Discussion of NodeBB Updates
-
Then
E_NOREPRO
-
@zecc said in Discussion of NodeBB Updates:
@tsaukpaetra said in Discussion of NodeBB Updates:
Wtf is going on with those image embeds?
That line has been there for a while: https://github.com/boomzillawtf/tdwtf/blob/master/plugins/nodebb-plugin-tdwtf-customizations/custom.less#L75
I presume to neuter Dwarf Fortress screen shots or something similar.
-
Oh hey, that was fun, I read all the way up to the last page, realised I was logged out, logged in, and was booted back to page 26. I guess that's where my bookmark was
In all seriousness, guys, I want to spend a quick minute to mention that we've taken your criticisms to heart and want to come up with a solution that doesn't seem like we're raking in money and expecting free pull requests when things go sideways.
UI/UX bugs and oddities aside, we want to focus on security and penetration testing, and so we've reached out to Hackerone and Bugcrowd. They've given us quotes, but they're beyond what I was expecting to pay*.
Bug bounty aside, these programs seem to want me to pay a large amount of money (in my view) for access to their system... but aren't these programs basically CRUD apps with nice interfaces to track vulnerabilities and host leaderboards so security researchers can show others how well they fared against each other?
Not that I'm complaining, I think that the social aspect is great, but I personally feel that goes contrary to the whole premise of a bug bounty program: to have security researchers help projects find holes in software. I'm feeling a bit conflicted about whether gamifying the penetration testing industry is a net positive or not.
I'll paste what I wrote earlier today to a security researcher who reached out to us:
As project owners, our goal is to produce high-quality software with no security vulnerabilities, and so having exposure to security researchers is a plus. So I should ask, would a self-managed bug bounty program be a deterrent to you and your colleagues?
We don't quite know what we're going to do with respect to a bug bounty system yet, but we're more than happy to establish one privately and see where that goes. At the start we're matching Discourse's payout strategy:
- Medium – CSRF / exploit that causes a user to perform an operation they didn't explicitly consent to ($128)
- High – XSS exploits ($256)
- Critical – exploit resulting in privilege escalation to admin, or downloading the site database ($512+)
Standard spiel about not testing against community.nodebb.org applies (use try.nodebb.org), social and physical attacks don't count... disclose all discovered vulnerabilities to security@nodebb.org.
* I want to point out here, that I'm not a security researcher, nor do I have much exposure to the pentesting community, and so if the prices I was quoted are in the standard range, then I am the one who is misinformed. The last thing I want to do here is come off as hypocritical.
-
@julianlam said in Discussion of NodeBB Updates:
$128
$256
$512+
lol really? That's so nerdy the rofl might just attract people...
-
@tsaukpaetra said in Discussion of NodeBB Updates:
@julianlam said in Discussion of NodeBB Updates:
$128
$256
$512+
lol really? That's so nerdy the rofl might just attract people...
It's $512+ so they have the option to pay out $655.36.
-
@tsaukpaetra I will admit I found the payout figures amusing. I can't take credit for that one though.
-
@julianlam said in Discussion of NodeBB Updates:
Oh hey, that was fun, I read all the way up to the last page, realised I was logged out, logged in, and was booted back to page 26. I guess that's where my bookmark was
Haha! I notice a critical bug in my own product and instead of feeling ashamed at shipping such a buggy piece of crap I just draw a smiley and move on with my life! I R PROFESSAL SOFRWRE DEVELOR!
-
@blakeyrat said in Discussion of NodeBB Updates:
@julianlam said in Discussion of NodeBB Updates:
Oh hey, that was fun, I read all the way up to the last page, realised I was logged out, logged in, and was booted back to page 26. I guess that's where my bookmark was
Haha! I notice a critical bug in my own product and instead of feeling ashamed at shipping such a buggy piece of crap I just draw a smiley and move on with my life! I R PROFESSAL SOFRWRE DEVELOR!
Not knowing where you've been seems pretty standard nowadays..
-
Rep. Ben Ray Luján, head of the Democratic Congressional Campaign Committee
not to be confused with @ben_lubar lojban... amirite?
