[wp-hackers] List etiquette
r at schestowitz.com
Fri Apr 21 00:21:00 GMT 2006
___/ On Thu 20 Apr 2006 20:33:17 BST, [ Matt Mullenweg ] wrote : \___
> Elliotte Harold wrote:
>> I disagree. Security by obscurity is at best 1 out of 2. Because you
>> posted the proof of concept I was able to analyze it, understand it,
>> and figure out how to protect myself against the attack despite a
>> huge amount of misinformation that continues to be thrown around on
>> this list. If you hadn't posted the proof of concept, I still
>> wouldn't understand exactly what the problem is or how to prevent it.
> Yes, but the main responsibility of developers is not to Elliotte
> Harold. Your selfish interests do not coincide with the WP community.
I think this reply is a bit harsh (phrasing that was chosen in haste is
probable), but I tend to agree with the general idea. Protecting oneself
based on a description is something that only a puny userbase cares for, to
say the least.
> I also missed your patch on Trac.
> Publishing line-by-line exploits or details about security
> vulnerabilities when we do a release would help crackers far more
> than our general user base, which is overwhelmingly non-technical. We
> get flak about it, but frankly I care far more about our non-savvy
> and more vulnerable users than security-blinded idealists.
People aspire to get some merit for discovering bugs and reporting them. By
making reports non-public and offering no bounty, you are likely to deter
the required behaviour. Look at them vulnerabilities that are auctioned in
eBay. I am not suggesting that Autommatic should reveal its pocket.
> This is not "security by obscurity," our source code, SVN diffs, and
> Trac tickets are entirely public, it's just common sense of trying to
> help your users more than script kiddies.
Security can also be attained by excess and 'noise'. Trac would be hard to
follow and script kiddies won't bother.
> Firefox has a very similar approach.
It does, but let's not pretend that WordPress is on par with Firefox, or
even Apache (pertaining to a previous discussion/rant sparked by Skippy).
Roy S. Schestowitz
http://Schestowitz.com | SuSE Linux ¦ PGP-Key: 0x74572E8E
1:10am up 43 days 14:53, 6 users, load average: 0.30, 0.61, 0.72
More information about the wp-hackers