Discussion:
Plugin update & security / privacy
Moritz 'Morty' Strübe
2007-09-23 09:35:41 UTC
Permalink
I know this will not change until Monday, but is it really necessary to
transmit the URL? Wouldn't the md5 of the URL do? I know it's easy to
find WP-Blogs via google. But imagine have them all nicely in a database
- All of them. Including version, plugins and so on. If that database
gets public and you find a security bug in one of the plugins - there
are enough - you can start a _very_ effective attack!

-> update.php:85 $http_request .= 'User-Agent: WordPress/' .
$wp_version . '; ' . get_bloginfo('url') . "\r\n";

Cheers
Morty
Omry Yadan
2007-09-23 08:52:13 UTC
Permalink
1. no need to even send the version to know there is a need to update
(just get the latest version number and compare to the current version).

2. if wp send information about the blog, the users should be aware of
this and be able to turn it off. this is a bad publicity bomb waiting to
go off.
Post by Moritz 'Morty' Strübe
I know this will not change until Monday, but is it really necessary to
transmit the URL? Wouldn't the md5 of the URL do? I know it's easy to
find WP-Blogs via google. But imagine have them all nicely in a database
- All of them. Including version, plugins and so on. If that database
gets public and you find a security bug in one of the plugins - there
are enough - you can start a _very_ effective attack!
-> update.php:85 $http_request .= 'User-Agent: WordPress/' .
$wp_version . '; ' . get_bloginfo('url') . "\r\n";
Cheers
Morty
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Viper007Bond
2007-09-23 10:52:41 UTC
Permalink
Your logic is flawed. You assume that someone looking to exploit won't
attack the latest version. This is usually untrue. If a serious exploit is
found, hackers usually just Google for "WordPress" (it's already on your
site for "powered by WordPress") or like wp-login.php and then attempt to
exploit it, regardless of version. If some database somewhere somehow did
get leaked, then all it'd do is just make the hackers job easier -- it
wouldn't enable them.

And by checking for an update, your server's IP address is sent
automatically. It wouldn't be hard to reverse lookup that IP.

Simply put, if you really insist on wearing a tin foil hat, it's uber easy
to disable the automatic update checker. For the other 99.99999% of people
out there, this feature will be a godsend to them in both terms of new
features and more importantly, the _only_ real way to make sure your site
doesn't get hacked -- by running the latest version.
Post by Moritz 'Morty' Strübe
I know this will not change until Monday, but is it really necessary to
transmit the URL? Wouldn't the md5 of the URL do? I know it's easy to
find WP-Blogs via google. But imagine have them all nicely in a database
- All of them. Including version, plugins and so on. If that database
gets public and you find a security bug in one of the plugins - there
are enough - you can start a _very_ effective attack!
-> update.php:85 $http_request .= 'User-Agent: WordPress/' .
$wp_version . '; ' . get_bloginfo('url') . "\r\n";
Cheers
Morty
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
--
Viper007Bond | http://www.viper007bond.com/
Alex Günsche
2007-09-23 11:12:49 UTC
Permalink
Post by Viper007Bond
And by checking for an update, your server's IP address is sent
automatically. It wouldn't be hard to reverse lookup that IP.
That's not true. Most blogs are on virtual hosting environments, where
many domains are assigned to one IP. And even if in fact you have only
one domain on your server, the party performing a reverse lookup will
not be able to tell that. Therefore it's a large difference whether you
log the client IP or you transmit the blog URL. And this is the very
reason why Automattic logs the Blog URL.
Post by Viper007Bond
Simply put, if you really insist on wearing a tin foil hat, it's uber easy
to disable the automatic update checker. For the other 99.99999% of people
out there, this feature will be a godsend to them in both terms of new
features and more importantly, the _only_ real way to make sure your site
doesn't get hacked -- by running the latest version.
It's none of WP's business who runs a blog. I know some people don't
care about privacy, I however do, and I disapprove anybody trying to
gather more information than neccessary about me and what I do. Unless
anybody can give me a good explaination for why Wordpress/Automattic
needs to know my URLs.

By the way, I was rather shocked when I saw what big bunch of data
Akismet transmits on connecting to its server. Why the heck does Akismet
transmit *all* my $_SERVER environment variables? That's a big reason to
mistrust Akismet, unless there are *very* good reasons for that. And I
doubt there are any.


Alex
--
Alex Günsche, Zirona OpenSource-Consulting
Blogs: http://www.zirona.com/ | http://www.regularimpressions.net
PubKey for this address: http://www.zirona.com/misc/ag.ml2007.asc
Alex Günsche
2007-09-23 11:15:41 UTC
Permalink
Post by Alex Günsche
By the way, I was rather shocked when I saw what big bunch of data
Akismet transmits on connecting to its server. Why the heck does Akismet
transmit *all* my $_SERVER environment variables? That's a big reason to
mistrust Akismet, unless there are *very* good reasons for that. And I
doubt there are any.
By the way, does Rule No. 1 of Automattic's privacy policy still apply?

"We don't ask you for personal information unless we truly need it. (We
can?t stand services that ask you for things like your gender or income
level for no apparent reason.)"

http://automattic.com/privacy/

Because, I also can't stand services that retrieve my $_SERVER variables
and my blog URL for no apparent reason.

</rant>


Kind regards,
Alex
--
Alex Günsche, Zirona OpenSource-Consulting
Blogs: http://www.zirona.com/ | http://www.regularimpressions.net
PubKey for this address: http://www.zirona.com/misc/ag.ml2007.asc
Jamie Holly
2007-09-23 12:37:01 UTC
Permalink
We were discussing this on a political blogger mailing list I am on. There
are about 30 WP users on that list. As of this morning, 18 of them said they
will not be moving to WP 2.3 solely because of this. Like one of the
bloggers said; "If they are not telling you about this feature when you
upgrade, then when will they take other personal information like emails and
secretly send them to a server".

I know this is a small micro-sampling of WP users, but it has had me
thinking. While most of us on the mailing list know Matt and that he
wouldn't be out to do something like that, how about the other 99%+ WP users
out there who don't know him? In a time when internet privacy concerns are
in our daily newspapers, I believe a lot more consideration should be given
to this before rolling it out. IMHO the best option would be to include the
feature as a bundled plugin. That way people can opt into it.

Personally, my biggest complaint is with the persistence of this
notification. I changed the version # just so I could see it. There really
needs to be a way to close this out. Having it show all the time is a nag. I
say make it so when someone closes it, it will come back every 24 hours or
so. It shouldn't be that bad to implement a way to close this out.

- Put a close link on the notification. Have it remove it either via ajax or
a get method (possibly read in admin.php). When it's closed you set an
option HideUpdateNotification_{$user->ID}. Set that with the
currenttime+time_to_hide_it. This is option is checked and if the option
time<currenttime, go ahead and show it again (then the person can close it
again if they so choose).

Jamie Holly
http://www.intoxination.net
-----Original Message-----
Sent: Sunday, September 23, 2007 7:16 AM
Subject: Re: [wp-hackers] Plugin update & security / privacy
Post by Alex Günsche
By the way, I was rather shocked when I saw what big bunch of data
Akismet transmits on connecting to its server. Why the heck does
Akismet
Post by Alex Günsche
transmit *all* my $_SERVER environment variables? That's a big reason
to
Post by Alex Günsche
mistrust Akismet, unless there are *very* good reasons for that. And I
doubt there are any.
By the way, does Rule No. 1 of Automattic's privacy policy still apply?
"We don't ask you for personal information unless we truly need it. (We
can?t stand services that ask you for things like your gender or income
level for no apparent reason.)"
http://automattic.com/privacy/
Because, I also can't stand services that retrieve my $_SERVER variables
and my blog URL for no apparent reason.
</rant>
Kind regards,
Alex
--
Alex Günsche, Zirona OpenSource-Consulting
Blogs: http://www.zirona.com/ | http://www.regularimpressions.net
PubKey for this address: http://www.zirona.com/misc/ag.ml2007.asc
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Alex Günsche
2007-09-23 13:09:35 UTC
Permalink
Post by Jamie Holly
We were discussing this on a political blogger mailing list I am on. There
are about 30 WP users on that list. As of this morning, 18 of them said they
will not be moving to WP 2.3 solely because of this. Like one of the
bloggers said; "If they are not telling you about this feature when you
upgrade, then when will they take other personal information like emails and
secretly send them to a server".
I wouldn't go so far to accuse WP/Automattic of *secretly* submitting
data. However, I dislike it when software tries to gather too much data,
and other people obviously agree. (Just imagine what would happen if,
say, MS IIS would send your server environment variables to a MS
server.) So I always look for ways to cut off this kind of behaviour.

Anyway, not upgrading is a bad idea, you know the reasons. You *could*
go back to 2.0.x, but not without much effort and potential issues.

As for Akismet, one can simply find the following section and comment it
out:

foreach ( $_SERVER as $key => $value )
if ( !in_array( $key, $ignore ) )
$comment["$key"] = $value;

Luckily, this modification doesn't affect Akismet's functioning, and if
it would (e.g. in a future version), it wouldn't be a problem faking
this data. As Akismet resides in wp-content/ the plugin isn't directly
affected by core upgrades either.
Post by Jamie Holly
- Put a close link on the notification. Have it remove it either via ajax or
a get method (possibly read in admin.php). When it's closed you set an
option HideUpdateNotification_{$user->ID}. Set that with the
currenttime+time_to_hide_it. This is option is checked and if the option
time<currenttime, go ahead and show it again (then the person can close it
again if they so choose).
Sounds interesting. However, I have an idea for a hack to prevent the
submission of the blog URL in this specific case, and I think I'll
release it as a plugin in case it should become neccessary.

By the way, could you (Jamie) send me a link to your list, specifically
to the mentioned discussion, to my e-mail address? Thanks.

Kind regards,
Alex
--
Alex Günsche, Zirona OpenSource-Consulting
Blogs: http://www.zirona.com/ | http://www.regularimpressions.net
PubKey for this address: http://www.zirona.com/misc/ag.ml2007.asc
Alex Günsche
2007-09-23 14:57:47 UTC
Permalink
Post by Jamie Holly
We were discussing this on a political blogger mailing list I am on. There
are about 30 WP users on that list. As of this morning, 18 of them said they
will not be moving to WP 2.3 solely because of this.
Ok, before you guys don't upgrade at all, here's a little plugin which
will completely(!) suppress the version checker.

------- SNIP -------
<?php
/*
Plugin Name: No Update Checker
Description: *Very* rough hack to suppress the WordPress update checker.
Version: 0.1
*/

function noupdatechecker()
{
if ( !defined('WP_INSTALLING') )
define('WP_INSTALLING', true);
}
add_action('init', 'noupdatechecker', 9);
?>
------- SNIP -------

Save the above as noupdatechecker.php (or whatever) in
wp-content/plugins/. No whitespace must be outside the PHP tags! Then
activate the plugin in the admin panel.

Note: The plugin deactivates the version checker by defining
WP_INSTALLING, a constant that is used in other parts of the core, too.
I had a quick grep, looked at the respective positions, and tested the
associated WP features -- the normal functioning of WordPress seems not
to be impacted by this hack. Anyway, if strange things happen due to its
usage, let me know. Feedback is apprechiated (e-mail me).


Kind regards,
Alex
--
Alex Günsche, Zirona OpenSource-Consulting
Blogs: http://www.zirona.com/ | http://www.regularimpressions.net
PubKey for this address: http://www.zirona.com/misc/ag.ml2007.asc
John Blackbourn
2007-09-23 15:07:36 UTC
Permalink
I already made a plugin to do that at
http://wordpress.org/extend/plugins/disable-wordpress-plugin-updates/
:-)
Post by Alex Günsche
Post by Jamie Holly
We were discussing this on a political blogger mailing list I am on. There
are about 30 WP users on that list. As of this morning, 18 of them said they
will not be moving to WP 2.3 solely because of this.
Ok, before you guys don't upgrade at all, here's a little plugin which
will completely(!) suppress the version checker.
------- SNIP -------
<?php
/*
Plugin Name: No Update Checker
Description: *Very* rough hack to suppress the WordPress update checker.
Version: 0.1
*/
function noupdatechecker()
{
if ( !defined('WP_INSTALLING') )
define('WP_INSTALLING', true);
}
add_action('init', 'noupdatechecker', 9);
?>
------- SNIP -------
Save the above as noupdatechecker.php (or whatever) in
wp-content/plugins/. No whitespace must be outside the PHP tags! Then
activate the plugin in the admin panel.
Note: The plugin deactivates the version checker by defining
WP_INSTALLING, a constant that is used in other parts of the core, too.
I had a quick grep, looked at the respective positions, and tested the
associated WP features -- the normal functioning of WordPress seems not
to be impacted by this hack. Anyway, if strange things happen due to its
usage, let me know. Feedback is apprechiated (e-mail me).
Kind regards,
Alex
--
Alex Günsche, Zirona OpenSource-Consulting
Blogs: http://www.zirona.com/ | http://www.regularimpressions.net
PubKey for this address: http://www.zirona.com/misc/ag.ml2007.asc
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Alex Günsche
2007-09-23 15:32:22 UTC
Permalink
Post by John Blackbourn
I already made a plugin to do that at
http://wordpress.org/extend/plugins/disable-wordpress-plugin-updates/
:-)
Cool, that's good to know. However, as far as I see, this won't stop
wp-includes/update.php from executing. That file contains a function
that is registered via the 'init' hook, and it is loaded on each page of
the admin panel.


Kind regards,
Alex
--
Alex Günsche, Zirona OpenSource-Consulting
Blogs: http://www.zirona.com/ | http://www.regularimpressions.net
PubKey for this address: http://www.zirona.com/misc/ag.ml2007.asc
John Blackbourn
2007-09-23 15:44:04 UTC
Permalink
Alex, if you're looking at wp-includes/update.php then that function
is for the core update system (which can be disabled with my other
plugin http://wordpress.org/extend/plugins/disable-wordpress-core-update/).

The plugin update system is handled in wp-admin/incluces/update.php
and is called on the load-plugins.php hook.

John.
Post by Alex Günsche
Post by John Blackbourn
I already made a plugin to do that at
http://wordpress.org/extend/plugins/disable-wordpress-plugin-updates/
:-)
Cool, that's good to know. However, as far as I see, this won't stop
wp-includes/update.php from executing. That file contains a function
that is registered via the 'init' hook, and it is loaded on each page of
the admin panel.
Kind regards,
Alex
--
Alex Günsche, Zirona OpenSource-Consulting
Blogs: http://www.zirona.com/ | http://www.regularimpressions.net
PubKey for this address: http://www.zirona.com/misc/ag.ml2007.asc
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Alex Günsche
2007-09-23 15:58:47 UTC
Permalink
Post by John Blackbourn
Alex, if you're looking at wp-includes/update.php then that function
is for the core update system (which can be disabled with my other
plugin http://wordpress.org/extend/plugins/disable-wordpress-core-update/).
The plugin update system is handled in wp-admin/incluces/update.php
and is called on the load-plugins.php hook.
Great! This is indeed much better than my solution -- I also should have
thought of remove_action(). Thumbs up! :-)

Kind regards,
Alex
--
Alex Günsche, Zirona OpenSource-Consulting
Blogs: http://www.zirona.com/ | http://www.regularimpressions.net
PubKey for this address: http://www.zirona.com/misc/ag.ml2007.asc
Moritz 'Morty' Strübe
2007-09-23 11:33:08 UTC
Permalink
Post by Viper007Bond
Your logic is flawed. You assume that someone looking to exploit won't
attack the latest version. This is usually untrue.
And as the version gets transmitted you also get a nice list of outdated
blogs.
Post by Viper007Bond
If a serious exploit is
found, hackers usually just Google for "WordPress"
Didn't I already say I thought of that?
Post by Viper007Bond
(it's already on your
site for "powered by WordPress") or like wp-login.php and then attempt to
exploit it, regardless of version. If some database somewhere somehow did
get leaked, then all it'd do is just make the hackers job easier -- it
wouldn't enable them.
That's why I'm referring to plugins. Opposed to Wordpress plugins have
fewer installations and often maintained by a single person. Fewer
installations makes them less interesting for attacks, because it is not
always easy to find them. But if you have a nice list, including the
version in use.... The problem with the single person is, that this
person is maintaining the plugin in his spare time. Opposed to Wordpress
it self where a lot of people, making money, are interested in Wordpress
being safe.
Post by Viper007Bond
And by checking for an update, your server's IP address is sent
automatically. It wouldn't be hard to reverse lookup that IP.
First of all you don't need a reverse lookup as you can just enter the
IP. Second if you do a reverse lookup you often only get something linke
serverxy.hoster.tld, because most people don't want to spend so much
money for a v-server or even a real server. Therefore the IP doesn't
help you that much. Of couse you can check all the Domains on that Host,
but you would also have to check for subdomains and or subdirectories.
Of course there are people where you can start an attack using the IP or
with the domain you get with a reverse lookup, but those are not the
installations I'm worried about. BTW: Being able to access a server by
IP number or the reverse DNS-entry is a security flaw in my eyes, but
that is another matter.
Or in short: The IP helps you, but not much.
Post by Viper007Bond
Simply put, if you really insist on wearing a tin foil hat, it's uber easy
to disable the automatic update checker.
I do not want to do that! And I never suggested that! (I hope you know
what a md5 is....)
Post by Viper007Bond
For the other 99.99999% of people
out there, this feature will be a godsend to them in both terms of new
features and more importantly, the _only_ real way to make sure your site
doesn't get hacked -- by running the latest version.
But still that is no reason to tell everybody which version I'm running.
And sorry I'm not able to update my Software 24/7. This is no f*ck'n
pro/contra update checking discussion. It is a: Do you really need to
collect all this information? And do you know that collecting it is a
reasonable threat? Because if there is a security update and someone
does get that list he can run an attack on those hosts who haven't
updated yet.

Morty
Post by Viper007Bond
Post by Moritz 'Morty' Strübe
I know this will not change until Monday, but is it really necessary to
transmit the URL? Wouldn't the md5 of the URL do? I know it's easy to
find WP-Blogs via google. But imagine have them all nicely in a database
- All of them. Including version, plugins and so on. If that database
gets public and you find a security bug in one of the plugins - there
are enough - you can start a _very_ effective attack!
-> update.php:85 $http_request .= 'User-Agent: WordPress/' .
$wp_version . '; ' . get_bloginfo('url') . "\r\n";
Cheers
Morty
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
--
strübe.de <http://xn--strbe-mva.de>

Diese Email ist signiert. Sollte Dein Email-Client keine Signaturen
unterstützen wird eine smime.p7s-Datei im Anhang angezeigt.

Meinen PGP/GPG-Key gibt es auf den üblichen Keyservern.
Moritz 'Morty' Strübe
2007-09-23 13:30:02 UTC
Permalink
To get some facts out added some debugging output.
Notice that there are 11k of data transmitted. Also of course your
Wordpress version and your url (which I already encapsulated in a md5).
IMHO a list of plugin names and a answer with the current version
numbers is enough data to be transmitted.

