The Arcive of Official vBulletin Modifications Site.

hambil · #61 07-25-2007, 12:40 AM

Quote:

Originally Posted by quiklink

So the opinions of the users of these mods doesn't matter?

Feel free to have all the opinions you want. Have an opinion party. How much they count really depends on the opinion, and how well you express it.

You were defending Jelsoft policy. Since you don't work for them, doing much more than noting your opinion on the subject and moving on, isn't very productive to the discussion.

quiklink · #62 07-25-2007, 12:46 AM

Quote:

Originally Posted by hambil

Feel free to have all the opinions you want. Have an opinion party. How much they count really depends on the opinion, and how well you express it.

You were defending Jelsoft policy. Since you don't work for them, doing much more than noting your opinion on the subject and moving on, isn't very productive to the discussion.

Yep I am defending not leaving the mod users at risk. Sorry if that seems to be a strange or unpopular choice. Where I learned programming we try to watch out for our customers rather than leave them vulnerable to attack.

I have yet to see a reasonable justification for leaving the mod users vulnerable to attack.

hambil · #63 07-25-2007, 12:54 AM

Quote:

Originally Posted by quiklink

Yep I am defending not leaving the mod users at risk. Sorry if that seems to be a strange or unpopular choice. Where I learned programming we try to watch out for our customers rather than leave them vulnerable to attack.

I have yet to see a reasonable defense for leaving the mod users vulnerable to attack.

I've given several.

1) Calling attention to a vulnerability before a fix is available actually increases the risk to the end-user.
2) Not giving clear instructions, but simply saying 'disable' or 'uninstall' will likely not remove the vulnerability is many cases, since file edits and template edits may have been made.
3) Sending these notices out over and over again, as is starting to happen now, creates an atmosphere in which the users will simply begin to ignore them, once again increasing their risk.

Now, if a fix is not provided by the author within a reasonable time frame, then pulling the hack and notifying the users is the only logical choice. But, it is not the best choice as a first line of defense.

There are reasons why Jelsoft and other companies don't operate that way. It is logical to assume they don't want to harm their customers because that's bad for business. So to believe that the policy being used here is the correct policy, you have to believe that everyone else in the industry got it wrong.

quiklink · #64 07-25-2007, 01:06 AM

Quote:

Originally Posted by hambil

I've given several.

1) Calling attention to a vulnerability before a fix is available actually increases the risk to the end-user.

That's not a good reason. They are still vulnerable to the attack. You don't know exactly how widespread the problem is before being finally notified about it. And are these notices detailing exactly how the exploit is occurring?

Quote:

2) Not giving clear instructions, but simply saying 'disable' or 'uninstall' will likely not remove the vulnerability is many cases, since file edits and template edits may have been made.

Template edits aren't usually going to be a security issue. File edits yes I agree would. While detailed removal instructions would be good, it would be difficult for vborg to give such instructions for every mod. I agree that in the graveyard the info for proper removal/uninstall should be left so that the user can get that info if they don't already have it.

Quote:

3) Sending these notices out over and over again, as is starting to happen now, creates an atmosphere in which the users will simply begin to ignore them, once again increasing their risk.

That's the end user's problem. You can't fix stupid.

Quote:

Now, if a fix is not provided by the author within a reasonable time frame, then pulling the hack and notifying the users is the only logical choice. But, it is not the best choice as a first line of defense.

What exactly is a reasonable time frame for leaving a user vulnerable? Answer: No time, they should be informed immediately. Are you willing to accept the responsibility and liability for any damage or theft of information because you didn't announce the vulnerability when you first learned about it? No I thought not...But believe it or not, an end-user could quite easily decide to haul you into court for doing just that. You can post all the disclaimers in the world and it doesn't protect you.

Quote:

There are reasons why Jelsoft and other companies don't operate that way. It is logical to assume they don't want to harm their customers because that's bad for business. So to believe that the policy being used here is the correct policy, you have to believe that everyone else in the industry got it wrong.

Everyone in the industry certainly does not do this. In fact, with most major applications the vulnerabilities are posted immediately on known sites to get the information out as fast as possible. This is often how the developers learn about the vulnerabilities in their own code in the first place.

Sorry but all I am seeing from this is an attempt by the mod developers to cover their reputations at the risk and expense of the user.

hambil · #65 07-25-2007, 01:35 AM

Quote:

Originally Posted by quiklink

Sorry but all I am seeing from this is an attempt by the mod developers to cover their reputations at the risk and expense of the user.

Well, you're wrong on pretty much all accounts, but hey, free speech man.

Neal-UK · #66 07-25-2007, 01:57 AM

Quote:

Originally Posted by hambil

This is true. Not all products 'disable' the way they should - especially if they contain file edits or template edits. Good point.

That's right, some hacks also have a seperate install funtion as well as the plugin which means that if you remove it via the plugin without doing the product uninstall via the product itself, the template and DB edits, etc. are still there and you can't re-download the files.

If a hack is marked as a security risk, the files should still be left so people can deal with the above issues. If they install it to use normally, that's their own bloody fault as they don't read or listen to the risks.

Can someone from vB.org please let me know if this will be possible?

Paul M · #67 07-25-2007, 02:16 AM

If news of an exploit has been made public (by whatever route) and the modification moved to the GY, then the files will no longer be downloadable. This means all files in the thread, we cannot seperate out individual files because they happen to be instructions - in most cases there is only one zip file anyway (containing everything).

dsotmoon · #68 07-25-2007, 10:39 AM

Quote:

Originally Posted by Paul M

If news of an exploit has been made public (by whatever route) and the modification moved to the GY, then the files will no longer be downloadable. This means all files in the thread, we cannot seperate out individual files because they happen to be instructions - in most cases there is only one zip file anyway (containing everything).

then you are just informing people of a risk but not letting them have all the tools they may need to eliminate it? infact making their vB installation more vurnerable!

Andreas · #69 07-25-2007, 10:50 AM

Well, they are advised to disable/uninstall it. If they don't do that, it's their problem really.
IMHO it's better to inform users imediately rather than having them run vulnerable code without knowing.
If they know, they can take appropriate actions - if they don't they cant.

GaryP · #70 07-25-2007, 12:28 PM

As a user of a lot of modifications on this site, I say that we should be warned of the problem with a modification as soon as the problem is highlighted. If we then opt to still use the affected modification and something happens to our site then this is our problem but if we disable or remove it then we know that we are safe.

Imagine for a minute that you buy a tin of beans from a shop. Now the next day the manufactorer finds that a bit has broke off the machine. They check the batch numbers of the beans produced since the last known time that the piece was there and then issue a recall notice with the product, description, and batch details and tell you not to eat them.

Now in the same way, vB.org has told us about the product and the version that is affected by security issues. This is something that needs to be done right away. Proper testing of modifications before they are released to the trusting non-coders should be done by the coders to make sure that this doesn't happen, although there will always be some that get through anyway.

Coders then can fix the problem, or not, as they decide while the people using the modification can see it, or not, at their own risk as they are aware that there is an issue.

Really it's like everything - if you know something is dangerous would you still do it? If going down a mountain do you take the path, the cable car or jump from the top? If you opt for the cablecar then find out that the cable is frayed, would you still use it while waiting for it to be fixed?

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.04267 seconds Memory Usage 2,265KB Queries Executed 11 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (11)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (4)pagenav_pagelink (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (10)postbit (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!