vBulletin: Exploits, Bugs, Exposed Customer Data – We’ve got it all!

“The world as we have created it is a process of our thinking. It cannot be changed without changing our thinking.” ― Albert Einstein

Perhaps Internet Brands (IB) could learn a thing or two from this quote by Einstein. In their eyes, things were looking up for them. For a period of nearly three years, IB was in the news for the lawsuit they filed against XenForo. This lawsuit happened to coincide first public beta release of XenForo as IB announced the lawsuit one day prior to XF beta launch and claimed it was a mere coincidence. IB was also accused of bullying XF and its developers Kier Darby and Mike Sullivan so they received some negative attention for it. After the lawsuit was finally settled in February 2013, IB was hopeful to put this behind them and move on, and was hoping people would essentially forget about the previous events that took place in fear that it would continue to “tarnish” their reputation.  In the mean time in the private license holder forum at vBulletin we have vB staff members openly bashing customers, disrespecting them and showing absolutely no professionalism at all towards customers.

The reality is, the great reputation vB once had only came due to the strong community and quality development of the old team before Jelsoft was acquired by Internet Brands, and this is when things started to go downhill (in 2009 Kier Darby, Mike Sullivan and Scott MacVicar all left vB/IB)

IB was merely riding the wave of the old development team and the older quality versions of vB and as expected once the original core team left, the quality of the product suffered as a result: This brings us to vBulletin 5 Connect. Not only was vB5 released as “gold” lacking many basic features that vB4 had but the forum software is considered to be a joke by many forum administrators and even some of the largest forum sites that were previously using vBulletin made the switch to XenForo ditching vB all together.

This takes us back to the quote above and the lack of change IB is doing with their thinking. Internet Brands continues to treat their customers so poorly and with such disrespect. The heads at IB made a terrible move by essentially forcing out the old, extremely qualified developers. They followed this bad move by filing a frivolous lawsuit against XF which only lead to increased negative attention and uproar from the community. They ignored any feedback from the community (i.e., their customers) and made a bad situation even worse by releasing the joke of a software that is vBulletin 5…But wait there’s more! In the latest fiasco which Veritas covered earlier – a recent breach on vBulletin.com which resulted in vBulletin sending out emails urging users to change their passwords because of this hack. The hacker group claimed they used a zero-day exploit, an exploit for a previously unknown vulnerability in order to compromise the vBulletin.com server and download the user database. In sum, vBulletin was using a copy of the live database on a test system and “forgot” to patch it to fix this bug. In doing this, they left the door open to these hackers and risked (and exposed) the personal details of us, the customers.
How’s that for quality?

Some free advice for you Internet Brands: change your thinking, stop disrespecting and ignoring your customers and learn from the mistakes you have made from the past if you want any chance to succeed. Doing otherwise will result you being a mere footnote in Wikipedia when people are reading about vB vs. XF since most people will have migrated to XenForo by then.

vBulletin Staff – Behind the Curtains

First, let me start by saying a big thank you to Internet Brands, and the staff at vBulletin. Thank you for not making me regret my decision to ditch vBulletin, for the far superior XenForo. Thank you for continuing in the downwards spiral that you have been going in, one which will ultimately lead to your demise.

It has been some time since I last visited vBulletin forums. Still having an active vBulletin license, I do like to frequent the forums time to time to read about the latest happenings, but in truth mostly to get a good chuckle out of the mess vBulletin has become. Recently, I was browsing the “Licensed Customer Feedback” forum and a thread caught my attention and actually shocked me. This forum is a private forum only accessible to current licensed members of vBulletin, and is not visible to the public, which is most certainly a good thing for Internet Brands because it allows them to hide and censor the reality of the debacle that is now vBulletin.

Recently, a new staff member joined the team – Lawrence Cole. Here I was thinking it couldn’t possibly get any worse for vB, then they surprise me yet again by hiring this 34 year old man who behaves like a child. Having read many of his posts in the private forums, it was apparent that he is completely unprofessional and has no respect for the customers. He engages to cheap tactics and resorts to name calling, belittling and being all out rude to customers. His excuse and justification was essentially (paraphrasing) “if you attack me, I’ll attack you” I think he fails to understand that he is a staff member, one who should be focusing on CSR and not engaging in picking fights with customers. Do any of the other staff members come in to support the customers? No why would they actually care about concerns have, instead they let the thread, and bashing by the staff member continue, until he decides to close the thread.

Don’t take my word for it, have a look at what happens behind the closed doors, if only the public knew just how bad it was in this private forum.

