Brandon C (posted November 17, 2006):

I think these independent security audits need to be channeled to another company/individual who can better suit the bill, as obviously Gulftech aren't doing a good job (as it was in testing and auditing with them for a long while, and here Tom comes in two days and finds a lot), considering at least 5 or more major exploits were discovered by Tom in a short series of two days in IPB 2.2.0 recently.
Tim Dorr (posted November 18, 2006):

Call me ignorant, but who is this Tom fellow everyone's talking about?

One of my friends, Someotherguy, has modified our IPB 2.1 installation to check all new posts against Akismet. I'm sure he wouldn't mind if you wanted to contact him about it.

I just made a small hack to limit posting links before you have 3 posts on our forum. It's been extremely effective so far.
Logan (posted November 18, 2006):

> Call me ignorant, but who is this Tom fellow everyone's talking about?

Meet Tom.
Amy T (posted November 18, 2006):

> I think these independent security audits need to be channeled to another company/individual who can better suit the bill, as obviously Gulftech aren't doing a good job (as it was in testing and auditing with them for a long while, and here Tom comes in two days and finds a lot), considering at least 5 or more major exploits were discovered by Tom in a short series of two days in IPB 2.2.0 recently.

Where did you find this data?
Brandon C (posted November 18, 2006):

> Where did you find this data?

Which part? Gulftech are the company that does independent security audits for IPS. Tom (as linked to above) has found many exploits in IPB in the past, and I even permitted him to do one of the exploits on my IPB 2.2.0 dev board and he got into it with no problem. ^_^
Dark Phantom (posted November 18, 2006):

> Which part? Gulftech are the company that does independent security audits for IPS. Tom (as linked to above) has found many exploits in IPB in the past, and I even permitted him to do one of the exploits on my IPB 2.2.0 dev board and he got into it with no problem. ^_^

It doesn't mean that Gulftech did not find those same exploits.

Let me put it this way: who knows how bad IPB 2.2.x would be without the security audit that took place (let's face it, enough changed that it could have been a huge problem). Needless to say, no independent security firm would find every single issue, and the time they took might have been caused by any number of possible issues.

Like I said, enough changed that several weeks on each new feature that was added would be more than reasonable for a security firm. Let me put it this way: IPB 2.2.0 was developed for a really long time, and any delay of IPB 2.2.x was because of the amount of work that went into it.
Brandon C (posted November 18, 2006):

> It doesn't mean that Gulftech did not find those same exploits.
>
> Let me put it this way: who knows how bad IPB 2.2.x would be without the security audit that took place (let's face it, enough changed that it could have been a huge problem). Needless to say, no independent security firm would find every single issue, and the time they took might have been caused by any number of possible issues.
>
> Like I said, enough changed that several weeks on each new feature that was added would be more than reasonable for a security firm. Let me put it this way: IPB 2.2.0 was developed for a really long time, and any delay of IPB 2.2.x was because of the amount of work that went into it.

Don't get me wrong; I'm not bashing IPS for their actions. However, being one of the most widely recognized security auditing companies on the internet, and after auditing IPB for that long and not finding that many major exploits (even if they found any; I don't know whether they did or not), and then you have an individual come along and find several major exploits in IPB in two days, is quite odd. I'm just articulating feedback appropriately for IPS in the fact that they should take this into decision when doing future independent security audits for their products, as the events that have happened in regards to these exploits being found by an individual and missed by a company and a team whose job is that worries me, and tells me something is wrong with that. IPS need to re-evaluate the situation at hand and make changes accordingly by outsourcing to more than one independent security auditing company with a proven record besides Gulftech for maximum efficiency and security purposes.
Dark Phantom (posted November 18, 2006):

> Don't get me wrong; I'm not bashing IPS for their actions. However, being one of the most widely recognized security auditing companies on the internet, and after auditing IPB for that long and not finding that many major exploits (even if they found any; I don't know whether they did or not), and then you have an individual come along and find several major exploits in IPB in two days, is quite odd. I'm just articulating feedback appropriately for IPS in the fact that they should take this into decision when doing future independent security audits for their products, as the events that have happened in regards to these exploits being found by an individual and missed by a company and a team whose job is that worries me, and tells me something is wrong with that. IPS need to re-evaluate the situation at hand and make changes accordingly by outsourcing to more than one independent security auditing company with a proven record besides Gulftech for maximum efficiency and security purposes.

I actually don't disagree with you. How about we agree that IPS should look into using multiple security firms in the future to bring the best possible products to its customers :-)

Like I said, no company would find all the issues, so having multiple firms look at things in different ways is the best solution.