-
@julianlam said in Discussion of NodeBB Updates:
We don't quite know what we're going to do with respect to a bug bounty system yet, but we're more than happy to establish one privately and see where that goes. At the start we're matching Discourse's payout strategy:
discourse had a payout strategy?
@julianlam said in Discussion of NodeBB Updates:
High – XSS exploits ($256)
Fuck, i gave away free discourse XSS for nothing and then got a pittance of a donation of $25 later, only because i'd submitted a required # of bugs to their shitty forum too?
@julianlam said in Discussion of NodeBB Updates:
* I want to point out here, that I'm not a security researcher, nor do I have much exposure to the pentesting community, and so if the prices I was quoted are in the standard range, then I am the one who is misinformed. The last thing I want to do here is come off as hypocritical.
hell, you're willing to pay for security, you're already 1 step ahead of
-
@julianlam now you just need to gain admin powers, act like a jackass and start jeffing posts, and then you'll have dozens of good security devs motivated to crack this shit wide open for free.
-
@julianlam at the place I'm just leaving, we did have access to Qualys and its automated test suite. While not perfect by any means, it did at least find things in our platform.
For £635 a year, it's not entirely ridiculous and we found it was a magic badge of getting things through big name clients. Like being ISO 27001 certified is a free pass with certain awkward customers.
-
@julianlam said in Discussion of NodeBB Updates:
@tsaukpaetra I will admit I found the payout figures amusing. I can't take credit for that one though.
Neither can they. That particular trait apparently started with Donald Knuth and bugs in TeX.
-
@arantor qualys any good? I'm used to the shittacular type of auditors that know fuck-all about IT security and couldn't even find the blindingly obvious exploits that I've complained about for years.
but hey, they'll run nmap and portscan you for noobsploits and call it a day.
-
@arantor Feel free to share details via the appropriate channels ;)
-
@darkmatter for automated scans they aren't terrible. Yes, it does the usual port scan shite, but it does at least try to do interesting XSS type attacks on things. We found many issues on our platform with this.
Note that you can easily end up with a report hundreds of pages long where it ends up being the same thing over and over and the automated scanner doesn't know any different.
I believe you can ask for a free trial of the platform to get a feel for it and whether it will be of any use to you.
-
@blakeyrat said in Discussion of NodeBB Updates:
@julianlam said in Discussion of NodeBB Updates:
Oh hey, that was fun, I read all the way up to the last page, realised I was logged out, logged in, and was booted back to page 26. I guess that's where my bookmark was
Haha! I notice a critical bug in my own product and instead of feeling ashamed at shipping such a buggy piece of crap I just draw a smiley and move on with my life! I R PROFESSAL SOFRWRE DEVELOR!
Where's the bug? That it didn't update the bookmark for a logged out user?
It may have been a bug that caused him to get logged out, or a session might have expired.
-
@jaloopa said in Discussion of NodeBB Updates:
a session might have expired
Is the most likely cause. I doubt even the rat would claim that session expiry is a bug.
-
@raceprouk said in Discussion of NodeBB Updates:
I doubt even the rat would claim that session expiry is a bug
Depends if he's already doubled down or not
-
@darkmatter said in Discussion of NodeBB Updates:
discourse had a payout strategy?
12 listed here: http://thesecuritynews.com/topics/discourse/
-
@arantor said in Discussion of NodeBB Updates:
@julianlam at the place I'm just leaving, we did have access to Qualys and its automated test suite. While not perfect by any means, it did at least find things in our platform.
For £635 a year, it's not entirely ridiculous and we found it was a magic badge of getting things through big name clients. Like being ISO 27001 certified is a free pass with certain awkward customers.
HPE Fortify is pretty good too. I'm most impressed by its auditor interface -- it gives you exactly the scenario it's positing ("if this happens, then that happens..."), letting you click through each frame in the stack to view the relevant source code. And (thank God) it allows you to select multiple findings at once and enter one comment/resolution that applies to all of them. I consider that a must for any static code analysis as false positives are inevitable.
