To All Members

[Kazoo]

XS is faced with a decision tonight. Something which not only effects all members, but effects the very heart and soul of the forum. The decision we face must be decided by all.

XtremeSystems has long been an open forum. We promote the best of the web, sharing information, ideas, tips and comaradie around the world with others who share our interests in overclocking, folding, cooling, and good hard debate. We are, and always have been, innovators, inventors, dreamers, movers and shakers in the community we all love. We are a forum without boundaries, having members from every continent in the world.

In the last year, we've added nearly 10,000 new members from everywhere around the globe. We had great success in reaching many goals. 7.2GHz, setting new ORB records, the ATI Lan Event bringing together Macci, and Oppainter, and Fugger as well as PC Ice and Chilly. Our folding team has faced the loss of DF Folding, only to come back stronger with D2oL. In cooling we've been the leaders in setting wr's for cooling. We were hacked and survived to come back bigger, and better and stronger.

That is not just my vision of XS, that is who we are.

But I digress. Six days ago a member posted malicious code on the forum. A tiny little blip that crashed I.E. at one of our busiest times, in at least one of our busiest threads.

He was banned yesterday. After he was banned, I spoke with him on AIM. He admitted he had posted the code, and thought it was pretty funny. He admitted he had already created a new user account using a proxy and that he could have posted something far more vicious. Below, you will find the conversation we had.

After our conversation, I contacted an administrator of the site he calls home, with a copy of our AIM message. That admin graciously replied that he would take care of the issue. I sent a message to all members to make sure all IE patches were installed, and then I sent the IM to Fugger and we notified the proper authorities, and other site Admins.

I assumed that was the end of it.

Tonight, a user sent me a link to a thread on XR. I have to admit, I was taken aback to see what had been posted, and contacted an assistant administrator of the site to show him the thread, assuming he would remove it. I assumed incorrectly. Instead, he choose to blame me for not having the proper "security" and insulted me with foundless accusations to my integrity.

So I had to think about it.

What I realized was that the security we have created on site is based on the very core of our belief of what XS is. . .

Free.

Which brings me to the decision we must all make. Do we need to turn off html on the site? If we do this for our security, links will no longer work. Custom sigs like Jeff created for D2oL will cease to exist. Links that exist now will be broken, and any future freedoms we have in that area will disappear. This saddens me, because I see our freedom being stripped away as a personal insult.

But I will leave the choice to you, our members, to decide the risk. Please vote in the poll I created for this purpose. And read below for yourself my conversation with Boshi:

