How far is it appropriate to go in describing a WTF?

  • SockDev

    I have a case that would be classic for TDWTF regulars to dismantle. Trouble is, to understand just how much of a WTF it is, it pretty much requires naming and shaming, as well as providing details that aren't public knowledge and potentially has serious consequences for all concerned (not least me for disclosing them)

    And I know there's all the anonymising that goes on but frankly it's just not enough in this case because to understand the WTF you pretty much have to know who it is. Even if I didn't outright name the company, it really wouldn't be hard to find it out pretty darn quickly.

    So I don't know what to do, because I want to share - because I know you lovely people would have a field day with it.

  • Post it here and we'll tell you whether there's any risk.

  • SockDev

    Oh, trust me, there's risk. We're talking about a company that provides a specific class of product, for which certain good practices are required but then fails to carry out those practices itself, and when called on its BS, goes mysteriously quiet, while leaving possibly libellous claims blaming a 3rd party vendor for their own mistakes.

    Were I to divulge details, and the details got into the wider consciousness, this would be a bad thing for that company, and some people might also consider it a seriously unethical breach of trust on my part because I'm privy to the inner details of how much WTF there is.

  • Private message everyone!

  • SockDev

    It is extremely tempting, especially as this is a product I'm sure everywhere here will have heard of, and I would like to hope many of you would already have learned to not trust it...

    I hate being cagey. I much prefer being open and blunt about such things. We are, after all, talking about a well known security software vendor.

  • As a bonus, you could send messages with different details so that if the story comes out you know who spilled the beans.

    Thank you Kim Kardashian.

    Filed under: things you didn't expect to hear today.

  • SockDev

    wait, what?

  • Looks like Kim Kardashian just lost a close friend.

    The new mom recently conducted a little experiment by sending a few fake baby photos to different friends she feared would sell the pics to the tabloids.

    Sure enough, one pal in question brought a photo to TMZ. And then another so-called friend tried to sell a different picture.

    TMZ says " Our K & K sources have seen the pic and claim it's not the real deal."

    Here's a possible alternative to this story  —  The photo is actually North West but Kardashian can't admit it because she would lose a lucrative deal with a weekly celebrity magazine (that she probably already has set up) to debut her newborn bundle of joy.

    Either way, Kardashian is a master press manipulator and we hope this storyline makes it onto the show so we get to find out who the culprit is.

    Page I'm quoting

    Filed under: two line breaks will end a blockquote, seriously??

  • SockDev

    It was more a WTF-level reaction to 'something Kim Kardashian is good for?' that you'd want to thank her for...

    I thought about it but honestly the level of WTFery involved means I don't know why I'm defending the company in question.

    So, we're talking about a security software vendor that was owned through a piece of third party software on their website. And it's apparently the third party software's fault.

    A number of claims have been made, ranging from the not-infeasible through to the absurd and all of them were shot down, decisively and completely. Even down to the 'we caught them straight away'... no, they got in 6 months ago and you never noticed them until they tried to get back out again with the goodies of your forum's member details.

  • @Arantor said:

    Were I to divulge details, and the details got into the wider consciousness, this would be a bad thing for that company, and some people might also consider it a seriously unethical breach of trust on my part because I'm privy to the inner details of how much WTF there is.

    So, erm, why are you bringing this thread up just to annoy us with ITS A SEEEEKRET?

  • Discourse touched me in a no-no place

    Some people like attention from Internet Strangers.

  • SockDev

    Because it's not all a secret. Some of it is public. I'm just trying to figure out where the boundaries are between what I can tell you, what is necessary to make the point of how many WTFs there are and so on.

    But I think we're at the stage where I will kick off with the public statement by the third party vendor:

    So, that's the situation. Avast was using SMF as their forum software, and their installation got hacked. And while SMF has some WTFs in it, the RWTF is how insecure the installation was left. The whole "OSS is the WTF", "PHP is TRWTF" stuff is irrelevant here.

    Let me sum up the WTFery in that link. This is still not all of it.

