Yea, and unfortunately it seems that I failed to say what I wanted to. Everyone is talking about this being part of the update information system, which it isn't. It's only for statistics. And nobody seems to get the difference between transmitting URL and plugin data separately and transmitting them together. Seems like having a gray position isn't very popular. Or maybe it's just too complicated that two things are not that dangerous by themselves as they are linked to each other. :-/
> It's shocking how inaccurate that is. If anyone has a few spare moments to drop some sanity in that discussion it would be a big help. It was obviously written by someone with malicious intent toward WordPress.
Matt: I'm not you (obviously), but I think you need to get out ahead of this one, pronto, before digg, reddit, propellor, etc. get wind and blow it even further out of proportion. Put down your thoughts, either on Photomatt or on the Dev Blog, explain your reasoning (especially as to why it coming to a head so late in the release cycle weighed upon committing changes that would reverse it) and then submit it to Slashdot, etc. Make a nice "Lead WordPress developer responds to 'privacy' complaints" headline and see what shakes out.
On 9/25/07, Moritz 'morty' Struebe <mo...@gmx.net> wrote:
> Yea, and unfortunately it seems that I failed to say what I wanted to. Everyone is talking about this being part of the update information system, which it isn't. It's only for statistics.
Well, it is part of the update system. It's not currently *necessary* for the update system to function, but still...
> And nobody seems to get the difference between transmitting URL and plugin data separately and transmitting them together.
Well, I understand the difference, but I still disagree with you. The information itself is not noteworthy. Somebody who knows all this information knows nothing of importance. It's not actually information that they can use against you.
> Seems like having a gray position isn't very popular. Or maybe it's just too complicated that two things are not that dangerous by themselves as they are linked to each other. :-/
Actually they're not dangerous either way. A lot of people run "lists of plugins I'm running" on their blog. Is that dangerous?
_______________________________________________
wp-hackers mailing list
wp-hack...@lists.automattic.com
http://lists.automattic.com/mailman/listinfo/wp-hackers
>> Seems like having a gray position isn't very popular. Or maybe it's just too complicated that two things are not that dangerous by themselves as they are linked to each other. :-/
> Actually they're not dangerous either way. A lot of people run "lists of plugins I'm running" on their blog. Is that dangerous?
IMHO it is. Once you start hacking systems you do get careful. (E.g. I shut down my WLAN quite quickly and redesigned my home network after hacking my WEP-key.)
While I agree with Morty, I think most of the public "reaction" to this issue isn't so much about security or the data being transmitted but just the fact that it's being done without a button to disable it.
> -----Original Message-----
> From: wp-hackers-boun...@lists.automattic.com [mailto:wp-hackers-boun...@lists.automattic.com] On Behalf Of Moritz 'morty' Struebe
> Sent: Tuesday, September 25, 2007 8:57 PM
> To: wp-hack...@lists.automattic.com
> Subject: Re: [wp-hackers] Plugin update & security / privacy
> >> Seems like having a gray position isn't very popular. Or maybe it's just too complicated that two things are not that dangerous by themselves as they are linked to each other. :-/
> > Actually they're not dangerous either way. A lot of people run "lists of plugins I'm running" on their blog. Is that dangerous?
> IMHO it is. Once you start hacking systems you do get careful. (E.g. I shut down my WLAN quite quickly and redesigned my home network after hacking my WEP-key.)
On 9/25/07, Doug Stewart <zamo...@gmail.com> wrote:
> Matt:
> I'm not you (obviously), but I think you need to get out ahead of this one, pronto, before digg, reddit, propellor, etc. get wind and blow it even further out of proportion. Put down your thoughts, either on Photomatt or on the Dev Blog, explain your reasoning (especially as to why it coming to a head so late in the release cycle weighed upon committing changes that would reverse it) and then submit it to Slashdot, etc. Make a nice "Lead WordPress developer responds to 'privacy' complaints" headline and see what shakes out.
> Just my $.02.
Nice work, Matt. *grin* They just updated the story (the notorious kdawson edited his own verbiage for once!)
I guess someone out there isn't familiar with the term "mailing list" and that "arguments" and "flamewars" like this one aren't really that big of a deal in the long-run :D
On 9/25/07, Computer Guru <computerg...@neosmart.net> wrote:
> Nice one :)
> I guess someone out there isn't familiar with the term "mailing list" and that "arguments" and "flamewars" like this one aren't really that big of a deal in the long-run :D
The problem is I kinda saw this reaction coming and, had Matt not reacted quickly and /. not posted the correction, further damage to WP's overall reputation could have been done, and fast.
Everybody in the newspaper industry knows that sensationalism runs on page A1, corrections on D41, so once the (incorrect) cat is out of the bag, the damage has been done.
Doug Stewart wrote:
> The problem is I kinda saw this reaction coming and, had Matt not reacted quickly and /. not posted the correction, further damage to WP's overall reputation could have been done, and fast.
As long as accurate information is available to reasonable people, I think WordPress will be fine. There is *a lot* of FUD and outright lies spread about the project by people with various motivations but truth is the best defense. (And continuing to have a kickass product.)
On Sun Sep 23 11:12:56 2007, Alex Günsche <ag.ml2...@zirona.com> wrote:
> By the way, I was rather shocked when I saw what big bunch of data Akismet transmits on connecting to its server. Why the heck does Akismet transmit *all* my $_SERVER environment variables? That's a big reason to mistrust Akismet, unless there are *very* good reasons for that. And I doubt there are any.
Irregardless of WordPress calling home with URL and plugin info (my 2 cents: not too bad, but it should be a core option), people seem to be glossing over this. What is Akismet sending during each spam check?
If you have a basic HTTP AUTH (.htaccess, etc) set up on top of WordPress (or I believe WordPress itself has an option for using HTTP AUTH instead of cookie sessions), you are sending usernames and passwords.
I'm not accusing Automattic of doing this intentionally, but this is a MAJOR security problem.
Ryan Finnie wrote:
> Irregardless of WordPress calling home with URL and plugin info (my 2 cents: not too bad, but it should be a core option), people seem to be glossing over this. What is Akismet sending during each spam check?
Akismet does send *and use* the $_SERVER variables in a spam check, however it excludes with this line:
$ignore = array( 'HTTP_COOKIE' );
If you file a patch to that array with the other variables you think shouldn't be in there I'll get it in. BTW, Akismet's privacy policy is here:
> It's shocking how inaccurate that is. If anyone has a few spare moments to drop some sanity in that discussion it would be a big help. It was obviously written by someone with malicious intent toward WordPress.
On 9/25/07, Matt Mullenweg <m...@mullenweg.com> wrote:
> Ryan Finnie wrote:
> > Irregardless of WordPress calling home with URL and plugin info (my 2 cents: not too bad, but it should be a core option), people seem to be glossing over this. What is Akismet sending during each spam check?
> Akismet does send *and use* the $_SERVER variables in a spam check, however it excludes with this line:
> $ignore = array( 'HTTP_COOKIE' );
> If you file a patch to that array with the other variables you think shouldn't be in there I'll get it in. BTW, Akismet's privacy policy is here:
What information is used? I'm not saying that to be a jerk (indeed, looking through a dump I could find some use for some of the _SERVER variables, especially for something like Akismet), but my point is this sort of data gathering should be by include, not exclude. That way it's not prone to accidental sensitive information leakage (as what is happening here).
That being said, since this is an immediate problem, here's a patch that will solve this specific problem.
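An added example (not Akismet's, WordPress's or Ryan's patch) contrasting the exclude-list line quoted above with the include-list approach Ryan asks for. The `$request` array stands in for PHP's `$_SERVER`; its values, the `PHP_AUTH_*` / `HTTP_AUTHORIZATION` entries that basic auth populates, and both helper names are constructed for illustration.

```php
<?php
// Constructed stand-in for $_SERVER on a site behind HTTP basic auth.
// The credential fields are the ones the thread warns about.
$request = array(
    'REMOTE_ADDR'        => '203.0.113.7',
    'HTTP_USER_AGENT'    => 'Mozilla/5.0 (constructed)',
    'HTTP_REFERER'       => 'http://example.com/post/1',
    'REQUEST_URI'        => '/wp-comments-post.php',
    'HTTP_COOKIE'        => 'wordpress_logged_in=(constructed)',
    'PHP_AUTH_USER'      => 'editor',
    'PHP_AUTH_PW'        => 'hunter2',
    'HTTP_AUTHORIZATION' => 'Basic ZWRpdG9yOmh1bnRlcjI=',
);

// Exclude-list: everything is forwarded except the named keys.
// Any variable nobody thought to list (here, the auth fields) leaks.
function collect_by_exclude( array $server ) {
    $ignore = array( 'HTTP_COOKIE' ); // the line quoted from Akismet above
    $out = array();
    foreach ( $server as $key => $value ) {
        if ( ! in_array( $key, $ignore, true ) ) {
            $out[ $key ] = $value;
        }
    }
    return $out;
}

// Include-list: only keys explicitly judged useful for a spam check
// are forwarded; a newly added server variable is dropped by default.
function collect_by_include( array $server ) {
    $allow = array( 'REMOTE_ADDR', 'HTTP_USER_AGENT', 'HTTP_REFERER', 'REQUEST_URI' );
    $out = array();
    foreach ( $allow as $key ) {
        if ( isset( $server[ $key ] ) ) {
            $out[ $key ] = $server[ $key ];
        }
    }
    return $out;
}

// Does a collected payload still carry basic-auth credentials?
function leaks_credentials( array $payload ) {
    return isset( $payload['PHP_AUTH_PW'] ) || isset( $payload['HTTP_AUTHORIZATION'] );
}

var_dump( leaks_credentials( collect_by_exclude( $request ) ) ); // exclude-list payload
var_dump( leaks_credentials( collect_by_include( $request ) ) ); // include-list payload
```

Run with `php example.php`; the exclude-list payload still contains the password and Authorization header, the include-list payload does not.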
On 9/25/07, Doug Stewart <zamo...@gmail.com> wrote:
> Matt:
> I'm not you (obviously), but I think you need to get out ahead of this one, pronto, before digg, reddit, propellor, etc. get wind and blow it even further out of proportion. Put down your thoughts, either on Photomatt or on the Dev Blog, explain your reasoning (especially as to why it coming to a head so late in the release cycle weighed upon committing changes that would reverse it) and then submit it to Slashdot, etc. Make a nice "Lead WordPress developer responds to 'privacy' complaints" headline and see what shakes out.
> Just my $.02.
Add my $0.02 and that's 0.04 -- I think the same. Plus, people always like Photomatt's clarification on anything :)
Captain's log. We received a signal from Computer Guru on StarDate 25/09/07 19:15. Translated to English it stated:
> Nice one :)
> I guess someone out there isn't familiar with the term "mailing list" and that "arguments" and "flamewars" like this one aren't really that big of a deal in the long-run :D
The good news is that, at the end, another myth is squashed, which *helps* image rather than damages it. There was a recent scenario just like this which involved Con Kolivas and Linus Torvalds.
I think a large part of the objection to changing it at this point may not necessarily be the nature of the issue itself (or lack of clarity / understanding) but rather the timeliness of the complaint.
Regarding the transmission of the URL, it's certainly up for debate whether the PR value of not sending it outweighs the potential future benefits of including it.
It probably does (IMHO) even assuming, as I think most of us do, that it would never be used for "evil" purposes. :)
However, this particular thread was just too late in the game to consider for this release. 2.3 had been in bug-fix-only mode for quite a while. There's already a trac ticket (#5066) for this, so hopefully we can just discuss that in a calm and rational manner (for a future release) going forward.
Hey, the good thing is that we have an update mechanism in place to change it quickly later on if that's deemed appropriate. :)
- Jared
On 9/25/07, Moritz 'morty' Struebe <mo...@gmx.net> wrote:
> Yea, and unfortunately it seems that I failed to say what I wanted to. Everyone is talking about this being part of the update information system, which it isn't. It's only for statistics. And nobody seems to get the difference between transmitting URL and plugin data separately and transmitting them together.
> Seems like having a gray position isn't very popular. Or maybe it's just too complicated that two things are not that dangerous by themselves as they are linked to each other. :-/
Sigh... you can always count on digg to beat a dead horse into the ground, even on an issue that's already been clarified / corrected in the linked post / story.
Congrats on your quick and appropriate response. Hopefully (as you said) that will serve to keep the reasonable people reasonable, and there's not much we can do about everyone else.
Captain's log. We received a signal from Computer Guru on StarDate 25/09/07 21:12. Translated to English it stated:
> Joined today, spamming Digg with this content.... yep, sounds like the same person :) I wouldn't expect a confession though :P
> Seems like he/she is a subscriber to WP-Hackers :/ a lot of that stuff is cut and paste from here.
Send a complaint to Digg [Digg Feedback <feedb...@digg.com>]. They are actually very responsive. They eliminated about 4 accounts of forgers of my profile and even if they don't reply, they investigate and take action in order to improve quality and keep the community in a healthy state.