Ron Pope Motorsports                California Custom Roadsters               

Some brief changes

Mike,


I figured you'd been there / done that on the phpbb3 thing, but could you please explain what part of "insecure" is the problem. I mean, what are the security concerns that you have. (Just for my own edification...) Other than something like the donations, and peoples private email addys / passwords, I'm not sure what other security issues there are, and I'd like to know more about that. Yes, phpbb3 is miles better than phpbb2, and from the perspective of the user, I think it could work OK. Tons of forums out there using it now, so it must be fairly adequite. I hadn't considered the security issue, I guess because I don't know what it is. Sometimes being dumb about stuff gives one a false sense of security I guess...
On the donations thing, I was only thinking that perhaps a text block that appeared up in the advertisers area if donations were falling short, say the only on the last 5 days of the month, wouldn't really upset anyone. Just a reminder, not a big link, and not there all the time. Maybe that's not possible, and maybe it's just not a good idea...

Thanks,

Corley
 
Mike,


I figured you'd been there / done that on the phpbb3 thing, but could you please explain what part of "insecure" is the problem. I mean, what are the security concerns that you have. (Just for my own edification...) Other than something like the donations, and peoples private email addys / passwords, I'm not sure what other security issues there are, and I'd like to know more about that. Yes, phpbb3 is miles better than phpbb2, and from the perspective of the user, I think it could work OK. Tons of forums out there using it now, so it must be fairly adequite. I hadn't considered the security issue, I guess because I don't know what it is. Sometimes being dumb about stuff gives one a false sense of security I guess...
On the donations thing, I was only thinking that perhaps a text block that appeared up in the advertisers area if donations were falling short, say the only on the last 5 days of the month, wouldn't really upset anyone. Just a reminder, not a big link, and not there all the time. Maybe that's not possible, and maybe it's just not a good idea...

Thanks,

Corley
There are a lot of hackers out there and Mike has stopped alot from comeing in here and disabling the whole thing.
 
Rick,
I'm not sure that the concern you voiced is any different for one BBs than any other one, that being can a hacker get at the ACP (Administrator's Control Panel). If you get to that, you can do anything you want to any forum site, but I assume that is password protected pretty much the same for one set of software as another. I'm still thinking there must be some other security concerns that Mike has in mind. Getting to the data base would of course be bad, as a hacker could wipe that or corrupt it, but that could be restored / handled through backups I suppose. Keeping phony users out is a difficult problem, and I don't know how Mike handles that, but I'd think there are the same sorts of solutions for any BBS. Anyway, this is not a criticism in any way, but I'd sure like to hear more of what Mike has to say about details of his security concerns if that is the only reason for not using the free software that is out there. No, not an inquisition, I'm just curious... Do these forums have a lot of hacker interference other than fake user IDs put there so they can post ads for viagra or ??? The best thing about being ignorant is it makes me curious...

Corley
 
Corley, there's really not much to do with forum security I care to discuss. Identifying weaknesses in software is just that. And while one package might be better hardened in those areas, it can still be a vulnerability. There are enough crackers out there already, without me loading anyone's gun for them. And I certainly don't want to educate my own assassins, either. :winkn: I always get a kick out of how people will indignantly announce their ACME brand forum was cracked and then go into the precise details of how it happened. Hello? Don't post that stuff, it just gives people ideas.

If you look in the footer, you'll see the required Invision copyright information, but you will also notice it does not announce what version of the software we are running. No sense making life easy for the crackers, aye?

No security scheme is perfect, but some are a lot better than others. It's a bit like home security. The locks on my doors are not dime-store versions any child can bump, they are premium locks that cost a dreadful amount of money. The redundant burglar alarm system I have installed on all my doors and windows is another expense I would rather not pay. But at the end of the day, if a crook is skilled enough and dedicated enough, I'm sure he can waltz right in here and take whatever he chooses. We can pay boatloads of money for locks and alarms, but we're still only keeping the honest people honest.

