  #51  
Old 07-24-2007, 09:30 PM
dsotmoon dsotmoon is offline
 
Join Date: Jun 2003
Location: VA - USA
Posts: 194

Quote:
Originally Posted by hambil View Post
This is true. Not all products 'disable' the way they should - especially if they contain file edits or template edits. Good point.

I have just run into a problem uninstalling one in the graveyard, I uninstalled but it left a graphic behind that now I cannot find how to remove, searching for it in templates does not find it and the thread is locked so I can't ask questions and it's a hack so vB.com won't support my problem

come on vB.org, this was not thought through
  #52  
Old 07-24-2007, 09:30 PM
Wayne Luke Wayne Luke is offline
Senior Member
 
Join Date: Jan 2002
Location: Southern California
Posts: 1,694

Quote:
Originally Posted by dsotmoon View Post
I think Wayne should be running things here because his ideas make a lot more sense than what's happening right now
Not my job. The people in charge here are more than capable. The system just seems to need some refinement and I am sure they can do that. I am just putting in a suggestion as a user of the site.
  #53  
Old 07-24-2007, 09:57 PM
quiklink quiklink is offline
 
Join Date: Jun 2007
Posts: 81

Quote:
Originally Posted by -=Sniper=- View Post
That would be much better but as the author I still want to have the opportunity to FIX the issue and send the security issue message at the SAME TIME. Rather than leaving users waiting for a fix! If I don't update it yeh sure send the message but the opportunity needs to be there.
In the meantime while they are waiting for you to fix the problem, upload the update, and verify that it corrects the security issue, everyone who has the mod on their site is sitting vulnerable. By sending the emails out immediately the end user now is aware that there is a security issue and can decide for themselves whether or not to remove the mod until it is fixed.
  #54  
Old 07-24-2007, 10:35 PM
-=Sniper=- -=Sniper=- is offline
 
Join Date: May 2002
Posts: 605

@quiklink;

ok, so WILL you uninstall vBulletin if it had a security issue? yes or no? will you uninstall a hack or no? please don't answer! Why don't Jelsoft inform me about security issues when discovered but only when they have published the fix?

Do you feel the same way about vBulletin as a standalone product?

You have to understand the issue was reported privately hence no one knows about it (or very few) so the author has the opportunity to fix it and tell users at the same time. Now if someone made the security issue public, fair enough you would inform as many users as possible, since someone will now try to exploit the issue no doubt.

Now if you ask users to uninstall mods, e.g. if you had articles mod, six months later there is a security issue, by now the site might have plenty of articles etc and on uninstall everything will be lost, would you want that? you have to understand not everyone is technically minded or even simple things like uninstalling or disabling would mean the same thing to them...

as always there are pro/cons to every procedure.
  #55  
Old 07-24-2007, 11:29 PM
quiklink quiklink is offline
 
Join Date: Jun 2007
Posts: 81

Quote:
Originally Posted by -=Sniper=- View Post
@quiklink;

ok, so WILL you uninstall vBulletin if it had a security issue? yes or no? will you uninstall a hack or no? please don't answer! Why don't Jelsoft inform me about security issues when discovered but only when they have published the fix?
While owned by Jelsoft, this site has nothing to do with security on vBulletin. I keep seeing many make this comparison and it doesn't wash, not to mention the liability issue to Jelsoft should they know of a vulnerability in a mod and not make it known. It's one thing to have a liability on your own product, it's quite another to assume potential liability on a 3rd party product. And regardless of what Jelsoft does with its own products, what YOU are doing is advocating allowing the end users to remain vulnerable for a security issue you created.

Quote:
Do you feel the same way about vBulletin as a standalone product?
Jelsoft's practices have no bearing on this discussion because these are not Jelsoft mods.

Quote:
You have to understand the issue was reported privately hence no one knows about it (or very few) so the author has the opportunity to fix it and tell users at the same time. Now if someone made the security issue public, fair enough you would inform as many users as possible, since someone will now try to exploit the issue no doubt.
Obviously at least one person knows of the vulnerability, there quite possibly could be many others who are choosing to exploit the vulnerability rather than announce it. Again, you advocate allowing this to happen.

Quote:
Now if you ask users to uninstall mods, e.g. if you had articles mod, six months later there is a security issue, by now the site might have plenty of articles etc and on uninstall everything will be lost, would you want that? you have to understand not everyone is technically minded or even simple things like uninstalling or disabling would mean the same thing to them...
It's up to the end user to make that decision. You have no right to make it for them and you have a responsibility to inform them of the vulnerability immediately so that they may protect themselves from harm through code you produced.


Quote:
as always there are pro/cons to every procedure.
There is no pro to your argument. Only cons, and the con is to the end user you want to keep at risk to protect your own reputation.
  #56  
Old 07-24-2007, 11:56 PM
-=Sniper=- -=Sniper=- is offline
 
Join Date: May 2002
Posts: 605

Quote:
While owned by Jelsoft, this site has nothing to do with security on vBulletin. I keep seeing many make this comparison and it doesn't wash, not to mention the liability issue to Jelsoft should they know of a vulnerability in a mod and not make it known. It's one thing to have a liability on your own product, it's quite another to assume potential liability on a 3rd party product. And regardless of what Jelsoft does with its own products, what YOU are doing is advocating allowing the end users to remain vulnerable for a security issue you created.
Have I said Jelsoft should be held responsible for anything made by 3rd party, where SHOW ME! Jelsoft choose not to inform users when they discover a security issue but only and as quickly as they release the fix.

So it's fine for Jelsoft not to inform its users but not me? you don't seem to make sense, you are asking me to inform all my hack users, then why not Jelsoft?

