What is Involved in a code review of phpBB??

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
SamG
Registered User
Posts: 1241
Joined: Fri Aug 31, 2001 6:35 pm

Re: What is Involved in a code review of phpBB??

Post by SamG »

vanderaj wrote: And so the security discussion moves from phpBB to bugtraq where the damage to your users is so much worse.
It doesn't follow that path by necessity, but by choice.

In any event, moderators don't set policy. It's not up to us to decide the merits of the various arguments on how best to handle phpBB security issues, though the community is forever trying to get us so involved. We have administrators, they have a clear policy, and whether you or I agree in whole or in part or even not at all with that policy, that's the way it is.

Now, we as a community can abide by the rules established by the administrators, or we can break those rules. There should be no head scratching when the cause-and-effect process plays out on a rule violation. phpBB is their project, and phpBB.com is their resource. Just like any other .com, there are people who are in charge, and the rest of us aren't. I'm not sure why phpBB.com is often assumed to be an exception and that we can "bend" rules to conform policy and procedure to some higher authority or ethic - by brute force if necessary.

Any constructive criticism over security policy and procedure is best addressed privately to theFinn or to psoTFX. [Re]Hashing these issues out regularly in various phpBB.com forums is counterproductive on several fronts, in my opinion, and ought to be avoided.
"I hate trolls!" - Willow Ufgood

kieroth_whiteleaf
Registered User
Posts: 72
Joined: Wed Apr 07, 2004 7:23 pm

Re: What is Involved in a code review of phpBB??

Post by kieroth_whiteleaf »

Security discussions (just like everything else) aren't my call - BUT -

Bugs don't belong on the forums in a project like this. Here's why:

1) The phpBB team has a good history for having security related bugs patched within a fairly rapid timeframe, at least in the distribution code. Major exploits are corrected fast.

2) More importantly, your average user doesn't upgrade the system nearly as fast as he should. Which means that a publicly posted bug can be exploited on a user's system likely before he knows (or cares) that it's even there.

3) Let's face it - a large percentage of the time security through obscurity works (to an extent). I'm not saying it's ideal, I'm not even saying it's a good policy, but it's FAR better than showing every script kitty on the market how to hack someone.

Obviously, a comprehensive security audit and corrections based on said audit is one of the more ideal solutions, although I'd be willing to bet that even after said audit is complete some kind of hole/exploit will be found (such is the nature of software development).

SFG

psoTFX
Registered User
Posts: 1984
Joined: Tue Jul 03, 2001 8:50 pm

Re: What is Involved in a code review of phpBB??

Post by psoTFX »

blobber wrote: Despite from what vanderaj already mentioned, I don't get what's the point in deleting a posting which is not specifically about any particular security issues, but rather about looking for volunteers who would be willing to participate in a code reviewing effort to -ultimately- support the dev team ? Such a call should be perfectly legitimate, shouldn't it ?
Without wishing to sound rude ... it's not your call. Whoever supposedly deleted a topic/post would have had a good reason for doing so. As Sam says, there are procedures in place which work. So I'd kindly ask you to keep in mind you are not a party to even some of the relevant information.

If vanderaj feels he's been badly treated re: moderation he should contact the moderation team leader. That's his call, not yours. I'd be grateful if you keep that in mind.
blobber wrote: Also, to some extent I think vanderaj's statement about exploits being posted using the bugtracker is worth to think about.
And I think you're quite wrong ... and that's my experience. May I ask what your experience is? We are not CERT ... critical security issues are patched very very quickly and I'd be grateful if you and vanderaj would acknowledge that fact a little more often.

And while I'm replying I'll note how most displeased I am with vanderaj's post to a web application security tracker. It's so far out of context and so out of whack with what's been said here it's not even remotely amusing. I think it entirely appropriate of him to follow that post up to ensure readers know the full story. For a "respected" security commentator to leave the post "as was" without response is IMHO quite poor and will ultimately reflect badly upon him.

blobber
Registered User
Posts: 96
Joined: Wed Mar 16, 2005 6:28 pm

Re: What is Involved in a code review of phpBB??

Post by blobber »

deleted, because psoTFX must have obviously noticed that our opinions do not differ that much ;-)

vanderaj
Registered User
Posts: 29
Joined: Sat Oct 25, 2003 6:57 am
Location: Melbourne, Australia

Re: What is Involved in a code review of phpBB??

Post by vanderaj »

Please close this discussion. Paul's unnecessary, offensive and incendiary posts have riled me so much that I refuse to help.

I've never met such a group who outright refuses to help themselves. Never in my life have I seen a group treat a subject matter expert so poorly and learnt so little from the experience.

I have several e-mails from the movers and shakers in the security industry reflecting my views. My reputation is untarnished, so I don't think that's an issue.

All of my posts are in the open so anyone who cares can come read them until you delete them.

Find another code reviewer before someone reviews it for you and writes exploits.

Andrew

Magnotta
Registered User
Posts: 80
Joined: Wed Feb 09, 2005 12:49 am

Re: What is Involved in a code review of phpBB??

Post by Magnotta »

man, everyone's always ragging on Paul. If I ever had to put up with half the stuff he's had to so far, I wouldn't even be half as nice as he's been/trying to be.

SamG
Registered User
Posts: 1241
Joined: Fri Aug 31, 2001 6:35 pm

Re: What is Involved in a code review of phpBB??

Post by SamG »

Discussion closed, per vanderaj's request.
"I hate trolls!" - Willow Ufgood

psoTFX
Registered User
Posts: 1984
Joined: Tue Jul 03, 2001 8:50 pm

Re: What is Involved in a code review of phpBB??

Post by psoTFX »

Incendiary remarks ... yeah, right ... My saying "We're interested but we can't drop everything right now" ... incendiary, of course, my mistake. Meanwhile vanderaj posts to a security mailing list talking utter nonsense and claims his position is untarnished. As for all your posts being in the open ... well, they're not, are they ... you chose to delete a rather nasty post quite quickly, didn't you. As comments in replies by myself and another user noted at the time. I knew I should set the edit time to zero here :)

Oh, as for "our" treatment of you ... for an "expert in the field" to go about things the way you have, geez. Why didn't you contact at the very least a listed team member privately? Why did you continue posting "in the open" when it was clear to you and other community members that you were not reaching the "correct" people? The vast vast vast majority of replies you received were from community members ... and yet you get riled because "developers" haven't responded. Well, shock surprise, the best way of contacting those people is to talk to them directly. Do you ring Microsoft and tell the operator of a security issue in Windows? Of course not, you email the appropriate persons.

So let's set that straight shall we ... you'd do well in future to talk to the correct people from the get go. Maybe in doing so you'll not annoy other projects as you have our community. I add that again we, the "appropriate people", remain open to such a review despite the rather nasty post vanderaj made to already mentioned security list.

Locked