SMF: Security vs. Functionality

Started by elfishtroll, December 29, 2007, 04:48:03 PM

elfishtroll

Quote from: Dannii on December 29, 2007, 03:48:01 AM
2.0 probably won\\\'t as it\\\'s basically feature frozen, but for the version after I definitely hope so. However to change the admin CP (for the better) we really need to know what the current problems are. Specific problems. If you can think of specific settings that weren\\\'t where you expected, or that did something you didn\\\'t expect, please write about them here. But if all that people post is \\\"the admin CP is confusing\\\" how will the team know what to fix? :)

the best thing is to abandon the unwieldy code base of 2.0 and leapfrog it totally with SMF 3 (or 4)
Identify the best and most useful mods and implement them into the core

Security is a joke..mostly because the \\\"security\\\" is written by people WHO DO NOT RUN FORUMS

Integration with add-ons is ridiculous (the mods actually edit the code files?? )
Orstio is right when he says bridge implementations shouldn't edit source files... neither should mods!

Similarly with Templates also! (Too many mods \"can only  \\\"work with default themes\\\" WTF?)

Semantic code output is a must also, ALSO framework support for accessibility and SEO. Not to make this a what's-wrong-with-SMF rant, SMF is still Head and Shoulders above most forum software (including, in some contexts, VB); however, like \\\"Head and Shoulders\\\", SMF is surrounded by a fair amount of dandruff in flaky code and legacy support minefields, with tangled code supporting PHP3 it looks like :)

* ps WtF with the \\\\ \\ \\ around everything????

Sverre

Although I'm used to the current ACP and don't have any problems finding what I need, I certainly hope 2.0 will at least offer some improvements over the 1.1 ACP, especially in regards to the hierarchical structure and the total waste currently known as the "quick_admin_tasks" area...

Quote from: adicrst on December 29, 2007, 04:32:24 AM
well in this case we should make a topic "admin cp feature" and post there, so they won't have to browse through all these posts

Here's a link to a topic where the team apparently accepted (?) input on the 2.0 ACP:

http://www.simplemachines.org/community/index.php?topic=148736.0

gemigene

Quote from: Augh on December 22, 2007, 12:12:56 PM
you mean permission management or what? Because that permission management in phpbb...well I got nothing good to say about it.

I sure agree with you and I posted the following on their forum:

Quote
One of the new features I dislike (to the point of switching to SMF or MyBB, which I'm playing around with) is the "new and improved" permissions system. It seems to be quite cryptic, overkill, lacks documentation, problematic (due to users not fully understanding it, search for permissions on this forum and read a few of the thousands of posts on this subject).

Needless to say, the thread was locked by a moderator with the following comment:

Quote
You are welcome to start further topics on specific issues, but please keep in mind what has been said in this topic. We welcome constructive criticism, but only if you are willing to change your initial opinion as well.

Does the last sentence make sense to you?

Look like the phpBB moderator's handbook was based on Mein Kampf or maybe the moderators work for Homeland Security...

Cheers,
Gene
"Religion is metaphysical statism. I will be ruled by no man on earth, nor by any god in heaven"

Dannii

Quote
the best thing is to abandon the unwieldy code base of 2.0 and leapfrog it totally with SMF 3 (or 4)
Identify the best and most useful mods and implement them into the core
Which parts of it are unwieldy? It would be a huge waste of time to rewrite what works, and most of SMF is very well written.

Quote
Security is a joke..mostly because the \\\"security\\\" is written by people WHO DO NOT RUN FORUMS
You really think SMF's security is a joke?

Quote
Integration with add-ons is ridiculous (the mods actually edit the code files?? )
Orstio is right when he says bridge implementations shouldn't edit source files... neither should mods!

Similarly with Templates also! (Too many mods \"can only  \\\"work with default themes\\\" WTF?)
Although there's a need for more hooks etc., to have truly innovative mods and themes you're just going to have to rewrite code somewhere. The package manager generally does a great job of it though.

Quote
Semantic code output is a must also, ALSO Framework support for accessibility and SEO. Not to make this a whats wrong with SMF rant, SMF is still Head and Shoulders above most forum software (including in some contexts, VB) however, like \\\"Head and Shoulders\\\" , SMF is surrounded by a fair amount of dandruff in flaky code and legacy support minefields with tangled code supporting PHP3 it looks like :)
Agreed.

Quote
* ps WtF with the \\\\ \\ \\ around everything????
WYSIWYG bugs.

Quote
Here's a link to a topic where the team apparently accepted (?) input on the 2.0 ACP:

http://www.simplemachines.org/community/index.php?topic=148736.0
Ahh yes I'd forgotten about that topic ;)
"Never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise."

shadow82x

Also, how do you know the devs do not have forums? Just because they don't advertise their forum does not mean they do not have one.
Colin B
Former Spammer, Customize, & Support Team Member

Gary

Actually, most of the devs do have forums. They're listed in their profiles.
Gary M. Gadsdon
Do NOT PM me unless I say so
War of the Simpsons
Bongo Comics Fan Forum
Youtube Let's Plays

^ YT is changing monetisation policy, help reach 1000 sub threshold.

metallica48423

elfishtroll, a good majority of the team members, myself included, do run forums.

Mine I do not advertise because, frankly, I don't need to.

I also take personal offense (though perhaps I shouldn't) to the notion that we/the devs don't listen to people's concerns. If you want to be heard, try not offending people with your posts. Otherwise, don't expect a reasoned response from someone if you aren't willing to do it without offending someone.

Things take time to do. Any changes *we* make also affect *thousands* of other forums. This can have *many* side effects on others' sites. Changing output suddenly and randomly, for example, can cause search ranking issues in sites, and for some who may be on the verge of being banned, for example by Google, that sudden codebase change could push that user over! That is but one example, but if you're going to be so rude about it, I don't feel you need one at all.

If you can't coexist here, then don't.
Justin O'Leary
Ex-Project Manager
Ex-Lead Support Specialist

Quote
Microsoft wants us to "Imagine life without walls"...
I say, "If there are no walls, who needs Windows?"

Useful Links:
Online Manual!
How to Help us Help you
Search
Settings Repair Tool

AbBh

Unlike phpBB, SMF is pretty easy to use and modify. It may lack a couple of features but it still has more features than phpBB3. There are some great mods too which make it even more feature rich.
Oh, and the security is the best. I don't get how it can be called a joke.
hxxp:www.simplycricket.net [nonactive]

anunlike

Quote from: Dannii on December 29, 2007, 09:32:04 PM
Quote
Security is a joke..mostly because the \"security\" is written by people WHO DO NOT RUN FORUMS
You really think SMF's security is a joke?

I'm curious about how / why you think it's a joke, as well.

Grudge

Quote
the best thing is to abandon the unwieldy code base of 2.0 and leapfrog it totally with SMF 3 (or 4)
Identify the best and most useful mods and implement them into the core
Do you not think it would look a little odd for people if we went from SMF 1.1 to SMF 4.0? As for the unwieldy codebase of 2.0, you clearly (and indeed hopefully) have not actually seen 2.0. We've done a good lot of abstraction of common functionality - a trend we intend to continue with SMF 2.x afterwards. It also seems a little inconsistent to say that we should abandon the code base of 2.0 whilst at the same time implementing many mods into the core. Abandoning a code base is no simple task; it's practically impossible in fact. Even Windows Vista will contain code from Windows 3.1, phpBB3 probably has bits of phpBB 1, SMF still has some code directly translated from YaBB. SMF can only ever evolve; it's not realistic to "abandon a codebase" of something with circa 100,000 lines of code.

Quote
Security is a joke..mostly because the "security" is written by people WHO DO NOT RUN FORUMS
I'd be interested in seeing evidence to back up this statement. Last time I looked SMF has had seven reported exploits in the last four years, all considered "moderate" at worst and all patched. We implement a very fully featured banning and flood control system, and have recently implemented CAPTCHA - the latter two of which are implemented further in 2.0. We also have IP tracking functionality to help admins catch people registering multiple accounts, have a security reporting form on the website and investigate any reports of exploits. For a team that considers security to be the top priority to suggest our implementation is a joke is somewhat insulting.

Quote
Integration with add-ons is ridiculous (the mods actually edit the code files?? )
Whilst there are potential ways to improve this it's always going to be a fact of life that any "full blown" modification is going to have to edit the source code unless you make everything so abstracted that you make a huge speed sacrifice in the process. At least SMF has an automated mod installer, which in 2.0 will install on multiple themes where possible. I know that vB, for example, has a way to hook into the code which is OK - but only really works in practice for minor modifications. Again, this is something we keep looking at and our work towards abstracting functionality will help but it's a case of making lots of small steps I'm afraid - it's not possible to simply change the whole of SMF in 6-12 months - particularly without a full time development team of 20.

Also, I think this topic has taken a slight detour from the original intent...
I'm only a half geek really...

gemigene

Quote
Integration with add-ons is ridiculous (the mods actually edit the code files?? )

My 2 cents worth: I've been playing around with SMF for over a week (seeking a replacement for 3 of my phpBB 2.0.22 forums, and I simply hate phpBB3 with a passion) and if there is one weakness I found, it's the Package Installer. I installed a Mod on a virgin board and ended up with 62 pages of errors in the forum error log. The weird thing is, the Mod does work....  ???

Personally, I would rather hard code the Mods using the Parser so I can see what the mod code changes (especially if you have other mods installed).

I prefer software that uses "plugins" (WordPress or MyBB for example): you only need to FTP the plugin to its directory, activate it, and if you don't like it, deactivate and delete. No change to the code.

Cheers,
Gene
"Religion is metaphysical statism. I will be ruled by no man on earth, nor by any god in heaven"

Dannii

Quote
My 2 cents worth, I've been playing around with SMF for over a week (seeking a replacement for 3 of my phpbb 2.0.22 forums and simply hate phpBB3 with a passion) and if there is one weakness I found, it's the Package Installer. I installed a Mod on a virgin board and ended-up with 62 pages of errors on the forum error log. The weird thing is, the Mod does work....  ???
If mods are causing errors that's not the fault of SMF, and it probably wouldn't matter if they edited code directly or not. Hopefully though mods like that will get noticed by the team and rejected.
"Never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise."

gemigene

Quote from: Dannii on December 30, 2007, 08:09:25 PM
Quote
My 2 cents worth, I've been playing around with SMF for over a week (seeking a replacement for 3 of my phpbb 2.0.22 forums and simply hate phpBB3 with a passion) and if there is one weakness I found, it's the Package Installer. I installed a Mod on a virgin board and ended-up with 62 pages of errors on the forum error log. The weird thing is, the Mod does work....  ???
If mods are causing errors that's not the fault of SMF, and it probably wouldn't matter if they edited code directly or not. Hopefully though mods like that will get noticed by the team and rejected.

LOL! I posted this on the mod author's support thread and he answered that it probably is a Package Installer problem...

Gene
::)
"Religion is metaphysical statism. I will be ruled by no man on earth, nor by any god in heaven"

Dannii

Getting off topic.. but what were the errors?
"Never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise."

gemigene

"Religion is metaphysical statism. I will be ruled by no man on earth, nor by any god in heaven"

christicehurst

There is something that bothered me with SMF Beta 2 and that was the lack of changes from 1.1.4. I asked a number of members what differences they could see and they only pointed out one or two small changes. I do feel SMF 2 is an admin update and doesn't do anything for the average Joe Blow member.
www.brisbanelionsunited.com - A forum for everyone!

elfishtroll

Quote from: anunlike on December 30, 2007, 11:24:34 AM
Quote from: Dannii on December 29, 2007, 09:32:04 PM
QuoteSecurity is a joke..mostly because the \\\\\\\"security\\\\\\\" is written by people WHO DO NOT RUN FORUMS
You really think SMF\\\\\\\'s security is a joke?

I\\\\\\\'m curious about how / why you think it\\\\\\\'s a joke, as well.

the security is primarily a joke because it focuses on CODE not PEOPLE.

People do not install forums to just RUN THE CODE (as, perhaps, you install Excel to run the code and edit a spreadsheet); they run the forum code to CREATE A COMMUNITY.
Therefore, COMMUNITY MANAGEMENT issues need to be addressed and be at the forefront of security concerns, as they fall to the heart of what KILLS or HEARTENS a community.
Logical issues - captcha for guest or newbie postings, optional captcha for logins - are deferred in favor of \\\\\\\"DEFAULT BIRTHDAY GREETING\\\\\\\"

I say security is a joke because whenever issues are addressed then subsequently referenced, it's always in a dismissive tone, as \\\\\\\"moderate\\\\\\\", YET EACH ONE ALLOWED AN ATTACKER TO TAKE COMPLETE CONTROL (potentially) OF A FORUM AND SITE.
Others which are more arguably moderate (i.e. the IP SPOOFING loophole which STILL EXISTS) go toward the security risk of the FORUM itself when members can post with multiple IPs and/or impersonate others on the board, something that is anathema to COMMUNITY SECURITY (even though they cannot - ostensibly - take control of the site, it CAN make members lose confidence in the community; the \\\\\\\"fixes\\\\\\\" that were addressed in this manner simply meant storing an additional field in the database, a bit of a kludge.... yes, there were backward compatibility issues at stake, but they weren't taken care of well, IMHO)

Quote from: gemigene on December 29, 2007, 08:18:06 PM...

Needless to say, the thread was locked by a moderator with the following comment:

Quote
You are welcome to start further topics on specific issues, but please keep in mind what has been said in this topic. We welcome constructive criticism, but only if you are willing to change your initial opinion as well.

Does the last sentence make sense to you?

Look like the phpBB moderator\\\\\\\'s handbook was based on Mein Kampf or maybe the moderators work for Homeland Security...

Cheers,
Gene


LOL... contrast that Mein Kampesque post then with this one from HERE! lol

Quote from: BlackMage on December 30, 2007, 10:07:58 AM
Things take time to do.  Any changes *we* make also affect *thousands* of other forums.  This can have *many* side effects on others\\\\\\\' sites.  Changing output suddenly and randomly, for example, can cause search ranking issues in sites and for some who may be on the verge of being banned for example by google, that sudden codebase change could push that user over!  That is but one example but if you\\\\\\\'re going to be so rude about it, i don\\\\\\\'t feel you need one at all.

if you can\\\\\\\'t coexist here, then don't*. emphasis added


*veiled threat, etc.
Look, both examples have to be viewed in the context of people \\\\\\\"protecting their turf\\\\\\\" :)  Both SMF and phpBB are on the cusp of \\\\\\\"big money\\\\\\\", so temper your criticism or comments if you know what\\\\\\\'s good for you! (and even if you don't) :P

Look, even though SMF is demonstrably the best in many categories, and arguably the best in some others, it still fails or falls short in many areas. Since we probably don't have an urge to switch to something else, it's best we strive to improve SMF (as long as we can get over the hurdle of pretending problems don't exist) :)

(ok, these damned slashes are \\\\\\\\\\\\\\pissing me off! lol\")

Dannii

Quote
People do not install forums to just RUN THE CODE (as, perhaps you install excel to run the code and edit a spreadsheet) they run the forum code to CREATE A COMMUNITY
Therefore, COMMUNITY MANAGEMENT issues need to be addressed and be at the forefront of security concerns, as they fall to the heart of what KILLS or HEARTENS a community.
Logical issues - captcha for guest or newbie postings, optional captcha for logins are deferred in favor of, \\\\\\\"DEFAULT BIRTHDAY GREETING\\\\\\\"

...
You're using a different meaning of 'security' than everyone else. Community management systems could definitely be improved, and Captcha for guest posting would be great, but they're not security issues.

Quote
(ok, these damned slashes are \\\\\\\\\\\\\\pissing me off! lol\")
Then don't use the WYSIWYG editor.
"Never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise."

metallica48423

You're welcome to interpret my post as you please, but my point was more of: if you want respect, give respect; it is a mutual thing. I do not want anyone to leave and I certainly do not intend to force anyone to leave. Really, I have threatened to do nothing. At all.

A lot of what can be said can be said without saying it in a way which will undermine one person's contributions or offend them.

My point was that this topic is neither the time nor the place for this discussion. Security is not the only focus of the developers by far, though it is one that is being addressed at the current moment in the development cycle. I feel to assert such is wrong, even if because I can see what is going on with development here while at the meeting.

Basically, if you want your opinions to be respected, I do not feel it is wrong to expect respect (respect != agreement) on our responses... it's all in how you state things.

I don't disappreciate your opinions, and while I don't agree with parts of them, that doesn't give you the right to come insult us. Where is the constructiveness in that?

If I really WANTED you gone, you wouldn't be here. But what would that accomplish? I certainly don't want to see you stop posting your thoughts; I simply want you to realize that we're human beings behind these screen names too.

Justin O'Leary
Ex-Project Manager
Ex-Lead Support Specialist

Quote
Microsoft wants us to "Imagine life without walls"...
I say, "If there are no walls, who needs Windows?"

Useful Links:
Online Manual!
How to Help us Help you
Search
Settings Repair Tool

Grudge

elfishtroll,

The IP spoofing issue does *not* still exist. SMF 1.1 and 2.0 both use $_SERVER['REMOTE_ADDR'] as the primary IP address for all forms of IP tracking and checking. In addition, it uses an intelligent guess of the user's actual IP (from using the X_FORWARDED header) as a *secondary* log in the members table, so admins have the option of using this if they wish, as there is always a risk that REMOTE_ADDR will result in them banning a whole proxy server rather than just a user.

As for security as I detailed in my previous post it is taken seriously from both a user and code standpoint. In 2.0 CAPTCHA has been implemented for personal messages, posting and searching - and we've added flood control to the latter. 1.1 introduced a set of anti-spamming features for personal messaging and added functions like reporting of personal messages. You are correct that a birthday greeting scheduled task was added to the (yet unreleased) 2.0 but that was not at the expense of any other feature - it was added as a (default disabled) "fun" feature.

In all honesty I do think that the fact that we did not roll out CAPTCHA for basic posting in 1.1 was probably our biggest omission, but CAPTCHA itself was a late feature addition to 1.1 and we hadn't really clocked on to the amount of forums that use guest posting - it was one of the first things to be put into 2.0.

As it currently stands I cannot think of one security feature that 2.0 should have that it does not currently have, and have not seen any feedback from Charter Members to the contrary. It's also not fair to say that we, as developers, don't have experience of operating a forum to know what actual admins want. The developers have an intrinsic link to the running of this forum here, which suffers from attempted spamming, hacking (our error logs are currently full of people trying to run these generic hacking scripts people seem to think work, and getting errors) and moderation issues. One thing I think has been a fantastic addition here is that the introduction of the 2.0 warning system has allowed our team members (and I think maybe moderators - not sure about the latter) to discipline users without giving them the power to administrate or ban.
I'm only a half geek really...
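Grudge's point above (the TCP peer address in REMOTE_ADDR is the authoritative value; a guess derived from a forwarded header is kept only as a secondary note for admins) is worth seeing as code, because the spoofing risk is exactly that a client can write anything it likes into X-Forwarded-For. The following is an added example written for this page; it is not SMF's own code. It goes one step beyond the post by gating the forwarded header on a hypothetical `$trustedProxies` list (an assumption, not an SMF setting), and it substitutes constructed request arrays for `$_SERVER` so it runs offline.

```php
<?php
// Added example, not SMF code: resolve a client IP with REMOTE_ADDR as the
// only authoritative value and X-Forwarded-For as an untrusted secondary hint.
// Assumption: $trustedProxies is a hypothetical list of reverse-proxy addresses.

declare(strict_types=1);

/**
 * Returns ['primary' => string, 'secondary' => ?string].
 * $server mirrors PHP's $_SERVER so the function can be exercised offline.
 * The primary is never overridden by anything a client sends.
 */
function resolveClientIp(array $server, array $trustedProxies = []): array
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // The TCP peer address cannot be forged by a request header.
    $primary = filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '';

    $secondary = null;
    $forwarded = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    // Only consult the header when the peer is a proxy we operate; a direct
    // client that sends X-Forwarded-For is simply ignored.
    if ($forwarded !== '' && in_array($primary, $trustedProxies, true)) {
        // Header format is "client, proxy1, proxy2"; take the left-most
        // syntactically valid non-private address, but treat it only as a hint.
        foreach (explode(',', $forwarded) as $candidate) {
            $candidate = trim($candidate);
            if (filter_var($candidate, FILTER_VALIDATE_IP,
                    FILTER_FLAG_NO_PRIV_RANGE) !== false) {
                $secondary = $candidate;
                break;
            }
        }
    }
    return ['primary' => $primary, 'secondary' => $secondary];
}

/**
 * Ban checks use the primary address only, matching what the post describes.
 */
function isBanned(array $resolved, array $bannedIps): bool
{
    return $resolved['primary'] !== '' && in_array($resolved['primary'], $bannedIps, true);
}

// Constructed requests for demonstration (documentation-range addresses).
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9', // forged header, no proxy involved
];
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.2',
];
$trusted = ['10.0.0.2'];
$banned  = ['203.0.113.7'];

$r1 = resolveClientIp($direct, $trusted);
// Forged header is ignored: primary stays 203.0.113.7 and the ban applies.
printf("direct: primary=%s secondary=%s banned=%s\n",
    $r1['primary'], $r1['secondary'] ?? '-', isBanned($r1, $banned) ? 'yes' : 'no');

$r2 = resolveClientIp($viaProxy, $trusted);
// Primary is the proxy (10.0.0.2); the admin can see 203.0.113.7 as the likely
// real client, but a ban on the primary would hit everyone behind that proxy,
// which is the trade-off the post mentions.
printf("proxy:  primary=%s secondary=%s banned=%s\n",
    $r2['primary'], $r2['secondary'] ?? '-', isBanned($r2, $banned) ? 'yes' : 'no');
```

Run it with `php example.php`: the first request shows the forged header having no effect on tracking or banning, and the second shows why the secondary value is only advisory: acting on it would mean trusting data the proxy chain relayed rather than data the server observed.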
