Alright, seriously, we all need an update.
killersteak at 11:05PM, March 28, 2008
(online)
posts: 144
joined: 1-7-2006
ozoneocean
Password thing? Haven't seen it.


o.O …What's the use of a bug forum if no one reads the damn WERWERSDFSDFSDFsd!!!@! AAAAAAAARGH!

I wanna be a lemming now. *jumps off a cliff*
last edited on July 14, 2011 1:15PM
Ozoneocean at 11:13PM, March 28, 2008
(online)
posts: 28,811
joined: 1-2-2004
I looked in there like I said and still didn't find it.

I'm not the only Admin you know… Skoolmunkee will know, she looks pretty carefully through the bug forum ;)
last edited on July 14, 2011 2:30PM
anonymousposterchild at 11:23PM, March 28, 2008
(offline)
posts: 444
joined: 1-2-2006
ozoneocean
I looked in there like I said and still didn't find it.

I'm not the only Admin you know… Skoolmunkee will know, she looks pretty carefully through the bug forum ;)

SIGH.

http://www.drunkduck.com/community/view_topic.php?pid=563928&cid=230&tid=40820#563928

Atom Apple
But you love his comic! :0

I read on faghoot's Wiki!

Please try and stay on topic, this is an important thread and really shouldn't be closed.
Official DrunkDuck curmudgeon
last edited on July 14, 2011 10:53AM
anonymousposterchild at 1:01PM, March 29, 2008
(offline)
posts: 444
joined: 1-2-2006
Lord Shplane
Atom Apple
Lord Shplane
Ok, images<Password theft.

Tell Volte that. ASAP

I disagree because I've never seen the latter happen.

Even the possibility is serious enough to be looked into instead of worrying about images that are probably so crappy we don't want to see them anyway.

Imagine what would happen if, say, someone got an admin's password and went around deleting subforums and turning everyone's post into child pornography.

4Chan KNOWS that this place exists, after all.
Don't feed the troll.

I think I may have come dangerously close to figuring out the password exploit last night, but I kept running into some weirdness. I did manage to make a script send me my own password to my own email address, but so far that's it. All the admins have to do is contact MadHatter though.

edit:

Also, this thread isn't just about the bugfixes that are needed and when those are happening. It's as much about that as it is about the somewhat ridiculous lack of communication going on. Things like what happened with WWLA and nobody getting PMed about the DrunkDuck presence and not getting any forum posts about it either. Or things like the DD book now, that ended up having artists dropped. That's understandable, given the buyout, but what ISN'T is that it seems there were a fair number of people who were dropped without being told.
Official DrunkDuck curmudgeon
last edited on July 14, 2011 10:53AM
MechaZeep at 1:09PM, March 29, 2008
(online)
posts: 35
joined: 2-10-2008
yeh this site does need to be fixed.
im blue abdie abudie if i was green i would die dabide abedie im blue abadi abadie
visit el comic or something
last edited on July 14, 2011 1:57PM
mishi_hime at 2:22PM, March 29, 2008
(online)
posts: 1,803
joined: 7-17-2006
I think you are on to something anonymousposterchild… keep pushing.
no matter how many people tell you to stop bitching.

Signature.txt
last edited on July 14, 2011 2:03PM
hpkomic at 2:38PM, March 29, 2008
(offline)
posts: 1,031
joined: 1-1-2006
anonymousposterchild
Also, this thread isn't just about the bugfixes that are needed and when those are happening. It's as much about that as it is about the somewhat ridiculous lack of communication going on. Things like what happened with WWLA and nobody getting PMed about the DrunkDuck presence and not getting any forum posts about it either. Or things like the DD book now, that ended up having artists dropped. That's understandable, given the buyout, but what ISN'T is that it seems there were a fair number of people who were dropped without being told.

I for one would have loved to have known about a table presence at WWLA. I thought we were cool, Platinum. :(
last edited on July 14, 2011 12:50PM
Black_Kitty at 3:01PM, March 29, 2008
(online)
posts: 1,485
joined: 1-1-2006
The general lack of communication was one of the main themes that was brought up repeatedly in the admin forum. It's why Volte6 later proposed a meeting and yesterday we had our second monthly one. From those meetings, we broke down tasks for Volte6 to look into in hopes that it would be more realistic (baby steps first, giant leaps later.)

