I'm not on ASPD staff any more. I have no serious inside information here, just what's been made public.

Your solution simply wouldn't work well. The board software is heavily customized. Things like BCD access, BCD credit, review counts, credit, warning points, etc. are unique or heavily customized. All these customizations have to be redone if the board software is updated.

You may argue that the right solution is to update all this stuff up to the new version of the board software. I won't say you're wrong. I will say that that's not likely to happen quickly.

You are also implying that the board was hacked due to obsolete software. You don't know that, but it's fun for us to get on our high horses and act superior like we know everything. It's entirely possible that the attack that was used would have worked even if everything was up to current patch level.

Remember that high-dollar corporate web sites with up-to-date software get hacked all the time. The corporate guys have enough staff to quickly rebuild things from scratch. ASPD doesn't have hordes of high-dollar IT staff to pop up and change things willy-nilly overnight. Perhaps if we were a big-time subscription-only web site, but we're a user-service-oriented web site.

You're offering a million-dollar solution. We're not a million-dollar corporation. We're a community of people with like interests helping each other.

The idea that one should blindly change bulletin board software, web server, OS and platform "just because" is also silly. You need to determine how the board was hacked, why you had the vulnerability, and whether there is a fix.

If, for instance, you found out that there was a security hole in the pbl daemon on XYZ Linux that was used, fix that security hole. Changing to GHI Unix just to make a change would be foolish, unless you know that GHI Unix is, in general, more secure. It may very well be that XYZ Linux with the pbl patch is much more secure than GHI Unix.

If the security hole used was in, for instance, the Apache server, changing the platform, hardware, and board software wouldn't do anything to help prevent another hack, unless you fix the security hole in the Apache server.

I won't say the site was maintained correctly. I think we could do better. I hope we do better in the future. Yes, maybe the board was hacked because the board software was old. I don't know. I just don't like having people speak up assuming the worst about the way the board was run when they don't know the details.

I'll also agree that if I had a multi-million-dollar corporate client, I'd do many of the things you suggest. Not because it would necessarily make the company more secure, but because it gives the appearance of security and gives you a good level of plausible deniability. "Your honor, we spent $3 million fixing and upgrading the web server." Never mind that you didn't really fix anything related to what went wrong. As the CIO, you have to look good to the board, stockholders, and Wall Street.

I also agree, long term, that we should migrate to a much later version of bulletin board software, and keep the rest of the software up to date. Actually, forget "long term." It needs to be soon. I just don't think we necessarily have to do all that stuff before we bring ASPD back to life.

Note: Yes, I say "we" a lot. I'm part of the community, not part of the management or volunteer staff.