In sum, there is no excuse for someone in his position to behaving this way towards paying customers. Even if other customers were “attacking” him, the solution is not to retaliate in this manner, as a customer I would expect them to approach it in a professional, courteous matter…then again this is vBulletin and it seems that shipped sailed long ago.

Internet Brands, enjoy the customers you have, it’s only a matter of time before the remaining ones you have follow the rest of us and move on from vBulletin to bigger and better things. The primary reason you are even able to get new customers is because you censor any signs of conflict in the public forums, and allow it to go in in the private forums that new members (and potentially new customers) have no knowledge of. This ruse is a temporary solution, and since you will do nothing for an actual solution, it will be just that – temporary. Enjoy it while it lasts.

vBulletin v. XenForo (Case #2)

As many of you have read by now, there is a second lawsuit filed against XenForo (XF) by Jelsoft Enterprises and vBulletin Solutions (vBSI)

Case Number: CV10-8209-R
vBulletin Solutions, Inc. v. XenForo Limited

Complaints For:
1. Copyright infringement
2. Declaratory relief over ownership of software
3. Misappropriation of trade secrets
4. Intentional interference with prospective economic advantage
5. Breach of contract
6. Breach of duty of loyalty

First, let me make it clear that I am no legal expert. I have very limited experience with the technicalities of law so this is intended as mere feedback and commentary from reading the filing and is not meant to be anymore then that.

Veritas and I had a chance to read through the 44 pages of the filing and wanted to share some of our initial thoughts on it, and this case against XF and Kier, who used to work for Jelsoft.

Upon the first reading the filing, I have concluded that the majority of the filing is based on nothing but pure speculation. There is no factual basis for any of the six claims made but instead the claims are mere assumptions by vBulletin Solutions Inc.

Factual Background:
vBSI first acknowledges that Kier Darby was hired as the lead developer of Jelsoft products who “had unfettered access to over $100 million of VSBI assets” (6) and access to proprietary information which was located at the vBSI which Kier often frequented for meetings. Although this part does not come as surprise and we would expect the lead developer of vBulletin to have access to such information to perform his duties, this is the basis of the argument presented by vBSI which will be discussed further. Along with this, vBSI contends that because Kier “repeatedly complained about the new ownership and management” (7) they knew he was going to leave the company to pursue his own goals in establishing a new competing product. vBSI then goes on to accuse Kier of having convinced current and former employees of Jelsoft to collect confidential information, while having kept proprietary information himself – All of this is based on the word of a representative from vBSI HR department because apparently her opinion which I’m sure is very objective and not at all biased is good enough for them.

“Software of the kind released by XL generally takes several years to develop. Based in part on the speed in which XenForo product was released–slightly more then a year and a half after Darby and Sullivan left vBSI–vBSI is informed and believes, and on that basis alleges, that Darby retained Jelsoft’s and vBSI’s proprietary materials obtained during his employment by Jelsoft pertaining to existing and future versions of vBulletin, and used said materials to commence commercial planning and technical development of the XenForo software product prior to his resignation from Jelsoft.” (10)

This part stood out for me – To me, this reads as more speculation and no actual proof. vBSI is essentially contending that, due to the speediness of the development of XF, they must have stole the code and took advantage while they had the opportunity to access vBSI proprietary information. They claim that they were “informed” about this but I have yet to see any actual proof of it. They also proceed to drag Scott Molinari into this in the next section “Moreover, based on knowledge obtained while Darby and Sullivan were employed by Jelsoft, defendants contacted Scott Molinari, the principal of one of vBulletin’s exclusive distributors” – Once again, I am curious about this “knowledge” and “information” they are referring to which they conveniently don’t explain in further detail. Are we to take their word at face value about this? Is vBSI forgetting that XF is headed by the world renowned developer Kier and Mike, both of who have had extensive experience developing software?

First Claim:
In the first claim, vBSI accuses XF of copyright infringement.

“Defendants have reproduced, created derivative works from, distributed, and otherwise infringed upon vBSI’s protected works without vBSI’s authorization.” (11)

In this unfounded claim, I found no basis and the only argument being that the software created by XF is similar to vBulletin in the sense that each serves a similar purpose – community/forum software, that’s it. There is no evidence about similar/identical code being used by XF so using this logic the multiple other forum software available is also in violation of copyright infringement.

Second Claim:
In this second claim, vBSI argues that Kier “misused Jelsoft property and resources for his benefit and the benefit if XL by, among other things, creating source code that is now used for XenForo but which belongs exclusively to vBSI as the successor and assignee of Jelsoft’s intellectual property.” (12)

What I gather from this, is that the lead developer of vBulletin isn’t allowed to work on the software he was hired to work on, without the assumption that he was in fact working on a competing product, so now, the work he did and the source code which is apparently in XenForo (yet again without any proof) actually belongs to vBSI?