Below are the three fixes that we all agreed upon:
1. Image bug
2. Favourite bug
3. Security issues

Changes to the front page will occur after those are addressed (in particular, the tweaking of the features and the news). It is worth noting that nothing is set in stone. We're trying to be flexible here as well. I am simply relaying things to you guys so that you know what was discussed in the meetings. Please do not use that list, braid it into a rope, and hunt Volte6 down for a lynching.

Regarding the DD book, there is very little I want to talk about publicly. I will say though that I had everyone's files and I had checked them, both three years ago and this year, to see if the resolution was correct. Newer contributors' files were checked by either me or SpANG. I was always available through e-mail and I made my concerns known. Volte6 is a nice guy because it's the only explanation I have for him not blocking me on Google Talk even though I ask him every single week (sometimes daily) about the book. (And he wasn't even involved in it!)

(If you are a contributor though and have a concern or complaint, you can still contact me at blackkitty (at.) gmail (dot) com. I don't know how much help I can be for you at this point but I'm actually around.)

I don't know anything about WWLA so I can't offer any commentary.
last edited on July 14, 2011 11:24AM
anonymousposterchild at 4:53PM, March 29, 2008
(offline)
posts: 444
joined: 1-2-2006
I've added Black_kitty's latest post to the OP. I'm going to be doing this as long as we keep getting updates in an attempt to keep this thread easy to navigate and free of any sort of spin. Basically, what is said by the admins will be posted there. Word for word, no edits unless I am, for some reason, requested by them to remove it.

Start asking questions, people, we've got what looks to be a really good line of communication starting.
Official DrunkDuck curmudgeon
last edited on July 14, 2011 10:53AM
LIZARD_B1TE at 5:46PM, March 29, 2008
(online)
posts: 3,307
joined: 6-22-2006
I haven't checked my favorites since the new update. Not seeing them listed on the sidebar just took away my desire to read them. This is probably just me, but the new layout has pretty much killed my interest in comics that used to be my favorites. Hell, since the new layout, I haven't even glanced at the main page, I've just been heading straight to the forums.

There are tons of complaints, and after reading this thread, I haven't seen anyone actually address any of them. All the admin posts have basically been: “Volte's working on the image problem. Please be patient. He's only one person.” All the new information is pretty much useless. The admins have a monthly meeting? Interesting. Never knew that before. But it doesn't seem to affect the site. Maybe it will when they have more meetings, I don't know.

Sorry if I sound like a pessimistic and cynical whiner, but I'm tired and the forums seem to be the only part of this site that is remotely alive.

And why can't Volte let anyone help him with this site? I know hardly anything about hosting webcomic sites, so maybe I'm missing something, but why is Volte the only one who can make changes?
last edited on July 14, 2011 1:37PM
anonymousposterchild at 5:55PM, March 29, 2008
(offline)
posts: 444
joined: 1-2-2006
LIZARD_B1TE
I haven't checked my favorites since the new update. Not seeing them listed on the sidebar just took away my desire to read them. This is probably just me, but the new layout has pretty much killed my interest in comics that used to be my favorites. Hell, since the new layout, I haven't even glanced at the main page, I've just been heading straight to the forums.

There are tons of complaints, and after reading this thread, I haven't seen anyone actually address any of them. All the admin posts have basically been: “Volte's working on the image problem. Please be patient. He's only one person.” All the new information is pretty much useless. The admins have a monthly meeting? Interesting. Never knew that before. But it doesn't seem to affect the site. Maybe it will when they have more meetings, I don't know.

Sorry if I sound like a pessimistic and cynical whiner, but I'm tired and the forums seem to be the only part of this site that is remotely alive.

And why can't Volte let anyone help him with this site? I know hardly anything about hosting webcomic sites, so maybe I'm missing something, but why is Volte the only one who can make changes?

Well, some of the things we HAVE learned, at least, is that the admins are at least aware that there is a serious communication issue, but possibly that they really didn't have any idea how to approach it. Thankfully, I am loud and awesome. We also now know that we shouldn't expect any updates very fast, considering ozoneocean's remarks about the update schedule being similar to that of Craving Control's.

