2014 September 09 — Why Now?

Dealing With The Problem

In comments, Kryten mentioned ManageWP’s Vladimir Prelovac and his post: An Open Letter to the WordPress Community: Let’s Solve Security Once and For All.

Vladimir has pledged $10K towards a ‘white hat’ effort to find and fix weaknesses in the WordPress code, and to educate the community on security.

A worthy goal, if not totally attainable in the foreseeable future because of the nature of the WordPress code and the system under which it is developed.

He also notes something that is really annoying to me – I’ve been attacked twice in a month, but WordPress didn’t notify me of the threats; my host, NearlyFreeSpeech.net, sent me an e-mail telling me about the problem and the steps they had taken to stop the attacks.

WordPress issued an update for the first problem, but there have been crickets concerning the second. I’m leaving the changed file permissions in place for both issues, because I don’t really trust the ‘fixes’. Things are a bit more complicated, but I don’t have to worry about those types of attacks.

The problem is the code of silence that surrounds exploits – nothing is said until after a patch is issued. That policy makes sense if the attack is discovered by a ‘white hat’ security researcher who notifies the software development team. No need to tell the ‘black hats’ about a possible weakness. But if the exploit is already being talked about by the ‘black hats’, the only people who don’t know about the problem are those most affected – the users.

You don’t want to yell ‘FIRE!’ in a crowded theater … unless there is a fire, because then people would really like to know about it.
