Dealing With The Problem — Why Now?

Dealing With The Problem

In comments, Kryten mentioned ManageWP’s Vladimir Prelovac and his post: An Open Letter to the WordPress Community: Let’s Solve Security Once and For All.

Vladimir has pledged $10K towards a ‘white hat’ effort to find and fix weaknesses in the WordPress code, and to educate the community on security.

A worthy goal, if not totally attainable in the foreseeable future because of the nature of the WordPress code and the system under which it is developed.

He also notes something that really annoys me: I’ve been attacked twice in a month, but WordPress didn’t notify me of the threats. My host, NearlyFreeSpeech.net, sent me an e-mail telling me about the problem and the steps they had taken to stop the attacks.

WordPress issued an update for the first problem, but there have been crickets concerning the second. I’m leaving the changed file permissions in place for both issues, because I don’t really trust the ‘fixes’. That makes things a bit more complicated, but I don’t have to worry about those types of attacks.

The problem is the code of silence that surrounds exploits: nothing is said until after a patch is issued. That policy makes sense if the attack is discovered by a ‘white hat’ security researcher who notifies the software development team; there is no need to tell the ‘black hats’ about a possible weakness. But if the exploit is already being talked about by the ‘black hats’, the only people who don’t know about the problem are those most affected: the users.

You don’t want to yell ‘FIRE!’ in a crowded theater … unless there is a fire, because then people would really like to know about it.

8 comments

1 Kryten42 { 09.11.14 at 9:51 am }

Seems Vladimir has picked up a few pledges already. Including one to help kick it off in France. 🙂

Yeah, I liked what I’ve seen of NearlyFreeSpeech since you pointed them out to me a couple years ago. 🙂 They are no use to me for my Biz site, but they would probably be just fine for my WP blogs (though not the MU blogs). I did the numbers with their online calculator, being as realistic as possible for 12 months’ hosting of two WP blogs. It came to about $96/yr, with almost half of that being for MySQL ($40 for 4 DBs). That’s pretty good really! 🙂 If I wasn’t now committed to Prometius (we have been doing a lot of work together now) I would certainly consider them seriously. 🙂 I know several hosters that could learn from them.

As for WP and the attitude to bugs generally, and security issues specifically… It reminds me very much of what I went through with Joomla! in ’09/’10, especially the extremely arrogant attitude of the Devs. At least the WP Devs are polite, mostly. I finally had enough and abandoned Joomla! I fixed 4 very annoying yet trivial to fix bugs in Joomla! by hacking the bad code in php files with zero help or support from the Devs, but a lot from the community. Two of the bugs had been in the core since the first release, and for several updates with no fix. And one was simply a stupid single line code mistake! I see this often. Too many developers have egos bigger than the moon and are so stubborn that if you find a bug, they will simply not hear you and rather do nothing than acknowledge they made a simple mistake!

When I issued the fixes to the Joomla! community, I always added this to the code and the attached document:

*sigh*… One more down… so many more to go!
Thanks to the Joomla! user community for their help and positive responses to this simple fix (though it was not simple to track down, especially without help from pathetic developers).

The Joomla! developers can drop dead; or learn to listen, learn to properly write and test code, and learn some humility. I shan’t hold my breath.

This is my second fix for an inherent (and fairly simple) Joomla! coding bug submitted freely to the Joomla! user community. The Joomla! developers may not use this without appropriate credit in the code and on the development forum and any related documentation.

There are no guarantees or warranties given or implied. Use at your own risk. E&EO.

And lo and behold… the bugs magically disappeared a few years later in v2.3! Of course, I got zero credit (as expected), but the community knows who was responsible (and I received several e-mails attesting to that! Of course, I also received the expected hate rants from ass-kissers and ignorant fan-boys, who nonetheless used my fixes! Humans… They never fail to be predictable hypocrites!) Amazing, it only took them three years to fix a few single line code bugs! LOL

So no… I shan’t be holding my breath! 🙂

Oh, here Bryan… You may find this useful. Was just posted on the WPMU DEV blog:
Stop WordPress Comment Spam With These Pro Tips

2 Bryan { 09.11.14 at 7:54 pm }

Vlad’s concern is very much on target. My spam problems are centered around the fact that the guys behind WP-Spamfree stopped updating it and 3.92 broke it. It had been doing the job for years.

