[wp-hackers] Plugin update & security / privacy

Otto otto at ottodestruct.com
Mon Sep 24 20:58:06 GMT 2007

I fail to grasp your argument. The reasons for the data being sent are
straightforward and obvious, to notify the blogger about upgrades
being available for both WordPress and plugins. With all the security
issues lately, and so many people bitchin' about WordPress having
security problems, then keeping people in the know about upgrades is
an important thing to do.

I agree that not having an option to turn it off is an oversight. And
I agree that not having a stated privacy policy is ridiculous. But the
facts cannot be disputed.

For the record, matt has stated that the backend doesn't store
anything whatsoever. It uses the data sent to check for updates to the
given bits. That's it. In theory, it could use the same information to
keep a count of the installed WordPress base and what versions are
being run, for statistical reasons. For now, it doesn't do that.

As for discussion, this has been discussed on trac for *years*, there
was plenty of discussion and debate about it. #1476 springs to mind.

Look, as matt correctly pointed out, this sort of information is not a
security risk. Nobody not wearing tinfoil on their head would
reasonably have objections to this information being available.

The legitimate complaints are:
- No opt-out method built in
- No privacy policy
- Poor implementation from an optimization perspective.

Jumping up and down and going OMG IT SENDZ DATA OH NOEZ! doesn't help
things. It doesn't send any data that could be used against you.
Really. And they're not even saving it on their end. And it is, in
fact, easily disabled with two lines of code or a simple plugin, if
you're of the tinfoil hat variety.

But more to the point, don't be over-exaggerating things. I'll
certainly be putting in some patches to correct the deficiencies that
I see in it, and with any luck, they'll make it into 2.3.1. Hopefully
matt and such will step up and consider a wordpress.org privacy policy
and perhaps a mod for the installation to notify the user will make it
into the release as well.

This is not a world-ending problem. Okay? Version 2.3 isn't a security
release, so if you don't want it, don't install it yet.


On 9/24/07, Computer Guru <computerguru at neosmart.net> wrote:
> > -----Original Message-----
> > From: wp-hackers-bounces at lists.automattic.com [mailto:wp-hackers-
> > bounces at lists.automattic.com] On Behalf Of Jamie Holly
> > Sent: Monday, September 24, 2007 11:08 PM
> > To: wp-hackers at lists.automattic.com
> > Subject: RE: [wp-hackers] Plugin update & security / privacy
> >
> > staking a position of saying it is or isn't. Think Microsoft. They
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> Enough said.
> Does anyone here seriously believe Microsoft gives a damn about *you* personally and personally identifying info?
> If Microsoft were to start silently and without warning begin recording even NECESSARY info and sending it at regular intervals to Redmond, do you think they would use that info to personally identify anyone or let that data be leaked anywhere? The obvious answer is no f*****ing way.
> But if Microsoft were to start doing such a thing, there would no end to the litigation, lawsuits, and complaints. Businesses WOULD stop using it, in the blink of an eye if they feel they've really been violated. And governments - do you think the CIA would appreciate the fact that their OS of choice is "spying" on them? Imagine the litigation and class-action lawsuits to follow...
> So why is it ANY different for WordPress? Being open source isn't a "Get out of jail free" card, is it?
> The latest versions of Windows and Office have a "consumer improvement" program that sends periodic data to MS, *WITH* a guarantee that no personally identifying info will be sent, AND a button you can press to see ALL info being transmitted. What's more, it's OFF by default (as in opt-in). And of course, they have one hell of a privacy policy.
> Sure, I love and respect WP and the team. I know you guys won't misuse this info, and so do many people out there too. I always opt-in to these programs, because a developer I know the importance of statistics. But the fact of the matter is, it's stupid, reckless, and just plain un-thought-through to secretly send data back to WP/Automattic/whatever-the-hell-it-is, *ESPECIALLY* without even an opt-OUT button and most definitely without a privacy policy. I've got to say, what the hell were you guys thinking?
> This is the INFORMATION age. Information reigns king. It's valuable, yes. But trust is even more valuable. WP is a piece of open source community software, and decisions like this need to be done in the open with tons of feedback - not with a bit of code slipped in under the radar with no warning or discussion and absolutely no way of disabling it by default.
> Just think about it. I haven't heard a _single_ argument that gives a real /reason/ for what's being done (no, "it's harmless" isn't a valid excuse). If it were ANY other for-profit company, each and everyone one of you would be screaming up and down. So why is WP an exception? Like I said before, Open Source isn't a carte blanche that lets you do whatever the hell you please, it's just a frikkin license - and doing this kind of stuff assuming that everyone would forgive you just because you're not a Microsoft/Google/Apple/eBay/Whatever doesn't just not get you off the hook but gives open source a really bad name if that's the excuse.
> The golden rule: "Do unto others what you would have them do unto you"
> If someone can give me a SINGLE good reason why it's OK for WordPress to do this whereas it's not for anyone else, I'm all ears. But just think: "what if it was Microsoft" and see what happens.
> Every day I see a blog post about "OMG <INSERT BIG COMPANY HERE> is using WP!!! WE PWNZ THE WORLD!!!" Cool.
> Great. But what are all those big companies going to think when they realize you're effectively spying on them???
> Computer Guru
> NeoSmart Technologies
> http://neosmart.net/
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list