Thanks for posting illluck. I was thinking about becoming a founder of kaya.gs, it looks an interesting project. I'd rather not, even more after reading yesterday the PR onslaught on the avenger controller PR-guy.

Security by obscurity in very-late-2011? Seriously? And what do we do when all our emails (possibly also Facebook, Twitter, paypal and more information) are compromised because the server was broken because "you knew about the SSH patch but thought it was not that important/known"?

_________________
Geek of all trades, master of none: the motto for my blog mostlymaths.net

Illuck made nothing public that wasn't already obvious, and the tone of Gabriel's responses is extremely disappointing to this "founder" and probably more damaging to kaya.gs than anything anyone else could say.

_________________
Go? It's like sharing two bowls of cookies, but one person gets all of them.

I don't give a crap about the security of the alpha test (although it's sort of bizarre that Kaya wouldn't just email out registration links where you can set your password and be done with it) nor do I really care what anyone says in a chatroom, but when I read this PM excerpt

"I dont really take your post seriously, but i know other people might. Just in case that you really intended to put ur 2 cents and not just negatively blabbering about something, i must say that the greatest "security concern" to ever happen at Kaya.gs was you, by publicizing things that might want other users try to break things up, or panic."

it made me wish I could withdraw the donation I made earlier this year. Just some feedback on customer relations.

Another founder here, but still happy to be one. Perhaps I'm naive but I thought the risk from someone knowing my email address was largely limited to getting rude emails. And the login issue could let someone login to kaya.gs as me. Period. So he let off steam and wrote an email whilst angry, which wasnt intended for public forums and shouldn't really be posted here IMO. I'm happy to wait and see how kaya.gs shapes up rather than jump to assumptions. Happy to have my donation as a donation. If kaya.gs were 100% finished it wouldn't be alpha. No offence intended to anyone.

_________________
I am John. John-I-Am.

I will answer the other people that are concerned about this issue.



First of all RBerenguel, take let's take a step back and look at the situation as a whole. Kaya.gs Alpha had no security breach because it had no sensitive information. How things were handle was known for all users right from the start, because it was of public domain. illuck's post doesnt not reveal any information founders didnt know right from the start, which is why people that considered their email sensitive, sent apersonal email to me, instead of putting it in the server.

There is no security issue in kaya because we do NOT store passwords and certainly not any other kind of sensitive information. That is not how a basic security system works.
If we were to handle such, we would take the proper cautionary precautions as i did as soon as i saw fit that a user had intentions of posing other users for his own content, which is what happened.


I am sorry that you perceive something so negative about that private message i sent to Illuck. It might be lost in translation ,but even re-reading it after a good night sleep, the point still stands. He made an aggressive post, that showed me he had intentions of impersonating other users, which is why i promptly (in the next 2 hours) i put up the passwords, which were already implemented well from before, but i needed to be able to send them to as most founders that i could.

Regarding the chat in the server, it is taken quite out of context, as several founders know i even jokingly call dp such when something has to be done on the design/board functionality.

I am sorry i have made you or anyone else that supports this project upset at this event. I will be more carefuly with my wording in the future.

Just take into account the facts, as how someone made a very agressive post in a very bad tone:
-I responded both publicly (explaining and determining a course of action) in a polite manner,
-I responded privately (telling him what is the proper procedure if security concerns are really legitimate).
-I reacted to the situation by promptly fixing it.
-Right from the appearence of the post, i told all founders that were in the server and was completely open about the issue, the process of the solution and the outcome as they were being developed. Let me add that this "illuck's issue" was discussed and talked over many times inside the server with the founders and had founderst shown or expressed any concern from it, i would have finished it before.

The only reason why i delayed it was the bureacracy of matching emails with the paypal donations.

I have no intentions of responding to Illuck's posts as they are obviously meant to be inflammatory, which is why my private message was sterile. He has done things with ill intentions , including publicizing private messages and impersonating a founder. I also understand that the standard for me is higher than him, as i have more responsibilities, which is why i repeat, im sorry of this dissapointment for you (or any other founder that might feel the same) and i will be more careful in the future in the way i communicate with hostile and ill-intended users.

I stand by the message now public message, that illucks concerns are not shared by my own. But as it is usual in human behaviour, if someone says its serious, others can believe it even though its not. I was not demeaning the concern of adding passwords, i was stating that the message he originally posted made the "problem" much much worse, by showing that at least one user(himself) had intentions to log in as another founder, and inciting others to do so by providing the means comfortable through links to all the informatino.

Maybe i perceive a tone of agressiveness from this posts that other users don't, but they are certainly meant for that.
I did learn a lesson from this, and that holding this project raises my profile and some people can be tempted into damaging my image or worse, the projects image. I promess i will make an effort to keep such opportunities to the minimum.

I hope you feel better about this whole matter after reading this post, cata.




Except he has a name i dont know, or he really didnt want me to know he was a founder, he isn't one. illuck has no relation whatsoever to the Kaya.gs project ,other than his curiosity. He is not a customer or a user, he is just someone that read the blog and blew public information out of proportion.
You can talk to any founder in the server and ask them how i have been treating them, and i assure you they will tell you that i've done everything in my power to be of assistance.



Just in case im totally wrong about him, i invite him to continue a private conversation, were all the details can be discussed and ironed out, and later on we can post a public message in mutual agreement with our conclusions of the whole ordeal.

_________________
Founder of Kaya.gs

Thanks for the clarification. I like that you addressed the issue so quickly -- actions speak loudest. I guess we just have a difference of opinion about illluck's intent. I disagree that his (original) post was meant to be inflammatory, aggressive, or threatening; maybe it's just an Internet culture thing.

