vb.org Archive > Community Central > vBulletin.org Site Feedback
#111
07-26-2007, 12:49 PM
hambil
Join Date: Jun 2004
Location: Seattle
Posts: 1,719

As I said in another thread - it may just be a matter of perception (god knows I have that problem, too) but those kinds of responses, given how and where they were, feel like attempts to shut down discussion. Sometimes they are even accompanied by the closing of the thread.
#112
07-26-2007, 01:14 PM
Marco van Herwaarden
Join Date: Jul 2004
Posts: 25,415

Quote (originally posted by nexialys):
it is not a contradiction... Paul told us at least 4 or 5 times this week that the suggestion would never be executed... and you just posted a new thread asking for suggestions about our point of view - in the coders thread.... THAT is in contradiction with what Paul said to all last week...
Not trying to get this thread turned into a word game now, but:

In the above post Paul replied to the suggestion to let staff check all modifications before making them available to the public. He responded that this is unlikely to happen in the foreseeable future. (Some reasons for this reply are simple: not enough staff to do so - we tried to set up such a thing with volunteer members performing this in the past, but that did not get enough volunteers for a longer period of time - and the fact that if we "approve" a modification we might be implicitly liable for any vulnerability that we miss.)

The thread you are referring to is on a totally different topic (advice to users in case of a found vulnerability) and we have never said (on the contrary, even) that we would not reconsider the current message sent to users.
#113
07-26-2007, 02:52 PM
Kirk Y
Join Date: Apr 2005
Location: Tallahassee, Florida
Posts: 2,604

Quote (originally posted by MicroHellas):
Even if it's something that many users thought, I believe that the real reason is something other than what Marco wrote before ("Lots of reports lately").

In my opinion the problem came from the new moderators who came into the field like bulls in a crystal shop, trying to get their first congratulations.

To be honest, I was very upset with this situation (for many reasons) but when I saw the moderator's profile, I understood many things just by seeing his photo. By the way (this is for Coordinators and Administrators), don't you think that Moderators (in other words, staff) must be more careful in choosing their photo? "Caesar's wife doesn't need just to be good. She must look good too." At least he has the 2 fingers up and not just one
I beg your pardon? My profile or whatever you think you know about me by looking at my profile picture has absolutely nothing to do with your modifications containing a vulnerability. And if by some extremely inaccurate measure you think that I'm unqualified for this position simply because I'm younger, you're sadly mistaken.

You might also be interested to know that I am not the one who found the vulnerabilities in your modifications, I'm merely the one that confirmed their existence.

In any event, I suggest you focus more on coding according to vBulletin's standards instead of attempting to analyze someone based solely on the contents of their profile.
#114
07-26-2007, 03:19 PM
nexialys (Guest)

hum, interesting, now we're on personal attacks... flaming is not permitted here, so please, everybody, behave correctly, or just quit discussing...
#115
07-26-2007, 03:44 PM
Paul M
Join Date: Sep 2004
Location: Nottingham, UK
Posts: 23,748

Quote (originally posted by nexialys):
Actually Paul, I would suggest that you never use that kind of sentence again...
Thank you, I'm afraid I don't think I'll be taking up that suggestion.

Quote (originally posted by nexialys):
Paul told us at least 4 or 5 times this week that the suggestion would never be executed... and you just posted a new thread asking for suggestions about our point of view - in the coders thread....
I'm not sure what I've said 4 or 5 times (nothing I can think of). If you are referring to site policy then you are mistaken. Asking for suggestions on how to word something is not setting site policy.

I suggest you concentrate on posting useful suggestions instead of some of the not so useful posts you seem to be making recently - and try not to engage in pointless arguments over the wording of posts (mine or anyone else's).
#116
07-26-2007, 07:29 PM
STT
Join Date: Mar 2007
Posts: 8

Quote (originally posted by quiklink):
So the opinions of the users of these mods don't matter? Guess I should have already realized that from those coders who are condoning leaving the users vulnerable because announcing a flaw in their code might hurt their reputations.
Couldn't agree more with this - I've certainly had my eyes opened a little to the motivations of at least one coder in this thread. I hasten to add that the majority of coders do an excellent job and do indeed think of their users first, but a minority seem to be thinking first of their wallets (or indeed purses).

Keep up the good work, vbulletin.org - it's good to know you'll let mod users know of vulnerabilities.
#117
07-26-2007, 08:06 PM
hambil
Join Date: Jun 2004
Location: Seattle
Posts: 1,719

Quote (originally posted by STT):
Couldn't agree more with this - I've certainly had my eyes opened a little to the motivations of at least one coder in this thread. I hasten to add that the majority of coders do an excellent job and do indeed think of their users first, but a minority seem to be thinking first of their wallets (or indeed purses).

Keep up the good work, vbulletin.org - it's good to know you'll let mod users know of vulnerabilities.
Consider for a second that most uninstalls remove data from the database. Now consider that you have to deal with numerous angry and confused users and explain to them that the data they spent months, perhaps years, building and collecting has just been wiped out because they acted on advice to uninstall for a problem you could have fixed in 5 minutes had you been given some advance warning. It costs real time, and yes, if you don't work for free then real money, to deal with that mess. It's also very upsetting to the users. Beyond that, there are numerous already stated reasons to tweak the process from how it is done now, and even the staff agrees, which is why changes are being discussed.

Still, if you want to see the worst in something, or someone, then I can't stop you. As the famous quote goes: You can't use logic to argue someone out of a position they didn't use logic to get into.
#118
07-26-2007, 08:08 PM
quiklink
Join Date: Jun 2007
Posts: 81

Quote (originally posted by hambil):
Consider for a second that most uninstalls remove data from the database. Now consider that you have to deal with numerous angry and confused users and explain to them that the data they spent months, perhaps years, building and collecting has just been wiped out because they acted on advice to uninstall for a problem you could have fixed in 5 minutes had you been given some advance warning. It costs real time, and yes, if you don't work for free then real money, to deal with that mess. It's also very upsetting to the users. Beyond that, there are numerous already stated reasons to tweak the process from how it is done now, and even the staff agrees, which is why changes are being discussed.
None of which has anything to do with or justifies leaving the end user vulnerable.

You say their data can get wiped out; yes it can, if they haven't backed up. That's the end user's problem, not yours. Then again, if they get hit due to the vulnerability while waiting for a fix they can run into a lot worse problems. I have no problem with changing how the user is notified and what they are told; it's a good idea. But it's never a good idea to leave them vulnerable. I mean, how long is an adequate time to wait? What happens if the coder doesn't get the message about the vulnerability immediately because they are away from their computer, out of town, asleep, can't be bothered to update the code, etc.? The end user is forced to remain at risk, which is unacceptable.
#119
07-26-2007, 08:51 PM
sinisterpain
Join Date: Feb 2006
Location: New Hampshire
Posts: 571

Quote (originally posted by MicroHellas):
A first step is to inform members to Disable a product and not to uninstall it. Most members don't know that by uninstalling it they're losing their data. I realized it from the huge number of emails that I got from members asking me (but after uninstallation) if they had lost their data.
This sounds like the most logical solution for both sides.
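The two posts above (hambil's point that most uninstalls remove data from the database, and the MicroHellas advice to disable a product rather than uninstall it) describe a check a site owner can actually run before acting on a vulnerability notice: read the product's uninstall code and see whether it destroys data. The script below is an added example, not code from this thread, from vBulletin.org or from any modification discussed here. It assumes the vBulletin 3.x product-file layout, in which each `<code version="...">` element under `<codes>` carries `<installcode>` and `<uninstallcode>` PHP blocks that the product manager runs on install and on uninstall. The product id `demo_gallery`, its table and setting names, and the list of SQL verbs treated as destructive are all constructed for this example.

```python
"""Check what a vBulletin 3.x product's uninstall code would do to the database.

Added example, not code from vBulletin.org or from any modification in the
thread.  Assumes the vBulletin 3.x product-file layout: every
<code version="..."> under <codes> has <installcode> and <uninstallcode>
blocks of PHP that the product manager executes on install and uninstall.
The sample product XML below is constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a hypothetical product whose 1.0.0 uninstall code drops
# its table and deletes its settings.  Not a real modification.
SAMPLE_PRODUCT_XML = """<?xml version="1.0"?>
<product productid="demo_gallery" active="1">
  <title>Demo Gallery</title>
  <version>1.2.0</version>
  <codes>
    <code version="1.0.0">
      <installcode><![CDATA[
$db->query_write("CREATE TABLE IF NOT EXISTS " . TABLE_PREFIX . "demo_gallery (
  galleryid INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  userid INT UNSIGNED NOT NULL,
  title VARCHAR(250) NOT NULL
)");
      ]]></installcode>
      <uninstallcode><![CDATA[
$db->query_write("DROP TABLE IF EXISTS " . TABLE_PREFIX . "demo_gallery");
$db->query_write("DELETE FROM " . TABLE_PREFIX . "setting WHERE varname LIKE 'demo_gallery_%'");
      ]]></uninstallcode>
    </code>
    <code version="1.2.0">
      <installcode><![CDATA[
$db->query_write("ALTER TABLE " . TABLE_PREFIX . "demo_gallery ADD views INT UNSIGNED NOT NULL DEFAULT 0");
      ]]></installcode>
      <uninstallcode><![CDATA[
// nothing to undo for this version
      ]]></uninstallcode>
    </code>
  </codes>
</product>
"""

# SQL verbs that destroy or remove stored data, matched case-insensitively in
# the PHP of each <uninstallcode> block.  Table names are usually built from
# TABLE_PREFIX at run time, so only the verb is matched, not the table.
DESTRUCTIVE_SQL = re.compile(
    r"\b(?:DROP\s+TABLE|DELETE\s+FROM|TRUNCATE\s+TABLE|TRUNCATE|"
    r"ALTER\s+TABLE[^;\n]*?\bDROP)\b",
    re.IGNORECASE,
)


def destructive_uninstall_steps(product_xml: str) -> dict:
    """Return the product id and every destructive statement found in any
    version's uninstall code, as (version, normalised_sql_verb) pairs."""
    root = ET.fromstring(product_xml)
    findings = []
    for code in root.iterfind("./codes/code"):
        version = code.get("version", "?")
        node = code.find("uninstallcode")
        text = node.text if node is not None and node.text else ""
        for match in DESTRUCTIVE_SQL.finditer(text):
            findings.append((version, " ".join(match.group(0).split())))
    return {"productid": root.get("productid"), "findings": findings}


def recommended_action(product_xml: str) -> str:
    """'disable' when uninstalling would destroy data (set the product inactive
    in the product manager instead, which stops its plugins running);
    'uninstall' when the uninstall code touches nothing destructive."""
    report = destructive_uninstall_steps(product_xml)
    return "disable" if report["findings"] else "uninstall"


if __name__ == "__main__":
    report = destructive_uninstall_steps(SAMPLE_PRODUCT_XML)
    print(f"product {report['productid']}: {len(report['findings'])} destructive step(s)")
    for version, sql in report["findings"]:
        print(f"  uninstallcode v{version}: {sql}")
    print("recommended action:", recommended_action(SAMPLE_PRODUCT_XML))
```

Two caveats for anyone using this as a triage step. First, it only reads the XML you feed it; take a database backup before either disabling or uninstalling, as quiklink's post already assumes. Second, disabling a product only stops the code attached to its plugins/hooks; if the modification also told you to upload standalone PHP files to the forum directory, those files stay reachable on the web server and must be removed or blocked separately if the reported vulnerability lives there.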
#120
07-26-2007, 09:23 PM
bobster65
Join Date: Mar 2006
Location: Montana
Posts: 1,169

After reading this thread, I don't know who on this site to trust as an actual programmer. I know that anything that Kirby or Paul or Princeston (and a select few others) programs/writes/codes, I would trust, but beyond that, I don't know whether they are some noob/novice that learned how to hack a php script and accidentally got it working without any real knowledge of how it works, but released it as a hack/product, or whether the individual actually knows php, does it for a living (not a hobby) and cares about the script itself and not the accolades that may or may not come with it....

As a professional programmer and database admin, it disgusts me to see people that call themselves programmers want to keep a known vulnerability from an end user/client. There is NOTHING, not a darn thing, positive about this at all and it is totally unprofessional. It's your responsibility when you release code to an end user/client to also protect that client from any harm by ensuring that your code is to standard and does not have any potentially harmful vulnerabilities. If you don't know what you are doing and don't care, then don't pretend you do by releasing code to the public. Another part of being a programmer is to notify them ASAP of any known or possible vulnerabilities, assure them that you are currently working on the issue(s), give them recommendations, i.e., remove the hack until it's fixed, or continue to use the hack/code/product but inform them of what may or may not happen (leave the option to the end user to make the decision to remove it or disable it), and get them the fix ASAP.

Most programmers and end users/clients understand that you don't want to publish what the vulnerability actually is, 'cause hackers search for that stuff and then can easily do more damage.... But to sit here and argue that withholding information from an end user/client about a vulnerability is good practice is beyond me. I'm certainly adding this topic to my hiring checklist that I use to interview potential programmers. I have and probably will in the future fire someone over this unprofessional practice. I cannot believe what I've read in this thread.

It's too bad that there are not more members that REALLY care (not pretend they do) about their product. Seems like this place is getting overrun by novice hackers (I can't and won't call them programmers).

I keep reading comments about the loss of data due to uninstalls; well, that goes back to the programmer getting off his backside and giving the recommendation to the client on how to prevent that from happening while a fix/solution is being worked on. This should be included in the first post when releasing a hack/script/module/product. Anyone that has been a professional programmer knows that IT departments (good ones) have what are called disaster and recovery plans. When you release a product, you also have steps on how to deal with vulnerabilities, data loss prevention, down time, recovery, disabling, removing, etc etc etc ... I can't believe I even have to bring that up.

Recommendations:

I recommend that the wording that is sent out to members that have installed a hack that is found to contain a vulnerability be changed slightly (which I think Paul has already mentioned that it would be)....

1) I would not use the word "Uninstall" as the first course of action.

2) I would inform the end user of several courses of action that they can take, not just to uninstall.

3) I would recommend that the end user contact the author of the thread for further guidance, by first reading the thread to see if the author has posted how to deal with vulnerabilities or if the author has posted about the reported vulnerability.

4) I would assign one of the staff members to monitor the situation of the vulnerability. This would entail the staff member working with the author to ensure that a solution is being worked on, or finding out if the author has no desire to come up with a solution. This way the staff member could then tag the thread as being abandoned and vBorg could inform members that no solution to the vulnerability is being worked on by the author. They could then choose to fix it themselves, giving the members a solution, or they could inform the members that nothing will be done and the thread locked. On the other side, they could assist the author if the author requests it.

5) I would recommend that authors include procedures on how to deal with potential vulnerabilities within the release of the product.

6) I would recommend that an article be written by one of your better writers on how to deal with vulnerabilities (to prevent the loss of important data particularly). A link to this article would be included in the email sent to the end users.

7) PLEASE DO NOT stop informing members of vulnerabilities!

Anyway, I hope that the vBorg staff continues to notify members of vulnerabilities of hacks published on this site, 'cause god knows, some of the authors of these hacks certainly don't care and won't.
Closed Thread
All times are GMT.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.