[wp-hackers] List etiquette
m at mullenweg.com
Thu Apr 20 19:33:17 GMT 2006
Elliotte Harold wrote:
> I disagree. Security by obscurity is at best 1 out of 2. Because you
> posted the proof of concept I was able to analyze it, understand it, and
> figure out how to protect myself against the attack despite a huge
> amount of misinformation that continues to be thrown around on this
> list. If you hadn't posted the proof of concept, I still wouldn't
> understand exactly what the problem is or how to prevent it.
Yes, but the main responsibility of developers is not to Elliotte
Harold. Your selfish interests do not coincide with the WP community.
I also missed your patch on Trac.
Publishing line-by-line exploits or details about security
vulnerabilities when we do a release would help crackers far more than
our general user base, which is overwhelmingly non-technical. We get
flak about it, but frankly I care far more about our non-savvy and more
vulnerable users than security-blinded idealists.
This is not "security by obscurity," our source code, SVN diffs, and
Trac tickets are entirely public, it's just common sense of trying to
help your users more than script kiddies.
Firefox has a very similar approach.
http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com
More information about the wp-hackers