Posted at

The image bug is first with other things prioritised in order of importance to general user experience and site wide functionality.

There is a bug that lets people HAVE OTHER USER PASSWORDS EMAILED TO THEM.

-That's the utter, absolute essence and core of it. More detail is just superfluous really.

Absolutely incorrect. This is almost quite literally the same thing we have been hearing for the last, what, month and a half? We need to know what gradual means. Are there milestones involved? Do these milestones have dates? This is something that we can no longer afford to have details skimped on.

Seriously, I'm beginning to think Volte is like Santa Claus or the Easter Bunny. Fun to believe in, but…

Ozoneocean
Posted at

Password thing? Haven't seen it. I looked just then. If it's so great you go and get my password and see what you can find out in the admin forum. :)

Absolutely incorrect. This is almost quite literally the same thing we have been hearing for the last, what, month and a half?
No. It is how it is. No milestones, no dates, nothing. What I told you is all.

Think of it like updates on Craving Control. Which I know you love. :)
Literally, that's how it will progress.

It's not ideal, but that is the situation.

Posted at

Password thing? Haven't seen it. I looked just then. If it's so great you go and get my password and see what you can find out in the admin forum. :)
Absolutely incorrect. This is almost quite literally the same thing we have been hearing for the last, what, month and a half?
No. It is how it is. No milestones, no dates, nothing. What I told you is all.

Think of it like updates on Craving Control. Which I know you love. :)
Literally, that's how it will progress.

It's not ideal, but that is the situation.

Seriously I am starting my own goddamn host.

This is probably the worst way to run a site, especially one that has had, in the past, such a good reputation. There were problems, sure, but they were easy to get around (see: avoid the site at midnight when the server rolled over). Milestones are, as any developer knows, ESSENTIAL for keeping on track with a project, something that seems to be lost here.

Also, I do not know the password exploit (haven't bothered to test it), and if I did I certainly wouldn't hijack an account.

Well… maybe Shadowgamer's.

Ozoneocean
Posted at

Why start your own host? There are a lot already out there…

Like I said, it's not ideal. It's where DD is at this point.
At least we know things are moving.

——
More info when we know more of the progress.

Posted at

Why start your own host? There are a lot already out there…

Like I said, it's not ideal. It's where DD is at this point.
At least we know things are moving.

——
More info when we know more of the progress.

Well, for one, I feel a need to put my money where my mouth is, that's a pretty big deal. Also, a lot of those hosts are lacking in features that I think should be included in a host, or just don't do that great a job of some of the things they do do. Not to mention I have a totally badass domain name just itching to be used.

We know things are moving, sure, but to use your Craving Control analogy, that could very well mean there will be 2.5 months spent before the first fix comes.

Posted at

Password thing? Haven't seen it.


o.O …What's the use of a bug forum if no one reads the damn WERWERSDFSDFSDFsd!!!@! AAAAAAAARGH!

I wanna be a lemming now. *jumps off a cliff*

Ozoneocean
Posted at

I looked in there like I said and still didn't find it.

I'm not the only Admin you know… Skoolmunkee will know, she looks pretty carefully through the bug forum ;)

Posted at

I looked in there like I said and still didn't find it.

I'm not the only Admin you know… Skoolmunkee will know, she looks pretty carefully through the bug forum ;)

SIGH.

http://www.drunkduck.com/community/view_topic.php?pid=563928&cid=230&tid=40820#563928

But you love his comic! :0

I read on faghoot's Wiki!

Please try and stay on topic, this is an important thread and really shouldn't be closed.

Posted at

Ok, images<Password theft.

Tell Volte that. ASAP

I disagree because I've never seen the latter happen.

Even the possibility is serious enough to be looked into instead of worrying about images that are probably so crappy we don't want to see them anyway.

Imagine what would happen if, say, someone got an admin's password and went around deleting subforums and turning everyone's post into child pornography.

