Thread: Putting skins into the interface folder is bannable
View Single Post
09-03-11, 09:22 PM   #20
Cairenn
Credendo Vides
 
Cairenn's Avatar
Premium Member
WoWInterface Admin
Join Date: Mar 2004
Posts: 7,134
Okay, I know Seerah closed this thread, but I'm going to override her decision because I feel that something that was said needs to be addressed and responded to, publicly.

Originally Posted by Vladinator View Post
Hmm, I see. But there are still chances you have a mole in your moderator team that makes a deal with a hacker to flag an tool safe while it in fact contains key-logging software, or somehow disguise the decompiled files/sources, so you don't see the real threat. Then users just have to trust it's safe but never be able to check it themselves, when there are no sources accompanying the exe! What do you say to that?
I realize that this is, as you said yourself in a later post, that this was an exaggeration. However I feel that it should be responded to, not necessarily for your benefit Vladinator, but for other users who may not know us as well and are possibly suddenly finding themselves concerned because of your example. So, without further preamble:

We (MMOUI) have been running User Interface Customization sites for over nine (9) years now. We have seven sites covering eight games. Over the years we have built a sterling reputation with both the game companies themselves and with the users of our sites. We are Official Fan Site Program members for every single game we support. In many cases we are the only Official UI Fan Site for a game. In one case our site is actually linked to, and searches can be done on it, from within the game itself. Between all of our sites, we've got close to a million registered users. Given that we don't require registration to download from our sites, you can be sure that the actual number of users (both registered and not) is exponentially higher. That is a lot of trust placed in us, trust earned by a lot of hard work over a lot of years. No one has ever been hacked as a consequence of using our site or any addons downloaded from any of our sites. Ever.

In those nine years, we have had only one single instance of one of our sites being compromised. The two compromised files were quarantined in less than two hours after being infected. The entire incident was completely resolved in less than six hours. The hole that the malicious programmers found got closed and additional safety protocols were put in place. Also, we were extremely upfront about the fact that the compromise had occurred, with a major announcement on the front page of our site, links to the announcement on the various social networks, full explanation of what the malicious files were, how to find them and how to clean them from your system if you happened to have gotten either of the infected files before we got them locked down.

Every single file that is uploaded to, or updated on, any of our sites go through numerous steps before they are ever made available for the general public to download;
  • they are manually opened by site staff and checked to make sure there are no executables;
  • they are manually virus scanned by site staff;
  • the description and screenshots are manually scrutinized by site staff;
  • an MD5 hash is automatically generated by our system and applied on upload/update; and
  • a SHA hash is automatically generated by our system and applied on upload/update.
Only after a file has gone through and passed all of those steps is it released for download.

(This next part applies specifically to your hypothetical situation, where we've got a "mole" in our moderation team)

Every night, there are automatic steps that all files in our database go through:
  • automatic virus scans;
  • the MD5 and SHA hashes are verified.; and
  • there are other safety protocols in place as well, but no point letting the malicious programmers know everything we are doing to protect our sites and our users.
As well, we periodically pick a random file that has an executable and put it through the same scrutiny that it went through the first time it was uploaded. This includes us de-compiling it, getting the source code, running it in a 'safe' environment and watching the processes, if it makes any 'outside' connections, etc.

Yes, it is important to be careful when downloading things, but that doesn't mean that every executable is automatically malicious, nor that every site is rife with malware. Yes, any site can be infiltrated. That has been proven, very dramatically, this year. That includes the site on which we are currently having this discussion. All we (everyone using the internet) can do is try our best to be sensible.

When it comes right down to it, though, if you are that uncomfortable, then just don't download and use it. Or else run it through your own virus scans. Or ... It's not like any of the files we are talking about are absolutely necessary for you to have. And the only way you can ever be truly safe when using the internet ... is to just not use the internet.

Finally, that was a very insulting thing to even joke about, concerning our moderation team. You've been a member here for 6 years, you know better than that. They are fantastic people that give freely of their time to make sure this site stays as great as it is, for all of our users.

tl:dr = Don't be stupid when using the internet. Use sites you can trust, that have a proven track record of doing everything they can to protect their site and users. Check the stuff you download.
Last edited by Cairenn : 09-03-11 at 09:36 PM.