For more than a week now, I have been aware of a very serious security flaw in a popular WordPress plugin. When a security flaw is discovered, there are a number of steps that must be taken to defend against a malicious hacker exploiting the flaw.
- Secure affected sites against such an attack.
- Notify software developer of flaw and proof-of-concept demonstrating the exploit.
- Make Public Disclosure.
Later today, I will be making public disclosure. THIS IS NOT THE NOTICE.
When we discovered this flaw (cheers to Duncan Riley for reporting it to me), the first thing I did was ensure that b5media was not vulnerable to this exploit. After a few days, I made the plugin author aware of the flaw and, at the same time, gave him a timetable to fix it. That timetable was seven days. Today, at some point around 5pm EST, I’ll be posting my findings and proof of concept.
To be clear, I could have easily posted the exploit details when I discovered it. Taking software security to heart and realizing that bugs happen (I’ve been programming for over six years now), I’d rather be told of the problem and allowed the chance to fix it than have thousands of potential hack victims.
He thanked me and has put in significant effort on a new version of the plugin, but it would seem that at this point, the plugin author would rather whine about not having his next version ready than to get the job done. Of course, as a plugin author, you own the problem. It’s your fault and it’s on your head if someone else gets hacked. At the end of the day, it doesn’t matter to the guy with the hacked blog that you go to high school and don’t have time in your day to take care of unpaid work. You put the plugin out there. Thousands like it and use it. And thousands of blogs could be hacked.
At the end of the day, security flaw details are released to protect the public by forcing the programmer to take care of business. If I were black hat, I could already be wreaking havoc on blogs and not tell the plugin author or anyone else how it was happening.
My advice to programmers: Quit getting defensive about your work. Do the work cleanly. When someone reports a bug, fix it, even if the fix is just a patched version of the same plugin. You can’t be blamed if you show due diligence. Sit on your ass and complain that someone is going to expose the flaw, and you’ll lose credibility; your reputation and the reputation of your plugin will be tainted.
I’ll be posting the details of this flaw this afternoon as planned. Stay tuned.

{ 72 comments }
Jim 09.22.06 at 1:47 pm
Aaron:
Did you pay for the software? If not, and it’s freely licensed and without a warranty, I’m afraid you don’t have much of a leg to stand on. If it’s open source, you certainly can go in and fix it yourself — but you *can’t* compel the author to do what you may think is “the right thing,” regardless of what that is. That’s part of the catch with FREE software, including plugins.
By the same token, once it’s released into the wild, anyone can do whatever they want with it, including report flaws. The author may not like it, but they can’t control what other people do with code they made freely available.
It’s a free country, and it’s free software . . . if the guy won’t fix it, you’ll have to do it yourself.
– Jim
Aaron Brazell 09.22.06 at 1:52 pm
Jim,
Preciate your feedback here. When the author was notified of the issue he should have released a patched version of the existing plugin. Fixed. Instead he chose to press on with another version, and most of the issues I see with the new version are cosmetic. There were a few issues that I told him about and in subsequent beta builds he fixed. That’s great, but for cosmetic issues, release the new version and fix cosmetics later. Better yet, patch the first version, which would have taken a line of code.
Sure, I can fix it, but why should I? I’m not releasing a fixed version. He, on the other hand, is releasing a flawed version. Free or not, that’s on his head.
Of course I can’t compel him, but the pressure will mount.
Jim Turner 09.22.06 at 6:18 pm
Let me play devil’s advocate here.
If you know of a flaw and a problem with a plugin, are you not under a duty to make it public that the plugin is flawed and can harm people? If you, as the finder of the problem, have knowledge of the problem and choose not to disclose that to the public, then wouldn’t you have some negligence in making someone’s site vulnerable?
Just another view; I of course would never accuse you, Aaron, of doing something like that. I’m not a programmer and have no idea, but I would be upset if someone knew of a problem and withheld it to let a programmer save face, and then my site was hacked as a result.
MKR 09.22.06 at 7:00 pm
Looks like he uploaded a fixed version.
