SMF Copyright Rewording

Started by NewUsername, July 16, 2005, 05:51:59 AM


NewUsername

Hello everyone. I have just installed SMF for a web designers' community site and I have some concerns regarding the copyright messages generated by SMF. The site will contain several copyright notices including the one generated by SMF. All the other copyright messages are fine except for the SMF copyright which muddles the other copyright messages.

There have been a few questions regarding *removing* the copyright message generated by the software. The answer to all those questions has been along the lines of "you cannot remove the copyright messages". I am aware that the SMF license prohibits removal of the copyright notices that are generated by the software. That's okay. Lewis Media is well within its rights to have those clauses in their license.

I have read the thread found here:

http://www.simplemachines.org/community/index.php?topic=36056.0

However, it's already so watered down that I felt the best course of action is to start a new thread. So here goes...

My main concern is how the copyright message is worded. Another concern is with security (explained later). Here is an example:

Some Forum on Some Site | Powered by SMF 1.1 Beta 3.
© 2001-2005, Lewis Media. All Rights Reserved.


It is not clear here what this copyright message is acknowledging. Does it mean that:

1. Lewis Media owns the copyright to SMF;

or

2. Lewis Media owns the copyright to the "Some Forum on Some Site" forum and its contents;

or

3. Lewis Media owns the copyright to the whole site itself;

I already know that the correct interpretation is #1 here. But to casual visitors to the site, the interpretation remains open to either 1, 2, or 3. I am also aware that one can also add one's copyright message (i.e. the copyright to the site itself). But that would only confuse things even more. Now there will be two copyright claims on the same page!

My proposal is to reword the copyright message generated by SMF as such:

Some Forum on Some Site | Powered by SMF (Simple Machines Forum)
SMF is © 2001-2005, Lewis Media. All Rights Reserved.


This effectively disambiguates the copyright notice and makes it possible to place several copyright claims on the same page without muddling the other claims.

Note that I removed the version number here on purpose. Which brings me to my second concern: security.

As with the recent phpBB security debacle, advertising the software version number increases the likelihood that SMF sites will also be hax0red. Eventually, SMF will replace phpBB (unless the phpBB team get their act together). By then, SMF will be the new target. Kiddies will download and install SMF on their local XAMPP installation and start to poke around to find holes and ways of exploiting them. Once they do, all that is needed is to search for the string "Powered by SMF x.x.x" to find vulnerable sites. Easy because of the "sticky-copyright" clause in the license. You know what will happen next...

So hopefully the devs consider this request and include it in the next release. I am sure that it will satisfy all concerned parties, even ones who find the "sticky-copyright" clause in the license too restrictive. In the meantime, I hope that it is okay with the devs if I reword the copyright message to the second example given above.

--

J. Baller Esq.

Trekkie101

I can't really say anything about the copyright notices, but about the security points. I know others have removed the version number just to be safe, but what phpBB and others don't have is the same development skill and logic of the SMF team, even if SMF is hacked/exploited it only takes a very short time for the development team to quickly repair that small bit of code, and release a full patch into the Package Manager. A quick patch, a quick flick of a switch, SMF calls home, SMF goes nuts telling you about updates. All mods still working away, everything just purring along nicely. The way in which SMF conducts itself is a lot more secure than phpBB. Even the way in which versions are released, by going down a ladder to get to the normal users, it allows a huge amount of time to squash bugs which could otherwise be exploits.

NewUsername

Quote from: Trekkie101 on July 16, 2005, 06:39:40 AM
but what phpBB and others don't have is the same development skill and logic of the SMF team, even if SMF is hacked/exploited it only takes a very short time for the development team to quickly repair that small bit of code, and release a full patch into the Package Manager. A quick patch, a quick flick of a switch, SMF calls home, SMF goes nuts telling you about updates. All mods still working away, everything just purring along nicely. The way in which SMF conducts itself is a lot more secure than phpBB. Even the way in which versions are released, by going down a ladder to get to the normal users, it allows a huge amount of time to squash bugs which could otherwise be exploits.