Third Claim:
In the third claim, vBSI claims that Kier misused trade secrets which he learned at vBSI in order to advance his competing product at XF. It is a well known fact that employees of the company have access to these “trade secrets” and access to propriety, confidential software which they use while at said employer, but what proof is there that these trade secrets were “taken with blatant disregard of Jelsoft and vBSI’s rights” (14) and were then used at XF? Is one supposed to pretend they no longer posses skills once they leave one employer for another?

Fourth Claim:
vBSI now claims that because they have such a large consumer base who has a vBulletin license, current and new prospective members were discouraged to stay current vB customers due to the interference by XF. vBSI disregards and fails to mention that an extremely large base of their customers were upset with the recent licensing fiasco that took place with vBulletin 4x and the overall direction the company was taking with the new management. They fail to mention that the Licensed Customer Feedback forum is filled with thousands of posts from unhappy clients who constantly express their concerns and frustrations over vBulletin, they fail to mention that customers are unhappy about the unstable, bug filled version of vBulletin 4x released prematurely and rushed compared to the version released by the old vBulletin team with Kier and company. Instead they want us to focus on how they potentially lost clients because of XF, but not because of their own stupidity and the fact that they kept digging themselves a deeper hole. They failed to mention that they lost a number of clients to Invision, well before the inception of XF but instead want to direct all the attention to the new competition which rightfully will take away their customers, but will do so for the right reasons – due to the fact that XenForo is a far superior product.

Fifth Claim:
Next we have breach of contract against Kier. vBSI claims once again that Kier provided trade secrets to XF and its employees in order to get a competitive advantage and Kier’s apparent refusal to hand back trade secrets belonging to vBSI – All of this yet again based on the word of the HR rep working for vBSI. Exactly what information was it that Kier had which he refused to turn in? How are we to know for certain that this was indeed a trade secret and not something belonging to Kier himself? Oh yes, we shouldn’t question the word of the HR rep I suppose and just accept the blanket statement as is.

Sixth Claim:
The final claim made by vBSI is breach of duty of loyalty.
Here they claim that Kier did not have the company’s interest in mind while working for them. Apparently their crystal ball was able to read his mind and know precisely what he was thinking at every given time in the day. vBSI also claims that Darby was “developing and creating XenForo software while employed by Jelsoft” (16) Was Kier “caught in the act” working on XF when he was employed at vBSI? What proof is there that he was working on XF while employed at vBSI other then the previous assumptions, which say that the software was made too soon? Or are we to yet again just take these claims at face value?

I find it ironic, and curious at the same time that the first lawsuit in UK was filed and made public the first day XF went on sale. It’s quite obvious this was to deter sales and used as a scare tactic by vBSI.

Clearly vBSI thinks they have a better chance here in the US compared to the UK courts, hence this second filing, but I see it as a continuation of the scare tactic they first used. Upon reading this filing, I have yet to see any actual evidence of wrongdoing by XF and instead we are just presented with multiple assumptions and mere speculation. Perhaps vBSI is shocked that Kier and company are able to develop a superior product so quickly, which in its beta stage is even more stable then vBulletin 4x. Perhaps they are continuing to do their absolute best, in this last ditch effort to survive since they know they will only continue to lose customers after this pathetic feeble attempt and this frivolous lawsuit – time will tell, but in the meantime, Veritas and I will continue to follow it and post our followups.

More vBulletin Security Flaws – Yes Please, May I Have Another?

As many are now aware, a recent security flaw was discovered in vBulletin 3.8.6 which could potentially allow a hacker to gain crucial information such as the MySQL username and password. Although Internet Brands was quick to release a patch and fix this issue, the question still stands – How did this happen?

No doubt the die-hard IB fans will say it’s perfectly normal and expected that software have some bugs, as it’s part of the process, and I agree with this to a point, but to have a flaw as big as this is completely unacceptable. We’re not talking about a minor bug, we are talking about extremely critical administrator information being potentially exposed to anyone in a few simple steps to take advantage of this flaw. How does this make it past QA, and if they are missing flaws this extreme, what else lies beneath that we have yet to discover? With vBulletin 3 being as mature as it is, should we not have higher expectations, or is that asking too much?

Bravo, you have really outdone yourself this time Internet Brands.

What do the rest of you think? Is this something that’s acceptable or are we blowing this out of proportion?

vBulletin 4x – We Want More – ASAP!?

vBulletin 4x – We Want More – ASAP!? Or do we?

Let’s take a look back and do a quick review.

