IPB 2.1.5 Released


Guest IPS News

Posted

Well I have to say something here.
I have been registered here for quite some time, seen a lot of changes, my main concern is and will be the way IPS now conducts this board.

I went to VB for a year, came back here, then after 5 days of users software got hacked like so many users.

Never ever been hacked in 5 years of using Forums (Until I came back).
yep "How's that for timing"?
My first reaction was rage & fury at the way I was treated through support (Still waiting for a reply on a complaint) apparently I complained as they said they had fixed exploit for me but the Iframe issue was still there etc.

What exactly is it for now? (This board)
You sell a product here but no one can comment anymore, without getting a slap!
What happened to the way it was?

Why on earth always direct users to ipsbeyond.
Yep VB has similar setup and has for some time, but at least you can make post for help & make comments, they also give you the most common questions, & help posted on the forum, for things like custom sql queries etc, skin tweaks etc, support is excellent.

Not a moan by far just getting my point across in public, I'm back and intend to stay as long as the Product itself does what I want it to.

I know exploits will always be out there but this was a vicious and nasty one, it damages faith in all of us, & our members.

Best to move on and let time heal the wounds.

Posted

To address specific points:

Never ever been hacked in 5 years of using Forums (Until I came back).


yep "How's that for timing"?


Very bad timing. It's very unfortunate that you switched back during our heaviest spell of reported vulnerabilities. We can't do anything about the vulnerabilities reported other than make timely fixes and make them available. If one chooses to ignore the update and/or not update their software, then we can't be held responsible for the consequences and this is made very clear in our license agreement.



A modicum of irritation is expected and no-one would blame you. However as we explained in the ticket, we can't do anything to remove the cached data your user's browsers have which may still contain the iframe.

Without recovering old ground, the fact remains that we can't do anything about zero day security exploits.

IPB is a very complex application spanning hundreds of files with hundreds of thousands of lines of code. It's a portable application that can be used on linux, OS X, Windows, etc that is accessed by many different browsers. Each OS and browser have their own problems, bugs and security vulnerabilities. Furthermore, IPB is written in PHP and uses either MSSQL, Oracle or MySQL databases each with their own problems, bugs and security vulnerabilities.

It's virtually impossible to produce a piece of software that isn't open to some kind of attack under these circumstances. As a reminder, a lot of the recent vulnerabilities have been due to browser vulnerabilities which leave PHP applications exposed.

Additionally, with "full disclosure" (where the hacker makes the exploit known) the bad-guys have a repository of information on how to attack unpatched boards. Often this involves writing a script to take advantage and to "speed up" the process. We can do nothing about this.

What we can do is be proactive in our approach to security and to notify customers about new updates. As mentioned previously, we've upgraded the security notification system to make it very clear when a security update has been made and we're also going to have our next software revision (IP.Board 2.2.0) audited by a third party to increase security.

Over the last few weeks we've seen a lot of security updates - that's true. Historically, we have a good security reputation. We've only had two active periods this year (early March and late April / early May) where we've had to release updates. We've reacted properly in each case by making ready a fix and making it available and notifying our customers. Security is a constant battle; in that regard we're no different from Microsoft and Apple. We have a very popular and high profile product where the source code is readable by anyone - this makes it a prime target.
Posted

Can I just ask what is happening with the third party security audit you were said to be considering a few months back? I'm guessing that with the recent security concerns and damage that must have done to the invision brand, now would be the ideal time to be pro-active and have that completed?

Posted

I'd like to know how the hackers find such sites that are not quick enough to patch such exploits!

I for one have now taken off any of my domains related to this site IE: My sig & profile.

Some of us cannot always update so quick, no matter what the warning.
Surely there should be a better way to police these so called "Hackers"

Then us the user & the company will suffer a lot less.
Stick them on the moon or something.

A modern world & they still can't catch most hackers, Said.......
Bill Gates is partly to blame, see how secure Apple systems compared to windows!

Posted

Can I just ask what is happening with the third party security audit you were said to be considering a few months back? I'm guessing that with the recent security concerns and damage that must have done to the invision brand, now would be the ideal time to be pro-active and have that completed?


Read the thread more carefully.

I'd like to know how the hackers find such sites that are not quick enough to patch such exploits!





Some of us cannot always update so quick, no matter what the warning.


Surely there should be a better way to police these so called "Hackers"




Stick them on the moon or something.




Bill Gates is partly to blame, see how secure Apple systems compared to windows!


See, IMO this demonstrates emphatically the kind of uninformed attitude that leads to such attacks on companies like IPS.

You can't "police" hackers any more than you can "police" murderers or thieves. You can potentially bring them to justice after they have perpetrated their crimes, but it's much more difficult to stop them from doing it in the first place.