BTW the article just confirms my set up on comments. I have used those comment settings from the beginning and was trying his second recommended spam plugin suggestion when everyone got bounced as spammers.

The guys developing the WP core aren’t concerned with what happens to plugins when they start adding ‘features’. New features are nice. I don’t use any of them, but others may want them. It’s the same with themes. There aren’t any new three column themes that don’t waste space. I don’t need all of their features.

Coders, to be really good, need to find someone else to look at their code, because if you have been writing it, you often see what you intended to write instead of what is actually on the page. Reading it aloud helps a little, but you really need to have another set of eyes look at it. When you make a mistake you admit it, fix it, and move on. People will forget it. If you refuse to admit you made a mistake no one will ever forget it.

3 Kryten42 { 09.12.14 at 8:23 pm }

I’ve been testing the released WP 4.0 the past couple days (on my local test server with CentOS 7) and I have to say, it does not deserve a full version number increment. It’s really 3.10, especially given that many of the changes were at least partly available in 3.9. Several of the ‘enhancements’ are really due to external library updates (such as TinyMCE, jQuery & MediaElement). Some of the recently touted enhancements are plugins (such as the nice new WordPress Front-End Editor, which is actually still in Beta!). A new back-end feature, “Plugin Beta Testing”, makes it a little safer and easier to test beta plugins on a live platform. Most changes are cosmetic (though welcome) in nature. The best two for me are the better editor and the better back-end plugin/theme management. They did enhance the API with some much-wanted controls. I think they may have tightened up the code a bit also. It does seem a little faster and smoother, especially in the back-end. 🙂 Still, it really does not deserve v4.0 status!

Over all, it gets a “Meeeeeh.” from me! 😉 😀

Marketing… where would we be without it? *sigh*

4 Bryan { 09.12.14 at 9:10 pm }

I’m waiting for 4.1, the bug release, because it should be out shortly.

It would be nice if there was an ‘old school’ branch for the traditionalist bloggers who eschew all the multimedia stuff. I’ll upgrade, but be really pissed off if the new version breaks any of the plugins I use.

Yes, the editor does tend to be weird at times and do things I don’t want done for unknown reasons, but I know about it and how to fix it.

5 Kryten42 { 09.13.14 at 4:15 pm }

Well… I give up! Abbott is definitely anti-Australian! Not only is he spending billions in USA, but now Japan!

283. Breaks election promise to build replacement submarines in South Australian shipyards, spending more than $20 billion on Japanese submarines instead – 8 September, 2014

It’s f***ing insane given that the Collins is regarded as possibly the best non-nuclear sub in the World! RAND Corp released a report that stated:

“It remains one of the most impressive diesel subs in the world because of its strenuous operating environment, the report said, despite contracts being rushed through in time for an election.”

And what? The USA would NEVER rush anything through for an election! LMAO The difference being, apparently, that in spite of that, the Collins worked!

The Collins submarines experienced a wide range of problems during their construction and early service life. Many of these were attributed to the submarines being a new, untested design, and were successfully addressed as they were discovered. Most systems and features worked with few or no problems, while the boats’ maximum speed, maneuverability, and low-speed submerged endurance were found to exceed specifications.

Anyway, my main beef is this: The ASC (Australian Submarine Corporation) originally held 60% of the shares in the Collins, with the rest split between US/Swedish and other nations’ companies. Over the next 5 years, the ASC began buying back those shares, and it now owns over 90% (with other Aussie industry partners). This was to ensure that the fleet and future submarine would be kept wholly Australian. In 2003, ASC was awarded a 22 year contract to maintain the fleet, and develop the next-gen sub. The contract was worth about $25 billion (2003 dollars). All the planning and billions spent over the past decade have just been tossed out because Abbott decided the new Sub would be built in Japan (without any tender process), and he plans to bring the commissioning date forward 5 to 10 years! The Collins was designed to have a full service life until 2025. Which means that the ASC shares are pretty much worthless now!

