SMF Copyright Rewording

Started by NewUsername, July 16, 2005, 05:51:59 AM

Dannii

Forums have been hacked in the past because:
1. they have serious securities in the first place
2. Updates fixing these are slow to come
3. People don't update them

Now SMF hasn't had any serious security holes that I'm aware of (at least in public versions). Stopping the process at the first problem means that the other steps are irrelevant.

In the unlikely event that a version is published with a serious flaw, it is most likely it will get fixed before people even know about it, and another version made soon after. If people don't know about it then hackers won't know to use it against an unupdated version.

If somehow it does become widely publicised, then it is possible that unupdated forums could be at risk. HOWEVER if you take the simple measure of always keeping updated then it's unlikely you'll be in danger. You mentioned going on vacation, well I think the chances of a serious flaw being included in a public version that you update to, becoming widely known and widespread across the internet to the stage when people write scripts to exploit it, and where people search through Google for your version number so that they can attack you at random, all in the time of your vacation, is highly remote.

In the even more remote chance that a serious exploit escapes being noticed for a few versions, well, a hacker would have to know the SMF code more thoroughly than [Unknown] to be able to exploit it. If the numerous SMF crew can't find it, no hacker will.
"Never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise."

Trekkie101

Even if you do remove the version number, the phpBB worm that went across the net never looked for the version.....

It specifically went after any forum with "Powered by phpBB" and that's what Google blocked! A lot of updated forums even had the spider hit them to try, it never got anywhere though.

Search the phpBB forums, version numbers weren't even remotely useful in the attack, removing them would be pointless.

Ben_S

If I was a script kiddy, I'd go looking for forums not displaying a version number based on the assumption that if they have wanted to remove it, they are likely to not have updated.

That said, I can't believe the length of the discussion about it, if you want to remove it, remove it.
Liverpool FC Forum with 14 million+ posts.

crazystu

Quote from: Ben S on August 11, 2005, 06:51:51 AM
If I was a script kiddy, I'd go looking for forums not displaying a version number based on the assumption that if they have wanted to remove it, they are likely to not have updated.

That said, I can't believe the length of the discussion about it, if you want to remove it, remove it.
I thought I saw this claim a long way back on the thread?
Anyway, I've done a bit of thinking and it doesn't matter if you remove the version number. If a forum has an issue fixed then the spiders will look at the next one and leave yours alone.
If you're going on vacation or something then get a friend to update it. It's very easy.
I guess I've switched sides.

1MileCrash

Quote from: nesianstyles on August 11, 2005, 04:44:13 PM
Quote from: Ben S on August 11, 2005, 06:51:51 AM
If I was a script kiddy, I'd go looking for forums not displaying a version number based on the assumption that if they have wanted to remove it, they are likely to not have updated.

That said, I can't believe the length of the discussion about it, if you want to remove it, remove it.
I thought I saw this claim a long way back on the thread?
Anyway, I've done a bit of thinking and it doesn't matter if you remove the version number. If a forum has an issue fixed then the spiders will look at the next one and leave yours alone.
If you're going on vacation or something then get a friend to update it. It's very easy.
I guess I've switched sides.

It was my intelligent, well-proven points that made you decide to switch sides, wasn't it?  :P
The only thing php can't do is tell you how much milk is left in the fridge.



Caveman

I'm sorry guys, but for all the ease with which it is possible to update SMF, there are still those out there running SMF 1.0.4.  I found http://www.x-zone.co.uk/ by shoving "Powered by SMF 1.0.4" into Google.  And although I really respect what you guys do and the way you go about doing it, you cannot always beat the hackers to finding and plugging the hole and I would be generally...... happier if I could remove the version number without feeling like a c**t.

As for "why not just update", I do generally get worried about how the whole updating thing works wrt mods (as in from the package manager) - I don't trust it to not go tits up on me.  This isn't due to me not trusting you (the authors) to be competent to write it, it's just because Murphy's law says what can go wrong will go wrong in the worst way at the worst time.

