[wp-hackers] List etiquette

Roy Schestowitz r at schestowitz.com
Fri Apr 21 00:21:00 GMT 2006

___/ On Thu 20 Apr 2006 20:33:17 BST, [ Matt Mullenweg ] wrote : \___

> Elliotte Harold wrote:
>> I disagree. Security by obscurity is at best 1 out of 2. Because you 
>> posted the proof of concept I was able to analyze it, understand it, 
>> and figure out how to protect myself against the attack despite a 
>> huge amount of misinformation that continues to be thrown around on 
>> this list. If you hadn't posted the proof of concept, I still 
>> wouldn't understand exactly what the problem is or how to prevent it.
> Yes, but the main responsibility of developers is not to Elliotte 
> Harold. Your selfish interests do not coincide with the WP community.

I think this reply is a bit harsh (the phrasing was probably chosen in haste),
but I tend to agree with the general idea. Protecting oneself based on a
description is something that only a puny userbase cares for, to say the
least.

> I also missed your patch on Trac.
> Publishing line-by-line exploits or details about security 
> vulnerabilities when we do a release would help crackers far more 
> than our general user base, which is overwhelmingly non-technical. We 
> get flak about it, but frankly I care far more about our non-savvy 
> and more vulnerable users than security-blinded idealists.

People aspire to get some merit for discovering bugs and reporting them. By
making reports non-public and offering no bounty, you are likely to deter
the required behaviour. Look at the vulnerabilities that are auctioned on
eBay. I am not suggesting that Automattic should reveal its pocket.

> This is not "security by obscurity," our source code, SVN diffs, and 
> Trac tickets are entirely public, it's just common sense of trying to 
> help your users more than script kiddies.

Security can also be attained by excess and 'noise'. Trac would be hard to
follow and script kiddies won't bother.

> Firefox has a very similar approach.

It does, but let's not pretend that WordPress is on par with Firefox, or
even Apache (pertaining to a previous discussion/rant sparked by Skippy).

Best wishes,


Roy S. Schestowitz
http://Schestowitz.com  |    SuSE Linux    ¦     PGP-Key: 0x74572E8E
  1:10am  up 43 days 14:53,  6 users,  load average: 0.30, 0.61, 0.72