Basically, I think what we can expect is something like this:
(admins, correct me on anything that is out of order, I'm just going in what seems the most logical priority)

1. Security fixes
2. Image bug
3. Favourite bug
4. The main page

As it stands, there seems to be no ETA on any of this, however, which is what seems the most damning. While this is all stuff that a lot of us have speculated on, we at least now have a more precise confirmation.
Official DrunkDuck curmudgeon
last edited on July 14, 2011 10:53AM
Black_Kitty at 9:13PM, March 29, 2008
(online)
posts: 1,485
joined: 1-1-2006
anonymousposterchild
Basically, I think what we can expect is something like this:
(admins, correct me on anything that is out of order, I'm just going in what seems the most logical priority)

1. Security fixes
2. Image bug
3. Favourite bug
4. The main page

I understand that you're going for what you feel is the most logical but that is not what I listed. ^^;; I don't want to sound cranky but what I listed is what we're expecting. Why would I put image bug as first but then expect you guys to think security is first?

You guys are all free to ask questions but please keep in mind that we may not have all the answers. Sometimes I don't even respond to these kinds of threads anymore because well…how many times do you guys want to hear “he's working on it?”
last edited on July 14, 2011 11:24AM
anonymousposterchild at 9:35PM, March 29, 2008
(offline)
posts: 444
joined: 1-2-2006
Black_Kitty
anonymousposterchild
Basically, I think what we can expect is something like this:
(admins, correct me on anything that is out of order, I'm just going in what seems the most logical priority)

1. Security fixes
2. Image bug
3. Favourite bug
4. The main page

I understand that you're going for what you feel is the most logical but that is not what I listed. ^^;; I don't want to sound cranky but what I listed is what we're expecting. Why would I put image bug as first but then expect you guys to think security is first?

You guys are all free to ask questions but please keep in mind that we may not have all the answers. Sometimes I don't even respond to these kinds of threads anymore because well…how many times do you guys want to hear “he's working on it?”

The… image bug… has priority over the giant XSS exploit that allows you to have user passwords sent to you in plain text?

Now, you can say that it's being worked on all you want, but now we run into a different sort of problem. A somewhat more… drastic one, in that the person working on it has a very warped sense of priorities. Allow me to lay out a very easy potential scenario:

1. Person uses the password exploit to have a user password emailed to them. This exploit seems to be able to be tied directly to the username that the password is associated with as well, judging by the reports. If that is the case, it stands to reason that it wouldn't be too hard to get the user's email from this as well. Innocuous enough, it's just a comic host. But let's continue this VERY easy series of events from there.

2. Now we've got somebody who has the username, password and email of a person on this site. Well, if we're lucky, they'll play nice and not do anything with it. If we're realistic, we could see a few accounts goatse'd. If we've got a particularly dickish person, we have them finding if the person has any other accounts anywhere else with the same username or email. It wouldn't be too much of a stretch to assume that some people have the same password for multiple sites. Shit!

3. We now have a situation where somebody's email, maybe a few forum accounts and such are compromised. While this certainly isn't the end of the world by any means, that is a huge security problem that Drunkduck itself has not taken immediate steps to resolve. This is, quite frankly, a bit retarded.

The question at this point isn't “Is he working on it?”, it's “Does he know what he's doing?”. This seems harsh, but I have to call competence into question here given the situation at hand.
Official DrunkDuck curmudgeon
last edited on July 14, 2011 10:53AM
Ozoneocean at 10:16PM, March 29, 2008
(online)
posts: 28,811
joined: 1-2-2004
Look APC, those are actually specialist exploits. We thank Hatter VERY much for finding them, but it's not something any idiot could do. Hatter is pretty damn clever and cluey about that sort of thing, not just some twit script-kiddy like the people who generally try for that sort of thing.

The thing is, this is a comic site. Images are 80% or more of what goes on here. That bug affects EVERY SINGLE user all the time and impacts the operation and reputation of the entire site, constantly. It HAS to be number one priority in this case.
last edited on July 14, 2011 2:30PM
lba at 10:18PM, March 29, 2008
(online)
posts: 2,751
joined: 5-29-2007
We've only got one person working on this, so it's pretty much a given that it's going to take him time to get things done and that he can't really guarantee deadlines due to the fact that he's only one person. Which I suppose brings me to my big question: what's the likelihood we can get Volte some help or something? With a site this big that's growing at the rate it is, it seems like it would really be a good idea to get another coder to help out just to keep up with the expansion of the community.

