Go Back   vb.org Archive > Community Central > vBulletin.org Site Feedback
FAQ Community Calendar Today's Posts Search

Closed Thread
 
Thread Tools Display Modes
  #11  
Old 09-10-2009, 11:46 PM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

If a modification is quarantined because of a security problem and the details of the problem were posted, then I think that would be a pretty stupid thing for us to do. It would just make it that much easier for those who have nothing better to do than hack boards to go around testing for the flaw in the mod.

If I were you, and I got a notice that a modification I had installed was quarantined, I think I would assume there is something wrong with it and disable it until a fix is posted.
  #12  
Old 09-11-2009, 12:00 AM
JacquiiDesigns's Avatar
JacquiiDesigns JacquiiDesigns is offline
 
Join Date: Dec 2008
Location: Tennessee
Posts: 687
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

That's just it Lynne - I dare say a good majority of times there is no fix posted. Posting the details of the problem or adding it to the email notice wouldn't be stupid - sometimes I've seen exploits posted over at milw0rm before it's even talked about on vB.org --- IDK - I just believe it's a solid idea that people who have marked a modification as installed be included in the discourse - ya know that saying about "knowledge is golden" and all... Oh wait - that's "silence is golden" -- but still the same concept I guess. Anyway - it's just frustrating to be told that a modification has been quarantined and simultaneously be told absolutely nothing at the same time.

Jacquii.
  #13  
Old 09-11-2009, 12:13 AM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I still disagree that it would be a good idea to go into details about the exact exploit. I do, however, think that the email would be better done to state whether it is an exploit and then strongly recommend that users disable it. Right now, it simple suggests you may want to consider it disabling a mod, whereas I think if it is an exploit, it should recommend, not ask you to consider, disabling it. The email also doesn't say if it is an exploit or not, and I see no problem with the email saying that if that were the case. My opinion, of course.
  #14  
Old 09-11-2009, 01:21 AM
JacquiiDesigns's Avatar
JacquiiDesigns JacquiiDesigns is offline
 
Join Date: Dec 2008
Location: Tennessee
Posts: 687
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Lynne View Post
I still disagree that it would be a good idea to go into details about the exact exploit.... The email also doesn't say if it is an exploit or not, and I see no problem with the email saying that if that were the case.
I think what I'm trying to espouse is that "no info" is simply horrid. For me "all-inclusive info share" is ideal - because I honestly think there's absolutely no point in even sending out the quarantine email if there is no further info included with it. That's like saying, "The mod you've downloaded/installed is no longer available for download/install. But HA! We're not gonna tell you what's wrong with it. In fact - FU!" -- That's probably very crass - but that's exactly how I've translated the scenario...

Of course - I'm of the school that the graveyard and quarantined modifications should still be allowed download access, if only for purposes of fixing and/or improving the modification so that it may be shared once again within the vB Community. I think if one cannot access the download - then the download really has no business being shown in the first place. What? Are we trying to tease each other here?

Simply put - I'm only thinking of those who have downloaded and installed such a quarantined or graveyarded modification. Perhaps not everyone should have access to the info or downloaded files (if even available) - but those who have at least clicked the install button should be given some sort of details. The idea here is to have a board which is SECURE from exploits, as well as modified to our liking. And if a modification is no longer classified as secure and quarantined as such - then it's not only the responsibility of the board owner to take appropriate action BUT it's ALSO the responsibility of vBulletin.org to provide all information available so that Members CAN take the appropriate action for the security of their forum.

That's what I'm saying - and yes - It's my opinion. Anyway - I hope this better explains the reason for my original post.

Jacquii.
  #15  
Old 09-11-2009, 08:35 AM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Ok let me start by addressing some of the issues you raise in this thread.

There are only 2 situations in which a modification is quarantined:

- A (possible) exploit has been discovered. As per our Mod Exploit Guidelines we will snet out a warning email to all that have marked the modification as installed. Such an email is only sent in case of an exploit. So if you receive such an email it is to warn you about a possible vulnerability.
- The modification is breaking a rule that can be resolved. No email to the users is sent in this case as this is a private issue between vB.org (rules) and the author.

Details of a possible vulnerability are only sent to the coder and not to the users. We have no intention to change this. But if you think that we should update our text to make it more clear that the email was sent because of a possible vulnerability, then feel free to suggest an alternative text. But the current text was made after discussions with members.

Files are not available for download when a modification is quarantined. One of the reasons for this is not to help potential hackers to exploit such a vulnerability before a fix is provided by the author. But also the current version might not be available anymore.

