Home Messages Index
[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index

Re: [wp-hackers] List etiquette

  • To: wp-hackers@xxxxxxxxxxxxxxxxxxxx
  • Subject: Re: [wp-hackers] List etiquette
  • From: Roy Schestowitz <r@xxxxxxxxxxxxxxx>
  • Date: Fri, 21 Apr 2006 01:21:00 +0100
  • Delivery-date: Fri, 21 Apr 2006 01:21:02 +0100
  • Envelope-to: s@schestowitz.com
  • In-reply-to: <4447E1FD.4070106@mullenweg.com>
  • References: <D0252C90757CBC4B8BC938A72BEDDF9DF98077@dsimail.drbsystems.com> <4447C4B9.2040900@ryanduff.net> <4447C83C.2090801@metalab.unc.edu> <4447E1FD.4070106@mullenweg.com>
  • User-agent: Internet Messaging Program (IMP) H3 (4.0.3)
___/ On Thu 20 Apr 2006 20:33:17 BST, [ Matt Mullenweg ] wrote : \___

Elliotte Harold wrote:
I disagree. Security by obscurity is at best 1 out of 2. Because you
posted the proof of concept I was able to analyze it, understand it,
and figure out how to protect myself against the attack despite a
huge amount of misinformation that continues to be thrown around on
this list. If you hadn't posted the proof of concept, I still
wouldn't understand exactly what the problem is or how to prevent it.

Yes, but the main responsibility of developers is not to Elliotte Harold. Your selfish interests do not coincide with the WP community.

I think this reply is a bit harsh (phrasing that was chosen in haste is
probable), but I tend to agree with the general idea. Protecting oneself
based on a description is something that only a puny userbase cares for, to
say the least.

I also missed your patch on Trac.

Publishing line-by-line exploits or details about security
vulnerabilities when we do a release would help crackers far more
than our general user base, which is overwhelmingly non-technical. We
get flak about it, but frankly I care far more about our non-savvy
and more vulnerable users than security-blinded idealists.

People aspire to get some merit for discovering bugs and reporting them. By
making reports non-public and offering no bounty, you are likely to deter
the required behaviour. Look at them vulnerabilities that are auctioned in
eBay. I am not suggesting that Autommatic should reveal its pocket.

This is not "security by obscurity," our source code, SVN diffs, and
Trac tickets are entirely public, it's just common sense of trying to
help your users more than script kiddies.

Security can also be attained by excess and 'noise'. Trac would be hard to
follow and script kiddies won't bother.

Firefox has a very similar approach.

It does, but let's not pretend that WordPress is on par with Firefox, or
even Apache (pertaining to a previous discussion/rant sparked by Skippy).

Best wishes,


Roy S. Schestowitz
http://Schestowitz.com  |    SuSE Linux    ¦     PGP-Key: 0x74572E8E
 1:10am  up 43 days 14:53,  6 users,  load average: 0.30, 0.61, 0.72

[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index