From: Moritz 'Morty' Strübe <mo...@gmx.net>
Date: Sun, 23 Sep 2007 22:10:38 +0100
Subject: Re: [wp-hackers] Plugin update & security / privacy
Matt Mullenweg wrote:

> Moritz 'Morty' Strübe wrote:
>> I know this will not change until Monday, but is it really necessary to
>> transmit the URL?

> Your blog URL and version has been sent by default for 4+ years to
> every ping service in the world, including Ping-O-Matic, every time
> you make a post. Of course you can turn that off, just like you can
> turn update notification off, but statistically no one does.

> The only new information being sent by the update checker is PHP
> version and a list of plugins. If you don't like that feature, please
> install a plugin to disable it:

> http://wordpress.org/extend/plugins/disable-wordpress-core-update/
> http://wordpress.org/extend/plugins/disable-wordpress-plugin-updates/

> Of course don't forget the WP dev blog and planet RSS feeds, and most
> importantly the incoming links feed which ALSO transmits your blog URL.

> I would also recommend disabling the updates in Mac OS X, Firefox,
> Windows, Thunderbird, Adobe Photoshop, and any other third-party
> applications you have. As all of those are tied to your personal IP
> and not your server IP they have far more implications for privacy.

I think you didn't get my point. This is not about what I write, but
what information gets collected at one point and whether I can decide
about that. Of course I have an interest in spreading my word. And I
already said that it is no problem being listed on Google. It's the
combination of Plugins + Versions + URL.

>> If that database
>> gets public and you find a security bug in one of the plugins - there
>> are enough - you can start a _very_ effective attack!

> Such an attack would not be more effective, it would just be more
> efficient. Historically, however, scripts that attack
> WordPress don't bother checking the version or if a plugin is there or
> not, they just seek out every WP blog and check the specific
> capability or vulnerability.

Well, it will also be more effective, because fewer people will notice.
And yes, you are right, it will be more efficient, something that is
probably worth a bit of money.

> Nevertheless, we're beefing up the infrastructure and security of
> WordPress.org, which Barry is working on right this instant. In 2
> years of running WordPress.com and Akismet, two extraordinarily
> high-visibility targets, there has never been a problem on a server
> Barry set up. The only problems we've had (once on WP.org, once on
> PhotoMatt) have been things I set up, and I'm not setting up these new
> ones. :)

NSA, CIA, FBI, NASA all thought their systems were safe. And if there is
nothing to lose there is nothing to bother about. And as I said, I have no
problem with collecting data, but with being able to relate them.

> I think this feature is actually going to dramatically improve the
> security of WordPress overall. We all saw the survey that 95% of WP
> blogs were vulnerable. That didn't even look at plugins. I think the
> survey was flawed, but you still can't deny that for most people
> knowing there is an update and actually updating just doesn't happen,
> and this is a necessary first step.

I'm with you.

> If the only "trade-off" is sending an ALREADY PUBLIC blog URL to
> wordpress.org, then great!

Once again: it's not about the blog URL, it's about the relationship
BlogURL & plugins & their versions. BlogURL | plugins & their versions
is no problem for me.

Morty

_______________________________________________
wp-hackers mailing list
wp-hack...@lists.automattic.com
http://lists.automattic.com/mailman/listinfo/wp-hackers
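The point argued over in the exchange above, that the update service needs the plugin list to answer an update check and needs per-version counts for statistics, but that keeping the blog URL joined to both is what turns a leaked database into a target list, as an added example. This is not WordPress or wordpress.org code; the plugin names, version numbers, blog URLs and the "fixed in" version used for the attacker's query are all constructed sample data, and the two store classes are a model of the design choice, not of the actual wordpress.org backend.

```python
"""Added example (not WordPress or wordpress.org code): models the update
checker's report of blog URL + installed plugins + versions and shows the
difference between storing that data linked and storing it unlinked.
All URLs, plugin names and version numbers are constructed sample data."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed stand-in for the update service's catalogue of latest versions.
LATEST: Dict[str, str] = {"foo-gallery": "1.4", "bar-forms": "2.1", "baz-cache": "0.9"}

# Constructed update-check reports: (blog URL, {plugin: installed version}).
REPORTS: List[Tuple[str, Dict[str, str]]] = [
    ("http://blog-a.example", {"foo-gallery": "1.2", "bar-forms": "2.1"}),
    ("http://blog-b.example", {"foo-gallery": "1.4", "baz-cache": "0.8"}),
    ("http://blog-c.example", {"bar-forms": "1.9", "baz-cache": "0.9"}),
]


def version_tuple(v: str) -> Tuple[int, ...]:
    """'1.10' -> (1, 10), so comparisons are numeric rather than lexical."""
    return tuple(int(part) for part in v.split("."))


def updates_for(installed: Dict[str, str]) -> Dict[str, str]:
    """The service's real job: which installed plugins are behind LATEST.
    Computed from the plugin list alone; the blog URL plays no part."""
    return {
        name: LATEST[name]
        for name, ver in installed.items()
        if name in LATEST and version_tuple(ver) < version_tuple(LATEST[name])
    }


class LinkedStore:
    """What the thread objects to: URL kept alongside plugins and versions."""

    def __init__(self) -> None:
        self.rows: List[Tuple[str, Dict[str, str]]] = []

    def record(self, url: str, installed: Dict[str, str]) -> None:
        self.rows.append((url, dict(installed)))

    def stats(self) -> Counter:
        """Per plugin/version install counts (the legitimate use)."""
        return Counter((n, v) for _, inst in self.rows for n, v in inst.items())

    def targets(self, plugin: str, fixed_in: str) -> List[str]:
        """The query a leak enables: every URL running `plugin` older than
        `fixed_in`, i.e. a ready-made target list for one plugin bug."""
        return sorted(
            url for url, inst in self.rows
            if plugin in inst and version_tuple(inst[plugin]) < version_tuple(fixed_in)
        )


class UnlinkedStore:
    """Data-minimised alternative: only plugin/version counts are kept, so
    the same statistics exist but no URL can be joined to them."""

    def __init__(self) -> None:
        self.counts: Counter = Counter()

    def record(self, installed: Dict[str, str]) -> None:
        # No url parameter: the report is tallied, not stored.
        for name, ver in installed.items():
            self.counts[(name, ver)] += 1

    def stats(self) -> Counter:
        return Counter(self.counts)

    def exposed_count(self, plugin: str, fixed_in: str) -> int:
        """How many installs are behind the fix: useful to the project,
        useless as a target list because no site identity survives."""
        return sum(
            c for (n, v), c in self.counts.items()
            if n == plugin and version_tuple(v) < version_tuple(fixed_in)
        )


def build_stores(reports=REPORTS) -> Tuple[LinkedStore, UnlinkedStore]:
    """Feed the same constructed reports through both designs."""
    linked, unlinked = LinkedStore(), UnlinkedStore()
    for url, installed in reports:
        linked.record(url, installed)
        unlinked.record(installed)
    return linked, unlinked


if __name__ == "__main__":
    linked, unlinked = build_stores()
    for url, installed in REPORTS:
        print(url, "needs", updates_for(installed))
    print("stats identical:", linked.stats() == unlinked.stats())
    # Constructed scenario: a bug in foo-gallery fixed in 1.3.
    print("leaked linked DB yields targets:", linked.targets("foo-gallery", "1.3"))
    print("unlinked DB yields only a count:", unlinked.exposed_count("foo-gallery", "1.3"))
```

Both stores produce identical statistics and the update answer never touches the URL, so nothing the service needs is lost by not linking the URL to the plugin list; only the attacker's query after a leak loses its value.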