[wp-hackers] List etiquette

Brian Layman Brian at TheCodeCave.com
Thu Apr 20 17:03:54 GMT 2006

I'd like the opinions of the PTB (powers that be), on this list, regarding
an etiquette issue.

You saw that I'd posted that "proof of concept" link.  I'm new here and
really don't know the rules of how this list is run.  So, I'd like to know:

1. Should I have posted it or not?  I'd mailed a more functional one to
Matt.  Should I have kept my mouth shut at that point?

2. Once people know that something has been done, others will try to repeat
it.  Should I have even mentioned that I had proved what we were discussing
was more than just theory?

3. Did I provide too much detail on the approach, or would it perhaps have
been alright to provide further detail?

4. The archive of this discussion is public.  Given that, would it be
unreasonable (pronounced harmful) to echo that post onto my blog?  My blog
is intended as an archive of neat technical stuff I've played with.  This
definitely qualifies.

5. The fact that I could mask the attack as a viable link when outside of
the admin area was, I think, a clever idea.  Should I have kept that to
myself even though it highlights the danger?

6. This link was rather limited in its danger.  If the attack I'd found
imposed a much greater risk, would that change any of the above?

7. If I decide to attempt to prove cookies are vulnerable, should I mention
any positive (or negative) results?  That could figure into the nonce
implementation design.  I've not responded to anyone's questions, "Am I
missing something here?"  Though I've read that stealing cookies is possible,
I've not seen discussions of how it is done.  That makes it more likely that
it is just rumor or no longer an issue.  If it is possible, that could
eliminate a whole avenue of discussion here.  That's why I am asking these
questions.  If I figure anything out, what should I do with that knowledge?

8. People will Google for the name of an attack and WordPress.  Should we be
careful using the names of these attack methods in these threads?

Thank you for your thoughts on these issues...
Brian Layman