WordPress 2.3 Does Not Spy On Users [UPDATED]
Marilyn Miller writes "Popular open-source blogging engine WordPress has been upgraded to 2.3 — with some unexpected nasties in the mix. As of version 2.3, WordPress now periodically (every 12 hours) sends personally identifying information (blog name & URI) to the mothership, along with an alarming amount of information including $_SERVER dumps, a list of installed plugins, and your current PHP/MySQL settings. Most unfortunately, it does not provide any way of disabling this functionality, and WordPress does not have any privacy policy protecting this information. In a thread about the issue, lead developer Matt Mullenweg defends his actions and staunchly refuses to add an opt-in interface, telling users to 'fork WordPress' if they aren't willing to put up with this behavior." Update: 09/25 17:52 GMT by KD : This article is misleading enough to be called "just wrong." Matt Mullenweg writes: "As mentioned in our release announcement, the update notification sends your blog URL, plugins, and version info when it checks api.wordpress.org for new and compatible updates. It does not include $_SERVER dumps, or any settings beyond version numbers (for checking compatibility), or your blog name, or your credit card number. We do provide a way of disabling this feature; in fact I link to one of the plugins in the release announcement and in my original response to Morty's thread."
He can go fork himself.
Crow isn't very nutritious.
Cue OpenWordPress project appearing in Sourceforge in 5... 4... 3...
...But people are busy checking their posts from the "Sony DRM" thread last month to make sure they don't look like hypocrites.
telling users to 'fork WordPress'
Consider it done.
illegitimii non ingravare
PrivatePress
The world is made by those who show up for the job.
One way to disable it is to go into the code and remove the offending portion. Couldn't be that hard to do. And once somebody does it and posts instructions, it gets even simpler. No reason to fork the project.
And WordPress isn't that complicated that this is something that no one but the most hard core will do. Tons of WordPress users regularly go in and tweak it for their own uses. I haven't moved to this new version with my site yet - I always wait a bit for things to shake out, and stuff like this is why. When I do upgrade, I'll just fix my install.
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
So what does it send, according to the FA:
The blog's URL
A list of all plugins and versions
A list of the $_SERVER env variables
How is this information not necessary for a robust autoupdating/autonotifying infrastructure? Since the plugins are the source of so many vulnerabilities, you need to know their versions etc.
Since so much incompatibility may be caused by funky $_SERVER variables, you need to know their contents.
And the blog URL tells you who it is.
Windows Update has to send far MORE intrusive information.
Test your net with Netalyzr
Well if anyone is looking for an alternate upgrade path, I 'upgraded' my blog from Wordpress 2.2 to Pyblosxom and am really enjoying using it:
- it's really light and fast
- I can edit posts in a text editor rather than a web based interface
- it's in Python and very easy to customise
- theming is far simpler, just rip your HTML template into a header and footer, rather than having to make 12 files with Wordpress.
Plug over... Move along...
My little Linux and tech blog
Why can't they download a file with a list of "all updates" and check locally?
Read the thread. This isn't a developer admitting to spying on users. This is debate over a new feature written to help you keep from getting your blog haxored. They are collecting server and plugin data to help you to keep your software up to date.
Matt Mullenweg is being very reasonable and reasoned in dealing with a small but vocal group's paranoia. In the same breath that he mentioned forking Wordpress, he also mentioned that another option is using a plugin that disables this behavior.
The submitter should be ashamed.
If the developer decides to insert malware, or other forms of code not acceptable to you, the GPL gives you the freedom to modify it to suit your own needs. If that means you have to fork the project, so be it - that's within your rights under the GPL.
OTOH, the idea of using FOSS (good!) as a venue for spyware (bad!) is enough to make a guy's head explode...
The second way that the open source model has won, is that users who disagree with the direction the application is heading in can now fork. In fact, the head developer of the project suggests it. I'm pretty confident that this will happen and happen fast. Given that people "fork" (some say hack/crack) closed source software all the time to leave out all of the "evil" modules (See Kazaa > Kazaa Lite > Kazaa Lite K++; and don't forget cracked Windows XP) forking an open source project to leave out all of the "evil" modules should be pretty easy. I'm no developer, but I could see this being as simple as taking the original source, commenting out/removing the bad stuff, and then redistributing.
"It's not whether you win or lose, it's how drunk you get." -- H. J. Simpson
As to what the summary refers to, where Matt suggests a person fork Wordpress:
Again, he gives the solution to the original poster's complaint (Moritz 'Morty' Strube). If this Moritz is really concerned, he can fork and remove the new code that transmits this information - or if he isn't too concerned, just install the plugins Matt suggested.
This is making something out of nothing. Definitely nothing to see here, please move along.
Maybe I missed it, but it struck me that the developer's response was very civil, and well thought out. From the slashdot article you'd think he'd told the whole community to "fork off"?
So - did I miss something, or did everyone else not RTFA?
Since no one had actually linked the Fork comment, http://groups.google.com/group/wp-hackers/browse_thread/thread/bdced7524fa79a18/f8b5bc6efc4a4005#f8b5bc6efc4a4005
> If you don't trust wordpress.org, I suggest you do one of the following:
> 1. Use different software.
> 2. Fork WordPress.
> 3. Install one of the aforementioned plugins.
The "fork wordpress" comment by Matt is taken out of context. See the link in the summary and do a ctrl+f search for "Matt Mullenweg".
As a rule spying on users shouldn't be a security concern as long as the person/corporation spying is honest, just and only concerned on improving their software and the user experience...
So... As a rule spying on users is always a security concern =P (name it WordPress or Windows Update).
Sigs are for morons... Wait a minute...
At a minimum, I don't see why sending this information is so "alarming", even if it's inappropriate. Are your $_SERVER env variables such a sensitive bit of information?
What I'm listening to now on Pandora...
It isn't what information they are looking at but how. If they want the information and it will make the software better, fine, but do they really have to go about it in such a sneaky and under-handed way? Even Microsoft allows you to control how your system is updated (I never let it run automatically; I prefer to know what it's trying to put on my system.). As to the "fork" comment, while I think the generic blogging community will be clueless and have no idea what this is all about, this will drive the OSS community to develop a better version and they will wish the phrase had never been uttered.
GetOuttaMySpace - The Anti-Social Network
Gives new meaning to the term Web Monkey.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
For those wondering what the big deal is, I expect a lot of the reaction is fueled by memories of Mullenweg being caught google cloaking in 2005. Once someone loses your trust, you don't really want to share any data with them.
The versions it reports are for an autoupdate feature...
And everyone knows that this can done equally well by having the client request the current version number, and then the client can decide based on that whether an upgrade is needed. There is no reason for the server to need to know the version number to support an autoupdate feature.
and the $_SERVER and php/database settings are (I imagine) used to figure out what wordpress settings are common. How soon they can remove support for old versions of mysql and php, how many people use cgi instead of fastcgi instead of mod_php.
Which is fine, but it should be an opt-in feature. Lots of people are happy to submit their data for statistical purposes, but there is no reason anybody should -have- to if they don't wish to, or that the software should do it without telling them.
It would be bad enough if it was on by default without asking and you had to turn it off. It's ridiculous that you have to hack / fork / or install a plugin to get around it.
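The design the comments above argue for (fetch the current version numbers, compare locally, and only when the site owner has opted in) as an added example in PHP; this is not WordPress's code, and the manifest format, plugin names and the `check_updates`/`is_outdated` helpers are constructed for the illustration.

```php
<?php
// Constructed stand-in for a manifest served by an update site (not a real format).
const MANIFEST_JSON = '{"wordpress": "2.3", "plugins": {"example-gallery": "1.4", "example-contact-form": "0.9"}}';

// Compare dotted versions numerically so "2.10" sorts after "2.9";
// returns true if $installed is older than $latest.
function is_outdated(string $installed, string $latest): bool {
    $a = array_map('intval', explode('.', $installed));
    $b = array_map('intval', explode('.', $latest));
    for ($i = 0, $n = max(count($a), count($b)); $i < $n; $i++) {
        $x = $a[$i] ?? 0;
        $y = $b[$i] ?? 0;
        if ($x !== $y) {
            return $x < $y;
        }
    }
    return false;
}

// Local check: the only network traffic is one GET for the manifest (no query
// parameters, nothing about this site), and only when the site owner has
// opted in. Returns name => newer version for everything that is behind.
function check_updates(array $installed, string $manifest_json, bool $opt_in): array {
    if (!$opt_in) {
        return [];  // feature disabled: no request, no report
    }
    $latest = json_decode($manifest_json, true);
    $pending = [];
    foreach ($installed['plugins'] as $name => $version) {
        if (isset($latest['plugins'][$name])
            && is_outdated($version, $latest['plugins'][$name])) {
            $pending[$name] = $latest['plugins'][$name];
        }
    }
    if (is_outdated($installed['wordpress'], $latest['wordpress'])) {
        $pending['wordpress'] = $latest['wordpress'];
    }
    return $pending;
}

// Constructed local inventory; a real install would read this from its database.
$site = [
    'wordpress' => '2.2',
    'plugins'   => ['example-gallery' => '1.2', 'example-contact-form' => '0.9'],
];
print_r(check_updates($site, MANIFEST_JSON, true));
```

The installed inventory never leaves the host, so the update site cannot build the per-URL list of plugin versions that the rest of the thread worries about.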
Tempest in a teapot.
It's bad design compounded by arrogance. It wouldn't be a tempest anywhere if they'd simply agreed that end users should decide what and how much information is sent to the mothership, and that software should err on the side of privacy.
Absolutely. However, you are assuming that I want my Wordpress installation to automatically update, and further that I am willing to give up a lot of sensitive information in order to get that done.
There should be a way to turn this feature off, plain and simple. There is no excuse whatsoever for forcing this down users' throats. None. Yes, comment spam and other vulnerabilities are something that needs dealing with. Yes, many, many Wordpress users have the technical ability of Aunt Tillie, hence the 5 minute install. Yes, many of them will never update at all without an auto-update feature.
By all means, activate auto-updates by default. By all means, activate the logging by default. But what possible excuse is there for not allowing a competent end user, or indeed sysadm, to be able to easily turn it off? Simply laziness? Obstinacy? I suspect something else behind this debacle.
May the Maths Be with you!
Dear god, you know that your slashdot comments show your URL?!?? You'd better stop there!
Thank you Mr. Did-Not-Read-The-Fscking-Article.
Jason Lotito
Not true. There are two plugins that explicitly disable this functionality:
disable WordPress version check and disable plugin version check, both of which were mentioned by Matt in the thread above.
I wish I had a kryptonite cross, because then you could keep Dracula and Superman away.
Ironically, I was considering global site licenses of this product for our public relations agency. Thanks for dropping out of the running!
I hope you actually read the article, and put some consideration into it, and aren't basing a business decision on a flamebait Slashdot summary.
Quidquid latine dictum sit, altum sonatur.
Can you imagine the water cooler conversation about Pyblosxom? How the hell are they supposed to go back and google about it? That'd be like trying to google for the symbol that represents the artist formerly known as Prince.
I mean, really, WTF. They might as well have named it slakdfjalskdjflaskjdf!
Do daemons dream of electric sleep()?
And not only is it a troll, it's tinfoil haberdashery and skating _really close_ to Libel.
Actually RTFA Matt's reasoning gives the opposite impression of the summary. Fork the submitter and Kdawson for greenlighting this.
--
BMO
Why should someone have to install a plug-in to disable BASE FUNCTIONALITY? Shouldn't that be part of the base code?
What if someone has an issue with this information being transmitted? What if WP transmits the info before they are able to install the plug-in?
Guys, the issue here is not what info is being sent, it's that the information is being transmitted without asking for permission of the person running WP.
However, one of the best points brought up in the mailing list about what info is being sent is that someone now has the possibility of finding a sploit for a certain version of a WP plug-in, and can now obtain a list of all people (and their URL) running that version. (Think about that for a minute, scary!)
Matt's weak argument is that if everyone runs the latest version of WP and all plug-ins, there will be no insecure code out there. Uh huh, yah right. There's no zero-day exploits? There's no bugs that exist that are not known by the developers? There's nobody out there who makes money off finding these undisclosed bugs and then selling information about these bugs to the highest bidder?
Someone finds such a bug, gets a list of every WP site running a version with that vulnerability, and sells that to some malicious group, who then turns around and defaces a whole slew of WP sites overnight using this vulnerability. Guess how weak Matt's argument is going to look then? (And this is only one imagined scenario, there's probably several others.)
I don't use WP, but I definitely will not be in the future now that I've seen this nonchalant attitude towards anyone using their software.
They now are in the process of learning a lesson. Wonder how long it will take?
Anyway, i googled and found this link:
http://www.mitchelaneous.com/2007/09/19/9-wordpress-alternatives/
Now, my question is - how secure are they for you, sethawoolley? Which one would you choose?
This is likely to occur in version 2.3.1. In fact, I'm advocating for just such a change, in true Open Source fashion.
The problem here is less one of malice and more one of poor timing. The WordPress project has been trying to stick to a rigorous, rigid schedule for releases (see: Fedora Project, Ubuntu, etc.) and this issue cropped up about 1.5 days before release. You can argue that the release should have been held up (some on the mail thread did so) to put in this change, but Matt & Co. at Automattic, the ones with the keys to the candy store, decided to hew to the previously agreed-upon timeline.
It's not the decision I would have made, were I the "decider", but it is what it is.
As for me, I'll keep agitating to make it opt-in.
I thought only MS could be evil. Well, Google, too. Now, you are telling me that open sourcers are evil, too? Now, how many of you that use WordPress dug into the code to find that out? Hands? Anyone? Anyone? Bueller? Nah, didn't think so. But, I bet a number of you upgraded. Doesn't matter, closed or open, your argument about security is bogus unless you crawl through the code, otherwise, it might as well be closed.
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
Canada's privacy law is pretty strict against the unauthorized sending in of personally identifiable information, especially one that sends it to an American server. There, the Patriot Act allows the government to capture Matt's database. And the kicker, he is not allowed to tell you.
Up here, we (being the government) can't buy any software package that stores the data in the USA. I can only imagine the tens of millions of lost dollars in contracts because of the Patriot Act. I would have hated to have added Matt's awesome editor to that list. Rock on Matt!
Management is doing things right; leadership is doing the right things. - Peter F. Drucker