4Chan KNOWS that this place exists, after all.
Don't feed the troll.

I think I may have come dangerously close to figuring out the password exploit last night, but I kept running into some weirdness. I did manage to make a script send me my own password to my own email address, but so far that's it. All the admins have to do is contact MadHatter though.

edit:

Also, this thread isn't just about the bugfixes that are needed and when those are happening. It's as much about that as it is about the somewhat ridiculous lack of communication going on. Things like what happened with WWLA and nobody getting PMed about the DrunkDuck presence and not getting any forum posts about it either. Or things like the DD book now, that ended up having artists dropped. That's understandable, given the buyout, but what ISN'T is that it seems there were a fair number of people who were dropped without being told.

MechaZeep
Posted at

yeh this site does need to be fixed.

mishi_hime
Posted at

I think you are on to something anonymousposterchild… keep pushing.
no matter how many people tell you to stop bitching.

hpkomic
Posted at

Also, this thread isn't just about the bugfixes that are needed and when those are happening. It's as much about that as it is about the somewhat ridiculous lack of communication going on. Things like what happened with WWLA and nobody getting PMed about the DrunkDuck presence and not getting any forum posts about it either. Or things like the DD book now, that ended up having artists dropped. That's understandable, given the buyout, but what ISN'T is that it seems there were a fair number of people who were dropped without being told.

I for one would have loved to have known about a table presence at WWLA. I thought we were cool, Platinum. :(

Posted at

The general lack of communication was one of the main themes that was brought up repeatedly in the admin forum. It's why Volte6 later proposed a meeting and yesterday we had our second monthly one. From those meetings, we broke down tasks for Volte6 to look into in hopes that it would be more realistic (baby steps first, giant leaps later.)

Below are the three fixes that we all agreed upon:
1. Image bug
2. Favourite bug
3. Security issues

Changes to the front page will occur after those are addressed (in particular, the tweaking of the features and the news). It is worth noting that nothing is set in stone. We're trying to be flexible here as well. I am simply relaying things to you guys so that you know what was discussed in the meetings. Please do not use that list, braid it into a rope, and hunt Volte6 down for a lynching.

Regarding the DD book, there is very little I want to talk about publicly. I will say though that I had everyone's files and I had checked them, both three years ago and this year, to see if the resolution was correct. Newer contributors' files were checked by either me or SpANG. I was always available through e-mail and I made my concerns known. Volte6 is a nice guy because it's the only explanation I have for him not blocking me on Google Talk even though I ask him every single week (sometimes daily) about the book. (And he wasn't even involved in it!)

(If you are a contributor though and have a concern or complaint, you can still contact me at blackkitty (at.) gmail (dot) com. I don't know how much help I can be for you at this point but I'm actually around.)

I don't know anything about WWLA so I can't offer any commentary.

Posted at

I've added Black_kitty's latest post to the OP. I'm going to be doing this as long as we keep getting updates in an attempt to keep this thread easy to navigate and free of any sort of spin. Basically, what is said by the admins will be posted there. Word for word, no edits unless I am, for some reason, requested by them to remove it.

Start asking questions, people, we've got what looks to be a really good line of communication starting.

Posted at

I haven't checked my favorites since the new update. Not seeing them listed on the sidebar just took away my desire to read them. This is probably just me, but the new layout has pretty much killed my interest in comics that used to be my favorites. Hell, since the new layout, I haven't even glanced at the main page, I've just been heading straight to the forums.

There are tons of complaints, and after reading this thread, I haven't seen anyone actually address any of them. All the admin posts have basically been: "Volte's working on the image problem. Please be patient. He's only one person." All the new information is pretty much useless. The admins have a monthly meeting? Interesting. Never knew that before. But it doesn't seem to affect the site. Maybe it will when they have more meetings, I don't know.

Sorry if I sound like a pessimistic and cynical whiner, but I'm tired and the forums seem to be the only part of this site that is remotely alive.