Here's hoping things are calmer in the future.

In general, it is polite to inform a company privately of security issues before making it public. It's, of course optional, but a courtesy that one can make if they are truly interested in the security of a particular system.

_________________
it's be happy, not achieve happiness

On the other hand, perhaps making it public has succeeded in increasing the care the kaya developers will take in the future.

Why is this necessary if they respond to private messages.

Punishment? You can't always expect the first person to find a weakness to be the reporting kind. But it still looks like kaya will have your average website security, so there's nothing to worry about too much here.

punishment for what? not securing unclassified information that belongs to Kaya. That doesn't make much sense.

What about their privacy policy? Anyway, I'm not looking for a debate. Private is still generally better.

I'm not saying you aren't generally correct, but in light of the following I'd say that making the issue public was the proper course of action to have it redressed.

So, as illluck suspected, had he merely sent a private message he would, most likely, have only been asked to remain quiet about it, and the problem would have not been fixed.

And I am sorry to bring this up again, but this is similar to the whole "name" thing that I (and myself alone it would seem) have a problem with. If it (name confusion with KGS, security) truly becomes an issue then the solution will come too late; so Kaya.gs should be proactive with security issues, and this does not set a good precedent. This is the point illluck was making, I think.

Let's not be coy. The name confusion with KGS is intentional.

It was pointed out many times at the beginning of the project, and the reaction was "I already bought the domain."

You have no reason to believe that would have been the case, and the history of the project proves totally otherwise in every single case. Had illuck sent me that exact post as a private message, i would have done the same thing.
I wasnt a security issue, its was an authenticity issue. And it became urgent when it was known that someone was going to abuse it.
Some people in the Alpha even had logged on as me when we talked about it , days before illucks post.

In the past week since release, Kaya changed almost everything users asked for that was possible within the time-frame, from bugs to details. From blog posts to my communication accessibility(anyone can contact me at any time, and i have answered almost always VERY quickly) i have rarely let someone without an answer for more than 24hs. This very thread is an example of me answering pretty much any question or concern, and always doing so in a very timely manner.

Let's not escalate the conversation. You can like or dislike Kaya. Its not reasonable for me to expect everyone to like it or to become a fan and less so at this stage, where many people that have an opinion on it have not seen the server functioning. By the "same rule", dont expect to like everything we do or happens.
We make our decisions with the users as our number #1 priority and thats why we have such an open Feedback section. If there is something you would like Kaya.gs to change, you can propose it there even if you are not an actual user of it, and other users will vote on it if they like it. Then we choose on what we can do, or makes sense to do, and everytime providing an explanation.



When this matter become a conversation in this very thread, I was very flexible and gave a very clear condition for us to change the name from Kaya.gs to Kaya: that people vote on it.
https://kaya.uservoice.com/forums/130479-ideas-and-suggestions-for-kaya/suggestions/2226710-call-the-project-simply-kaya-

I closed it down on December 7, when we started to design the prizes for the Meijin donors to not cause an issue with sending them outdated material.

It received 8 votes in total from 4 people. That is 8%(4/64) of this months active users, or 2%(4/195) of the users since the feedback site creation . It has over 45 ideas above it being discussed, some of them having 8 times the number of votes.

To add a last thing to this matter, you can call this project kaya as 95% of the people do on a daily basis, including me and Pato. As much as KGS is a short(or used to be) for "Kiseido Go Server" Kaya is a short for Kaya.gs.
It is true the people that dislike that similarity, dislike it very much. I gave a way for us to change our minds on the name. Look a way for you to accept that Kaya.gs is just fine, and its not going to cause issues for KGS o Kaya, which there is no reason to.

Both at that matter as much as this, im totally open to dialogue and im very open minded. If i truly believe a different course of action will benefit end users, i will do it. If illucks intention were innocent and well-intended, he can always clarify that with me as he could when i sent him the private message , and as he can do now by sending me one.

_________________
Founder of Kaya.gs

Just commenting on one point: If you're asked to stay silent, that doesn't force you to stay silent, right? You can tell them, see if they do the right thing, and then go public if they don't.

_________________
Occupy Babel!

Too much paranoia hurts. If you have serious problem with Kaya how can you handle things like Carrier IQ espionage or Facebook?
Or if you want to complain only about Kaya why not talks about security vulnerabilities in their chosen technology instead?
I think it is better to focus on functionality and basic tests first and dont waste time on too much security. There is no reason for giving private information to Kaya other than your email so security isnt big problem atm.

I never read that there was a poll, and I imagine that if you had posted one here, where there is a broader community instead of buried in the feedback section of your site, you might have gotten a good deal more response. BTW, *all* of the people who commented on your poll were in favor of using the name kaya instead of kaya.gs.

_________________
Go? It's like sharing two bowls of cookies, but one person gets all of them.

Interesting point to bring up. The feedback site has been clearly linked to and I think it should be the eventual center of Kaya feature discussion. But for now, more people would be reached here even if a single forum thread isn't a very good way to do this. (not that I feel like my ideas have any better chance here than "buried" there)

I personally never thought of the name as a "feature," so I wouldn't have thought that such a discussion would take place there, and I didn't hear it announced here either. What I did hear was opposition to the idea here in this thread, and a rather breezy attitude of it not being such a big deal from the developer. It doesn't seem as if there was much serious interest in hearing feedback on this issue.

_________________
Go? It's like sharing two bowls of cookies, but one person gets all of them.