Karl Fogel 09.22.06 at 7:06 pm
Aaron’s procedure is pretty much the standard in open source, as far as I’m aware. When you find a security bug, you notify the upstream maintainers, and then have a conversation about dates — but if the author doesn’t commit to a reasonable date, it’s perfectly reasonable to give them a deadline by stating that you *will* publicize the flaw within X days.
This is reasonable because an author can always make a patch release of the latest released version. The author is not required to release an entirely new version of the software, complete with new features and other bugs fixed. In fact, releasing a patched version (latest release + security bugfix) is a good idea even if the author *also* releases an entirely new version. People should not be forced to upgrade everything just to get a security fix; they should have the choice of just getting the fix without any other changes.
Talking about “it’s open source, you have the right to change the code, so don’t complain” misses the point. Aaron wasn’t complaining that he needed something from the author that the author wasn’t willing to give. Aaron had already fixed the bug in his copy! His post is about the appropriate way for the author to behave once notified.
An author who isn’t willing to behave that way (even though it’s easy, remember, because no one but him is insisting that he finish up his full rewrite in order to release the security bugfix) is simply doing the wrong thing. Yes, he’d be within his “rights”, but don’t confuse “right” as in “guaranteed societal freedom” with “right” as in “correct action in a given circumstance”. It’s a pity English doesn’t have two different words for these different concepts.
The objection that because this is open source, Aaron has no standing to pressure the author into doing the right thing is spurious. It reminds me of how people sometimes respond to criticism of something they’ve said by replying “I have my right to free speech!” Well, yes, no one was arguing that. They were arguing that the speech’s content is wrong, not that you shouldn’t have the right to say it.
Aaron has the right to pressure the author to do the right thing. The author has the right to refuse. But none of that changes what is “right” here!
-Karl
Aaron Brazell 09.22.06 at 7:15 pm
I’ve posted the details.
Jim Turner 09.22.06 at 7:26 pm
Karl, thanks for setting me straight on the standards for open source. I was merely trying to determine: when a person has found a bug and alerted the person that has shown the plugin, and that person is now aware, isn’t it okay at that point to show the bug, even if the person that came up with the software has not fixed it? It alerts the rest that there is a bug, and they can then ask the developer if he has fixed it. Why cover up the problem and pretend that it is not a bad bug? Tell the developer and the rest of the world to eliminate possible problems?
Jalenack 09.22.06 at 7:39 pm
Hello hello,
I’m the author of the plugin at fault.
This has been a rough ordeal. Aaron notified me of the problem on Sep 15. I realize waiting a week is a long time for an essential fix.
I got caught at a bad time because the all-new-from-the-ground-up Democracy 2.0 was almost done. I wanted to avoid having to make an update to 1.2 when 2.0 was coming so quickly and upgraders would have to upgrade again in a couple days. It’s not a very strong argument. But anyways, I’ve released 2.0 now and it’s working for everyone who’s tested it so far. I’m fully expecting to release many fixes to it in the next couple days as people report on any potential problem.
I feel the accusations of laziness in this post are undeserved. I AM a junior in high school and I only have a limited time to work on the plugin. Today I spent all of my free period, lunch, and afterschool working on releasing 2.0. This past week I’ve put in an average of 5 hours a day working on the plugin and getting it tested around. My goal for 2.0 was to test it thoroughly (with lots of people involved) before I released a new version, so that I wouldn’t repeat the same problems of 1.x. Aaron’s pressure and this post made the posting rushed.
Darren McLaughlin 09.22.06 at 7:47 pm
I went public with the SEO problem, without much contact with the author.
Why? Because I wanted the site owners to be warned about a potentially damaging situation. It’s their sites and they have the right to know.
Aaron Brazell 09.22.06 at 7:53 pm
In fairness to Andrew, after he pissed me off enough to write this post (which is a valid entry regardless of the flaw or author involved), he did do quite well in getting 2.0 out the door. I agree that 1.2 should still be patched in conjunction with 2.0 being released.