Sites running Invision boards can easily be found in Google through any one of several keyword searches. There is no hiding, assuming your board is public and indexable by spiders.

And what do you mean by "I for one have now taken off any of my domains related to this site IE: My sig & profile"? You mean you're no longer advertising your forums on your sig here? Won't make a difference to your risk of being exploited, I don't think.

IPB is an excellent piece of software which just so happens to be complex, created by people prone to human error or oversight, and running on top of other pieces of software prone to human error or oversight. Furthermore, it often isn't anyone's fault an exploit is present in a piece of software, it's just impossible to forecast every possible one. Exploits are discovered in pretty much every widely available piece of complex software. It is a fact of life. There is no way around this at all.
Posted

You can't "police" hackers any more than you can "police" murderers or thieves. You can potentially bring them to justice after they have perpetrated their crimes, but it's much more difficult to stop them from doing it in the first place.


I merely mentioned "There must be a better way to police"

Sites running Invision boards can easily be found in Google through any one of several keyword searches. There is no hiding, assuming your board is public and indexable by spiders.


Well minimising the risk does no harm


Again if I can minimise the risk why not

IPB is an excellent piece of software which just so happens to be complex, created by people prone to human error or oversight, and running on top of other pieces of software prone to human error or oversight. Furthermore, it often isn't anyone's fault an exploit is present in a piece of software, it's just impossible to forecast every possible one. Exploits are discovered in pretty much every widely available piece of complex software. It is a fact of life. There is no way around this at all.


You seem very protective of IPS, we are all here making statements or views.
I'm annoyed as it's damaged my well established site, no sorries no nothing just the fact IPS are telling us Exploits are always there.

What they don't mention is most are minor, the latest I consider very serious.
I understand FULLY, exploits are all part of.........the www
My point of view on the matter.
Posted

You seem very protective of IPS, we are all here making statements or views.


I've read ellawella's post and was impressed by the impartiality. I don't think he was being "protective" of IPS at all, just truthful in his assessment of the situation. You have had your board attacked, so I can understand how upset you are, but because of that, I think it's your view that is biased. And as for your previous comment about Bill Gates, how did he figure into this discussion? That's quite off topic since we're talking about hacking into code that has nothing to do with Windows or Mac.
Posted

I merely mentioned "There must be a better way to police"


Well, there isn't. Sorry.

Well minimising the risk does no harm


True, but you're minimising the risk by so little an amount it's basically pointless to do. In fact, by removing it you might be losing out on potential traffic from people browsing these forums. A balance to take into consideration.

You seem very protective of IPS, we are all here making statements or views.


I'm annoyed as it's damaged my well established site, no sorries no nothing just the fact IPS are telling us Exploits are always there.



What they don't mention is most are minor, the latest I consider very serious.


I understand FULLY, exploits are all part of.........the www


My point of view on the matter.


Do you still not understand?

There will ALWAYS BE EXPLOITS, both serious and minor, no matter what software you use or who has coded it. Would you rather IPS didn't tell you about new exploits then, if your complaint is that they're telling you exploits are "always there"? I bet that's a pain. :rolleyes:

Sucks your site got hit, but it really is nobody's fault other than the person who released the exploit publicly and the person who carried it out on your board.
Posted

With regards to today's exploit: Do the update instructions work for pre 2.1.6 installations? One of my boards is 2.1.5 and I really don't want to have to shell out $70 to stay secure.

Thanks :)

Posted

I've read ellawella's post and was impressed by the impartiality. I don't think he was being "protective" of IPS at all, just truthful in his assessment of the situation. You have had your board attacked, so I can understand how upset you are, but because of that, I think it's your view that is biased. And as for your previous comment about Bill Gates, how did he figure into this discussion? That's quite off topic since we're talking about hacking into code that has nothing to do with Windows or Mac.


MATT Made this quote:

IPB is a very complex application spanning hundreds of files with hundreds of thousands of lines of code. It's a portable application that can be used on linux, OS X, Windows, etc that is accessed by many different browsers. Each OS and browser have their own problems, bugs and security vulnerabilities. Furthermore, IPB is written in PHP and uses either MSSQL, Oracle or MySQL databases each with their own problems, bugs and security vulnerabilities.


That's why I mentioned Bill Gates (Windows) so hardly see why it's off topic.

As to person who mentioned

Do you still not understand? Are you even fit to be administrating a website and using the software you are?


Was there any need to give a personal attack on my comment?
Well I'm outta this topic, blimey If I can't express my views without personal attacks.

Criticism I can take but personal attacks stuff that.......
Posted

There will never be 100% safety. No matter whether IPB or VBulletin, there always are hackers who try it. Who has problems with that doesn't need a forum operated.

One cannot expect than the IPS makes this as safe of IPB as possible any more.