-
@heterodox Qualys isn't static code analysis. It literally tries various types of attacks directly on your website (presumably a test instance!) and lets you know if it succeeded and how it determines this. Even does things like SQL injection testing.
That said, there is a place for static analysis too. The tooling for PHP isn't as good as I'd like it to be though...
-
@arantor said in Discussion of NodeBB Updates:
@heterodox Qualys isn't static code analysis. It literally tries various types of attacks directly on your website (presumably a test instance!) and lets you know if it succeeded and how it determines this. Even does things like SQL injection testing.
That said, there is a place for static analysis too. The tooling for PHP isn't as good as I'd like it to be though...
Acknowledged. Fortify is static code analysis, though, hence my comment. Different tools for different vectors.
-
@arantor said:
£635
£635 we can do. A figure an order of magnitude higher (and then some) makes me pause. But on the other hand, HackerOne and Bugcrowd are not automated tools, though I bet some of their members would troll new accounts and run automated tools for quick money...
-
@jaloopa said in Discussion of NodeBB Updates:
Where's the bug? That it didn't update the bookmark for a logged out user?
It may have been a bug that caused him to get logged out, or a session might have expired.
It was because the last time I was in this topic was when you guys were still posting around page 29. For all I know that could've been last week
Me reading up to the latest as anon doesn't update my bookmark for my logged in user, of course.
It reminds me of https://github.com/NodeBB/NodeBB/issues/2563, which I closed because it added complexity, but this bug makes it something to re-consider opening.
-
@ben_lubar said in NodeBB Updates:
Expect giant pink rabbits everywhere.
if i see one on the forum as an easter egg i will be SEVERELY disappointed in you. -_-
just a warning.
:-P
-
@accalia said in Discussion of NodeBB Updates:
@ben_lubar said in NodeBB Updates:
Expect giant pink rabbits everywhere.
if i see one on the forum as an easter egg i will be SEVERELY disappointed in you. -_-
just a warning.
:-P
No forum easter eggs, but LOOK AT THE CUTE BUNNY
-
@accalia said in Discussion of NodeBB Updates:
@ben_lubar said in NodeBB Updates:
Expect giant pink rabbits everywhere.
if i see one on the forum as an easter egg i will be SEVERELY disappointed in you. -_-
just a warning.
:-P
Well, he did say rabbits plural, so....
-
@ben_lubar said in Discussion of NodeBB Updates:
THE CUTE BUNNY
is not pink.
Also, apparently nested quotes aren't working anymore....
edit: Good though, the raw is correct...
-
@tsaukpaetra said in Discussion of NodeBB Updates:
@ben_lubar said in Discussion of NodeBB Updates:
THE CUTE BUNNY
is not pink.
Also, apparently nested quotes aren't working anymore....
You can dye the mounts any color you can dye your armor, and I have hot pink dye unlocked.
-
@tsaukpaetra said in Discussion of NodeBB Updates:
edit
Apparently, submitting an edit just disables the submit button and doesn't dismiss the composer when it's saved.
Edit: testing...
Edit edit: Yeah, and apparently the websocket dies too...
Edit again!
Yes?
-
@tsaukpaetra said in Discussion of NodeBB Updates:
@accalia said in Discussion of NodeBB Updates:
@ben_lubar said in NodeBB Updates:
Expect giant pink rabbits everywhere.
if i see one on the forum as an easter egg i will be SEVERELY disappointed in you. -_-
just a warning.
:-P
Well, he did say rabbits plural, so....
if i see multiple i see one and one is the trigger threshold.
-
@tsaukpaetra said in Discussion of NodeBB Updates:
@tsaukpaetra said in Discussion of NodeBB Updates:
edit
Apparently, submitting an edit just disables the submit button and doesn't dismiss the composer when it's saved.
Edit: testing...
Edit edit: Yeah, and apparently the websocket dies too...
Oops. Is it fixed now?
