Ain't Misbehavin'

So long as no real harm is done, I think finding bugs is extremely beneficial. Especially exploitable ones. Things like the XSS bug recently pointed out are very good to get fixed. Things like Rashakil's rep bot are less important and cause a stir, but I'd label it as mostly harmless (but not necessarily tolerable, entertaning as the fuss was).

Heck, I might have to start coming to the chat room :P

theres's a chat room?

There is an IRC chat:
http://www.daniweb.com/chat/

Hopefully Dave and Josh aren't going to kill me for posting this - what happened was I was wondering if it was a bug that whenever you change your nickname in the IRC chat, the IRC page shows the member with the nickname you chose active (in other words, if I choose the nickname of "joshSCH" before he logs in, the IRC page would show the member joshSCH as active and posting). Then Josh and Dave changed their nicknames to the other's. Here's a little snippet of the log:

Evil_Dave is now known as joshSCH.
Josh: aw what
Josh is now known as joshSC1.
joeprogrammer: Heh >.>
joshSCH: Uh, hu-huh.
joshSCH: Hey Beavis!
joshSC1: shucks
joshSC1 is now known as Dav1.
joshSCH: I think capitalism sucks.
Dav1: lol
Dav1 is now known as Dav3.
joshSCH: Ree-ligion is my name, God is my game.
Dav3: hi everyone, I'm retarded
Dav3: I can't even spell my name
joeprogrammer: You guys crack me up.
Dav3: I need a smoke
Dav3: :D
• joshSCH prays for Dav3.
joshSCH: Dav3, have you found Jesus?
Dav3: Yes, I praise jesus without even thinking for myself!
Dav3: I just do what I'm told, and thats that!
joshSCH: Good.
Dav3: yes sir
joshSCH: Good.
• Dav3 bows to the master
Dav3: What is thy bidding, my master?
joshSCH: Stop playing with yourself.
Dav3: yes, sir. I have my woman, here.
joshSCH: Deflate her.

I thought it was kind of funny -- and stupid, but I certainly didn't expect them to get banned. I admit, I left before the whole thing was finished. But Dave does have a point: it's a vulnerability in the system. Exposing it isn't such a bad thing.

haha.. it's cool, Joe. Yes, Dave and I were playing around a bit in the IRC, and at the same time exposing risks to Daniweb. We were able to change our nicknames, and trick the system into 'thinking' we were different members. While this may be easily uncovered by a simple whois query on our ips, some may still be fooled. I think everyone who registers at Daniweb should automatically have their nick registered in the IRC with the same password as their Daniweb account. And perhaps make people authenticate before using a nick (I'm no IRC guru, so I don't even know if this is possible). Right now this may not be a high priority for Daniweb, but I believe in the future the IRC may become more popular, and thus important to prepare now.

pointing out potential exploits to admins is fine. Doing so by writing and executing that exploit is definitely NOT fine.

True, but the only way to discover some exploits is by trying it yourself.. Wouldn't it be better if a trustful daniweb member discovered something by testing the system through hacking rather than an unknown, potential threat?

rashakil had to have known the hole existed before he started writing that exploit.
He should have reported that hole (plus possibly mentioning ways to abuse it) rather than execute the exploit.

What he did is the equivalent of breaking a rusty lock, clearing out the house, and leaving a note to the effect that you found that the lock was not secure.

Way to go Joeprogrammer, you wern't even there for the bad part of the conversation which is why I banned them. How about thinking before posting. The one thing that I have to say is that pointing out the system, and abusing the system are completely different.

The comments that were made earlier in the conversation are so unacceptable, I won't even repeat them, as they are childish and stupid.

I am still looking at the possabilities to prevent abuse like this in the future, although, I'm sad that I would even have to consider such measures with our userbase.

ya know, I have no idea whats going on :S

surprise surprise.. :p

Sorry about that, blud. It did briefly occur to me that I may have missed something, but based on what you had told me in IRC, I assumed that Dave and Josh and just taken things a little too far. I'm really sorry for jumping in like that.

Wait, it's a bug that people can logon as others on IRC? I thought that was a feature.

What do you think NickServ is for?

True, but the only way to discover some exploits is by trying it yourself.

That line might work had you only done it once, reported the flaw and been done with it. I am scrolling through todays log right ot see you are still doing it. This is not about trying to be "helpful" it's about you just trying to cause problems. Your reputation precedes you Josh.

Regarding the reputation spam ...

As if you had to guess, my take on it is that I am very against doing these things. It could have been just as effective to have come to me privately or posted some feedback saying, "Ya know, you can do so-and-so and that would exploit the system" and I would have said, "Ya know what, you're right. I'll have to figure out a workaround." There are times in life when you have to be at least somewhat diplomatic and follow the appropriate channels before taking extreme action. I can understand in cases where the higherups are ignoring you or aren't listening or don't understand and you feel you have no other alternatives available to get your message across. But that wasn't the case here. Diplomacy really does work. You should try it sometime. It seems to me that the appropriate way to ask for a raise at work is not to go on strike the very first day thinking that will get the message across as efficiently as setting up a meeting with your manager.

