An open letter to Philip Linden
|
Jesse Barnett
500,000 scoville units
Join date: 21 May 2006
Posts: 4,160
|
11-04-2007 10:04
Warning: this is not a question! A copy of this has been posted to the sldev mailing list and also the jira entry
"On 5/22/07 bbcode was turned off in the forums. The only reason given was that the forums were pending an upgrade. Since that time, no further explanations have been given.
Well, we know why bbcode was disabled. On Monday, January 31, 2005 a cross site scripting vulnerability was discovered in all versions of vBulletin prior to v3.06. The forums are using vBulletin v 3.05, so that for nearly a year and a half, we were vulnerable to someone stealing our authentication cookies. The exact same authentication used for our SL accounts. But even with an upgrade to a newer version of vBulletin we would still probably be vulnerable under the present login scheme. Historically bbcode has been a popular hacking target.
The new authentication API being worked on by LL will bypass any further security concerns with the use of bbcode. I can't see any reason why after its full implementation, the forums can't be upgraded to a newer version and bbcode reenabled.
But............................................
What I do not understand is why a complete and full explanation has never been given and why we end up with remarks like this in the jira entry concerning bbcode: https://jira.secondlife.com/browse/WEB-156
"Jeff Linden - 26/Oct/07 06:34 PM We have plans for upgrading the forums. Unfortunately, compared to some of our other priorities, it is frankly not as high. The reason why we haven't said anything is simply because despite Torley's constantly pinging, there isn't a lot of time to post updates or even investigate who should be posting updates. As far as I know, BBCode will remain disabled until we upgrade the forums."
Well, excuse my language but this is bullshit. Evidently to the lindens, the forums are nothing more than the old "General" or present "Resident Answers" sections.
I would suggest that ALL of the lindens scroll down the page to the content creation forums and start reading there. You will find that many residents have spent hundreds if not thousands of hours w/o any compensation creating applications for other residents to use and then many more hours helping noobs learn to use them. Then you have many other residents, some with full time successful businesses, who spend thousands of hours every year helping noobs by answering questions. After all of this time we have not asked for anything back, we do it so that others can learn scripting, texturing and building.
Well actually there is one thing we have asked and that is for bbcode to be reenabled and yet the official linden response is that "Sorry, we don't have 5 minutes to answer that question."
with utter contempt,
Jesse Barnett
1,103 posts answering questions"
_____________________
I (who is a she not a he) reserve the right to exercise selective comprehension of the OP's question at anytime. From: someone I am still around, just no longer here. See you across the aisle. Hope LL burns in hell for archiving this forum
|
Argent Asbrink
Registered User
Join date: 27 Jul 2007
Posts: 217
|
11-04-2007 10:09
/me claps.
And then drops the question that hopefully keeps the thread open...
WHY HASN'T BBCODE BEEN FIXED?
|
Raudf Fox
(ra-ow-th)
Join date: 25 Feb 2005
Posts: 5,119
|
11-04-2007 10:10
Seconded
_____________________
DiamonX Studios, the place of the Victorian Times series of gowns and dresses - Located at http://slurl.com/secondlife/Fushida/224/176
Want more attachment points for your avatar's wearing pleasure? Then please vote for
https://jira.secondlife.com/browse/VWR-1065?
|
Xplorer Cannoli
Cache Cleaner
Join date: 18 Sep 2005
Posts: 1,131
|
11-04-2007 10:18
I never did understand what problems this caused but I can see the bigger issue you bring up here in your letter. Good points.
_____________________
Region Names for a Themed Shopping Experience:
New Region: Gifts
Accessories, Art, Avatars, Cars, Clothes, Clothing, Fashion, Fashions, Furnishings, Furniture, Gadgets, Games, Gifts, Hair, Jewellery, Jewelry, Mall, Men, Money, Music, Pets, Shoes, Shopping, Skin, Skins, Something, Women, X
Attractions: Explore our new park at HOME New Racetrack at CAR WEAPONS Region Now Open!
|
Osgeld Barmy
Registered User
Join date: 22 Mar 2005
Posts: 3,336
|
11-04-2007 10:30
amen!
also the time they have wasted giving us bs tiptoe lipservice they could have upgraded 10x already
|
Sindy Tsure
Will script for shoes
Join date: 18 Sep 2006
Posts: 4,103
|
11-04-2007 10:58
/me votes.