XtremeKazoo (6:53:56 PM): so you've been permanently banned from XS
blue boshi (6:54:08 PM): yeah
blue boshi (6:54:27 PM): didnt get an explanation or warning though
XtremeKazoo (6:54:37 PM): for posting bad code
XtremeKazoo (6:54:44 PM): that crashed IE browser
blue boshi (6:54:51 PM): did you see the code?
XtremeKazoo (6:55:03 PM): no, but I know what it is
XtremeKazoo (6:55:23 PM): and it remains invisible as soon as you post it
blue boshi (6:55:40 PM): isnt it odd that IE can be crashed by html code?
XtremeKazoo (6:56:00 PM): yep, but it's a known MS thing
blue boshi (6:56:24 PM): a known MS thing?
XtremeKazoo (6:56:31 PM): Microsoft thing
blue boshi (6:56:31 PM): I created that damn code three years ago
blue boshi (6:56:45 PM): and sent it to microsoft and securityfocus
XtremeKazoo (6:56:56 PM): so why post it on XS?
blue boshi (6:57:06 PM): for s and giggles
blue boshi (6:57:12 PM): took you guys 4 days to figure it out
XtremeKazoo (6:57:26 PM): I didn't crash, so didn't know there was a problem.
XtremeKazoo (6:57:38 PM): pretty immature tho...and a permaban. That's sad.
blue boshi (6:57:52 PM): lol
XtremeKazoo (6:57:58 PM): got a lot of good things happening there.
XtremeKazoo (6:58:11 PM): and more good coming
blue boshi (6:58:22 PM): too bad all my posts got deleted
XtremeKazoo (6:58:28 PM): there not deleted
blue boshi (6:58:33 PM): no?
XtremeKazoo (6:58:36 PM): nope
blue boshi (6:58:42 PM): why arent they visible then?
XtremeKazoo (6:58:51 PM): admin priviledges
blue boshi (6:58:55 PM): ah
XtremeKazoo (6:59:22 PM): hope it was worth it for you and whatever
blue boshi (6:59:31 PM): well
blue boshi (6:59:41 PM): I really just got to XR
blue boshi (6:59:57 PM): I saw through the theft about 5 months ago and stopped going to XS regularly
blue boshi (7:00:21 PM): I thought it was weird that almost all the old mods and admins had been deleted
XtremeKazoo (7:00:35 PM): like I said, I hope it was worth it.
blue boshi (7:00:41 PM): it really was
blue boshi (7:00:45 PM): especially
blue boshi (7:00:51 PM): since there are worse pieces of code
blue boshi (7:00:53 PM): out there
blue boshi (7:01:04 PM): and you guys still have html turned on
blue boshi (7:01:18 PM): there are ones that format your hard drive, I didnt post any though
blue boshi (7:01:36 PM): I'm not a mean person
blue boshi (7:01:54 PM): I wouldnt do that to the members, crashing IE is funny, but not destructive
XtremeKazoo (7:05:24 PM): so, then you don't mind if I post this IM on the forum?
blue boshi (7:05:55 PM): sure
blue boshi (7:06:05 PM): make sure you put the part about the theft of XS
blue boshi (7:06:10 PM): oh wait
blue boshi (7:06:15 PM): fugger will delete that part
XtremeKazoo (7:06:59 PM): no, as XS was never stolen. But I've given up trying to convince people that fairy tale isn't real.
XtremeKazoo (7:07:34 PM): People will believe what they will.
blue boshi (7:08:02 PM): of course
blue boshi (7:08:06 PM): its like religion
XtremeKazoo (7:08:11 PM): exactly
blue boshi (7:09:07 PM): so what did happen that makes a large number of people think that?
blue boshi (7:09:24 PM): there is a kernel of truth in every fairy tale, though it may be horribly distorted
XtremeKazoo (7:09:50 PM): Yeah, the truth part is they were all mods at one time. After that, the rest is fiction.
blue boshi (7:10:31 PM): so why is fugger user # 70?
blue boshi (7:10:38 PM): were 1-69 test accounts?
XtremeKazoo (7:10:49 PM): lol
blue boshi (7:11:04 PM): why is his join date way after the creation of the forum?
XtremeKazoo (7:12:35 PM): like I said, I'm not here to convice you of anything, nothing I say is going to change an already made up mind. XS belongs to Fugger and Chilly. XR belongs to whoever. I am glad they are making a success of it, and so are we. Most of those former members still visit, and it's been amicable for quite some time.
blue boshi (7:13:15 PM): but what happened to the people who started XS?
blue boshi (7:13:21 PM): did they decide to leave?
blue boshi (7:13:27 PM): did they sell the forum to fugger?
blue boshi (7:13:43 PM): did they die in a horrible blimp accident over the rose bowl?
XtremeKazoo (7:13:46 PM): maybe you should ask Fugger these questions.
XtremeKazoo (7:14:00 PM): Maybe you should have asked a long time ago.
blue boshi (7:14:10 PM): does he use aim?
XtremeKazoo (7:14:15 PM): nope
blue boshi (7:15:30 PM): I guess i'll have to go with the blimp accident scenario
XtremeKazoo (7:15:49 PM): makes sense, it goes along with the rest of the fairy tale.
XtremeKazoo (7:18:28 PM): FWIW, those early users of the site and started it threw it away, Chris gave up, didn't want it anymore. Fugger pulled it out of the trash and he and the guys from Icronic could continue to post and communicate using XS. To this end he built the server, and other parts that were donated, and put up a wireless server
XtremeKazoo (7:18:55 PM): at his office in LV. Then there was a meeting between Frank, Fugger, Opp and Chris.
XtremeKazoo (7:19:05 PM): Where Chris gave control over to Fugger and Frank.
XtremeKazoo (7:19:16 PM): Frank took the front page, and Fugger took the domain.
XtremeKazoo (7:19:53 PM): Everything was all hunky dory, until Frank conspired with a number of others to cut Fugger out.
XtremeKazoo (7:20:19 PM): Using less then reputable means.
XtremeKazoo (7:21:22 PM): All of this, is 100% provable. And we have all the evidence, and hold all the cards. Fugger owns the domain, the trademark, and the copyright, and has had all but the trademark, since shortly after that meeting.
XtremeKazoo (7:21:56 PM): All of the proof is on servers we don't control, namely XR and OC Forums.
XtremeKazoo (7:22:14 PM): We do have full copies of everything.
blue boshi (7:23:58 PM): hmm
blue boshi (7:24:10 PM): so you claim that the people who ran it before he took over didnt want it?
XtremeKazoo (7:24:29 PM): I don't claim it, thats what we have proof of.
XtremeKazoo (7:24:57 PM): Chris was running it on a free server, and had too many headaches and personal issues. He didn't want it any longer.
XtremeKazoo (7:26:28 PM): Boshi, many people were lied to and duped. Some knowingly helped perpetrate bad things.
blue boshi (7:26:47 PM): thats no kidding
XtremeKazoo (7:27:44 PM): You believe Fugger is the perpetrator. He was not. His only fault lied in being too trusting.
blue boshi (7:28:04 PM): ah
blue boshi (7:28:05 PM): I see now
blue boshi (7:28:43 PM): I'm sorry, is it possible to have my permaban turned into a one week or month ban instead?
XtremeKazoo (7:28:51 PM): no
blue boshi (7:29:06 PM): :-(
blue boshi (7:29:26 PM): no animals were harmed in the making of that code
XtremeKazoo (7:29:36 PM): lol good
XtremeKazoo (7:30:01 PM): I really wish you the best and hope you find everything you are looking for.
XtremeKazoo (7:30:13 PM): You're amusing. I like that in a person.
blue boshi (7:30:20 PM): like a duplicate account and a proxy server in denmark?
blue boshi (7:30:27 PM): I've already got one of those
blue boshi (7:30:37 PM): its really impossible to keep people off of forums
blue boshi (7:30:55 PM): you just reset their post counts when you ban them
XtremeKazoo (7:31:18 PM): don't boshi, in the end you will only hurt yourself. Forget XS, it's now in your past.
blue boshi (7:31:28 PM): lol
blue boshi (7:31:34 PM): good one
XtremeKazoo (7:34:57 PM): good luck to you dude...bye
blue boshi (7:35:04 PM): you too fella

[=[PULSAR]=]

Is there really a point in having HTML enabled? I think we have done just fine without it

[sr4470]

[chilly1]

Is there really a point in having HTML enabled? I think we have done just fine without it

Html has always been enabled here

[Charles Wirth]

Thanks 9mm. confirming what I was told.

lets give it a try.

[Dissolved]

Is there really a point in having HTML enabled? I think we have done just fine without it

if HTML is disable, then say goodbye to ALL Picture Sigs.


im the first to Vote yes..

Why?

Cuz its more secure, and safe. We allready have people from other forums trying to "hack" or "crack" or just otherwise mess with our forum. Disableing HTML will help Alot.

Bye bye Picture Sigs tho :-\

[bachus_anonym]

No, keep it ON...
We just need to make sure that everyone has their OS updated with all critical IE updates. Is it that difficult?

[sr4470]

We just need to make sure that everyone has their OS updated with all critical IE updates.

I use Mozilla so I dont have this problem

[bachus_anonym]

To be honest, I stopped using IE some time ago, too... Opera and Firefox, that's what I got But still, a lot of ppl are still using IE.

[Charles Wirth]

Boshi please contact me via email charles@pictographics.net so we can discuss this more.

[sjohnson]

I was the second to vote Yes - too many sites get hacked, why keep known vulnerabilities in the forums? Protecting against "unknown" vulnerabilities is hard enough.

[Dissolved]

To be honest, I stopped using IE some time ago, too... Opera and Firefox, that's what I got But still, a lot of ppl are still using IE.

Well with IE and FFOX thats like telling people to use linux cuz windows isn't Safe. Yea, Os's are different but its the same idea.

Not many people can use FFOX, people @ work & such..

But yea, its up to the admins.. but it html posses such a threat against XS and its users then it should be removed. I dont study programming, hell i cant spell half the time, so i wouldn't know how safe leaveing HTML on is. but alot of forums dont use it.

[conrad.maranan]

I voted to keep HTML off. What would you rather have? Pretty pictures and fancy sigs, or data that maintains its integrity and security? Keep in mind that the value of this forum lies not only in the contributing members, but also in the information that we share.

EDIT: I just realized that this was not a server-side attack, therfore the integrity of the data contained within was not vulnerable to the malicious code. I supoose you can leave the HTML on if no harm is presented to XS' server(s). I feel that it's up to users to keep their own personal systems up-to-date with the latest security patches.

[Minnyboy]

I voted no to this but I have a few things to say.

I turn "automatic updates" off with my XP as I don't want SP2 as yet. Every start & end of the month I go out & apply patches for XP. It would be a tad annoying if I had to look for updates when I want to browse THE "BEST" FORUM out there (only MY OPINION - I'm hoping others out there think the same)...

The sad thing is, I can see it from the other point of view & would want the site to be more secure. It gets frustrating relying on trust when you have pranksters/idiots out there. Some ppl just don't learn...

If it must be then it must be. I'll just get FireFox up & running & I don't really have any proplems with sigs & stuff.

Maybe a trial run would be alright, just to let ppl know there's a more secure alternative.

It was darn annoying having IE carsh on me evry time I wanted to view the "ATI OCing PICS" thread as well the "Fugger, OPP, Macci" thread crashing all the time.

I rode through the storm & although I know most of the storyline (sounds funny huh??) I don't let it get to my head & start annoying others because I become persuaded by others.

I come to this forum to post my thoughts regarding this & that in my PC adventures & try to help out here & there.

But the most IMPORTANT thing is: I come for the forums & do not let the underlying politics get in the way... You should go into Politics if you want that.

I'm blabbering aren't I??

In the end, I just want the forums to remain & not let it be brought down by IDIOTS/Pranksters & just pure Imbociles (I hope I spelt that right)...

What needs to be done should be done. I'm all for it as I want a reliable forum to go to...

Cheers,
Minnyboy

[sjohnson]

The thing is, I run a system using Win2k with ALL Windows updates, plus some hotfixes and the page(s) in question would still crash IE. So, maintaining current patches wouldn't have helped in the case that precipitated this discussion.

A site needs to maintain security. The HTML in question wasn't server-side but server-side HTML attacks DO exist. Does XS want/need that kind of soft underbelly?

[Kazoo]

we'll test this tonight

[Poki]

I know in some BB's you have an option in the user CP to disable HTML... Would it be possible to have this option with vBulletin? Is there a mod to enable this?
If there isn't i would still like to leave it enabled as most anyone should be able to maintain a browser that's patched against most know vunerabilities.

[Disposibleteen]

its off right now, i already dont like it, all of the D2OL sigs that ps2_pc_gamer worked so hard on arent showing up. He worked so hard on these sigs and i think we should be able to use them around here. If it absolutely cannot be avoided though it wouldnt kill us to turn it off. It would just be alot nicer to keep it on. Things like this really make me mad, why would someone want to hurt something as good as XS?

[chilly1]

Ben Franklin said it best "Anyone who is willing to give up any of their rights or privilages for a margin of security deserves to lose both."

[Disposibleteen]

but if we keep it on, XS is vulnerable to malicious code, at least IE users are. there has to be another way...

[isp]

You can turn it off, won't bother me at all...

[matt9669]

Complete security is an illiusion. You can never be completely safe. We could implement the world's best security on the forums and still people would find ways to subvert it. That is the nature of things.

9/11 taught us not to cower in fear from terrorism, but to live our lives in freedom despite the threats we face in a free and open society. Turning off HTML code to plug a browser vulnerability only limits our freedoms in using the forums. If boshi came here with the deliberate attempt of posting malicious code, he has a problem that nothing can fix save banning his worthless butt for all eternity.

It's OUR fault that malicious code was posted on the forums? How absurd! That's like saying it's my fault if my TV is stolen because I forgot to lock the door. I didn't choose to steal the TV. Someone else did. Now, locking my door every day doesn't limit my freedom significantly. Turning off HTML code does. As it's been said, this was not a server-side attack, no XS data was made vulnerable. Users should be responsible for maintaining their own updates, patches, antivirus and antispyware. Everyone should know the risks of visiting any website - we CANNOT make this website 100% safe, it is impossible.

Boshi chose to create a problem. We only make his efforts succeed if we decide to turn off HTML code as a result. Registered users are required to abide by the forum rules, and if they do not appropriate action is taken. XS is not a community of malicious intent, and the quality of our members should mean we can trust them not to exploit the forums in any way. If we cannot, the only thing that will solve the problem is shutting down the forums completely. It's like sex - the only true safe sex is abstinence.

We should choose to keep our freedoms, to let the boshi's of the world know we are not scared of them; we should not change our ways because of one member's lack of discretion. We are better.

-- Matt

[heater918]

I for one would do any thing that would ensure that this forum remains protected from malicios people's efforts to try & disrupt or bring down formum as there is so much to learn from such knowleable people associated with this group. I for one am a novice and have nothing to add, only to learn. Sometimes i feel like i'm on wrong forum (being a beginner but i fell like i get the best info. here with out getting so much bad info that is offered at other beginner sites.If it comes to useing a different browser (other than I.E. i would like to see a small section devoted to these alternatives if possible. Trusting members to steer me in the right direction. Hope i'm on the right track by posting here. To all Xtreme members you are the best .

[matt9669]

Everyone needs to chill about this whole thing IMO. There are no worms, viruses, bugs, exploits or vulnerabilities with this piece of code. The code simply has an error - the "span" tag is not closed. IE should have fixed this a long time ago, it is NOT proper behavior for a browser to crash when a tag is not properly closed. In fact, it is common practice not to close the paragraph or "p" tag.

We're completely overreacting IMO. We should think of creative ways to solve this rather than limiting the creativity and functionality of the forums to fix a tiny MS bug.

[conrad.maranan]

I think matt9669 just wrapped it all up.