[wp-hackers] Revisiting phone home and privacy
Jacob Santos
wordpress at santosj.name
Tue Dec 8 14:08:57 UTC 2009
No, it would not be hard, the problem was never difficulty. One simply
has to weigh the advantages of sending a small amount of information
versus having to do things manually. Some bosses are not concerned about
security until their site is turned over and spread out with 9 inches
pounding the site for all it is worth.
I would say to those people, "Well, what is your concern? WordPress.org
does not sell the information, and only really uses the information to
make further decisions based on usage. Some of the information is
required to be sent, but can be sent without WordPress.org knowing it
came from you. This will allow updating the site without me being there.
It will save you such and such dollars each time or you can spend such
and such dollars every time there is an update, but most likely you
aren't going to spend that money as often as is required so you're not
going to update at all, which will put your site at risk.
"Even if you use another CMS, you'll have the same problem with
security, only it may or may not take longer for the exploit to be
fixed, may take longer before the exploit is even found, and you'll
still have the problem where you'll be required to update. However with
other CMSes, more often than not, you'll modify some core component that
drastically increases the time required to properly upgrade the site
with all of the current features."
The ethical factor kind of becomes skewed when you're being paid to do
something, but if your boss tells you to leave a few screws loose on a
bridge are you really going to do that? I wouldn't.
Jacob Santos
Lynne Pope wrote:
> I hear what you are saying Jacob but have to wonder if there would be more
> people seeing update notifications if some were not disabling these over
> privacy concerns. With the company I mentioned, I had no idea they had used
> these plugins to avoid sending their blog URL. I imagine there would be a
> lot of us who work with users and who don't know what they have installed
> until there is a problem.
>
> A subset of current users were around in 2007 and took note when all hell
> broke loose over the phone home. I suspect a larger proportion never see
> reports about such things. The average user doesn't see Slashdot or follow
> tech news. Since then, of course, thousands of new users have come along and
> I doubt many of them are even aware of what information gets sent back.
>
> Then there's the users who, in 2007, installed the plugins to block update
> checks (the 2.3 announcement even linked to this) and who have just
> blissfully carried on blocking. This is where the privacy concerns are
> actually hurting WordPress. If we want people to use the automatic update we
> should, in my opinion, not be giving them reasons for not using it. Sure,
> it's easy to look at the numbers and say most people don't care, but it's just
> as valid to say they might, if they knew about it.
>
> For my last comment on this issue I just want to ask one thing - is it so
> hard to simply remove the blog URL from being sent as part of the User-Agent
> in the core? A function is all very well (and I thank you for that) but by
> the time anyone mentions that they won't use WordPress or that they are
> using plugins to remove update notifications it's already too late to help
> them out.
>
> Lynne
>
> 2009/12/8 Jacob Santos <wordpress at santosj.name>
>
>
>> I should apologize, I realize that you are correct. It has been a long time
>> and I've forgotten a lot of the issues that were brought up at that time.
>>
>> Given the lack of popularity of the Tin-foil hat plugin compared to those
>> using WordPress, I can say that it is unlikely that any options will be
>> added. I believe it was discussed at that point, but a lot of the argument
>> against it was that if only a few are ever going to turn it on, then it
>> wasn't worth spending the time for development and testing to do it.
>>
>> As far as the business connection, I think that well, it doesn't really
>> matter what I think. I would hope that any business would weigh the
>> advantages of what WordPress offers for keeping WordPress and plugins
>> up-to-date and the time that is saved, however that is their business with
>> how they want to handle that.
>>
>> Furthermore, the lack of opt-in was intentional and there was, I believe,
>> fear that people would care more about privacy than security and opt-out
>> rather than be updated on when new releases are out. Given the apathy in the
>> past, it seemed reasonable to assume it and given recent events, it seems
>> that even with the update notifications that people are still not taking the
>> update notifications seriously.
>>
>> The Tin-foil hat plugin should solve your problems, but the code below
>> could be applied to a plugin and would do what you wish with at least the
>> useragent.
>>
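>> // Replace the default User-Agent ("WordPress/<version>; <blog URL>")
>> // with one that carries only the version.
>> function paranoia_remove_url($default)
>> {
>>     global $wp_version;
>>     return 'WordPress/'.$wp_version;
>> }
>>
>> add_filter('http_headers_useragent', 'paranoia_remove_url');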
>>
>> For what it is worth, I'm not against your idea, it is just that there are
>> alternatives to which you speak and I'm wondering why those alternatives
>> (i.e. the filters) weren't applied first to the problem before attempting to
>> change WordPress fundamentally for everyone. Also, I'd rather the
>> statistics for PHP version be sent so that PHP4 can be dropped as soon as
>> possible, unless they're using PHP4, then please use the Tin-foil hat, so that
>> they'll skew the results towards quicker adoption of PHP5+.
>>
>> It should also be noted that the above will only remove the URL from the
>> useragent. The plugins and themes and wp_version will still be sent, but I
>> believe that is the only place where the Blog URL is sent.
>>
>>
>> Jacob Santos
>>
>> Lynne Pope wrote:
>>
>>
>>> 2009/12/8 Jacob Santos <wordpress at santosj.name>
>>>
>>>
>>>
>>>
>>>> In what way does WordPress.org or Automattic having your URL affect the
>>>> security and privacy of your site?
>>>>
>>>>
>>>>
>>>>
>>> It compromises privacy because users are not being given the option to send
>>> or not send information about their site. It compromises security when users
>>> disable update checks in order to avoid sending information they don't wish
>>> to send.
>>>
>>> The specific response I got from the people I was working with was that
>>> business information, such as which plugins they use, is nobody's business
>>> except theirs. They consider this to be business information. Plugin and
>>> theme data contains identifying information about products and staff which
>>> they do not want broadcast to anyone.
>>>
>>>
>>>
>>>
>>>
>>>> How does preventing WordPress.org from using this data protect you from
>>>> anything?
>>>>
>>>>
>>>>
>>>>
>>> WordPress.org is not a legal entity and cannot therefore be held legally
>>> accountable for misuse of data. They have no confidence in WordPress.org's
>>> ability to keep the data private and confidential and say that as they do
>>> not opt-in to sharing it then wordpress.org has no legal right to collect
>>> it.
>>>
>>>
>>>
>>>
>>>
>>>> Why don't the plugins available address your problems with privacy?
>>>>
>>>> The filters were placed in for the sole purpose of overriding the URL that
>>>> is sent and for those concerned with privacy. While it could be said that the
>>>> small amount of people who downloaded the plugin versus the much larger
>>>> amount that uses WordPress says that not enough people consider sending a
>>>> URL is all that important. It might just be that not enough people realize
>>>> that their WordPress is sending this information.
>>>>
>>>>
>>>>
>>>>
>>> Which plugin just overrides the blog URL? If there is one that simply does
>>> that then I'd point them to it.
>>>
>>>
>>>
>>>
>>>
>>>> It is but the URL, plugins, and themes, along with the PHP version that is
>>>> sent. None of the passwords, visitors (unless you use the WordPress.com
>>>> Stats plugin), etc. is sent. There is also a legitimate and reasonable
>>>> purpose behind sending this data and it is to allow for upgrading those
>>>> plugins (however, the URL isn't required, unless they changed that, but you
>>>> could just send www.example.com if you wanted).
>>>>
>>>> By the way, the filters were a compromise to those who said to fork it.
>>>>
>>>>
>>>>
>>>>
>>> Providing the means to check if plugins, theme, or core updates are
>>> available is great. The stickler is the sending of the blog URL (and for
>>> this company - data about custom plugins).
>>>
>>> IMO, there needs to be more transparency about what WordPress does behind
>>> the scenes and what data is collected. I understand the concerns when custom
>>> plugins & themes use staff and product names - this sends way too much
>>> identifying information!
>>>
>>> The alternative would be if WordPress only checked against theme and plugin
>>> names that are in the WordPress repository, instead of collecting data on
>>> every theme and plugin.
>>>
>>> I love the work you did on this Jacob. However, it's now 2 years since
>>> wordpress.org started collecting blog URLs with the update and it's still
>>> unnecessary data capture. If WordPress.org has future plans for using this
>>> information then a simple opt-in would prevent these kinds of issues. If
>>> there is no good reason for capturing the URL then perhaps it's time it was
>>> removed?
>>>
>>> Lynne
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
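
Added example, not code from this thread or from WordPress core: the `http_headers_useragent` filter quoted above only changes the default User-Agent, so a request whose caller passes its own `user-agent` argument is not affected by it. This plugin instead rewrites the header in the `http_request_args` filter for requests to wordpress.org hosts; the function names and the wordpress.org host match are assumptions made for illustration.

```php
<?php
/*
Plugin Name: Strip Site URL From User-Agent (added example)
*/

// Hypothetical helper: reduce "WordPress/<version>; <site URL>" to its
// product token when the string contains this site's host name.
function paranoia_scrub_user_agent($user_agent, $site_url)
{
    $host = parse_url($site_url, PHP_URL_HOST);
    if (!is_string($host) || $host === '' || stripos($user_agent, $host) === false) {
        return $user_agent; // Nothing recognisable to remove.
    }
    // Keep only the part before the first ';'.
    $parts = explode(';', $user_agent, 2);
    $token = trim($parts[0]);
    // If the host somehow sits in the token itself, send a bare product name.
    return (stripos($token, $host) === false) ? $token : 'WordPress';
}

// Hypothetical callback: runs for every outgoing WP_Http request, whether
// the User-Agent came from the filtered default or from the caller.
function paranoia_filter_request_args($args, $url)
{
    $target = strtolower((string) parse_url($url, PHP_URL_HOST));
    // Assumption: update checks go to wordpress.org or one of its subdomains.
    $suffix = '.wordpress.org';
    $is_wporg = ($target === 'wordpress.org'
        || substr($target, -strlen($suffix)) === $suffix);
    if ($is_wporg && isset($args['user-agent'])) {
        $args['user-agent'] = paranoia_scrub_user_agent(
            $args['user-agent'],
            get_bloginfo('url')
        );
    }
    return $args;
}

if (function_exists('add_filter')) {
    // Inside WordPress: register with both arguments ($args, $url).
    add_filter('http_request_args', 'paranoia_filter_request_args', 10, 2);
} else {
    // Outside WordPress (php CLI): exercise the helper on constructed values.
    $ua = 'WordPress/2.9; http://blog.example.com';
    echo paranoia_scrub_user_agent($ua, 'http://blog.example.com'), "\n";
}
```

As the quoted message notes for the original filter, this touches only the User-Agent; the plugin, theme and version data in the request body are still sent.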