Can anybody with vBulletin admin experience tell us if things like php tags, which seem to be just a font change, can be enabled/disabled separately or is it one big switch that turns all formatting features on & off?
|
Pale Spectre
Registered User
Join date: 2 Sep 2005
Posts: 586
|
Well Said
11-04-2007 11:13
Jesse 1. Linden 0.
/me has come to accept that Linden priorities have little to do with resident priorities.
|
Jessica Elytis
Goddess
Join date: 7 Oct 2005
Posts: 1,783
|
11-04-2007 11:29
Lindens have priorities? o.0
*checks the Tao of Linden*
That's NOT in the script!!!
*oh, and goes to vote on the JIRA entry* ~Jessy
_____________________
When your friend does something stupid: From: Aldo Stern Dude, you are a true and good friend, and I love you like the brother that my mom claims she never had, but you are in fact acting like a flaming douche on white toast with a side order of dickknob salsa..maybe you should reconsider this course of action and we go find something else to do.
|
Maggie McArdle
FIOS hates puppies
Join date: 8 May 2006
Posts: 2,855
|
11-04-2007 11:59
what?!!
good looking out..where do i vote?
_____________________
There's, uh, probably a lot of things you didn't know about lindens. Another, another interesting, uh, lindenism, uh, there are only three jobs available to a linden. The first is making shoes at night while, you know, while the old cobbler sleeps. You can bake cookies in a tree. But the third job, some call it, uh, "the show" or "the big dance," it's the profession that every linden aspires to.
|
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
|
11-04-2007 12:13
I read somewhere that this version of the software is so outdated that it would be an effort to upgrade, beyond either LL's interest or capabilities.
_____________________
Don't you ever try to look behind my eyes. You don't want to know what they have seen.
http://brenda-connolly.blogspot.com
|
Walker Moore
Fоrum Unregular
Join date: 14 May 2006
Posts: 1,458
|
11-04-2007 12:15
/signed
_____________________
It's only a forum, no one dies.
|
Steve Mahfouz
Ecstasy Realty
Join date: 1 Oct 2005
Posts: 1,373
|
11-04-2007 12:17
/already voted. How long would it take one person to upgrade the forum software ? A few hours ? Thanks in advance.
_____________________
http://slurl.com/secondlife/Ecstasy/128/129/31 Ecstasy: high quality residential living
|
ArchTx Edo
Mystic/Artist/Architect
Join date: 13 Feb 2005
Posts: 1,993
|
Vote Here!
11-04-2007 12:49
_____________________
 VRchitecture Model Homes at http://slurl.com/secondlife/Shona/60/220/30 http://www.slexchange.com/modules.php?name=Marketplace&MerchantID=2240 http://shop.onrez.com/Archtx_Edo
|
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
|
11-04-2007 14:15
From: Steve Mahfouz /already voted. How long would it take one person to upgrade the forum software ? A few hours ? Thanks in advance.
First, it would have to be in their TAO to do it
_____________________
Don't you ever try to look behind my eyes. You don't want to know what they have seen.
http://brenda-connolly.blogspot.com
|
Colette Meiji
Registered User
Join date: 25 Mar 2005
Posts: 15,556
|
11-04-2007 14:32
Well if the reason they haven't turned BBC code back on is to keep our passwords safe ..
Then I'm cool with that.
Dear LL, when are we going to get an account name that isn't public knowledge anyhow?
|
Nika Talaj
now you see her ...
