SMF Copyright Rewording

Started by NewUsername, July 16, 2005, 05:51:59 AM


1MileCrash

The only thing php can't do is tell you how much milk is left in the fridge.



Seta Soujiro


crazystu

It does. Many scripts using search engines look for a version number which can be hacked.
It may not really do anything, but once an exploit comes out many hackers will try and use it.

Alexandre P.

It may help hackers to find vulnerable SMF installations, but it also helps us to track outdated installs and contact the owners to upgrade.
No support by P.M., email or I.M.

1MileCrash

Quote from: Alexandre P. on August 10, 2005, 11:55:53 PM
It may help hackers to find vulnerable SMF installations, but it also helps us to track outdated installs and contact the owners to upgrade.

ooooh....a predicament.

Quote from: Seta Soujiro on August 10, 2005, 11:34:43 PM
Quote from: Tippmaster on August 10, 2005, 11:27:46 PM
not really.
You are evil.  You do not believe in security.

No. You don't get my point.

Tippmaster's point-

1. [Unknown] said "You can remove the version number if you'd like, but don't expect to get good support here".

2. There is no point in hiding your version number if you simply keep your installations up to date.

So, you're basically saying this-
"I will sacrifice good support from the SMF team for not having to upgrade my SMF installations"

Now ask yourself, doesn't that seem stupid, when all you have to do is click a link in the package manager to do it?! Think about it.



dtm.exe

Why is this topic still open?  It's useless...  Why not keep the current copyright and add a <br /> and THEN add your own?

-Dan the Man

agentbob

Quote from: [Unknown] on August 10, 2005, 10:45:46 PM
But, if you make this change, I assume you plan to post your version number expressly with every support topic you post here, every time.

But of course =) SMF's homepage claims it's designed with security in mind. This should be added to the list of things to keep in mind. Yes security by obscurity is no substitute for real security and keeping software up to date, but it still helps.

agentbob

Quote from: OIDanTheManIO on August 11, 2005, 12:08:58 AM
Why is this topic still open?  It's useless...  Why not keep the current copyright and add a <br /> and THEN add your own?

-Dan the Man

Lol nice! Motion to close down the topic, then throw in a jab to get the conversation stirring again! hahaha  ;D

- Dan

Seta Soujiro

So what do I edit to get it to say:
Site Contents and Design © 2005 Example.com
Powered by SMF. © 2001-2005, Lewis Media. All Rights Reserved.

[Unknown]

Quote from: agentbob on August 11, 2005, 12:14:20 AM
Quote from: [Unknown] on August 10, 2005, 10:45:46 PM
But, if you make this change, I assume you plan to post your version number expressly with every support topic you post here, every time.

But of course =) SMF's homepage claims it's designed with security in mind. This should be added to the list of things to keep in mind. Yes security by obscurity is no substitute for real security and keeping software up to date, but it still helps.

I'm sorry, but I just don't agree.  If I wanted to hack every phpBB forum out there not up to date, I could do it easily.  Searching based on version number wouldn't be a problem - I'd just find them all and hack them all.  It wouldn't matter.

Of course, I don't want to do this.  The point is that hiding behind a paper shield only protects you from paper arrows.

Anyway, if you were so right that this is a huge security problem and makes SMF not designed with security, you should look at... everything else.  I mean everything.  Why do secure areas in buildings say "secure area" - isn't that an advertisement to break in?  Why do other software packages almost unanimously show the version number in some form or another?  Why are keyholes always uniformly in the same place, using generally the same mechanisms as all other locks?

Having security in mind doesn't mean throwing everything out.  It's nice to have a metal safe no one can get into, but if you can't get into it yourself it's at least as useless as no box would be.

-[Unknown]

dtm.exe

If you fear that your forum is at risk because it's at a version that can be easily hacked, UPGRADE!  Don't be lazy and just take out the version part of the copyright.

-Dan The Man

agentbob

Quote from: [Unknown] on August 11, 2005, 12:42:09 AM
Of course, I don't want to do this.  The point is that hiding behind a paper shield only protects you from paper arrows.

Anyway, if you were so right that this is a huge security problem and makes SMF not designed with security, you should look at... everything else.  I mean everything.  Why do secure areas in buildings say "secure area" - isn't that an advertisement to break in?  Why do other software packages almost unanimously show the version number in some form or another?  Why are keyholes always uniformly in the same place, using generally the same mechanisms as all other locks?

Trouble is that paper arrows are cheap, so there's many of them available to any lay person. Since that's the case, >90% of the arrows thrown at you will be made of paper. Nice to avoid those if at all possible.

The reason it doesn't exactly translate into real-world security, is that you can't do a google search for every house using a mastercraft model 19559-TPB lock within your neighbourhood.... A lock that we've found out can be opened by a 3 year old using scissors and a paper clip... but of course it's the owner's fault for not upgrading their locks yet, right?