Yes but this is assuming that every SMF board is patched at the exact same time that the patch is released, which is impossible. We all live in different timezones and it could very well be that I am asleep when an exploitable bug was discovered by kiddies, they write the exploit and search using everyone's favorite search engine for the SMF copyright phrase+version number. They find my board and they target it. I wake up the next day and my board is hax0red. If I am lucky, the exploit did not allow them to change my admin password and allow me to download the patch. If I am lucky maybe they haven't messed up the system enough and the patch will work. If I am lucky.

And mind you, some kiddies can be more subtle and not just deface your site straight off. They can plant a mass mailer and use your server as a spambot. Or just prepare your machine for a rootkit insertion. In this case, you will never know that it was through SMF that your machine got compromised, and neither will the devs. Unless of course the exploit becomes so widespread that it gets noticed and finally fixed. But by then, it could already be too late for you.

It is not right to downplay the issue because you have total confidence in the developers and the release process. I have total confidence in them as well. But security is still at the top of my priorities when maintaining a website. It is far better to use pre-emptive and proactive measures such as not displaying the version number of the software in public than it is to be passive and reactive.

And as for the copyright messages, I certainly do hope the devs and Lewis Media do consider the rewording. I could reword it myself in my installation. But that would be in violation of their terms. If that is not acceptable to them, then I propose that they provide a list of acceptable reworded versions and certainly an FAQ or something with regards to this. I am sure this issue will come up over and over again.

The current copyright message is not that totally ambiguous when displayed on its own as explained in my initial posting. It is not that I have trouble understanding it. It is because when it is thrown in with other copyright messages on the same page, the SMF copyright message muddles everything because of its ambiguity.

And btw, IAALS  :)

--

J. Baller Esq.

Trekkie101

I completely understand what you mean, and hope the day an exploit does appear we can all patch fast.


Ben_S

You can remove the version by removing it from index.php.
Liverpool FC Forum with 14 million+ posts.

I, Brian

I actually thought it was against the forum licence to interfere with any part of the notice.

And the concern about version number is absolutely right - simply helps hackers, not users.


Cerberus

How about something like this?
Forum powered by SMF 3.1.2 © Lewis Media. All Rights Reserved.
(SMF & Lewis Media are links)
Best Regards, Cerberus
YaBB Gold -> YaBB 1.1 -> YaBB SE (YaPP -> PfaBB) -> SMF
Pocket PC Russia

NewUsername

Quote from: Cerberus on July 18, 2005, 06:15:05 AM
How about something like this?
Forum powered by SMF 3.1.2 © Lewis Media. All Rights Reserved.
(SMF & Lewis Media are links)

That would be acceptable too. It would even be better if the devs could provide a way for users to configure the display of the copyright message. Some options come to mind:

1. Show/Hide SMF version number.

2. Select which copyright message format they want. Devs and Lewis Media could provide a list of accepted message formats.

I would prefer that there would be a way to select between different versions of the copyright message, at least when SMF generates the message it will be one of the approved versions.
--

J. Baller Esq.

rhizome

Quote from: NewUsername on July 18, 2005, 12:16:37 PM

...
It would even be better if the devs could provide a way for users to configure the display of the copyright message. Some options come to mind:

1. Show/Hide SMF version number.

2. Select which copyright message format they want. Devs and Lewis Media could provide a list of accepted message formats.

I would prefer that there would be a way to select between different versions of the copyright message, at least when SMF generates the message it will be one of the approved versions.
--

J. Baller Esq.

I think that's an excellent suggestion, and would keep things simple, as opposed to member requests for alterations

Tristan Perry

Quote from: NewUsername on July 18, 2005, 12:16:37 PM
Quote from: Cerberus on July 18, 2005, 06:15:05 AM
How about something like this?
Forum powered by SMF 3.1.2 © Lewis Media. All Rights Reserved.
(SMF & Lewis Media are links)

That would be acceptable too. It would even be better if the devs could provide a way for users to configure the display of the copyright message. Some options come to mind:

1. Show/Hide SMF version number.

2. Select which copyright message format they want. Devs and Lewis Media could provide a list of accepted message formats.

