GIJOE - clearly you are a well respected individual who does great things for Xoops. I have used your modules and your advice with great success for which I thank you.

That said, I do feel that if you know something about the security of the XOOPS system that is as valuable as what you have just demonstrated using Herko's account (an offence under section 1 and 2 of the Computer Misuse Act here in the UK BTW), then in the spirit of open-source development you should endeavour to team up with the XOOPS developers to help them make it more secure as opposed to criticising the security of the XOOPS system.

Please don't take this as a criticism - I just like to see everyone as friends making things as good as they can possibly be! If I had the intellect that you and other XOOPS developers have, I'd be on board straight away. Unfortunately, I'm not, so I just have to sit back and enjoy what people like you create for me.

Please make friends!

@GIJOE

Just because you can do something doesn't mean you should. Why not use your skill to better the XOOPS core instead of just making yourself look immature.

What you did in this thread shows an utter lack of respect for Xoops, the Core Team, and the community as a whole. Your point would have been better taken if you would have setup a demo site and invited the Core Team to a demonstration to be immediately followed by a detailed bug report. Instead, you have chosen to make yourself look like just another script kiddie.

BTW... If you decide to make another "point" by hacking my, or anyone else's account or site, you will only be solidifying a reputation of being a hot-headed script kiddie.

::shakes head in disbelief::

hi All.

At first, I've worked for Xoops, the Core Team, and the community as a whole.
The crystal of the effort is my Protector.

Quote:
OK. I'm sorry that I did bad manners.

But, you should know that we've reported again and again from 2004's summer to Herko as a member of core team.

Herko ignored us.

That's the reason why I made Protector for benefits of all XOOPSers.

Inspite of this fact, Herko slandered Protector is just an AntiDoS module.
Moreover, he repeasts blindly "XOOPS is quite secure as is".

I can't permit Herko's attitude at all.

Although I'll never write how to crack anywhere, well-skilled programmer can find the way.

Thus, I shall say again and again.
Install Protector if you want to be cracked.

Quote:

The irony of that is great for the end of the year. I think you mean don't want to be cracked

Is this about not getting Protector code in the core? I'm all for always fixing security issues at the root and then having defences like Protector on top. However, being core or 3rd party if it works I don't see a problem.

The politics of history I'm not aware of is of no interest to me. Makes me think of another battle around here that comes up once in a while.

Happy secure new years to all anyway.
let's all have a pint or sake or some nice tea.

Hello GIJOE,

Quote:
I'm not skill enough in security materials and I think that I'm not alone in this case. Could you teach us how to make secure programming please ?
It could be a real benefice for all of us.

Bye,
Hervé

Quote:

I understand your frustration and I am not trying to discredit your claim. On the contrary, I don't find it hard to believe taht your bug reports may have been overlooked or that nothing has been done about them yet. The point is, there is better ways of getting your point accross.

I don't think anyone here would ever say that your work has not been a benefit to the community. You are a very skilled programmer who has contributed much. But again, don't misuse your skill.

Quote:

I didn't see anything in Herko's post that was all that offensive. Granted, you have a right to your feelings, but what Herko said certainly didn't justify your actions. You could have easily have taken the issue up with Herko in PM instead of performing a very unethical act.

Quote:

While I can certainly appreciate your cautious stance, I personally think your comment is a bit extreme. Yes, XOOPS can be hacked if you want to bad enough. However, if XOOPS is installed on a properly administered server with properly configured admin and chmod settings, it is by far the most secure CMS out there. Note: I am not saying it is hack proof. Nothing is! Not even the Protector module. If it can be coded, it can be hacked, period. That being said, I've developed sites for clients that have been running for over a year with no AntiDOS or Protector module without there ever being the first successful hack. Not one. That certainly is good testiment to XOOPS security. PHP-Nuke didn't last 3 months without being hacked. Is there room for improvement? Yes! But I'd say that the Core Team isn't doing too bad.

I agree that integration of something like Protector into the core would be a tremendous benefit, but I don't think your demonstration is going to hasten protector's inclusion one bit.

I know it's not my place to jump to the defense of Herko or the Core Team, but your actions really disturbed me. You have a tremendous amount of skill. I would hope that your ethics would match your skill. After your "demo" today, I'm not sure that I trust your values enough to want to continue to recommend your modules. If you can't be trusted to make the right choice here, what is to say that you won't embed malicious code in your modules? Think about it carefully. What you did today gave a very bad impression. Do you want the reputation of being the guy who openly hacked the XOOPS site just to make a point? Who is going to trust someone like that? Not me.

The truth shall set you free but first it will piss you off. A quote I remember from somewhere.

Although the awakening may have been rude. It is surely something that we all need to be aware off.

My thanks to GIJOE for the information.

How about an authentication system like CAS.from Yale University?

^^^^^^^^^^^^^^ okay, I call foul.
I think you know what I'm talking about..
if not,
never mind.

Quote:
Are you absolutely sure that Herko received the reports? I am in more or less daily contact with Herko and I am sure he would have mentioned it as we are both very concerned about security issues, but lack the skills to do much about it.

However, Herko may be the XOOPS Project Manager, but as far as I know, he has never committed a single line of code for XOOPS and would therefore not necessarily be the best go-to guy with these concerns. I would suggest Skalpa or Onokazu or maybe even myself as persons better capable of judging the severity of the security holes.
Quote:I don't believe, I have seen Herko slander Protector as just an AntiDoS module - I have seen Herko mention the AntiDoS module, but not in any way say anything like "you don't need Protector as it is just another AntiDoS module and besides, XOOPS is as secure as it gets"

Herko HAS said that XOOPS is quite secure and that it is as secure as we can make it - that does not mean it is as secure as you can make it... We have been requesting feedback, help and a connection to the Asian communities that have so much more knowledge in this area than ourselves, but have not got feedback from you. I can only assume that our requests have been likewise lost in the turmoil and multitude of messages going back and forth.
But I learn that there is a XOOPS fork somewhere out there that you label as the most secure XOOPS at the moment... Why have we never heard of it? That disappoints me.

Come on, let's work on this together, shall we?

@GIJOE: You're unbelieveable. that's scary demo.. come on, let's works on this together.