Right, this thread is for telling folk that the 'proper' ILX is down again, so if you see this above the "ILX is back up" thread it means ILX is back down

Pash, Stet and KeefW in particular are dedicated to providing -- as has been noted, on a strictly *volunteer* basis -- the best possible home for ILX at the present time. They coordinated the effort, they have shown a hell of a lot of energy and good judgment in general, and they do want make sure that ILX runs efficiently and securely. No offense but you might want to cut *THEM* slack first.

-- jw (jo...), February 11th, 2007.

Uh, that is not Chicago Sarah.

This thread is about QA, right?

As Ned says, a helpful person would send an email going "look, here is a loophole I have found, do you want to fix it" rather than fucking shit up for everyone else and claiming that somehow that was a better way of drawing said loophole to the attention of Keith, Stet and Pashmina, if he's really doing this for the collective good of ILX.

I mean, everyone acts as though he's destroyed ILX. FFS, he just hacked into the database and banned/elected himself mod. That's quickly solved, no?

Excuse me, I'm going to go find a wall to bang my head against.

Oh, that small matter of TOTAL POTENTIAL TO FUCK SHIT UP? That's all right then. Hurrah for Jon! Boo to over-reacting coders/admins!

Everybody:

Jon found a security hole in ILX that lets him get access to the database. Full access, so he can give himself mod privs, delete posts, threads, boards, the whole site.

He didn't tell Keith or me how he did it, he just took advantage of it. Keith and I are the only people with access to the server right now. We both have full-time jobs. The old ILX code running depends on people not trying to break it, or hack in.

If Jon is going to hack the boards by finding holes -- of which there are many -- we can't leave them up without doing a lot more admin work to try and stop him. On top of which, the new host's backup system hasn't been set up yet, so we have no backups right now.

We're going to move to the new secure code. It's not quite ready, it hasn't had all the features fleshed out, but it lets you post and is largely secure.

-- stet (bonald...), February 11th, 2007. (later)

(someone please randomly ban nathalie for experimental purposes)

The principle is that you don't ban people because you don't like them. Which, yeah, isn't a Fundamental Human Right or anything, and obviously jon comes from the noise board where that principle doesn't hold at all. But that's part of why he doesn't have site-wide powers, and why people are anxious about him giving himself them.

Nath, can I repeat something I JUST FREAKIN' POSTED FROM STET'S EARLIER COMMENT:

The old ILX code running depends on people not trying to break it, or hack in.

If Jon is going to hack the boards by finding holes -- of which there are many -- we can't leave them up without doing a lot more admin work to try and stop him.

In otherwards, could you please allow for the fact that, perhaps, the mods maybe possibly kinda knew that there were problems with the code as it stands?

also, we must all remember that this is just ILx. Not terribly huge and important in the great scheme of life. (as opposed to our feet.)

I don't know how many other ways there are for people to say this.

And the first time he did this, people took his intentions into account and said "thanks, but don't do it that way". But this isn't the first time he's done this kind of shit, or even the tenth.

mmm, yes, because NONE of us knew that, did we?

come on: this code is held together with chewing gum and string. that's why it's being recoded, FFS! which jon knows, as does everyone else: what the fuck is the point of "pointing out" security holes in something that's about to be canned anyway?

i can't believe anyone's buying this "it was for the public good" line. it was to noise people up (pun vaguely intended), as is so often the case with jon's little escapades. in which case:

I just mean: cut him some slack

no. don't get me wrong: i like jon some/most of the time, and enjoy his posts. but every so often he seems to have this compulsion to stick his dick into ILX, which only serves to fuck it up for everyone else. why doesn't he cut the board some slack?

Yeah, and why I'm saying it's all very well going, "oh it's just Kate, she's a bit loopy and annoying haha", but I imagine it being someone other than Kate may lead the likes of Nathalie (in fact,it is just nathalie, isn't it?) to taking this a bit more seriously.

In case you were suggesting I didn't know what a principle was. If it wasn't me you were getting at, ignore me.

Entirely true. Those who have made it part of their lives on a regular basis via site maintenance, coding, etc., however, have an understandable interest in database and hacking concerns that I think is being ignored or misunderstood by a number of those who haven't. And that's a damn shame. Nobody's looking for hosannas to boost our collective ego, but exactly what is so surprising to you about moderator worries about this situation?

Also, those who have made it part of their lives on a regular basis by READING and CONTRIBUTING (that aren't morons).

Though this is going to end with RJG turning up and telling everyone to let go, isn't it?

Well, duh, but he'd've had no reason to ban those people. Okay, maybe Ally...but not the others! Point being: there are a number of people on the boards behaving badly in various ways and NO ONE IS DOING ANYTHING ABOUT THEM. Like, not even really standing up to them and saying "Your behavior sucks. Please stop or don't be my/our friend/s." Jon is arguably one of them, everyone's perspective on this will differ. But the lovely virtues of tolerance and politeness and cultivating NICENESS in the world are running up against the fact that plenty of people are oblivious or unconcerned about tactful silences and the gentle pressure of suggestion. It's occasionally helpful to have people around who don't mind rocking the boat, as much of a pain in the ass as they inevitably are.

I'm still waiting for Jon to explain how this is different.

This is a fully legitimate but still separate concern from the hacking question. Conflating the two issues is doing nobody any favors here.

(also, Kate doesn't even know about any of this, so it hasn't exactly worked)

Yeah, but it's not much of a principle if you have to go "imagine if it was someone who counts" (er, not that Kate doesn't count). The principle is that it matters more if it's someone unpopular (I'd make an analogy to legal representation for terrorists, but I want to be able to turn up to Nu-Shimura Curves gigs without wearing a disguise).

And I think Nathalie acknowledges that it was wrong, but doesn't think it's important - it's Laurel that's going "Go go gadget-Jon!"

Furthermore, from what the mods and Jon have both said: the mods are not aware of the exploit that Jon used, and it is an exploit that would seem to allow him to use the boards *as any user* - he certainly said he could carry out mod actions and have it recorded that another mod had done them.

As people upthread have said: if you find a hole like that, the ethical thing to do is inform the people responsible. If they ignore you, you're then free to tell people about it. Actually *using* the hole is not ethical.