Unbelievable!

6 Bryan { 09.13.14 at 8:11 pm }

First he chases the Toyota jobs out of Australia and now he’s destroying the ship-building industry. Someone needs to remind me why ‘conservatives’ are supposed to be good for business.

The only people prospering under Abbott’s policies are the extraction industries. You can’t base your economy on exporting raw materials if you want to survive in the long term, because they are finite, and when they run out you are screwed.

The agricultural sector is dealing with climate change and as one of the major grain exporters in the world the bad weather interfering with Australia’s grain harvest is going to raise food prices worldwide. Meanwhile, Abbott has no policy directed at climate change because it might impact the coal exports.

Does anyone believe that voters will figure it out before the next election? I’m personally doubtful.

7 Kryten42 { 09.15.14 at 2:04 pm }

I started to reply 4 times over the past couple days. Then I got very angry and gave up. For the first time since the 80’s… I wish I was still a sniper. I’ve even been thinking about black market contacts I used to have…

This should give you some idea about what Abbott cares about:

276. Unemployment hits highest level in 12 years – 7 August 2014
272. Axes the carbon tax with no viable policy to address climate change or Australia’s emission targets – 17 July, 2014
251. Excludes Australian shipyards from a major new contract, sending jobs offshore and threatening the industry in Australia – 05 June, 2014
246. Abolishes funding for Building Australia’s Future Workforce — Connection Interviews and Job Seeker Workshops and the Experience+ Career Advice initiative – 13 May, 2014
220. Cuts Australian Research Council funding – 13 May 2014
201. Scraps a range of grant programs aimed at funding innovation and start-up businesses, including: Australian Industry Participation; Commercialisation Australia; Enterprise Solutions; Innovation Investment Fund; Industry Innovation Councils; Enterprise Connect; Industry Innovation Precincts; and Textile, Clothing and Footwear Small Business and Building Innovative Capability – 13 May 2014
137. Spends $12.4 billion on new fighter jets whilst claiming a budget “emergency” and preparing to make big cuts to health and welfare – 23 April 2014
136. Abolishes the research and development tax incentives board – 11 April 2014
125. Cuts 400 jobs from the industry department – 25 March 2014
120. Cuts hundreds of jobs at the CSIRO – 14 March 2014
119. Reopens 457 visa loopholes to allow employers to hire an unlimited number of workers without scrutiny – 12 March 2014
115. Introduces legislation to allow people aged between 17-24 years old to work for half the minimum wage and be exempted from all other work rights including health and safety laws and protections should they be injured at work – 26 February 2014

and there is much more!!

Oh! But he did do this:
126. Brings back the awards of knights and dames which were abolished in 1986 – 25 March 2014

Fuck me!

And we have these also…

131. Imposes fees and charges on people who become bankrupt – 1 April 2014

249. Takes money from the Royal Commission into Institutional Responses to Child Sexual Abuse and gives it to the Royal Commission into the Home Insulation Scheme – 28 May 2014

And much more of that also!!

He needs to be removed. And very soon!

8 Bryan { 09.15.14 at 5:24 pm }

Their budget problems are going to kill them. The price of iron ore has fallen off the cliff, so their budget projections are now worthless. China’s building boom is over and that is affecting ore prices and oil prices. The tax revenue isn’t there, and you can’t save enough to make up the losses if you eliminate all social services, despite what they may claim.

This is Abbott’s problem, caused by Abbott’s policies.

Ignoring the UN’s climate conference is not going to endear him to the Pacific island nations who are already annoyed for a lot of other reasons. Spending money on attacking ISIS is not going to cheer up the folks at home, who don’t see the need to get involved in another Mideast war.

People are starting to notice that after a year things are getting worse, not better, and the next election is probably closer than he wants to admit. You can at least change governments without waiting a specific length of time if the government can’t do its job.