kbasa
Well-known member
I've tried asking this question elsewhere and got roundly dissed and blown off by OM, so I'm escalating this for visibility. He's not willing to provide an answer, so I'm hopeful that someone will deal squarely with me and answer my inquiries.
v6, their current version, is what we want, not 5. 5 was introduced in 2013 and got sunsetted last month.
Moreover, please don't dismiss me; it's insulting and unprofessional. I'm going to keep bringing it up because I'm not getting responses to my question other than "we'll get right on that", delivered with sarcasm by Henzilla when I asked about updates, or the dismissive response you just served up. If you are not willing to respond to the membership's questions, maybe being part of club leadership isn't for you. You, as part of leadership, are accountable to the membership and it is expected that you will deal earnestly with member questions and comments. This post does not meet that standard of respect and obligation to the membership in my opinion. As I was regularly reminded while serving the club "officers work for the members, not the other way around".
I started by wondering why we don't have a like button, but some investigation reveals that we are not on the most secure version of our forum software. It's almost 7 years since the v4.2.5 version was discontinued by vB. For those not following along, that means that we likely haven't had a security patch since then, at the most recent. Would you trust your bank to be sitting on security they put in place back then?
I'm a club member and an IT professional. IT security means keeping software up to date, and applying all patches should be our standard process. We are on a version that was EOL'd in 2017. Is that good IT hygiene? No. It is not. Is there a two-factor authentication option to protect my credentials and prevent them from being poached? No, there is not. Do we have Okta integration like other forums I'm on? No, we don't.
If there were a breach, those gaps will be what torpedoes us and exposes us to highly avoidable lawsuits. We have not done due diligence to protect member data, as far as I can see, so we will be found responsible in any legal action resulting from a data breach or loss. I hope I'm wrong, but I believe that I am not, having seen our scenario play out for the worse with some of my clients. If you wind up in court and the plaintiff points out that the organization is using a software product that's ten years out of date and has known security gaps, we will be held responsible for the members' loss of privacy. It will not be cheap when plaintiffs demonstrate that we knew we were using old software and didn't remediate an obvious risk vector.
My largest concern is that 4.x is vulnerable to code injection, which means that folks can gain direct access to the data tables on vB, among other items, including user credentialing and PII. I have supported other SQL-based, web-enabled products that have been subject to this potential exploit, but not in almost ten years because everyone has shut the door on that type of hack. Do we want to get ransomwared? Because this is how we get ransomwared. Do we want to expose our membership to identity theft? Because this is how we do that, too.
I work for a company that responds to data breaches and you do not want to expose this organization to even the tactical cost of remediating this kind of event, much less the litigation exposure. Every document or record potentially exposed is typically analyzed for PII manually, by a room full of lawyers, and those who've had their PII exposed get a notice that this has occurred. Is that financial and reputational risk something we should be exposing this organization to?
Do we have the money to buy every member a year's membership in LifeLock once their data is breached? I expect that we do not have the financial wherewithal to do that if we have a breach and it may destroy the club if we're not insured for such an occurrence. Civil litigation from data breaches is a real thing. I work in that sphere where IT and the law intersect.
So. Can I please get a responsive and informative answer to my question? I'm not violating any forum rules and have been unfailingly polite. I expect an answer in kind.
Here it is again: Why haven't we updated our forum software?
Feel free to escalate to one of the admins, presuming you're a mod, or someone on the BoD, if appropriate, and I'm happy to have a conversation via PMs if that's helpful. As a paying member, I believe I have a right to a full and accurate answer to my query.
We have a fiduciary responsibility to proactively protect the data our members entrust us with. I think that as part of that trust obligation, it's fair to ask questions about how we treat, manage and protect member data. Not getting a response feels like you're not responding in good faith to a straightforward and important question.
I will keep asking about this until we are provided a coherent, clear answer to why we are so far behind on updates. I apologize if that feels antagonistic, but blowing me off really pisses me off when I ask an honest, good faith question. I should, at minimum, be able to expect a response in kind. I've sat in the Big Seat and it was my duty and obligation to respond in good faith to questions from the membership.
Thank you.
Dave
Dave Swider
teamkbasa@comcast.net
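The injection risk the post above raises (query text assembled from user input, so a crafted value reaches the database as SQL) comes down to one coding pattern. The following is an added illustration, not code from the thread or from vBulletin; it uses Python's standard sqlite3 module as a stand-in for a PHP forum's MySQL layer, with a constructed three-row `user` table that is not vBulletin's real schema. It shows the concatenated query beside the parameterized one and runs the same input through both, so the difference in returned rows is visible.

```python
import sqlite3

# Constructed sample table standing in for a forum's user table (not vBulletin's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO user(username, email) VALUES (?, ?)",
        [("alice", "alice@example.org"),
         ("bob", "bob@example.org"),
         ("carol", "carol@example.org")],
    )
    return conn

def lookup_vulnerable(conn, username):
    # Query built by string concatenation: the value is parsed as part of the SQL text,
    # which is the pattern that made older web applications injectable.
    sql = "SELECT username, email FROM user WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # Parameter binding: the driver passes the value separately from the SQL text,
    # so the database never interprets it as query syntax.
    return conn.execute(
        "SELECT username, email FROM user WHERE username = ?", (username,)
    ).fetchall()

# Constructed input that closes the quoted string and appends an always-true clause.
# Used here only to show why the two lookups behave differently.
PROBE = "x' OR '1'='1"

def demo():
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PROBE),      # returns every row
        "parameterized": lookup_parameterized(conn, PROBE),  # returns no rows
        "legit": lookup_parameterized(conn, "bob"),       # normal lookup still works
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

The parameterized form is what current forum releases and database drivers use; the point for a defender is that an application stuck on a version that predates that fix in its own code cannot be made safe by configuration alone, only by upgrading or patching the code that builds the queries.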
vBulletin 5 is most likely not the answer - https://www.theadminzone.com/threads/why-do-people-still-hate-vbulletin-5.154064/
No real need to keep bringing it up.
OM