    WTF 1: SMF lets you upload bundles of things containing real live PHP code, both as add-ons and as themes, as well as letting you configure theme PHP code directly. (But in some small modicum of defence, this is for 'customisability' and is something I have been very vocal about for years in trying to get them to change... but it is very quick and dirty for people wanting to do changes to their site)

    WTF 2: Avast publicly declared the fault was a remote code exploit in SMF before any investigation had taken place, while asking people not to jump to conclusions.

    WTF 3: WTF 1 is completely mitigated if you leave the files read only on the server. Guess what did not happen. Avast even admit this to be the case.

    WTF 4: Not noticing the file modification time had unexpectedly changed... but not doing anything about it for months.

    WTF 5: Claiming that a given release of software fixed a vulnerability but the changelog didn't detail this was the case and so chose not to install that particular release

    WTF 6: Not actually vetting said update themselves to see if it is the case (SMF 2.0.7 was advertised as a non security update, primarily for PHP 5.5 compatibility but that it would still work - the only real changes were minor bug fixes and dealing with PHP deprecating the /e function in preg_replace)

    WTF 7: Reusing an admin password from another site.

    WTF 8: Only noticing an intrusion when the intruder did something to draw attention to themselves.

    WTF 9: Not keeping several months' worth of access logs.

    Remember: this is a security company. You'd think they'd know better. Oh, and there's so much more to this that I can't divulge as much as I'd like to, because I've seen the files and seen the interesting things that have happened.

  • WTF 10: Half-assed updates and local modifications to code.

    1- Avast claims to have been running SMF v2.0.6. We know of NO vulnerabilities in v2.0.6, and none have been reported to us.
    1a- The site image taken by Google shortly before the hack indicates a copyright of 2012 on their SMF installation. This suggests to us that they are not being fully honest with their statement, since the last version of SMF to use a 2012 copyright date was 2.0.3.
    (correction added: 2.0.3 used (c)2011. 2.0.4 used (c)2013 - since Avast clearly shows (c)2012, we can confidently state that they were not applying the full SMF approved patches from version to version and that whatever they were doing to patch their system was done by them, possibly manually)
    1b- We know that the Avast installation was not a default installation and that some personal modifications had been made to their installation.

  • SockDev

    Let me add more context to that.

    Firstly, SMF stores the copyright mess including the year in the language strings. Specifically in the one that every language has, known as 'index' (e.g. index.english.php) and the year is stored bare. Or it was until the in-development 2.1 version where I fixed it to not be stupid.

    Anyway. The master language files appear to have been updated yearly to include that - but the patch files don't. The patch files, I'll note, are distributed as the same format as the bundle of code nuggets. In other words: like actual patch files. Find/replace of code. All delineated in fun and excitingly awkward XML. (I only wish I were kidding. I am not.)

    Because of these two things, the patch files don't normally change the language entries, seeing how it would require changing 80-odd files (40+ supported languages, in both ISO- and UTF-8-encoded versions), so it's not totally impossible that a 2012 copyright would be shown, but it would be unusual.

    At the point of that (prior) post you mention, an investigation had not taken place. The SMF team had not seen the code and were speculating on things. But they must have modified the code somewhere because they weren't showing the version number in the footer, which is not stored in the language string but injected from elsewhere (which is a minor WTF in itself: why is the version but not the year injected? Again, that one I got to fix)

    There are some very interesting modifications they made to the code but nothing that contributed to this particular WTF. I wouldn't describe their updates as half-assed, because it was running all the security fixes in everything up to 2.0.6. But it's not stock. And it's certainly interesting, with all the engineering definition of the word.

  • My suggestion would have been to send it to Erik Gern for anonymization.

  • SockDev

    I thought about it but I didn't want to subject the community to a week's worth of terribad articles that hide just how much WTF really is here.

  • SockDev

    Oh wow. Avast has reopened their forum... running SMF after swearing blind they were going to change forum software to 'something more secure'.

Log in to reply

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.