I would prefer that there would be a way to select between different versions of the copyright message, at least when SMF generates the message it will be one of the approved versions.
--

J. Baller Esq.
Nice idea, post in features and request? I'd use this feature.

Cerberus

Let's wait for the devs' opinion on the matter :)

Tristan Perry

Quote from: Cerberus on July 18, 2005, 12:44:58 PM
Let's wait for the devs' opinion on the matter :)
Yeah, hence why I said maybe post it in features and request :) It'll be cool to see what the devs think of this idea. It could be useful for some, or at least I think giving people the option to hide the version number is a good idea.

Ben_S

Quote from: I, Brian on July 18, 2005, 06:00:55 AM
And the concern about version number is absolutely right - simply helps hackers, not users.

I disagree, if people don't upgrade then they are still at risk, hiding the version number is giving them a false sense of security, having the version displayed makes it far easier to provide support, the amount of people that don't bother to mention what version they are running is getting silly.

† ÐëepÇuT¹ †

Quote from: Cerberus on July 18, 2005, 06:15:05 AM
How about something like this?
Forum powered by SMF 3.1.2 © Lewis Media. All Rights Reserved.
(SMF & Lewis Media are links)

That would probably be the best option :).





Cerberus

Quote from: Ben_S on July 18, 2005, 12:56:56 PM
I disagree, if people don't upgrade then they are still at risk, hiding the version number is giving them a false sense of security, having the version displayed makes it far easier to provide support, the amount of people that don't bother to mention what version they are running is getting silly.
But people can't be online 24-7 and upgrade the forum immediately when an update is released :(. Let's suppose I'm on a 2-week vacation and a critical update is released. Scriptkiddies may attack and even hack my forum if they do know that my version has that hole.

hehe.. guys, am I paranoid? ;D

Kindred

yes, but automatic updates is just stupid... the first thing I do with any software (especially Windows!) that has auto-update is TURN IT OFF! There is absolutely no reason that any software should be doing anything to my system (or in this case, my site) without *ME* initiating the action.

If you're on a 2 week vacation, then make a backup of your site before you go....  or have a Cron job that does a streaming backup...

What would you do on that same vacation if your host had connectivity problems?
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Ben_S

If I were a script kiddy, I'd probably search for forums that aren't displaying the version number personally.

Cerberus

Quote from: Kindred on July 18, 2005, 01:50:36 PM
yes, but automatic updates is just stupid... the first thing I do with any software (especially Windows!) that has auto-update is TURN IT OFF! There is absolutely no reason that any software should be doing anything to my system (or in this case, my site) without *ME* initiating the action.

If you're on a 2 week vacation, then make a backup of your site before you go....  or have a Cron job that does a streaming backup...

What would you do on that same vacation if your host had connectivity problems?

In fact I don't use them :)
I have regular backups as well, but I'm really concerned about security and server's uptime.
Quote from: Ben_S on July 18, 2005, 02:06:04 PM
If I were a script kiddy, I'd probably search for forums that aren't displaying the version number personally.
Why?
In order to try out all the exploits discovered since the 1st version of SMF has been released?
IMHO it's too complicated for them ;)

Ben_S

Quote from: Cerberus on July 18, 2005, 02:23:39 PM
In order to try out all the exploits discovered since the 1st version of SMF has been released?
IMHO it's too complicated for them ;)

How many is it, about 2 maybe 3? No time at all.

Cerberus

Quote from: Ben_S on July 18, 2005, 03:01:34 PM
How many is it, about 2 maybe 3? No time at all.
Really?
I thought there're more exploits ::)