And just because I am paranoid does not mean that they are not out to get me......

Quote
But, if you make this change, I assume you plan to post your version number expressly with every support topic you post here, every time.

Yes, I would.  If not only for your information, but for people who then look at these forums in one month/year time and search for their problem and see that my help was for version 1.0.5 and they are now on 1.6.17 so it might not apply and they might want to search on a little bit more.

Ben_S

Hiding the version number does not make those 1.0.4 boards any more secure.

Quote from: Caveman on August 12, 2005, 11:32:22 AM
As for "why not just update", I do generally get worried about how the whole updating thing works wrt mods (as in from the package manager) - I don't trust it to not go tits up on me.

So if the version wasn't displayed, you would be less likely to stay up to date? Good reason for displaying it then isn't there.

Quote from: Caveman on August 12, 2005, 11:32:22 AM
Yes, I would. 

You would be one of the few then.
Liverpool FC Forum with 14 million+ posts.

Caveman

Quote from: Ben_S on August 12, 2005, 11:38:36 AM
Hiding the version number does not make those 1.0.4 boards any more secure.

No, it makes them less likely to be found and exploited.  And surely any steps you can take to make things "more secure" (read less likely to be exploited, as it isn't really more secure at all, but meh) should be taken.

Quote
So if the version wasn't displayed, you would be less likely to stay up to date? Good reason for displaying it then isn't there.

Not at all.  I am as equally unlikely to keep up to date if it is there as I would be checking it wouldn't blow up in my face when I try to update, so I might be a day or two behind depending on my workload.
Quote
Quote from: Caveman on August 12, 2005, 11:32:22 AM
Yes, I would. 

You would be one of the few then.

I worked in tech support for half-life adminmod, I know how much of a pain in the ass it can be if people don't give you the whole story and how much easier it is if they just state it straight off.  I also don't want to sound like a complete muppet so I would try and explain the problem in as full terms as possible.


Kindred

security through obscurity is not security at all...

your argument about scriptkiddies searching for 1.0.4 is specious... they could search for and attack all smf that DON'T show a version... because (one can assume) those people are more likely to be out of date...
They could search for all SMF that DON'T have 1.1...   heck they could search for anything with a copyright DATE of before 2005....
(and the date IS required as part of the copyright)
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

sabastina

I have a couple things I'd like to point out on the subject of the copyright notice...I'm not complaining, I just want to point out a few facts as I see them....

The first one is that removing the dates from ANY copyright is a no-no.  The proper format of a copyright demands that the date MUST be placed in the copyright notice in a specific format.

Here is the link for the Library of Congress and it is to the Copyright division:

hxxp:www.copyright.gov/ [nonactive]

I completely respect the smf copyright on my forum. 

The problem that I've had is that the name of your company is Lewis MEDIA....part of my forums will be used by professionals eventually...(psychology researchers primarily)  Where research credit is important...I realize that it's as simple as placing your own copyright in each post, but really...that sort of distorts the ease of a forum...(pointing this out as a marketing factor for the smf product)

I've had a couple personal comments to me regarding the fact that it seems that a MEDIA company has overwritten the site's basic copyright notice...yes, I could likely add my own notice down there someplace...but, I'm NOT a coder (though I'd like to be...and am trying to learn as I can) I don't have enough time off of school right now to build and run my forums and work on coding templates...

This is a key marketing factor even if there IS a simple answer because not everyone who LOOKS into using the software understands how support sites work...

After all, for someone like me who has experience working with the phpbb forums, I'm afraid to try to add my own wording there because I might mess everything up completely....I see this as being a potential risk where future smf (non code savvy) clients may opt out of using the smf due to fear that others will refuse to fully use the forums because they're paranoid about the loss of their copyright. 

I have however thought of a couple things that could help remedy this issue...

