The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
|
|||||||
|
#111
07-26-2007, 12:49 PM
|
||||
|
||||
As I said in another thread - it may just be a matter of perception (god knows I have that problem, too) but those kind of responses, given how and where they were, feel like attempts to shut down discussion. Sometimes they are even accompanied by the closing of the thread.
|
|
#112
07-26-2007, 01:14 PM
|
|||
|
|||
|
Quote:
In the above post Paul replied to the suggestion to let staff check all modifications before making them available to the public. He responded that this is unlikely to happen in the foreseeable future. (Some reasons for this reply are simple: Not enough staff to do so - we tried to setup such a thing with volunteer members performing this in the past but that did not get enough volunteers for a longer period of time - and the fact that if we "aprove" a modification we might be implicit liable for anything vulnerability that we miss) The thread you are reffering to is on a totally different topic (advice to users in case of a found vulnerability) and we have never said (on the contrary even) that we would not reconsider the current message sent to users. |
|
#113
07-26-2007, 02:52 PM
|
||||
|
||||
|
Quote:
You might also be interested to know that I am not the one who found the vulnerabilities in your modifications, I'm merely the one that confirmed their existence. In any event, I suggest you focus more on coding according to vBulletin's standards instead of attempting to analyze someone based solely on the contents of their profile. 
|
|
#114
07-26-2007, 03:19 PM
|
|||
|
|||
|
hum, interesting, now we're on personal attacks... flaming is not permitted here, so please, everybody, behave correctly, or just quit discutting...
|
|
#115
07-26-2007, 03:44 PM
|
||||
|
||||
|
Quote:
Quote:
I suggst you concentrate on posting useful suggestions instead of some of the not so useful posts you seem to be making recently - and try not to engage in pointless arguments over the wording of posts (mine or anyone elses). |
|
#116
07-26-2007, 07:29 PM
|
|||
|
|||
|
Quote:
Keep up the good work, vbulletin.org - it's good to know you'll let mod users know of vulnerabilities. |
|
#117
07-26-2007, 08:06 PM
|
||||
|
||||
|
Quote:
Still, if you want to see the worst in something, or someone, then I can't stop you. As the famous quote goes: You can't use logic to argue someone out of a position they didn't use logic to get into. |
|
#118
07-26-2007, 08:08 PM
|
|||
|
|||
|
Quote:
You say it their data can get wiped out, yes it can if they haven't backed up. That's the end user's problem not yours. Then again if they get hit due to the vulnerability while waiting for a fix they can run into a lot worse problems. I have no problem with changing how the user is notified and what they are told, it's a good idea. But it's never a good idea to leave them vulnerable. I mean how long is an adequate time to wait? What happens if the coder doesn't get the message about the vulnerability immediately because they are away from their computer, out of town, asleep, can't be bothered to update the code, etc? The end user is forced to remain at risk which is unacceptable. |
|
#119
07-26-2007, 08:51 PM
|
||||
|
||||
|
Quote:
|
|
#120
07-26-2007, 09:23 PM
|
||||
|
||||
|
After reading this thread, I don't know who on this site to trust as an actual programmer. I know that anything that Kirby or Paul or Princeston (and a select few others) programs/writes/codes, I would trust, but beyond that, I don't know whether they are some noob/novice that learned how to hack a php script and accidently got it working without any real knowledge of how it works, but released it as a hack/product or whether the individual actually knows php, does it for a living (not a hobby) and cares about the script itself and not the acolades that may or may not come with it....
As a professional programmer and database admin, it disgusts me to see people that call themselves programmers want to keep a known vulnerability from an end user/client. There is NOTHING, not a darn thing positive about this at all and is totally unprofessional. Its your responsibility when you release code to an end user/client to also protect that client from any harm by insuring that your code is to standard and does not have any potentially harmful vulnerabilities. If you don't know what you are doing and don't care, then don't pretend you do by releasing code to the public. Another part of being a programmer is to notify them ASAP of any known or posible vulnerabilities, ensure them that you are currently working on the issue(s), give them recommendations, ie, remove the hack until its fixed, continue to use the hack/code/product but inform them of what may or may not happen,(leave the option to the end user to make the decision to remove it or disable it) and get them the fix ASAP. Most programmers and end users/clients understand that you don't want to publish what the vulnerability actually is, cause hackers search for that stuff and then can easily do more damage.... But to sit here and argu that withholding information from an end user/client about a vulnerability is good practice is beyond me. Im certainly adding this topic to my hiring check list that I use to interview potential programmers. I have and probably will in the future fire someone over this unprofessional practice. I can not believe what I've read in this thread. Its too bad that there are not more members that REALLY care (not pretend they do) about their product. Seems like this place is getting over run by novice hackers (I can't and won't call them programmers). I keep reading comments about the loss of data due to uninstalls, well, that goes back to the programmer getting off his back side and giving the recommendation to the client on how to prevent that from happening while a fix/solution is being worked on. This should be included in the first post when releasing a hack/script/module/product. Anyone that has been a professional programmer knows that IT departments (good ones) have what are called disaster and recovery plans. When you release a product, you also have steps on how to deal with vulnerabilities, data loss prevention, down time, recovery, disabling, removing, etc etc etc ... I can't believe I even have to bring that up. Recommendations: I recommend that the wording that is sent out to members that have installed a hack that is found to contain a vunerability be changed slightly (which I think Paul has already mentioned that it would be).... 1) I would not use the word "Uninstall" as the first course of action. 2) I would inform the end user of several courses of action that they can take, not just to uninstall. 3) I would recommend that the end user contact the author of the thread for further guidance by first reading the thread to see if the author has posted how to deal with vulnerabilties or if the author has posted about the reported vulnerability. 4) I would assign one of the staff members to monitor the situation of the vulnerability. This would entale the staff member working with the author to ensure that a solution is being worked on or if the author has no desire come up with a solution. This way the staff member could then tag the thread as being abandon and vBorg could inform members that no solution to the vulnerability is being worked on by the author. They could then choose to fix it themselves giving the members a solution or they could inform the members that nothing will be done and the thread locked. On the other side, they could assist the author if the author requests it. 5) I would recommend that authors include procedures on how to deal with potential vulnerabilities within the release of the product. 6) I would recommend that an article be written by one of your better writers on how to deal with vulnerabilties (to prevent the loss of important data particularly). A link to this article would be included in the email sent to the end users. 5) PLEASE DO NOT stop informing members of vulnerabilties! Anyway, I hope that the vBorg staff continues to notify members of vulnerabilities of hacks published on this site, cause god knows, some of the authors of these hacks certainly don't care and won't. |
 |
«
Previous Thread
|
Next Thread
»
Linear Mode
|
|
All times are GMT. The time now is 09:52 AM.