherman
What the bloody hell is going on around here? etc

Wow ... may I call you John Wayne

some pretty hard straight talking

:D

Xenon 05-22-2006 12:35 PM

Quote:

Originally Posted by FASherman
When you - and by you I mean VB.Org, not you in particular - allowed it to happen, you lost some of our trust.

Sorry, but that is incorrect. Every piece of code downloaded from vb.org and installed on your own board is your own responsibility. vb.org cannot go through every single line of code released here and check it for security holes. We can just react if we find something, and that has happened now. It still is, and always was, up to you to make sure the code you upload to your forum will do what it says. If it doesn't, the next contact you have is the author, to find out if it's maybe a bug. If you think it has been happening on purpose, then it's time to contact the moderators to take the appropriate actions.

We will do whatever we can to prevent such problems in the future, yes, hence a reason for the increase of staff members, but in the end, you are the only one responsible for any code you apply to YOUR board.

amykhar 05-22-2006 12:44 PM

FASherman, there IS a procedure in place for security risks. Code that is found to have them (through our discovery or user reports) goes through a process by which users are warned and the mod is removed if necessary.

But, this is a peer coding community. Ideally, anybody who installs the mods here has reviewed the code before installing it on their forum. It is not a commercial download site where the code is vetted by the company. Huge difference in concepts.

If any CYA stuff needs to be done on the part of Jelsoft, I suppose a huge click through disclaimer when you register here would work.
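The "review the code before installing it" advice above is easier to follow with a small tool. What follows is an added example, not code from vb.org, vBulletin or anyone in this thread: it parses a vBulletin product XML and scans every plugin's PHP and every template for the things a hidden "auto-install" or call-home would need, such as a reference to the download site's install link, a remote fetch, a hidden external image, or obfuscated PHP. The sample product embedded here is constructed for the example, and the install-link URL shape it matches ("vbulletin.org ... install") is an assumption, not the real address.

```python
"""
Added example: audit a vBulletin product XML before importing it.
Not the project's code; sample product and URL patterns are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: one honest plugin, one that embeds a 1x1 image pointing at
# an (assumed) install link, so the admin's browser "clicks install" on page load.
SAMPLE_PRODUCT_XML = """<product productid="who_read_demo" active="1">
  <title>Who Read Demo</title>
  <version>1.0</version>
  <plugins>
    <plugin active="1" executionorder="5">
      <title>Track readers</title>
      <hookname>showthread_start</hookname>
      <phpcode><![CDATA[
$vbulletin->db->query_write("INSERT IGNORE INTO thread_read (threadid, userid) VALUES (" . $threadinfo['threadid'] . ", " . $vbulletin->userinfo['userid'] . ")");
      ]]></phpcode>
    </plugin>
    <plugin active="1" executionorder="5">
      <title>Ping home</title>
      <hookname>admin_global</hookname>
      <phpcode><![CDATA[
// looks like housekeeping; actually makes the admin's browser hit the install link
echo '<img src="http://www.vbulletin.org/forum/install.php?mod=12345" width="1" height="1" />';
      ]]></phpcode>
    </plugin>
  </plugins>
  <templates>
    <template name="thread_read_list" templatetype="template"><![CDATA[<div>$readers</div>]]></template>
  </templates>
</product>
"""

# Each rule is (name, regex). A hit is a lead for a human reviewer, not proof of malice.
RULES = [
    ("install-link", re.compile(r"vbulletin\.org[^\"'\s]*install", re.I)),          # assumed URL shape
    ("remote-fetch", re.compile(r"\b(file_get_contents|curl_init|fsockopen|fopen)\s*\(\s*['\"]?https?:", re.I)),
    ("hidden-image", re.compile(r"<img[^>]+src\s*=\s*['\"]https?://", re.I)),
    ("obfuscation", re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
]


def audit_product(xml_text):
    """Return a list of (where, rule, matched_text) for every suspicious hit in
    plugin PHP and template HTML of a product XML."""
    root = ET.fromstring(xml_text)
    units = []
    for plugin in root.iter("plugin"):
        title = plugin.findtext("title", "?")
        hook = plugin.findtext("hookname", "?")
        units.append((f"plugin '{title}' @ {hook}", plugin.findtext("phpcode", "")))
    for tpl in root.iter("template"):
        units.append((f"template '{tpl.get('name')}'", tpl.text or ""))

    findings = []
    for where, body in units:
        for name, rx in RULES:
            for m in rx.finditer(body):
                findings.append((where, name, m.group(0)))
    return findings


if __name__ == "__main__":
    for where, rule, text in audit_product(SAMPLE_PRODUCT_XML):
        print(f"[{rule}] {where}: {text}")
```

Run it on a downloaded product file with `audit_product(open("product.xml").read())`; anything it flags in an `admin_global` or `global_start` hook deserves a careful read, since those run on every page load, which is exactly where a silent outbound request hides best.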

Clayton 05-22-2006 12:49 PM

Before everything becomes a total fight over nothing, it would be great if we were able to try to bridge that gap, where an even greater level of trust can be established in the service that vB.org provides.

Most persons know that it is the users' responsibility for what is put on their forums, however would it not be possible in the future for vB.org to attach a stamp of approval to the code that has been checked, so that the level of trust can be increased.

This is not about blame but simply more an effort to feel safe within vB.org

So, if you download a hack and it doesn't 'yet' have the 'stamp of approval' then the user knows it is at their own peril

Something like this would be appreciated

Thanks

C

Xenon 05-22-2006 12:52 PM

At Clayton: yeah, a good system, which we are already working on :)

Just give us a bit of time, not everything can be made over one night ^^

Paul M 05-22-2006 01:22 PM

Just to clarify a couple of other points - someone mentioned it being around for months - the auto install code referred to only existed for 4 weeks - also, it never actually touched people's forums, it made a simple GET request from your browser to the install link at vb.org.
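Paul M's description here, and Guest190829's earlier note that vb.org was not checking external GET requests, together describe a cross-site request forgery: the admin's own browser, already logged in to vb.org, is made to load the install link, and the server counts that as a click. The following is an added example, not code from vb.org, vBulletin or any poster: it models a state-changing "install" endpoint first as it was (any GET with a valid session cookie is accepted) and then hardened (POST only, a per-session token the third-party page cannot read, and an Origin/Referer check). The endpoint path `/install`, the `mod` and `csrf` parameter names, the `sid` cookie and the site origin are all assumptions for illustration.

```python
"""
Added example: CSRF on a "click install" link, vulnerable vs. hardened.
Not vb.org's code; paths, parameter names and origins are assumed.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://vborg.example"          # assumed origin of the site holding the install link


@dataclass
class Request:
    method: str
    path: str
    params: dict                               # query string (GET) or form body (POST)
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


class InstallTracker:
    """Records which logged-in user 'clicked install' on which modification id."""

    def __init__(self):
        self.sessions = {}                     # session cookie value -> Session
        self.installs = set()                  # (user, modification id)

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user)
        return sid

    def _session(self, req):
        return self.sessions.get(req.cookies.get("sid"))

    def install_vulnerable(self, req):
        """Any request carrying a valid session cookie counts as a click.
        Browsers attach that cookie to <img src=...> loads triggered by other
        sites too, so a product's page can 'click' on the admin's behalf."""
        s = self._session(req)
        if s is None or req.path != "/install":
            return 403
        self.installs.add((s.user, req.params["mod"]))
        return 200

    def install_hardened(self, req):
        """State change only via POST, only from our own origin, and only with
        the per-session token that a third-party page cannot read."""
        s = self._session(req)
        if s is None or req.path != "/install" or req.method != "POST":
            return 403
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if not origin.startswith(SITE_ORIGIN):  # missing header fails closed
            return 403
        if not hmac.compare_digest(req.params.get("csrf", ""), s.csrf_token):
            return 403
        self.installs.add((s.user, req.params["mod"]))
        return 200


def forged_get(sid, mod):
    """What the admin's browser sends when a product page embeds
    <img src="https://vborg.example/install?mod=...">: cookie attached, Referer
    pointing at the admin's own forum (constructed hostname)."""
    return Request("GET", "/install", {"mod": mod}, {"sid": sid},
                   {"Referer": "https://admins-forum.example/admincp/"})


def forged_post(sid, mod):
    """Same idea via an auto-submitted form: still no token, foreign origin."""
    return Request("POST", "/install", {"mod": mod}, {"sid": sid},
                   {"Origin": "https://admins-forum.example"})


def legit_post(tracker, sid, mod):
    """What the real install button on the site itself sends."""
    token = tracker.sessions[sid].csrf_token
    return Request("POST", "/install", {"mod": mod, "csrf": token}, {"sid": sid},
                   {"Origin": SITE_ORIGIN})


def demo():
    t = InstallTracker()
    sid = t.login("admin")
    results = {
        "forged_get_vs_vulnerable": t.install_vulnerable(forged_get(sid, "m1")),
        "forged_get_vs_hardened": t.install_hardened(forged_get(sid, "m2")),
        "forged_post_vs_hardened": t.install_hardened(forged_post(sid, "m3")),
        "legit_post_vs_hardened": t.install_hardened(legit_post(t, sid, "m4")),
    }
    return results, sorted(t.installs)


if __name__ == "__main__":
    print(demo())
```

The token is what actually closes the hole: Origin and Referer can be absent or, in older browsers, suppressed, so the hardened handler treats a missing header as foreign and still demands the token. Switching the link from GET to POST alone would not have helped, as `forged_post` shows.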

DementedMindz 05-22-2006 01:26 PM

Quote:

Originally Posted by Paul M
Just to clarify a couple of other points - someone mentioned it being around for months - the auto install code referred to only existed for 4 weeks - also, it never actually touched peoples forums, it made a simple GET request from your browser to the install link at vb.org.


Well, since you let the cat out of the bag :surprised: yeah, I did see it in your Display who has read a thread - Version 3 product... but then it was removed in the next update...

Clayton 05-22-2006 01:37 PM

Quote:

Originally Posted by Xenon
At clayton: yeah, a good system, which we already working on :)

just give use a bit time, not everything can be made over one night ^^

Great to Hear

libertate 05-22-2006 03:32 PM

You (VBorg/VBcom staff/volunteers et al) have failed to grasp my veiled attempt to bring some sanity into your actions, or inactions.

You have missed or simply refused to listen to JohnBee's comments.

Quote:

Originally Posted by Xenon
Quote:

Originally Posted by FASherman
When you - and by you I mean VB.Org, not you in particular - allowed it to happen, you lost some of our trust.

Sorry, but that is incorrect. [...]

How patronizing... Are you suggesting that you know what trust you had with members and what you have and have not lost?

Quote:

Originally Posted by amykhar
I suppose a huge click through disclaimer when you register here would work.

No, it would not.

I am absolutely horrified by the lack of business sense vBorg/Jelsoft team has demonstrated in this, and similar threads.

Wake up Jelsoft.

Adrian Schneider 05-22-2006 04:42 PM

Quote:

Originally Posted by JohnBee
Really...?

There were no harmful backdoors, and what was found did not put your board at risk. Period.

Quote:

Originally Posted by Marco
Now where is this post going? You install probably numerous modifications on your board, provided by different coders. By installing software, you give total control of your board into the hands of these 'anonymous' coders. This requires a high level of trust towards them.

It is bound to happen. Many people do look through the code to see how things work, so these things are usually found quickly. I imagine this one took so long because it was not harmful, and therefore did not bother people who saw it.

If you want to modify your board, you are doing so at your own risk. Jelsoft is not the author of the hacks. Jelsoft does not hold responsibility for the content of the hacks; though they remove anything that is unsafe.

You guys are missing the point of the thread, here is my take:
  • Something bad happened.
  • Proper action was taken.
If you really want them to go through EVERY line of code (probably totalling in the millions now), then you should expect to pay more for people to have to verify it all. Until Jelsoft is the one creating the hacks, you should be holding the coder responsible for anything that happens to your board. Not Jelsoft.

FASherman 05-22-2006 05:42 PM

You've completely missed the point. Let me try to restate it.

Code with backdoors was uploaded to this site and downloaded by users of this site.

The code found thus far is relatively harmless, but it was only found because it interacted with this site AND it took several months to be noticed.

This does not mean that all backdoors have been found. Nor does it mean that all as-yet-unfound backdoors are harmless.

Someone said there is a procedure in place for security risks. I disagree. There may be procedures for reacting to vulnerabilities once known, but nothing of a proactive nature to expose potential vulnerabilities before they happen.

And lets stop referring to Jelsoft. If the VB.Org staff is to be believed, and I think they are entitled to that, then VB.Org is NOT Jelsoft. This is a unique and separate entity.

So, my two cents on a solution...

1. Hacks not supported by the author should not even be here. That's the biggest risk right there.

2. Hacks/Mods/plugins/products - anything with PHP code - should only be allowed to be posted by individuals in a particular group, coder group for example.

3. There should be a verification process for allowing an individual into the coder group, some identifying credentials that translates a computer username into a real person with a verified location in the real world.

4. Coder titles should not be based on post counts. If I release a poor product, I could easily ratchet up my post count supporting that dog. Coder titles should be a formula taking into account longevity, post count, threads started in the release areas, combined install bases, number of nominations for HOTM and number of times won, all properly weighted so that no one variable matters significantly. It is the overall body of work that matters.

5. HOTM should be based on something other than raw install numbers. You need more meaningful criteria than that, plus then there is no need for install numbers to generate this type of an issue. The folks on the coding team should be able to make nominations based on merit if they're good enough developers in their own right. And what's wrong with 10 nominees? Let each coding team member nominate 2 hacks and give us a narrative as to why.

6. Again for the coding team. Any hack/file/plugin/product should be subject to random audits and the results made known. Maybe not specifically, but perhaps award the code a "VB.Org" certified label. Also something for the programmer themselves, showing that their code meets VB.Org standards.

7. Finally, when you do find something amiss, IMMEDIATELY email all users who have installed the product/plugin/code and tell us to suspend its operation immediately. Your loyalty in that situation is to us, the install base of the code, and not to the coder.

8. I lied. THIS is the final thought. Charge for listing commercial software if you so desire, but give a discount for any developer that offers a useful "lite" version here. You should definitely differentiate between those that see VB.Org as a target market and those that support the site with lite versions.

Flame away, boys and girls. I'm a big boy. I can take it.

smacklan 05-22-2006 05:48 PM

Good post FASherman... if it is all do-able given the limited resources the staff has here, then I'm all for it. What it may come down to in order to achieve these types of results is a certain level of paid staff... this remains to be seen.

Adrian Schneider 05-22-2006 06:06 PM

1. Why not? They are still useful to others. This ties into the 'users becoming lazy' discussion that the product system brought. Many 'hacks' are ways to edit your board; whether or not the author supports it, the value is still there.

2. I disagree. How do you expect people to learn? If this was the case, I bet you that 50% of the hacks here would be gone - including many of the popular ones.

3. They can always hold the license owner responsible...

4. They are based on # of installs. Don't take them so seriously; they are just for show.

5. I believe the top 10 installed hacks are placed into the poll automatically, but the voting is done by users.

6. If something HAS been inspected by the coders, then yes, some sort of 'verified' status would be good. The downside, though, is that users will begin to not install unverified hacks. It should be a plus, not a requirement.

7. Yes, if the coder does something wrong, they should be pointed out. That is probably punishment enough.

You are taking the 'coders' usertitles and the 'coding team' way too seriously. Many users have far more talent who are not 'coders' or who aren't on the team. Everyone also has very different standards. What I consider a good coder, may greatly differ from who the staff considers a good coder (either way). Who's call is it? Are they qualified to make this decision?

- as a developer, so my thoughts may be a little biased.

FASherman 05-22-2006 06:08 PM

I've got an answer for that too, if it takes more staff. Charge for user access.

What I mean is this:

Keep track of the release dates of uploads. Let's say I upload GeeWiz 1.0 into the product release directory. All contributing members get immediate access to that new release. Non-contributing members get access after 30 days.

Then I update the code to GeeWiz1.1. Contributing members can download v1.1 right away. Non-contributing members must wait for 30 days. For those 30 days, v1.0 is still available for download. After 30 days, v1.1 is available and v1.0 is archived.

30 days could just as easily be 45 or 60 days. Doesn't matter.

Contributor memberships cost $25/per year.

Just another idea.

JohnBee 05-22-2006 06:40 PM

If this is the case then the coder in question must face the responsibility for his or her actions.

Look at it this way: from a legal standpoint, if you present a product such as software with a list of features but fail to mention or disclose hidden features, then you as a coder are misrepresenting a product, where end users are incapable of properly evaluating the risks involved before committing the said product to their own site.

In an overall case this is an illegal procedure. This situation has brought a very interesting point to my attention. It would seem that neither Jelsoft, vb.org nor the coder claim liability for such actions, and under these conditions the system is in serious need of change.

Quote:

Originally Posted by Xenon
Sorry, but that is incorrect. Every piece of code downloaded from vb.org and installed on your own board is your own responsibility. vb.org cannot go through every single line of code released here and check it for security holes. We can just react if we find something, and that has happened now. It still is, and always was, up to you to make sure the code you upload to your forum will do what it says. If it doesn't, the next contact you have is the author, to find out if it's maybe a bug. If you think it has been happening on purpose, then it's time to contact the moderators to take the appropriate actions.

We will do whatever we can to prevent such problems in the future, yes, hence a reason for the increase of staff members, but in the end, you are the only one responsible for any code you apply to YOUR board.


Shaliza 05-22-2006 07:08 PM

I understand what happened, but I'm still failing to see how it's apparently such a struggle to just let us know which hacks you found out about? Why won't someone post it? No one is going to die. And those people obviously aren't going to step forward & say it's their hacks otherwise they would've done it already.

FASherman 05-22-2006 07:18 PM

Quote:

Originally Posted by Shaliza
I understand what happened, but I'm still failing to see how it's apparently such a struggle to just let us know which hacks you found out about? Why won't someone post it? No one is going to die. And those people obviously aren't going to step forward & say it's their hacks otherwise they would've done it already.

Its called protecting the guilty at the expense of the innocent.


All times are GMT.