Karma Description Mod?

Started by NEMINI, June 09, 2008, 02:47:55 PM


NEMINI

After much searching (the search on this site does not work properly, BTW) I finally found the topic for this mod, only to discover it's been locked, but with no post saying why, and the link to the mod returns "no known mod".  I don't know who locked it or why, I'm sure there is a valid reason, but why not post a simple explanation when performing the lock?  Sure avoids a lot of confusion.
signatures are boring.

Eliana Tamerin

It was removed from the mod site because of an attack vulnerability. It will be returned to the mod site if and when the author fixes it.
Do NOT PM me for support.

SimplePortal 2.3.6 is OUT!
SimplePortal Project Manager
Download | Docs
SimplePortal: Power of Simplicity!

NEMINI

Fair enough.  Figured there would be a logical explanation, just a shame one has to waste mods' valuable time by asking.

Eliana Tamerin

Better to ask about it and get the information than be without the information.

NEMINI

True, hence why I asked.  IMO though, it would have been even better had the person who locked the topic given an explanation of why it was locked.

Eliana Tamerin

The topics are automatically locked when the mod is pulled from the mod site. But if you meant the mod author, they haven't logged into the site since March.

NEMINI

Okay, I thought someone manually locked it.

Two issues though,

1. If a mod has a flaw that can be exploited and is pulled so no one else downloads it, what about the people who have already installed it?  We don't deserve a warning that our site is now vulnerable?  That perhaps we should remove the mod until it is fixed?
2. The community is still left with a locked topic that doesn't appear (within the topic) to be locked for any particular reason.

Douglas

Greetings, NEMINI!

While I am not a team member any longer, I can still answer the two questions for you, so bear with me on these, okay?

Quote: 1. If a mod has a flaw that can be exploited and is pulled so no one else downloads it, what about the people who have already installed it?  We don't deserve a warning that our site is now vulnerable?  That perhaps we should remove the mod until it is fixed?
Unfortunately, when a mod gets pulled because of an exploit issue, and the mod author is nowhere around, the exploit will probably not be fixed unless another person takes over the project.  And even then, there are some guidelines that have to be followed before we allow a second person to take over the first person's projects.

Part of the agreement that Mod Authors have with SMF is the fact that they are directly responsible for maintaining and supporting that modification package.

Now, if someone else were to make a similar modification package to replace the one that hasn't been updated, I don't think that would be an issue, however, the customization team would be the best people to ask.

As far as affected users are concerned, the very first thing they should do is uninstall the mod that contains the exploit.  I know that the SMF Team would definitely make that their first recommendation.  After that, the person should be able to start a new thread, reference the locked post and indicate that the new thread is for discussion on how to secure the mod from exploit(s).

It's a sticky and unfortunate situation to be in, sadly.

Quote: 2. The community is still left with a locked topic that doesn't appear (within the topic) to be locked for any particular reason.
Okay, it looks like I actually answered this one above.

I hope this helps.  :)
Doug Hazard
* Full Stack (Web) Developer for The Catholic Diocese of Richmond
(20+ Diocesan sites, 130+ Church sites & 24 School sites)
* HBCUAC.org Web Developer, the NAIA's only HBCU Athletic Conference
* Former Sports Photographer and Media Personality and Former CFB Historian
* Tech Admin for one 2.9M+ post and one 11.6M+ post sites. Used to own a 1M+ post site.
* WordPress Developer (Junkie / Guru / Maven / whatever)

NEMINI

Quote from: Douglas on June 10, 2008, 09:35:07 PM

I do appreciate the help, however I believe you missed my point also, so let's review.

1. We had a locked topic with no explanation
2. We had a mod removed, with no explanation.

Until I asked about the mod, no one ever once said there was a security issue with it.  Shouldn't a general warning have been posted to say something like, "Hey, stop using this mod until it's fixed or your site might get hacked"?

While I appreciate your words of wisdom, there still hasn't been a single SMF team member come out and advise against its continued usage.  Which again brings me back to the need to provide people an explanation in a topic at the very time it is locked.  I've no idea when the Karma Description mod topic was locked, but what would have happened if a topic was quietly locked, and a bunch of SMF sites got hacked because of a known vulnerability in that mod?  Do you think people would have a right to be pissed off, when a simple "hey, stop using this for now" warning may have saved some or all of them?

If it seems like I am trying to take the piss out of anyone, I'm not, I'm just having an open and frank discussion.

SleePy

The issue, for one, is very hard to accomplish, and for another, it could just cause panic among users, who might do something irrational such as delete their boards or ban users :P

The way it occurs, though, it would be super rare for it to occur and wouldn't cause anything more than an annoyance ;)
Jeremy D ~ Site Team / SMF Developer ~ GitHub Profile ~ Join us on IRC @ Libera.chat/#smf ~ Support the SMF Support team!

Eliana Tamerin

In any case, I've only seen three or four mods pulled because of security issues. Compared to the hundreds of mods available, I'd say that's pretty good.

karlbenson

It's a doozy.
We have to balance providing an explanation to users versus announcing an exploit to the world [without any patch available].

Personally in this situation I find it best that only the mod author is informed without any explanation.
Even saying there is an exploit in this mod is bringing attention to what wasn't a publicly known exploit.
For me the best time then to make people aware is when the author has a patched version available.

(but i guess this topic saw the end to our plans)

NEMINI

Okay karlbenson, while I don't agree with that reasoning, I can understand it.  However in this case, as Douglas pointed out above, what happens when a mod author has not been around and/or doesn't want to or can't fix the mod?  Does SMF bury their heads in the sand and hope no one ever figures it out and some sites get ruined, or is there a policy of "okay, X amount of time has passed, no one's done anything to fix it, so we'll let people know that it is dangerous to keep using it"?

While we know SMF is not responsible technically, it will be their reputations that get hurt publicly if it was ever found out they hid an exploit and people's sites got ruined.  SMF isn't responsible, yet they approve/disapprove and remove mods for failing to be secure, and they won't be responsible if they keep secret a vulnerability known to them?

It is a very slippery slope.

akash_9105

Mods make boards more vulnerable, that's a fact.

Douglas

Quote from: akash_9105: Mods make boards more vulnerable, that's a fact.
While some do, a good majority of those do not.  Please do not spread fallacies.  Thanks.

SleePy

Quote from: akash_9105 on June 19, 2008, 12:02:26 PM
Mods make boards more vulnerable, that's a fact.

If that's the case then I have over 50 vulnerabilities on one of my sites and 13 on another. Never been hacked through SMF, and only once had a hacking issue, but that was due to an old script I didn't remove on the server.

karlbenson

I use 100+ and have never had a vulnerability.

But that's probably because I test each mod out and scan through the code before uninstalling it on my forum.
That way there are no surprises.

BellGab.com

Quote from: Eliana Tamerin on June 10, 2008, 02:27:32 PM
The topics are automatically locked when the mod is pulled from the mod site.
I think that's bad business.  A mod being pulled from the site is explicitly WHY people would and should want to talk about it... particularly if it's pulled for a security concern.  I know this thread is old news and no longer applicable, as the mod is again available.  Just thought I'd add my thoughts regarding that policy.