Join date: 2 Jan 2007
Posts: 5,449
|
11-04-2007 14:40
Jesse, do you know when the new auth api is likely to be rolled out? (no, this is not a trick question, i have no idea). You are right, that would be a good time to raise the priority of this issue.
|
Jesse Barnett
500,000 scoville units
Join date: 21 May 2006
Posts: 4,160
|
11-04-2007 15:24
From: Nika Talaj Jesse, do you know when the new auth api is likely to be rolled out? (no, this is not a trick question, i have no idea). You are right, that would be a good time to raise the priority of this issue.
That has high priority and is being worked on now. Parts of it have already been implemented. But have absolutely no idea how long it will take to complete. When it is finished it will tie together the logins to jira, forums, our account pages and the viewer.
_____________________
I (who is a she not a he) reserve the right to exercise selective comprehension of the OP's question at anytime. From: someone I am still around, just no longer here. See you across the aisle. Hope LL burns in hell for archiving this forum
|
SuezanneC Baskerville
Forums Rock!
Join date: 22 Dec 2003
Posts: 14,229
|
11-04-2007 16:13
Sigh, when they get through with the improvements that tie the inworld login to the web login, I wager I won't be able to use the forums on one computer and run Second Life on the other like I have been doing for years. Not with the same account.
This is not based on evidence, just years of life experience that suggest that dismal predictions are more likely to come true than cheerful ones. Hey, maybe they'll make it where the web login page won't work with Opera!
_____________________
-
So long to these forums, the vBulletin forums that used to be at forums.secondlife.com. I will miss them.
I can be found on the web by searching for "SuezanneC Baskerville", or go to
http://www.google.com/profiles/suezanne
-
http://lindenlab.tribe.net/ created on 11/19/03.
Members: Ben, Catherine, Colin, Cory, Dan, Doug, Jim, Philip, Phoenix, Richard, Robin, and Ryan
-
|
Rioko Bamaisin
Unstable Princess
Join date: 16 Aug 2007
Posts: 4,668
|
11-04-2007 16:19
Vb is on version 3.6.8 now. There have been many many security flaws and then fixes since 3.05. So I think LL should be upgrading the software as well if they are truly worried about security.
|
Jesse Barnett
500,000 scoville units
Join date: 21 May 2006
Posts: 4,160
|
11-04-2007 16:23
From: SuezanneC Baskerville Sigh, when they get through with the improvements that tie the inworld login to the web login, I wager I won't be able to use the forums on one computer and run Second Life on the other like I have been doing for years. Not with the same account.
This is not based on evidence, just years of life experience that suggest that dismal predictions are more likely to come true than cheerful ones. Hey, maybe they'll make it where the web login page won't work with Opera!
Well, yes, the authentication api is a source of trepidation for a lot of us. With many unanswered questions such as being able to log into multiple accounts at the same time for debugging and testing.
And BTW, I know I stated it in a thread or two but couldn't find in jira where I gave you credit for the vBulletin security threat. Just so everyone knows, Suzanne spotted it before me.
And finally, talking about Opera, the beta version 9.5 is incredibly fast. Unfortunately it breaks the bbcode workaround. Wasn't able to correct it no matter what and it is a known problem with user.js scripts. Hopefully corrected before final release.
_____________________
I (who is a she not a he) reserve the right to exercise selective comprehension of the OP's question at anytime. From: someone I am still around, just no longer here. See you across the aisle. Hope LL burns in hell for archiving this forum
|
Sally Silvera
live music maniac
Join date: 17 Feb 2007
Posts: 2,325
|
11-04-2007 16:24
From: Jesse Barnett with utter contempt, Jesse Barnett
STAY AWAY!!!!! oh no .... wait........ that was another one.......... resident answer : good luck
|
Geeky Wunderle
What a GEEK!
Join date: 1 Dec 2006
Posts: 122
|
11-04-2007 16:33
From: Steve Mahfouz /already voted. How long would it take one person to upgrade the forum software ? A few hours ? Thanks in advance.
I run a few vBulletin forums and it is one of the easiest to upgrade forums out there, assuming that you have no custom code it's literally a few minutes. (Even on a forum this size) The issue however comes when you have heavily customised bits, which the forum does. Not being familiar with how they wrote their modifications I can not judge the difficulty in upgrading accurately, but if they have done it right, a few minutes, if they did it badly, many hours potentially.
