  #41  
Old 07-24-2007, 01:57 PM
Clayton Clayton is offline
 
Join Date: Nov 2004
Posts: 216

Quote:
Originally Posted by deezelpope View Post
Noooo, he's not saying that at all. I believe he's saying that he would rather have a board with zero modifications, rather than have a board that was defaced by hackers due to exploited modifications or modifications with security issues.

to be absolutely honest, if it were not for vb.org and the various hacks then vbulletin would be simply another set of forums

@marco

adding fuel to fire should be left to trolls


thanks jammiegirl for a level headed approach



as mentioned hopefully this can be avoided in the future
  #42  
Old 07-24-2007, 02:51 PM
deezelpope deezelpope is offline
 
Join Date: Feb 2007
Posts: 1,272

Quote:
Originally Posted by MicroHellas View Post
Funny!! That's why I wrote "I apologize etc etc". I don't know the meaning of "deface". I got the meaning of "full of" as the other member wrote above.
I'm sorry...I used the term "defaced" in my post, not realizing you did not know. Defacing is a very bad thing...
Quote:
Originally Posted by Clayton View Post
to be absolutely honest, if it were not for vb.org and the various hacks then vbulletin would be simply another set of forums

@marco

adding fuel to fire should be left to trolls


thanks jammiegirl for a level headed approach



as mentioned hopefully this can be avoided in the future
Oh, you're absolutely right! Even though I'm through modifying my own board (I think), I still love coming here to see the new mods. But seeing good mods end up in The Graveyard makes me sad.

You're welcome...I try! Hehe...you called me "jammiegirl"...how cute!
  #43  
Old 07-24-2007, 05:52 PM
hambil hambil is offline
 
Join Date: Jun 2004
Location: Seattle
Posts: 1,719

Quote:
Originally Posted by Clayton View Post
finding a solution to the problems is number one, which should always be the aim

however

as mentioned by microhellas, you don't find vBulletin sending out an email to all their users, when they find a vulnerability, to uninstall their software. They work to first find a solution.

to see how an email was sent out to all the users of Microhellas' hacks before finding a solution with the author was (imo) irresponsible and it has led to a valid contributor now making her hacks unavailable to the users of vb.org

I can see her point, the email sent out creates alarm (which from a business point of view for her is plain destructive) and causes the users of her products to get the impression that there is something inferior or wrong with her products

in this instance a solution was easily found by the author and this whole scenario could have been avoided

hopefully those involved can learn from this

Thank you everyone for working to provide a service of value to all users
Been here, had this argument, lost it, and that's why my hacks are no longer available here either. Glad to see I'm not alone in feeling this way, though
  #44  
Old 07-24-2007, 06:47 PM
Paul M Paul M is offline
 
Join Date: Sep 2004
Location: Nottingham, UK
Posts: 23,748

Quote:
Originally Posted by Clayton View Post
when exploits are found with vBulletin they do not send out an email to all their users telling them to uninstall.
What Jelsoft do is not relevant - they own and write vbulletin, so they simply fix any exploits and advise you to upgrade.

vbulletin.org do not own/control/write the modifications so they advise you to uninstall - whether you take that advice is entirely up to you.

Quote:
This modification contains an xxxxx vulnerability. You are hereby advised to uninstall this modification until such time that the author provides a fix.
-- vBorg Staff
  #45  
Old 07-24-2007, 07:31 PM
Wayne Luke Wayne Luke is offline
Senior Member
 
Join Date: Jan 2002
Location: Southern California
Posts: 1,694

Wouldn't it be much better for the people involved to do this:

1) Modification is reported with an exploit and it is verified.

2) Staff member puts an "Exploit found" flag on the modification. Within a notes field, the staff member can document the exploit and add any other necessary comments. When they save it, an email is fired off to the Author(s) of the addon.

3) The flag above also puts a notice on the addon and prohibits new users from downloading it until a new version is uploaded by the author. People who have already marked it as installed can still download it but a warning is shown on the first post in nice bright, eye-catching letters. This could also send the email out to users who have installed it. The text of which could be modified to something like:

Quote:
A vulnerability in XXX modification has been reported and confirmed. We have notified the author about this and are awaiting a fix for the issue. At this time it is advised to disable this addon on your site. To get more information about this issue please visit the modification support thread at:

4) Staff looks at new version, if okay then flag is removed and everyone goes about their merry business.

This would prevent moving addons to the "graveyard", give authors time to fix the problem and not make the exploit available to new users. Current customers can continue to get support. Addon authors keep their work and such and less work overall for the staff here. Seems like it would be win-win-win all-around.

It seems most of this system is in place. Just a little different way of handling it
  #46  
Old 07-24-2007, 07:51 PM
hambil hambil is offline
 
Join Date: Jun 2004
Location: Seattle
Posts: 1,719

Quote:
Originally Posted by Wayne Luke View Post
Wouldn't it be much better for the people involved to do this:

1) Modification is reported with an exploit and it is verified.

2) Staff member puts an "Exploit found" flag on the modification. Within a notes field, the staff member can document the exploit and add any other necessary comments. When they save it, an email is fired off to the Author(s) of the addon.

3) The flag above also puts a notice on the addon and prohibits new users from downloading it until a new version is uploaded by the author. People who have already marked it as installed can still download it but a warning is shown on the first post in nice bright, eye-catching letters. This could also send the email out to users who have installed it. The text of which could be modified to something like:




4) Staff looks at new version, if okay then flag is removed and everyone goes about their merry business.

This would prevent moving addons to the "graveyard", give authors time to fix the problem and not make the exploit available to new users. Current customers can continue to get support. Addon authors keep their work and such and less work overall for the staff here. Seems like it would be win-win-win all-around.

It seems most of this system is in place. Just a little different way of handling it
For what it's worth, I would fully support this. Thanks Wayne.
  #47  
Old 07-24-2007, 08:32 PM
-=Sniper=- -=Sniper=- is offline
 
Join Date: May 2002
Posts: 605

That would be much better but as the author I still want to have the opportunity to FIX the issue and send the security issue message at the SAME TIME. Rather than leaving users waiting for a fix! If I don't update it yeh sure send the message but the opportunity needs to be there.
  #48  
Old 07-24-2007, 09:08 PM
dsotmoon dsotmoon is offline
 
Join Date: Jun 2003
Location: VA - USA
Posts: 194

i think wayne should be running things here because his ideas make a lot more sense than what's happening right now
  #49  
Old 07-24-2007, 09:11 PM
Neal-UK Neal-UK is offline
 
Join Date: Feb 2004
Location: Lancashire, England
Posts: 604

Please leave the install .txt file on graveyarded modifications and a list of files that would have been added to the server and their location.

If it's a file that causes the problem, then removing the plugin only will not stop the risk, IMO.
  #50  
Old 07-24-2007, 09:12 PM
hambil hambil is offline
 
Join Date: Jun 2004
Location: Seattle
Posts: 1,719

Quote:
Originally Posted by Neal-UK View Post
Please leave the install .txt file on graveyarded modifications and a list of files that would have been added to the server and their location.

If it's a file that causes the problem, then removing the plugin only will not stop the risk, IMO.
This is true. Not all products 'disable' the way they should - especially if they contain file edits or template edits. Good point.