And why can't Volte let anyone help him with this site? I know hardly anything about hosting webcomic sites, so maybe I'm missing something, but why is Volte the only one who can make changes?

Posted at

I haven't checked my favorites since the new update. Not seeing them listed on the sidebar just took away my desire to read them. This is probably just me, but the new layout has pretty much killed my interest in comics that used to be my favorites. Hell, since the new layout, I haven't even glanced at the main page, I've just been heading straight to the forums.

There are tons of complaints, and after reading this thread, I haven't seen anyone actually address any of them. All the admin posts have basically been: "Volte's working on the image problem. Please be patient. He's only one person." All the new information is pretty much useless. The admins have a monthly meeting? Interesting. Never knew that before. But it doesn't seem to affect the site. Maybe it will when they have more meetings, I don't know.

Sorry if I sound like a pessimistic and cynical whiner, but I'm tired and the forums seem to be the only part of this site that is remotely alive.

And why can't Volte let anyone help him with this site? I know hardly anything about hosting webcomic sites, so maybe I'm missing something, but why is Volte the only one who can make changes?

Well, some of the things we HAVE learned, at least, is that the admins are at least aware that there is a serious communication issue, but possibly that they really didn't have any idea how to approach it. Thankfully, I am loud and awesome. We also now know that we shouldn't expect any updates very fast, considering ozoneocean's remarks about the update schedule being similar to that of Craving Control's.

Basically, I think what we can expect is something like this:
(admins, correct me on anything that is out of order, I'm just going in what seems the most logical priority)

1. Security fixes
2. Image bug
3. Favourite bug
4. The main page

As it stands, there seems to be no ETA on any of this, however, which is what seems the most damning. While this is all stuff that a lot of us have speculated on, we at least now have a more precise confirmation.

Posted at

Basically, I think what we can expect is something like this:
(admins, correct me on anything that is out of order, I'm just going in what seems the most logical priority)

1. Security fixes
2. Image bug
3. Favourite bug
4. The main page

I understand that you're going for what you feel is the most logical but that is not what I listed. ^^;; I don't want to sound cranky but what I listed is what we're expecting. Why would I put image bug as first but then expect you guys to think security is first?

You guys are all free to ask questions but please keep in mind that we may not have all the answers. Sometimes I don't even respond to these kind of threads anymore because well…how many times do you guys want to hear "he's working on it?"

Posted at

Basically, I think what we can expect is something like this:
(admins, correct me on anything that is out of order, I'm just going in what seems the most logical priority)

1. Security fixes
2. Image bug
3. Favourite bug
4. The main page

I understand that you're going for what you feel is the most logical but that is not what I listed. ^^;; I don't want to sound cranky but what I listed is what we're expecting. Why would I put image bug as first but then expect you guys to think security is first?

You guys are all free to ask questions but please keep in mind that we may not have all the answers. Sometimes I don't even respond to these kind of threads anymore because well…how many times do you guys want to hear "he's working on it?"

The… image bug… has priority over the giant XSS exploit that allows you to have user passwords sent to you in plain text?

Now, you can say that it's being worked on all you want, but now we run into a different sort of problem. A somewhat more… drastic one, in that the person working on it has a very warped sense of priorities. Allow me to lay out a very easy potential scenario:

1. Person uses the password exploit to have user password emailed to them. This exploit seems to be able to be tied directly to the username that the password is associated with as well, judging by the reports. If that is the case, it stands to reason that it wouldn't be too hard to get the user's email from this as well. Innocuous enough, it's just a comic host. But let's continue this VERY easy series of events from there.

2. Now we've got somebody who has the username, password and email of a person on this site. Well, if we're lucky, they'll play nice and not do anything with it. If we're realistic, we could see a few accounts goatse'd. If we've got a particularly dickish person, we have them finding if the person has any other accounts anywhere else with the same username or email. It wouldn't be too much of a stretch to assume that some people have the same password for multiple sites. Shit!