Jalenack 09.22.06 at 8:21 pm
“after he pissed me off enough to write this post”
Hey whoa, that’s messed up. Releasing vulnerabilities should have nothing to do with personal enmity. It shouldn’t matter that I pissed you off.
What should matter is whether the WP community at large will benefit from your posting. And that, I think, is questionable. Posting in such detail only encourages people to go out and try to hack around. Users of the plugin can be sufficiently convinced to upgrade by saying there’s a “SERIOUS SECURITY FLAW” in 1.2.
Perhaps I’ll work on a patch to 1.2. As it’s open source, anyone could.
Right now I’m just going to get a breath of fresh air. No negative reports of Democracy 2.0 have come in yet ;)
Aaron Brazell 09.22.06 at 8:27 pm
No personal enmity at all, Andrew. I alerted you I’d post this a week ago and you gave me a hard time when I kindly reminded you this morning. Like I said, this particular post (not the detailed vulnerability one), has value in it no matter what flaw or what chunk of code. It’s why I post this stuff.
Jalenack 09.22.06 at 8:37 pm
Darren,
It was quite a shock when someone else (oh yeah, it was Aaron) sent me a link to your blog. You made no concerted effort to let me know about the problem. I never got a good response about how to fix the problems. And now, I’ve implemented nofollow in 2.0. I have a feeling that’s not a full solution. But I’m not an SEO expert, and I don’t know what is a good solution. If you or anyone could let me know, I would really like to be sure for Dem 2.0.
And Aaron, I just read over our emails together. You did tell me you would post in one week. I completely didn’t register that line. I had no idea you had put me on a track. Of course, I have no one to blame but myself. Sorry.
I’m not trying to make enemies with anyone here. What you two have found are indeed grave problems with Democracy. It’s just been very frustrating to see all these posts arise without any chance for review or discussion.
We’ll get over it though. Democracy 2.0 is a step in the right direction. It’s not perfect yet. But it’s all I have to offer right now. What’s past is past.
Karl Fogel 09.22.06 at 9:08 pm
Jalenack,
Don’t feel too bad — I think this pain is something everyone goes through the first time they release a piece of software that turns out to have a security hole (I learned it via an early version of Subversion, though it was a bit easier because I wasn’t the only maintainer, i.e., the only person able to make an official-sounding release as a source people already trust).
I strongly recommend making a 1.2 release that is exactly 1.1 plus the bugfix (it would have been better to do that first, really). For a careful site administrator, upgrading and closing a security hole are two distinct things, and they usually want the choice to do one but not the other, conveniently. I say “conveniently” because, sure, anyone can get the patch and apply it themselves… But in practice, people are counting on the maintainers to make this stuff easy. That’d be you :-).
Um, at the risk of pontificating even more: here’s some material on security announcements and releases that may be helpful:
http://producingoss.com/html-chunk/publicity.html#security
http://producingoss.com/html-chunk/release-lines.html#security-releases
Good luck,
-Karl
P.S. Jim, to answer your question: I think the key thing is giving the maintainer(s) a window of time to make a security release. Since a security release is, by definition, just the most recent public release plus the security fix, it should never take more than a day or so to put one together. Since the discoverer of the bug usually understands that the maintainers are volunteers and may not check their mail within 24 hours, though, a typical window size is 5 days to a week (I’ve seen as low as 3 days). Of course, you should also go public with the flaw! But by waiting until the maintainers have had a chance to put together a patch and a release, you can include links to those things in your announcement of the flaw. That way no one’s helpless: the moment they see the news, they also see a solution, and they’re not stuck improvising.
This method has proven to be a good compromise between going public immediately and sitting on the discovery forever, I think.
Jalenack 09.22.06 at 9:26 pm
Good feedback coming in. Just released a fix for the SEO problems mentioned above.
Carol 09.23.06 at 3:01 pm
I’m amazed that a group of adults would get nasty with a highschool kid. Nice. :p
Aaron Brazell 09.23.06 at 3:27 pm
Who invited the woman to the party? :p
Carol 09.23.06 at 4:13 pm
LOL — I invite myself. You haven’t figured that out by now?
:: douses the crowd with a cloud of estrogen ::