Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Privacy Software

WordPress 2.3 Does Not Spy On Users [UPDATED] 229

Posted by kdawson
from the if-you-don't-like-it-fork-it dept.
Marilyn Miller writes "Popular open-source blogging engine WordPress has been upgraded to 2.3 — with some unexpected nasties in the mix. As of version 2.3, WordPress now periodically (every 12 hours) sends personally identifying information (blog name & URI) to the mothership, along with an alarming amount of information including $_SERVER dumps, a list of installed plugins, and your current PHP/MySQL settings. Most unfortunately, it does not provide any way of disabling this functionality, and WordPress does not have any privacy policy protecting this information. In a thread about the issue, lead developer Matt Mullenweg defends his actions and staunchly refuses to add an opt-in interface, telling users to 'fork WordPress' if they aren't willing to put up with this behavior." Update: 09/25 17:52 GMT by KD : This article is misleading enough to be called "just wrong." Matt Mullenweg writes: "As mentioned in our release announcement, the update notification sends your blog URL, plugins, and version info when it checks api.wordpress.org for new and compatible updates. It does not include $_SERVER dumps, or any settings beyond version numbers (for checking compatibility), or your blog name, or your credit card number. We do provide a way of disabling this feature; in fact I link to one of the plugins in the release announcement and in my original response to Morty's thread."
This discussion has been archived. No new comments can be posted.

WordPress 2.3 Does Not Spy On Users [UPDATED]

Comments Filter:
  • Fork (Score:5, Insightful)

    by Spy der Mann (805235) <spydermann.slashdot@nOsPaM.gmail.com> on Tuesday September 25, 2007 @11:43AM (#20745111) Homepage Journal
    Cue OpenWordPress project appearing in Sourceforge in 5... 4... 3...
  • by nweaver (113078) on Tuesday September 25, 2007 @11:46AM (#20745165) Homepage
    So what does it send, according to the FA:
    The blog's URL
    A list of all plugins and versions
    A list of the $_SERVER env variables

    How is this information not necessary for a robust autoupdating/autonotifying infrastructure? Since the plugns are the source of so many vulnerabilities, you need to know their versions etc.

    Since so much incompatibility may be caused by funky $_SERVER variables, you need to know their contents.

    And the blog URL tells you who it is.

    Windows Update has to send far MORE intrusive information.

  • by Anonymous Coward on Tuesday September 25, 2007 @11:48AM (#20745205)
    Why can't they download a file with a list of "all updates" and check locally?
  • by Enlarged to Show Tex (911413) on Tuesday September 25, 2007 @11:50AM (#20745229)
    If the developer decides to insert malware, or other forms of code not acceptable to you, the GPL gives you the freedom to modify it to suit your own needs. If that means you have to fork the project, so be it - that's within your rights under the GPL.

    OTOH, the idea of using FOSS (good!) as a venue for spyware (bad!) is enough to make a guy's head explode...
  • by Anonymous Coward on Tuesday September 25, 2007 @11:50AM (#20745235)
    Windows Update has to send far MORE intrusive information.

    If you let it.
  • by Laebshade (643478) <laebshade@gmail.com> on Tuesday September 25, 2007 @11:55AM (#20745305)
    When I first read the summary, I was a little worried. Then I went and read the actual reply in the WordPress Hackers mailing list Matt posted, and I was relieved. He points out that the blog name and URI has been sent to services like Ping-o-Matic (wordpress-run service) for 4 years now. For those wanting to disable it, he even posts links for plugins that will disable the feature of the 'update checker'. Seems to me this slashdot article was posted by someone who wants to take WordPress down. Here's a part of his post:

    Your blog URL and version has been sent by default for 4+ years to every
    ping service in the world, including Ping-O-Matic, every time you make a
    post. Of course you can turn that off, just like you can turn update
    notification off, but statistically no one does.

    The only new information being sent by the update checker is PHP version
    and a list of plugins. If you don't like that feature, please install a
    plugin to disable it:

    http://wordpress.org/extend/plugins/disable-wordpress-core-update/ [wordpress.org]
    http://wordpress.org/extend/plugins/disable-wordpress-plugin-updates/ [wordpress.org]

    Of course don't forget the WP dev blog and planet RSS feeds, and most
    importantly the incoming links feed which ALSO transmits your blog URL.