1.  LEAVE the copyright rules that smf already contains!  I mean, it's only right that software developers have the UTMOST protection!  I'm sure too many people already assume that because smf is currently free that it is under the GNU license. 

Although the addition of the word IS does remove any question that there is an ulterior motive for Lewis Media to jump up and claim they own the rights to this or that...I realize that this is an unreasonable way for people to see this...But you have to consider that many on line companies do attempt to infringe on intellectual property rights in their TOS and so on!  It's important to avoid this stigma right from the beginning!

Keeping in mind that to market a product you MUST look at that product in its entirety and see it from the view of the prospective buyer...if PROFESSIONALS refuse to use the forum fearing they will lose their research due to fancy legal maneuvers then they aren't going to use the software...and though I personally trust the developers...others may not.

Adding the word IS allows users of forums to feel safe in posting their information in such forums.  I don't understand why this is being so strongly objected to...and I can see (though I don't necessarily agree with) the paranoia that is being conveyed here...I mean, people are asking to have a small bit of added protection that doesn't remove ANY rights from Lewis Media yet they are being denied...speaking psychologically...it does SEEM shady to someone who doesn't KNOW and understand copyrights...which in the end...WILL be somewhat harmful to marketing this product to those in a professional field like psychology, scientific research, authors...these are people who can afford to buy the forums, or even pay hefty amounts to simply have it installed..just some thoughts on that part...mind you I am not saying I see this motive - just that I can see how others see this...

So considering that the copyright notice WILL NEVER be altered from its current state, I suggest the following as one possible advancement in the product...

2.  Links in the footer...Ok, I think that if those running a forum have the option of placing their own notices in the footer that this would negate any effects caused by assumption regarding the wording of the smf copyright.  I believe that the developers feel this way as well...which is why they don't object to allowing this to be done...

Problem with this is that many who are simply reviewing dozens of forums to find the right one will not even know that this is POSSIBLE!  I realize that such people should likely just hire someone to do it for them...but what if they don't know how? What if they hire someone who messes it all up and then blames the forum itself for the difficulties?  This site doesn't plaster offers to hire their services out to do such things...a definite bonus as it shows how serious you are about client relations.

Possible solution...avoid ALL of these future issues by employing an admin section that allows the admin to create and place their OWN Legal notices!  (I think this would greatly improve the product in many ways!)

If someone could make it so that the footer looks similar to this, I think it would be great:

Clickable links of course!

yoursite copyrights | Privacy Policy | Terms of Use | Admin choice 1 | Admin choice 2 | Admin choice 3

Then, below this would be the standard smf copyright notice...

This method would allow the site owner to have clear legal notices, and the smf license would stand out because it would be centered...And unchanged- also no one would have any reason to suggest changes in it anymore...

I would try to make this myself if I knew how to do it...

I think it would need to have forms added to the admin panel where one could add the title to appear in the footer, the position of each title, up to say 2 rows of links (allowing for disclaimers, rules or other stuff they need to add pages for.)   Also of course, the field to add the body of the notice text.  Or possibly arrange it so that there is ONE forum set up specifically for these notices...then when someone uses a link at the footer they are taken to that specific forum...full of all legal type notices that appear in the footer...This would make owners feel protected!

Another thought is to also make it so that these links are added to the footer of the emails that are sent from the site...but this is just a suggestion.

Just some thoughts that I figured I'd throw out for others to think about.

thanks for reading,

Sabastina


Dannii

The GNU GPL isn't as good as people generally think it is. For this reason and others, SMF has its own licence, which is included with it, and located here http://www.simplemachines.org/about/license.php. However, just because it's not GNU GPL, doesn't mean it's not free open software :)
"Never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise."

[Unknown]

If you're worried about post content, or users are, you can direct them to the agreement, which states (by default) in so many words that you remain responsible for all content you post.

You are also free to add under the copyright notice another notice describing the ownership and copyrights as they apply to the post content.

-[Unknown]