On a second note, what went on, especially with the reputation system, I took personal offense to because, for me, at least, this site is not just a nice hangout but it's my livelihood and my career that I hope to be banking the next 40 years of my life on. I can understand how you may think it was fun amusement that it just a couple of hours of extra cleanup duty for me. But it's much more than that. To me, it's the difference between telling some dirty jokes laying by the beach on the weekend and storming into my office at work and being vulgar in front of my boss. I had people to answer to for what you've done. There are advertisers who are my sole source of income who don't want their brands to be associated with such immaturity and there are investors who I have to personally answer to. I fully understand that to you guys the business side of things is for the most part this abstract concept that doesn't affect how you interact with DaniWeb or our community, and the only reason I am even mentioning this is because, well, you asked. :)

Regarding the IRC server, it is behaving exactly as I've designed it. If you don't want others to use your handle, then register it. There are instructions on how to do so on the IRC chat page and they have always been there. Additionally, I allow members to enter a custom handle in their member preferences. Because I have 'Dani' set in my member preferences, going to the IRC page showed that 'Dani' on the IRCs is 'cscgal' on the forums and the person who is logged in as 'cscgal' on the IRCs is an anonymous user. That's the intended behavior.

In fact, upon logging into the IRC server you are presented with an announcement saying to always listen to the ops and opers and not doing so will get you banned.

When an op asked you to stop and you didn't, you got banned. The ban worked.

I consider the entire IRC incident parallel to someone registering with the username 'DaniWeb Administrator' on the forums, refusing to agree to change their username when requested to by a moderator, and subsequently getting banned. That doesn't necessarily make the forums buggy just as coming onto the IRCs, not following the rules, and getting banned as a result, doesn't make the IRC server buggy. On the other hand, what I would consider a problem with the IRC server was if there wasn't an op on hand to handle the situation, just as I would consider it a problem with the forums if they were overtaken with spam and there weren't any moderators to handle it.

Addendum: I don't think that the poll you have for this thread is very fair. It asks the question if whether Pointing Out Issues (Even If Annoying to Admins) is good or bad. I am a huge advocate for constructive criticism and taking in all opinions and I encourage people to point out issues even if I get annoyed that people go on and on about ideas I don't like or if it's annoying because it's a lot of extra work to fix the problems. In that context, I would vote that it's a good thing to let the admins know how you feel even if you think they'll disagree with you (hey, you never know till you ask) or you're constantly annoying them with suggestion after suggestion. I would have voted 'good' if I wasn't aware of the events you were really talking about. In fact, this poll only makes sense in context to those who actually were witnesses to the reputation and IRC events. For that reason, I think the poll is totally biased.

wow.. Never seen you post so serious and business-like (a bit angry, as you certainly have every right to be).. I do agree with you about both issues.. however, the IRC incident wasn't as clear cut as an operator telling someone to stop, and that person not obeying. As I go back and look at the logs, it appears that people were just banned for seemingly no reason without warning.. No need to go into specifics as such an event shouldn't have occurred anyway. I suppose many Daniweb members don't quite know what goes on beneath the very nice looking forums webpages..

I just find the whole thing incredibly disrespectful because it's done despite deliberately knowing that you're crapping on everything I've built over the past couple of years just for the sake of some cheap laughs.

As I said, in the greater scheme of things, these types of actions should only be done by those who have already exhausted all conventional channels to get their point across and still aren't being heard - and most likely not even then. It's just all very disrespectful and distasteful and very offensive at a personal level.

Diplomacy really does work.

From my perspective, not really. There were several threads over several years pointing out issues, and they seemed to fall on deaf ears.

Rashakil accomplished more in a couple hours of festive hackery than in years of diplomacy. You now have a better system, although some might argue that there is still room for improvement.

There are advertisers who are my sole source of income who don't want their brands to be associated with such immaturity and there are investors who I have to personally answer to.

Your investors are not interested in how you would handle attacks to your system? "I hide the bugs" is not an answer.

Sure, the methods were not pleasant for the other end, but I've rarely been party to friendly reports of defects in the field that I can sweep under the rug for a couple years at my leisure. They usually come along just like this -- as an inconvenient annoyance. Although at least this field test was targeted in a limited scope.

Regarding the IRC server, it is behaving exactly as I've designed it.

Well, I was thoroughly confused when Josh changed me into someone else. If that is intended behavior, I guess I'm just new.

When an op asked you to stop and you didn't, you got banned. The ban worked.

I had fun pursuing my limited knowledge of what I could do in chat, but others who know more can obviously do much better. There did happen to be parts at the end in which I was merely trying to figure out who I was and who I could be. "Banned for insisting on void main()".

We were both Central Time, this wasn't going to go on forever.

I consider the entire IRC incident parallel to someone registering with the username 'DaniWeb Administrator' on the forums, refusing to agree to change their username when requested to by a moderator, and subsequently getting banned.

I considered it field testing with a known bug -- which admittedly was fun for the testers at that time.

Addendum

A lot of what I post could be worded differently.

Absent malice, bug investigated for free, I didn't get the beef.

