[wp-hackers] Re: Plugin update & security / privacy

Kevin wyldwolf at gmail.com
Mon Sep 24 14:04:07 GMT 2007


I would suggest that you get a basic understanding of what you are talking
about BEFORE you deride people's security concerns. Even Microsoft has made
Auto update both Opt-IN, and non-server side. They even tell you where on
your computer update info is stored so you can wipe it off if you want/need
to.

Anything which is "automatic" needs to spell out exactly what it is doing,
and if you are storing MY data on your server, then you have the
responsibility to disclose what you are doing to safeguard that data. You
aren't even encrypting the data transmission from my WP install to your
server, so why should I believe you are doing anything to safeguard it once it
is on the server?

Go do some research on PII (Personal Identifying Information). The IRS has a
good primer on it:
http://www.irs.gov/irm/part1/ch08s05.html

Your home address and phone numbers are PII, even though they are publicly
available. The same is true of my blog URL and plugin information.

This really is the type of thing you have to make as public as possible
beforehand. This should have been discussed by the entire WP community (we
are a community, right? This isn't just your personal play toy, right?) before
line one of code was written.

As Matt mentioned a few emails ago, this was brought up as an issue the day
before the release. You know why? Because once again WP has not involved the
community directly.

Also, remember that SENDING the data is only a small part of the issue here.
The real issue is the storing of the data. Obvious security issues aside
(the second you store my information, it IS a security issue, whether you
believe the data is valuable or not), the simple fact that you can then use
that information for any purpose you want (since there is no TOS/EULA
associated with it) at any point in the future is a problem.

Kevin
<http://technogeek.org/>