    I would also recommend disabling the updates in Mac OS X, Firefox,
    Windows, Thunderbird, Adobe Photoshop, and any other third-party
    applications you have. As all of those are tied to your personal IP and
    not your server IP they have far more implications for privacy.


    As to what the summary refers to, where Matt suggests a person fork Wordpress:

    Moritz 'Morty' Strübe wrote:
    > It can.

    Your blog URL is completely harmless.

      > We only have your word for that. And sorry, that is not enough
      > for me. Especially if it does not have to be.

    If you don't trust wordpress.org, I suggest you do one of the following:

    1. Use different software.
    2. Fork WordPress.
    3. Install one of the aforementioned plugins.


    Again, he gives the solution to the original poster's complaint (Moritz 'Morty' Strube). If this Moritz is really concerned, he can fork and remove the new code that transmits this information - or if he isn't too concerned, just install the plugins matt suggested.

    This is making something out of nothing. Definitely nothing to see here, please move along.
  • by vux984 (928602) on Tuesday September 25, 2007 @11:56AM (#20745319)
    Matt Mullengweg is not being reasonable. He should simply make it an option. without requiring users to fork or install plug-ins or hack to overcome defective-by-design features.

    It should be easy to turn on and off.
    It should default to off.
    It can ask one time during the upgrade, or first login after the upgrade, to be turned on, with an explanation of what it does and why he thinks it can be turned on.

    There is no good reason the above cannot or should not be accomodated.
  • Re:well (Score:3, Insightful)

    by SamP2 (1097897) on Tuesday September 25, 2007 @11:56AM (#20745325)
    "one way to disable it is to go into the code and remove the offending portion."

    Or take the even easier path and set up your firewall to block all packets from this application.

    But neither of those options solve the underlying problem - the whole point of FLOSS is to prevent this from happening in the first place. If I have to take any extraordinary steps to secure myself against a free software application I'm using, if I have to go and turn an enemy into a friend through manual effort and each other user has to do the same thing (assuming they are even technically proficient enough to understand and modify the code), then that's a damn good sign it's time to fork the project and uproot the whole system once and for all.

    The community deserves better than to be preyed upon. Community scrutiny is a critically important point in FLOSS. I want to get a piece of software and KNOW it's been thoroughly tested for safety and security and anything REMOTELY resembling a backdoor has been removed and verified that it's removed. Yes, I can go and analyze each bit of the code myself, but the whole beauty is that (unless I'm testing a beta) I don't have to, because it should have been done by thousands of others already.
  • by kwandar (733439) on Tuesday September 25, 2007 @11:57AM (#20745345)
    Maybe I missed it, but it struck me that the developer's response was very civil, and well thought out. From the slashdot article you'd think he'd told the whole community to "fork off"?

    So - did I miss something, or did everyone else not RTFA?
  • Re:well (Score:3, Insightful)

    by GeckoX (259575) on Tuesday September 25, 2007 @11:57AM (#20745351)
    Not the right answer. Fork is better.

    Why? Well anything else is supporting this developers decision, albeit indirectly.

    He has every right to decide to do this, but users have every right to not use his code.

    Let him be right and eat crow at the same time.

    Ignorant bugger needs to learn a few hard lessons apparently.
  • by kwandar (733439) on Tuesday September 25, 2007 @11:59AM (#20745387)
    I agree. Matt Mullenweg based on what I read (and I don't use Wordpress or know Matt or anyone else there) was very reasonable, and laid out the reasons for this. Did the slashdot editor even read this?!
  • by Otter (3800) on Tuesday September 25, 2007 @11:59AM (#20745395) Journal
    At a minimum, I don't see why sending this information is so "alarming", even if it's inappropriate. Are your $_SERVER env variables such a sensitive bit of information?
  • Re:Who cares? (Score:3, Insightful)

    by vux984 (928602) on Tuesday September 25, 2007 @12:06PM (#20745495)
    The versions it reports are for an autoupdate feature...

