Based on the advice of a good friend and one of the few independent thinkers still willing to post independent thoughts on moodle.org, I think it’s time to close this thread…its about run its course.

My offer to remove the YouTube video, and make this post unavailable until some point in the future, IF I’m asked to do so by the Moodle Lead Dev., stands.

Thanks to all for a good discussion…try having these on moodle.org from time-to-time and, although messy and sometimes even ugly, Moodle will benefit!

That said, if something in the past has limited your ability to follow the process, I can see why you have to go another way. Sounds like an unpleasant and unproductive situation for all involved – I’m sorry for those scars.

I do, as a matter of fact, think that messenger and message are both important. You’re modeling a kind of behavior in reporting bugs here, and the context that you’ve personally tried and failed to get them recognized is important. Sorry, there’s that “user services” mindset instead of “developer”.

And yes, I am working on replicating issues so we can enter useful tracker reports about the fundamental problems with the course backups. I expect them to be treated as significant security issues and made invisible until patched.

Short term? Just kill backup rights of teacher and course creator and use an admin password such as I have described (phrase with substitution) making sure that anyone with admin rights follows suit. Implement a forced password change for users and if your students are
minors use this opportunity to teach about trusted community and Internet security.

Well then, it sounds like YOU need to be filing some tracker issues and making your case in the forums…have you?

But yes, as a matter of fact, I think you should remove the video pending the release of 1.9.7.

Okay…here’s what I’ll agree to do. If Moodle HQ asks me to remove it, then I will. But, I haven’t been asked and don’t expect I will be.

This isn’t about what the Moodle developers knew or didn’t know.

Disagree. It has everything to do with what moodle devs knew and didn’t know…and what they did and didn’t do.

Again, it’s possible – even probable – that it was justified to force Moodle’s hand in this case. 7 months is too long for this kind of hole, and maybe Moodle deserved a kick in the pants.

There is a point where we are in 100% agreement.

But what I’m seeing is not the informed action of a contributing member of the community, but a rash decision by someone who isn’t really informed about the development process. I’ve asked you repeatedly about how _you_ handled it, and you’ve repeatedly pointed me to _other people’s_ posts.

I’m far more informed than you realize. The reason you don’t see me as a “contributing member of the community”, is because I was banned from the community by the lead dev himself for pushing issues just like this. I suppose I could have gone knocking on the door pleading for someone to listen to me, but I don’t feel moved to do that.

You have repeatedly tried to make this about the messenger instead of the message–been there, experienced that, have the scars to prove it.

Okay, Joe…we’ve had good exchanges for the past few days. We’ve disagreed, but I haven’t questioned your professionalism, or your commitment/contributions to the community you seem to care so much about. So, time to man-up…what is your identity on moodle.org?

I would simply like to see how much of an “informed, contributing member of the community” you are.

Now that the exploit is public, it seems that there’s little benefit in keeping the information secret. I see your point. But yes, as a matter of fact, I think you should remove the video pending the release of 1.9.7. My site is not “secure” – it’s “more secure than it was.” We don’t have the programming expertise to address the core issue; that’s going to have to come through an upgrade.

This isn’t about what the Moodle developers knew or didn’t know. It’s about what the actual most effective way is to get the news out to the people who need it. It’s about the huge amount of disconnected work that your approach has caused in the community, when I’m hopeful that many of these issues will be handled centrally by the release of a critical security patch/point release.

Again, it’s possible – even probable – that it was justified to force Moodle’s hand in this case. 7 months is too long for this kind of hole, and maybe Moodle deserved a kick in the pants. But what I’m seeing is not the informed action of a contributing member of the community, but a rash decision by someone who isn’t really informed about the development process. I’ve asked you repeatedly about how _you_ handled it, and you’ve repeatedly pointed me to _other people’s_ posts.

I don’t think Moodle is responsible for making admins read their email. I know that some communities of admins shared this message with each other, to make sure fewer people missed it. And surely you don’t think your site “informed everyone who needs to be informed”, do you?

Let me understand this…my video helped you secure your site. Are you suggesting I now “classify”/remove it…forget about anyone else who may still be in the dark? You got your flu shot…to heck with everyone else?

Do you really think that belated email moodle sent out has informed everyone who needs to be informed? I talked with a moodle admin (a furious moodle admin) today, who is on the registered users list to receive those notices and he didn’t know anything was sent out…he’s the second one on the mailing list I’ve spoken with who didn’t get the mail. Why? It seems it may have been marked as “low priority” and was caught by his spam filter…lots of filters do that with things marked “low priority”.

As I’ve said, MDL-18807 is what you are missing. I could publish it, but there is no need…let’s be clear…Moodle HQ has not denied knowing about this. In fact, the “alert” sent out a few days ago, so much as admitted knowing about it by saying:

Moodle development policy has always generally been “we trust teachers”.

Well, so do I, but I don’t trust them with my bank account information.

However, if you want to see the origin of MDL-18807, take a look at this thread:

http://moodle.org/mod/forum/discuss.php?d=120180

What else is there to say? If someone really needs to draw a picture of the problem, then maybe my video is the picture.

I’m baffled as to what you think moodle devs didn’t know? Are you really suggesting that you think they didn’t know course backups included the complete user table for everyone in the backup?

For what it’s worth…the security reporting procedure IS to report issues to tracker. One more time — MDL-18807 may shed some light on this for you. You comment here…which is appreciated, but you haven’t asked to see that issue yet, have you?

By the way, you’re welcome and I do believe your name is Joe…apologies for my sarcasm earlier.

Look, I’m in agreement that this issue highlights some serious problems in Moodle’s approach to security. Sure, “education is not like banking”, but it’s still mission-critical for the institutions that do it.

I also know that people who actually do development, or even, like me, give a damn about how it’s done, understand that there are proper procedures to follow, and that random veiled comments on discussion boards aren’t part of them.

What I’m suggesting is that the Tracker probably has an immense amount of power in deciding what gets worked on and what doesn’t. There’s a time and place to violate procedure, of course – and as soon as anyone can tell me they themselves tried to follow procedure by writing or voting on or commenting on formal Tracker issues, I’ll stop calling names.

Until then, it’s not “calling names”, it’s being linguistically precise in describing behavior.

@figaro, regarding whether I’m willing to dig – I’m interested in digging out right now, figuring out what is broken, and how much, and how to fix it for my install. And again, I recognize that it’s your impetus that’s made my install more secure than it was Monday morning, and thanks again for that.

What I’ve dug through so far (in terms of the Moodle discussion history) has mostly been an unhelpful morass of opinion (on both sides), not usable facts. If you think something more will clarify for me, point me to a specific post.

figaro :
@Joe
“I’d expect to see MDL-18807 “declassified”…”
How can you “classify” something that has been sitting out in public for 7 months? That’s like me removing this video from YouTube and saying, sorry, it’s now classified.
Looks like we are at an impasse, but if my “unprofessional” conduct helped you secure your site…you’re very welcome. Read MDL-18807 one of these days when it’s “declassified”.

I disagree. I think it’s like someone with swine flu being quarantined so they stop spreading the germ. Sure, it’s bad that they wandered around for a few days, but it’s better when it stops.

Maybe it’s all academic – once the exploit is public, there’s little value in adding security so you might as well leave it alone. Or maybe you follow best practices anyway, because there’s value in them.

And you did help me secure my site, and genuinely, thank you for that.

And Joe is honestly the name my parents gave me. No need for quotes, “Figaro.”