Maybe you guys could put that on the table with platinum at the next meeting or something.
last edited on July 14, 2011 1:29PM
Ozoneocean at 10:25PM, March 29, 2008
(online)
posts: 28,811
joined: 1-2-2004
We ask that on every possible occasion :)
There is someone coming to help with that now ^_^
last edited on July 14, 2011 2:30PM
anonymousposterchild at 10:30PM, March 29, 2008
(offline)
posts: 444
joined: 1-2-2006
ozoneocean
Look APC, those are actually specialist exploits. We thank Hatter VERY much for finding them, but it's not something any idiot could do. Hatter is pretty damn clever and cluey about that sort of thing, not just some twit script-kiddy like the people who generally try for that sort of thing.

The thing is, this is a comic site. Images are 80% or more of what goes on here. That bug affects EVERY SINGLE user all the time and impacts the operation and reputation of the entire site, constantly. It HAS to be number one priority in this case.



You guys do realise you've been hacked in the past right? On more than one occasion? Three times in as many years, as I recall.

I mean, maybe it's just me, but hey, making sure the users can actually feel secure using the site is a big deal. Not only that, but once he explained what the bug was, I was able to figure out about five theories about how it could be executed. None of them were terribly complicated and one was coming pretty close to working.

You guys are taking a pretty lame attitude towards a big problem. This is not something that you need a working knowledge of everything going on on the DD servers to pull off. Not only that, but the ways that DD has been hacked in the past are still there. This is not some hypothetical situation we're dealing with. Security exploits HAVE been used on this site, and they're STILL open.
Official DrunkDuck curmudgeon
last edited on July 14, 2011 10:53AM
Ozoneocean at 10:48PM, March 29, 2008
(online)
posts: 28,811
joined: 1-2-2004
Take a pill Henny-penny. The sky is still there.

We've given you your answers, no need to get alarmist and demand we dance to your tune. :)

Some negligible stuff happened to the site once quite a while ago now. It was due to the use of old PHP here and a simple exploit- a published cross scripting attack. A script kiddie got control of an admin account for an hour or two. That was it.

That hole was plugged by Volte as soon as he learned of it.
—————–

Security is SERIOUS. Everyone knows that. Volte is well aware. All of us make sure that he is. Right now Images come first though.
last edited on July 14, 2011 2:30PM
hpkomic at 10:51PM, March 29, 2008
(offline)
posts: 1,031
joined: 1-1-2006
The image bug is an issue, that's true. But we're really, really pushing our luck with this password exploit. Imagine if someone got ahold of your password Ozone, think about what they could probably do with it.

Even worse… what if they got Volte's?

Even if it needs to be done concurrently, or extra help needs to be hired just to help get this managed, even on a temp basis. This has me very worried.
last edited on July 14, 2011 12:50PM
Terminal at 11:39AM, March 30, 2008
(online)
posts: 5,502
joined: 1-6-2006
ozoneocean
Some negligible stuff happened to the site once quite a while ago now. It was due to the use of old PHP here and a simple exploit- a published cross scripting attack. A script kiddie got control of an admin account for an hour or two. That was it.

That hole was plugged by Volte as soon as he learned of it.

…wait, so by that statement, does it mean that DrunkDuck has to get “hacked” again just so that some work is done and the exploits are fixed?
last edited on July 14, 2011 4:13PM
SpANG at 11:47AM, March 30, 2008
(online)
posts: 3,103
joined: 1-1-2006
Okay, I think this has gone around long enough. Ozone and BK have been patient enough in explaining things to all of you.

We understand the exploit. More than most, actually. Admins don't need to be talked at like we are fourth-graders that don't understand the ramifications. We get it. We've mentioned it on a number of occasions to PS, and we are having ongoing conference calls. However, because of certain circumstances that we cannot discuss, the order of fixes is going to work EXACTLY the way Black Kitty has laid out.

Thanks for your concern. The security issue is HUGE, we know. But nothing on this site is ever irreversible.

There is no need for further discussion about this. We will examine it again at the next conference, maybe sooner. But your opinions (and several others BEFORE YOU) have already been noted.

This issue is closed.


“To a rational mind, nothing is inexplicable. Only unexplained.”
last edited on July 14, 2011 3:53PM