3. We now have a situation where somebody's email, maybe a few forum accounts and such are compromised. While this certainly isn't the end of the world by any means, that is a huge security problem that Drunkduck itself has not taken immediate steps to resolve. This is, quite frankly, a bit retarded.

The question at this point isn't "Is he working on it?", it's "Does he know what he's doing?". This seems harsh, but I have to call competence into question here given the situation at hand.

Ozoneocean
Posted at

Look APC, those are actually specialist exploits. We thank Hatter VERY much for finding them, but it's not something any idiot could do. Hatter is pretty damn clever and cluey about that sort of thing, not just some twit script-kiddy like the people who generally try for that sort of thing.

The thing is, this is a comic site. Images are 80% or more of what goes on here. That bug affects EVERY SINGLE user all the time and impacts the operation and reputation of the entire site, constantly. It HAS to be number one priority in this case.

lba
Posted at

We've only got one person working on this, so it's pretty much a given that it's going to take him time to get things done and that he can't really guarantee deadlines due to the fact that he's only one person. Which I suppose brings me to my big question: what's the likelihood we can get Volte some help or something? With a site this big that's growing at the rate it is, it seems like it would really be a good idea to get another coder to help out just to keep up with the expansion of the community.

Maybe you guys could put that on the table with platinum at the next meeting or something.

Ozoneocean
Posted at

We ask that on every possible occasion :)
There is someone coming to help with that now ^_^

Posted at

Look APC, those are actually specialist exploits. We thank Hatter VERY much for finding them, but it's not something any idiot could do. Hatter is pretty damn clever and cluey about that sort of thing, not just some twit script-kiddy like the people who generally try for that sort of thing.

The thing is, this is a comic site. Images are 80% or more of what goes on here. That bug affects EVERY SINGLE user all the time and impacts the operation and reputation of the entire site, constantly. It HAS to be number one priority in this case.

You guys do realise you've been hacked in the past right? On more than one occasion? Three times in as many years, as I recall.

I mean, maybe it's just me, but hey, making sure the users can actually feel secure using the site is a big deal. Not only that, but once he explained what the bug was, I was able to figure out about five theories about how it could be executed. None of them were terribly complicated and one was coming pretty close to working.

You guys are taking a pretty lame attitude towards a big problem. This is not something that you need a working knowledge of everything going on on the DD servers to pull off. Not only that, but the ways that DD has been hacked in the past are still there. This is not some hypothetical situation we're dealing with. Security exploits HAVE been used on this site, and they're STILL open.

Ozoneocean
Posted at

Take a pill Henny-penny. The sky is still there.

We've given you your answers, no need to get alarmist and demand we dance to your tune. :)

Some negligible stuff happened to the site once quite a while ago now. It was due to the use of old PHP here and a simple exploit- a published cross scripting attack. A script kiddie got control of an admin account for an hour or two. That was it.

That hole was plugged by Volte as soon as he learned of it.
—————–

Security is SERIOUS. Everyone knows that. Volte is well aware. All of us make sure that he is. Right now Images come first though.

hpkomic
Posted at

The image bug is an issue, that's true. But we're really, really pushing our luck with this password exploit. Imagine if someone got ahold of your password Ozone, think about what they could probably do with it.

Even worse… what if they got Volte's?

Even if it needs to be done concurrently, or extra help needs to be hired just to help get this managed, even on a temp basis. This has me very worried.

Terminal
Posted at

Some negligible stuff happened to the site once quite a while ago now. It was due to the use of old PHP here and a simple exploit- a published cross scripting attack. A script kiddie got control of an admin account for an hour or two. That was it.

That hole was plugged by Volte as soon as he learned of it.

…wait, so by that statement, does it mean that DrunkDuck has to get "hacked" again just so that some work is done and the exploits are fixed?
