New vB exploit

Status
Not open for further replies.
Wayne Luke was even more hilarious with his comment about it being passed down to consumers. I wonder if IB's lawsuits are being passed down to consumers as well?
 
It's good to know Internet Brands values the security of its vBulletin customer's boards at below $1,000.

The whole thing reeks of irresponsibility.

a) Why hasn't that thread been hidden? They're aware of the potential exploit, that thread is only serving to make more people aware that there is a potential exploit. It's only a matter of time before someone DOES buy it, and boy will people have red faces when vBulletin.org and others get hacked as a result.

b) It is tantamount to blackmail, but regardless it's a small price to pay even to prove something as false. At least they can then publicise that it's false and put their customers peace of mind at rest.

What an awful company with a **** attitude.
 
Are vB MD5 encrypted passwords salted ? (I know XenForos are) ...
Storing passwords as just MD5 is asking for trouble.

<agree with chris.. in that threads like that should be hidden>

I'm not sure about the black mail part...
 
Not sure I agree with all of the above. You can't justify spending even $1 just because some criminal claims to have an exploit because where does it end? You'd be paying out money to anyone who claims an exploit whether it's true or not. And as vB staff have said, it's blackmail in effect, it's like paying a ransom, isn't this just supporting the criminals and hackers?

This is just picking another reason to "bash" vB and their staff, I thought we weren't doing that in this forum anymore?
 
I have to agree with Ingenious as I have experienced a similar situation. Our server got hacked in some way and the hacker offered to 'help' for x amount which we denied. Although it's not exactly the same as an exploit, I think it's still a bad idea to consent with such practices. It only encourages this bad behavior in the future.

Now if they would approach vB in a different way, like legitimately offering their services to improve security in general that would be different.
 
While on the topic of security.....

IPB also known as IP Board has a total of 9 critical security flaws and 13 non critical.

People have been.... busy .... Looking for things.

Invision Power Services Inc (IPS) developers of IPB / IP Board to the best of my knowledge will not settle in order to resolve issues either. Something they have in common with vBulletin / Internet Brands Inc.
 
Ingenious said:
Not sure I agree with all of the above. You can't justify spending even $1 just because some criminal claims to have an exploit because where does it end? You'd be paying out money to anyone who claims an exploit whether it's true or not. And as vB staff have said, it's blackmail in effect, it's like paying a ransom, isn't this just supporting the criminals and hackers?

This is just picking another reason to "bash" vB and their staff, I thought we weren't doing that in this forum anymore?
Click to expand...

Isn't it a bit pretentious to assume the person selling the exploit is a criminal?
 
The best way is to offer predefined rewards for finding an exploit depending on severity and full disclosure. This encourages quality coding and QA from the get go, as well as encouraging disclosure of exploits as if you find an exploit and don't tell anyone, someone else might beat you to the reward.
 
Ingenious said:
Not sure I agree with all of the above. You can't justify spending even $1 just because some criminal claims to have an exploit because where does it end?
Click to expand...

There are talking points and then there is the real world. Everyone likes to say "don't negotiate with criminals or terrorists", but then they do. Everyone does.....the FBI, CIA, Justice Department, etc.....

What would it have cost IB in testing to discover such a flaw? My guess is quite a bit.

Here is a real world example. Our local sports org had a URL like myaa.net, because someone had purchased the .com - they were a domain squatter in FL who then put the worst Porn pics up on all their sites.....

They did it ONLY so local town would be horrified and then buy the domains! Most all local sport leagues have the "aa" in them for athletic association, so this dude bought thousands of them.

The price was $3K. I remember having a long conversation with our local Police Chief about it. Long story short - they paid the 3K.

You can pay the ransoms and then work harder on security so you don't have to do so in the future.
 
ManagerJosh said:
Isn't it a bit pretentious to assume the person selling the exploit is a criminal?
Click to expand...

It's an assumption on my part, certainly. I am assuming that people who exploit software and then try and sell the exploits, are criminals. I don't know how those actions could be taken as "for the good". Maybe we need a "Hug an exploiter" awareness campaign then if these people are actually working towards world peace?

It's quite different than a corporation offering a bounty for bringing exploits (privately) to the table in the framework Slavik describes.
 
Ingenious said:
It's an assumption on my part, certainly. I am assuming that people who exploit software and then try and sell the exploits, are criminals. I don't know how those actions could be taken as "for the good". Maybe we need a "Hug an exploiter" awareness campaign then if these people are actually working towards world peace?

It's quite different than a corporation offering a bounty for bringing exploits (privately) to the table in the framework Slavik describes.
Click to expand...

There are legitimate security researchers out there who do sell exploits back to the developers for a living. I have a friend who does that and has made quite a bit of money off it.
 
Ingenious said:
It's an assumption on my part, certainly. I am assuming that people who exploit software and then try and sell the exploits, are criminals. I don't know how those actions could be taken as "for the good". Maybe we need a "Hug an exploiter" awareness campaign then if these people are actually working towards world peace?

It's quite different than a corporation offering a bounty for bringing exploits (privately) to the table in the framework Slavik describes.
Click to expand...

Look at it this way....

When you code an add-on you do so for the profit. That profit maybe money or maybe the joy of doing good for others. However the case, the price is set at your own value and it is not criminal.

Finding exploits and reporting them falls under those same principles. You may not want to think of it that way, but it is that way. Period.

XenForo I help debug for free. Because we see a personal value of "profit" in the joy of doing good for others who use XenForo and the development team.
 
Status
Not open for further replies.

Similar threads

JoshyPHP
XF 2.3 Making it easier to release a new version of an add-on
Replies
0
Views
36
JoshyPHP
JoshyPHP
R
XF 2.3 /whats-new/posts/ - Mainnavi WhatsNew / Forum
Replies
3
Views
60
Kirby
K
Taylor J
XF 2.3 Class extension issues for new ThreadType
Replies
3
Views
71
Taylor J
Taylor J
pegasus
Fixed New URL romanization options do not enforce intl extension properly
Replies
6
Views
313
XF Bug Bot
XF Bug Bot
Mr Lucky
Permissions to View thread but not thread content - not applied to new post list
Replies
5
Views
66
Mr Lucky
Mr Lucky
Back
Top Bottom