Repost of: “No, You Really Can’t” by Mary Ann Davidson

This is a copy of a recently deleted blog entry by Oracle Chief Security Officer (CSO) Mary Ann Davidson. It was some of the best writing we have seen in quite some time, so we felt it was worthwhile to post a copy on this blog for posterity. A more formal reply will be composed after we stop laughing hysterically.

No, You Really Can’t – by Mary Ann Davidson

I have been doing a lot of writing recently. Some of my writing has been with my sister, with whom I write murder mysteries using the nom-de-plume Maddi Davidson. Recently, we’ve been working on short stories, developing a lot of fun new ideas for dispatching people (literarily speaking, though I think about practical applications occasionally when someone tailgates me).

Writing mysteries is a lot more fun than the other type of writing I’ve been doing. Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. <Insert big sigh here.> This is why I’ve been writing a lot of letters to customers that start with “hi, howzit, aloha” but end with “please comply with your license agreement and stop reverse engineering our code, already.”

I can understand that in a world where it seems almost every day someone else had a data breach and lost umpteen gazillion records to unnamed intruders who may have been working at the behest of a hostile nation-state, people want to go the extra mile to secure their systems. That said, you would think that before gearing up to run that extra mile, customers would already have ensured they’ve identified their critical systems, encrypted sensitive data, applied all relevant patches, be on a supported product release, use tools to ensure configurations are locked down – in short, the usual security hygiene – before they attempt to find zero day vulnerabilities in the products they are using. And in fact, there are a lot of data breaches that would be prevented by doing all that stuff, as unsexy as it is, instead of hyperventilating that the Big Bad Advanced Persistent Threat using a zero-day is out to get me! Whether you are running your own IT show or a cloud provider is running it for you, there are a host of good security practices that are well worth doing.

Even if you want to have reasonable certainty that suppliers take reasonable care in how they build their products – and there is so much more to assurance than running a scanning tool – there are a lot of things a customer can do like, gosh, actually talking to suppliers about their assurance programs or checking certifications for products for which there are Good Housekeeping seals for (or “good code” seals) like Common Criteria certifications or FIPS-140 certifications. Most vendors – at least, most of the large-ish ones I know – have fairly robust assurance programs now (we know this because we all compare notes at conferences). That’s all well and good, is appropriate customer due diligence and stops well short of “hey, I think I will do the vendor’s job for him/her/it and look for problems in source code myself,” even though:

  • A customer can’t analyze the code to see whether there is a control that prevents the attack the scanning tool is screaming about (which is most likely a false positive)
  • A customer can’t produce a patch for the problem – only the vendor can do that
  • A customer is almost certainly violating the license agreement by using a tool that does static analysis (which operates against source code)

I should state at the outset that in some cases I think the customers doing reverse engineering are not always aware of what is happening because the actual work is being done by a consultant, who runs a tool that reverse engineers the code, gets a big fat printout, drops it on the customer, who then sends it to us. Now, I should note that we don’t just accept scan reports as “proof that there is a there, there,” in part because whether you are talking static or dynamic analysis, a scan report is not proof of an actual vulnerability. Often, they are not much more than a pile of steaming … FUD. (That is what I planned on saying all along: FUD.) This is why we require customers to log a service request for each alleged issue (not just hand us a report) and provide a proof of concept (which some tools can generate).

If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, “static analysis of Oracle XXXXXX”), we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf – reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already. (In legalese, of course. The Oracle license agreement has a provision such as: “Customer may not reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code of the Programs…” which we quote in our missive to the customer.) Oh, and we require customers/consultants to destroy the results of such reverse engineering and confirm they have done so.

Why am I bringing this up? The main reason is that, when I see a spike in X, I try to get ahead of it. I don’t want more rounds of “you broke the license agreement,” “no, we didn’t,” yes, you did,” “no, we didn’t.” I’d rather spend my time, and my team’s time, working on helping development improve our code than argue with people about where the license agreement lines are.

Now is a good time to reiterate that I’m not beating people up over this merely because of the license agreement. More like, “I do not need you to analyze the code since we already do that, it’s our job to do that, we are pretty good at it, we can – unlike a third party or a tool – actually analyze the code to determine what’s happening and at any rate most of these tools have a close to 100% false positive rate so please do not waste our time on reporting little green men in our code.” I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying, and mutually-time wasting exercise.

For this reason, I want to explain what Oracle’s purpose is in enforcing our license agreement (as it pertains to reverse engineering) and, in a reasonably precise yet hand-wavy way, explain “where the line is you can’t cross or you will get a strongly-worded letter from us.” Caveat: I am not a lawyer, even if I can use words like stare decisis in random conversations. (Except with my dog, because he only understands Hawaiian, not Latin.) Ergo, when in doubt, refer to your Oracle license agreement, which trumps anything I say herein!

With that in mind, a few FAQ-ish explanations:

Question: What is reverse engineering?
Answer: Generally, our code is shipped in compiled (executable) form (yes, I know that some code is interpreted). Customers get code that runs, not the code “as written.” That is for multiple reasons such as users generally only need to run code, not understand how it all gets put together, and the fact that our source code is highly valuable intellectual property (which is why we have a lot of restrictions on who accesses it and protections around it). The Oracle license agreement limits what you can do with the as-shipped code and that limitation includes the fact that you aren’t allowed to de-compile, dis-assemble, de-obfuscate or otherwise try to get source code back from executable code. There are a few caveats around that prohibition but there isn’t an “out” for “unless you are looking for security vulnerabilities in which case, no problem-o, mon!”

If you are trying to get the code in a different form from the way we shipped it to you – as in, the way we wrote it before we did something to it to get it in the form you are executing, you are probably reverse engineering. Don’t. Just – don’t.

Question: What is Oracle’s policy in regards to the submission of security vulnerabilities (found by tools or not)?
Answer: We require customers to open a service request (one per vulnerability) and provide a test case to verify that the alleged vulnerability is exploitable. The purpose of this policy is to try to weed out the very large number of inaccurate findings by security tools (false positives).

Question: Why are you going after consultants the customer hired? The consultant didn’t sign the license agreement!
Answer: The customer signed the Oracle license agreement, and the consultant hired by the customer is thus bound by the customer’s signed license agreement. Otherwise everyone would hire a consultant to say (legal terms follow) “Nanny, nanny boo boo, big bad consultant can do X even if the customer can’t!”

Question: What does Oracle do if there is an actual security vulnerability?
Answer: I almost hate to answer this question because I want to reiterate that customers Should Not and Must Not reverse engineer our code. However, if there is an actual security vulnerability, we will fix it. We may not like how it was found but we aren’t going to ignore a real problem – that would be a disservice to our customers. We will, however, fix it to protect all our customers, meaning everybody will get the fix at the same time. However, we will not give a customer reporting such an issue (that they found through reverse engineering) a special (one-off) patch for the problem. We will also not provide credit in any advisories we might issue. You can’t really expect us to say “thank you for breaking the license agreement.”

Question: But the tools that decompile products are getting better and easier to use, so reverse engineering will be OK in the future, right?
Answer: Ah, no. The point of our prohibition against reverse engineering is intellectual property protection, not “how can we cleverly prevent customers from finding security vulnerabilities – bwahahahaha – so we never have to fix them – bwahahahaha.” Customers are welcome to use tools that operate on executable code but that do not reverse engineer code. To that point, customers using a third party tool or service offering would be well-served by asking questions of the tool (or tool service) provider as to a) how their tool works and b) whether they perform reverse engineering to “do what they do.” An ounce of discussion is worth a pound of “no we didn’t,” “yes you did,” “didn’t,” “did” arguments. *

Question: “But I hired a really cool code consultant/third party code scanner/whatever. Why won’t mean old Oracle accept my scan results and analyze all 400 pages of the scan report?”
Answer: Hoo-boy. I think I have repeated this so much it should be a song chorus in a really annoying hip hop piece but here goes: Oracle runs static analysis tools ourselves (heck, we make them), many of these goldurn tools are ridiculously inaccurate (sometimes the false positive rate is 100% or close to it), running a tool is nothing, the ability to analyze results is everything, and so on and so forth. We put the burden on customers or their consultants to prove there is a There, There because otherwise, we waste a boatload of time analyzing – nothing** – when we could be spending those resources, say, fixing actual security vulnerabilities.

Question: But one of the issues I found was an actual security vulnerability so that justifies reverse engineering, right?
Answer: Sigh. At the risk of being repetitive, no, it doesn’t, just like you can’t break into a house because someone left a window or door unlocked. I’d like to tell you that we run every tool ever developed against every line of code we ever wrote, but that’s not true. We do require development teams (on premises, cloud and internal development organizations) to use security vulnerability-finding tools, we’ve had a significant uptick in tools usage over the last few years (our metrics show this) and we do track tools usage as part of Oracle Software Security Assurance program. We beat up – I mean, “require” – development teams to use tools because it is very much in our interests (and customers’ interests) to find and fix problems earlier rather than later.

That said, no tool finds everything. No two tools find everything. We don’t claim to find everything. That fact still doesn’t justify a customer reverse engineering our code to attempt to find vulnerabilities, especially when the key to whether a suspected vulnerability is an actual vulnerability is the capability to analyze the actual source code, which – frankly – hardly any third party will be able to do, another reason not to accept random scan reports that resulted from reverse engineering at face value, as if we needed one.

Question: Hey, I’ve got an idea, why not do a bug bounty? Pay third parties to find this stuff!
Answer: <Bigger sigh.> Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers**** to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers. (Small digression: I was busting my buttons today when I found out that a well-known security researcher in a particular area of technology reported a bunch of alleged security issues to us except – we had already found all of them and we were already working on or had fixes. Woo hoo!)

I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is “whack a code mole”) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues, and so on. This is one of those “full immersion baptism” or “sprinkle water over the forehead” issues – we will allow for different religious traditions and do it OUR way – and others can do it THEIR way. Pax vobiscum.

Question: If you don’t let customers reverse engineer code, they won’t buy anything else from you.
Answer: I actually heard this from a customer. It was ironic because in order for them to buy more products from us (or use a cloud service offering), they’d have to sign – a license agreement! With the same terms that the customer had already admitted violating. “Honey, if you won’t let me cheat on you again, our marriage is through.” “Ah, er, you already violated the ‘forsaking all others’ part of the marriage vow so I think the marriage is already over.”

The better discussion to have with a customer —and I always offer this — is for us to explain what we do to build assurance into our products, including how we use vulnerability finding tools. I want customers to have confidence in our products and services, not just drop a letter on them.

Question: Surely the bad guys and some nations do reverse engineer Oracle’s code and don’t care about your licensing agreement, so why would you try to restrict the behavior of customers with good motives?
Answer: Oracle’s license agreement exists to protect our intellectual property. “Good motives” – and given the errata of third party attempts to scan code the quotation marks are quite apropos – are not an acceptable excuse for violating an agreement willingly entered into. Any more than “but everybody else is cheating on his or her spouse” is an acceptable excuse for violating “forsaking all others” if you said it in front of witnesses.

At this point, I think I am beating a dead – or should I say, decompiled – horse. We ask that customers not reverse engineer our code to find suspected security issues: we have source code, we run tools against the source code (as well as against executable code), it’s actually our job to do that, we don’t need or want a customer or random third party to reverse engineer our code to find security vulnerabilities. And last, but really first, the Oracle license agreement prohibits it. Please don’t go there.

* I suspect at least part of the anger of customers in these back-and-forth discussions is because the customer had already paid a security consultant to do the work. They are angry with us for having been sold a bill of goods by their consultant (where the consultant broke the license agreement).

** The only analogy I can come up with is – my bookshelf. Someone convinced that I had a prurient interest in pornography could look at the titles on my bookshelf, conclude they are salacious, and demand an explanation from me as to why I have a collection of steamy books. For example (these are all real titles on my shelf):


    1. Thunder Below! (“whoo boy, must be hot stuff!”)
    2. Naked Economics (“nude Keynesians!”)***
    3. Inferno (“even hotter stuff!”)
    4. At Dawn We Slept (“you must be exhausted from your, ah, nighttime activities…”)

My response is that I don’t have to explain my book tastes or respond to baseless FUD. (If anybody is interested, the actual book subjects are, in order, 1) the exploits of WWII submarine skipper and Congressional Medal of Honor recipient CAPT Eugene Fluckey, USN 2) a book on economics 3) a book about the European theater in WWII and 4) the definitive work concerning the attack on Pearl Harbor.)

*** Absolutely not, I loathe Keynes. There are more extant dodos than actual Keynesian multipliers. Although “dodos” and “true believers in Keynesian multipliers” are interchangeable terms as far as I am concerned.

**** I might be exaggerating here. But maybe not.

vBulletin 5 – Years Later…

Chronos and I have been busy with real life. Sadly, we both gave up on vBulletin. The once iconic forum platform is now a smoldering piece of dung. No one loves being told their baby is ugly. Sadly, ugly is putting it politely.

We cracked open the mailbag curious to see what’s left of the ashes, and we found no phoenix. Only more scathing letters. We’re adding another one from Will this week.


Sharing my Story
By Will D.

So nearly a decade ago I logged into my first vBulletin and helped a friend run a forum.  It was slick, it did its job exceptionally well.  Around the time vBulletin 4 came out I purchased and configured my first vBulletin forum and ran it for several years without problems.  Regular updates went smoothly, bugs were few and far between and in general the product was simply excellent. I’ve since moved on from that community and shut it down, but it was an exceptional experience.

When I started seeing vBulletin 5 Connect advertisements hit my mailbox I checked out the Beta and saw what I expected to be a huge leap forward in the CMS/Forum software.  Recently I found myself needing to set up a CMS and Forums for a non profit and wanted something I was relatively familiar with and would be rock solid.  Without a thought I advised we purchase vBulletin 5 Connect assuming it would be vBulletin 4’s feature set improved/expanded…
The product having been released for nearly a year, with the current version of 5.0.5, I assumed most of the early adoption pains would be absent, and that I’d be dealing with a rock solid product that was going to make my life easy.
Imagine my disappointment when I find out that two key features, Calendar and CMS were simply left out of the release.  The CMS was expected for 5.1.0… which had a very loose ETA of ‘End of 2013’.  The Calendar isn’t even planned at this point!  I was stunned.
I took a good look and realized I could limp along with their existing features until 5.1.0 released and went ahead setting up my forums.  What I didn’t know is the number of ‘bugs’ I’d run into that would qualify as ‘major’ in my mind that vBulletin support simply accepts as facts of life.
Images have no configuration options in posts… they are supposed to, but it will be fixed in 5.1.1… maybe…
Insert a table and it ignores settings you configure in the UI… it looks fine in the WYSIWYG editor and when you click post goes to the most basic table without any options.  vBulletin support’s answer to this?  They simply say it’s the way CSS and HTML interact and I need to advise users to use the advanced tab and apply formatting that way… yea, good answer.
At present my forums just went live with a small community of users and I’m frankly looking for an alternative that will give me CMS options with a solid Forum backend… once I find this I’ll be buying it out of my own pocket and migrating away from vBulletin forever.


vBulletin: Exploits, Bugs, Exposed Customer Data – We’ve got it all!

“The world as we have created it is a process of our thinking. It cannot be changed without changing our thinking.” ― Albert Einstein

Perhaps Internet Brands (IB) could learn a thing or two from this quote by Einstein. In their eyes, things were looking up for them. For a period of nearly three years, IB was in the news for the lawsuit they filed against XenForo. This lawsuit happened to coincide with the first public beta release of XenForo: IB announced the lawsuit one day prior to the XF beta launch and claimed it was a mere coincidence. IB was also accused of bullying XF and its developers Kier Darby and Mike Sullivan, so they received some negative attention for it. After the lawsuit was finally settled in February 2013, IB was hopeful to put this behind them and move on, and was hoping people would essentially forget about the previous events that took place, in fear that it would continue to “tarnish” their reputation.  In the meantime, in the private license holder forum at vBulletin we have vB staff members openly bashing customers, disrespecting them and showing absolutely no professionalism at all towards customers.

The reality is, the great reputation vB once had came only from the strong community and quality development of the old team before Jelsoft was acquired by Internet Brands, and this is when things started to go downhill (in 2009 Kier Darby, Mike Sullivan and Scott MacVicar all left vB/IB).

IB was merely riding the wave of the old development team and the older quality versions of vB, and as expected, once the original core team left, the quality of the product suffered as a result. This brings us to vBulletin 5 Connect. Not only was vB5 released as “gold” lacking many basic features that vB4 had, but the forum software is considered to be a joke by many forum administrators, and even some of the largest forum sites that were previously using vBulletin made the switch to XenForo, ditching vB altogether.

This takes us back to the quote above and the lack of change IB is doing with their thinking. Internet Brands continues to treat their customers so poorly and with such disrespect. The heads at IB made a terrible move by essentially forcing out the old, extremely qualified developers. They followed this bad move by filing a frivolous lawsuit against XF, which only led to increased negative attention and uproar from the community. They ignored any feedback from the community (i.e., their customers) and made a bad situation even worse by releasing the joke of a product that is vBulletin 5… But wait, there’s more! In the latest fiasco, which Veritas covered earlier – a recent breach on which resulted in vBulletin sending out emails urging users to change their passwords – the hacker group claimed they used a zero-day exploit, an exploit for a previously unknown vulnerability, to compromise the server and download the user database. In sum, vBulletin was using a copy of the live database on a test system and “forgot” to patch it to fix this bug. In doing this, they left the door open to these hackers and risked (and exposed) the personal details of us, the customers.
How’s that for quality?

Some free advice for you, Internet Brands: change your thinking, stop disrespecting and ignoring your customers and learn from the mistakes you have made in the past if you want any chance to succeed. Doing otherwise will result in you being a mere footnote in Wikipedia when people are reading about vB vs. XF, since most people will have migrated to XenForo by then.

vBulletin – Not fit for purpose (or use) – By TheDevil666

As a vBulletin user for many many years I just wanted to take the time to say how disappointed and cheated I feel with my recent purchase of vB5.

I run many forums and use vBulletin 4.x, IP Board and Xenforo, for my latest forum which I have invested a lot of time and money into I wanted the latest forum software and decided on vB5. I had not read any reviews which is obviously a mistake on my part and solely went on the fact that up until now vBulletin have been by far the market leader, I was comfortable using it and to be honest vB4 was pretty good, surely vB5 would be an improvement?

So I paid the $399!!! …within a week or so I could see that there were lots of changes and that lots (and I mean lots) of functions literally didn’t work. Now this was a fresh install of vB5 so not an upgrade so the optimal conditions really.

I decided pretty quickly that this software was not fit for purpose and asked for a refund, where I was told that as I had downloaded the software this was not possible and that I could sell the licence to someone else if I wanted, but obviously I wouldn’t get my full money back and who in their right mind would buy it?

As I didn’t have much choice I decided to persevere as I thought the next update would fix a lot of the problems I was having, in all honesty the latest update caused more problems than the initial version and this time when I tried to contact technical support I was literally a few days out of the ‘free month of support’ and told to post on the forum or pay for additional support.

Now to be honest I don’t have much spare time and didn’t want to create multiple threads on the problems I was now having so paid for an extra months support where I could detail all the issues in 1 email, hoping they would be fixed. This was a complete waste of money and time as all they do is direct you to JIRA!!! …and rarely actually fix any of the problems there and then.

My issue with JIRA is I have to spend the time either searching for someone else with the same problem and vote for the issue to be fixed or take the time to explain the problem I am having in multiple new posts hoping someone will also have this issue in order for it to actually be fixed. There is never a quick solution and no guarantee that my problems will ever be fixed.

Wait a minute, didn’t I just pay $399 for this software and an additional $40 odd dollars for support? Why the hell am I having to spend time pointing out all these problems in the hope that someday they will be fixed? Wasn’t this software extensively tested before being released, or is that now my job after spending a fortune on it? vBulletin know of all these problems yet the product is still for sale.

One day when all the bugs are ironed out Vbulletin will have a great platform once again and reap the rewards, but it is at our cost as we are the people having to point all these problems out and struggle by with software that doesn’t work at the moment.

In my opinion this software was released waaaaaay before it should have been, it is nowhere near as good as vB4, IP Board or Xenforo which would have been a start and has endless bugs and issues that should have been fixed before release. Some of the issues literally stop users from using my forum so in my opinion it is not fit for purpose.

Just simple things that should just work, MARK CHANNELS READ button not working, seriously how hard can that be to fix? Site Maps not working, not that that’s an important function, it’s not like Google ask for a Site Map or anything. Errors when members post. No RSS feed, lots of forums like to post out to their twitter feed, not with vB5!!!!

vBulletin should be ashamed of the whole situation and the position they have left myself and many many other people in, I literally feel like I have been ripped off!

I am sure if this post is allowed to stay that I will get the obligatory ‘I am sorry you feel this way’ but that doesn’t fix any of the problems I have had and currently have.

vBulletin 5 – The World’s Most Disappointing Forum Software by BUSA

I made the biggest mistake ever to trust vBulletin. I was using VB 4 with minor issues but having faith in the company, I upgraded to VB 5. It’s been down the road since then. Been a big fan of VBulletin since 2004, but really disappointed with the latest VB 5. I have upgraded to all latest versions of the software (VB5) and all are having some error or the other. So many issues, it’s baffling. If you can’t make a trouble free software, why launch it in the first place?

Even after using the latest version of VB 5, I have following problems –

  1. In-line image addition does not work.
  2. User gets pop up when posting a reply -“You did not answer the question correctly”.
  3. Upload more than 3 images, they won’t show in the post.
  4. Start a new thread and the title changes to the title of the last picture uploaded.
  5. Open (not start but open in a browser) multiple posts and some posts won’t have the comment box below.
  6. and many more..

So thanks to VB5, I have spent so much time, energy and money on it. Needless to say, my web designer has given up after having spent hours (for which I had to pay). I will make sure others don’t face this issue by telling them not to buy VB 5, at least not till the issues are resolved.

Potential vBulletin Exploit (vBulletin 4.1+, vBulletin 5+)

Are you surprised? I’m not. There are more bugs in vBulletin than a roach motel. Can someone please call the exterminator?

It’s rather amusing that Internet Brands does not even know where the vulnerability is in THEIR OWN software. If they can’t even find it when it is pointed out to them, how do you expect Internet Brands to deliver a bug-free product?

Here is the initial security advisory.

A potential exploit vector has been found in the vBulletin 4.1+ and 5+ installation directories. Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches. In order to prevent this issue on your vBulletin sites, it is recommended that you delete the install directory for your installation. The directories that should be deleted are:

4.X – /install/
5.X – /core/install

After deleting these directories your sites can not be affected by the issues that we’re currently investigating.

vBulletin 3.X and pre-4.1 would not be affected by these issues. However if you want the best security precautions, you can delete your install directory as well.

Source: vBulletin
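The advisory boils down to one actionable control: the installer must not be reachable under the document root. Below is an added shell script, written for this post and not code from vBulletin or Internet Brands, that audits a web root for the two installer directories the advisory names (4.x /install/, 5.x /core/install) and, on request, copies each one out of the web root before deleting it. The web-root and backup paths, and the throwaway directory tree it builds for a stand-alone run, are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not vBulletin's own code. Audits a vBulletin web root for the
# installer directories named in the advisory (4.x: /install/, 5.x: /core/install)
# and optionally removes them after copying them out of the web root.

# Print each installer directory that still exists under the given web root.
vb_install_dirs() {
    root="$1"
    for d in "$root/install" "$root/core/install"; do
        if [ -d "$d" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Copy each installer directory found into $2 (a location outside the web
# root), then delete it. Prints the number of directories removed so a caller
# can check the result instead of trusting the output by eye.
vb_remove_install_dirs() {
    root="$1"
    backup="$2"
    removed=0
    mkdir -p "$backup"
    for d in "$root/install" "$root/core/install"; do
        if [ -d "$d" ]; then
            # Keep a copy so the installer can be restored for the next
            # upgrade, then take it out of the reachable document tree.
            stamp=$(date +%Y%m%d%H%M%S)
            cp -R "$d" "$backup/$(basename "$(dirname "$d")")-install-$stamp"
            rm -rf "$d"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Stand-alone demonstration on a constructed tree (assumption: this is a
# throwaway directory, not a real vBulletin install).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/install" "$demo_root/core/install" "$demo_root/core/vb"
echo "Before:"
vb_install_dirs "$demo_root"
echo "Removed: $(vb_remove_install_dirs "$demo_root" "$demo_root.bak")"
echo "After:"
vb_install_dirs "$demo_root"   # prints nothing once both directories are gone
rm -rf "$demo_root" "$demo_root.bak"
```

Run the two functions against the real document root rather than the demo tree, and then confirm from outside the box (for example with `curl -I` against the site's /core/install/ path, hostname assumed) that the installer no longer answers, since a stale copy left by a deployment tool or a second virtual host would not show up in a single filesystem check.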

Why I Left vBulletin & Haven’t Looked Back

vBulletin is a sinking ship at this point. There is nothing that can save it. @BobBrisco has managed to take an industry leader (and I am talking by a huge margin) and royally fuck it up in a spectacular fashion.

I’ve seen a lot of people move from vBulletin to xenForo but they have also gone on to other software such as Invision Power Board. So all I want from you is to reply in the comments below and tell me why you left vBulletin. You can be as detailed as you want. The more information the better. It would be nice if you could tell us when you left to give us a bit of a time line to see when the acceleration really started. It doesn’t even have to be about the current state of the company. If you left during the good ole days, I’d love to hear why you left and where you ended up.

I am mainly looking for people that have converted from vBulletin to another software and not those that just decided to stop hanging out at

My Story

I have been around the forum world since May of 2003. I bought my first hosting package for less than 100 dollars for a year. I don’t even remember the company I bought it from but it was a shared hosting package. There my journey started with phpBB. Fast forward a year or two down the road and I knew I had something good going with my forum. I had a decent member base and we were having fun. phpBB was suffering greatly from security issues. So bad to the point that when a security exploit was revealed it was so easy to exploit it that I was able to do so using the exploit release details. We aren’t talking about complicated exploits but simply appending an SQL statement to a filename in a URL. On top of that I was wanting something a little more professional where updates with new features were happening.

My research led me to only one solution and that was vBulletin. Everyone was using it. It was the talk of the forum town at the time. If you weren’t using vBulletin, you weren’t cool. You know, peer pressure and all that shit. Well I took the bite at the time. I bought a leased license at the time because it was all I could afford. I was in college and working at Dominos part time to pay what bills I had. Still living at home. The typical still growing up phase of life.

I loved it. It was cutting edge at the time. The developers were having fun and the community was vibrant. I happily continued down the vBulletin path until July 4, 2007. What was significant about that date? That was the date that vBulletin went from a software company developing for their customers first to a software company developing for their newly acquired parent company, Internet Brands. Internet Brands, even back in 2007, was a gigantic company. A huge player in the forum world. They owned high value forums such as  They were just beginning their massive spending spree to acquire forums in some of the most lucrative niches available.

I’m not here to tell you that is when I bailed on vBulletin because it isn’t. I was skeptical about the sale but not completely aware of the end goal that Internet Brands was after. I was also 21 at the time and was not really looking toward the future in any aspect of my life. Reading my comments on now makes me cringe. That’s another story though… back to the topic.

Once the takeover was announced the next major release of vBulletin was 3.7. This was not heavily influenced by IB staff but still had some touches of their influence in it. I thought this was a decent release but it was sloppy. It tried to do too much at once with Social Networking and it failed at making it all play together nicely. Concerns were brought up in the forums and we all waited until 3.8 to see if this was fixed so everyone could go on loving vBulletin again.

Then 3.8 came out. This release was 100% Internet Brands influenced as far as features go. This release introduced more social features with Social Groups. It didn’t fix any of the issues of all the other previous social features introduced. User albums? Good luck browsing them. New social group posts? Good luck finding them. New profile posts? Good luck finding them.

It was clear that they weren’t listening to their user base. At the same time it was also becoming clear to me what Internet Brands was doing. At the time I was running my Ford Mustang website, The site was becoming larger and larger and I was now making decent money with it. In 2008 I also became a member of a pretty awesome group that now resides at What I started out doing as fun and for a hobby was now making me money. I was amazed that this could be possible. So the journey started to see what all there was to this new money I was finding. Could I really do this for a living? Was that possible?

I had to look no further than the very company that owned the software I was using to realize just how much money was now being invested in forums.

To go back a bit, used to use an ASP-based software. I had always wanted the domain name because it was so appealing. A top level domain for its niche. Well one day I woke up and opened up and noticed something different at the bottom. The Internet Brands logo. Then I noticed it was no longer an ASP-based board but was running vBulletin now! I was confused and started digging. It took me a few minutes to process that. Then things just started firing in my head. Internet Brands is now the owner of a website that directly competes with me for members. That sucks. They have a pile of money. Wait… oh shit. Internet Brands also happens to own vBulletin software. Fuck. Now this site was running the same software as me and the company had complete control over that software.

That is when things started unraveling for me. I started to realize long before Internet Brands actually fucked up the vBulletin software that Internet Brands was not looking out for my best interest when coding vBulletin. Their entire intention was to buy up the top branded forum software in the world and keep it in their grasp while they built their forum empire.

Bob Brisco is a smart businessman. A completely shitty software company owner but a smart man. He won big at the sake of all the vBulletin customers. He used the money he had with Internet Brands to make smart web property purchases via online forums. He did fail magnificently at running a software company though. He managed to destroy a trusted brand. The sad part is he won’t ever feel the pain of doing that. Only the customers will. Bob will still be floating high in a year or two when the hedge fund that took IB from a public company to a private company breaks apart IB into smaller sections and has a fire sale. So it was at that time I started making plans to move away from vBulletin. I sold my Ford Mustang site to a friend of mine at Social Knowledge last year and along with it went the last site I ever messed with vBulletin with. Any other sites I buy with vBulletin software immediately start the process of being converted to xenForo. Most of the time I don’t even want the licenses. I actually try to sell the licenses to other people before they transfer them to me due to their one transfer policy.

So that is my story and reasoning. I don’t expect you to go into that detail, though I will be kind of impressed to see if Disqus will even allow it!

So if you see me on an admin forum and I don’t have anything nice to say about vBulletin, now you have a little background on why. I prefer to look toward the future now though and that simply doesn’t exist with vBulletin and hasn’t for many years now.

So, what is your story or reasoning?


Originally Posted on

Don’t Buy! vBulletin is not what it used to be..

Internet Brands operates communities for anyone to speak. But more importantly, are they truly listening to their customers and what they are saying?

vBulletin was a great product 3-4 years ago but it’s filled with bugs and dated code now. The current version “vBulletin 5” really just needs to be completely rewritten. There are literally hundreds of reported bugs that the developers know about as well as major missing functions from the vBulletin 4 series like the CMS. This was pushed hard in the vBulletin 4 sales days as the more expensive vBulletin Suite package. I have around 100 active clients right now that all run vBulletin 3 or 4. I’ve had a few that have been interested in upgrading so we’ll set up a development site. I put countless hours into upgrading vBulletin 3 or 4 to the current version vBulletin suggests (5.x) and then I let them play with it for a week or two. I’ve yet to get any positive feedback; it’s too slow, error messages all over the place and missing integral functions from previous versions.
It’s sad really; vBulletin was once a flagship company, but that all left in late 2009 when it was bought out by Internet Brands. The lead developers got fired or left within a few months and there has been a LOT of turnover since then as far as project managers and those in charge of development.

If you have money to blow and want to see what $300 will get you, go for it. If you want to do a little research on forums other than (unlicensed members don’t see the feedback forum) you’ll see that there are a lot of longtime forum owners out there that have tried to switch to vBulletin 5 because the promo emails were saying it’s so great and then realized it was a complete disaster. You see large threads from the members complaining about browser issues, slow load time and missing functions that they had been used to.

If you read this a year from now then it may have given vBulletin enough time to fix everything and it may be a stable product, that’s what happened with vBulletin 4. Sales were pushed hard (just like vb5) and the script was sold as gold, about 18 months before it was ready. The difference this time is it’s the public’s job to report bugs in the software. You have to use the Jira ticketing system which is complicated for the average Joe to figure out. You’re actually paying $300 for a basic forum script, and then you have to spend your time reporting all the bugs while your forum runs at a crawl.. go figure.

Originally posted at

The vBulletin 5 Fiasco

Some of the latest testimonials about vBulletin 5 from license holders. Summary, do not buy!

You may have noticed today (August 8th) we attempted to give you users some much wanted change to the forums. What better way than to get you guys the latest and greatest: vBulletin 5!

Boy was I wrong. After purchasing and then slaving away at getting it up and running (it took me 8 straight hours through the night to get it up) all it did was give us troubles. vBulletin 5 is so poorly coded that we were forced to revert back to the current forum you’re on this very moment.

I wanted it to work, I truly did. However the staff and I decided that it was just impossible. vBulletin 5 is riddled with bugs and poor coding, everywhere we looked there was something going wrong or something missing, it was truly horrific. I was genuinely upset that I put the forum in this position, I felt like I was screwing everyone over even though at my heart I was trying to just give some change.

But we’re back! And I managed to keep the damage to a minimum. All we lost was essentially a couple of posts from the vBulletin 5 version of the site, which were basically all complaints anyway.

If something is wrong with your account please let me know as soon as possible, I’m pretty sure I recovered everything correctly but, as we learned with vb5, you just never know what’s going to happen.

Thanks for sticking through it, and hey! Modio was only down for like 10 minutes anyway, so that’s a plus!



vBulletin 5.0 – It’s Crap.

Have you tried using vBulletin 5? It’s the worst written piece of crap I have ever seen in my life.

I have seen my fair share of poorly written applications in my lifetime, but this by far is the worst I’ve seen. This blunder makes vBulletin 4.0 look extremely well thought out. I would rather recommend an open source application that’s bug infested over vBulletin 5.

To name a few small problems:

  • Performance – What the hell is going on? It’s slower than molasses. It is so slow even Internet Brands’s very own vBulletin staff have started complaining that the performance is pathetic.
  • Comments – Were the idiots even thinking when they implemented this? It is a black plague to communities. It will disrupt and destroy communities. It is also one of the worst possible implemented posts.
  • Bugs – vBulletin 5 is worse than an infestation of bed bugs.

Don’t buy it. Save your money. Save your pain. Save your frustration. Save your headaches.

If you wanted your money back, you could not get it back. People learned the hard way. Don’t let this happen to you.


vBulletin 5 is crap. Pure Utter Crap.