If you're interested in establishing a forum and open source software is what you must use, my recommendation would be to pay more attention to the MyBB package. Of the freebie scripts, it's one of the best I've ever played with. I find SMF to be slightly better with respect to search engine optimization, but I would still lean toward using MyBB. It's still the difference between night and day, comparing either of them to this package. For the $100/year the IP.Board, IP.Content and IP.Gallery license renewals cost, I'll be staying right where I am, thank you very much. Someone with no experience will doubtless look at the available offerings and figure a forum is a forum is a forum, so why spend any money on forum software licenses. And that's really OK with me, because I just might get hired to fix the cracked freebie site, somewhere down the road. :nod:

Another aspect to keep in mind is that commercial forum packages are sold by companies with paid staff. If an exploit is discovered in a commercial script, a patch rarely takes more than a couple hours to be released. How long will it take to get a patch for one of the freebie sites? I was with vBulletin software for a little over 4 years and when we left them, we had seen five major releases of the software. In the 18 months since converting to Invision, we are running on the second major release and I posted some screenshots of yet another release that will be coming before the end of the year. By comparison, SMF 2.0 has been in development since December 2005, wasn't available as a public Beta release until March 2008 and three years later is still only available as 2.0 Release Candidate 5, which they advise against using in a live, production environment. How long did it take the dev team at phpBB to bring Olympus to the light of day? Five years plus? How long was MyBB 1.6 in development? Over two years? One of my pals is a former MyBB dev, who left in disgust and started writing his own forum software with two other devs, He has since been hired away from that project by Invision, which completely stalled development of the other package.. If someone quits an unpaid position, it gets a little tough to find a suitable replacement, also willing to work for nothing. If someone quits a position at Invision, they hire a new dev and keep right on working.

I've been at this for a lot of years and there really is a method to my madness. If I hadn't considered Invision software to be the best bang for the buck, we wouldn't be running it. And as Forrest Gump would say, that's all I have to say about that. :smile:
 
Mike,


I didn't mean to pry, just curious. I sure don't want to point out any vulnerabilities to anyone either! I guess I'm coming from a different background, you see we don't feel the need to lock our doors at night, and my shop has been unlocked "forever" (unless I leave home for a few days), with all of my tools exposed to anyone coming in to get them. I used to lock things up when we lived in Cal., but no longer feel the need... I've been hit by PC viruses 3-4 times, when I did something stupid like opening an attachment or something, but all in all I feel pretty safe and secure if I just use my head. Plus, if I ever get a hint that something is not quite right, I immediately hit the power off button, to purge it from memory, then as soon as I reboot I run my bevy of scans. Works for me...

I don't question your history of forum software security concerns at all, but on a related subject, what brings you then to believe that Linux is a very secure OS? (You've mentioned that in the past a few times.) I'm not saying that it isn't vastly securer than Windows, but I have to believe that is mostly because people target Windows for hacking a lot more, and just leave Linux alone, not so much that Linux is inherently secure. JMS(tupid)O. Again, I'm not meaning to argue, I'm just curious and since you are very knowledgeable on these things I like to query someone that knows a lot more than I do. (That's how I became a freaking genius on almost everything else already. Uh, well, maybe not!) Don't feel compelled to answer ANY of my queries either, I know you are a busy guy, and I, being retired, probably have more time available for asking than you have for answering. It's always informative to get others perspectives though, and I value your opinions...


On a different topic. I have an idea for a new forum subject / topic. That being, "Shop Tools". For example, a couple weeks ago I had need to reverse a motors direction for a drill press, and also change it to 220v. The motor had a chart for the voltage conversion, but didn't have any way to reverse the direction. I had to dig into the internal connections to isolate the start winding, and rewire it from scratch. It would have been nice to have a place to post an enquiry of what it takes to do that, and it COULD have been useful to someone else in the future. There are a lot of cool back yard type tools that people have built that are not on the shelf at the Ace hardware or NAPA stores, or that are out of price range for the occational user, that some folks might find interesting as well. (Like me, for instance.) Since we are mostly a bunch of builders, it seems a tools topic would be a natural. Just an idea I thought I'd mention.....
Thanks again,
Corley
 
