Draconian Fundament

Xore

This morning i received a rather interesting email

=========================

On Apr 12, 2005 6:53 AM, Patrick O’Keefe - phpBBHacks.com wrote:

Hello,

I hope that you are well. I just wanted to ask if you were keeping us updated on the Cash Hack. We’ve pulled it for the moment as we noticed there was a vulnerability reported for it a while back… I just wanted to check to see if you had any updates that you could submit that address that issue so that we can get it back up for everyone.

I appreciate your time.

Sincerely,

Patrick O’Keefe
iFroggy Network - http://www.ifroggy.com

=========================

Now, pardon the hell out of me, but isn’t this email 5 months too late? The security exploit was posted on Bugtraq back in November, and i had phpBB.com’s update posted even before it was released on bugtraq, thanks to about 24 hours head notice. I still don’t know who did it, but once again, my thanks to the group of people that got the report to me so i could have a release available before it got blown wide open. For what little it’s worth, you have to have a server with a really poor security configuration for the exploit to be executable in the first place. With that said, to anyone reading this, if you got your version of Cash Mod off phpBBHacks before this date, or off phpbb.com before mid-november, i recommend you upgrade to Cash Mod 2.2.2. There were also a few other compatibility fixes packaged, most notably a small fix so that it doesn’t break when coupled with the junior admin mod.

My response was as follows:

=========================

Hello,

The problem in Cash Mod was addressed and fixed last year. Updates may be forthcoming if phpBBHacks is willing to guarantee that it would be released as Cash Mod, not Cash Hack. The silence with which my request was met on its original submission and obvious lack of effect was nothing short of an insult. It was determined that no updates would be forthcoming until the situation was rectified. I’m not looking for an apology and I doubt you’d be interested in offering one. All I need is the aforementioned guarantee. Until then, feel free to redirect your users to the updated version on phpBB.com.

It would be nice to see this resolved, as I otherwise have no issue with Cash Mod being released on phpBBHacks.com.

Cheers,

Xore

=========================

Yea, so i sound a bit like i’ve got something big and heavy shoved up my ass. These things may or may not include a gopher, a 6-pack of pilsner, or the state of Ohio. Perhaps my issue here is childish and immature… but i’ll only openly admit to it if the phpBBHacks staff likewise admit that what they did was equally childish, or even moreso, given that i had worded my original request rather politely.

phpBBHacks is a self-titled ‘hacks’ site. i don’t begrudge them that they like to call things hacks. They’re perfectly capable of calling it “The Cash Mod hack” if they want to, and i have no issue with that. Taking the name of my product and changing it without my permission and then releasing it is vaguely similar to Torvalds taking Windows source code, slapping a penguin on the box and releasing it as ‘Microsoft Linux’ — props are still given to Microsoft, but you can be sure there would be a small army of Microsoft lawyers camping out on a front lawn in Finland somewhere the next morning.

I have very distinct views on the differences between what people call ‘Mods’/modifications and what people call ‘Hacks’. I’m not saying my views are correct or should even be an accepted standard… this is merely my opinion. A hack is an extension of software that ‘does what it does’ to extend the functionality. Want an airplane to go faster? use some rope and packing tape to strap a big ol’ extra jet engine on its back. Does it look pretty? Hell no. Does it work? Yes. (theoretically anyway… i can imagine an engineer in Boeing choking on a lunch donut right now, reading this. I know nothing about aerodynamics, but the metaphor still holds). The associated metaphor for a mod would be to upgrade the infrastructure of the plane so that it can support another jet engine in a proper place… under the wings or on the tail, or wherever it is that jet engines go on planes.

That’s the way i see Cash Mod. I’ve put in a significant amount of time seeing to it that it has an installer that’s very easy to use, compared to other mods of a similar size. A fairly-intuitive control panel and a moderate amount of documentation, which people never bother to read. Furthermore, the 2.2 line had been structured to make it very easy to upgrade… the 2.2.1 to 2.2.2 upgrade involved no editing… simply copying the new source in place and optionally running an SQL query to update the internal version number stored in the database.

Anyway, that’s pretty much all i have to say about it. If you’re interested in downloading Cash Mod, you can always get it at phpBB.com. I’ll also be stating here that i’m no longer supporting Cash Mod for phpBB 2.0.x - the time it takes to answer all your questions, especially when most of your questions could be answered by reading the FAQ, is more than i’m willing to donate to it, and cuts into the development time i have for the next version. I’m glad so many of you have enjoyed using Cash Mod. If you want to show your appreciation, feel free to click the ‘Donate’ link in the Cash Mod admin panel.

