[wp-hackers] Plugin update & security / privacy

Moritz 'Morty' Strübe morty at gmx.net
Mon Sep 24 23:17:22 GMT 2007

Has all been talked through on the stats collecting thread (not this
one). This one started, because I looked into the code yesterday because
I wanted to make sure my plugin works alright with the update system.
I pretty much gave up on this discussion. My minimum goal was to at
least md5 the URL or remove it, as it isn't needed - it works fine
without the URL.
I'm just a little plugin-dev - and it seems like I am the first one to
notice, although this is a long announced feature. Are there core devs
on this list? Or is it matt, some plugin-devs and the people who treat
php4 vs php5 as a religion? Or are there so few people really caring
about their privacy and security?
And I have to state this again: I would have had no, well much less of a
problem with this whole thing if the URL had been transmitted
separately from the version and the plugin data. It's no one's business that I
have the admin-porn plugin running, which shows a beautiful woman on
every admin page. Just as nobody needs to know that I'm
running the old version of plugin xy.
Yes, you can do a brute force, but it's a hell of a lot more efficient (as
Matt pointed out) if you have a nice list of domains to attack.

Morty (who is more sad than frustrated)

P.s.: Before anyone asks where to get the admin-porn plugin. You may add
it here: http://wordpress.org/extend/ideas/

James Thomas Snell wrote:
> I just joined this mail list about three hours ago - but I think I've
> already seen enough to feel inclined to say:
> It seems perfectly acceptable to me to collect unpersonalized stats ONLY IF
> the blog administrator manually enables such functionality. Perhaps it's
> already been suggested, but why not add a step to the upgrade.php script
> that provides an unchecked check box asking the admin to check it if they
> wish to donate statistics? Perhaps this functionality could be accessed as a
> plugin that can be controlled at the admin's will?
> Sorry if I'm jumping in too soon here, I really don't have the time to go
> back through the log of the previous messages. But maybe there is a suggestion
> yet to be made.
> Cheers friends,
>   JT
> On 9/24/07, Computer Guru <computerguru at neosmart.net> wrote:
>>> -----Original Message-----
>>> From: wp-hackers-bounces at lists.automattic.com [mailto:wp-hackers-
>>> bounces at lists.automattic.com] On Behalf Of Jamie Holly
>>> Sent: Monday, September 24, 2007 11:08 PM
>>> To: wp-hackers at lists.automattic.com
>>> Subject: RE: [wp-hackers] Plugin update & security / privacy
>>> staking a position of saying it is or isn't. Think Microsoft. They
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>> Enough said.
>> Does anyone here seriously believe Microsoft gives a damn about *you*
>> personally and personally identifying info?
>> If Microsoft were to silently and without warning begin recording
>> even NECESSARY info and sending it at regular intervals to Redmond, do you
>> think they would use that info to personally identify anyone or let that
>> data be leaked anywhere? The obvious answer is no f*****ing way.
>> But if Microsoft were to start doing such a thing, there would be no end to
>> the litigation, lawsuits, and complaints. Businesses WOULD stop using it, in
>> the blink of an eye if they feel they've really been violated. And
>> governments - do you think the CIA would appreciate the fact that their OS
>> of choice is "spying" on them? Imagine the litigation and class-action
>> lawsuits to follow...
>> So why is it ANY different for WordPress? Being open source isn't a "Get
>> out of jail free" card, is it?
>> The latest versions of Windows and Office have a "consumer improvement"
>> program that sends periodic data to MS, *WITH* a guarantee that no
>> personally identifying info will be sent, AND a button you can press to see
>> ALL info being transmitted. What's more, it's OFF by default (as in opt-in).
>> And of course, they have one hell of a privacy policy.
>> Sure, I love and respect WP and the team. I know you guys won't misuse
>> this info, and so do many people out there too. I always opt-in to these
>> programs, because as a developer I know the importance of statistics. But the
>> fact of the matter is, it's stupid, reckless, and just plain
>> un-thought-through to secretly send data back to
>> WP/Automattic/whatever-the-hell-it-is, *ESPECIALLY* without even an opt-OUT
>> button and most definitely without a privacy policy. I've got to say, what
>> the hell were you guys thinking?
>> This is the INFORMATION age. Information reigns king. It's valuable, yes.
>> But trust is even more valuable. WP is a piece of open source community
>> software, and decisions like this need to be done in the open with tons of
>> feedback - not with a bit of code slipped in under the radar with no warning
>> or discussion and absolutely no way of disabling it by default.
>> Just think about it. I haven't heard a _single_ argument that gives a real
>> /reason/ for what's being done (no, "it's harmless" isn't a valid excuse).
>> If it were ANY other for-profit company, each and every one of you would
>> be screaming up and down. So why is WP an exception? Like I said before,
>> Open Source isn't a carte blanche that lets you do whatever the hell you
>> please, it's just a frikkin license - and doing this kind of stuff assuming
>> that everyone would forgive you just because you're not a
>> Microsoft/Google/Apple/eBay/Whatever not only doesn't get you off the hook
>> but gives open source a really bad name if that's the excuse.
>> The golden rule: "Do unto others what you would have them do unto you"
>> If someone can give me a SINGLE good reason why it's OK for WordPress to
>> do this whereas it's not for anyone else, I'm all ears. But just think:
>> "what if it was Microsoft" and see what happens.
>> Every day I see a blog post about "OMG <INSERT BIG COMPANY HERE> is using
>> WP!!! WE PWNZ THE WORLD!!!" Cool.
>> Great. But what are all those big companies going to think when they
>> realize you're effectively spying on them???
>> Computer Guru
>> NeoSmart Technologies
>> http://neosmart.net/


strübe.de <http://xn--strbe-mva.de>

This email is signed. If your email client does not support signatures,
an smime.p7s file will appear as an attachment.

My PGP/GPG key is available on the usual keyservers.
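The update-check payload the thread argues about, as an added example in Python. This is not WordPress code and not code posted by anyone in the thread; SITE_URL, PLUGINS, DOMAIN_LIST and every function name are constructed for illustration. It shows the three shapes under discussion: the URL sent in the clear next to the plugin inventory, the URL replaced by an unsalted md5 (Morty's minimum), and, going one step past the thread, the URL replaced by an HMAC under a secret only the site holds. The middle case demonstrates the brute force Morty concedes: with a list of domains in hand, an unsalted md5 of the URL is a lookup, not a secret.

```python
"""
Added illustration for the wp-hackers discussion; not WordPress code and
not code from anyone in the thread. All sample data below is constructed.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample: one site and the plugins it would report.
SITE_URL = "https://blog.example.net"
PLUGINS = {
    "admin-porn/admin-porn.php": "0.3",   # constructed, after the joke in the thread
    "xy/xy.php": "1.0",                   # "the old version of plugin xy"
}
# Constructed stand-in for the "nice list of domains" an attacker brings.
DOMAIN_LIST = [
    "https://example.com",
    "https://blog.example.net",
    "https://news.example.org",
]


def payload_as_shipped(site_url, plugins):
    """URL and plugin inventory in one request: the receiver can join
    'this domain' with 'runs these plugins at these versions'."""
    return json.dumps({"url": site_url, "plugins": plugins}, sort_keys=True)


def payload_md5_url(site_url, plugins):
    """Morty's minimum proposal: send md5(url) instead of the URL."""
    digest = hashlib.md5(site_url.encode("utf-8")).hexdigest()
    return json.dumps({"url_md5": digest, "plugins": plugins}, sort_keys=True)


def reverse_md5_with_domain_list(digest, candidates):
    """The brute force the thread concedes: hash every candidate domain and
    compare. Returns the matching URL, or None if the domain is not listed."""
    for url in candidates:
        if hashlib.md5(url.encode("utf-8")).hexdigest() == digest:
            return url
    return None


def md5_reversal_attack(payload_json, candidates):
    """Run the domain-list attack against a payload carrying a bare md5.
    Payloads without a url_md5 field give the attacker nothing to hash against."""
    digest = json.loads(payload_json).get("url_md5")
    return reverse_md5_with_domain_list(digest, candidates) if digest else None


def new_site_secret():
    """Random key generated once per site and kept locally; the update
    server never sees it."""
    return secrets.token_bytes(32)


def payload_keyed_id(site_url, plugins, site_secret):
    """One step beyond the thread: HMAC-SHA256 over the URL under the site's
    own secret. The receiver still gets a stable pseudonym it can count
    distinct sites by, but a domain list alone cannot reproduce the key,
    so it cannot be turned back into a domain."""
    site_id = hmac.new(site_secret, site_url.encode("utf-8"), hashlib.sha256).hexdigest()
    return json.dumps({"site_id": site_id, "plugins": plugins}, sort_keys=True)


def get_field(payload_json, name):
    """Small accessor so callers need not parse the JSON themselves."""
    return json.loads(payload_json).get(name)


if __name__ == "__main__":
    print(payload_as_shipped(SITE_URL, PLUGINS))
    hashed = payload_md5_url(SITE_URL, PLUGINS)
    print(hashed)
    print("md5 recovered:", md5_reversal_attack(hashed, DOMAIN_LIST))
    keyed = payload_keyed_id(SITE_URL, PLUGINS, new_site_secret())
    print(keyed)
    print("keyed recovered:", md5_reversal_attack(keyed, DOMAIN_LIST))
```

Two caveats a practitioner should keep in mind. The keyed identifier is still a stable pseudonym: successive reports from one site remain linkable to each other, so the receiver can watch one anonymous site's plugin inventory change over time; only the mapping from identifier to domain is removed. And none of this touches the versions themselves, which the update check needs in order to answer at all; the privacy gain comes purely from not letting the receiver tie that inventory to a named site.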