Files can become unavailable for many reasons, in most of the situations these files are either deleted or can not be shared anymore for copyright issues. This is not limited to a quarantined modification. For this reason it is always your own responsibility to ensure that you can uninstall a modifiction, even if the files are not available anymore. There are many ways to solve this, most people simply save a copy of a modification when they install it. You can try to make this our responsibility, but how you run your board is really your own.

Now let's address your complaint on how you are treated by staff.

- You start a thread on a topic that has already been discussed before, and you know this. Now i don't have a problem with someone making a suggestion again, but you bring no new arguments, you only repeat the same as in older threads on this topic. Not a surprise that you will receive the same answers.
- The title of your post is not like your intentions are to make a serious suggestion, it is more the start of a rant: Concerned about another quarantine email I received. Does vB.org just not give a damn. If it had been only the first sentence it would have been fine, but by adding that vb.org doesn't give a damn you are already paving the way to get a negative response by staff.
- "Why the HELL are the people who have marked the modification as installed not given the reason for the quarantine?" Why the need to use langauge like "Why the HELL". Also you are asking a question that has been answered to before.
- "And it's my assumption that vB.org just does not give a damn about its Members' board security if the only thing to do is send that bogus email as quoted above." Again, no positive suggestions, only a rant. If you think these mails are bogus then this would invalidate most of your rant. If you don't want them, don't mark modifications as installed. Sending out a warning is a service we provide to our members to help them mitigate security issues.

How do you think staff should respond when you only post a rant about things already discussed before in such a negative way?

I won't go anyalyzing your other posts in this thread as i think i already gave enough examples from your first post in this thread, but your responses only go further down the road.
  #16  
Old 09-11-2009, 10:58 AM
Shelley_c's Avatar
Shelley_c Shelley_c is offline
 
Join Date: Jan 2006
Location: United Kingdom
Posts: 1,992
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Suggestion - Extract the uninstall .txt file from the .zip archive and allow members to view this. Not a fully fledged solution if the file didn't come with uninstall instructions but it's something. I'm guessing that a proportion of scripts that have an exploit found within them will have a .txt file within the archive and or/post.
  #17  
Old 09-11-2009, 11:09 AM
Paul M's Avatar
Paul M Paul M is offline
 
Join Date: Sep 2004
Location: Nottingham, UK
Posts: 23,748
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

The mod in question consists entirely of a single product, all that is needed (if you so wish) is to disable it.
  #18  
Old 09-11-2009, 02:35 PM
kevcj's Avatar
kevcj kevcj is offline
 
Join Date: Mar 2007
Location: East Texas
Posts: 334
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Does vB.org just not give a damn

I'am a member of a LOT of CMS and forum sites, and vb.org is probably the only one that sends out a notification when a security issue is found. If they did not care, they would not disable the mod and send out an email. In fact, its just the opposite, they do care.

If you do not know how to uninstall a modification - that is your own fault. Always keep a backup of the modifications that you have downloaded.

It is not vbulletins place to discuss security issues - you need to contact the developer about that. Better yet, remove the modification from your forum and wait for an update. The more time a developer has to spend answering emails and private messages, the less time they have to work on a fix.
  #19  
Old 09-11-2009, 05:48 PM
JacquiiDesigns's Avatar
JacquiiDesigns JacquiiDesigns is offline
 
Join Date: Dec 2008
Location: Tennessee
Posts: 687
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Marco van Herwaarden View Post
Ok let me start by addressing some of the issues you raise in this thread.

There are only 2 situations in which a modification is quarantined:

- A (possible) exploit has been discovered. As per our Mod Exploit Guidelines we will snet out a warning email to all that have marked the modification as installed. Such an email is only sent in case of an exploit. So if you receive such an email it is to warn you about a possible vulnerability.
- The modification is breaking a rule that can be resolved. No email to the users is sent in this case as this is a private issue between vB.org (rules) and the author.

Details of a possible vulnerability are only sent to the coder and not to the users. We have no intention to change this. But if you think that we should update our text to make it more clear that the email was sent because of a possible vulnerability, then feel free to suggest an alternative text. But the current text was made after discussions with members.

Files are not available for download when a modification is quarantined. One of the reasons for this is not to help potential hackers to exploit such a vulnerability before a fix is provided by the author. But also the current version might not be available anymore.

Files can become unavailable for many reasons, in most of the situations these files are either deleted or can not be shared anymore for copyright issues. This is not limited to a quarantined modification. For this reason it is always your own responsibility to ensure that you can uninstall a modifiction, even if the files are not available anymore. There are many ways to solve this, most people simply save a copy of a modification when they install it. You can try to make this our responsibility, but how you run your board is really your own.

Now let's address your complaint on how you are treated by staff.

