sniffing round Third World orphanages

Today, apparently, security holes are like Angelina Jolie having a baby.

Well, I’m not sure Ms. Jolie gets caught sniffing round Third World orphanages on a monthly basis quite yet, but it’s getting that way.

I’m past caring about exploits, I really am. I like to think that no script kiddie is going to attack my installs when all they have to do is google a vulnerable version and find some schmuck’s footer telling the world they’re still using 2.0. Seriously, who are these people who think shoving the release number in metatags is a good idea? It doesn’t get you traffic. It doesn’t help you when you’re trotting off to the forums with a problem (you can see it in the admin footer anyway, duh). If your readers care what version you’re using, then you need to think about why your writing is failing so miserably to hold their attention. The only people with any interest in this information are those who want to hack your blog. And you’re not even helping them out because they’ll get so much more of a buzz out of it if you make it slightly less easy for them.

🙄

(There is also much sly kicking of baby squirrels at said link, if you’re into that sort of thing. I await the inevitable ‘but we ARE open source now!’ protests in the comments.)
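The practical point above is that a `<meta name="generator" content="WordPress 2.0">` tag tells every visitor (and every scanner) exactly which release a blog runs. The script below is an added example, not code from the original post or from WordPress: it audits a page's HTML for that tag and reports whether a version string is being leaked, so you can check your own theme's output before someone else does. The HTML samples are constructed for the demo; only the Python standard library is used.

```python
"""Audit an HTML page for a version leak in the <meta name="generator"> tag.

Added example for the post above (not the post's or WordPress's own code).
The sample pages below are constructed for the demonstration.
"""
import re
from html.parser import HTMLParser


class GeneratorTagFinder(HTMLParser):
    """Collect the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        # attrs is a list of (name, value); value is None for bare attributes
        attr_map = {k.lower(): (v or "") for k, v in attrs}
        if attr_map.get("name", "").lower() == "generator":
            self.generators.append(attr_map.get("content", ""))


# Matches dotted release numbers such as "2.0" or "2.0.4"
VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")


def find_version_leaks(html):
    """Return one finding per generator tag: the raw content and, if present,
    the release number it discloses (None when only a product name is shown)."""
    parser = GeneratorTagFinder()
    parser.feed(html)
    findings = []
    for content in parser.generators:
        match = VERSION_RE.search(content)
        findings.append(
            {"generator": content, "version": match.group(1) if match else None}
        )
    return findings


def leaks_version(html):
    """True when at least one generator tag discloses a release number."""
    return any(f["version"] is not None for f in find_version_leaks(html))


# Constructed sample: a theme that advertises its release in the head
LEAKY_PAGE = """<html><head>
<meta name="generator" content="WordPress 2.0" />
<title>My blog</title></head><body>Hello.</body></html>"""

# Constructed sample: the same page with the generator tag removed
CLEAN_PAGE = """<html><head>
<title>My blog</title></head><body>Hello.</body></html>"""


if __name__ == "__main__":
    for label, page in (("leaky", LEAKY_PAGE), ("clean", CLEAN_PAGE)):
        print(label, find_version_leaks(page), "leaks version:", leaks_version(page))
```

Run it against a saved copy of your own front page to see what the theme is announcing. In WordPress the tag is emitted by the `wp_generator` action on `wp_head`, so a theme can suppress it with `remove_action('wp_head', 'wp_generator')` in its functions.php (standard WordPress API, not something on this page). As the comments below note, hiding the number is obscurity rather than security: the check is for cutting the free advertisement, and the actual fix remains keeping the install upgraded.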

5 Comments »

  1. Alan said

    “You would think complete transparency of the problems (it was on our bug tracker and mailing list)”

    I don’t think that’s complete transparency. I mean, sure, technically they’re being honest and open, but WordPress isn’t just for the tech geeks anymore – I daresay a majority of WordPress’ user base these days doesn’t know what either of those things are, and if they did, in the case of the mailing list, I’m betting they wouldn’t be at all inclined to trawl through the flames and vitriol just for a tidbit about a bug in WordPress.

    You then face the problem that when they DO make an announcement on the official blog about a security problem it often gets overlooked because people spend exactly 5 seconds on the dashboard before flitting off to make a post, or check a comment or something. It’s a hard game to win.

  2. I just find the following quote ironic:

    “There are certainly things intrinsic to coding that can make software more or less secure, but all things being equal the software with the most eyes on it, which usually means Open Source, will be the most robust in the long term.”

    For some unknown reason I can still remember the days when some people dare not whisper the word ‘security’ in public.

  3. adam said

    “You then face the problem that when they DO make an announcement on the official blog about a security problem it often gets overlooked”

    the most recent announcement is at least better in that regard, in linking the vulnerability disclosures, and making it obvious that this was a security release. but yes, those statements need to appear in the excerpt on people’s dashboards. bugfixes are only an addendum to patched flaws.

    re: sly kicking of baby squirrels, matt’s clarified a bit.

    the only advantage to showing off version numbers i can think of, is that where most people don’t read the dev blog, they do read their friend’s blogs. if they have a security conscious friend, they may notice an upgrade there. or a security minded friend may drop them a note, if they haven’t upgraded.

  4. adam said

    and i know you know that hiding version numbers in themes is security through obscurity (no security at all), but the proof is out there. there are other public facing pages that show version numbers.

  5. drmike said

    Every platform has security issues. To say a platform shouldn’t or to state that one shouldn’t use a platform because of the outstanding security issues is just a joke and a lack of common sense upon the original poster.