OK, so I don't talk much, if at all. I have learned a great deal of tricks, workmanship, and better ways of doing stuff that I need/want to do on my T. I was/am happy to contribute to keep the information going and maybe, someday, I will know enough to also contribute to the knowledge here. I, for one hope, the BEST T Bucket site on the Web stays up.
Any way it ends up Mike, I appreciate you running this site and keeping it interesting and fun without all the egos and BS I find on other sites. I doubt that I would contribute to any others.
 
(That's how I became a freaking genius on almost everything else already. Uh, well, maybe not!)
I have an avatar I break out on rare occasions, when I feel it is appropriate. It says, "I suck at Life, but I'm WICKED COOL!

Why should I care about anything, when I can be wicked cool? :wolf:

Linux security? I find it is more secure for several reasons. One is what you've already mentioned, Linux users are such a small percentage of users that there's little to be gained by creating cracks on Linux boxes. Call it security through obscurity.

Then there is the Linus Law, named for Linus Torvalds, which states that given enough eyeballs, all bugs are shallow. Which means there is security in transparency. Redmond has a finite number of developers, working to create new code and working to harden existing code. Linux is open to anyone and if you discover a security flaw, you can report it to thousands of other users, or possibly even fix it yourself. If Redmond discovers a security flaw, you'll learn about it when they release the security patch to fix it. Unless, of course, you are unfortunate enough to have your machine exposed to that flaw before the patch becomes available.

Then comes security through diversity, meaning that while most of the world is running some variation of Windows, Internet Explorer and Outlook or Outlook Express, some of us choose to use something different. A single virus, written to target those Windows/IE/Outlook users can cripple them, whereas with Linux we have different distributions with different shells, different packages and different applications.

Port security is something most computer users don't understand. Linux has always been written to open ports for communication and then to close them when finished. I've yet to find a Windows script that can reliably identify the open ports on a Windows box, let alone the unused, open ports.

User permissions are one of the most overlooked aspects of Linux security, but likely one of the most important. In nearly all Linux installations, you have to go out of your way to gain root access to the operating system. In Windows, most people have no concept of what root access even is, let alone knowing whether or not they actually have it (most do). I can give you the details that would allow you to crack my user account on this machine, but since my account is not root, there is no way you can ever cause system-wide damage to the machine. You might be able to create havoc with my personal account, but you will never be able to touch the core operating system.

File permissions are another important security detail in Linux. There simply are no dangerous .exe files to be concerned with in Linux. I can attach a bit of malicious code to an e-mail with a subject line like, "Check out the incredible hOOters on this blond bombshell" and likely crash the majority of the boxes that receive it. To do that in Linux, I would have to send an e-mail with the attachment, that also gave instructions on how to save the attachment to the system, how to give the attachment executable permissions and then explain how to run the executable file.

Something a lot of people don't understand is that you can send a Linux user a malicious file attached to an e-mail, and while it will not have any effect on the Linux machine, by simply forwarding the e-mail on to other Windows users, their machines can be infected. No one will ever get a e-mail virus passed to them from me, because I refuse to forward e-mails. I won't do it, just to prevent e-mail scrapers from picking over multiple e-mail addresses on each server hop. It's a very rare occasion that I will ever address an e-mail to more than one recipient, for the same reason. If I send a message to 10 people and they all turn around and forward the message to ten more people, look at all the possible opportunities for your e-mail address to be scraped.