-
@accalia said in Discussion of NodeBB Updates:
@tsaukpaetra said in Discussion of NodeBB Updates:
@accalia said in Discussion of NodeBB Updates:
@ben_lubar said in NodeBB Updates:
Expect giant pink rabbits everywhere.
if i see one on the forum as an easter egg i will be SEVERELY disappointed in you. -_-
just a warning.
:-P
Well, he did say rabbits plural, so....
if i see multiple i see one and one is the trigger threshold.
FWIW, I am with @accalia on this one.
-
Shit. I probably just made that an eventuality.
Goddamn it.
-
@ben_lubar said in Discussion of NodeBB Updates:
@tsaukpaetra said in Discussion of NodeBB Updates:
@tsaukpaetra said in Discussion of NodeBB Updates:
edit
Apparently, submitting an edit just disables the submit button and doesn't dismiss the composer when it's saved.
Edit: testing...
Edit edit: Yeah, and apparently the websocket dies too...
Oops. Is it fixed now?
It appears not as broken now, if only slightly...
-
@polygeekery said in Discussion of NodeBB Updates:
Shit. I probably just made that an eventuality.
Goddamn it.
I'll definitely post pictures of the Springer mount dyed hot pink when I get it, but it's not going to be in random non-GW2-related parts of the forum unless someone copies it there.
-
@ben_lubar said in NodeBB Updates:
Post revision history! You can allow other users to see your edits in your profile settings.
Great, now we just need to make it so that it's enabled by default for certain users (*cough* fbmac) and they can't turn it off...
-
@ben_lubar IMO you could be free to put easter eggs and pranks in the garage, all the over-sensitive users already avoid there anyway, and it would be amusing
-
@wharrgarbl said in Discussion of NodeBB Updates:
@ben_lubar IMO you could be free to put easter eggs and pranks in the garage, all the over-sensitive users already avoid there anyway, and it would be amusing
so, if i'm understanding it correctly @wharrgarbl is advocating putting this:
as the background of the garage?
that's...... possibly the worst idea ever.
-
@accalia said in Discussion of NodeBB Updates:
that's...... possibly the worst idea ever.
Yeah, the image is way too small to be a background.
-
@ben_lubar said in Discussion of NodeBB Updates:
@accalia said in Discussion of NodeBB Updates:
that's...... possibly the worst idea ever.
Yeah, the image is way too small to be a background.
would it surprise you to learn that i deliberately downsized it so you wouldn't be able to use it as is because i want no part of the blame for you actually implementing @wharrgarbl 's idea?
cause it's true.
-
@accalia we need a new fox for that one to work in a good flame war
-
@wharrgarbl said in Discussion of NodeBB Updates:
@accalia we need a new fox for that one to work in a good flame war
the original fox won't play with flames, ask @Perverted_Vixen, she likes wax play so she might like fire play too.
-
@ben_lubar said in Discussion of NodeBB Updates:
@accalia said in Discussion of NodeBB Updates:
that's...... possibly the worst idea ever.
Yeah, the image is way too small to be a background.
At ~10% opacity you probably wouldn't be able to tell it's blurry from upscaling.
I wouldn't care, it'd be funny. I could userscript it away anyhow if I didn't want people shoulder-surfing me and noticing.
-
@anotherusername said in Discussion of NodeBB Updates:
I could userscript it away
Check your settings page for a secret box that was added months ago!
-
@ben_lubar can that put different styles on different PCs like my userscript can?
-
@ben_lubar said in Discussion of NodeBB Updates:
@anotherusername said in Discussion of NodeBB Updates:
I could userscript it away
Check your settings page for a secret box that was added months ago!
wait...... we have a custom Javascript box now too?!
COOOL!
/me runs to check.......
oh.....
-
@accalia said in Discussion of NodeBB Updates:
wait...... we have a custom Javascript box now too?!
Out that would be awesome!
-
@tsaukpaetra said in Discussion of NodeBB Updates:
@accalia said in Discussion of NodeBB Updates:
wait...... we have a custom Javascript box now too?!
Out that would be awesome!
That would be a great way to permanently fuck over users if there was ever an XSS bug.