There isn't more safety. Also not at Vbulletin

Posted

Just confirming this. I am thinking of upgrading my forum, but do not want to mess anything up or lose any data. I have no mods installed, only a couple links I added to the header. Now if I go ahead and upload all of the new files to my server and then follow the instructions in the /upgrade folder do I have to worry about losing any posts, members, data, etc?

Posted

Excellent :) Thanks for providing them publicly!


Hope they'd provide 2.0.4 manual patch instructions publicly too.
Posted

In any case, the patches were attached to an announcement made recently. You are able to download them and apply them to your board.


No, i'm not. "If you are running a version previous to 2.1.6, please update to 2.1.6 by downloading the main download zip."
Where is the 2.1.6 main download? Oh - i'm not a customer anymore, so i'm not allowed to download it.

AND THANK YOU VERY MUCH IPS! MY BOARD JUST GOT HACKED!
But of course you don't care - my licence expired a few months ago. :thumbsup:

And btw: Yes, you wrote in the forum that the licence would include "unlimited" updates., but only 1 year technical support.
But my thread where i asked about that is "magically" gone. Together with all other lies back in the days when you went from providing the software for free to commercial.
Posted

You're wrong - unlimited updates applies to the perpetual licence as was always the case. I can't understand people moaning about things like this, would you expect to get your car serviced for free once the warranty has expired?

Posted

You're wrong - unlimited updates applies to the perpetual licence as was always the case.


No, it was not always the case. According to the date you registered, you don't know what i'm talking about (assuming you were not browsing as guest long before that date).

And yes, why would i not expect to get free updates after paying a fee, when the software was completely free right before?

Anyway this is not the biggest problem here now. The biggest problem is that IPS refuses to help me secure my board, just because my licence expired.

Just for reference, Microsoft even provides security updates to people who have pirated windows. It's common practice to release security updates regardless of version, or customer relation.

As you probably understand, it's frustrating to run a board, when you know someone else has admin access. And you can't get help to fix it.
Posted

So your licence ran out just before some security updates were released. Tough sheezy. That's the way the world works. As pbm says, "would you expect to get your car serviced for free once the warranty has expired?" I assume not.

I honestly wonder if people who complain about not receiving updates after their licence has expired are actually familiar with the ways of the real world in any way shape or form. You paid for a year's updates. That was the contract between you and IPS. Now the year has run out. Therefore you don't get updates anymore.

Just for reference, Microsoft even provides security updates to people who have pirated windows


This is simply not true. Windows Update now checks that the installation being updated is genuine before proceeding.

And yes, why would i not expect to get free updates after paying a fee, when the software was completely free right before?


So you were OK paying a fee after it went paid but now you're desperate for your updates you're saying, "oh, it was free before, can I have some free updates"? At least be consistent in your whining.
Posted

No, it was not always the case. According to the date you registered, you don't know what i'm talking about (assuming you were not browsing as guest long before that date).


IPS honors their agreements. I may not be their biggest fan, but they do take care of their obligations. Those with lifetime licenses get lifetime support. Perpetual license holders get upgrades for as long as there are upgrades made, etc.

Anyway this is not the biggest problem here now. The biggest problem is that IPS refuses to help me secure my board, just because my licence expired.


If you had a support package, a technician would help you. You could also post a message that wouldn't be deleted over at IPSbeyond. The rules here are clear about posting for support--it's not a support board.


Just for reference, Microsoft even provides security updates to people who have pirated windows.


Just for reference, no they don't. Pirated versions of XP can not be upgraded to SP2, for instance.

As you probably understand, it's frustrating to run a board, when you know someone else has admin access. And you can't get help to fix it.


I guess the $30/yr for support doesn't look so expensive now? :lol:
Posted

You paid for a year's updates. That was the contract between you and IPS. Now the year has run out. Therefore you don't get updates anymore.


You have totally missed the point. Sorry.

IPS honors their agreements.


I'm not very sure about that. The problem is that when IPS decided to go commercial (IPB), everything was a mess. They changed the "rules" very often. First promising it's free always, then free for non-commercial, then trial etc. Pricing and licencing types also changed often.

I think it's very suspicious that old posts in this forum have just been deleted. Those are posts from the time when IPB started getting commercial.

I'm not 100% sure that IPS broke their promise to me - therefore it would be very interesting to see my deleted posts from this forum. I'm 100% sure i have posted questions about this, and 95% sure that i asked about it in a new thread i created. If IPS want me to shut up, they can easily prove that i'm wrong, by retrieving that thread from a backup and giving it to me.

And if anyone doubts: I don't care about the money. 150$ or what the unlimited licence costs is dirt cheap. It's about principles - I don't like supporting a company that treats me badly.


About windows and security updates: Yes they do give security updates. Read here if you are in doubt (2nd paragraph)

Archived

This topic is now archived and is closed to further replies.