- You start a thread on a topic that has already been discussed before, and you know this. Now i don't have a problem with someone making a suggestion again, but you bring no new arguments, you only repeat the same as in older threads on this topic. Not a surprise that you will receive the same answers.
- The title of your post is not like your intentions are to make a serious suggestion, it is more the start of a rant: Concerned about another quarantine email I received. Does vB.org just not give a damn. If it had been only the first sentence it would have been fine, but by adding that vb.org doesn't give a damn you are already paving the way to get a negative response by staff.
- "Why the HELL are the people who have marked the modification as installed not given the reason for the quarantine?" Why the need to use langauge like "Why the HELL". Also you are asking a question that has been answered to before.
- "And it's my assumption that vB.org just does not give a damn about its Members' board security if the only thing to do is send that bogus email as quoted above." Again, no positive suggestions, only a rant. If you think these mails are bogus then this would invalidate most of your rant. If you don't want them, don't mark modifications as installed. Sending out a warning is a service we provide to our members to help them mitigate security issues.

How do you think staff should respond when you only post a rant about things already discussed before in such a negative way?

I won't go anyalyzing your other posts in this thread as i think i already gave enough examples from your first post in this thread, but your responses only go further down the road.
Marco - My intentions with posting this thread was NOT TO START A FLAME WAR - it was to make a suggestion! Instead of treating this thread as some "ranting of Jacquii" as you obviously have done - you can analyze the content of my SUGGESTION:

Quote:
The idea here is to have a board which is SECURE from exploits, as well as modified to our liking. And if a modification is no longer classified as secure and quarantined as such - then it's not only the responsibility of the board owner to take appropriate action BUT it's ALSO the responsibility of vBulletin.org to provide all information available so that Members CAN take the appropriate action for the security of their forum.
If you cannot see that as a valid - then YES - It seems as if vB.org just not give a damn- in fact - why not just close the thread as AGAIN it's quite apparent that another suggestion for the betterment of vBulletin.org and for the security of Members' forums will not be considered.

Jacquii.

btw - Thanks a lot for that bogus infraction. I do not see how any of my posts in this thread deserve an infraction. It's ridiculous - but I've come to expect absolutely nothing better from the likes of you Marco.

--------------- Added [DATE]1252695192[/DATE] at [TIME]1252695192[/TIME] ---------------

Quote:
Originally Posted by Paul M View Post
The mod in question consists entirely of a single product, all that is needed (if you so wish) is to disable it.
Paul - This thread is not about "the mod in question" -- This thread is regarding ANY AND ALL modifications which may have been quarantined and/or graveyarded. Your comment is exactly the kind which lead to the 2nd sentence of the thread title "Does vB.org just not give a damn" --- Meh.

Jacquii.

--------------- Added [DATE]1252695628[/DATE] at [TIME]1252695628[/TIME] ---------------

Quote:
Originally Posted by kevcj View Post
It is not vbulletins place to discuss security issues....
Yes it IS! This is an official vBulletin modification site. If vBulletin is not to care about the security of its Members purchased products, then who is? And yes - I know - vBulletin cannot officially blablabla offer support for modified boards blablabla... But the gist of my suggestion and others who have made the same suggestion is that vBulletin.org should have a policy in place which actually is for the security of Members' boards.

I don't understand what's so difficult to grasp about the concept... And again - this is the type of comment which makes me ask, "Does vB.org just not give a damn?" --- hmmm perhaps that is an incendiary, not-quite-tactful way to phrase the question and I just did not realize it. Meh. That's not to say that it's not a damn good question though. I think it is - and obviously the vB.org Coordinator and one of the Administrator have answered with an overt, "Nope. Sure doesn't. And neither do I."

Oh well...

Jacquii.
  #20  
Old 09-11-2009, 06:41 PM
kevcj's Avatar
kevcj kevcj is offline
 
Join Date: Mar 2007
Location: East Texas
Posts: 334
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by JacquiiCooke View Post
Yes it IS! This is an official vBulletin modification site. If vBulletin is not to care about the security of its Members purchased products, then who is?

Jacquii.
Is it Fords responsibility to discuss a flaw in Firestone tires? Nope.
Is it Dodges responsibility to discuss a flaw in Goodyear tires? Nope.
Is it Dells responsibility to discuss a flaw in Norton Anti-Virus? Nope.

You buy a product, any modifications or add-ons you install later on are NOT the responsibility of the original manufacture.

If you use cheap motor oil in your car, and your motor burns up; its not GM, Ford, Toyota, Dodge, Nissans,,, fault that you used a cheap motor oil.

Jelsoft has provided you with a product - anything you do to that product besides the default install is your responsibility.
Closed Thread


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 12:03 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.05017 seconds
  • Memory Usage 2,285KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (7)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (3)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete