Weekend work: Security patches and forum access

Due to numerous inherited flaws in the codebase we’re seeing rather a lot of spam, both in the forums and in the email of registered users. As such this weekend we’ll be applying a number of patches, and stop-gap measures to tighten things up.

Our primary concern is the reports we’ve received from people who have begun to receive spam email to addresses that are only utilised on PublicWhip. We despise spammers and can categorically state that we have never, and will never, share or sell the personal data that our users entrust with us. If you have received spam email to an address that has only been used on PublicWhip, would you please let us know the address details (email team@publicwhip.org.uk) to help us identify where the data leak is coming from and to plug it.

One of the main culprits is a very out of date installation of PHPBB and whilst we look at alternatives, and gather input as to the usefulness of the forum (beyond acting as a changelog for divisions and policies), we’ll be taking the forum offline.

We’re still getting to grips with a system and a codebase that is relatively new to us, but we’re determined to make the site the best that it can be, and data security and data integrity will always be at the heart of what we do.

10 thoughts on “Weekend work: Security patches and forum access

  1. I will try again seem my comments do not get through.

    I will now retire as the sites moderator, since it’s obvious your going to deal with the bits and pieces your self.

    • Hello Treborc,

      PublicWhip is currently a side project and, to try and keep spam down on this blog comments are moderated and may, therefore, take a while to appear (I’ve actually just deleted 23 spam comments that we’ve received in the last 24 hours).

      We are planning on resurrecting the forums in one form or another, but we need to get the spam under control and get the site secured first. We are only two people and we ask that you please give us a chance. From what we’ve seen from the statistics, the forums aren’t used that much compared to the main site and so as a “stop gap” security measure, we’ve temporarily disabled them.

      • Well, you’re dead right about the forums not getting a lot of use, and I’ve tried to spread the word, with little appreciable success, but that’s precisely why I can’t understand why you claim to be seeing ‘a lot of spam’. Unless someone else, besides treborc and me (joker), who were the only recognised moderators, was working his/her hiney off to remove spam on the boards, there was practically none, because spammers soon realised the boards were actively patrolled. The only exception was that ‘cdpress’ person, who seemed to think he could spam reams of text about conferences in Europe.

        It would have been nice to have received a warning about the closures beforehand, but so long as you will let us know when they are returning…


        • Actually, Treborc was one of the people who alerted us to the spam problem in the first place. He emailed the team address after clearing down over 500 items. That, in conjunction with complaints regarding email addresses leaking from the forum software, caused us to take the action described.

          With regard to keeping people informed, we’ve done the best we could with the access and the information we were given, hence why we’ve been as active as we can updating the team email lists, on the Twitter account and posting information here.

          We couldn’t reasonably notify people of whom we had no knowledge or contact details.

          Sorry your nose has been put out of joint over this, but we have to put the security and availability of the main site before other considerations.

          • I don’t think this can be characterised as my nose being out of joint. Treborc’s first comment to this entry didn’t communicate the idea that *he* was happy about the level of feedback either. When the forum was open, it was a very simple matter to notify us, and even with it closed, I still have the power to log in and edit divisions, despite you not having my contact details.

            As I said, my experience was that the spamming had more or less ceased. It’s conceivable that there was a sudden rush because of our efforts to advertise Public Whip, but I would expect to have seen some examples myself, rather than treborc whizzing around cleaning it all up before I had a chance to. He can confirm if that was actually what was happening.

            I’ve always like VBulletin/Php boards, but there’s also Proboards, Zetaboards, and Webs.org do very nice free sites with equally nice messageboards bundled in. I’ve got one of each. I don’t know how well they’d mesh with the rest of Public Whip. Probably no worse than the old board, though.

  2. Yes, definitely time to move on from phpBB!

    These days there are quite funky new options – such as having a Disqus thread (with backup of the content that it enables) on each division. And I’m sure more that you can think of!

    There are a couple of quite active people on the forum – the ones who posted in the recent threads about the transition. Might be worth emailing them and getting them to help with whatever knew community tool you use!

    • Hi Francis,

      Thanks – it’s just deciding which forum software to replace it with. We’ve thought of just using Google Groups, VBulletin, an up to date copy of PHPBB (hadn’t considered Disqus to be honest) or something else.

      We’re hoping that once the rewrite is mostly completed (with an entire new Authentication system: hopefully OpenID/OAuth supporting), we can integrate whichever community system into the site in a much fuller method.

  3. +1 There are a couple of quite active people on the forum – the ones who posted in the recent threads about the transition. Might be worth emailing them and getting them to help with whatever knew community tool you use!

    thank you

  4. The last comment (by Cinsel Saglik) looks like spam to me, so who’s going to remove it?

    After more than half a year, has the forum software been replaced? What ‘forum’ are these ‘quite active people’ posting on? Speaking from a pro-forum perspective, I’m not seeing the activity, and I want to be able to…

Comments are closed.