And don't let the Apple users fool you, those machines have as many security soft-spots as Windows machines. The last advisory I have on file for OS X lists some 37 vulnerabilities. And iOS isn't exactly locked down, either, as the last advisory I have on it lists 4 holes in it. All the iPhone users were hooting it up, because it took so much time and effort to jailbreak Android phones. With an iPhone, all you had to do was visit the JailbreakMe Web site and the phone was automagically jailbroken. Uh-huh. Now think about that one for a bit. JailbreakMe could access and unlock the iPhone operating system, because of a flaw in how the iPhone renders .pdf files. Well, what's to prevent me from placing a malicious file on a Web site and inviting iPhone users to come pay me a visit, so I can exploit the operating system in the very same manner? Since the iPhone is so popular, I imagine there are several iPhone owners reading this post. Were ever aware of how vulnerable your iPhone was, prior to reading this post? Visit this site to save 50% on your next iPhone. PWNED!

The majority of Linux security is common sense thinking and very little else. If a Windows user operates his system with awareness of what the system is capable of doing and uses common sense, he'll not have any problems either. I've been using computers online for 31 years and I've never had a virus on any of my machines.
 
About all I can say is that Sony has a need, maybe this is your next big thing Mike?

Wow, unpatched and no firewall? Seriously?

http://consumerist.com/2011/05/secu...re-was-obsolete-months-before-psn-breach.html

Where did Sony buy their security consulting from? Pandit and Aput's Data Security Services and Screen Door Co. ?

The latest statement I saw has them claiming that users' passwords weren't stored in clear text. Get this Mike, they are hashed. Oh boy, close enough to clear text... why bother? :soapbox:
 
Well folks, you go away for a month or two, (we had an earthquake that killed about 180 people in our city) & when you get back, it looks like the party is over.

But then I kept reading and learned that its "lets party on" but the partyers are all talking computer stuff & I figure its a foreign language to the less gifted such as myself. Tho Im from New Zealand, so I am a foreigner.

And I once had a PayPal account, but forgot the passwords (and everything else actually)so figure that I will have to resurrect it to make my contributions. I made one once, just had to get USD cash sent to another member who made it on my behalf. Told you I was less gifted.

Anyway, I was thinking about the good times Ive has here, and for nostalgia sake here they are:

Got to hear some of Mikes old drag racing stories
Got to talk with Ted Brown
Got to buy some of Rons stuff so one of my projects with have RPM dna in it
Got to see Gerrys bucket build
Got to be on a forum with Danny who built the Leg Show Tee

Regardless of where we go from here, I just want to thank everyone for being part of the forum, and I want to thank Mike for hosting us at his party.

Todd Stevenson
Christchurch
New Zealand
 
My donation status will change this next week, Glad its staying alive........ruggs
 
Thanks for the reminder, Ron. :thumb: If we can stay ahead of the curve on the bills, we'll be in great shape. I paid the bills on 1 June and had enough to cover the next three months still on hand. So matching the quota each month means we'll always be current and we'll also have a 90 day cushion. My initial estimate of a 60 day cushion was in error, because the matching $300 donated by RPM was not part of the Donation Tracker totals.

Now that we've finally got some real summer weather happening, our daily post counts are dropping back a bit. But that matches the model we've charted since Day One, so no real need for concern. Which doesn't address the fact post activity has never been an accurate metric with which to chart site growth. As Rick knows, I could go into post whore mode and pick the post count right back up. :nod: The total members logging into the site each day is another inaccurate method of charting activity, since not everyone logs into the site each day. Traffic numbers are an accurate indication of how active the site actually is.

Here are some interesting traffic numbers for you:

May 2010 saw yet another new traffic record for the site. The previous record was set in April 2011.

As of 20 May 2011, we had already exceeded the total traffic from May 2010.

Comparing the traffic totals from January through May 2010 to the same time period this year, our traffic is up 46.5%.

As of midnight, last night, our total traffic for June 2011 is already 39.09% of June 2010's total traffic numbers. So our June traffic numbers are already looking good.
 
As RPM stated -- Hey it's a new month
Where is all those site donations
I have given mine
Don't get lazy and wait for the next time the site is OUT OF MONEY
Let's keep that 3 month buffer that we built up last month
That way we can keep this site STRONG


JUST MY $25.00 worth
Frank
 

     Ron Pope Motorsports                Advertise with Us!     
Back
Top