I just find the whole thing incredibly disrespectful because it's done despite deliberately knowing that you're crapping on everything I've built over the past couple of years just for the sake of some cheap laughs.

That's part my quote, mentioned in levity. Obviously your funny bone is tickled differently.

I wish I enjoyed the luxury of having defects detected in the field for free by testers willing to push the boundaries of a programmer's efforts to improve the source. I should be so lucky as be able to berate them for doing so as well.

> There were several threads over several years pointing out issues, and they seemed to fall on deaf ears.

Rashakil accomplished more in a couple hours of festive hackery than in years of diplomacy.

I have always read all feedback passed my way, regardless of whether I've decided to implement everything ever suggested. However, never once has someone brought a bug to my attention that I didn't fix within the day. Had someone simply brought to my attention the idea that someone could go through the same 5 people over and over again in one day I would have done something about it, but no one ever did that. I can give you a 100% guarantee that if someone suggested that such a bot could be designed, the problem would have been fixed within the day. Instead they chose to just create a bot and set it wild before ever approaching me first.

You had to have known the system was broken by watching it in action.

I thought you knew that there wasn't a limit on how much reputation which could be given out per day. I remember specifically reading that there was such a limit, and then soon finding out that there wasn't. Even with this knowledge, it would be easy to write a program to hand out reputation constantly, and ultimately do just as rash did.

> I wish I enjoyed the luxury of having defects detected in the field for free by testers willing to push the boundaries of a programmer's efforts to improve the source

There's a difference between detecting a bug and telling the programmer so they can fix it and detecting a bug and exploiting it and letting the programmer find out on his/her own that there's a bug when they realize their code has already been exploited.

I have always read all feedback passed my way, regardless of whether I've decided to implement everything ever suggested. However, never once has someone brought a bug to my attention that I didn't fix within the day.

Actually, I have sent you notifications of bugs without a reply before. The most recently would be this one:

Hm.. I didn't know if you realized this or not, so I just decided to pm you

When you search for threads/posts or use the 'view posts' link on someone's profile.. the profanity is not filtered in the post preview. Lets use this as an example (hah as I just saw rash's thread in community feedback): http://www.daniweb.com/forums/search3861995.html

There are a couple instances where '****' can be read clearly even though it is filtered out when you view the actual post. I don't know if this is a glitch.. or if you already knew, but I just found out and decided to tell you (Since 13 year olds are allowed to enter, and I don't want you being bitched at for allowing profanity ). I don't mind it, but others might..

Thanks,
Josh

I just checked it again, and yes there is still profanity shown within searches. When such notifications of bugs, however minor, are ignored like this.. it just makes the person feel as though his/her discovery his gone unnoticed. It makes people take a different approach..

> I wish I enjoyed the luxury of having defects detected in the field for free by testers willing to push the boundaries of a programmer's efforts to improve the source

There's a difference between detecting a bug and telling the programmer so they can fix it and detecting a bug and exploiting it and letting the programmer find out on his/her own that there's a bug when they realize their code has already been exploited.

We told you it was a broken system again and again, diplomatically, and it was shrugged away. We tolerated abuses, such as those who might claim a "MySpacer" tie. Nothing was done.

Dash made the issue quite clear in his own way that obviously the rest of us lacked in our prose. Poetry++.

I thought you knew that there wasn't a limit on how much reputation which could be given out per day. I remember specifically reading that there was such a limit, and then soon finding out that there wasn't. Even with this knowledge, it would be easy to write a program to hand out reputation constantly, and ultimately do just as rash did.

The reputation system is a built-in vBulletin feature. If I did mention something about the way it worked in the past, I was most likely just quoting a vanilla install from the vBulletin documentation. I never gave it much thought that it could be exploited because I was just using a vanilla install out of the box and assumed vBulletin had already taken those kind of precautions for me. If someone had brought to my attention that someone could repeatedly hit the same 5 people every day I would have realized that the vBulletin code needed to be altered, which is what I ended up doing.

If someone had brought to my attention that someone could repeatedly hit the same 5 people every day I would have realized that the vBulletin code needed to be altered, which is what I ended up doing.

We did. We mentioned the solution(s) provided elseweb. You shrugged. [edit]We moved on with the working model.[/edit]

Re: profanity in searches

Touche. I do remember getting that PM but I was busy at the time when I got it so I saved it to get to it later and then just completely forgot all about it. I'll work on it right now.

Re: broken system

People were complaining that people were giving each other profane comments in the rep system. I fixed that by making the reputation system public and thought that had fixed that problem. I then saw that people were giving people rep because they liked or disliked the person and pleaded for suggestions of how to fix this, but no one ever gave me any suggestions of what about the system to change - simply that it was currently not working. Finally I got the idea to remove rep points from counting in the Coffee House. No one ever mentioned that the carousel of requiring 5 people before hitting the same person would be something that could be abused by a bot. If that idea had been suggested, I would have done something about it.

Link me to a specific post from the past where the suggestion is made to only let someone rep the same person once per day, which is the change that came from the rep bot. Had anyone made that suggestion pre-bot, it would have been implemented.