Don't get me wrong, I think SMF is a great product, and the copyright code should remain and give credit where it's due. And it makes sense if a person doesn't know what they're doing, it's easier to support them or tell them to upgrade if you can easily see their version number on their site. It's always a good idea to keep an open mind to new ideas and ways of doing things though.

- Dan

1MileCrash

Quote from: OIDanTheManIO on August 11, 2005, 12:55:06 AM
If you fear that your forum is at risk because it's at a version that can be easily hacked, UPGRADE!

-Dan The Man

EXACTLY.

Or, you can do it the way everyone wants and remove the version number (which would probably take longer than upgrading to the next release) and lose the privilege of good support here.

The answer seems pretty obvious to me. Why waste your time removing the version number?



dtm.exe

Why modify the copyright at all?  All SMF asks for in return for great software is TWO SMALL LINES on the BOTTOM of every page.  Is that so much to ask?  No one said you couldn't add your copyright on a third line.

-Dan The Man

agentbob

Quote from: OIDanTheManIO on August 11, 2005, 12:55:06 AM
If you fear that your forum is at risk because it's at a version that can be easily hacked, UPGRADE!  Don't be lazy and just take out the version part of the copyright.

-Dan The Man

Sure, after all it's pretty easy right? Unless of course you maintain 20 forums. And then of course there's always pesky vacations that may get in the way. Or any other number of valid reasons. I mean people just love Microsoft cause it's so easy to run Windows Update and install the latest security patches every second day.

dtm.exe

Quote from: agentbob on August 11, 2005, 01:00:59 AM
I mean people just love Microsoft cause it's so easy to run Windows Update and install the latest security patches every second day.

Just shows how vulnerable Microsoft is to attacks.  So how is that good that you update every other day?

-Dan The Man

1MileCrash

Quote from: agentbob on August 11, 2005, 01:00:59 AM
Quote from: OIDanTheManIO on August 11, 2005, 12:55:06 AM
If you fear that your forum is at risk because it's at a version that can be easily hacked, UPGRADE!  Don't be lazy and just take out the version part of the copyright.

-Dan The Man

Sure, after all it's pretty easy right? Unless of course you maintain 20 forums. And then of course there's always pesky vacations that may get in the way. Or any other number of valid reasons. I mean people just love Microsoft cause it's so easy to run Windows Update and install the latest security patches every second day.

would you rather upgrade 20 forums, or remove the version number off of 20 forums?

Remember, that with the stable releases...you can usually just click a link in the package manager to upgrade.....



agentbob

Quote from: OIDanTheManIO on August 11, 2005, 01:02:01 AM
Just shows how vulnerable Microsoft is to attacks.  So how is that good that you update every other day?

Perhaps I should have added </sarcasm> in my previous post? Point is why stay still like a sitting duck and draw a big bull's eye on your forehead? Make the f**kers chase you. :D

Quote:
would you rather upgrade 20 forums, or remove the version number off of 20 forums?

I'd rather do both personally. Like I said, can never have enough un-intrusive security measures.

Isaac

Unless you're a lazy Admin, there's no need to remove the version number.

[Unknown]

Quote from: agentbob on August 11, 2005, 12:57:18 AM
Trouble is that paper arrows are cheap, so there's many of them available to any lay person. Since that's the case, >90% of the arrows thrown at you will be made of paper. Nice to avoid those if at all possible.

Wooden arrows are almost as cheap.  If you think that 90% of the arrows sent at you are going to be paper, you're definitely *not* thinking with security in mind.  Plus, that's not even true.

Quote from: agentbob on August 11, 2005, 01:00:59 AM
Sure, after all it's pretty easy right? Unless of course you maintain 20 forums. And then of course there's always pesky vacations that may get in the way. Or any other number of valid reasons. I mean people just love Microsoft cause it's so easy to run Windows Update and install the latest security patches every second day.

I can update one forum in under a minute.  I can update 20 in about 12, and most of that time is entering my passwords.  If they're all on the same server, it's quite possible I could streamline it too.

It's really not nearly that hard to upgrade - even on vacation or even with someone to watch things while you're gone.

And, Microsoft only releases security updates once a month now, because doing it every other day became too much for IT people.  This means you're unpatched (potentially) for up to 30 days, if they patch it on the first day of the cycle.  But, really, this isn't that much of a problem - the sea of forums or Windows installs take a long time to sift through, and as long as you update within a reasonable timeframe (a month is reasonable enough) you'll be fine.

Still, of course, I would recommend updating immediately.  But, surely, taking a vacation for a week is highly unlikely, especially with the backups you are (we assume) making periodically, to lead to a security problem, even in the unlikely event that a patch is released while you are on vacation.

And, don't even go into automatic updates.  That leads to even more problems than without.  It's better for a forum to keep working, than for it to update and suddenly stop because of the update - and not be able to update itself again.  There are countless problems down that road.

-[Unknown]
