Someone Being Naughty before the ISSA-LA Holiday Party?

This story is part two of a several-months-long investigation conducted by vBTruth. During the investigation into the accusations of fraud, malfeasance, conflicts of interest, and breach of fiduciary responsibility, we at vBTruth ultimately felt this story warranted coming out of retirement to share these individuals’ combined stories. vBTruth is continuing its investigation and will report subsequent updates as new evidence is uncovered.

…We have not given approval to include our name in the Eventbrite invitation and I was surprised to see it in the (Eventbrite)… I wasn’t even aware tickets were already on sale for it.

― Shannon Brewster, ISC2 LA President

As part of our ongoing, months-long investigation into accusations of fraud, malfeasance, conflicts of interest, and breach of fiduciary responsibility at ISSA-LA, vBTruth recently observed an upcoming joint holiday party listed on Eventbrite, allegedly hosted by ISSA-LA, the Women’s Society of Cyberjutsu, the Open Worldwide Application Security Project (OWASP), the Association of Information Technology Professionals – Los Angeles (AITP-LA), the Southern California (SoCal) Chapter of the Cloud Security Alliance, and ISC2 Los Angeles.

vBTruth reached out to several of these organizations to confirm their participation and attempted to obtain copies of any agreements.

More than one organization was surprised to learn it had been included in the holiday party, because it had never given consent. They were even more surprised to find themselves featured as one of “six” non-profits hosting the holiday party, on both the ticket sales page and the separate sponsorship sales page. Both ISC2 LA and the Cloud Security Alliance stated that the use of their names was unauthorized.

“ISC2 LA leadership had some informal discussions over email with ISSA-LA’s board regarding a joint holiday party. They reached out a few weeks ago and invited us to participate but we had not made a final decision. We were waiting on a written proposal and an agreement that disclosed the expected costs and responsibilities.

Given that nothing has been finalized, we have not given approval to include our name in the Eventbrite invitation and I was surprised to see it in the (Eventbrite)… I wasn’t even aware tickets were already on sale for it,” Shannon Brewster, ISC2 LA President, wrote to vBTruth.

An anonymous source familiar with the matter at the Cloud Security Alliance told vBTruth that “they never agreed to participate at the holiday party and were extremely disappointed in the attempt to obligate the SoCal chapter in(to) participating and the unnecessary deception to the (security) community at large.”

Both the Cloud Security Alliance and ISC2 LA have demanded that their names be removed from any promotional material or website stating their participation in the holiday party, and both have stated they will not be participating in this year’s holiday party. At one point the sponsorship Eventbrite page listed five non-profit organizations; it was later updated again to remove ISC2 LA.

Both Eventbrite pages have been updated since the demands were made by Cloud Security Alliance and ISC2 LA.

Another recent, significant update concerned the keynote speaker at the holiday party. On November 2, 2023, the website featured Bryan Hurd, Chief of Office, Aon Cyber Solutions (Stroz Friedberg). By November 10, Bryan Hurd had been removed from the website and replaced with Demetrios Lazarikos (Laz).

The question we have not been able to answer is: “Why was Bryan Hurd replaced one month before the holiday party?” We see only two plausible explanations:

  • Schedule Conflicts
  • Unauthorized Use of Name/Attempt to Obligate

Weighing both explanations leads us at vBTruth to believe that this was an attempt to obligate Mr. Hurd as keynote speaker of the holiday party without his consent.

First, we have not one but two attempts, in a single event, to obligate, and perhaps force, two independent organizations to participate in the ISSA-LA holiday party. Both organizations have issued statements to vBTruth stating they never agreed to participate.

Next, we can reasonably assume this was not a ‘mistake’ per se, but intentional. Two Eventbrite webpages listed all of the organizations allegedly hosting the holiday party, by name, along with an exact count of participating organizations. To list by name a set of organizations that includes two who never agreed to participate, on two different Eventbrite webpages, each carrying a precise count of participating non-profits, is hard to read as anything other than intentional.

Lastly, keynote speakers are typically booked months in advance. A last-minute cancellation usually means a schedule change or a personal matter. A schedule conflict forcing Mr. Hurd to withdraw is unlikely: holiday parties usually draw large turnouts, and a keynote speaker would set the time aside and block the calendar.

That leaves the last option: unauthorized use of his name and an attempt to obligate him. There are already two documented instances, in this one event, of attempts to obligate two other organizations. It is not unreasonable to assume that more attempts occurred without the general public’s knowledge.

“There’s an old saying in Tennessee — I know it’s in Texas, probably in Tennessee — that says, fool me once, shame on — shame on you. Fool me — you can’t get fooled again.”

― President George W. Bush, 43rd President of the United States of America

Regardless of what happened with Mr. Hurd, it does not change the fact that ISSA-LA falsely published two organizations’ participation and attempted to strong-arm and obligate those entire organizations and their respective leaders. Marketing this event to both potential attendees and sponsors as including organizations that did not agree to participate is duplicitous, dishonest, and fraudulent behavior.

Those reasons alone put ISSA-LA and its leaders on the naughty list and rightfully earn all of them lumps of coal this holiday season.

ISSA-LA Chapter President Accused of Fraud, Malfeasance and Breach of Fiduciary Responsibility

This story is part one of a several-months-long investigation conducted by vBTruth. During the investigation into the accusations of fraud, malfeasance, conflicts of interest, and breach of fiduciary responsibility, we at vBTruth ultimately felt this story warranted coming out of retirement to share these individuals’ combined stories. vBTruth is continuing its investigation and will report subsequent updates as new evidence is uncovered.

Sunlight is the best disinfectant. This mantra of transparency still remains true today. After several months of attempting to resolve concerns of fraud, conflicts of interest, self-dealing, breach of fiduciary responsibility and malfeasance behind closed doors with no resolution, individuals are finally coming forward and shining a light.

Multiple individuals, including several current and past members of the ISSA-LA Chapter, have accused the current sitting ISSA-LA Chapter President and now former OWASP-LA Chapter President, Richard Greenberg, and the current sitting ISSA-LA Chapter Vice President and now former OWASP-LA Chapter Vice President, David Wettenstein, of fraud, conflicts of interest, self-dealing, breach of fiduciary responsibility, and malfeasance. The accusations of malfeasance and breach of fiduciary responsibility are starting to extend to the current sitting ISSA-LA chapter board, for turning a blind eye to the conflicts of interest of the Chapter President and Vice President, failing to enforce the chapter’s bylaws, and failing to remove the Chapter President and Vice President. The number of individuals making accusations appears to grow larger and louder by the day, the number of victims continues to grow, and the number of casualties on the road to a resolution continues to rise.

On March 25, 2021, ISSA-LA Chapter President Richard Greenberg filed articles of organization with the Wyoming Secretary of State’s office, forming a new limited liability company, Layer 8 Masters. vBTruth obtained the business filings from both the Wyoming and California Secretary of State offices. Listed in these filings as members of the limited liability company were Richard Greenberg, Haral Tsitsivas, David Wettenstein, and Alexander Braehler. The purpose of the business is to host cyber security educational events under the brand “Planet Cyber Sec Conference”.

Since September 2021, Planet Cyber Sec has held 11 cyber security conferences throughout Southern California, including CIO/CISO Forums, AppSec SoCal, and other security conferences and events.

ISSA-LA, a 501(c)(3) nonprofit charity, is operated by a volunteer group of individuals who make up its leadership and board. These same volunteers have a primary place of employment from which they derive their income.

While it is not unethical to hold a primary place of employment and serve concurrently on a 501(c)(3) nonprofit board, nor is it in itself unethical to compete against the nonprofit, it is questionable to start a brand new business that competes in the same industry, the same vertical, the same geographic area, and the same space (security conferences), that offers nearly identical services, and from which both the for-profit company and the nonprofit obtain the vast majority of their income, while both organizations are led by the same sitting leaders.

It is clearly unethical, and a clear conflict of interest, to use ISSA-LA members’ money and the chapter’s non-profit resources, and to profit from a leadership position in the non-profit, for the benefit of a for-profit organization, especially one directly owned by the ISSA-LA Chapter President and Chapter Vice President. The Chapter President and Chapter Vice President have been using members’ money and member-owned resources, have a conflict of interest, and are potentially profiting from sponsorships and ticket sales at their for-profit enterprise while potentially leaving ISSA-LA members holding the bill for indirect expenses. Multiple individuals have raised these concerns privately and quietly, often in lengthy conversations.

Multiple newsletters sent by ISSA-LA share a consistent, repeating theme of offering an ISSA-LA member discount to attend Planet Cyber Sec events. Each email lacks any notification or disclosure to readers that the current Chapter President and Vice President are owners of Planet Cyber Sec and have an equity and financial stake in its success. Given the lack of transparency and the way each email is phrased, any reasonable reader could perceive “Planet Cyber Sec” as an ISSA-LA organized event. vBTruth obtained copies of the newsletters and verified their authenticity.

One individual interviewed by vBTruth, on condition of anonymity because this individual feared a recurrence of being harassed, defamed, and slandered by the Chapter President, witnessed firsthand the brand confusion created by promoting and selling Planet Cyber Sec at other local events. Representatives from ISSA-LA gave away tickets, pitching them as “ISSA-LA is giving away two tickets to Planet Cyber Sec.” There was no disclosure to potential speakers or potential sponsors that Planet Cyber Sec is directly owned by the ISSA-LA Chapter President and Vice President.

The list of concerns continues with the inappropriate use of chapter resources: mailing lists, chapter intellectual property, and multiple social media accounts across multiple platforms owned by ISSA-LA. vBTruth has independently verified that select social media accounts owned by ISSA-LA do indeed promote Planet Cyber Sec. In every instance, there is no disclosure that the Chapter President or Vice President are owners of Planet Cyber Sec.

This individual further alleges that the chapter board never approved Planet Cyber Sec or its owners to promote Planet Cyber Sec, or to use chapter social media and other chapter assets in the manner they were used. The same individual alleged that Richard Greenberg sent Planet Cyber Sec information across multiple marketing channels without permission or a board vote, effectively bypassing chapter board approval not once but multiple times.

One individual vBTruth interviewed, on condition of anonymity because they feared retaliation and physical harm from the Chapter President, stated they had serious misgivings and concerns not just over the use of chapter resources but over chapter members’ money. According to this individual, the Chapter President spent members’ money on himself, on lavish, all-expenses-paid trips to RSA Conference in San Francisco, CA, and BlackHat USA in Las Vegas, NV. These trips were paid for entirely by ISSA-LA members, and they are not cheap: hotels can easily run over a thousand dollars a night during RSA Conference and BlackHat USA, according to this individual. These board-approved trips were intended to raise the profile of ISSA-LA and build relationships with potential speakers and sponsors.

However, this individual alleged that the Chapter President was nowhere to be found during RSA Conference and BlackHat USA. This individual never ran into the Chapter President at either exhibit hall, and several other individuals with ties to the Chapter President never encountered him on the exhibit hall floor either. vBTruth was unable to verify the claim; however, the individual was able to provide multiple receipts and credit card bills showing their own presence at RSA Conference and BlackHat USA. vBTruth was also able to find photos on social media consistent with what this individual alleges, including one photo in which the Planet Cyber Sec logo is clearly visible on a polo shirt worn by the ISSA-LA Chapter President while traveling on ISSA-LA members’ money.

At the same time, there were serious questions about whether the time and money spent on these trips, or on LinkedIn, served the Chapter President’s personal gain, his personal business, or the Chapter. As one individual pointed out, “It is very hard to distinguish whether Richard was doing things to build his business or for ISSA-LA as they are all comingled together.” This pattern of using chapter-funded resources for personal gain extends to LinkedIn as well: ISSA-LA is paying for the Chapter President’s LinkedIn Premium account.

The concerns of unethical behavior, use of members’ money, use of chapter resources, brand confusion, self-dealing, and the lack of transparency and reasonable disclosure have created various degrees of confusion. It is believed that more than one exhibitor thought they were sponsoring and giving money to ISSA-LA, not Richard’s Planet Cyber Sec. There has been at least one accusation that the President and Vice President were redirecting potential sponsors, money (through sponsorships and ticket sales), and speakers away from ISSA-LA events and towards Planet Cyber Sec, lining their own pockets in the process.

The concerns have triggered a wave of resignations at ISSA-LA, with at least one confirmed resignation in protest of the unethical behavior of the Chapter President and Vice President. Based on information vBTruth has been able to assemble, board turnover at ISSA-LA has been extreme. Since May 2022, at least eight ISSA-LA chapter board members have resigned or chosen not to continue on the board, in roles ranging from Chapter Secretary and Chapter Treasurer to multiple Directors. That is at least an 80% board turnover in 18 months on a ten-seat chapter board, or 67% on a twelve-seat board. Several individuals appear to have held board positions for multiple years and abruptly quit with no public reason given. Additionally, starting in August 2023, six advisory board members also abruptly resigned over a period of two months. Yet the President and Vice President continue to hold power more than ten years on.

At least two board positions remain vacant to this day, in violation of the ISSA-LA bylaws: Executive Director and Social Media Director. In the upcoming 2024 board elections for ISSA-LA, being held in December 2023, the position of Technology Director is unfilled, and the Executive Director and Social Media Director positions are mysteriously neither on the ballot nor advertised as vacant.

Citing these concerns, multiple individuals have privately raised numerous questions, concerns, and complaints with numerous organizations, including ISSA-LA, ISSA International, OWASP International, the International Information System Security Certification Consortium, and others, regarding the founders of Layer 8 Masters and Planet Cyber Sec.

At least one individual has expressed their concerns to one organization’s general counsel because they fear potential physical harm by the Chapter President, as well as further slander, having already been a confirmed victim of slander by the Chapter President.

They also expressed no confidence in the ISSA-LA board or its independence. They firmly believed that any action brought by the members would go nowhere, because not enough victims or individuals would be willing to come forward to confront and challenge the Chapter President and Vice President in a meeting, as the ISSA-LA bylaws require. They are concerned that frustrated members and victims have chosen not to renew their memberships, refuse to get involved and have tried to move on, or have transferred to another chapter to keep their distance from the current Chapter President and Vice President. They also firmly believed that the board lacks independence because Richard Greenberg, Chapter President of ISSA-LA and the face of Planet Cyber Sec, can appoint and fill vacant ISSA-LA board positions under the ISSA-LA bylaws. They reasonably believe the board is now filled with the Chapter President’s cronies.

OWASP International appears to be the only organization that has conducted any investigation of the complaints and examination of the evidence to date regarding the unethical behavior of the Planet Cyber Sec founders. It appears that OWASP International found the complaints valid, as Richard Greenberg, Haral Tsitsivas, and David Wettenstein are no longer listed as leaders of OWASP-LA and OWASP-OC. vBTruth did not reach out to OWASP International to verify this because its website cites confidentiality for these types of issues.

Tensions, frustrations, and anger have reached a breaking point with multiple victims and individuals. Many are suffering from emotional exhaustion. They want to close the chapter on this saga.

Other than OWASP, these victims and individuals believe more than one organization has turned a blind eye. These organizations refuse to take any action and refuse to move forward on procedural grounds, because their policies do not allow whistleblower or anonymous submissions. Often these victims find themselves having to defend their decision to remain anonymous because of a deep fear of retribution. Multiple individuals have expressed similar concerns, including the potential for physical altercation, physical intimidation, defamation, slander, harassment, or libel between themselves and Richard Greenberg.

One question remains: who actually cares about these ethics violations and will take action against these clear infractions and violations? One individual lamented that this has been a frustrating, disheartening, and discouraging multiyear process.

These victims feel abandoned. Alone. Exhausted. The ethics and upstanding principles espoused throughout the security industry ring hollow. These organizations are nowhere to be found when confronted with overwhelming evidence that something is amiss.

What lies ahead for each remains to be seen. And yet there are those who continue to champion the ethics, morals, and principles that so many seem to have conveniently forgotten.

vBTruth will be continuing its investigation into this story. Stay tuned for additional updates, including a Part 2 to this story.

Early Lessons Learned from Capital One Data Breach

Capital One, one of the nation’s largest financial institutions, announced that an outside individual (identified in the FBI’s criminal complaint as a former employee of a cloud services company, not of Capital One) gained unauthorized access to its systems and stole information about consumers and small businesses.

This information included personal information Capital One collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:

  • Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

Approximately 140,000 Social Security numbers and 80,000 linked bank account numbers were also compromised as part of the theft. 1 million Canadian Social Insurance Numbers were compromised as well.

Capital One stored consumer and small business information in S3, the object storage service offered by Amazon Web Services. The court complaint details the FBI investigation, which found that the attacker was able to list and download data from roughly 700 S3 buckets. According to the complaint, a misconfigured web application firewall allowed the attacker to relay commands to the server behind it, obtain the temporary credentials of an IAM role attached to that server, and use those credentials to enumerate and copy the buckets.

There have been a number of different data breaches related to improper security controls at various organizations using Amazon S3.

Something as simple as a misconfiguration can have huge consequences for an organization’s reputation. With a growing number of data breaches, from medical records to purchase histories, a comprehensive picture of the average individual is starting to emerge. With any technology implementation, due diligence must be performed to reduce the likelihood of a breach.
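The due diligence the paragraph above calls for can be partly automated. The following is an added example (not code from the original post, Capital One, or AWS) that audits an AWS policy document for the grants behind most S3 exposures: an anonymous principal with no condition, wildcard actions, and data-read actions on `Resource "*"`, which is what turns one stolen credential into access to every bucket in an account. The three policies, the bucket name and the VPC endpoint ID are constructed for illustration.

```python
"""Static audit of AWS policy documents for the over-broad grants that let one
stolen credential reach every bucket in an account.

Added example, not code from the original page or from Capital One/AWS.
The three policies below are constructed for illustration."""
import json

# Constructed: a role policy such as an EC2 instance profile might carry. The
# combination of data-read actions and Resource "*" means whoever obtains this
# role's temporary credentials can list and pull every object in every bucket.
WEAK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadEverything",
        "Effect": "Allow",
        "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject"],
        "Resource": "*",
    }],
}

# Constructed: the same workload scoped to the one bucket it needs and to
# traffic arriving through an assumed VPC endpoint (the vpce id is made up).
TIGHT_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadAppBucket",
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::app-data-bucket",
                     "arn:aws:s3:::app-data-bucket/*"],
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
}

# Constructed: a bucket policy that makes every object world-readable.
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::app-data-bucket/*",
    }],
}

# Actions that read bucket contents. s3:ListAllMyBuckets is deliberately not
# here: it only returns bucket names and legitimately requires Resource "*".
S3_DATA_READ = {"s3:*", "*", "s3:getobject", "s3:listbucket"}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (anonymous / any account)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_policy(policy: dict) -> list:
    """Return one human-readable finding per over-broad Allow statement."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))

        if _principal_is_anyone(stmt.get("Principal")) and not has_condition:
            findings.append(f"{sid}: Principal * with no Condition (public access)")
        if actions & {"s3:*", "*"}:
            findings.append(f"{sid}: wildcard Action grants every S3 operation")
        if "*" in resources and actions & S3_DATA_READ:
            findings.append(f"{sid}: data-read actions on Resource * "
                            "(every bucket in the account)")
    return findings


def audit_policy_json(text: str) -> list:
    """Entry point for a policy document as returned by the AWS CLI or API."""
    return audit_policy(json.loads(text))


if __name__ == "__main__":
    for name, pol in [("weak role", WEAK_ROLE_POLICY),
                      ("tight role", TIGHT_ROLE_POLICY),
                      ("public bucket", PUBLIC_BUCKET_POLICY)]:
        print(name, audit_policy(pol) or ["no findings"])
```

The weak role policy produces one finding (data-read actions on every bucket), the public bucket policy one (anonymous principal), and the tightened role policy none. A check like this is a floor, not a ceiling: it does not evaluate `Deny` statements, permission boundaries, or account-level Block Public Access, so treat its output as a list of statements to review rather than a verdict.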

 

Cloud Computing does not outsource risk and security

Cloud computing is simply borrowing someone else’s computer. By no means does it equate to transferring the risk and security responsibilities to that entity. Risk and threat models need to reflect the change in who owns the computers and where data lives on a day-to-day basis. At the end of the day, it is on executive and senior management to understand and accept that the risks and security burdens still rest with the organization; they simply look different operationally. Cloud is not the silver bullet for your security challenges.

Regular Reviews

We are all human. We make mistakes. No one is perfect. It is the reality of being mortal. It is important that assessments, audits, penetration tests, and red team engagements are performed on a regular basis. It is even more important that the mantra of trying to “pass” these engagements by any means possible be put behind us. A passing score is an important metric, but achieving it by any means possible sets an entire organization back, because it prevents the necessary resources from being allocated to address the gaps these reviews identify. When sick, we do not get better unless we disclose all the symptoms so a doctor can assess them and prescribe the correct medicine.

Soft Skills

Technologists, practitioners, subject matter experts, and management need better soft skills. The days of assuming that management understands everything are long gone. The days in which technologists and practitioners could stay in their cubicles or digital walled gardens are over. Technical experts need to improve their ability to communicate the risks of adopting a technology. Management needs to press its technical experts to do proper due diligence to identify those risks.

Audit, Logging, Monitoring, and Acting Upon Them

A huge saving grace for Capital One was the level of detail in its logs, which enabled it to reconstruct the series of unfortunate events. Organizations should have robust logging in place, and controls that protect those logs from tampering or deletion. However, despite having these logs, Capital One’s breach went undetected for close to four months; the logs served as a forensic record, not as an alarm. Consistent, active monitoring, and knowing what to look for, is essential to spotting anomalies quickly. Your threat hunters are looking for needles in ever-growing haystacks.
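“Knowing what to look for” means turning the attack pattern the complaint describes into detections that run over the logs as they arrive, rather than only reading them afterwards. The following is an added example (not code from the original post, Capital One, or AWS) that runs two such detections over CloudTrail-style S3 records: an EC2 instance profile’s temporary credentials being used from an address outside the fleet’s known egress range, and a single principal reading an unusual number of distinct buckets within a short window. The records, the role and user ARNs, the egress range and the thresholds are all constructed; the thresholds are set deliberately low so the small sample trips them.

```python
"""Two detections run over CloudTrail-style S3 records: EC2 instance-profile
credentials used from outside the fleet's known egress addresses, and one
principal reading an unusual number of distinct buckets in a short window.

Added example, not code from the original page or from Capital One/AWS.
The records and the egress range below are constructed; thresholds are
deliberately low so the sample data trips them."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed: the NAT gateway range that instance traffic normally leaves through.
KNOWN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed ARNs. For an instance profile, the role session name is the instance ID.
INSTANCE_ROLE = "arn:aws:sts::123456789012:assumed-role/WebRole/i-0abc1234def567890"
ANALYST_USER = "arn:aws:iam::123456789012:user/analyst"


def _rec(when, event, ip, arn, bucket=None):
    """Build a constructed CloudTrail record trimmed to the fields used here."""
    return {"eventTime": when, "eventName": event, "sourceIPAddress": ip,
            "userIdentity": {"arn": arn},
            "requestParameters": {"bucketName": bucket} if bucket else None}


# Constructed sample: normal traffic at 09:00, then the instance role's
# credentials reused from an outside IP to enumerate and read several buckets.
SAMPLE_RECORDS = [
    _rec("2019-03-22T09:00:00Z", "GetObject", "198.51.100.5", INSTANCE_ROLE, "app-data-bucket"),
    _rec("2019-03-22T10:01:00Z", "ListBuckets", "203.0.113.7", INSTANCE_ROLE),
    _rec("2019-03-22T10:02:00Z", "ListObjectsV2", "203.0.113.7", INSTANCE_ROLE, "card-apps-2016"),
    _rec("2019-03-22T10:03:00Z", "ListObjectsV2", "203.0.113.7", INSTANCE_ROLE, "card-apps-2017"),
    _rec("2019-03-22T10:04:00Z", "ListObjectsV2", "203.0.113.7", INSTANCE_ROLE, "card-apps-2018"),
    _rec("2019-03-22T10:05:00Z", "GetObject", "203.0.113.7", INSTANCE_ROLE, "ssn-extract"),
    _rec("2019-03-22T11:30:00Z", "GetObject", "203.0.113.50", ANALYST_USER, "reports"),
]

READ_EVENTS = {"GetObject", "ListObjects", "ListObjectsV2", "HeadBucket"}


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def is_instance_profile_session(arn):
    """Assumed-role ARN whose session name looks like an EC2 instance ID."""
    return ":assumed-role/" in arn and arn.rsplit("/", 1)[-1].startswith("i-")


def detect_credential_exfiltration(records, known_egress=KNOWN_EGRESS):
    """Flag instance-profile credentials used from an address the fleet never egresses from."""
    alerts = []
    for r in records:
        arn = r["userIdentity"]["arn"]
        if not is_instance_profile_session(arn):
            continue
        try:
            ip = ipaddress.ip_address(r["sourceIPAddress"])
        except ValueError:
            continue  # service-originated calls carry a hostname here, not an IP
        if not any(ip in net for net in known_egress):
            alerts.append((arn, r["sourceIPAddress"], r["eventName"]))
    return alerts


def detect_bucket_sweep(records, max_buckets=3, window=timedelta(minutes=30)):
    """Flag a principal that reads more than max_buckets distinct buckets within window."""
    by_principal = defaultdict(list)
    for r in records:
        bucket = (r.get("requestParameters") or {}).get("bucketName")
        if r["eventName"] in READ_EVENTS and bucket:
            by_principal[r["userIdentity"]["arn"]].append((_ts(r["eventTime"]), bucket))
    alerts = []
    for arn, events in by_principal.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window anchored at each event
            seen = {b for t, b in events[i:] if t - start <= window}
            if len(seen) > max_buckets:
                alerts.append((arn, len(seen)))
                break
    return alerts


if __name__ == "__main__":
    for a in detect_credential_exfiltration(SAMPLE_RECORDS):
        print("credential used off-fleet:", a)
    for a in detect_bucket_sweep(SAMPLE_RECORDS):
        print("bucket sweep:", a)
```

On the sample, the first detection fires on every call the instance role makes from 203.0.113.7 and stays quiet for the analyst, whose IAM user is not an instance profile; the second fires once for the role, which touches four distinct buckets inside the 30-minute window. In production the egress list comes from your VPC inventory and the bucket threshold from a per-role baseline, and both detections are cheap enough to run on the CloudTrail stream rather than on a quarterly log review, which is the difference between noticing a sweep of 700 buckets in minutes and learning about it four months later.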

This data breach joins a long line of many. We cannot accept that data breaches are the new norm. As we learn more about this attack, we should draw more lessons from it to minimize the likelihood of another breach of this magnitude. We must be vigilant at all times to protect the stakeholders who entrust us with their data, their identity, and their livelihood.

Repost of: “No, You Really Can’t” by Mary Ann Davidson

This is a copy of a recently deleted blog entry by Oracle Chief Security Officer (CSO) Mary Ann Davidson. It was some of the best writing we have seen in quite some time, so we felt it worthwhile to post a copy on this blog for posterity. A more formal reply will be composed after we stop laughing hysterically.

No, You Really Can’t – by Mary Ann Davidson

I have been doing a lot of writing recently. Some of my writing has been with my sister, with whom I write murder mysteries using the nom-de-plume Maddi Davidson. Recently, we’ve been working on short stories, developing a lot of fun new ideas for dispatching people (literarily speaking, though I think about practical applications occasionally when someone tailgates me).

Writing mysteries is a lot more fun than the other type of writing I’ve been doing. Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. <Insert big sigh here.> This is why I’ve been writing a lot of letters to customers that start with “hi, howzit, aloha” but end with “please comply with your license agreement and stop reverse engineering our code, already.”

I can understand that in a world where it seems almost every day someone else had a data breach and lost umpteen gazillion records to unnamed intruders who may have been working at the behest of a hostile nation-state, people want to go the extra mile to secure their systems. That said, you would think that before gearing up to run that extra mile, customers would already have ensured they’ve identified their critical systems, encrypted sensitive data, applied all relevant patches, be on a supported product release, use tools to ensure configurations are locked down – in short, the usual security hygiene – before they attempt to find zero day vulnerabilities in the products they are using. And in fact, there are a lot of data breaches that would be prevented by doing all that stuff, as unsexy as it is, instead of hyperventilating that the Big Bad Advanced Persistent Threat using a zero-day is out to get me! Whether you are running your own IT show or a cloud provider is running it for you, there are a host of good security practices that are well worth doing.

Even if you want to have reasonable certainty that suppliers take reasonable care in how they build their products – and there is so much more to assurance than running a scanning tool – there are a lot of things a customer can do like, gosh, actually talking to suppliers about their assurance programs or checking certifications for products for which there are Good Housekeeping seals (or “good code” seals) like Common Criteria certifications or FIPS-140 certifications. Most vendors – at least, most of the large-ish ones I know – have fairly robust assurance programs now (we know this because we all compare notes at conferences). That’s all well and good, is appropriate customer due diligence and stops well short of “hey, I think I will do the vendor’s job for him/her/it and look for problems in source code myself,” even though:

  • A customer can’t analyze the code to see whether there is a control that prevents the attack the scanning tool is screaming about (which is most likely a false positive)
  • A customer can’t produce a patch for the problem – only the vendor can do that
  • A customer is almost certainly violating the license agreement by using a tool that does static analysis (which operates against source code)

I should state at the outset that in some cases I think the customers doing reverse engineering are not always aware of what is happening because the actual work is being done by a consultant, who runs a tool that reverse engineers the code, gets a big fat printout, drops it on the customer, who then sends it to us. Now, I should note that we don’t just accept scan reports as “proof that there is a there, there,” in part because whether you are talking static or dynamic analysis, a scan report is not proof of an actual vulnerability. Often, they are not much more than a pile of steaming … FUD. (That is what I planned on saying all along: FUD.) This is why we require customers to log a service request for each alleged issue (not just hand us a report) and provide a proof of concept (which some tools can generate).

If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, “static analysis of Oracle XXXXXX”), we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf – reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already. (In legalese, of course. The Oracle license agreement has a provision such as: “Customer may not reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code of the Programs…” which we quote in our missive to the customer.) Oh, and we require customers/consultants to destroy the results of such reverse engineering and confirm they have done so.

Why am I bringing this up? The main reason is that, when I see a spike in X, I try to get ahead of it. I don’t want more rounds of “you broke the license agreement,” “no, we didn’t,” yes, you did,” “no, we didn’t.” I’d rather spend my time, and my team’s time, working on helping development improve our code than argue with people about where the license agreement lines are.

Now is a good time to reiterate that I’m not beating people up over this merely because of the license agreement. More like, “I do not need you to analyze the code since we already do that, it’s our job to do that, we are pretty good at it, we can – unlike a third party or a tool – actually analyze the code to determine what’s happening and at any rate most of these tools have a close to 100% false positive rate so please do not waste our time on reporting little green men in our code.” I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying, and mutually-time wasting exercise.

For this reason, I want to explain what Oracle’s purpose is in enforcing our license agreement (as it pertains to reverse engineering) and, in a reasonably precise yet hand-wavy way, explain “where the line is you can’t cross or you will get a strongly-worded letter from us.” Caveat: I am not a lawyer, even if I can use words like stare decisis in random conversations. (Except with my dog, because he only understands Hawaiian, not Latin.) Ergo, when in doubt, refer to your Oracle license agreement, which trumps anything I say herein!

With that in mind, a few FAQ-ish explanations:

Question: What is reverse engineering?
Answer: Generally, our code is shipped in compiled (executable) form (yes, I know that some code is interpreted). Customers get code that runs, not the code “as written.” That is for multiple reasons such as users generally only need to run code, not understand how it all gets put together, and the fact that our source code is highly valuable intellectual property (which is why we have a lot of restrictions on who accesses it and protections around it). The Oracle license agreement limits what you can do with the as-shipped code and that limitation includes the fact that you aren’t allowed to de-compile, dis-assemble, de-obfuscate or otherwise try to get source code back from executable code. There are a few caveats around that prohibition but there isn’t an “out” for “unless you are looking for security vulnerabilities in which case, no problem-o, mon!”

If you are trying to get the code in a different form from the way we shipped it to you – as in, the way we wrote it before we did something to it to get it in the form you are executing, you are probably reverse engineering. Don’t. Just – don’t.

Question: What is Oracle’s policy in regard to the submission of security vulnerabilities (found by tools or not)?
Answer: We require customers to open a service request (one per vulnerability) and provide a test case to verify that the alleged vulnerability is exploitable. The purpose of this policy is to try to weed out the very large number of inaccurate findings by security tools (false positives).

Question: Why are you going after consultants the customer hired? The consultant didn’t sign the license agreement!
Answer: The customer signed the Oracle license agreement, and the consultant hired by the customer is thus bound by the customer’s signed license agreement. Otherwise everyone would hire a consultant to say (legal terms follow) “Nanny, nanny boo boo, big bad consultant can do X even if the customer can’t!”

Question: What does Oracle do if there is an actual security vulnerability?
Answer: I almost hate to answer this question because I want to reiterate that customers Should Not and Must Not reverse engineer our code. However, if there is an actual security vulnerability, we will fix it. We may not like how it was found but we aren’t going to ignore a real problem – that would be a disservice to our customers. We will, however, fix it to protect all our customers, meaning everybody will get the fix at the same time. However, we will not give a customer reporting such an issue (that they found through reverse engineering) a special (one-off) patch for the problem. We will also not provide credit in any advisories we might issue. You can’t really expect us to say “thank you for breaking the license agreement.”

Question: But the tools that decompile products are getting better and easier to use, so reverse engineering will be OK in the future, right?
Answer: Ah, no. The point of our prohibition against reverse engineering is intellectual property protection, not “how can we cleverly prevent customers from finding security vulnerabilities – bwahahahaha – so we never have to fix them – bwahahahaha.” Customers are welcome to use tools that operate on executable code but that do not reverse engineer code. To that point, customers using a third party tool or service offering would be well-served by asking questions of the tool (or tool service) provider as to a) how their tool works and b) whether they perform reverse engineering to “do what they do.” An ounce of discussion is worth a pound of “no we didn’t,” “yes you did,” “didn’t,” “did” arguments. *

Question: “But I hired a really cool code consultant/third party code scanner/whatever. Why won’t mean old Oracle accept my scan results and analyze all 400 pages of the scan report?”
Answer: Hoo-boy. I think I have repeated this so much it should be a song chorus in a really annoying hip hop piece but here goes: Oracle runs static analysis tools ourselves (heck, we make them), many of these goldurn tools are ridiculously inaccurate (sometimes the false positive rate is 100% or close to it), running a tool is nothing, the ability to analyze results is everything, and so on and so forth. We put the burden on customers or their consultants to prove there is a There, There because otherwise, we waste a boatload of time analyzing – nothing** – when we could be spending those resources, say, fixing actual security vulnerabilities.

Question: But one of the issues I found was an actual security vulnerability so that justifies reverse engineering, right?
Answer: Sigh. At the risk of being repetitive, no, it doesn’t, just like you can’t break into a house because someone left a window or door unlocked. I’d like to tell you that we run every tool ever developed against every line of code we ever wrote, but that’s not true. We do require development teams (on premises, cloud and internal development organizations) to use security vulnerability-finding tools, we’ve had a significant uptick in tools usage over the last few years (our metrics show this) and we do track tools usage as part of the Oracle Software Security Assurance program. We beat up – I mean, “require” – development teams to use tools because it is very much in our interests (and customers’ interests) to find and fix problems earlier rather than later.

That said, no tool finds everything. No two tools find everything. We don’t claim to find everything. That fact still doesn’t justify a customer reverse engineering our code to attempt to find vulnerabilities, especially when the key to whether a suspected vulnerability is an actual vulnerability is the capability to analyze the actual source code, which – frankly – hardly any third party will be able to do, another reason not to accept random scan reports that resulted from reverse engineering at face value, as if we needed one.

Question: Hey, I’ve got an idea, why not do a bug bounty? Pay third parties to find this stuff!
Answer: <Bigger sigh.> Bug bounties are the new boy band (nicely alliterative, no?). Many companies are screaming, fainting, and throwing underwear at security researchers**** to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers. (Small digression: I was busting my buttons today when I found out that a well-known security researcher in a particular area of technology reported a bunch of alleged security issues to us except – we had already found all of them and we were already working on or had fixes. Woo hoo!)

I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is “whack a code mole”) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues, and so on. This is one of those “full immersion baptism” or “sprinkle water over the forehead” issues – we will allow for different religious traditions and do it OUR way – and others can do it THEIR way. Pax vobiscum.

Question: If you don’t let customers reverse engineer code, they won’t buy anything else from you.
Answer: I actually heard this from a customer. It was ironic because in order for them to buy more products from us (or use a cloud service offering), they’d have to sign – a license agreement! With the same terms that the customer had already admitted violating. “Honey, if you won’t let me cheat on you again, our marriage is through.” “Ah, er, you already violated the ‘forsaking all others’ part of the marriage vow so I think the marriage is already over.”

The better discussion to have with a customer —and I always offer this — is for us to explain what we do to build assurance into our products, including how we use vulnerability finding tools. I want customers to have confidence in our products and services, not just drop a letter on them.

Question: Surely the bad guys and some nations do reverse engineer Oracle’s code and don’t care about your licensing agreement, so why would you try to restrict the behavior of customers with good motives?
Answer: Oracle’s license agreement exists to protect our intellectual property. “Good motives” – and given the errata of third party attempts to scan code the quotation marks are quite apropos – are not an acceptable excuse for violating an agreement willingly entered into. Any more than “but everybody else is cheating on his or her spouse” is an acceptable excuse for violating “forsaking all others” if you said it in front of witnesses.

At this point, I think I am beating a dead – or should I say, decompiled – horse. We ask that customers not reverse engineer our code to find suspected security issues: we have source code, we run tools against the source code (as well as against executable code), it’s actually our job to do that, we don’t need or want a customer or random third party to reverse engineer our code to find security vulnerabilities. And last, but really first, the Oracle license agreement prohibits it. Please don’t go there.

* I suspect at least part of the anger of customers in these back-and-forth discussions is because the customer had already paid a security consultant to do the work. They are angry with us for having been sold a bill of goods by their consultant (where the consultant broke the license agreement).

** The only analogy I can come up with is – my bookshelf. Someone convinced that I had a prurient interest in pornography could look at the titles on my bookshelf, conclude they are salacious, and demand an explanation from me as to why I have a collection of steamy books. For example (these are all real titles on my shelf):

    1. Thunder Below! (“whoo boy, must be hot stuff!”)
    2. Naked Economics (“nude Keynesians!”)***
    3. Inferno (“even hotter stuff!”)
    4. At Dawn We Slept (“you must be exhausted from your, ah, nighttime activities…”)

My response is that I don’t have to explain my book tastes or respond to baseless FUD. (If anybody is interested, the actual book subjects are, in order, 1) the exploits of WWII submarine skipper and Congressional Medal of Honor recipient CAPT Eugene Fluckey, USN, 2) a book on economics, 3) a book about the European theater in WWII and 4) the definitive work concerning the attack on Pearl Harbor.)

*** Absolutely not, I loathe Keynes. There are more extant dodos than actual Keynesian multipliers. Although “dodos” and “true believers in Keynesian multipliers” are interchangeable terms as far as I am concerned.

**** I might be exaggerating here. But maybe not.

#1YearToGo and Brazil Launches Corruption Probe in Olympics Scandal

Members of a local rowing club practice among floating dead fish at the Rodrigo de Freitas Lagoon that will host rowing and canoeing events during Rio 2016 Olympic Games. (Yasuyishi Chiba/AFP/Getty Images)

One of our readers sent in a couple of news tips about how the Brazilian Government is launching a massive investigation into the corruption associated with the 2016 Olympic Games.

Here are a couple of highlights from the main article that caught my attention:

  • Rio’s city government is at times being forced to act like a bank, lending companies money to prevent a slowdown in construction
  • OAS, one of Brazil’s biggest construction firms, filed for bankruptcy protection in March after its credit lines dried up. OAS is part of the group that is behind the very much delayed Deodoro Sports Complex.
  • Mendes Junior SA backed out of a contract to fix the drainage around the Maracana soccer stadium set to host Olympic matches.
  • Rio has admitted it will fail to make good on promises it made in its Olympics bid to improve the sewage system and reduce water pollution in the Guanabara bay by 80 percent.

Forgive me, but the fact that the Rio government is bailing out construction companies is quite concerning. Moreover, it appears the Government itself is also at fault for not paying these construction companies in time for them to complete payroll and pay operational costs. Combine that with the recent discovery of Glanders disease at Rio Olympic sites, and we have a disaster beyond our imagination waiting to happen. Even Glanders is recognized by the Centers for Disease Control as something that could potentially infect humans, despite it normally affecting animals.

What we have here, ladies and gentlemen, is a disease-ridden country, with corruption that has touched all corners of the Rio government to the point that it can’t even pay its own vendors on time. Moreover, it’s these same vendors who are caught in a massive investigation on accusations of bribery and corruption.

We are ONE YEAR AWAY from RIO and we’re just barely dealing with this? I walk away from this article in disbelief that two construction firms are in massive trouble, with one of Brazil’s largest firms about to go under because of the sheer crushing volume of debt and another that has broken contractual agreements (likely because of the lack of payments from the Brazilian government). That’s two construction companies that are likely not operating or assisting in construction.

We also have two sources of infectious disease impacting guests and athletes of the 2016 Olympic Games: contaminated water and sewage in the Guanabara Bay AND now Glanders impacting horses, trainers, vets, and countless others.

The 2016 Olympic Games are becoming a death trap. There are no backup plans for ANY of the venues, and right now, both animal and human lives are at risk.

If I were an athlete, I would say no to Rio. If I were a coach, I would be demanding the IOC move the 2016 Summer Olympic Games right now.

It’s clear that no amount of money thrown at these problems will correct them in a manner that would be safe for both spectators and athletes. The most valuable currency the Rio and Brazilian governments need is time, and it is something they do not have enough of.

It is after all one year until the 2016 Summer Olympic Games.

AP Investigation: Rio’s 2016 Olympic Waters Highly Contaminated

Last week, the Associated Press (AP) published the results of an independent investigation for both viruses and bacteria in the waters surrounding the boating and swimming areas.

The results: According to the AP, “the water is so contaminated with human feces that they risk becoming violently ill and unable to compete in the games”.

In some instances, tests show that there is “1.7 million times the level of what would be considered hazardous in a Southern California beach”. It is essentially “raw sewage”.

In fact, not one water venue was found safe for any water sports, swimming, or boating.

Forgive me, but President Bach, members of the International Olympic Committee (IOC) – We are one year away from the 2016 Olympic Games. Where is your concern for the welfare of athletes? Do athletes need to suffer from massive illness, or even death before the IOC will act and intervene?

These latest results are screaming “move the Olympics”. Brazilian officials are not planning any alternative venues should these venues not be ready. Experts are weighing in that 99% of all athletes who swim in those waters will likely contract something if they ingest just three teaspoons of water.

We are asking for a HUGE black eye for the Olympics where politics and money trump common sense. It will be a massive, huge distraction from the Olympic games should athletes fall ill, or even, die from something that is preventable.

Even Rio Gov. Luiz Fernando Pezao has acknowledged “there’s not going to be time” to finish the cleanup of the bay ahead of the games.

Members of the IOC, it is time to make the judgement call. It is time to put the welfare and health of athletes ahead of all else. Brazil and Rio have had their chance to be on the global stage. They’ve had more than sufficient chance to prepare for the Olympics.

Now it is time for Rio to bow out.

2016 Rio Olympic Games Construction Update

Thanks to one of our readers, who sent us a link to a construction update on the 2016 Olympic Games in Rio as of June 15, 2015. The Daily Mail, granted, while not the most popular piece of journalism out there, did take quite a few photos and videos.

Ideally the Olympic Village should be starting to resemble what was proposed; however, the reality is that after looking at several of the photos and aerial footage taken by the Daily Mail, I’m astounded at how far behind they are.

Alex Riberio for Mail Online. Photo Courtesy of The Daily Mail.

There are additional photos, videos and details available at The Daily Mail. Construction is in complete disarray. Several buildings are really just concrete foundations. There is a complete lack of urgency given that the games are 400 days away and nothing is completed. This is clearly becoming a classic case of “over-promising and under-delivering”. It appears only three of the venues on the map are remotely complete, and that’s just externally.

Even though they have the exteriors of a few facilities complete, they still have to build out each of the stadiums internally. That means plumbing, electrical, heating, ventilation, air and cooling! We are not even factoring in other things such as seating, signage, concessions, and other arena amenities.

According to Wikipedia, there are 34 proposed sporting venues. Of these, 10 do not require any permanent work, 8 require some permanent work, 9 more venues require brand new construction, and there are still 7 temporary venues that need to be worked on.

The writing is on the wall, and it is clear as day that Rio is far behind. The situation is grave, and the 2016 Olympic Games are at risk. The budget risks are swelling to astronomical proportions, and no doubt the International Olympic Committee is wearing rose-colored glasses, thinking and believing everything will still be delivered on time. Construction, project, and budget risks are not being managed.

If what the Daily Mail witnessed is true, the Brazilian Government is in complete disarray and disharmony, not able to work together to bring the 2016 Olympic Games to fruition in Rio.

Rio is so far behind it makes the Athens Games look competent. Can they pull off a Hail Mary like Athens? Doubtful in my opinion, as Greece had full access to existing infrastructure and technical resources in the European Union that enabled it to recover. Remember, they barely delivered all venues on time in the July/August 2004 time frame, literally down to a few days before the Olympic Games. The situation is completely different in Rio, and they may not have the resources or existing infrastructure to accomplish what Greece did.

It is time to select and enact Plan B, International Olympic Committee. It is time to rescind the games from Rio and award it to another city.

A Case for Moving the 2016 Olympic Games to Los Angeles

The 2016 Olympic Games are scheduled to begin in a little over 400 days. That is 400 days to complete venues. 400 days to build infrastructure. 400 days to prepare to invite the world to the 2016 Olympic Games. The sad reality is that Rio is not ready.

In May, Reuters ran a piece on the readiness of Rio:

  • Only 10% of Rio’s 56 Olympic construction, overlay and energy projects are finished. This is in contrast with 80% for the 2012 London Olympic Games.
  • State-run oil company Petrobras is embroiled in a corruption scandal that has implicated several construction firms delivering Olympic projects, adding to the possibility of delays.
  • Deodoro – the second largest cluster of Olympic venues, located west of Rio, where 11 sports including equestrian, BMX biking, and kayaking will take place – is completely unfinished.
  • Deodoro has limited construction going on – mostly scaffolding about two stories high but nothing else.
  • Contracts have yet to be tendered to build the beach volleyball stadium on the sands of Copacabana.
  • Guanabara Bay – where sailing is supposed to be held – is a complete health hazard. The promised cleanup of the bay will not be completed in time.
  • Temporary venues for rugby and mountain biking have not been selected.
  • Power contracts have not been awarded yet. London awarded them 20 months before the London Games began. There are fewer than 14 months left before the Rio Games begin.

Even senior International Olympic Committee official John Coates commented that Rio’s readiness for the Olympics is the “worst I have experienced”.

It is safe to say Rio is nowhere near ready, and we’re getting to a point where we’re nearing a level of incompleteness similar to Sochi.

The Case for Los Angeles

2024 Los Angeles Olympic Bid

Los Angeles last held the Olympics in 1984. Despite the passage of time between 1984 and 2015, many of the venues have since been refurbished, modernized, maintained, or replaced. Unlike the venues of the 2004, 2008, and 2012 Olympic Games, they still exist and are actively being used in one capacity or another.

In fact, Los Angeles may be one of the very few cities that can adequately be ready in the compressed timeframe of a little over a year. With its recent 2024 bid, arguably, 95% of the plans for where sports should be held are complete. There are a few exceptions, as some venues proposed in the 2024 plan are not remotely ready (example: Farmer’s Field).

Proposed 2016 Venues (Adapted from the 2024 Plans)

  1. LA Memorial Coliseum – (Opening Ceremonies, Closing Ceremonies, Track and Field)
  2. LA Convention Center – (Badminton, Gym – Rhythmics, Gym – Trampoline, Table Tennis)
  3. Staples Center – (Volleyball Finals – Indoor, Gymnastic Artistic)
  4. Galen Center – (Basketball)
  5. LA River – (Canoe/Kayak Slalom)
  6. Uytengsu Swim Stadium – (Diving)
  7. Microsoft Theatre aka Nokia Theatre – (Fencing – Finals)
  8. Aquatics Center – (Swimming, Synchronized Swimming)
  9. LA 84 Foundation Swim Stadium – (Water Polo)
  10. Walt Disney Concert Hall – (Taekwondo Finals)
  11. Shrine Auditorium – (Weightlifting)
  12. Drake Stadium – (Archery, Cycling – BMX)
  13. Pauley Pavilion – (Basketball Prelims 2)
  14. Riviera Golf Club – (Golf)
  15. Corsair Stadium – (Field Hockey)
  16. Santa Monica Beach – (Triathlon, Volleyball – Beach)
  17. Velo Sports Center – (Cycling – Track)
  18. StubHub Track Stadium – (Field Hockey)
  19. StubHub Soccer Stadium – (Rugby, Football)
  20. StubHub Tennis Stadium – (Tennis)
  21. Long Beach Marine Stadium – (Canoe/Kayak Sprint, Rowing)
  22. Walter Pyramid – (Handball)
  23. Long Beach Marina/Queen Mary – (Sailing)
  24. Long Beach Arena – (Handball)
  25. Long Beach Convention Center – (Judo, Taekwondo, Wrestling)
  26. Griffith Park – (Cycling – Mountain Bike)
  27. Hollywood Sign – (Cycling – Road)
  28. Santa Anita Park – (Equestrian)
  29. Hollywood Blvd – (Fencing)
  30. Rose Bowl Stadium – (Football Finals and Prelims)
  31. Qualcomm, AT&T, Sam Boyd Stadiums – (Football Prelims 3, 4, & 5)
  32. The Forum – (Volleyball – Indoor)
  33. Fairplex Fairgrounds – (Modern Pentathlon, Shooting)
  34. Rodeo Drive – (Triathlon)

Possible other venues that could be used that were not proposed for 2024:

  • Dodgers Stadium
  • Angels Stadium of Anaheim
  • Honda Center for Basketball or Boxing
  • Anaheim Convention Center (Used in 1984 Olympics)
  • Ontario Convention Center
  • Mount San Antonio College
  • California State Polytechnic University Pomona
  • California State Dominguez Hills (Used in 1984 Olympics)
  • California State Fullerton (Used in 1984 Olympics)
  • East Los Angeles College (Used in 1984 Olympics)

Despite not having Farmer’s Field to host basketball, Los Angeles has a huge amount of additional venues capable of hosting any number of additional sporting events. All these facilities are actively being maintained and used.

If anything, the possibility of being ready in a short amount of time is realistic. The money being invested into Rio could be invested into Los Angeles, building out mass transit for the residents of Los Angeles as a thank you for saving the games.

Let’s face it. Los Angeles is more ready than Rio, and it isn’t even trying. International Olympic Committee, it is time to face the reality that Rio isn’t ready. No amount of money we throw at it will have it ready in time. Let’s save face for the Olympic Games. Let’s move the games to Los Angeles.

Athletes’ health and safety are in jeopardy. The reputation of the Olympic Games is at risk. It is time to accept the fact that we need to execute Plan B, and Los Angeles may be the only real city that wants the Olympics and is ready for the 2016 Olympics.

What’s Next for Rio and us

Chronos and I have been spending a lot of time talking offline, enjoying the wonders and taking in life. Since 2009, we have been authoring the disasters of Internet Brands and vBulletin. Here we are six years later, and it is safe to say things have gone from bad to worse. Needless to say, our voices fell on deaf ears at Internet Brands, and the outcome was less than spectacular (unless you count the spectacular blunder that is called vBulletin 5).

We both have been talking as of late what to do with this blog. We both agreed that walking away from it is not in the best interest as we have a unique opportunity to share our thoughts and some very blunt truths.

We are still intending to blog about vBulletin and how Internet Brands is more like “imitation brands” but we’re taking the unique opportunity to occasionally talk about other upcoming disasters.

We will be blogging in the coming weeks about multiple upcoming disasters, and one of them comes to mind: the Journey to Rio – as in the 2016 Summer Games.

Both Chronos and I are avid sports enthusiasts and we have been appalled at the fact that the International Olympic Committee and the host country have been mismanaging the project. In fact, both of us are once again in a similar spot to where we were six years ago: frustrated at a management team that is completely disconnected from what is happening at the front lines. Both Chronos and I felt it’s time to voice our opinion as there is something more at stake.

The issues and problems facing the Rio Games are so bleak, my heart becomes heavy thinking about all the friends and families of athletes who have to endure and suffer through the 2016 Games due to potentially inadequate, shoddily and hastily constructed facilities.

In fact, the official word from the International Olympic Committee is that there is no backup for Rio. In fact, the only solution they have at this point in time is to throw more money at the Rio games in an effort to get things complete by 2016.

The reality is that money can fix many things, but it won’t fix cultural issues and continuous gross mismanagement. Sochi was a clear indicator of that, and it was a massive spectacle as the 2014 Winter Games started trending on social media as #sochifails.

As we head into the 2016 Summer Games, it appears the sheer volume of #riofail posts is growing, and tensions are rising. The safety and welfare of athletes, coaches, and guests from around the world are in jeopardy. The reputation of the Olympic Games is at stake.

Hard Decisions need to be made. These are no ordinary times. It is time for extraordinary actions and steps to be taken. Politics be damned, there is more at stake than simply the pride of a country. It is the pride of the entire world.
It is time for the International Olympic Committee to rescind the games from Rio and move them to a city that has facilities that can support the summer games. Move the games to Beijing. Move them to Atlanta. Move them to Sydney. Move them to Los Angeles.

Either way, a disaster beyond our imagination is growing in Rio.

vBulletin 5 – Years Later…

Chronos and I have been busy with real life. Sadly, we both gave up on vBulletin. The once iconic forum platform is now a smoldering piece of dung. No one loves being told their baby is ugly. Sadly, ugly is putting it politely.

We cracked open the mailbag curious to see what’s left of the ashes, and we found no phoenix. Only more scathing letters. We’re adding another one from Will this week.

Sharing my Story
By Will D.

So nearly a decade ago I logged into my first vBulletin and helped a friend run a forum. It was slick, it did its job exceptionally well. Around the time vBulletin 4 came out I purchased and configured my first vBulletin forum and ran it for several years without problems. Regular updates went smoothly, bugs were few and far between and in general the product was simply excellent. I’ve since moved on from that community and shut it down, but it was an exceptional experience.

When I started seeing vBulletin 5 Connect advertisements hit my mailbox I checked out the Beta and saw what I expected to be a huge leap forward in the CMS/Forum software. Recently I found myself needing to set up a CMS and Forums for a non profit and wanted something I was relatively familiar with and would be rock solid. Without a thought I advised we purchase vBulletin 5 Connect assuming it would be vBulletin 4’s feature set improved/expanded…
The product having been released for nearly a year, with the current version of 5.0.5, I assumed most of the early adoption pains would be absent, and that I’d be dealing with a rock solid product that was going to make my life easy.
Imagine my disappointment when I find out that two key features, Calendar and CMS were simply left out of the release.  The CMS was expected for 5.1.0… which had a very loose ETA of ‘End of 2013’.  The Calendar isn’t even planned at this point!  I was stunned.
I took a good look and realized I could limp along with their existing features until 5.1.0 released and went ahead setting up my forums.  What I didn’t know is the number of ‘bugs’ I’d run into that would qualify as ‘major’ in my mind that vBulletin support simply accepts as facts of life.
Images have no configuration options in posts… they are supposed to, but it will be fixed in 5.1.1… maybe…
Insert a table and it ignores settings you configure in the UI… it looks fine in the WYSIWYG editor and when you click post goes to the most basic table without any options.  vBulletin support’s answer to this?  They simply say it’s the way CSS and HTML interact and I need to advise users to use the advanced tab and apply formatting that way… yea, good answer.
At present my forums just went live with a small community of users and I’m frankly looking for an alternative that will give me CMS options with a solid Forum backend… once I find this I’ll be buying it out of my own pocket and migrating away from vBulletin forever.