Edit: The saga continues:

=========================

On Apr 12, 2005 12:40 PM, Patrick O’Keefe - phpBBHacks.com wrote:

Hello,

Thank you for your response.

I’m sorry, but I cannot do that. I edit all descriptions and website content to fit within common words, terms, sentence structure, etc. as best as I can (which isn’t easy with information coming from so many different sources). One of these words/terms is hack instead of mod. Such as how we use templates to describe what some would call styles. We stick to one common word. This is no different from how an editorials site would have a styling guide. It is about consistency and professionalism. On our forums (except for tutorials), people can say whatever word they want and in your hack description, you will have noticed, we didn’t change it. But, on the website pages and website content, we try to keep things as consistent as we can and will continue to do so.

I am no longer interested in hosting your download. We place a great deal of freedom in the hands of authors and allow them to be responsible for their downloads. We do not want to host downloads from authors who do not take this responsibility seriously, such as an author who would knowingly and purposely leave a security issue out there for users to download.

Sincerely,

Patrick O’Keefe
iFroggy Network - http://www.ifroggy.com

=========================

My response:

=========================

Hello

Your email speaks of giving authors freedom to be responsible for their downloads, yet you strip from me the freedom to even name my product. I respect your wish to keep your site consistent and professional. Please understand that I have the same wish as it applies to my own endeavors. I released a piece of software called ‘Cash Mod’, not ‘the cash mod’. Had it been the latter, then I would have no problem with you relabelling it to ‘the cash hack’, this being an issue of common versus proper nouns. Had you instead wanted to call it the Cash Mod hack, then i likewise see no problem with this. However, I did not write, nor release a piece of software called ‘Cash Hack’. If this is incompatible with the way your website operates, that is unfortunate. I find it highly unprofessional of you to have released something under my authorship, renamed, despite my explicit requests at the time that you do not do so, without so much as consulting me on the matter. I regret the series of events that led up to this. This issue should have been resolved then, rather than now.

As for taking my responsibilities as an author seriously, the update in question was released on phpbb.com before notice of it even occurred on bugtraq. The notice I was given was less than 24 hours in advance, yet I had the problem resolved and updated within several hours, having postponed an important appointment I had scheduled for that day in order to do so. It’s worth noting that the security vulnerability in question only affects servers with very poor security configurations (register globals on, remote code inclusion on). While many servers on the internet do indeed have poor configurations, these configurations are generally disabled by default. Over the time I’ve been working with phpBB software, I’ve seen many hacks distributed on your site with similar problems; I believe your attack on my character is unwarranted and not without some measure of hypocrisy.

Have a nice day,

Xore

=========================

6 Responses to “Draconian Fundament”

  1. Edward Says:

    Wow, guess I should never go back to phpBBhacks to download anything again.

  2. Eric Says:

    Don’t these people ever check phpbb.com?

  3. Xore Says:

    Edward Says:
    ….

    Whoa whoa whoa…

    I’m not saying that people should never go back to phpBBhacks. I’m not even here to discredit or defame Patrick… He’s perfectly welcome to do that to himself… I hear he’s alienating lots of developers at phpbbhacks anyway, but that’s only rumor i’ve gotten, and shouldn’t be taken seriously short of more substantial evidence (although… i think what just happened today is evidence enough). I have a lot of respect for the fact that he’s got a thriving development community going, however, i don’t have a lot of respect for him personally. I think it’s pretty clear that my personal opinion of him has hit an all time low. I’m also not really planning to release stuff on phpBBhacks again, less all aforementioned conditions are met, with one addition: this time I -do- require an apology.

  4. Jessily Says:

    You go Xore :p

  5. Edward Says:

    Xore: Sorry for not detailing my comment enough. Well, even before I read this particular post, I’ve heard of many people saying how phpBBhacks released products are old, and some-most have bugs that haven’t been fixed, although the newest version of that product does have it fixed.

    This post that you posted had enough proof in it to tell me that those things I’ve heard were true. Not that I doubted it in the first place… anyways… I see now how Patrick… takes a long time to ask for an update to his MOD database.

    Anyways… I gotta give phpBBhacks some credit… It has more mods than phpBB… although that’s why, I think that they aren’t updating much. Too many things to worry about, and they are adding loads more every… week? without checking through it thoroughly. Some mods there don’t even work.

    Edward

  6. Micheal Says:

    Xore,
    Yikes. That’s about all I have to say. While Patrick does have a nice little empire for himself, it doesn’t do anybody much good to do what he just did to you. I think this is all I can say in public.