Besides the obvious security fixes there are many wonderful things in newer versions of vB, assuming of course they would enable them.
_____________________
Nothing to see here, move along
|
Void Singer
Int vSelf = Sing(void);
Join date: 24 Sep 2005
Posts: 6,973
|
11-04-2007 19:40
as Collete mentioned, part of it is the exposed flaw inherent in tying our account PW to the forum...
as someone else mentioned, there are the security flaws in vBulletin, which makes the previous design flaw VERY risky, and parts of it are still applicable (thankfully not the account logon)
given those two, rather than update the forums, they're just waiting for Auth to be finished, and apply that... so rather than work at fixing what's here they're leaving it broken until they get their planned solution working
and all that sounds good, except how many times have we heard about updates to code planned but dumped for the next best thing that came along? Havok anyone?
_____________________
"Cat-Like Typing Detected"
This post may contain errors in logic, spelling, and grammar known to the SL populace to cause confusion
- Please Use PHP tags when posting scripts/code, Thanks.
- Can't See PHP or URL Tags Correctly? Check Out This Link...
|
Cocoanut Koala
Coco's Cottages
Join date: 7 Feb 2005
Posts: 7,903
|
11-04-2007 20:14
Well, I think it is worth even a number of hours, and could have been done 36 times over by now, if they had just done it.
"The reason why we haven't said anything is simply because despite Torley's constantly pinging, there isn't a lot of time to post updates or even investigate who should be posting updates."
That bothers me so much. What a . . . really insane way to run things! I'm just floored. Can't even spare the time to figure out who is supposed to post updates? How hard can it be to "investigate" who should be posting updates? What the heck? Do they have to send smoke signals to Siberia or something?
I mean, they are the ones who crippled the forums in the FIRST place, so somebody MUST know, and somebody is surely responsible for being able to post updates. I just don't buy any of that nonsense at all. If they can't even figure out who is supposed to post updates about it, that's a pretty fair indication to me that no one is concerned with it or working on it at ALL.
We can sit and post questions and speculate on answers and pose solutions till the end of time, but after all these months, it turns out the Lindens can't even devote enough time to figure out who is responsible for it in the first place! *Boggle* Am I missing something here? (I hate how often something in SL is so inexplicable that I have to keep posting, "Am I misunderstanding this?")
I imagine if they REALLY put their nose to the grindstone, they could make it their PRIORITY to, you know, holler over the cubicles (and they don't even HAVE cubicles; they're all in the same room!) and figure out which one of them is going to bother doing anything about this, or even so much as post an update. Some huge "investigation" that must be! I imagine they could have done that in less time than it took to write the post I quoted above, about how finding out who is supposed to handle this just isn't a "priority."
And if they really wanted to just go crazy, they could even make it their priority to spend a few minutes or a number of hours fixing the forums so their forums aren't stuck in the DARK AGES; so that people can flipping underline or bold something; so that people can actually put a forum signature that LOOKS halfway decent; and so that people could actually post a SCRIPT in the scripting forums.
You know, it's kind of the same pattern as that of a classic procrastinator, one who is really debilitated by procrastination (though I have never seen this pattern permeate an entire organization):
a. The longer severe procrastinators put a thing off, the less able to actually do it they become.
b. Whatever task has been put off starts to seem 100 times more onerous than it really is, and therefore becomes even less likely to be done.
c. The procrastinators will spend more time rationalizing why they can't get around to doing something than it would have taken to just go ahead and do it.
coco
|
Yuukie Onmura
Jigoku Shoujo
Join date: 3 Jan 2007
Posts: 145
|
11-05-2007 01:15
From: SuezanneC Baskerville This is not based on evidence, just years of life experience that suggest that dismal predictions are more likely to come true than cheerful ones. Hey, maybe they'll make it where the web login page won't work with Opera!
nah. more likely that they make some weird shit that _only_ works with internet explorer. good bye mac users, good bye linux users, good bye windows users who know what they're doing.
|