Quote:
Jelsoft's practices have no bearing on this discussion because these are not Jelsoft mods.
who said it does? so you like Jelsoft practices but not mine, it's a shame that the practices are exactly the same! yet you see a difference? I want to try and make sure when I inform users of a security issue I issue the fix at the same time, if I am unable to fix it's fair to say I should inform them within 24 hours IF I can't fix it!

Quote:
Obviously at least one person knows of the vulnerability, there quite possibly could be many others who are choosing to exploit the vulnerability rather than announce it. Again, you advocate allowing this to happen.
the same again applies with every script out there no matter who creates it, if no one reports a security issue, it won't be fixed. Remember the user reporting has done so in good faith so the issue can be fixed, no doubt there are users who won't report it and rather take advantage. Once an issue becomes public it becomes a race to get the fix out before even more users are able to take advantage. Now the minority has become the majority. And now there's more pressure on the mod creator.

Quote:
It's up to the end user to make that decision. You have no right to make it for them and you have a responsibility to inform them of the vulnerability immediately so that they may protect themselves from harm through code you produced.
Wait so Jelsoft have the right to make the decision for you and I don't? why not me? Where's my right? So you trust Jelsoft more than the coders here.

Quote:
There is no pro to your argument. Only cons, and the con is to the end user you want to keep at risk to protect your own reputation
wait don't Jelsoft do that?

I'm sorry for using Jelsoft as an example I'm sure there's more out there.
  #57  
Old 07-25-2007, 12:02 AM
hambil hambil is offline
 
Join Date: Jun 2004
Location: Seattle
Posts: 1,719

Quote:
Originally Posted by quiklink View Post
While owned by Jelsoft, this site has nothing to do with security on vBulletin. I keep seeing many make this comparison and it doesn't wash, not to mention the liability issue to Jelsoft should they know of a vulnerability in a mod and not make it known.
Jelsoft has made it abundantly clear they have no liability for any mods on this site, period.

@Sniper: I'd focus your arguments on staff and not get sidetracked by posts from members, for what my opinion is worth
  #58  
Old 07-25-2007, 12:04 AM
-=Sniper=- -=Sniper=- is offline
 
Join Date: May 2002
Posts: 605

Quote:
Originally Posted by hambil View Post
Jelsoft has made it abundantly clear they have no liability for any mods on this site, period.

@Sniper: I'd focus your arguments on staff and not get sidetracked by posts from members, for what my opinion is worth
thanks will do

it's a shame there are narrow-minded people out there...doh.
  #59  
Old 07-25-2007, 12:04 AM
nexialys
Guest
 
Posts: n/a

Quote:
Originally Posted by Wayne Luke View Post
I am just putting in a suggestion as a user of the site.
damn Wayne, it's time to drop that user title then.. lol..
  #60  
Old 07-25-2007, 12:11 AM
quiklink quiklink is offline
 
Join Date: Jun 2007
Posts: 81

Quote:
Originally Posted by -=Sniper=- View Post
Have I said Jelsoft should be held responsible for anything made by 3rd party, where SHOW ME! Jelsoft choose not to inform users when they discover a security issue but only and as quickly as they release the fix.

So it's fine for Jelsoft not to inform its users but not me? you don't seem to make sense, you are asking me to inform all my hack users, then why not Jelsoft?
So because Jelsoft follows such a practice that makes it ok for you to do so?

Quote:
who said it does? so you like Jelsoft practices but not mine, it's a shame that the practices are exactly the same! yet you see a difference? I want to try and make sure when I inform users of a security issue I issue the fix at the same time, if I am unable to fix it's fair to say I should inform them within 24 hours IF I can't fix it!
We aren't talking about Jelsoft, though you keep trying to use them as your defense. So again you advocate leaving the end user and their customers vulnerable to cover your own reputation. Nice.

Quote:
the same again applies with every script out there no matter who creates it, if no one reports a security issue, it won't be fixed. Remember the user reporting has done so in good faith so the issue can be fixed, no doubt there are users who won't report it and rather take advantage. Once an issue becomes public it becomes a race to get the fix out before even more users are able to take advantage. Now the minority has become the majority. And now there's more pressure on the mod creator.
You have no idea if the exploit has already been known by others and is only now being reported by a responsible person. But apparently the risk to the people who are using your mods means nothing to you save what it means to your reputation should it be found out that your mod has a security flaw.

Quote:
Wait so Jelsoft have the right to make the decision for you and I don't? why not me? Where's my right? So you trust Jelsoft more than the coders here.
Again, quit trying to use Jelsoft's practices as an excuse for your own. If you or I have an issue with how Jelsoft handles security for vBulletin it belongs over at the vb.com site, not here. We are talking about security risks in the mods available here.

Quote:
Originally Posted by hambil View Post
Jelsoft has made it abundantly clear they have no liability for any mods on this site, period.
That means absolutely nothing and would not prevent Jelsoft from being dragged into court should someone decide to sue them over a vulnerability in a mod obtained from here. It also does not necessarily mean they will win either, particularly if they were aware of a security vulnerability in a given mod and allowed it to continue to be available and did not warn those who had it installed.

Quote:
Originally Posted by hambil View Post
Jelsoft has made it abundantly clear they have no liability for any mods on this site, period.

@Sniper: I'd focus your arguments on staff and not get sidetracked by posts from members, for what my opinion is worth
So the opinions of the users of these mods don't matter? Guess I should have already realized that from those coders who are condoning leaving the users vulnerable because announcing a flaw in their code might hurt their reputations.

I've been programming for better than 20 years and I'm quite aware that stuff happens and vulnerabilities occur. It's a fact of life when programming. What I have an issue with are those coders who are willing to leave their users hanging and at risk rather than notify them immediately of the risk and then working to get a fix out as fast as possible. That's just plain irresponsible. I have a lot more respect for the coder who thinks of their users first and their reputations second.
All times are GMT.