Plus it sounds better than saying they should think about switching companies :-)
Brandon C (posted November 18, 2006):

> I actually don't disagree with you. How about we agree that IPS should look into using multiple security firms in the future to bring the best possible products to its customers :-)
>
> Like I said, no company would find all the issues, so having multiple firms look at things in different ways is the best solution.
>
> Plus it sounds better than saying they should think about switching companies :-)

Yeah, sorry if I portrayed it that way, because I didn't mean to. That's what I was trying to convey, and I fully agree with/support this suggestion that Dark Phantom and I have stated. :)
Amy T (posted November 18, 2006):

> Which part? Gulftech are the company that does independent security audits for IPS. Tom (as linked to above) has found many exploits in IPB in the past, and I even permitted him to do one of the exploits on my IPB 2.2.0 dev board and he got into it with no problem. ^_^

A link to where you got the data would be helpful.
Brandon C (posted November 18, 2006):

> A link to where you got the data would be helpful.

Again, could you please specify "the data" you are referring to? There are no publicly published links for the security exploits that Tom has found.
Amy T (posted November 18, 2006):

> Again, could you please specify "the data" you are referring to? There are no publicly published links for the security exploits that Tom has found.

Then how do you know he found them?

I am not asking for proof; I am asking how Tom came into play. The first time I heard of him finding anything was in this thread. What I am asking is how you know he found them.

It is not that I do not believe you, but it is confusing to me.
Brandon C (posted November 18, 2006):

> Then how do you know he found them?
>
> I am not asking for proof; I am asking how Tom came into play. The first time I heard of him finding anything was in this thread. What I am asking is how you know he found them.
>
> It is not that I do not believe you, but it is confusing to me.

As I already stated before:

> Which part? Gulftech are the company that does independent security audits for IPS. Tom (as linked to above) has found many exploits in IPB in the past, and I even permitted him to do one of the exploits on my IPB 2.2.0 dev board and he got into it with no problem. ^_^

I talked to Tom on MSN about it when he first found them, if you must know. Also, Matt stated it on one of his recent blog entries: http://blog.mattmecham.com/archives/2006/11/dear_diary.html

> Now that IPB is back off to have a final security audit (and thanks to Tom for his work in identifying a few areas (ahem) that needed improvement)
Amy T (posted November 18, 2006):

> As I already stated before:
>
> I talked to Tom on MSN about it when he first found them, if you must know. Also, as it states on Matt's blog at: http://blog.mattmecham.com/archives/2006/11/dear_diary.html

Thank you, that is what I was asking for. I do apologize for not seeing it right away. I was following a different path on this thread, and all at once I hear a name and do not know why, and now thanks to you I do know why.

You have provided me with the data I asked for. Thank you.
TestingSomething (posted November 18, 2006):

> The security audit is not for spammers, it's for people who find and try to abuse shortcomings in IPS's software to gain control of your forum.

I know. Sorry, I worded that all weirdly. I meant to say that I didn't ever understand how features to stop bots would solve the problem of those spammers signing up. lol
Matt (Management) (posted November 20, 2006):

OK, let me set the record straight by mentioning that each release of IPB 2.2.0 has been labeled as 'unsupported' and not fit for use as a public board.

During an early beta release, we sent the code off to Gulftech for the first-pass audit. Gulftech found a few general areas for improvement (extra parsing on all incoming variables, stripping off null byte characters, etc.). The agreement we had with Gulftech was for a two-stage audit: a 'general' one to identify large areas that required improvement, and then a final audit of the final (or near-final) code so that we could identify any areas of code that could be exploited. It made sense to do it this way rather than pay for a single audit on beta code and run the risk of the beta / RC stage changes to the code creating another vulnerability.

Now, Tom - a regular of the IPB community and an all-round good guy - had a peek at IPB 2.2.0 and noticed a lack of cleaning in the IP.Converge folder. He notified us and we sorted it out on the next release. Tom also wrote in with some other issues he'd spotted. A few of them we couldn't get working, another was already fixed due to input cleaning being applied in the converge folders, and a potential 'register_globals' issue we couldn't reproduce. It's a bit of a stretch to say that Tom identified 5 "major vulnerabilities" - I fear this is just sensationalism rather than something Tom has said directly.

Tom has been a massive help and we've given him our thanks for letting us know of the issues. We are confident that Gulftech would have highlighted them on the final audit, but we're certainly grateful for his professionalism and expertise.

I would like to conclude that it would be a stretch of marketing verbiage to claim that the security audit will find every single area that may be exploited. Security is a moving target, and new vulnerabilities are always being found in Apache, PHP and MySQL as well as Firefox and IE. The audit is just a proactive step in making IPB the most secure release possible. We take security extremely seriously, and our big-name customers (AMD, Nvidia, NBC, Sony, etc.) are always targets of malicious users, so extra precaution is a wise step.
Amy T (posted November 20, 2006):

Well, I am glad you're doing it, as I said, as I really do not want to be hacked again.
.Ryan (posted November 20, 2006):

Sounds good to me, you guys work with NBC? Anyways, when is it coming out and how long does a "security audit" take?
Guest (posted November 20, 2006):

Multiple security firms wouldn't be reachable; this would mean another price increase for IPB. It's more than high enough as they are now with the newly announced ones.

Don't understand me wrong, I'm glad IPS is having security audits, but having one by multiple firms seems over the top.