The request:

POST /plugins/update-check/1.0/ HTTP/1.0
Host: api.wordpress.org
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 11000
User-Agent: WordPress/2.3-RC1; 4b028de5098db7fb05c6d6dd264de215

And the data:

data:object(stdClass)(2) {
["plugins"]=>
array(15) {
["akismet/akismet.php"]=>
array(5) {
["Name"]=>
string(7) "Akismet"
["Title"]=>
string(71) "<a href="http://akismet.com/" title="Visit plugin homepage">Akismet</a>"
["Description"]=>
string(354) "Akismet checks your comments against the Akismet web service to see if they look like spam or not. You need a <a href="http://wordpress.com/api-keys/">WordPress.com API key</a> to use it. You can review the spam it catches under &#8220;Comments.&#8221; To show off your Akismet stats just put <code>&lt;?php akismet_counter(); ?></code> in your template."
["Author"]=>
string(80) "<a href="http://photomatt.net/" title="Visit author homepage">Matt Mullenweg</a>"
["Version"]=>
string(5) "2.0.2"
}
["cjd_delete_de.php"]=>
array(5) {
["Name"]=>
string(35) "CJD-<br />Spam Nuke <br />(deutsch)"
["Title"]=>
string(121) "<a href="http://chrisjdavis.org/category/wp-hacks/" title="Visit plugin homepage">CJD-<br />Spam Nuke <br />(deutsch)</a>"
["Description"]=>
string(216) "Dieses Plugin macht all die Kommentare sicht- und l&ouml;schbar, die mit dem Attribut &#8216;Spam&#8217; in der Datenbank herumliegen. Deutsche Bearbeitung: <a href="http://www.journal.kylaloo.net/">Mathias Hundt</a>"
["Author"]=>
string(105) "<a href="http://chrisjdavis.org/" title="Visit author homepage">Chris J. Davis, Scott (skippy) Merill</a>"
["Version"]=>
string(5) "1.5.3"
}
["follow.php"]=>
array(5) {
["Name"]=>
string(10) "Follow-URL"
["Title"]=>
string(79) "<a href="http://blog.taragana.com" title="Visit plugin homepage">Follow-URL</a>"
["Description"]=>
string(108) "Dieses Plugin entfernt das <strong>nofollow</strong>-Attribut, dass WordPress an Links in Kommentaren setzt."
["Author"]=>
string(90) "<a href="http://blog.taragana.com/" title="Visit author homepage">Angsuman Chakraborty</a>"
["Version"]=>
string(3) "1.0"
}
["gengo/gengo.php"]=>
array(5) {
["Name"]=>
string(5) "Gengo"
["Title"]=>
string(88) "<a href="http://jamietalbot.com/wp-hacks/gengo/" title="Visit plugin homepage">Gengo</a>"
["Description"]=>
string(180) "Multi-language blogging for WordPress.<br/>Licensed under the <a href="http://www.opensource.org/licenses/mit-license.php">MIT License</a>, Copyright &copy; 2006-2007 Jamie Talbot."
["Author"]=>
string(80) "<a href="http://jamietalbot.com/" title="Visit author homepage">Jamie Talbot</a>"
["Version"]=>
string(3) "0.9"
}
["gravatars2.php"]=>
array(5) {
["Name"]=>
string(10) "Gravatars2"
["Title"]=>
string(84) "<a href="http://zenpax.com/gravatars2/" title="Visit plugin homepage">Gravatars2</a>"
["Description"]=>
string(326) "Implements Gravatars (global avatars: gravatar.com) with enhanced caching support, cron support, &#038; administrative interface to control default options. Registered users can use local Gravatars (also cached). Copyright 2006 Kip Bond; Licensed under the terms of the <a href="http://www.gnu.org/licenses/gpl.html">GPL</a>."
["Author"]=>
string(82) "<a href="http://zenpax.com/gravatars2/" title="Visit author homepage">Kip Bond</a>"
["Version"]=>
string(5) "2.6.1"
}
["gravatars2-wpcron.php"]=>
array(5) {
["Name"]=>
string(18) "Gravatars2 WP-Cron"
["Title"]=>
string(92) "<a href="http://zenpax.com/gravatars2/" title="Visit plugin homepage">Gravatars2 WP-Cron</a>"
["Description"]=>
string(194) "Refreshes the cached gravatar images using a pseudo-cron implementation &#8212; Requires WP-Cron (http://skippy.net/blog/2005/10/09/wp-cron-14/) &#038; Gravatars2 (http://zenpax.com/gravatars2/)"
["Author"]=>
string(82) "<a href="http://zenpax.com/gravatars2/" title="Visit author homepage">Kip Bond</a>"
["Version"]=>
string(3) "1.1"
}
["hello.php"]=>
array(5) {
["Name"]=>
string(11) "Hello Dolly"
["Title"]=>
string(78) "<a href="http://wordpress.org/#" title="Visit plugin homepage">Hello Dolly</a>"
["Description"]=>
string(295) "This is not just a plugin, it symbolizes the hope and enthusiasm of an entire generation summed up in two words sung most famously by Louis Armstrong: Hello, Dolly. When activated you will randomly see a lyric from <cite>Hello, Dolly</cite> in the upper right of your admin screen on every page."
["Author"]=>
string(80) "<a href="http://photomatt.net/" title="Visit author homepage">Matt Mullenweg</a>"
["Version"]=>
string(3) "1.5"
}
["locktest.php"]=>
array(5) {
["Name"]=>
string(9) "Lock test"
["Title"]=>
string(96) "<a href="http://xn--strbe-mva.de/post-notification/" title="Visit plugin homepage">Lock test</a>"
["Description"]=>
string(14) "Tests locking."
["Author"]=>
string(86) "<a href="http://xn--strbe-mva.de" title="Visit author homepage">Moritz Str&uuml;be</a>"
["Version"]=>
string(3) "1.0"
}
["a_o42-clean-umlauts.php"]=>
array(5) {
["Name"]=>
string(17) "o42-clean-umlauts"
["Title"]=>
string(116) "<a href="http://otaku42.de/2005/06/30/plugin-o42-clean-umlauts/" title="Visit plugin homepage">o42-clean-umlauts</a>"
["Description"]=>
string(366) "Das Plugin konvertiert die deutschen Umlaute in den Beitragstiteln, Kommentaren und Feeds zu ASCII. - Aus &auml;,&uuml;,&ouml;,&szlig; wird ein ae, ue, oe und ss. auf der L&ouml;sung von <a href="http://www.papascott.de">Scott Hanson</a>. Das Plugin wirkt sich nur aus, wenn bei der Permalinstruktur &#8220;<em>Basierend auf Datum und Name</em>&#8221; aktiviert ist."
["Author"]=>
string(79) "<a href="http://otaku42.de/" title="Visit author homepage">Michael Renzmann</a>"
["Version"]=>
string(5) "0.2.0"
}
["wp-pagesnav/wp-pagesnav.php"]=>
array(5) {
["Name"]=>
string(7) "PageNav"
["Title"]=>
string(88) "<a href="http://www.adsworth.info/wp-pagesnav" title="Visit plugin homepage">PageNav</a>"
["Description"]=>
string(18) "Header Navigation."
["Author"]=>
string(80) "<a href="http://www.adsworth.info/" title="Visit author homepage">Adi Sieker</a>"
["Version"]=>
string(5) "0.0.1"
}
["post_notification/post_notification.php"]=>
array(5) {
["Name"]=>
string(17) "Post Notification"
["Title"]=>
string(104) "<a href="http://xn--strbe-mva.de/post-notification/" title="Visit plugin homepage">Post Notification</a>"
["Description"]=>
string(74) "Sends an email to all subscribers. See readme or instructions for details."
["Author"]=>
string(86) "<a href="http://xn--strbe-mva.de" title="Visit author homepage">Moritz Str&uuml;be</a>"
["Version"]=>
string(8) "1.2.rc 5"
}
["PN_mailfix.php"]=>
array(5) {
["Name"]=>
string(25) "Post Notification Mailfix"
["Title"]=>
string(112) "<a href="http://xn--strbe-mva.de/post-notification/" title="Visit plugin homepage">Post Notification Mailfix</a>"
["Description"]=>
string(54) "Fixes problems sending HTML-mails - Only for WP 2.2.x!"
["Author"]=>
string(86) "<a href="http://xn--strbe-mva.de" title="Visit author homepage">Moritz Str&uuml;be</a>"
["Version"]=>
string(5) "1.2.1"
}
["timezone.php"]=>
array(5) {
["Name"]=>
string(9) "Time Zone"
["Title"]=>
string(92) "<a href="http://kimmo.suominen.com/sw/timezone/" title="Visit plugin homepage">Time Zone</a>"
["Description"]=>
string(136) "Automatische Umstellung von Sommerzeit auf Winterzeit. Einstellungen k&ouml;nnen unter: Optionen &raquo; Time Zone ge&auml;ndert werden."
["Author"]=>
string(85) "<a href="http://kimmo.suominen.com/" title="Visit author homepage">Kimmo Suominen</a>"
["Version"]=>
string(3) "2.1"
}
["update-monitor.php"]=>
array(5) {
["Name"]=>
string(14) "Update-Monitor"
["Title"]=>
string(78) "<a href="http://blogshop.de/" title="Visit plugin homepage">Update-Monitor</a>"
["Description"]=>
string(133) "Stay informed about new WordPress releases. <em>Powered by <a href="http://wordpress-deutschland.org">WordPress Deutschland</a></em>."
["Author"]=>
string(79) "<a href="http://blogshop.de/" title="Visit author homepage">Olaf A. Schmitz</a>"
["Version"]=>
string(3) "1.3"
}
["wp-db-backup.php"]=>
array(5) {
["Name"]=>
string(25) "WordPress Database Backup"
["Title"]=>
string(105) "<a href="http://www.skippy.net/blog/plugins/" title="Visit plugin homepage">WordPress Database Backup</a>"
["Description"]=>
string(44) "On-demand backup of your WordPress database."
["Author"]=>
string(80) "<a href="http://www.skippy.net/" title="Visit author homepage">Scott Merrill</a>"
["Version"]=>
string(3) "1.8"
}
}
["active"]=>
array(3) {
[0]=>
string(12) "locktest.php"
[1]=>
string(39) "post_notification/post_notification.php"
[2]=>
string(27) "wp-pagesnav/wp-pagesnav.php"
}
}
--
strübe.de <http://xn--strbe-mva.de>

Diese Email ist signiert. Sollte Dein Email-Client keine Signaturen
unterstützen wird eine smime.p7s-Datei im Anhang angezeigt.

Meinen PGP/GPG-Key gibt es auf den üblichen Keyservern.
Omry Yadan
2007-09-23 13:14:45 UTC
Permalink
Sounds good to me.

maybe we should only send plugin file, version and name.

also, in the spirit of my original proposal:

1. this should not be bundled with the new version check.

2. users should explicitly agree to send info before WP sends anything.
Post by Moritz 'Morty' Strübe
To get some facts out added some debugging output.
Notice that there are 11k of data transmitted. Also of course your
Wordpress version and your url (which I already encapsulated in a md5).
IMHO a list of plugin names and a answer with the current version
numbers is enough data to be transmitted.
POST /plugins/update-check/1.0/ HTTP/1.0
Host: api.wordpress.org
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 11000
User-Agent: WordPress/2.3-RC1; 4b028de5098db7fb05c6d6dd264de215
data:object(stdClass)(2) {
["plugins"]=>
array(15) {
["akismet/akismet.php"]=>
array(5) {
["Name"]=>
string(7) "Akismet"
["Title"]=>
string(71) "<a href="http://akismet.com/" title="Visit plugin homepage">Akismet</a>"
["Description"]=>
string(354) "Akismet checks your comments against the Akismet web service to see if they look like spam or not. You need a <a href="http://wordpress.com/api-keys/">WordPress.com API key</a> to use it. You can review the spam it catches under &#8220;Comments.&#8221; To show off your Akismet stats just put <code>&lt;?php akismet_counter(); ?></code> in your template."
["Author"]=>
string(80) "<a href="http://photomatt.net/" title="Visit author homepage">Matt Mullenweg</a>"
["Version"]=>
string(5) "2.0.2"
}
["cjd_delete_de.php"]=>
array(5) {
["Name"]=>
string(35) "CJD-<br />Spam Nuke <br />(deutsch)"
["Title"]=>
string(121) "<a href="http://chrisjdavis.org/category/wp-hacks/" title="Visit plugin homepage">CJD-<br />Spam Nuke <br />(deutsch)</a>"
["Description"]=>
string(216) "Dieses Plugin macht all die Kommentare sicht- und l&ouml;schbar, die mit dem Attribut &#8216;Spam&#8217; in der Datenbank herumliegen. Deutsche Bearbeitung: <a href="http://www.journal.kylaloo.net/">Mathias Hundt</a>"
["Author"]=>
string(105) "<a href="http://chrisjdavis.org/" title="Visit author homepage">Chris J. Davis, Scott (skippy) Merill</a>"
["Version"]=>
string(5) "1.5.3"
}
["follow.php"]=>
array(5) {
["Name"]=>
string(10) "Follow-URL"
["Title"]=>
string(79) "<a href="http://blog.taragana.com" title="Visit plugin homepage">Follow-URL</a>"
["Description"]=>
string(108) "Dieses Plugin entfernt das <strong>nofollow</strong>-Attribut, dass WordPress an Links in Kommentaren setzt."
["Author"]=>
string(90) "<a href="http://blog.taragana.com/" title="Visit author homepage">Angsuman Chakraborty</a>"
["Version"]=>
string(3) "1.0"
}
["gengo/gengo.php"]=>
array(5) {
["Name"]=>
string(5) "Gengo"
["Title"]=>
string(88) "<a href="http://jamietalbot.com/wp-hacks/gengo/" title="Visit plugin homepage">Gengo</a>"
["Description"]=>
string(180) "Multi-language blogging for WordPress.<br/>Licensed under the <a href="http://www.opensource.org/licenses/mit-license.php">MIT License</a>, Copyright &copy; 2006-2007 Jamie Talbot."
["Author"]=>
string(80) "<a href="http://jamietalbot.com/" title="Visit author homepage">Jamie Talbot</a>"
["Version"]=>
string(3) "0.9"
}
["gravatars2.php"]=>
array(5) {
["Name"]=>
string(10) "Gravatars2"
["Title"]=>
string(84) "<a href="http://zenpax.com/gravatars2/" title="Visit plugin homepage">Gravatars2</a>"
["Description"]=>
string(326) "Implements Gravatars (global avatars: gravatar.com) with enhanced caching support, cron support, &#038; administrative interface to control default options. Registered users can use local Gravatars (also cached). Copyright 2006 Kip Bond; Licensed under the terms of the <a href="http://www.gnu.org/licenses/gpl.html">GPL</a>."
["Author"]=>
string(82) "<a href="http://zenpax.com/gravatars2/" title="Visit author homepage">Kip Bond</a>"
["Version"]=>
string(5) "2.6.1"
}
["gravatars2-wpcron.php"]=>
array(5) {
["Name"]=>
string(18) "Gravatars2 WP-Cron"
["Title"]=>
string(92) "<a href="http://zenpax.com/gravatars2/" title="Visit plugin homepage">Gravatars2 WP-Cron</a>"
["Description"]=>
string(194) "Refreshes the cached gravatar images using a pseudo-cron implementation &#8212; Requires WP-Cron (http://skippy.net/blog/2005/10/09/wp-cron-14/) &#038; Gravatars2 (http://zenpax.com/gravatars2/)"
["Author"]=>
string(82) "<a href="http://zenpax.com/gravatars2/" title="Visit author homepage">Kip Bond</a>"
["Version"]=>
string(3) "1.1"
}
["hello.php"]=>
array(5) {
["Name"]=>
string(11) "Hello Dolly"
["Title"]=>
string(78) "<a href="http://wordpress.org/#" title="Visit plugin homepage">Hello Dolly</a>"
["Description"]=>
string(295) "This is not just a plugin, it symbolizes the hope and enthusiasm of an entire generation summed up in two words sung most famously by Louis Armstrong: Hello, Dolly. When activated you will randomly see a lyric from <cite>Hello, Dolly</cite> in the upper right of your admin screen on every page."
["Author"]=>
string(80) "<a href="http://photomatt.net/" title="Visit author homepage">Matt Mullenweg</a>"
["Version"]=>
string(3) "1.5"
}
["locktest.php"]=>
array(5) {
["Name"]=>
string(9) "Lock test"
["Title"]=>
string(96) "<a href="http://xn--strbe-mva.de/post-notification/" title="Visit plugin homepage">Lock test</a>"
["Description"]=>
string(14) "Tests locking."
["Author"]=>
string(86) "<a href="http://xn--strbe-mva.de" title="Visit author homepage">Moritz Str&uuml;be</a>"
["Version"]=>
string(3) "1.0"
}
["a_o42-clean-umlauts.php"]=>
array(5) {
["Name"]=>
string(17) "o42-clean-umlauts"
["Title"]=>
string(116) "<a href="http://otaku42.de/2005/06/30/plugin-o42-clean-umlauts/" title="Visit plugin homepage">o42-clean-umlauts</a>"
["Description"]=>
string(366) "Das Plugin konvertiert die deutschen Umlaute in den Beitragstiteln, Kommentaren und Feeds zu ASCII. - Aus &auml;,&uuml;,&ouml;,&szlig; wird ein ae, ue, oe und ss. auf der L&ouml;sung von <a href="http://www.papascott.de">Scott Hanson</a>. Das Plugin wirkt sich nur aus, wenn bei der Permalinstruktur &#8220;<em>Basierend auf Datum und Name</em>&#8221; aktiviert ist."
["Author"]=>
string(79) "<a href="http://otaku42.de/" title="Visit author homepage">Michael Renzmann</a>"
["Version"]=>
string(5) "0.2.0"
}
["wp-pagesnav/wp-pagesnav.php"]=>
array(5) {
["Name"]=>
string(7) "PageNav"
["Title"]=>
string(88) "<a href="http://www.adsworth.info/wp-pagesnav" title="Visit plugin homepage">PageNav</a>"
["Description"]=>
string(18) "Header Navigation."
["Author"]=>
string(80) "<a href="http://www.adsworth.info/" title="Visit author homepage">Adi Sieker</a>"
["Version"]=>
string(5) "0.0.1"
}
["post_notification/post_notification.php"]=>
array(5) {
["Name"]=>
string(17) "Post Notification"
["Title"]=>
string(104) "<a href="http://xn--strbe-mva.de/post-notification/" title="Visit plugin homepage">Post Notification</a>"
["Description"]=>
string(74) "Sends an email to all subscribers. See readme or instructions for details."
["Author"]=>
string(86) "<a href="http://xn--strbe-mva.de" title="Visit author homepage">Moritz Str&uuml;be</a>"
["Version"]=>
string(8) "1.2.rc 5"
}
["PN_mailfix.php"]=>
array(5) {
["Name"]=>
string(25) "Post Notification Mailfix"
["Title"]=>
string(112) "<a href="http://xn--strbe-mva.de/post-notification/" title="Visit plugin homepage">Post Notification Mailfix</a>"
["Description"]=>
string(54) "Fixes problems sending HTML-mails - Only for WP 2.2.x!"
["Author"]=>
string(86) "<a href="http://xn--strbe-mva.de" title="Visit author homepage">Moritz Str&uuml;be</a>"
["Version"]=>
string(5) "1.2.1"
}
["timezone.php"]=>
array(5) {
["Name"]=>
string(9) "Time Zone"
["Title"]=>
string(92) "<a href="http://kimmo.suominen.com/sw/timezone/" title="Visit plugin homepage">Time Zone</a>"
["Description"]=>
string(136) "Automatische Umstellung von Sommerzeit auf Winterzeit. Einstellungen k&ouml;nnen unter: Optionen &raquo; Time Zone ge&auml;ndert werden."
["Author"]=>
string(85) "<a href="http://kimmo.suominen.com/" title="Visit author homepage">Kimmo Suominen</a>"
["Version"]=>
string(3) "2.1"
}
["update-monitor.php"]=>
array(5) {
["Name"]=>
string(14) "Update-Monitor"
["Title"]=>
string(78) "<a href="http://blogshop.de/" title="Visit plugin homepage">Update-Monitor</a>"
["Description"]=>
string(133) "Stay informed about new WordPress releases. <em>Powered by <a href="http://wordpress-deutschland.org">WordPress Deutschland</a></em>."
["Author"]=>
string(79) "<a href="http://blogshop.de/" title="Visit author homepage">Olaf A. Schmitz</a>"
["Version"]=>
string(3) "1.3"
}
["wp-db-backup.php"]=>
array(5) {
["Name"]=>
string(25) "WordPress Database Backup"
["Title"]=>
string(105) "<a href="http://www.skippy.net/blog/plugins/" title="Visit plugin homepage">WordPress Database Backup</a>"
["Description"]=>
string(44) "On-demand backup of your WordPress database."
["Author"]=>
string(80) "<a href="http://www.skippy.net/" title="Visit author homepage">Scott Merrill</a>"
["Version"]=>
string(3) "1.8"
}
}
["active"]=>
array(3) {
[0]=>
string(12) "locktest.php"
[1]=>
string(39) "post_notification/post_notification.php"
[2]=>
string(27) "wp-pagesnav/wp-pagesnav.php"
}
}
Moritz 'Morty' Strübe
2007-09-23 14:29:29 UTC
Permalink
Omry, although I do agree with you, I'm not sure whether you understand
the situation. We are not discussing what we - in this case they, as I
am not a core-dev and I think neither are you - should do or what is the
best way to solve this problem. The code is there and tested. The
release is Monday, tomorrow. There will be _no_ changes is the way it
works. The only thing that might happen, is that the URL get's wrapped
in a md5 or better not transmitted at all.
Cheers
Morty
Post by Omry Yadan
Sounds good to me.
maybe we should only send plugin file, version and name.
1. this should not be bundled with the new version check.
2. users should explicitly agree to send info before WP sends anything.
Post by Moritz 'Morty' Strübe
To get some facts out added some debugging output.
Notice that there are 11k of data transmitted. Also of course your
Wordpress version and your url (which I already encapsulated in a md5).
IMHO a list of plugin names and a answer with the current version
numbers is enough data to be transmitted.
POST /plugins/update-check/1.0/ HTTP/1.0
Host: api.wordpress.org
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 11000
User-Agent: WordPress/2.3-RC1; 4b028de5098db7fb05c6d6dd264de215
data:object(stdClass)(2) {
["plugins"]=>
array(15) {
["akismet/akismet.php"]=>
array(5) {
[...]
Omry Yadan
2007-09-23 13:40:45 UTC
Permalink
You confused me a bit with the suggestion to add plugin information.

in this case, I agree that sending md5 of the url is a step in the right
direction.


in all truth, I don't see why the client even NEED to send it's version.
it can be nice for statistics purpose, but nothing more..

it can just as easily be implemented by requesting the latest version
number from the server and comparing it to the current version.

but as you said, it's probably already too late for this.