First we get the release of vBulletin 4.0 Gold. This build of vB 4.0.0 is plagued with bugs and known issues, yet it’s still released. Then we get vB 4.0.0 PL1, which is a release patch to fix a newly discovered exploit. This takes us to vB 4.0.1, which is a “maintenance release” that fixed 200+ bugs.
Finally, this brings us to 4.0.2, which was supposed to have been released February 4th, 2010 (now delayed).

The mentality used by IB is amusing, but not at all surprising. Instead of focusing on releasing a solid, stable build, they are merely pumping out versions as quickly as they can, and releasing them prematurely, even when they are clearly not ready to be deployed due to known bugs.

Only now with the delay of the 4.0.2 release have they actually held off releasing it to provide a more “quality” build. Maybe they finally learned their lesson that quality > quantity? We’ll soon find out.

@IB, you disappoint me, yet again. Dare I say, we told you so?
I would highly suggest you take a page out of the old vB team and focus on building a quality product. The old Jelsoft actually valued and knew the importance of releasing a solid build instead of just releasing as many, and bug filled versions as they could.

A Look Back: Then and Now

It was in May 2009 when the world first became aware of the infamous vBulletin 4 leak. Forums and blogs all over the Internet had screenshots posted for the upcoming plans for vBulletin 4. This extensive thread contained future plans in terms of pricing, licensing changes, changes to support, the process of beta testing, and so on.
Let’s take a look at some of the proposed changes and what ended up happening.

The pricing changes that were brought up in the thread ended up happening.
vB4.0 Publishing Suite – New license: $285, Upgrade: $250
vB4.0 Forum Classic – New License: $195, Upgrade: “Free”.

Note, that I am intentionally leaving out the discounted “pre-order” prices, since there was no mention of these in the leaked thread.

Also keep in mind, the pricing above is for vB 4x. Upgrading to vB 5x will be an additional fee (notice a pattern here?) which has not yet been determined.

The change to support – These changes also ended up happening.
Although customers get access through the forums, the Forum Classic customers only get access through the support system for 30 days and they will be forced to pay extra if they need additional support through a ticket.

One major reason people chose vBulletin is because of the affordable prices in the past, and the excellent support that was offered through tickets and the forum, yet once again, IB is taking something that worked well, and engaging in price gouging, because they know they can by charging extra for the software itself and for support tickets.

Beta Testing:
In the past, when the times were good and we had original development team, open beta testing was something of the norm. This was important because it gave members to try out the software so they could get a head start on getting their communities ready. It was also important because members of the modding and skinning community were able to play with the software to prepare their products for the new version of vBulletin. All of this changed however with IB and the new development team. Beta access to vB4 was only given to a select handful of customers. Later after much controversy they decided to give members who pre-ordered it a chance to try the beta as well, but only because they were forced to, because of all negative attention, and this was a feeble attempt to “give back” to the community.

News of this leak caused an upheaval. Most people were furious to hear about some of these planned changes. When the topic was brought up on the forums, it resulted in nothing but closed threads and IB simply ignored the subject, telling us to wait for “official word”.

In the leaked screenshots, Steve clearly states that if the situation is not handled correctly, it could cause a “negative impact” and he pretty much nailed it – yet even with this, they failed to transition correctly and failed to handle the situation accordingly. The last line regarding the customer issue is what makes this whole situation ironic: “If we want loyalty from our customers, then we should be loyal to them in return”.

IB had a chance to try and reassure their customers but failed to do so. People grew more and more frustrated and IB turning their heads in the opposite direction, continually ignoring the subject only added to this frustration. IB should have taken what they learned from the original leak to make changes, improve and do everything in their power to assure the community but they failed to do so.

Censorship Part Deux

In our previous entry, Veritas went over the topic of censorship. Basically, the vBulletin staff felt it was necessary to enact more “strict” methods of moderation. They first started slow by simply closing threads, then after this didn’t quite work, they started to actually delete threads or move them into private forums, not accessible by the public.
If that wasn’t bad enough, they have now resorted to permanently banning users. Yes, the very same clients who helped vB become what is today are now finding their accounts are banned for simply speaking about vBulletin in a “bad” way, that is, nearly any comment that is negative. Here we have a number customers who are simply trying to get answers, and others who express concern in the direction vB is heading in, and

Clearly these actions are drawing much attention to IB/vB, but it’s probably not the attention they want. It seems more and more sites and blogs are appearing online for people to use as a medium to express their concerns, since they obviously can’t do it at the official vBulletin site without their comments/concerns being censored, but don’t take our word for it – even The Register has caught on to it in their latest story.

What are your thoughts? Were any of you given a warning, or have had your thread closed/deleted, or even worse, been banned for speaking out?