Anyone else see this post?

Started by Opentoe, January 23, 2013, 09:23:37 PM


Opentoe

This post was written by the admins at bitcointalk.org. Anyone from SMF see this?
Do you guys at SMF write custom stuff? I'm a little taken back about the security stuff.

The forum's software has proven to be insufficient for our needs. In particular, the general architecture of the code is both insecure and difficult to modify, and the moderation facilities are limited. Therefore, the forum is accepting bids for the job of delivering software that meets the requirements listed below.

I don't care whether you build the software from scratch or just create a bunch of modifications for some already-existing software. There are benefits and drawbacks to both methods which will be considered in relation to the rest of your bid.

Bids should include at least this info:
- A description of the general architecture you plan
- A list of any of the optional features I mentioned that your software will have
- Additional features your software will have that I didn't mention
- Samples of your past code
- A price. If you want links or other "perks", include these as part of the price.

The forum has about 650 760 920 1120 1720 2267 3000 BTC on hand at this moment, but you can bid more than that. If your bid is the best, I'll just wait until the forum has collected the required amount of money.

I will consider offers that only have ~95% of the "required features" listed below, as long as you're delivering a usable product. For example, you don't need to use my preferred programming languages. It's also OK for you to deliver an incomplete (but working and stable) product quickly and then add onto the software after it's being used.

You can't bid on just one aspect such as design or programming. You need to deliver a complete product.

This thread is only for bids, questions from bidders about the specifications, and questions that I have for bidders. Other discussion about this process should go in a separate topic.

Requirements:

Overview of problems with SMF

SMF is very good when viewed from the outside. I like the GUI's look, it has many useful features, and it's fast. However, the code is absolutely terrible. It was clearly written by people who don't have a good understanding of security or coding style. Examples:

- Many of the high-level functions like RemoveTopic can only be used in one place because of the assumptions they make, but the lower-level functions (removeTopics for RemoveTopic) omit important stuff like security checks. When doing anything complex with SMF, I often find myself copy/pasting high-level functions except for a few modified lines.
- Even the low-level functions sometimes misbehave when used outside of their intended area by, for example, printing errors. There's often no way of handling errors yourself without hacks.
- The coding style mostly sucks. The conditional operator is used too much. There's confusing stuff like if(!empty($enabled)).
- A lot of data is cached, but it's difficult to know when cached data is available and where this data is located when it is available. The user's profile data might be in $context['user'], $user_info, elsewhere, or it might not be available yet.
- SMF does crazy stuff like scanning binary attachments for "suspicious strings" (like <?php) in the name of "security".
- Many limits and security restrictions can be bypassed easily by exploiting quirks in the code. There are many easy denial-of-service attacks.
- Logic is tied very closely to presentation.
- Pretty much every SMF modification is buggy in some way or other because modification authors are usually amateurs and because SMF's code is so difficult to deal with.
- Database inconsistency can happen accidentally.

Ideally, what I'd like to get from this project is software very similar to SMF on the outside (similar features, fast, etc.), but with code that is clear and secure, plus a few extra features that SMF doesn't have (mostly moderation-related) listed below.

xrunner

OK, so what do you like about SMF?

Let's play dislikes against likes.

Arantor

Quote
This post was written by the admins at bitcointalk.org. Anyone from SMF see this?
Do you guys at SMF write custom stuff? I'm a little taken back about the security stuff.

This did the rounds a bit back.

Quote
In particular, the general architecture of the code is both insecure and difficult to modify

Mostly FUD.

Quote
Many of the high-level functions like RemoveTopic can only be used in one place because of the assumptions they make, but the lower-level functions (removeTopics for RemoveTopic) omit important stuff like security checks. When doing anything complex with SMF, I often find myself copy/pasting high-level functions except for a few modified lines.

That is actually quite standard design mentality. You put the user facing stuff up top and let the user facing stuff do security checks. Then you have utility functions whose job it is to actually do the work and be left to get on with it.

Quote
Even the low-level functions sometimes misbehave when used outside of their intended area by, for example, printing errors. There's often no way of handling errors yourself without hacks.

So, let me get this straight, you use something out of context, outside of how it was designed and then complain about it?

That's like complaining that your car breaks down when going at 150mph - you're not generally supposed to do it.

Quote
- The coding style mostly sucks. The conditional operator is used too much. There's confusing stuff like if(!empty($enabled)).

Presuming he means ternary, yes, it is used quite heavily. Compactness of code counts for something, as does performance.

Also, there's nothing confusing to a competent programmer about that - $enabled could be a variable of multiple states, if it is not empty, it is logically true, therefore it is enabled. For performance there are times it may not even be defined (whereupon it is false)

Quote
- A lot of data is cached, but it's difficult to know when cached data is available and where this data is located when it is available. The user's profile data might be in $context['user'], $user_info, elsewhere, or it might not be available yet.

$context['user'] and $user_info are mostly the same thing... though it would be nice if they were cleaned up.

If you're not sure about if it's available, check. That's how real programmers do it.

Quote
- SMF does crazy stuff like scanning binary attachments for "suspicious strings" (like <?php) in the name of "security".

How is that crazy? There are scenarios where files can be sent to the user directly. I would also note that back in 2009 there was a hack that got in through an SMF vuln and allowed for servers to be taken over in the worst cases.

Quote
- Many limits and security restrictions can be bypassed easily by exploiting quirks in the code. There are many easy denial-of-service attacks.

I call BS. There is only one DOS scenario I can think of and it's not fixable and other systems have the same problem. You can, at best, mitigate it.

Quote
- Logic is tied very closely to presentation.

Yes, because it's a bit daft doing a lot of logic that you're never going to use >_<

Quote
- Pretty much every SMF modification is buggy in some way or other because modification authors are usually amateurs and because SMF's code is so difficult to deal with.

Nah, it's not because SMF's code is so difficult to deal with, it's because mod authors are usually amateurish. However, that's not SMF's fault that amateurs write code for it.

Quote
- Database inconsistency can happen accidentally.

Um, yes, just as they can for any other system. There is something that can be done, on some configurations only, and that's to do everything in transactions, though there are fairly stiff performance matters to also attend to.

Quote
but with code that is clear and secure, plus a few extra features that SMF doesn't have (mostly moderation-related) listed below.

At this point the guy's talking mostly out of his posterior.

Let me explain. Programming, by definition, is a triangle, with the words 'security', 'performance' and 'customisability/features' at the corners. You can have any two of the three words (one side of the triangle) at the cost of the other.

So you can have very secure, plus either performance or features. Can't have all three. I'd rather have it run faster without being as 'clean' to do it, personally.


EDIT: Likely going to upset some people, but I elaborated on more of his requests/demands/rants, at http://wedge.org/pub/off/7386/bitcointalk-org-$11k-bounty-for-new-forum-software/
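An added illustration of the split discussed above (a user-facing function that runs the checks, a worker function that does not), and of one way to make a copy/pasted caller that forgets the checks fail closed. This is example code, not SMF's; RemoveTopic, removeTopics, RemovalGrant, the `remove_any` permission name and the `topics` table are hypothetical stand-ins.

```php
<?php
// Example code, not SMF's. Names modelled on the RemoveTopic/removeTopics
// split discussed in the thread; table and permission names are invented.

// Low-level worker: does the deletion, performs no authorization itself.
function removeTopics(array $topicIds, PDO $db): int
{
    if ($topicIds === []) {
        return 0;
    }
    $placeholders = implode(',', array_fill(0, count($topicIds), '?'));
    $stmt = $db->prepare("DELETE FROM topics WHERE id IN ($placeholders)");
    $stmt->execute(array_values($topicIds));
    return $stmt->rowCount();
}

// High-level entry point: the only place the permission and session
// checks live. A second caller that copies the body but drops these two
// checks can still reach removeTopics() unguarded.
function RemoveTopic(array $request, array $user, PDO $db): int
{
    if (!in_array('remove_any', $user['permissions'], true)) {
        throw new RuntimeException('Not allowed');
    }
    if (!hash_equals($user['session_token'], (string) ($request['token'] ?? ''))) {
        throw new RuntimeException('Session check failed');
    }
    $ids = array_map('intval', $request['topics'] ?? []);
    return removeTopics($ids, $db);
}

// Hardened variant: the worker demands proof that the checks ran. The
// only way to obtain a RemovalGrant is through issue(), which performs
// the same checks, so a caller cannot skip them by accident.
final class RemovalGrant
{
    private function __construct(public readonly array $topicIds) {}

    public static function issue(array $request, array $user): self
    {
        if (!in_array('remove_any', $user['permissions'], true)
            || !hash_equals($user['session_token'], (string) ($request['token'] ?? ''))) {
            throw new RuntimeException('Not allowed');
        }
        return new self(array_map('intval', $request['topics'] ?? []));
    }
}

function removeTopicsChecked(RemovalGrant $grant, PDO $db): int
{
    return removeTopics($grant->topicIds, $db);
}
```

Requires PHP 8.1 or later for readonly constructor promotion.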

Mick.

Quote from: Opentoe on January 23, 2013, 09:23:37 PM
Do you guys at SMF write custom stuff? I'm a little taken back about the security stuff.

I have been using SMF since 2006. Never been hacked.

Kindred

Lol... Wow...

First of all, arantor did a great breakdown of the bs that is spewing from that guy.
Let me just add this.
SMF has the best security record out of all of the free forum softwares out there.

My site was hacked once... And that was due to a separate installation of Zen Photo. I have been running SMF on various sites since before it was SMF... And those sites have never been hacked through the forum.

ARG01

I have been running SMF since its birth and have set up countless (well over 200) SMF sites for customers. To my knowledge not one has ever been hacked.

Matthew K.

I am very glad that Arantor took the time to reply to those statements, because I would have felt obligated to reply myself.

Arantor

Quote from: Labradoodle-360 on January 24, 2013, 02:40:07 AM
I am very glad that Arantor took the time to reply to those statements, because I would have felt obligated to reply myself.

Why don't you anyway?

Surely it would be better coming from a member of the development team than a regular community member?

Opentoe

Quote from: xrunner on January 23, 2013, 09:26:52 PM
OK, so what do you like about SMF?

Let's play dislikes against likes.

That was a post on another very active large forum at bitcointalk.org. It wasn't my own views. I use SMF myself on a small forum and suits my needs just fine. I've tried phpbb before and just didn't like it. I was just curious to see if anyone else saw that post and what everyone thought, that's all.
I also apologize if that post was spread around here already. Sorry.

Arantor

It wasn't spread around here, it was spread elsewhere.

mashby

Quote from: Arantor on January 24, 2013, 12:14:24 PM
Quote from: Labradoodle-360 on January 24, 2013, 02:40:07 AM
I am very glad that Arantor took the time to reply to those statements, because I would have felt obligated to reply myself.

Why don't you anyway?

Surely it would be better coming from a member of the development team than a regular community member?
You're not the typical regular community member though. Your post count and more importantly your post quality suggests otherwise.

Arantor

A proper statement from a developer would be good too, to reassure people that SMF isn't a seething mess of security pus and boils.

And while I'm not a typical member, I don't have a badge saying otherwise ;) (Nor do I want a badge back, but that's another matter entirely.)

mashby

Bah, so useless are these badges/titles. If SMF is truly "seething mess of security pus and boils", do you think this site would still exist? I think your analysis/breakdown (as Kindred said) is rather great. Lab was acknowledging that.

Arantor

Yeah, you know that and I know that, but I really do think there should be an official answer from the team refuting the points.

* Arantor is curious to know what the official mighty devs would have said :)

mashby

Quote from: Arantor on January 23, 2013, 09:35:28 PM
Quote
This post was written by the admins at bitcointalk.org. Anyone from SMF see this?
Do you guys at SMF write custom stuff? I'm a little taken back about the security stuff.

This did the rounds a bit back.

Quote
In particular, the general architecture of the code is both insecure and difficult to modify

Mostly FUD.

Quote
Many of the high-level functions like RemoveTopic can only be used in one place because of the assumptions they make, but the lower-level functions (removeTopics for RemoveTopic) omit important stuff like security checks. When doing anything complex with SMF, I often find myself copy/pasting high-level functions except for a few modified lines.

That is actually quite standard design mentality. You put the user facing stuff up top and let the user facing stuff do security checks. Then you have utility functions whose job it is to actually do the work and be left to get on with it.

Quote
Even the low-level functions sometimes misbehave when used outside of their intended area by, for example, printing errors. There's often no way of handling errors yourself without hacks.

So, let me get this straight, you use something out of context, outside of how it was designed and then complain about it?

That's like complaining that your car breaks down when going at 150mph - you're not generally supposed to do it.

Quote
- The coding style mostly sucks. The conditional operator is used too much. There's confusing stuff like if(!empty($enabled)).

Presuming he means ternary, yes, it is used quite heavily. Compactness of code counts for something, as does performance.

Also, there's nothing confusing to a competent programmer about that - $enabled could be a variable of multiple states, if it is not empty, it is logically true, therefore it is enabled. For performance there are times it may not even be defined (whereupon it is false)

Quote
- A lot of data is cached, but it's difficult to know when cached data is available and where this data is located when it is available. The user's profile data might be in $context['user'], $user_info, elsewhere, or it might not be available yet.

$context['user'] and $user_info are mostly the same thing... though it would be nice if they were cleaned up.

If you're not sure about if it's available, check. That's how real programmers do it.

Quote
- SMF does crazy stuff like scanning binary attachments for "suspicious strings" (like <?php) in the name of "security".

How is that crazy? There are scenarios where files can be sent to the user directly. I would also note that back in 2009 there was a hack that got in through an SMF vuln and allowed for servers to be taken over in the worst cases.

Quote
- Many limits and security restrictions can be bypassed easily by exploiting quirks in the code. There are many easy denial-of-service attacks.

I call BS. There is only one DOS scenario I can think of and it's not fixable and other systems have the same problem. You can, at best, mitigate it.

Quote
- Logic is tied very closely to presentation.

Yes, because it's a bit daft doing a lot of logic that you're never going to use >_<

Quote
- Pretty much every SMF modification is buggy in some way or other because modification authors are usually amateurs and because SMF's code is so difficult to deal with.

Nah, it's not because SMF's code is so difficult to deal with, it's because mod authors are usually amateurish. However, that's not SMF's fault that amateurs write code for it.

Quote
- Database inconsistency can happen accidentally.

Um, yes, just as they can for any other system. There is something that can be done, on some configurations only, and that's to do everything in transactions, though there are fairly stiff performance matters to also attend to.

Quote
but with code that is clear and secure, plus a few extra features that SMF doesn't have (mostly moderation-related) listed below.

At this point the guy's talking mostly out of his posterior.

Let me explain. Programming, by definition, is a triangle, with the words 'security', 'performance' and 'customisability/features' at the corners. You can have any two of the three words (one side of the triangle) at the cost of the other.

So you can have very secure, plus either performance or features. Can't have all three. I'd rather have it run faster without being as 'clean' to do it, personally.


EDIT: Likely going to upset some people, but I elaborated on more of his requests/demands/rants, at http://wedge.org/pub/off/7386/bitcointalk-org-$11k-bounty-for-new-forum-software/
As titles have no meaning to you and me, here's my official response to said topic as the lead dev.

MrPhil

Quote from: Arantor on January 24, 2013, 11:05:47 PM
It wasn't spread around here, it was spread elsewhere.

(manure spreader)

Arantor

Pretty much. It just so happened that I'd seen it the first time it circulated as well as when it finally made it here.

thearmykid

Hmmm, I can hack with vulnerabilities, but I have never found vulnerabilities to hack on my own forum, like SQL, XSS or RFI. Looks like the developers do well, in fact.

Arantor

Funny, there are XSS fixes in 2.0.4... ;)

thearmykid

Haha, these bloody developers are better at finding vulnerabilities than hackers. LOL xD Love it.