I think it's a shame that the concerns raised in this mailing list in
past few weeks about this were ignored.
Post by Moritz 'Morty' Strübe
Omry, although I do agree with you, I'm not sure whether you understand
the situation. We are not discussing what we - in this case they, as I
am not a core-dev and I think neither are you - should do or what is the
best way to solve this problem. The code is there and tested. The
release is Monday, tomorrow. There will be _no_ changes is the way it
works. The only thing that might happen, is that the URL get's wrapped
in a md5 or better not transmitted at all.
Cheers
Morty
Mark Jaquith
2007-09-23 17:48:34 UTC
Permalink
Post by Moritz 'Morty' Strübe
I know this will not change until Monday, but is it really
necessary to
transmit the URL? Wouldn't the md5 of the URL do? I know it's easy to
find WP-Blogs via google. But imagine have them all nicely in a database
- All of them. Including version, plugins and so on. If that database
gets public and you find a security bug in one of the plugins - there
are enough - you can start a _very_ effective attack!
-> update.php:85 $http_request .= 'User-Agent: WordPress/' .
$wp_version . '; ' . get_bloginfo('url') . "\r\n";
I don't know, but I'm trying to find out. It seems unnecessary to
me. And it definitely works without it (or with a different --
anonymous -- string). Matt wrote that code, so I'll try to get a
hold of him today.

--
Mark Jaquith
http://markjaquith.com/

Covered Web Services
http://coveredwebservices.com/

WordPress Ninja @ b5media Inc
http://b5media.com/
Matt Mullenweg
2007-09-23 19:35:26 UTC
Permalink
Post by Moritz 'Morty' Strübe
I know this will not change until Monday, but is it really necessary to
transmit the URL?
Your blog URL and version has been sent by default for 4+ years to every
ping service in the world, including Ping-O-Matic, every time you make a
post. Of course you can turn that off, just like you can turn update
notification off, but statistically no one does.

The only new information being sent by the update checker is PHP version
and a list of plugins. If you don't like that feature, please install a
plugin to disable it:

http://wordpress.org/extend/plugins/disable-wordpress-core-update/
http://wordpress.org/extend/plugins/disable-wordpress-plugin-updates/

Of course don't forget the WP dev blog and planet RSS feeds, and most
importantly the incoming links feed which ALSO transmits your blog URL.

I would also recommend disabling the updates in Mac OS X, Firefox,
Windows, Thunderbird, Adobe Photoshop, and any other third-party
applications you have. As all of those are tied to your personal IP and
not your server IP they have far more implications for privacy.
Post by Moritz 'Morty' Strübe
If that database
gets public and you find a security bug in one of the plugins - there
are enough - you can start a _very_ effective attack!
Such an attack would not be more effective, it would just be more
efficient. Historically, however, scripts that attack against WordPress
don't bother checking the version or if a plugin is there or not, they
just seek out every WP blog and check the specific capability or
vulnerability.

Nevertheless, we're beefing up the infrastructure and security of
WordPress.org, which Barry is working on right this instant. In 2 years
of running WordPress.com and Akismet, two extraordinarily
high-visibility targets, there has never been a problem on a server
Barry set up. The only problems we've had (once on WP.org, once on
PhotoMatt) have been things I set up, and I'm not setting up these new
ones. :)

I think this feature is actually going to dramatically improve the
security of WordPress overall. We all saw the survey that 95% of WP
blogs were vulnerable. That didn't even look a plugins. I think the
survey was flawed, but you still can't deny that for most people knowing
there is an update and actually updating just doesn't happen, and this
is a necessary first step. If the only "trade-off" is sending an ALREADY
PUBLIC blog URL to wordpress.org, then great!

I would like to remind the participants of this thread that WP.org !=
Automattic, so to be fair to the members of both please distinguish
which you're referring to.
--
Matt Mullenweg
http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com
Moritz 'Morty' Strübe
2007-09-23 21:10:38 UTC
Permalink
Post by Matt Mullenweg
Post by Moritz 'Morty' Strübe
I know this will not change until Monday, but is it really necessary to
transmit the URL?
Your blog URL and version has been sent by default for 4+ years to
every ping service in the world, including Ping-O-Matic, every time
you make a post. Of course you can turn that off, just like you can
turn update notification off, but statistically no one does.
The only new information being sent by the update checker is PHP
version and a list of plugins. If you don't like that feature, please
http://wordpress.org/extend/plugins/disable-wordpress-core-update/
http://wordpress.org/extend/plugins/disable-wordpress-plugin-updates/
Of course don't forget the WP dev blog and planet RSS feeds, and most
importantly the incoming links feed which ALSO transmits your blog URL.
I would also recommend disabling the updates in Mac OS X, Firefox,
Windows, Thunderbird, Adobe Photoshop, and any other third-party
applications you have. As all of those are tied to your personal IP
and not your server IP they have far more implications for privacy.
I think you didn't get my point. This is not about what I write, but
what information gets collected at one point and whether I can decide
about that. Of course I have an interest in spreading my word. And I
already said that it is no problem being listed on google. It's the
combination of Plugins + Versions + Url.
Post by Matt Mullenweg
Post by Moritz 'Morty' Strübe
If that database
gets public and you find a security bug in one of the plugins - there
are enough - you can start a _very_ effective attack!
Such an attack would not be more effective, it would just be more
efficient. Historically, however, scripts that attack against
WordPress don't bother checking the version or if a plugin is there or
not, they just seek out every WP blog and check the specific
capability or vulnerability.
Well it will also be more effective, because less people will notice.
And yes you are right it will be more efficient, something that is
probably worth a bit of money.
Post by Matt Mullenweg
Nevertheless, we're beefing up the infrastructure and security of
WordPress.org, which Barry is working on right this instant. In 2
years of running WordPress.com and Akismet, two extraordinarily
high-visibility targets, there has never been a problem on a server
Barry set up. The only problems we've had (once on WP.org, once on
PhotoMatt) have been things I set up, and I'm not setting up these new
ones. :)
NSA, CIA, FBI, NASA, all thought their systems are safe. And if there is
nothing to loose there is nothing to bother. And as I said. I have no
problem with collecting data, but with being able to relate them.
Post by Matt Mullenweg
I think this feature is actually going to dramatically improve the
security of WordPress overall. We all saw the survey that 95% of WP
blogs were vulnerable. That didn't even look a plugins. I think the
survey was flawed, but you still can't deny that for most people
knowing there is an update and actually updating just doesn't happen,
and this is a necessary first step.
I'm with you.
Post by Matt Mullenweg
If the only "trade-off" is sending an ALREADY PUBLIC blog URL to
wordpress.org, then great!
Once again. It's not about the blog-URL, its about the relationship
BlogURL & plugins & their versions. Blogurl | plugins & their versions
is no problem with me.

Morty
Jamie Holly
2007-09-23 22:13:52 UTC
Permalink
Post by Matt Mullenweg
I would also recommend disabling the updates in Mac OS X, Firefox,
Windows, Thunderbird, Adobe Photoshop, and any other third-party
applications you have. As all of those are tied to your personal IP
and not your server IP they have far more implications for privacy.
This takes me back to when I was teaching. I can't tell you the countless students that would say "well X does it so why can't I"?

Now consider these applications you mentioned. Every one of them also has EULA's, privacy statements, etc. Take Windows as an example. Once you complete an install you are presented with the "Stay up to date" option. Also when you install these applications you do agree to the terms laid out within said agreements (think of that little checkbox you must check to install it). Now I concede that a majority of people do not take the time to read what they are agreeing to, but it is there none the less. Having said that, using these applications as an example is nothing more than creating a straw man on the issue.

Now the complaint I am hearing involves the transparency of this feature. When users upgrade, or even install fresh, they are not told anywhere that this information is being sent, let alone any mention or promise that it won't be used for some malicious purpose. That is why I strongly feel an option to opt in/out should be given on the upgrade/install screens.

I want to reaffirm that I know this information will *not* be used for malicious purposes. I actually think it is a good idea. Think of how the stats involving PHP versions versus overall installations would have aided in the PHP4/PHP5 debate.

Jamie Holly
http://www.intoxination.net
Charles
2007-09-23 21:34:17 UTC
Permalink
Post by Matt Mullenweg
Post by Moritz 'Morty' Strübe
I know this will not change until Monday, but is it really
necessary to transmit the URL?
Your blog URL and version has been sent by default for 4+ years
to every ping service in the world, including Ping-O-Matic,
every time you make a post.
So, this is a bit confusing...

- Ping-O-Matic is receiving my "version"? Huh?

- Automattic's not getting this data in pre-2.3 versions, correct? If that's the case, then the (obvious) problem with that is that somebody decided to flip this switch without making it opt-in.

This WordPress feature *requires* Automattic?

-- Charles
Mark Jaquith
2007-09-23 21:54:25 UTC
Permalink
Post by Matt Mullenweg
I think this feature is actually going to dramatically improve the
security of WordPress overall. We all saw the survey that 95% of WP
blogs were vulnerable. That didn't even look a plugins. I think the
survey was flawed, but you still can't deny that for most people
knowing there is an update and actually updating just doesn't
happen, and this is a necessary first step. If the only "trade-off"
is sending an ALREADY PUBLIC blog URL to wordpress.org, then great!
Back up a minute. Why is the blog URL needed? The update
notification functionality works fine without it. You don't need it
for statistics purposes -- wp_hash('update-notification') 's output
would be just as unique. How do users benefit by sending their blog
URL? I think the onus is on us to show why it is necessary or
beneficial. If we can't, it shouldn't be there.

--
Mark Jaquith
http://markjaquith.com/

Covered Web Services
http://coveredwebservices.com/

WordPress Ninja @ b5media Inc
http://b5media.com/
Matt Mullenweg
2007-09-23 22:09:35 UTC
Permalink
Post by Mark Jaquith
Back up a minute. Why is the blog URL needed?
1. It does no harm.
2. It's simple, easy, and self-evident.
3. It could be useful in the future.
--
Matt Mullenweg
http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com
Moritz 'Morty' Strübe
2007-09-23 22:29:28 UTC
Permalink
Post by Matt Mullenweg
Post by Mark Jaquith
Back up a minute. Why is the blog URL needed?
1. It does no harm.
It can. We only have your word for that. And sorry, that is not enough
for me. Especially if it does not have to be.
Post by Matt Mullenweg
2. It's simple, easy, and self-evident.
Wrapping md5 around it is, too.
Post by Matt Mullenweg
3. It could be useful in the future.
What for?
Amy Stephen
2007-09-23 22:33:36 UTC
Permalink
For when we take over the world. Did you not get the memo? ;-)

Harmless fun!
Amy :)
Post by Moritz 'Morty' Strübe
Post by Matt Mullenweg
3. It could be useful in the future.
What for?
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
--
***@gmail.com
http://OpenSourceCommunity.org
Matt Mullenweg
2007-09-23 22:41:19 UTC
Permalink
Post by Moritz 'Morty' Strübe
It can.
Your blog URL is completely harmless.
Post by Moritz 'Morty' Strübe
We only have your word for that. And sorry, that is not enough
for me. Especially if it does not have to be.
If you don't trust wordpress.org, I suggest you do one of the following:

1. Use different software.
2. Fork WordPress.
3. Install one of the aforementioned plugins.
--
Matt Mullenweg
http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com
Moritz 'Morty' Strübe
2007-09-23 22:52:27 UTC
Permalink
Post by Matt Mullenweg
Post by Moritz 'Morty' Strübe
It can.
Your blog URL is completely harmless.
Yes, but not, as a pointed out several times before, in combination with
the installed plugins and their versions.
Post by Matt Mullenweg
Post by Moritz 'Morty' Strübe
We only have your word for that. And sorry, that is not enough
for me. Especially if it does not have to be.
1. Use different software.
Wordpress is a great software. No reason to do so.
Post by Matt Mullenweg
2. Fork WordPress.
This would be quite stupid. I don't have the time to do so. And I not
going to that because of one or two lines of code. I as a coder can
easily change those. And this is not what this discussion is about.
Post by Matt Mullenweg
3. Install one of the aforementioned plugins.
Not an option. The update-notification is one of the reasons to switch
to 2.3

Cheers
Morty
Matt Mullenweg
2007-09-23 23:29:09 UTC
Permalink
Post by Moritz 'Morty' Strübe
Yes, but not, as a pointed out several times before, in combination with
the installed plugins and their versions.
What if someone knows your blog URL can they hack your blog?

No.

What if someone hacks ping-o-matic or weblogs.com and gets all the blog
URLs in the world, can they hack your blog?

No.

What if someone simply subscribes to the list of updated blogs on
weblogs.com, can they hack your blog?

No.

What if someone blindly checks for filenames in your wp-content/plugins
directory to see what plugins you're using, can they hack your blog?

No.

What if someone hacks wordpress.org and gets a list of blog URLs and the
plugins they use, can they hack your blog?

No.

What if wordpress.org also stored what version of a plugin you were
using, which there are no plans to do, AND the hacker broke in and stole
that, can they hack your blog?

No.

What if you're running an insecure version of a plugin or WordPress, can
someone hack your blog?

Yes. And they can (and do) do it without any of the above.

Please reread that.

Will the update notification feature shipping tomorrow in WordPress 2.3
mean fewer people are running insecure versions of WordPress and plugins?

Yes.

Just like there is premature optimization we could argue about for days,
I think there is also premature paranoia. What's in trunk is what is
shipping with WordPress tomorrow. I don't think your concerns are valid
in the real world, and even if you assume a malicious wordpress.org the
security and privacy of WordPress users will be no different tomorrow
than it is today. It's optimized for a reasonable person, but with hooks
and filters for those with niche concerns.
--
Matt Mullenweg
http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com
Roy Schestowitz
2007-09-24 01:37:54 UTC
Permalink
Captain's log. We received a signal from Matt Mullenweg on StarDate
Post by Matt Mullenweg
Just like there is premature optimization we could argue about for
days, I think there is also premature paranoia. What's in trunk is
what is shipping with WordPress tomorrow. I don't think your
concerns are valid in the real world, and even if you assume a
malicious wordpress.org the security and privacy of WordPress users
will be no different tomorrow than it is today. It's optimized for
a reasonable person, but with hooks and filters for those with
niche concerns.
Pardon me for asking something which might already have an answer on
the Web (I read this before), but do you know the figure that
corresponds to #/% of WordPress blogs that run the very latest (as of
today), i.e. least insecure version of WordPress?

It's an honest question, by the way; no provocation intended at all,
but one has to be realistic. Patching it about liability more than
practicality, IMHO.

- --
~~ Best of wishes

Roy S. Schestowitz, Ph.D. Candidate in Medical Biophysics
http://Schestowitz.com | GNU/Linux | PGP-Key: 0x74572E8E
http://othellomaster.com >> GPL-licensed 3-D Othello
http://iuron.com >> proposing an Open Source, non-profit search engine
Open Source journalism contributer @ http://newassignment.net
Freelance writer @ http://itmanagement.earthweb.com/
Joint Editor @ http://boycottnovell.com
Austin Matzko
2007-09-23 23:02:38 UTC
Permalink
Post by Matt Mullenweg
3. It could be useful in the future.
What's a potential benefit for users that would require knowing both
their URLs and associated plugins, as opposed to knowing just the
plugins?
Omry Yadan
2007-09-23 19:06:41 UTC
Permalink
Using their host, you can obtain their home address via whois, and then
send them personalized security warnings by snail mail.
Post by Austin Matzko
Post by Matt Mullenweg
3. It could be useful in the future.
What's a potential benefit for users that would require knowing both
their URLs and associated plugins, as opposed to knowing just the
plugins?
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Robin Adrianse
2007-09-24 02:54:14 UTC
Permalink
How are your responses constructively debating the issue at hand? Nothing
personal, but IMO this is the wrong kind of approach from your position. So
if an individual using the open source software (which theoretically anyone
can contribute to) is questioning what a feature of the software is worth,
you tell them to put up and shut up, or leave altogether?

I may regret sending this email, but this response just stoked a reaction
from me.
Post by Matt Mullenweg
Post by Moritz 'Morty' Strübe
It can.
Your blog URL is completely harmless.
Post by Moritz 'Morty' Strübe
We only have your word for that. And sorry, that is not enough
for me. Especially if it does not have to be.
1. Use different software.
2. Fork WordPress.
3. Install one of the aforementioned plugins.
--
Matt Mullenweg
http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Viper007Bond
2007-09-24 03:12:45 UTC
Permalink
Is anyone else confused as me to what this argument is over? Security
through obscurity isn't security at all.
--
Viper007Bond | http://www.viper007bond.com/
Robin Adrianse
2007-09-24 03:16:20 UTC
Permalink
It's mainly about the reasons why Automattic/WordPress need your blog's URL
in order to check updates, but in truth they don't need it at all, at least
that's my take on the discussion that's taken place.
Post by Viper007Bond
Is anyone else confused as me to what this argument is over? Security
through obscurity isn't security at all.
--
Viper007Bond | http://www.viper007bond.com/
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Moritz 'Morty' Strübe
2007-09-24 09:39:26 UTC
Permalink
Post by Viper007Bond
Is anyone else confused as me to what this argument is over? Security
through obscurity isn't security at all.
It's about security and as much obscurity as possible. Of course you
should have an up to date system. But if you don't there is no need to
tell anyone. That's why I'm not in favor of installing the plugins that
deactivate the plugins.

Morty
Mark Jaquith
2007-09-24 04:01:42 UTC
Permalink
Post by Matt Mullenweg
Post by Mark Jaquith
Back up a minute. Why is the blog URL needed?
1. It does no harm.
That's not really an argument /for/ it.
Post by Matt Mullenweg
2. It's simple, easy, and self-evident.
It's a behind the scenes feature, so simplicity and ease don't really
apply. Self-evident? Evident to whom? Evident for what purpose?
Post by Matt Mullenweg
3. It could be useful in the future.
Having a unique token is certainly nice, because it allows you to
identify unique WP installs and track percentages of people running
outdated versions or core or plugins. That sort of data can help
guide the project. For instance, if we want to change something that
will break a few plugins, we can see how many people are using those
plugins, and get an idea of the impact. That can be done with an
anonymous token.
Post by Matt Mullenweg
I think this feature is actually going to dramatically improve the
security of WordPress overall. We all saw the survey that 95% of WP
blogs were vulnerable. That didn't even look a plugins. I think the
survey was flawed, but you still can't deny that for most people
knowing there is an update and actually updating just doesn't
happen, and this is a necessary first step. If the only "trade-off"
is sending an ALREADY PUBLIC blog URL to wordpress.org, then great!
But it's not a necessary trade-off. The update functionality works
just as well with an anonymous token.

I'm not about to douse myself with gasoline here, but it does seem
like we could address the privacy concerns (edge/paranoid though they
may seem) without affecting the functionality in a negative way and
without affecting WP.org's future ability to track WP/plugin version
statistics. If you have some killer feature that could be enabled on
WP.org without a WP update and that would require the use of blog
URLs (but doesn't expose private data like which plugins they have
installed), then please share. Maybe that will be enough to set
people at ease about the data they're providing.

--
Mark Jaquith
http://markjaquith.com/

Covered Web Services
http://coveredwebservices.com/

WordPress Ninja @ b5media Inc
http://b5media.com/
Jamie Holly
2007-09-24 04:27:06 UTC
Permalink
Post by Mark Jaquith
I'm not about to douse myself with gasoline here, but it does seem
like we could address the privacy concerns (edge/paranoid though they
may seem) without affecting the functionality in a negative way and
without affecting WP.org's future ability to track WP/plugin version
statistics. If you have some killer feature that could be enabled on
WP.org without a WP update and that would require the use of blog
URLs (but doesn't expose private data like which plugins they have
installed), then please share. Maybe that will be enough to set
people at ease about the data they're providing.
--
I was just looking at Drupal status update module, and they do this very
thing. They create a site key that is sent:

$site_key = md5($base_url . $drupal_private_key);

That does offer a nice way to distinguish unique installs.

I also looked into PHPBB's core update checked. That just downloads a text
file:

http://www.phpbb.com/updatecheck/30x.txt

So that means no version checking or anything.

I was curious and decided to look at some other methods out there :)

Jamie Holly
http://www.intoxination.net
Post by Mark Jaquith
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Matt Mullenweg
2007-09-24 04:59:25 UTC
Permalink
Post by Mark Jaquith
Post by Matt Mullenweg
2. It's simple, easy, and self-evident.
It's a behind the scenes feature, so simplicity and ease don't really
apply. Self-evident? Evident to whom? Evident for what purpose?
URLs are useful unique identifiers and in my opinion the best one to use
on the web. You can normalize them, organize them by domains and
subdomains, look for odd characters or paths, create stats by TLDs, map
them to hosting providers, use them as a basis for a crawl, and
associate them with WordPress.org profiles. MD5s are unique, but don't
have a lot of value beyond that, and even a capitalization or trailing
slash change will change the whole MD5. There are also things I think we
haven't imagined yet that could make URLs useful. Maybe a .org toolbar
that ties into your .org profile and makes it easy to manage multiple
blogs and tie them together. If by the time 2.5 comes around we're still
not doing anything useful with it then we can re-examine it.

I don't think an MD5 would be significantly more anonymous either.
Anyone with a list of URLs could associate the md5 with a URL just by
pre-computing the URL MD5s and comparing. So they would be different,
but not really better. You'd have to add a salt of some kind. We're
hours from the release arguing about a bikeshed that was checked in over
a month ago.
--
Matt Mullenweg
http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com
Viper007Bond
2007-09-24 05:19:15 UTC
Permalink
I'm not trying to suck up or anything, but I have to agree with Matt on this
one. I still have yet to a valid security related issue with transmitting
the install URL when checking for updates. Not to mention all of this is
going on the assumption that Joe Blow has an Office Depot "Easy Button" for
hacking into the WP.org server and even then, as Matt said, nothing is being
stored.

The paranoid factor however is valid, as shown by this long discussion. It
seems just too many people are wearing tin foil hats these days and getting
worked up over what in my opinion is nothing. "The Man" is not out to get
you, people.

Simply put, I think we should do what is best for the majority. For the
minority, plugins will work nicely.
Post by Matt Mullenweg
Post by Mark Jaquith
Post by Matt Mullenweg
2. It's simple, easy, and self-evident.
It's a behind the scenes feature, so simplicity and ease don't really
apply. Self-evident? Evident to whom? Evident for what purpose?
URLs are useful unique identifiers and in my opinion the best one to use
on the web. You can normalize them, organize them by domains and
subdomains, look for odd characters or paths, create stats by TLDs, map
them to hosting providers, use them as a basis for a crawl, and
associate them with WordPress.org profiles. MD5s are unique, but don't
have a lot of value beyond that, and even a capitalization or trailing
slash change will change the whole MD5. There are also things I think we
haven't imagined yet that could make URLs useful. Maybe a .org toolbar
that ties into your .org profile and makes it easy to manage multiple
blogs and tie them together. If by the time 2.5 comes around we're still
not doing anything useful with it then we can re-examine it.
I don't think an MD5 would be significantly more anonymous either.
Anyone with a list of URLs could associate the md5 with a URL just by
pre-computing the URL MD5s and comparing. So they would be different,
but not really better. You'd have to add a salt of some kind. We're
hours from the release arguing about a bikeshed that was checked in over
a month ago.
--
Matt Mullenweg
http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
--
Viper007Bond | http://www.viper007bond.com/
Mark Jaquith
2007-09-24 05:44:06 UTC
Permalink
Post by Matt Mullenweg
URLs are useful unique identifiers and in my opinion the best one
to use on the web. You can normalize them, organize them by domains
and subdomains, look for odd characters or paths, create stats by
TLDs, map them to hosting providers, use them as a basis for a
crawl, and associate them with WordPress.org profiles. MD5s are
unique, but don't have a lot of value beyond that, and even a
capitalization or trailing slash change will change the whole MD5.
There are also things I think we haven't imagined yet that could
make URLs useful. Maybe a .org toolbar that ties into your .org
profile and makes it easy to manage multiple blogs and tie them
together. If by the time 2.5 comes around we're still not doing
anything useful with it then we can re-examine it.
I don't think an MD5 would be significantly more anonymous either.
Anyone with a list of URLs could associate the md5 with a URL just
by pre-computing the URL MD5s and comparing. So they would be
different, but not really better. You'd have to add a salt of some
kind. We're hours from the release arguing about a bikeshed that
was checked in over a month ago.
[ Tried to send this ~25 minutes ago but it didn't show up. Sorry if
it doubleposts ]

wp_hash() uses an unchanging salt (set once in the database and not
updated by WordPress ever). So wp_hash('update-check') will remain
constant for the life of the blog. The uses of a URL identifier you
mention are interesting -- though none seem "killer," and some of
those uses should probably be "opt-in."

--
Mark Jaquith
http://markjaquith.com/

Covered Web Services
http://coveredwebservices.com/

WordPress Ninja @ b5media Inc
http://b5media.com/
Mark Jaquith
2007-09-24 05:21:28 UTC
Permalink
Post by Matt Mullenweg
URLs are useful unique identifiers and in my opinion the best one
to use on the web. You can normalize them, organize them by domains
and subdomains, look for odd characters or paths, create stats by
TLDs, map them to hosting providers, use them as a basis for a
crawl, and associate them with WordPress.org profiles. MD5s are
unique, but don't have a lot of value beyond that, and even a
capitalization or trailing slash change will change the whole MD5.
There are also things I think we haven't imagined yet that could
make URLs useful. Maybe a .org toolbar that ties into your .org
profile and makes it easy to manage multiple blogs and tie them
together. If by the time 2.5 comes around we're still not doing
anything useful with it then we can re-examine it.
I don't think an MD5 would be significantly more anonymous either.
Anyone with a list of URLs could associate the md5 with a URL just
by pre-computing the URL MD5s and comparing. So they would be
different, but not really better. You'd have to add a salt of some
kind. We're hours from the release arguing about a bikeshed that
was checked in over a month ago.
wp_hash() uses an unchanging salt (set once in the database and not
updated by WordPress ever). So wp_hash('update-check') will remain
constant for the life of the blog. The uses of a URL identifier you
mention are interesting -- though none seem "killer," and some of
those uses should probably be "opt-in."

--
Mark Jaquith
http://markjaquith.com/

Covered Web Services
http://coveredwebservices.com/

WordPress Ninja @ b5media Inc
http://b5media.com/
Peter Westwood
2007-09-24 12:33:47 UTC
Permalink
Post by Matt Mullenweg
Post by Mark Jaquith
Post by Matt Mullenweg
2. It's simple, easy, and self-evident.
It's a behind the scenes feature, so simplicity and ease don't really
apply. Self-evident? Evident to whom? Evident for what purpose?
URLs are useful unique identifiers and in my opinion the best one to use
on the web. You can normalize them, organize them by domains and
subdomains, look for odd characters or paths, create stats by TLDs, map
them to hosting providers, use them as a basis for a crawl, and
associate them with WordPress.org profiles. MD5s are unique, but don't
have a lot of value beyond that, and even a capitalization or trailing
slash change will change the whole MD5. There are also things I think we
haven't imagined yet that could make URLs useful. Maybe a .org toolbar
that ties into your .org profile and makes it easy to manage multiple
blogs and tie them together. If by the time 2.5 comes around we're still
not doing anything useful with it then we can re-examine it.
I don't think an MD5 would be significantly more anonymous either.
Anyone with a list of URLs could associate the md5 with a URL just by
pre-computing the URL MD5s and comparing. So they would be different,
but not really better. You'd have to add a salt of some kind. We're
hours from the release arguing about a bikeshed that was checked in over
a month ago.
I think I agree with matt here. The main point is this is a bikeshed issue.
Post by Matt Mullenweg
From personal experience running the webservice for my version-check
plugin [1] I have had no complaints of issues with the fact that it sends
the blog url with every request.

For me the main points are:

1. Sending the url doesn't expose any private information.
2. We have been sending our urls out as pings for years without any issue.
3. Sending the url may allow Wordpress.org to do analysis of the user
base in the future - we should probably state this if and when it
happens.

In my view the best thing that could be done now is to document the API on
the front page of api.wordpress.org and point there from the release
notes.

[1] http://blog.ftwr.co.uk/wordpress/wp-version-check/
--
Peter Westwood <***@ftwr.co.uk>
http://blog.ftwr.co.uk
Doug Stewart
2007-09-24 13:31:18 UTC
Permalink
Post by Peter Westwood
I think I agree with matt here. The main point is this is a bikeshed issue.
Post by Matt Mullenweg
From personal experience running the webservice for my version-check
plugin [1] I have had no complaints of issues with the fact that it sends
the blog url with every request.
1. Sending the url doesn't expose any private information.
2. We have been sending our urls out as pings for years without any issue.
3. Sending the url may allow Wordpress.org to do analysis of the user
base in the future - we should probably state this if and when it
happens.
In my view the best thing that could be done now is to document the API on
the front page of api.wordpress.org and point there from the release
notes.
[1] http://blog.ftwr.co.uk/wordpress/wp-version-check/
I don't think discussion of an optional plugin is exactly apposite to
the discussion of a mandatory feature in the core product.

As the stories surrounding Yahoo!, Google, Microsoft, et al. and their
[mis]use of customers' information shows, average information
consumers are becoming increasingly worried about and sensitive to
issues pertaining to their privacy, regardless of the actual impact or
severity of the information exposed.

This isn't a bikeshed issue, in my opinion, due to the fact that when
it comes to the marketplace of ideas, perception IS reality. If
TechCrunch, Engadget, Slashdot, Kuro5hin, Linux Today, Ars Technica,
etc. get wind that WordPress is "phoning home" and not notifying users
that it is doing so (with some explanation as to the full
ramifications), well, I think Six Apart's recent issues with Open
Sourcing MT 4 are going to look like a tempest in a teapot. Your
reputation is something that is extremely difficult to build up,
fairly difficult to maintain and EXTREMELY easy to lose very quickly.

To developers, the potential benefits to having each WP install send
this info back are fairly evident. To average users, frightened by
CNN Headline News' unending litany of identity theft reports, the
benefits are not so plain.

I'm not advocating that we strip it out at the last moment. I'm
advocating for full, up-front and transparent disclosure, including,
but not limited to, the Dev Blog announcement, the release notes and
any external communications that get sent out to whomever cares to
receive information on the latest WordPress releases.
--
-Doug

http://literalbarrage.org/blog/
Doug Stewart
2007-09-24 13:47:57 UTC
Permalink
Post by Doug Stewart
I'm not advocating that we strip it out at the last moment. I'm
advocating for full, up-front and transparent disclosure, including,
but not limited to, the Dev Blog announcement, the release notes and
any external communications that get sent out to whomever cares to
receive information on the latest WordPress releases.
Not to reply to myself, but, well...

We already have a subpage under Options called "Privacy" dedicated to
a single radiobutton option. In 2.3.1 or 2.4, we ought to add "Send
my blog information back to the WordPress mothership. This will help
WordPress developers make WordPress better, faster, safer and more
secure."

Then, the bikeshed can be red OR blue, depending on how Neo-ish you're
feeling that particular day.
--
-Doug

http://literalbarrage.org/blog/
Jamie Holly
2007-09-24 13:42:54 UTC
Permalink
What makes this issue so big is the "secrecy" involving what it is doing.
Adding a simple warning, or even an opt-in/out method would entail minimal
coding. The resistance against that leaves some with a feeling that "well
maybe they are going to do something with this list of URLs". There is no
statement of privacy or anything. How is average Joe to be assured that WP
isn't going to sell this collection of URLs to spam services? Every other
mainstream service/application that collects any information makes sure the
end user knows about this and has a privacy statement to go along with the
service.

A golden rule of any product/service is that you *never* assume on behalf of
the consumer/end-user. Transparency is the key to trust. Also the strong
resistance to this transparency, given by Matt (who is more or less the
voice of WP), is actually making a stronger argument for this transparency.
When Matt said if you don't like it then "use another product, start a
fork", it really gave a sense that he has something personally to
profit/gain from this feature.

Now for a question.

I haven't looked into the code enough yet, but how effective will this
plugin to remove it be? You can't install the plugin until after you install
the product. By that time hasn't a check already been done, or does a wait a
predetermined amount of time after an install/upgrade to check for updates?

Jamie Holly
http://www.intoxination.net
-----Original Message-----
Sent: Monday, September 24, 2007 8:34 AM
Subject: Re: [wp-hackers] Plugin update & security / privacy
Post by Matt Mullenweg
Post by Mark Jaquith
Post by Matt Mullenweg
2. It's simple, easy, and self-evident.
It's a behind the scenes feature, so simplicity and ease don't really
apply. Self-evident? Evident to whom? Evident for what purpose?
URLs are useful unique identifiers and in my opinion the best one to
use
Post by Matt Mullenweg
on the web. You can normalize them, organize them by domains and
subdomains, look for odd characters or paths, create stats by TLDs,
map
Post by Matt Mullenweg
them to hosting providers, use them as a basis for a crawl, and
associate them with WordPress.org profiles. MD5s are unique, but don't
have a lot of value beyond that, and even a capitalization or trailing
slash change will change the whole MD5. There are also things I think
we
Post by Matt Mullenweg
haven't imagined yet that could make URLs useful. Maybe a .org toolbar
that ties into your .org profile and makes it easy to manage multiple
blogs and tie them together. If by the time 2.5 comes around we're
still
Post by Matt Mullenweg
not doing anything useful with it then we can re-examine it.
I don't think an MD5 would be significantly more anonymous either.
Anyone with a list of URLs could associate the md5 with a URL just by
pre-computing the URL MD5s and comparing. So they would be different,
but not really better. You'd have to add a salt of some kind. We're
hours from the release arguing about a bikeshed that was checked in
over
Post by Matt Mullenweg
a month ago.
I think I agree with matt here. The main point is this is a bikeshed issue.
Post by Matt Mullenweg
From personal experience running the webservice for my version-check
plugin [1] I have had no complaints of issues with the fact that it sends
the blog url with every request.
1. Sending the url doesn't expose any private information.
2. We have been sending our urls out as pings for years without any issue.
3. Sending the url may allow Wordpress.org to do analysis of the user
base in the future - we should probably state this if and when it
happens.
In my view the best thing that could be done now is to document the API on
the front page of api.wordpress.org and point there from the release
notes.
[1] http://blog.ftwr.co.uk/wordpress/wp-version-check/
--
http://blog.ftwr.co.uk
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Aaron Brazell
2007-09-24 14:05:17 UTC
Permalink
This conversation is pretty moot at this point. For 2.3 anyway. Ya'll can probably cool your heels. Like it or not, today is 2.3 launch date and everything has been pretty much frozen for weeks as its all been about bug fixing. I'd highly doubt that even if you convinced Matt, that _anything_ would or could be done for 2.3. So... Save your arguments and energy for 2.4.

(This is my way of trying to end the argument peacefully)
(via Blackberry)
Aaron Brazell
Director of Technology, b5media
"A Global New Media Company"

web:: www.b5media.com, www.technosailor.com
phone:: 410-608-6620
skype:: technosailor

-----Original Message-----
From: "Jamie Holly" <***@earthlink.net>

Date: Mon, 24 Sep 2007 09:42:54
To:<wp-***@lists.automattic.com>
Subject: RE: [wp-hackers] Plugin update & security / privacy


What makes this issue so big is the "secrecy" involving what it is doing.
Adding a simple warning, or even an opt-in/out method would entail minimal
coding. The resistance against that leaves some with a feeling that "well
maybe they are going to do something with this list of URLs". There is no
statement of privacy or anything. How is average Joe to be assured that WP
isn't going to sell this collection of URLs to spam services? Every other
mainstream service/application that collects any information makes sure the
end user knows about this and has a privacy statement to go along with the
service.

A golden rule of any product/service is that you *never* assume on behalf of
the consumer/end-user. Transparency is the key to trust. Also the strong
resistance to this transparency, given by Matt (who is more or less the
voice of WP), is actually making a stronger argument for this transparency.
When Matt said if you don't like it then "use another product, start a
fork", it really gave a sense that he has something personally to
profit/gain from this feature.

Now for a question.

I haven't looked into the code enough yet, but how effective will this
plugin to remove it be? You can't install the plugin until after you install
the product. By that time hasn't a check already been done, or does a wait a
predetermined amount of time after an install/upgrade to check for updates?

Jamie Holly
http://www.intoxination.net
-----Original Message-----
Sent: Monday, September 24, 2007 8:34 AM
Subject: Re: [wp-hackers] Plugin update & security / privacy
Post by Matt Mullenweg
Post by Mark Jaquith
Post by Matt Mullenweg
2. It's simple, easy, and self-evident.
It's a behind the scenes feature, so simplicity and ease don't really
apply. Self-evident? Evident to whom? Evident for what purpose?
URLs are useful unique identifiers and in my opinion the best one to
use
Post by Matt Mullenweg
on the web. You can normalize them, organize them by domains and
subdomains, look for odd characters or paths, create stats by TLDs,
map
Post by Matt Mullenweg
them to hosting providers, use them as a basis for a crawl, and
associate them with WordPress.org profiles. MD5s are unique, but don't
have a lot of value beyond that, and even a capitalization or trailing
slash change will change the whole MD5. There are also things I think
we
Post by Matt Mullenweg
haven't imagined yet that could make URLs useful. Maybe a .org toolbar
that ties into your .org profile and makes it easy to manage multiple
blogs and tie them together. If by the time 2.5 comes around we're
still
Post by Matt Mullenweg
not doing anything useful with it then we can re-examine it.
I don't think an MD5 would be significantly more anonymous either.
Anyone with a list of URLs could associate the md5 with a URL just by
pre-computing the URL MD5s and comparing. So they would be different,
but not really better. You'd have to add a salt of some kind. We're
hours from the release arguing about a bikeshed that was checked in
over
Post by Matt Mullenweg
a month ago.
I think I agree with matt here. The main point is this is a bikeshed
issue.
Post by Matt Mullenweg
From personal experience running the webservice for my version-check
plugin [1] I have had no complaints of issues with the fact that it
sends
the blog url with every request.
1. Sending the url doesn't expose any private information.
2. We have been sending our urls out as pings for years without any
issue.
3. Sending the url may allow Wordpress.org to do analysis of the user
base in the future - we should probably state this if and when it
happens.
In my view the best thing that could be done now is to document the API
on
the front page of api.wordpress.org and point there from the release
notes.
[1] http://blog.ftwr.co.uk/wordpress/wp-version-check/
--
http://blog.ftwr.co.uk
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
_______________________________________________
wp-hackers mailing list
wp-***@lists.automattic.com
http://lists.automattic.com/mailman/listinfo/wp-hackers
Doug Stewart
2007-09-24 14:22:07 UTC
Permalink
Post by Aaron Brazell
This conversation is pretty moot at this point. For 2.3 anyway.
For changes, yes, for end-user notification, no.

See: recent uproar over Microsoft updating Windows Update on machines
with autoupdated turned off for consumer reaction to third party
dinking with their stuff.
--
-Doug

http://literalbarrage.org/blog/
Jamie Holly
2007-09-24 14:21:57 UTC
Permalink
So that is also saying that if a security issue came up (hypothetical - your
database login information was obtainable), we would release 2.3 with it?
I'm sorry but security and privacy go hand in hand.

Since this is apparently going out as-is, my fix for clients that want the
update feature, but not their URL being sent is simple. I will be changing
it to send a different URL (perhaps photomatt.net - I mean since it doesn't
really matter).


Jamie Holly
http://www.intoxination.net
1.513.252.2919 | Skype:intoxination
-----Original Message-----
Sent: Monday, September 24, 2007 10:05 AM
To: WP Hackers
Subject: Re: [wp-hackers] Plugin update & security / privacy
This conversation is pretty moot at this point. For 2.3 anyway. Ya'll
can probably cool your heels. Like it or not, today is 2.3 launch date
and everything has been pretty much frozen for weeks as its all been
about bug fixing. I'd highly doubt that even if you convinced Matt, that
_anything_ would or could be done for 2.3. So... Save your arguments and
energy for 2.4.
(This is my way of trying to end the argument peacefully)
(via Blackberry)
Aaron Brazell
Director of Technology, b5media
"A Global New Media Company"
web:: www.b5media.com, www.technosailor.com
phone:: 410-608-6620
skype:: technosailor
-----Original Message-----
Date: Mon, 24 Sep 2007 09:42:54
Subject: RE: [wp-hackers] Plugin update & security / privacy
What makes this issue so big is the "secrecy" involving what it is doing.
Adding a simple warning, or even an opt-in/out method would entail minimal
coding. The resistance against that leaves some with a feeling that "well
maybe they are going to do something with this list of URLs". There is no
statement of privacy or anything. How is average Joe to be assured that WP
isn't going to sell this collection of URLs to spam services? Every other
mainstream service/application that collects any information makes sure the
end user knows about this and has a privacy statement to go along with the
service.
A golden rule of any product/service is that you *never* assume on behalf of
the consumer/end-user. Transparency is the key to trust. Also the strong
resistance to this transparency, given by Matt (who is more or less the
voice of WP), is actually making a stronger argument for this
transparency.
When Matt said if you don't like it then "use another product, start a
fork", it really gave a sense that he has something personally to
profit/gain from this feature.
Now for a question.
I haven't looked into the code enough yet, but how effective will this
plugin to remove it be? You can't install the plugin until after you install
the product. By that time hasn't a check already been done, or does a wait a
predetermined amount of time after an install/upgrade to check for updates?
Jamie Holly
http://www.intoxination.net
-----Original Message-----
Sent: Monday, September 24, 2007 8:34 AM
Subject: Re: [wp-hackers] Plugin update & security / privacy
Post by Matt Mullenweg
Post by Mark Jaquith
Post by Matt Mullenweg
2. It's simple, easy, and self-evident.
It's a behind the scenes feature, so simplicity and ease don't
really
Post by Matt Mullenweg
Post by Mark Jaquith
apply. Self-evident? Evident to whom? Evident for what purpose?
URLs are useful unique identifiers and in my opinion the best one to
use
Post by Matt Mullenweg
on the web. You can normalize them, organize them by domains and
subdomains, look for odd characters or paths, create stats by TLDs,
map
Post by Matt Mullenweg
them to hosting providers, use them as a basis for a crawl, and
associate them with WordPress.org profiles. MD5s are unique, but
don't
Post by Matt Mullenweg
have a lot of value beyond that, and even a capitalization or
trailing
Post by Matt Mullenweg
slash change will change the whole MD5. There are also things I think
we
Post by Matt Mullenweg
haven't imagined yet that could make URLs useful. Maybe a .org
toolbar
Post by Matt Mullenweg
that ties into your .org profile and makes it easy to manage multiple
blogs and tie them together. If by the time 2.5 comes around we're
still
Post by Matt Mullenweg
not doing anything useful with it then we can re-examine it.
I don't think an MD5 would be significantly more anonymous either.
Anyone with a list of URLs could associate the md5 with a URL just by
pre-computing the URL MD5s and comparing. So they would be different,
but not really better. You'd have to add a salt of some kind. We're
hours from the release arguing about a bikeshed that was checked in
over
Post by Matt Mullenweg
a month ago.
I think I agree with matt here. The main point is this is a bikeshed
issue.
Post by Matt Mullenweg
From personal experience running the webservice for my version-check
plugin [1] I have had no complaints of issues with the fact that it
sends
the blog url with every request.
1. Sending the url doesn't expose any private information.
2. We have been sending our urls out as pings for years without any
issue.
3. Sending the url may allow Wordpress.org to do analysis of the user
base in the future - we should probably state this if and when it
happens.
In my view the best thing that could be done now is to document the API
on
the front page of api.wordpress.org and point there from the release
notes.
[1] http://blog.ftwr.co.uk/wordpress/wp-version-check/
--
http://blog.ftwr.co.uk
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Computer Guru
2007-09-24 16:15:31 UTC
Permalink
I think we're expected to unplug our servers, upgrade WP, install the
plugin, then plug them back in :-)

-----Original Message-----
From: wp-hackers-***@lists.automattic.com
[mailto:wp-hackers-***@lists.automattic.com] On Behalf Of Jamie Holly
Sent: Monday, September 24, 2007 4:43 PM
To: wp-***@lists.automattic.com
Subject: RE: [wp-hackers] Plugin update & security / privacy

What makes this issue so big is the "secrecy" involving what it is doing.
Adding a simple warning, or even an opt-in/out method would entail minimal
coding. The resistance against that leaves some with a feeling that "well
maybe they are going to do something with this list of URLs". There is no
statement of privacy or anything. How is average Joe to be assured that WP
isn't going to sell this collection of URLs to spam services? Every other
mainstream service/application that collects any information makes sure the
end user knows about this and has a privacy statement to go along with the
service.

A golden rule of any product/service is that you *never* assume on behalf of
the consumer/end-user. Transparency is the key to trust. Also the strong
resistance to this transparency, given by Matt (who is more or less the
voice of WP), is actually making a stronger argument for this transparency.
When Matt said if you don't like it then "use another product, start a
fork", it really gave a sense that he has something personally to
profit/gain from this feature.

Now for a question.

I haven't looked into the code enough yet, but how effective will this
plugin to remove it be? You can't install the plugin until after you install
the product. By that time hasn't a check already been done, or does a wait a
predetermined amount of time after an install/upgrade to check for updates?

Jamie Holly
http://www.intoxination.net
-----Original Message-----
Sent: Monday, September 24, 2007 8:34 AM
Subject: Re: [wp-hackers] Plugin update & security / privacy
Post by Matt Mullenweg
Post by Mark Jaquith
Post by Matt Mullenweg
2. It's simple, easy, and self-evident.
It's a behind the scenes feature, so simplicity and ease don't really
apply. Self-evident? Evident to whom? Evident for what purpose?
URLs are useful unique identifiers and in my opinion the best one to
use
Post by Matt Mullenweg
on the web. You can normalize them, organize them by domains and
subdomains, look for odd characters or paths, create stats by TLDs,
map
Post by Matt Mullenweg
them to hosting providers, use them as a basis for a crawl, and
associate them with WordPress.org profiles. MD5s are unique, but don't
have a lot of value beyond that, and even a capitalization or trailing
slash change will change the whole MD5. There are also things I think
we
Post by Matt Mullenweg
haven't imagined yet that could make URLs useful. Maybe a .org toolbar
that ties into your .org profile and makes it easy to manage multiple
blogs and tie them together. If by the time 2.5 comes around we're
still
Post by Matt Mullenweg
not doing anything useful with it then we can re-examine it.
I don't think an MD5 would be significantly more anonymous either.
Anyone with a list of URLs could associate the md5 with a URL just by
pre-computing the URL MD5s and comparing. So they would be different,
but not really better. You'd have to add a salt of some kind. We're
hours from the release arguing about a bikeshed that was checked in
over
Post by Matt Mullenweg
a month ago.
I think I agree with matt here. The main point is this is a bikeshed issue.
Post by Matt Mullenweg
From personal experience running the webservice for my version-check
plugin [1] I have had no complaints of issues with the fact that it sends
the blog url with every request.
1. Sending the url doesn't expose any private information.
2. We have been sending our urls out as pings for years without any issue.
3. Sending the url may allow Wordpress.org to do analysis of the user
base in the future - we should probably state this if and when it
happens.
In my view the best thing that could be done now is to document the API on
the front page of api.wordpress.org and point there from the release
notes.
[1] http://blog.ftwr.co.uk/wordpress/wp-version-check/
--
http://blog.ftwr.co.uk
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Amy Stephen
2007-09-24 21:17:24 UTC
Permalink
Post by Jamie Holly
Transparency is the key to trust. Also the strong
resistance to this transparency, given by Matt (who is more or less the
voice of WP), is actually making a stronger argument for this
transparency.
When Matt said if you don't like it then "use another product, start a
fork", it really gave a sense that he has something personally to
profit/gain from this feature.
Now for a question.
I haven't looked into the code enough yet, but how effective will this
plugin to remove it be? You can't install the plugin until after you install
the product. By that time hasn't a check already been done, or does a wait a
predetermined amount of time after an install/upgrade to check for updates?
Jamie Holly
http://www.intoxination.net
Well, let's be fair, Jamie Holly. Matt is not just the voice behind WP, he's
actually put a bit of his back into it. I'm not aware of your contributions.
Would you mind a little sharing, even at the risk of self promotion?

I must say, it catches my breath to hear this accusation "it really gave a
sense that he (Matt) has something personally to profit/gain from this
feature." within FOUR WORDS of an admission that "I haven't looked into the
code enough yet."

*breath, Amy, breath!*

It is not uncommon to run into people who do not get the concept of "freely
offered." Open source is still so new, we are all learning the rules. Yes, a
fork is a legitimate choice and one should not take that as a negative
option. It's not like we are "forced" to use WordPress, lest anyone forget!

What isn't legitimate is for end users to develop a sense of entitlement
where we start to believe we have the right to call the shots and developers
must respond lickity split to what we say. They freely offer their code. We
can choose to use it. We can choose not to use it. If we like most of it,
but not all of it, we can even change it! We can even distribute our changes
to others. Get this - we can even charge for that distribution. I kid you,
not.

25 years in Information Technology and I pinch myself each and every single
day.

Now, I also want to warn against wandering into close proximately with
defamation
and libel <http://en.wikipedia.org/wiki/Slander_and_libel>. When ill intent
for personal profit is suggested, without evidence that such accusations are
actually true, one's reputation can be damaged. If such claims turn out to
be false claims, nearly every country in the world will find the victim was
defamed. In written form, the impact is considered to be more permanent by
the courts, resulting in a judgement of libel.

So, one must be very careful to not falsely accuse someone, and even then,
to never do so without having all of your ducks in a row - before committing
such an accusation to electronic form and distributing it broadly to those
on a mailing list and to anyone else who happens upon the Piper mail website
- whether that happens as a result of intentionally going to that site,
being linked there by others, or by scooping up the accusation in an
innocent Google search. Just try to delete it! There are Google archives,
too! Today, when we press send, it's forever!

Anyway, food for thought.

In closely, let me say, people often ask - how do we build more contributors
in our open source projects? As a "just off the top of my head" response,
might I suggest we not attack key contributors - at least so viciously?

Cheers!
Amy :-)
Travis Snoozy
2007-09-24 23:19:59 UTC
Permalink
On Mon, 24 Sep 2007 16:17:24 -0500, "Amy Stephen"
<***@gmail.com> wrote:

<snip>
Post by Amy Stephen
I must say, it catches my breath to hear this accusation "it really
gave a sense that he (Matt) has something personally to profit/gain
from this feature." within FOUR WORDS of an admission that "I haven't
looked into the code enough yet."
<snip>

Public opinion is what it is; that is the reaction you will get if you
hear someone is scooping up information without disclosure. While one
should "never attribute to malice what can be attributed to
[oversight]", users have been burned by all sorts of nasties, and are
sensitized to this sort of thing now.

Very few people know how their computers work. We rely on trust. When
that trust is violated, or _feel_ that it's violated... well, it's
upsetting.

<snip>
Post by Amy Stephen
What isn't legitimate is for end users to develop a sense of
entitlement where we start to believe we have the right to call the
shots and developers must respond lickity split to what we say. They
freely offer their code. We can choose to use it. We can choose not
to use it. If we like most of it, but not all of it, we can even
change it! We can even distribute our changes to others. Get this -
we can even charge for that distribution. I kid you, not.
Yes, but at a point, with all good OS software, it becomes owned by the
community just as much as by the authors. One should not forget that
their software is neigh unto nothing without users, for free or for
profit. Clearly we have some lack of communication flow between the
two, and it's caused some misunderstanding and discord.

<snip>
Post by Amy Stephen
In closely, let me say, people often ask - how do we build more
contributors in our open source projects? As a "just off the top of
my head" response, might I suggest we not attack key contributors -
at least so viciously?
Also, on the web, one tends to develop a rather thick skin. Without
such, it's hard to stay sane. I'm sure that said contributors are able
to take e-mails like this with the grain of salt it deserves. More
aggravating, at least in my perspective, is managing the relationship
with the community -- doing something wildly unpopular can cause
backlash leading to a "I'll take my ball and go home" reaction. Again,
this is why it's critical for everyone to communicate and be clear.


If I may suggest, can we stop and analyze what went wrong here? What
could we have done to made sure that this issue came out sooner? How
can we -fix- the process, so that this is less likely to happen again?

Also, with the 2.3 release looming, I think it would be nice to know if
this issue is blocking or not. I have seen no posts on the development
blog one way or another on the matter.



Yours truly,
--
Travis
Moritz 'Morty' Strübe
2007-09-24 23:28:39 UTC
Permalink
Post by Travis Snoozy
Also, with the 2.3 release looming, I think it would be nice to know if
this issue is blocking or not. I have seen no posts on the development
blog one way or another on the matter.
Matt clearly stated, and I'm to lazy to search the mail, that there will
be no changes whatsoever, and I'm free to change the software,
deactivate the whole function or start a fork.

Morty
--
strübe.de <http://xn--strbe-mva.de>

Diese Email ist signiert. Sollte Dein Email-Client keine Signaturen
unterstützen wird eine smime.p7s-Datei im Anhang angezeigt.

Meinen PGP/GPG-Key gibt es auf den üblichen Keyservern.
Travis Snoozy
2007-09-24 23:40:02 UTC
Permalink
On Tue, 25 Sep 2007 00:28:39 +0100, Moritz 'Morty' Strübe
Post by Moritz 'Morty' Strübe
Post by Travis Snoozy
Also, with the 2.3 release looming, I think it would be nice to
know if this issue is blocking or not. I have seen no posts on the
development blog one way or another on the matter.
Matt clearly stated, and I'm to lazy to search the mail, that there
will be no changes whatsoever, and I'm free to change the software,
deactivate the whole function or start a fork.
I was under the mistaken impression that the trac milestone had closed
for this; in fact, there are about 20 minutes remaining. That said, it
is the 25th in half the world right now, and there is no 2.3 release as
of yet. Thus, I feel the question is still valid, especially in light
of the fact that most everyone has had a chance to sleep on it.

Then again, I've never waited for a WordPress release before, so I may
just be overly-anxious. :)
--
Travis
Travis Snoozy
2007-09-25 00:10:21 UTC
Permalink
(Sending again, since the list appears to have eaten my first attempt.
I apologize if there's a double-post.)

On Tue, 25 Sep 2007 00:28:39 +0100, Moritz 'Morty' Strübe
Post by Moritz 'Morty' Strübe
Post by Travis Snoozy
Also, with the 2.3 release looming, I think it would be nice to
know if this issue is blocking or not. I have seen no posts on the
development blog one way or another on the matter.
Matt clearly stated, and I'm to lazy to search the mail, that there
will be no changes whatsoever, and I'm free to change the software,
deactivate the whole function or start a fork.
I was under the mistaken impression that the trac milestone had closed
for this; in fact, there are about 20 minutes remaining*. That said, it
is the 25th in half the world right now, and there is no 2.3 release as
of yet. Thus, I feel the question is still valid, especially in light
of the fact that most everyone has had a chance to sleep on it.

Then again, I've never waited for a WordPress release before, so I may
just be overly-anxious. :)
--
Travis

* As of the second sending, we are now 10 minutes past the milestone
closure.
Doug Stewart
2007-09-25 01:12:09 UTC
Permalink
Post by Travis Snoozy
* As of the second sending, we are now 10 minutes past the milestone
closure.
Too late - wp.org has a new graphic and the version.php version go
bumped -- looks like it's live.
--
-Doug

http://literalbarrage.org/blog/
Charles
2007-09-25 03:11:58 UTC
Permalink
Post by Moritz 'Morty' Strübe
Post by Travis Snoozy
Also, with the 2.3 release looming, I think it would be nice to
know if this issue is blocking or not. I have seen no posts on
the development blog one way or another on the matter.
Matt clearly stated, and I'm to lazy to search the mail, that there
will be no changes whatsoever, and I'm free to change the software,
deactivate the whole function or start a fork.
That was his response to me as well. I offered what I thought were some reasonable alternatives to ignoring the real issue:

- If you "need" this data for some amazing feature that's only in your head, then you need to open the kimono now. Otherwise, it just seems sneaky and underhanded.

- Be careful about suggesting that people fork WordPress for privacy purposes. It won't take much for a Cory Doctorow to lead the charge to "take back WordPress".

- Here's what people will want to see from you: "This is a good conversation. Yes, we should only be collecting information that's absolutely necessary to enable features, and even then on an opt-in basis. If there's ever a need to collect more, then we'll deal with that in an update rather than trying to pre-optimize for scearnios that we can only guess about now."

Whoever thought it was okay to push out 2.3 without resolving this privacy issue need to have the keys taken away. For the "real" products I'm involved with, that person would find a security guard with a box waiting for them in the morning.

I don't expect this question to be answered, which is sad.

-- Charles
Jamie Holly
2007-09-24 23:27:07 UTC
Permalink
I never said he was profiting or gaining from it - I said it "gives a
sense". Sorry but saying something makes me feel a certain way in no-way
constitutes libel or defamation. If that was the case then the already
over-crowded dockets in the courts around the U.S. will explode.

Oh and did you know accusing someone of defamation and libel can also be
considered defamation and libel (that is from my wife, who is a civil
defense attorney)?


So your standards means someone has to "prove contributions" in order to
raise concerns on an open-source product? Well in my 30+ years - now my head
is exploding. I guess John Doe can't complain to Chevy because of a problem
with his truck if he doesn't work for GM.

Yes I have contributed patches. Yes I have helped with tickets. Yes I try to
help out on WPMU forums. I will now be reevaluating the donating the limited
time I already have considering your "standards". I suggest others do the
same.
Post by Amy Stephen
In closely, let me say, people often ask - how do we build more
contributors
in our open source projects? As a "just off the top of my head"
response,
might I suggest we not attack key contributors - at least so viciously?
I'm sorry but you missed the entire point. When people are asking about
concerns (especially ones of security or privacy), a "key contributor"
should not respond by saying "fine go fork it or use something else". That
is exactly what occurred (and I think another developer even commented on
the tone of that statement). So attacking the people who also try to help
out, or use the product is a way to develop a community? Not in my book.


Jamie Holly
http://www.intoxination.net
Post by Amy Stephen
-----Original Message-----
Sent: Monday, September 24, 2007 5:17 PM
Subject: Re: [wp-hackers] Plugin update & security / privacy
Post by Jamie Holly
Transparency is the key to trust. Also the strong
resistance to this transparency, given by Matt (who is more or less
the
Post by Jamie Holly
voice of WP), is actually making a stronger argument for this
transparency.
When Matt said if you don't like it then "use another product, start a
fork", it really gave a sense that he has something personally to
profit/gain from this feature.
Now for a question.
I haven't looked into the code enough yet, but how effective will this
plugin to remove it be? You can't install the plugin until after you install
the product. By that time hasn't a check already been done, or does a
wait
Post by Jamie Holly
a
predetermined amount of time after an install/upgrade to check for updates?
Jamie Holly
http://www.intoxination.net
Well, let's be fair, Jamie Holly. Matt is not just the voice behind WP, he's
actually put a bit of his back into it. I'm not aware of your
contributions.
Would you mind a little sharing, even at the risk of self promotion?
I must say, it catches my breath to hear this accusation "it really gave a
sense that he (Matt) has something personally to profit/gain from this
feature." within FOUR WORDS of an admission that "I haven't looked into the
code enough yet."
*breath, Amy, breath!*
It is not uncommon to run into people who do not get the concept of "freely
offered." Open source is still so new, we are all learning the rules. Yes, a
fork is a legitimate choice and one should not take that as a negative
option. It's not like we are "forced" to use WordPress, lest anyone forget!
What isn't legitimate is for end users to develop a sense of entitlement
where we start to believe we have the right to call the shots and developers
must respond lickity split to what we say. They freely offer their code. We
can choose to use it. We can choose not to use it. If we like most of it,
but not all of it, we can even change it! We can even distribute our changes
to others. Get this - we can even charge for that distribution. I kid you,
not.
25 years in Information Technology and I pinch myself each and every single
day.
Now, I also want to warn against wandering into close proximately with
defamation
and libel <http://en.wikipedia.org/wiki/Slander_and_libel>. When ill intent
for personal profit is suggested, without evidence that such accusations are
actually true, one's reputation can be damaged. If such claims turn out to
be false claims, nearly every country in the world will find the victim was
defamed. In written form, the impact is considered to be more permanent by
the courts, resulting in a judgement of libel.
So, one must be very careful to not falsely accuse someone, and even then,
to never do so without having all of your ducks in a row - before committing
such an accusation to electronic form and distributing it broadly to those
on a mailing list and to anyone else who happens upon the Piper mail website
- whether that happens as a result of intentionally going to that site,
being linked there by others, or by scooping up the accusation in an
innocent Google search. Just try to delete it! There are Google
archives,
too! Today, when we press send, it's forever!
Anyway, food for thought.
In closely, let me say, people often ask - how do we build more
contributors
in our open source projects? As a "just off the top of my head"
response,
might I suggest we not attack key contributors - at least so viciously?
Cheers!
Amy :-)
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Kimmo Suominen
2007-09-24 15:09:59 UTC
Permalink
Post by Peter Westwood
3. Sending the url may allow Wordpress.org to do analysis of the user
base in the future - we should probably state this if and when it
happens.
I fail to see what such an announcement would help at such a late point
in time. Would there be a way for the end-user to retroactively have
their data removed, before it was used for such analysis? How would the
user know the data has actually been removed? Wouldn't it be stored on
backups etc.?
Post by Peter Westwood
From the developers point of view, I, too, can understand the desire to
gather all kinds of data for statistical analysis and other purposes.
However, as an end-user I'm not at all fond of the gathering of data
about me, especially without my knowledge or permission.

When the data has no obvious and solid need for being transmitted,
it feels even worse. As was pointed out in this thread, many other
update checkers do not send the software inventory and versions to the
Microsoft servers. It seems the only real reason for WordPress to do so
is to collect more information about the end-users.

The privacy-aware approach would be to send the minimum amount of
information necessary to perform the function at hand. The API is
already versioned, so if more information is needed in the future, it is
possible to do it in a manner that doesn't break old clients.

The update notification is such an important function that I'll still
be using it. I might not feel good about the information sent, but I'd
still use the service. I'm also waiting for my plugins to be approved
into the wp.org repository as that is the only way to provide update
notifications to their users. When there is no real choice ("use it or
lose it" is not a real choice), you'll find yourself putting up with
quite a lot.

Best regards,
+ Kimmo
--
<A HREF="http://kimmo.suominen.com/">Kimmo Suominen</A>
Otto
2007-09-24 16:03:45 UTC
Permalink
In the interests of clarity, let's state exactly what's going on.

First case:
Every 43200 seconds (12 hours) or so, depending on when your site is
hit, the function will send a single HTTP request to
http://api.wordpress.org. It sends the following information:

WordPress Version
PHP Version
Locale setting (if there is one)
The Blog's URL

That's the main WordPress version check. It doesn't have anything to
do with plugins. Disabling it is easy, one line of code will do it:
remove_action('init','wp_version_check');


Second case:
Plugin update check. This occurs when you go to the plugin page and it
has not checked for updates in more than 43200 seconds (12 hours). It
also sends a single request to http://api.wordpress.org (different
script though) consisting of:
The Blog's URL
WordPress Version
Plugin names, url's, versions, etc. All the plugin info, basically,
including inactive plugins.

Disabling this is also easy, another one-liner:
remove_action( 'load-plugins.php', 'wp_update_plugins' );


WordPress and Automattic's privacy policies can be found here:
http://automattic.com/privacy/


Two things I have to say:
1. If the blog is set to "Private", on the privacy admin page, both of
these should be disabled. Why? Because the user will have expressed a
preference. Respect it.
2. There should be a link to the above privacy policy in the admin
pages, somewhere.

Given that WordPress has failed to do both of these, then yes, I agree
that this "feature" is subversive and will cause an outcry. Regardless
of *what* the information can be used (or not used) for, it's sending
out information without informing the user of that fact or disclaiming
what that information can and will be used to do. Furthermore, it has
no opt-out mechanism, especially when there exists a mechanism already
that allows the user to express such a preference.

These two simple things are really not optional. They must be added.
If you're collecting data, ever, then these are the absolute minimum.

So, there's my 2 cents.
Jamie Holly
2007-09-24 16:10:57 UTC
Permalink
Post by Alex Günsche
http://automattic.com/privacy/
One problem with that:

http://comox.textdrive.com/pipermail/wp-hackers/2007-September/014856.html

Matt said:

"I would like to remind the participants of this thread that WP.org !=
Automattic, so to be fair to the members of both please distinguish
which you're referring to."

So that privacy policy does not apply to Wordpress.org


Jamie Holly
http://www.intoxination.net
Post by Alex Günsche
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Andy Staines
2007-09-24 16:36:14 UTC
Permalink
Personally I don't care that much but isn't this actually illegal in
some countries? I'm pretty sure it is here in Europe...
Andy
Post by Otto
In the interests of clarity, let's state exactly what's going on.
Every 43200 seconds (12 hours) or so, depending on when your site is
hit, the function will send a single HTTP request to
WordPress Version
PHP Version
Locale setting (if there is one)
The Blog's URL
That's the main WordPress version check. It doesn't have anything to
remove_action('init','wp_version_check');
Plugin update check. This occurs when you go to the plugin page and it
has not checked for updates in more than 43200 seconds (12 hours). It
also sends a single request to http://api.wordpress.org (different
The Blog's URL
WordPress Version
Plugin names, url's, versions, etc. All the plugin info, basically,
including inactive plugins.
remove_action( 'load-plugins.php', 'wp_update_plugins' );
http://automattic.com/privacy/
1. If the blog is set to "Private", on the privacy admin page, both of
these should be disabled. Why? Because the user will have expressed a
preference. Respect it.
2. There should be a link to the above privacy policy in the admin
pages, somewhere.
Given that WordPress has failed to do both of these, then yes, I agree
that this "feature" is subversive and will cause an outcry. Regardless
of *what* the information can be used (or not used) for, it's sending
out information without informing the user of that fact or disclaiming
what that information can and will be used to do. Furthermore, it has
no opt-out mechanism, especially when there exists a mechanism already
that allows the user to express such a preference.
These two simple things are really not optional. They must be added.
If you're collecting data, ever, then these are the absolute minimum.
So, there's my 2 cents.
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Otto
2007-09-24 17:19:55 UTC
Permalink
Don't have any idea about legality. But unless the wordpress.org devs
are in europe, I don't think it makes any difference.

Anyway, one thing that does bug me is the non optimized state of the
plugin checker. I mean, look at all the crap it sends:

data:object(stdClass)(2) {
["plugins"]=>
array(15) {
["akismet/akismet.php"]=>
array(5) {
["Name"]=>
string(7) "Akismet"
["Title"]=>
string(71) "<a href="http://akismet.com/" title="Visit plugin
homepage">Akismet</a>"
["Description"]=>
string(354) "Akismet checks your comments against the Akismet web
service to see if they look like spam or not. You need a <a
href="http://wordpress.com/api-keys/">WordPress.com API key</a> to use
it. You can review the spam it catches under &#8220;Comments.&#8221;
To show off your Akismet stats just put <code>&lt;?php
akismet_counter(); ?></code> in your template."
["Author"]=>
string(80) "<a href="http://photomatt.net/" title="Visit author
homepage">Matt Mullenweg</a>"
["Version"]=>
string(5) "2.0.2"
}


Why on earth would the description ever be needed? The Author and
version and such I can understand.

The reason it's doing this is because it's simply sending everything
returned by get_plugins(), which is understandable for a first draft,
but this really should have been cleaned up before release. For my
site, it'll be sending a 30k or more of data, needlessly.

Well, until I hack it not to do that, of course. Still, it's fairly
ridiculous to roll with this without fixing up the obvious silly bits.


-Otto
Post by Andy Staines
Personally I don't care that much but isn't this actually illegal in
some countries? I'm pretty sure it is here in Europe...
Andy
Post by Otto
In the interests of clarity, let's state exactly what's going on.
Every 43200 seconds (12 hours) or so, depending on when your site is
hit, the function will send a single HTTP request to
WordPress Version
PHP Version
Locale setting (if there is one)
The Blog's URL
That's the main WordPress version check. It doesn't have anything to
remove_action('init','wp_version_check');
Plugin update check. This occurs when you go to the plugin page and it
has not checked for updates in more than 43200 seconds (12 hours). It
also sends a single request to http://api.wordpress.org (different
The Blog's URL
WordPress Version
Plugin names, url's, versions, etc. All the plugin info, basically,
including inactive plugins.
remove_action( 'load-plugins.php', 'wp_update_plugins' );
http://automattic.com/privacy/
1. If the blog is set to "Private", on the privacy admin page, both of
these should be disabled. Why? Because the user will have expressed a
preference. Respect it.
2. There should be a link to the above privacy policy in the admin
pages, somewhere.
Given that WordPress has failed to do both of these, then yes, I agree
that this "feature" is subversive and will cause an outcry. Regardless
of *what* the information can be used (or not used) for, it's sending
out information without informing the user of that fact or disclaiming
what that information can and will be used to do. Furthermore, it has
no opt-out mechanism, especially when there exists a mechanism already
that allows the user to express such a preference.
These two simple things are really not optional. They must be added.
If you're collecting data, ever, then these are the absolute minimum.
So, there's my 2 cents.
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Moritz 'morty' Struebe
2007-09-24 17:37:13 UTC
Permalink
Post by Otto
[..]
The reason it's doing this is because it's simply sending everything
returned by get_plugins(), which is understandable for a first draft,
but this really should have been cleaned up before release. For my
site, it'll be sending a 30k or more of data, needlessly.
Who cares about 30k every 12 h if your average page load is 100K?
IMHO stuff like this isn't that important.

Cheers
Morty
Andy Staines
2007-09-24 18:16:22 UTC
Permalink
Actually the WP devs DO need to worry about it and it does make a
difference. It matters not where the code originated they could still
find themselves on the receiving end of a legal case IF it is illegal
and someone decides to make an issue out of it. They should at least
consult someone with knowledge in the field. Cases like this can get
very messy and generate lots of bad publicity. I'd be surprised it
it's legal in the USA.
Post by Otto
Don't have any idea about legality. But unless the wordpress.org devs
are in europe, I don't think it makes any difference.
Moritz 'morty' Struebe
2007-09-24 18:24:11 UTC
Permalink
The GPL covers this. You should sometimes read the license for the code
you use:

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
Post by Andy Staines
Actually the WP devs DO need to worry about it and it does make a
difference. It matters not where the code originated they could still
find themselves on the receiving end of a legal case IF it is illegal
and someone decides to make an issue out of it. They should at least
consult someone with knowledge in the field. Cases like this can get
very messy and generate lots of bad publicity. I'd be surprised it
it's legal in the USA.
Post by Otto
Don't have any idea about legality. But unless the wordpress.org devs
are in europe, I don't think it makes any difference.
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Jamie Holly
2007-09-24 18:33:33 UTC
Permalink
Applicable by law being the key phrase there. If I create a program that
sends me back your bank information I can still be prosecuted for it because
it is against the law - GPL license or not.

I asked an attorney who I do work for about this. She sent me this link. It
is somewhat outdated, but does have some really good information regarding
this (and similar) issues:

http://library.findlaw.com/2002/Jan/1/241484.html


Jamie Holly
http://www.intoxination.net
-----Original Message-----
Sent: Monday, September 24, 2007 2:24 PM
Subject: Re: [wp-hackers] Plugin update & security / privacy
The GPL covers this. You should sometimes read the license for the code
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
Post by Andy Staines
Actually the WP devs DO need to worry about it and it does make a
difference. It matters not where the code originated they could still
find themselves on the receiving end of a legal case IF it is illegal
and someone decides to make an issue out of it. They should at least
consult someone with knowledge in the field. Cases like this can get
very messy and generate lots of bad publicity. I'd be surprised it
it's legal in the USA.
Post by Otto
Don't have any idea about legality. But unless the wordpress.org devs
are in europe, I don't think it makes any difference.
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Jamie Holly
2007-09-24 18:37:11 UTC
Permalink
OOPS and don't mean to respond to myself, but she just sent me another
email.

http://www.llrx.com/features/opensource.htm

Number 10 is of particular interest:

10. Treat Open Source Policy as a Team Game. It has become very clear in the
last few years that IT policy should not be made in a vacuum. Consider the
privacy example. Companies that left privacy policies to the IT department
or the legal department quickly found that "standard language" had enormous
implications for the marketing department, executives, sales staffs and
others. Nothing turned out to be simple or standard until all constituents
got involved and worked through the ramifications. Similarly, Open Source
usage, especially if development projects are contemplated, creates a wide
range of legal and business issues that should not be handled in isolation.
Theory has to meet practice to get the best results. If the lawyer only
looks at the legal issues and the CIO looks only at the IT issues, you
increase the likelihood of finger-pointing when an unexpected, but quite
predictable, bad result occurs. No one, especially me, likes the idea of yet
another committee meeting, but Open Source is a good example where time and
effort spent on the front-end will pay off substantially over the
alternative of cleaning up potentially messy and expensive situations in
which you may one day find yourself.



Jamie Holly
http://www.intoxination.net
-----Original Message-----
Sent: Monday, September 24, 2007 2:34 PM
Subject: RE: [wp-hackers] Plugin update & security / privacy
Applicable by law being the key phrase there. If I create a program that
sends me back your bank information I can still be prosecuted for it because
it is against the law - GPL license or not.
I asked an attorney who I do work for about this. She sent me this link. It
is somewhat outdated, but does have some really good information regarding
http://library.findlaw.com/2002/Jan/1/241484.html
Jamie Holly
http://www.intoxination.net
-----Original Message-----
Sent: Monday, September 24, 2007 2:24 PM
Subject: Re: [wp-hackers] Plugin update & security / privacy
The GPL covers this. You should sometimes read the license for the code
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT
WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY
SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED
BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
Post by Andy Staines
Actually the WP devs DO need to worry about it and it does make a
difference. It matters not where the code originated they could still
find themselves on the receiving end of a legal case IF it is illegal
and someone decides to make an issue out of it. They should at least
consult someone with knowledge in the field. Cases like this can get
very messy and generate lots of bad publicity. I'd be surprised it
it's legal in the USA.
Post by Otto
Don't have any idea about legality. But unless the wordpress.org
devs
Post by Andy Staines
Post by Otto
are in europe, I don't think it makes any difference.
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Bas Bosman
2007-09-24 18:49:33 UTC
Permalink
First of all, I personally don't have any issues with the current
implementation, but the legal discussion is another issue.

The license quoted says: UNLESS REQUIRED BY APPLICABLE LAW

Here in the Netherlands we have the "Wet Bescherming Persoonsgegevens"
which translates to "Law for the protection of personal details". *1

It states:
- If personal information is stored it must be opt-in.
- You have to publicly inform what you intend to use the data for.
- ...

And your blog URL would be considered a personal detail according to that
law.

IANAL, but my feeling is that the current implementation would be illegal
here in The Netherlands.

Regards,
Bas Bosman (Nazgul)

*1 http://www.justitie.nl/onderwerpen/opsporing_en_handhaving/wbp/
Post by Moritz 'morty' Struebe
The GPL covers this. You should sometimes read the license for the code
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
Post by Andy Staines
Actually the WP devs DO need to worry about it and it does make a
difference. It matters not where the code originated they could still
find themselves on the receiving end of a legal case IF it is illegal
and someone decides to make an issue out of it. They should at least
consult someone with knowledge in the field. Cases like this can get
very messy and generate lots of bad publicity. I'd be surprised it
it's legal in the USA.
Post by Otto
Don't have any idea about legality. But unless the wordpress.org devs
are in europe, I don't think it makes any difference.
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Andy Staines
2007-09-24 19:00:11 UTC
Permalink
Where in the GPL? I don't see it?
It says nothing about data harvesting without consent.
Anyway - this is my last input on this. I was simply trying to be
helpful. I can imagine someone here in Europe having a field day in
the courts and press with this one should they so wish.

On 07:24 PM | Mon 24 Sep 07, at 07:24 PM | 24 Sep 07, Moritz
Post by Moritz 'morty' Struebe
The GPL covers this. You should sometimes read the license for the
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY
SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES
SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
Post by Andy Staines
Actually the WP devs DO need to worry about it and it does make a
difference. It matters not where the code originated they could
still find themselves on the receiving end of a legal case IF it
is illegal and someone decides to make an issue out of it. They
should at least consult someone with knowledge in the field. Cases
like this can get very messy and generate lots of bad publicity.
I'd be surprised it it's legal in the USA.
Post by Otto
Don't have any idea about legality. But unless the wordpress.org devs
are in europe, I don't think it makes any difference.
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Otto
2007-09-24 19:44:02 UTC
Permalink
Post by Andy Staines
I'd be surprised it it's legal in the USA.
IANAL, but I assure you, it's legal here.

For that matter, it's most likely legal there too. It's not personal
information in any meaningful sense of the term. It's publicly
available information, anybody looking at your blog can see it in
their address bar.

You might have a case with "the plugins you're running", but not with
the blog URI.
Joost de Valk
2007-09-24 19:46:02 UTC
Permalink
I agree there, I for one don't think that would be illegal under
Dutch law, and I've had to work with that law quite often...
Post by Otto
Post by Andy Staines
I'd be surprised it it's legal in the USA.
IANAL, but I assure you, it's legal here.
For that matter, it's most likely legal there too. It's not personal
information in any meaningful sense of the term. It's publicly
available information, anybody looking at your blog can see it in
their address bar.
You might have a case with "the plugins you're running", but not with
the blog URI.
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Joost de Valk

@: ***@joostdevalk.nl
W: http://www.joostdevalk.nl/
Jamie Holly
2007-09-24 20:08:01 UTC
Permalink
This has taken an interesting turn. There is not just a legal question, but
also an ethical one.

I would much rather bet on the fact that no one here can say with absolute
certainty that sending the URL is or isn't legal, than staking a position of
saying it is or isn't. Think Microsoft. They have tons of attorneys that sit
there and think "well this is legal", and we know how that has ended up for
them in numerous anti-trust cases. Assuming certainty in the law is asking
for trouble.

There is an ethical side to this. Most people won't know this is sending the
URL. If they happen to find out down the road, then they are going to wonder
what else is being sent (should average Joe user have to learn PHP and dig
through source code to figure this out?). In 30+ years of software
development, I have always practiced full disclosure. Every company I have
worked for also engages the same policy where user identifying data
collection is involved.

Now being self employed and having 11 clients that I take care of Wordpress
installation for (and at the advice of my attorney), I have sent out emails
alerting them of this collection of information. Not saying that it will
turn into a legal battle down the road, but it is better to err on the side
of caution (Three already have said they don't care. Four have said they
don't want to upgrade - including two that have asked me about other
platforms. Still waiting to hear from the other four, but I won't upgrade
them until I hear from them).

Having said that, I still strongly believe this information must be
disclosed in installs/upgrades. Does anyone seriously believe that a person
will stop installing Wordpress (after creating a DB, uploading files, etc)
just because they have to check a box saying "I agree to allow Wordpress.org
to collect statistics about my installation" (In better verbiage of course)?
If that is the case, then Wordpress is seriously hurting in the
user-friendly aspect.


Jamie Holly
http://www.intoxination.net
-----Original Message-----
Sent: Monday, September 24, 2007 3:44 PM
Subject: Re: [wp-hackers] Plugin update & security / privacy
Post by Andy Staines
I'd be surprised it it's legal in the USA.
IANAL, but I assure you, it's legal here.
For that matter, it's most likely legal there too. It's not personal
information in any meaningful sense of the term. It's publicly
available information, anybody looking at your blog can see it in
their address bar.
You might have a case with "the plugins you're running", but not with
the blog URI.
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Computer Guru
2007-09-24 20:40:16 UTC
Permalink
-----Original Message-----
Sent: Monday, September 24, 2007 11:08 PM
Subject: RE: [wp-hackers] Plugin update & security / privacy
staking a position of saying it is or isn't. Think Microsoft. They
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Enough said.

Does anyone here seriously believe Microsoft gives a damn about *you* personally and personally identifying info?
If Microsoft were to start silently and without warning begin recording even NECESSARY info and sending it at regular intervals to Redmond, do you think they would use that info to personally identify anyone or let that data be leaked anywhere? The obvious answer is no f*****ing way.

But if Microsoft were to start doing such a thing, there would no end to the litigation, lawsuits, and complaints. Businesses WOULD stop using it, in the blink of an eye if they feel they've really been violated. And governments - do you think the CIA would appreciate the fact that their OS of choice is "spying" on them? Imagine the litigation and class-action lawsuits to follow...

So why is it ANY different for WordPress? Being open source isn't a "Get out of jail free" card, is it?

The latest versions of Windows and Office have a "consumer improvement" program that sends periodic data to MS, *WITH* a guarantee that no personally identifying info will be sent, AND a button you can press to see ALL info being transmitted. What's more, it's OFF by default (as in opt-in). And of course, they have one hell of a privacy policy.

Sure, I love and respect WP and the team. I know you guys won't misuse this info, and so do many people out there too. I always opt-in to these programs, because a developer I know the importance of statistics. But the fact of the matter is, it's stupid, reckless, and just plain un-thought-through to secretly send data back to WP/Automattic/whatever-the-hell-it-is, *ESPECIALLY* without even an opt-OUT button and most definitely without a privacy policy. I've got to say, what the hell were you guys thinking?

This is the INFORMATION age. Information reigns king. It's valuable, yes. But trust is even more valuable. WP is a piece of open source community software, and decisions like this need to be done in the open with tons of feedback - not with a bit of code slipped in under the radar with no warning or discussion and absolutely no way of disabling it by default.

Just think about it. I haven't heard a _single_ argument that gives a real /reason/ for what's being done (no, "it's harmless" isn't a valid excuse). If it were ANY other for-profit company, each and everyone one of you would be screaming up and down. So why is WP an exception? Like I said before, Open Source isn't a carte blanche that lets you do whatever the hell you please, it's just a frikkin license - and doing this kind of stuff assuming that everyone would forgive you just because you're not a Microsoft/Google/Apple/eBay/Whatever doesn't just not get you off the hook but gives open source a really bad name if that's the excuse.

The golden rule: "Do unto others what you would have them do unto you"

If someone can give me a SINGLE good reason why it's OK for WordPress to do this whereas it's not for anyone else, I'm all ears. But just think: "what if it was Microsoft" and see what happens.

Every day I see a blog post about "OMG <INSERT BIG COMPANY HERE> is using WP!!! WE PWNZ THE WORLD!!!" Cool.
Great. But what are all those big companies going to think when they realize you're effectively spying on them???


Computer Guru
NeoSmart Technologies
http://neosmart.net/
Otto
2007-09-24 20:58:06 UTC
Permalink
I fail to grasp your argument. The reasons for the data being sent are
straightforward and obvious, to notify the blogger about upgrades
being available for both WordPress and plugins. With all the security
issues lately, and so many people bitchin' about WordPress having
security problems, then keeping people in the know about upgrades is
an important thing to do.

I agree that not having an option to turn it off is an oversight. And
I agree that not having a stated privacy policy is ridiculous. But the
facts cannot be disputed.

For the record, matt has stated that the backend doesn't store
anything whatsoever. It uses the data sent to check for updates to the
given bits. That's it. In theory, it could use the same information to
keep a count of the installed WordPress base and what versions are
being run, for statistical reasons. For now, it doesn't do that.

As for discussion, this has been discussed on trac for *years*, there
was plenty of discussion and debate about it. #1476 springs to mind.

Look, as matt correctly pointed out, this sort of information is not a
security risk. Nobody not wearing tinfoil on their head would
reasonably have objections to this information being available.

The legitimate complaints are:
- No opt-out method built in
- No privacy policy
- Poor implementation from an optimization perspective.

Jumping up and down and going OMG IT SENDZ DATA OH NOEZ! doesn't help
things. It doesn't send any data that could be used against you.
Really. And they're not even saving it on their end. And it is, in
fact, easily disabled with two lines of code or a simple plugin, if
you're of the tinfoil hat variety.

But more to the point, don't be over-exaggerating things. I'll
certainly be putting in some patches to correct the deficiencies that
I see in it, and with any luck, they'll make it into 2.3.1. Hopefully
matt and such will step up and consider a wordpress.org privacy policy
and perhaps a mod for the installation to notify the user will make it
into the release as well.

This is not a world-ending problem. Okay? Version 2.3 isn't a security
release, so if you don't want it, don't install it yet.

-Otto
Post by Computer Guru
-----Original Message-----
Sent: Monday, September 24, 2007 11:08 PM
Subject: RE: [wp-hackers] Plugin update & security / privacy
staking a position of saying it is or isn't. Think Microsoft. They
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Enough said.
Does anyone here seriously believe Microsoft gives a damn about *you* personally and personally identifying info?
If Microsoft were to start silently and without warning begin recording even NECESSARY info and sending it at regular intervals to Redmond, do you think they would use that info to personally identify anyone or let that data be leaked anywhere? The obvious answer is no f*****ing way.
But if Microsoft were to start doing such a thing, there would no end to the litigation, lawsuits, and complaints. Businesses WOULD stop using it, in the blink of an eye if they feel they've really been violated. And governments - do you think the CIA would appreciate the fact that their OS of choice is "spying" on them? Imagine the litigation and class-action lawsuits to follow...
So why is it ANY different for WordPress? Being open source isn't a "Get out of jail free" card, is it?
The latest versions of Windows and Office have a "consumer improvement" program that sends periodic data to MS, *WITH* a guarantee that no personally identifying info will be sent, AND a button you can press to see ALL info being transmitted. What's more, it's OFF by default (as in opt-in). And of course, they have one hell of a privacy policy.
Sure, I love and respect WP and the team. I know you guys won't misuse this info, and so do many people out there too. I always opt-in to these programs, because a developer I know the importance of statistics. But the fact of the matter is, it's stupid, reckless, and just plain un-thought-through to secretly send data back to WP/Automattic/whatever-the-hell-it-is, *ESPECIALLY* without even an opt-OUT button and most definitely without a privacy policy. I've got to say, what the hell were you guys thinking?
This is the INFORMATION age. Information reigns king. It's valuable, yes. But trust is even more valuable. WP is a piece of open source community software, and decisions like this need to be done in the open with tons of feedback - not with a bit of code slipped in under the radar with no warning or discussion and absolutely no way of disabling it by default.
Just think about it. I haven't heard a _single_ argument that gives a real /reason/ for what's being done (no, "it's harmless" isn't a valid excuse). If it were ANY other for-profit company, each and everyone one of you would be screaming up and down. So why is WP an exception? Like I said before, Open Source isn't a carte blanche that lets you do whatever the hell you please, it's just a frikkin license - and doing this kind of stuff assuming that everyone would forgive you just because you're not a Microsoft/Google/Apple/eBay/Whatever doesn't just not get you off the hook but gives open source a really bad name if that's the excuse.
The golden rule: "Do unto others what you would have them do unto you"
If someone can give me a SINGLE good reason why it's OK for WordPress to do this whereas it's not for anyone else, I'm all ears. But just think: "what if it was Microsoft" and see what happens.
Every day I see a blog post about "OMG <INSERT BIG COMPANY HERE> is using WP!!! WE PWNZ THE WORLD!!!" Cool.
Great. But what are all those big companies going to think when they realize you're effectively spying on them???
Computer Guru
NeoSmart Technologies
http://neosmart.net/
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Computer Guru
2007-09-24 21:13:09 UTC
Permalink
-----Original Message-----
Sent: Monday, September 24, 2007 11:58 PM
Subject: Re: [wp-hackers] Plugin update & security / privacy
I fail to grasp your argument. The reasons for the data being sent are
straightforward and obvious, to notify the blogger about upgrades
being available for both WordPress and plugins. With all the security
issues lately, and so many people bitchin' about WordPress having
security problems, then keeping people in the know about upgrades is
an important thing to do.
I guess I mustn't have been very clear: I have no problem per-say with what's being sent, only how it's done and what's said about it.

I'm sorry, but even notifying people about upgrades doesn't stop their installs from being insecure. The sheer number of posts on Planet and everywhere else aren’t that different from anything...

And there are a million ways of doing this without sending any info (getting the remote version and *locally* comparing it and seeing if an update is needed), but that's not my point.

My ONLY point is with the lack of a visible option to disable this functionality, and why someone seems to think it's OK for WP to do this silently and secretly and it's not for other companies/software/organizations. (and, no, just because you can name someone else that does it doesn't make it OK :-)

Computer Guru
NeoSmart Technologies
http://neosmart.net/
Jamie Holly
2007-09-24 21:42:37 UTC
Permalink
Very simple patch attached:

http://trac.wordpress.org/ticket/5066#comment:4

Rundown:

If option check_updates is not set then no checks will be done. The nag screen asks the user (with manage_options permission) to select if they would like this feature enabled or not. It links to the privacy options page (where I put the option). Selecting yes or no will make the nag go away. I didn't separate options for core and plugins. That can easily be 2.3.1 or 2.4, but this quick and simple patch should be easy to get into 2.3 and help curve any problems.

I also included a little paragraph under the option saying what will be sent to the server to insure full transparency.

Jamie Holly
http://www.intoxination.net
-----Original Message-----
Sent: Monday, September 24, 2007 5:13 PM
Subject: RE: [wp-hackers] Plugin update & security / privacy
-----Original Message-----
Sent: Monday, September 24, 2007 11:58 PM
Subject: Re: [wp-hackers] Plugin update & security / privacy
I fail to grasp your argument. The reasons for the data being sent are
straightforward and obvious, to notify the blogger about upgrades
being available for both WordPress and plugins. With all the security
issues lately, and so many people bitchin' about WordPress having
security problems, then keeping people in the know about upgrades is
an important thing to do.
I guess I mustn't have been very clear: I have no problem per-say with
what's being sent, only how it's done and what's said about it.
I'm sorry, but even notifying people about upgrades doesn't stop their
installs from being insecure. The sheer number of posts on Planet and
everywhere else aren’t that different from anything...
And there are a million ways of doing this without sending any info
(getting the remote version and *locally* comparing it and seeing if an
update is needed), but that's not my point.
My ONLY point is with the lack of a visible option to disable this
functionality, and why someone seems to think it's OK for WP to do this
silently and secretly and it's not for other
companies/software/organizations. (and, no, just because you can name
someone else that does it doesn't make it OK :-)
Computer Guru
NeoSmart Technologies
http://neosmart.net/
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Jennifer Hodgdon
2007-09-24 22:17:13 UTC
Permalink
Post by Jamie Holly
http://trac.wordpress.org/ticket/5066#comment:4
Just a note: the Milestone is set to 2.4 on this report, so there is
very little chance it will be noticed for 2.3.
--Jennifer
--
Jennifer Hodgdon

Poplar ProductivityWare * www.poplarware.com
Web Databases/Scripts * Modeling/Analysis/Palm OS Software
Jamie Holly
2007-09-24 22:27:24 UTC
Permalink
LOL thanks. I had set it to 2.3 and still had that tab opened - just forgot to submit it. This has definitely been a Monday.

Jamie Holly
http://www.intoxination.net
-----Original Message-----
Sent: Monday, September 24, 2007 6:17 PM
Subject: Re: [wp-hackers] Plugin update & security / privacy
Post by Jamie Holly
http://trac.wordpress.org/ticket/5066#comment:4
Just a note: the Milestone is set to 2.4 on this report, so there is
very little chance it will be noticed for 2.3.
--Jennifer
--
Jennifer Hodgdon
Poplar ProductivityWare * www.poplarware.com
Web Databases/Scripts * Modeling/Analysis/Palm OS Software
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Moritz 'Morty' Strübe
2007-09-24 22:48:09 UTC
Permalink
Post by Jamie Holly
http://trac.wordpress.org/ticket/5066#comment:4
If option check_updates is not set then no checks will be done. The nag screen asks the user (with manage_options permission) to select if they would like this feature enabled or not. It links to the privacy options page (where I put the option). Selecting yes or no will make the nag go away. I didn't separate options for core and plugins. That can easily be 2.3.1 or 2.4, but this quick and simple patch should be easy to get into 2.3 and help curve any problems.
Yea and turns update checking off. It's stupid to turn of a whole
feature just because you don't want it to do something it doesn't need
anyway: transmit the url.
Otto
2007-09-24 21:40:38 UTC
Permalink
I'm sorry, but even notifying people about upgrades doesn't stop their installs from being insecure. The sheer number of posts on Planet and everywhere else aren't that different from anything...
Well, this is much more intrusive, for one thing. Also it's much more
specific. And it's considering plugins as well, which is nice, since a
lot of plugins were recently found to have security issues too.
And there are a million ways of doing this without sending any info (getting the remote version and *locally* comparing it and seeing if an update is needed), but that's not my point.
Agreed, but Matt already addressed this in his thread, and I actually
agree with him on the reasoning there. It's possible to make it
smarter in one place instead of having to distribute your
intelligence. I tend to like having my servers do things too instead
of my clients. But that's just my opinion, of course.
My ONLY point is with the lack of a visible option to disable this functionality, and why someone seems to think it's OK for WP to do this silently and secretly and it's not for other companies/software/organizations. (and, no, just because you can name someone else that does it doesn't make it OK :-)
I agree with the need for an option, but I'm inclined to say that the
lack of it is an oversight, not an evil conspiracy. The functionality
shows that it has other deficiencies as well, and I think that lack of
this is more because they wanted to get working functionality out the
door and start getting blogs upgraded and making them more secure.
WordPress has been receiving a *lot* of criticism for being insecure
lately, a lot of which is somewhat unfounded. Getting the installed
base up to date would relieve a lot of that.

Anyway, if that's all your reaction is to, then I'd say you're
over-reacting somewhat, or at least it seems that way when you put it
into ASCII. ;)

-Otto
James Thomas Snell
2007-09-24 20:58:11 UTC
Permalink
I just joined this mail list about three hours ago - but I think I've
already seen enough to feel inclinded to say:

It seems perfectly acceptable to me to collect unpersonalized stats ONLY IF
the blog administrator manually enables such functionality. Perhaps it's
already been suggested, but why not add a step to the upgrade.php script
that provides an unchecked check box asking the admin to check it if they
wish to donate statistics? Perhaps this functionality could be accessed as a
plugin that can be controlled at the admin's will?

Sorry if I'm jumping in too soon here, I really don't have the time to go
back through the log of the previous messages. But maybe that there is a yet
to be made suggestion.

Cheers friends,
JT
Post by Computer Guru
-----Original Message-----
Sent: Monday, September 24, 2007 11:08 PM
Subject: RE: [wp-hackers] Plugin update & security / privacy
staking a position of saying it is or isn't. Think Microsoft. They
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Enough said.
Does anyone here seriously believe Microsoft gives a damn about *you*
personally and personally identifying info?
If Microsoft were to start silently and without warning begin recording
even NECESSARY info and sending it at regular intervals to Redmond, do you
think they would use that info to personally identify anyone or let that
data be leaked anywhere? The obvious answer is no f*****ing way.
But if Microsoft were to start doing such a thing, there would no end to
the litigation, lawsuits, and complaints. Businesses WOULD stop using it, in
the blink of an eye if they feel they've really been violated. And
governments - do you think the CIA would appreciate the fact that their OS
of choice is "spying" on them? Imagine the litigation and class-action
lawsuits to follow...
So why is it ANY different for WordPress? Being open source isn't a "Get
out of jail free" card, is it?
The latest versions of Windows and Office have a "consumer improvement"
program that sends periodic data to MS, *WITH* a guarantee that no
personally identifying info will be sent, AND a button you can press to see
ALL info being transmitted. What's more, it's OFF by default (as in opt-in).
And of course, they have one hell of a privacy policy.
Sure, I love and respect WP and the team. I know you guys won't misuse
this info, and so do many people out there too. I always opt-in to these
programs, because a developer I know the importance of statistics. But the
fact of the matter is, it's stupid, reckless, and just plain
un-thought-through to secretly send data back to
WP/Automattic/whatever-the-hell-it-is, *ESPECIALLY* without even an opt-OUT
button and most definitely without a privacy policy. I've got to say, what
the hell were you guys thinking?
This is the INFORMATION age. Information reigns king. It's valuable, yes.
But trust is even more valuable. WP is a piece of open source community
software, and decisions like this need to be done in the open with tons of
feedback - not with a bit of code slipped in under the radar with no warning
or discussion and absolutely no way of disabling it by default.
Just think about it. I haven't heard a _single_ argument that gives a real
/reason/ for what's being done (no, "it's harmless" isn't a valid excuse).
If it were ANY other for-profit company, each and everyone one of you would
be screaming up and down. So why is WP an exception? Like I said before,
Open Source isn't a carte blanche that lets you do whatever the hell you
please, it's just a frikkin license - and doing this kind of stuff assuming
that everyone would forgive you just because you're not a
Microsoft/Google/Apple/eBay/Whatever doesn't just not get you off the hook
but gives open source a really bad name if that's the excuse.
The golden rule: "Do unto others what you would have them do unto you"
If someone can give me a SINGLE good reason why it's OK for WordPress to
"what if it was Microsoft" and see what happens.
Every day I see a blog post about "OMG <INSERT BIG COMPANY HERE> is using
WP!!! WE PWNZ THE WORLD!!!" Cool.
Great. But what are all those big companies going to think when they
realize you're effectively spying on them???
Computer Guru
NeoSmart Technologies
http://neosmart.net/
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Moritz 'Morty' Strübe
2007-09-24 23:17:22 UTC
Permalink
Has all been talked through on the stats collecting thread (not this
one). This one started, because I looked into the code yesterday because
I wanted to make sure my plugin works alright with the update system.
I pretty much gave up on this discussion. My minimum goal was to at
least md5 the URL or remove it, as it isn't needed - it works fine
without the URL.
I'm just a little plugin-dev - and it seems like I am the first one to
notice, although this is a long announced feature. Are there core devs
on this list? Or is it matt, some plugin-devs and the people who treat
php4 vs php5 as a religion? Or are there so few people really caring
about their privacy and security?
And I have to state this again: I would have had no, well much less a
problem with this whole thing if the URL would have been transmitted
separate to the version and the plugin data. It no ones business that I
have the admin-porn plugin running, which shows a beautiful woman on
every admin page. Just as well that nobody needs to know that I'm
running the old version of plugin xy.
Yes, you can do a brute force, but it's a hell lot more efficient (as
Matt pointed out) if you have a nice list of domains to attack.

Morty (Who is more sad then frustrated)

P.s.: Before anyone asks where to get the admin-porn plugin. You may add
it here: http://wordpress.org/extend/ideas/
Post by James Thomas Snell
I just joined this mail list about three hours ago - but I think I've
It seems perfectly acceptable to me to collect unpersonalized stats ONLY IF
the blog administrator manually enables such functionality. Perhaps it's
already been suggested, but why not add a step to the upgrade.php script
that provides an unchecked check box asking the admin to check it if they
wish to donate statistics? Perhaps this functionality could be accessed as a
plugin that can be controlled at the admin's will?
Sorry if I'm jumping in too soon here, I really don't have the time to go
back through the log of the previous messages. But maybe that there is a yet
to be made suggestion.
Cheers friends,
JT
Post by Computer Guru
-----Original Message-----
Sent: Monday, September 24, 2007 11:08 PM
Subject: RE: [wp-hackers] Plugin update & security / privacy
staking a position of saying it is or isn't. Think Microsoft. They
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Enough said.
Does anyone here seriously believe Microsoft gives a damn about *you*
personally and personally identifying info?
If Microsoft were to start silently and without warning begin recording
even NECESSARY info and sending it at regular intervals to Redmond, do you
think they would use that info to personally identify anyone or let that
data be leaked anywhere? The obvious answer is no f*****ing way.
But if Microsoft were to start doing such a thing, there would no end to
the litigation, lawsuits, and complaints. Businesses WOULD stop using it, in
the blink of an eye if they feel they've really been violated. And
governments - do you think the CIA would appreciate the fact that their OS
of choice is "spying" on them? Imagine the litigation and class-action
lawsuits to follow...
So why is it ANY different for WordPress? Being open source isn't a "Get
out of jail free" card, is it?
The latest versions of Windows and Office have a "consumer improvement"
program that sends periodic data to MS, *WITH* a guarantee that no
personally identifying info will be sent, AND a button you can press to see
ALL info being transmitted. What's more, it's OFF by default (as in opt-in).
And of course, they have one hell of a privacy policy.
Sure, I love and respect WP and the team. I know you guys won't misuse
this info, and so do many people out there too. I always opt-in to these
programs, because a developer I know the importance of statistics. But the
fact of the matter is, it's stupid, reckless, and just plain
un-thought-through to secretly send data back to
WP/Automattic/whatever-the-hell-it-is, *ESPECIALLY* without even an opt-OUT
button and most definitely without a privacy policy. I've got to say, what
the hell were you guys thinking?
This is the INFORMATION age. Information reigns king. It's valuable, yes.
But trust is even more valuable. WP is a piece of open source community
software, and decisions like this need to be done in the open with tons of
feedback - not with a bit of code slipped in under the radar with no warning
or discussion and absolutely no way of disabling it by default.
Just think about it. I haven't heard a _single_ argument that gives a real
/reason/ for what's being done (no, "it's harmless" isn't a valid excuse).
If it were ANY other for-profit company, each and everyone one of you would
be screaming up and down. So why is WP an exception? Like I said before,
Open Source isn't a carte blanche that lets you do whatever the hell you
please, it's just a frikkin license - and doing this kind of stuff assuming
that everyone would forgive you just because you're not a
Microsoft/Google/Apple/eBay/Whatever doesn't just not get you off the hook
but gives open source a really bad name if that's the excuse.
The golden rule: "Do unto others what you would have them do unto you"
If someone can give me a SINGLE good reason why it's OK for WordPress to
"what if it was Microsoft" and see what happens.
Every day I see a blog post about "OMG <INSERT BIG COMPANY HERE> is using
WP!!! WE PWNZ THE WORLD!!!" Cool.
Great. But what are all those big companies going to think when they
realize you're effectively spying on them???
Computer Guru
NeoSmart Technologies
http://neosmart.net/
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
--
strübe.de <http://xn--strbe-mva.de>

Diese Email ist signiert. Sollte Dein Email-Client keine Signaturen
unterstützen wird eine smime.p7s-Datei im Anhang angezeigt.

Meinen PGP/GPG-Key gibt es auf den üblichen Keyservern.
Kimmo Suominen
2007-09-23 22:16:00 UTC
Permalink
Post by Mark Jaquith
Post by Matt Mullenweg
I think this feature is actually going to dramatically improve the
security of WordPress overall. We all saw the survey that 95% of WP
blogs were vulnerable. That didn't even look a plugins. I think the
survey was flawed, but you still can't deny that for most people
knowing there is an update and actually updating just doesn't
happen, and this is a necessary first step. If the only "trade-off"
is sending an ALREADY PUBLIC blog URL to wordpress.org, then great!
Back up a minute. Why is the blog URL needed? The update
notification functionality works fine without it. You don't need it
for statistics purposes -- wp_hash('update-notification') 's output
would be just as unique. How do users benefit by sending their blog
URL? I think the onus is on us to show why it is necessary or
beneficial. If we can't, it shouldn't be there.
Thanks, Mark -- I think that is the correct question.

And the same question should be asked about the other data that is
sent. Why are the plugin versions sent to the server? It should be
enough to send the plugin filename and/or name, so the server can
return a list of current versions. The client (WP) can then figure
out which plugins need updating.

Best regards,
+ Kimmo
--
<A HREF="http://kimmo.suominen.com/">Kimmo Suominen</A>
Matt Mullenweg
2007-09-23 22:32:49 UTC
Permalink
Post by Kimmo Suominen
Why are the plugin versions sent to the server? It should be
enough to send the plugin filename and/or name, so the server can
return a list of current versions. The client (WP) can then figure
out which plugins need updating.
The system was designed to keep the client side as light as possible so
the heavy lifting can be done on the server side, allowing us a lot more
flexibility and agility in adapting the service as it gets rolled out
and evolves.

For example right now nothing is done with regards to localization, but
because of the data being sent and the lightness of the client side we
could introduce that feature in the future without having to update
every install of WordPress in the world. This philosophy has worked very
well for Akismet over the past 2 years. I believe it is also the best
approach for WordPress.

Today the server does basically nothing, no logging, no analysis, no
stats, it's just designed to be as fast as possible since I don't know
what type of impact 2.3 is going to have on api.wordpress.org. In the
future, however, I think there is a lot of room to grow it, particularly
once we take updates to the next step and allow people to
upgrade/install things with one click from their dashboard.
--
Matt Mullenweg
http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com
Omry Yadan
2007-09-23 19:21:15 UTC
Permalink
Post by Matt Mullenweg
Post by Kimmo Suominen
Why are the plugin versions sent to the server? It should be
enough to send the plugin filename and/or name, so the server can
return a list of current versions. The client (WP) can then figure
out which plugins need updating.
The system was designed to keep the client side as light as possible
so the heavy lifting can be done on the server side, allowing us a lot
more flexibility and agility in adapting the service as it gets rolled
out and evolves.
some heavy lifting, comparing versions.
with Akismet the server actually provide a dynamic service to the
client, here all it needs to do is to tell it the latest version.
it can be as simple as storing a static file on the server.
Post by Matt Mullenweg
For example right now nothing is done with regards to localization,
but because of the data being sent and the lightness of the client
side we could introduce that feature in the future without having to
update every install of WordPress in the world. This philosophy has
worked very well for Akismet over the past 2 years. I believe it is
also the best approach for WordPress.
Localization of what?


I feel like I am wasting my time trying to convince you, but here are my
arguments anyway:
1. you have stated yourself that you don't need the url.
2. the url breaks the anonymity of the request, and many people will not
like it at all. most will only find about it once it blows up - and by
then they will feel installing a plugin to prevent it is like closing
the stable after the horses ran away.
3. it will blow up because bloggers are one most privacy aware
populations, and I give it less than a week from the official release
date. also expect a "Wordpress is spying on users" article on Slashdot
(This is not a threat, just an attempt to predict the near future).
4. you can't compare this to sending blog url (and version, why?!) to
technorati because people opt-in to send that information, and it's
required to provide them with the service they are receiving.
5. you can't compare it closed source programs with high opacity, that
may or may not send system information regularly. the reasons are that
people does not know what they send (binary/encrypted protocols, no
source) and that the companies cover their asses with the EULA. (so in a
way the users agree).

Omry.
Christian Höltje
2007-09-24 04:49:26 UTC
Permalink
Okay. Let's take a look at the situation.

I'm going to recap, please point out errors.

SITUATION:
Currently, 2.3 sends the bloginfo('home'), the plugin name, and the
plugin version # to api.wordpress.blah

The only thing currently being used by api.wordpress.blah is plugin
name and possibly the version number (but just for a simple string
check?).

However, having the server doing a version number check is actually
powerful because the plugins have version numbers all over the place
and api.wordpress.blah could actually track the chronological order to
figure out what's newer than what.

The URL currently servers no purpose. It could possibly do something
in the future, but I'm not clear what.

IMPACT:
The ACTUAL ability for a cracker to break into your blog is not
increased at all by collecting this information, assuming it was
somehow made available to malicious people.

However, the ability for a hacker to get a nice list of people who
haven't upgraded to the latest security fixed plugin foo is increased
by this. Which makes api.wordpress.blah a seductive target.

There is also the perceived security risk, which is unrelated to the
actual security risk. As we can see just from the very limited
audience on this mailing list, the perception is that there is an
increased risk for blog owners.

There is a reputation or privacy risk as well. The plugins
that a blog runs may or may not be detectable externally. However, it
is the blog owner's choice to advertise what plugins they have.

Finally, there is perception of a privacy invasion. Again, from just
this limited audience we can see that there are privacy concerns.

SUGGESTIONS:
I would suggest that this feature be off initially. It can be turned
on by the admin if they wish. It should not send a URL, though I
think generating and storing some sort of UUID, and using that instead
of the blog URL is probably the best compromise.

CLOSING NOTES:
I want to point out that there has been a thread about a collecting
wordpress statistics. It overlaps a lot of the concerns for this
feature. It was never proposed that this feature would be anything
other than opt-in.

Ciao!
--
He's turned his life around. He used to be depressed and miserable. Now he's miserable and depressed.
-- David Frost

The Doctor What: Kaboom! http://docwhat.gerf.org/
docwhat *at* gerf *dot* org KF6VNC
Kimmo Suominen
2007-09-25 11:25:26 UTC
Permalink
Thank you for including this info in the WP 2.3 announcement:

Our new update notification lets you know when there is a new
release of WordPress or when any of the plugins you use has an
update available. It works by sending your blog URL, plugins, and
version information to our new api.wordpress.org service which then
compares it to the plugin database and tells you what the latest and
greatest is you can use.

Now I feel I can simply translate that without worries about disclosure
on that front.

Best regards,
+ Kimmo
--
<A HREF="http://kimmo.suominen.com/">Kimmo Suominen</A>
Mark Shields
2007-09-25 17:02:33 UTC
Permalink
Post by Kimmo Suominen
Our new update notification lets you know when there is a new
release of WordPress or when any of the plugins you use has an
update available. It works by sending your blog URL, plugins, and
version information to our new api.wordpress.org service which then
compares it to the plugin database and tells you what the latest and
greatest is you can use.
Now I feel I can simply translate that without worries about disclosure
on that front.
Best regards,
+ Kimmo
--
<A HREF="http://kimmo.suominen.com/">Kimmo Suominen</A>
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
This e-mail thread found it's way onto slashdot, by the way. As usual,
there's a lot of spin.
http://yro.slashdot.org/article.pl?sid=07/09/25/1632246
--
- Mark Shields
Matt Mullenweg
2007-09-25 17:23:16 UTC
Permalink
Post by Mark Shields
This e-mail thread found it's way onto slashdot, by the way. As usual,
there's a lot of spin.
http://yro.slashdot.org/article.pl?sid=07/09/25/1632246
It's shocking how inaccurate that is. If anyone has a few spare moments
to drop some sanity in that discussion it would be a big help. It was
obviously written by someone with malicious intent toward WordPress.
--
Matt Mullenweg
http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com
Doug Stewart
2007-09-25 17:34:28 UTC
Permalink
Post by Matt Mullenweg
Post by Mark Shields
This e-mail thread found it's way onto slashdot, by the way. As usual,
there's a lot of spin.
http://yro.slashdot.org/article.pl?sid=07/09/25/1632246
It's shocking how inaccurate that is. If anyone has a few spare moments
to drop some sanity in that discussion it would be a big help. It was
obviously written by someone with malicious intent toward WordPress.
Trying to add some signal to that noise (no mean feat on Slashdot these days):
http://yro.slashdot.org/comments.pl?sid=307899&cid=20745559
http://yro.slashdot.org/comments.pl?sid=307899&cid=20745777
--
-Doug

http://literalbarrage.org/blog/
ozgreg
2007-09-24 05:50:14 UTC
Permalink
I can see both sides of the fence here and I agree with Matt is be nice to have a set of statistics but I feel fundamentally we need to give the blogger the ability to opt in on sending statistics rather than just blindly sending those statistics regardless of how benign they are..

We all know the history of other applications that have sent statistics silently back without allowing opt in (or out).. and the backlash those other applications had to face, lets not go down this road..

------------------------
WPG2 Installation, Operation & FAQ Documentation (http://wpg2.galleryembedded.com/)




-------------------- m2f --------------------

Gallery2 Embedded Forums (http://www.galleryembedded.com/forums/)
-------------------- m2f --------------------
Viper007Bond
2007-09-24 06:12:23 UTC
Permalink
I think an opt-in method would be a very bad idea. It'd nearly negate the
whole purpose of the feature as the majority of noob users would never turn
it on.

However, I full heartedly support an opt-out feature as well maybe a notice
the first time checking. Simply put, the default should be to check, but it
should be easy (easier than a plugin) to disable it.
Post by ozgreg
I can see both sides of the fence here and I agree with Matt is be nice to
have a set of statistics but I feel fundamentally we need to give the
blogger the ability to opt in on sending statistics rather than just blindly
sending those statistics regardless of how benign they are..
We all know the history of other applications that have sent statistics
silently back without allowing opt in (or out).. and the backlash those
other applications had to face, lets not go down this road..
------------------------
WPG2 Installation, Operation & FAQ Documentation (
http://wpg2.galleryembedded.com/)
-------------------- m2f --------------------
Gallery2 Embedded Forums (http://www.galleryembedded.com/forums/)
-------------------- m2f --------------------
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
--
Viper007Bond | http://www.viper007bond.com/
Omry Yadan
2007-09-24 06:19:18 UTC
Permalink
This is exactly why I said in the "automatic user feedback" thread that
we should not tie version check with statistical gathering.

those are to different functions, with different importance and
characteristics.

version check should be turned on by default, statistics gathering
should be opt-in.

the fact that they somewhat overlap and that it's tempting to merge them
does not mean it's a good idea to do so.
Post by Viper007Bond
I think an opt-in method would be a very bad idea. It'd nearly negate the
whole purpose of the feature as the majority of noob users would never turn
it on.
However, I full heartedly support an opt-out feature as well maybe a notice
the first time checking. Simply put, the default should be to check, but it
should be easy (easier than a plugin) to disable it.
Post by ozgreg
I can see both sides of the fence here and I agree with Matt is be nice to
have a set of statistics but I feel fundamentally we need to give the
blogger the ability to opt in on sending statistics rather than just blindly
sending those statistics regardless of how benign they are..
We all know the history of other applications that have sent statistics
silently back without allowing opt in (or out).. and the backlash those
other applications had to face, lets not go down this road..
------------------------
WPG2 Installation, Operation & FAQ Documentation (
http://wpg2.galleryembedded.com/)
-------------------- m2f --------------------
Gallery2 Embedded Forums (http://www.galleryembedded.com/forums/)
-------------------- m2f --------------------
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Viper007Bond
2007-09-24 07:50:23 UTC
Permalink
Let me refine what I said:

I think version check shouldn't be able to be turned off without a plugin.
It's just too important that a user keeps up to date. But for those fringe
cases, plugins handle it nicely.

As for the statistics, I think it should be opt-out not opt-in. I think the
_vast_ majority of users, including me, realize there's no harm in sending
along WP details and/or more likely, just don't care (all the noob users out
there). For those who do care for some reason, valid or not, a simple check
box would do the trick and avoid any negative... press (right word?) on the
matter.

We definitely don't want to make this seem secretive IMHO.
Post by Omry Yadan
This is exactly why I said in the "automatic user feedback" thread that
we should not tie version check with statistical gathering.
those are to different functions, with different importance and
characteristics.
version check should be turned on by default, statistics gathering
should be opt-in.
the fact that they somewhat overlap and that it's tempting to merge them
does not mean it's a good idea to do so.
Post by Viper007Bond
I think an opt-in method would be a very bad idea. It'd nearly negate
the
Post by Viper007Bond
whole purpose of the feature as the majority of noob users would never
turn
Post by Viper007Bond
it on.
However, I full heartedly support an opt-out feature as well maybe a
notice
Post by Viper007Bond
the first time checking. Simply put, the default should be to check, but
it
Post by Viper007Bond
should be easy (easier than a plugin) to disable it.
Post by ozgreg
I can see both sides of the fence here and I agree with Matt is be nice
to
Post by Viper007Bond
Post by ozgreg
have a set of statistics but I feel fundamentally we need to give the
blogger the ability to opt in on sending statistics rather than just
blindly
Post by Viper007Bond
Post by ozgreg
sending those statistics regardless of how benign they are..
We all know the history of other applications that have sent statistics
silently back without allowing opt in (or out).. and the backlash those
other applications had to face, lets not go down this road..
------------------------
WPG2 Installation, Operation & FAQ Documentation (
http://wpg2.galleryembedded.com/)
-------------------- m2f --------------------
Gallery2 Embedded Forums (http://www.galleryembedded.com/forums/)
-------------------- m2f --------------------
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
--
Viper007Bond | http://www.viper007bond.com/
Omry Yadan
2007-09-24 07:19:47 UTC
Permalink
instead of repeating myself, please read my comments in the thread
"Automatic feedback from users"
Post by Viper007Bond
I think version check shouldn't be able to be turned off without a plugin.
It's just too important that a user keeps up to date. But for those fringe
cases, plugins handle it nicely.
As for the statistics, I think it should be opt-out not opt-in. I think the
_vast_ majority of users, including me, realize there's no harm in sending
along WP details and/or more likely, just don't care (all the noob users out
there). For those who do care for some reason, valid or not, a simple check
box would do the trick and avoid any negative... press (right word?) on the
matter.
We definitely don't want to make this seem secretive IMHO.
Viper007Bond
2007-09-24 09:31:50 UTC
Permalink
Huh? What "thread" are you referring to?
Post by Omry Yadan
instead of repeating myself, please read my comments in the thread
"Automatic feedback from users"
Post by Viper007Bond
I think version check shouldn't be able to be turned off without a
plugin.
Post by Viper007Bond
It's just too important that a user keeps up to date. But for those
fringe
Post by Viper007Bond
cases, plugins handle it nicely.
As for the statistics, I think it should be opt-out not opt-in. I think
the
Post by Viper007Bond
_vast_ majority of users, including me, realize there's no harm in
sending
Post by Viper007Bond
along WP details and/or more likely, just don't care (all the noob users
out
Post by Viper007Bond
there). For those who do care for some reason, valid or not, a simple
check
Post by Viper007Bond
box would do the trick and avoid any negative... press (right word?) on
the
Post by Viper007Bond
matter.
We definitely don't want to make this seem secretive IMHO.
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
--
Viper007Bond | http://www.viper007bond.com/
Omry Yadan
2007-09-24 08:55:47 UTC
Permalink
look here:

http://comox.textdrive.com/pipermail/wp-hackers/2007-September/thread.html
Post by Viper007Bond
Huh? What "thread" are you referring to?
Post by Omry Yadan
instead of repeating myself, please read my comments in the thread
"Automatic feedback from users"
Doug Stewart
2007-09-24 11:16:58 UTC
Permalink
This functionality, and the way to disable it, should be mentioned in
the official 2.3 release information in 40pt. bolded, underlined,
italicized text, as even the APPEARANCE of untoward behavior should be
avoided. Doing sneaky stuff behind the scenes that has more face
value for the software provider and not for the software user has
already happened once in the history of WordPress and it's not a
specter I think anyone wants to conjure up again any time soon.

Full disclosure is the way to go, plus a link in slightly smaller text
pointing end users to Ideas and Kvetches so we can track end users'
reactions to this feature.

It would be terrible if this went "undisclosed" and then "leaked" to
sites that already have an anti-WP stance who could very well scare
users off of upgrading or even using WP in the first place.

At least that's how I see it.
--
-Doug

http://literalbarrage.org/blog/
Kevin
2007-09-24 14:04:07 UTC
Permalink
I would suggest that you get a basic understanding of what you are talking
about BEFORE you deride people's security concerns. Even Microsoft has made
Auto update both Opt-IN, and non-server side. They even tell you where on
your computer update info is stored so you can wipe it off if you want/need
to.

Anything which is "automatic" needs to spell out exactly what it is doing,
and if you are storing MY data on your server, then you have the
responsibility to disclose what you are doing to safeguard that data. You
aren't even encrypting the data transmission from my WP install to your
server, why should I believe you are doing anything to safe guard it once it
is on the server.

Go do some research on PII (Personal Identifying Information). The IRS has a
good primer on it:
http://www.irs.gov/irm/part1/ch08s05.html

Your home address and phone numbers are PII, even though they are publicly
available. The same is true of my blog URL and plugin information.

This really is the type of thing you have to make as public as possible
before hand. This should have been discussed by the entire WP community (we
are a community right? This isn't just your personal play toy right?) before
line one of code was written.

As Matt mentioned a few emails ago, this was brought up as an issue the day
before the release. You know why? Because once again WP has not involved the
community directly.

Also, remember that SENDING the data is only a small part of the issue here.
The real issue is the storing of the data. Obvious security issues aside
(the second you store my information, it IS a security issue, whether you
believe the data is valuable or not), the simple fact that you can then use
that information for any purpose you want (since there is no TOS/EULA
associated with it) at any point in the future is a problem.

Kevin
<http://technogeek.org/>
Loading...