    And everyone knows that this can done equally well by having the client request the current version number, and then the client can decide based on that whether an upgrade is needed. There is no reason for the server to need to know the version number to support an autoupdate feature.

    and the $_SERVER and php/database settings are (I imagine) used to figure out what wordpress settings are common. How soon they can remove support for old versions of mysql and php, how many people use cgi instead of fastcgi instead of mod_php.

    Which is fine, but it should be an opt-in feature. Lots of people are happy submit their data for statistical purposes, but there is no reason anybody should -have- to if they don't wish to, or that the software should do it without telling them.

    It would be bad enough if it was on by default without asking and you had to turn it off. Its ridiculous that you have to hack / fork / or install a plugin to get around it.

    Tempest in a teapot.

    Its bad design compounded by arrogance. It wouldn't be a tempest anywhere if they'd simply agreed that end users should decide what and how much information is sent to the mothership, and that software should err on the side of privacy.
  • Re:What Matt wrote (Score:5, Insightful)

    by GeckoX (259575) on Tuesday September 25, 2007 @12:06PM (#20745499)
    Well, shit, that's not even close to what was insinuated in the summary.

    Thanks for your flamebait kdawson, really mature and appreciated.

    WTF.
  • How is this information not necessary for a robust autoupdating/autonotifying infrastructure?

    Absolutely. However, you are assuming that I want my Wordpress installation to automatically update, and further that I am willing to give up a lot of sensitive information in order to get that done.

    There should be a way to turn this feature off, plain and simple. There is no excuse whatsoever for forcing this down users throats. None. Yes, comment spam and other vulnerabilities are something that needs dealing with. Yes, many, many Wordpress users have the technical ability of Aunt Tillie, hence the 5 minute install. Yes, many of them will never update at all without an auto-update feature.

    By all means, activate auto-updates by default. By all means, activate the logging by default. But what possible excuse is there for not allowing a competent end user, or indeed sysadm, to be able to easily turn it off? Simply laziness? Obstinacy? I suspect something else behind this debacle.
  • Re:Surprised/ (Score:3, Insightful)

    by KlomDark (6370) on Tuesday September 25, 2007 @12:32PM (#20745861) Homepage Journal
    Why should someone have to install a plug-in to disable BASE FUNCTIONALITY? Shouldn't that be part of the base code?

    What if someone has an issue with this information being transmitted? What if WP transmits the info before they are able to install the plug-in?

    Guys, the issue here is not what info is being sent, it's that the information is being transmitted without asking for permission of the person running WP.

    However, one of the best points brought up in the mailing list about what info is being sent is that someone now has the possibility of finding a sploit for a certain version of a WP plug-in, and can now obtain a list of all people (and their URL) running that version. (Think about that for a minute, scary!)

    Matt's weak argument is that if everyone runs the latest version of WP and all plug-ins, there will be no insecure code out there. Uh huh, yah right. There's no zero-day exploits? There's no bugs that exist that are not known by the developers? There's nobody out there who makes money off finding these undisclosed bugs and then selling information about this bugs to the highest bidder?

    Someone finds such a bug, gets a list of every WP site running a version with that vulnerability, and sells that to some malicious group, who then turns around and defaces a whole slew of WP sites overnight using this vulnerability. Guess how weak Matt's argument is going to look then? (And this is only one imagined scenario, there's probably several others.)

    I don't use WP, but I definitely will not be in the future now that I've seen this nonchalant attitude towards anyone using their software.

    They now are in the process of learning a lesson. Wonder how long it will take?
  • by Tom (822) on Tuesday September 25, 2007 @12:49PM (#20746127) Homepage Journal

    It should be easy to turn on and off.
    It should default to off.
    There are some times were default off is not useful.

    If windos auto-update would conform to those standards, we'd have a billion spam bots out there.
    Instead of the half-a-billion we have now.

  • by illumin8 (148082) on Tuesday September 25, 2007 @01:01PM (#20746281) Journal

    Your blog URL is completely harmless.

        > We only have your word for that. And sorry, that is not enough
        > for me. Especially if it does not have to be.
    LOL... I almost spit my coffee on the keyboard when I read this. I think some bloggers need to take off their tinfoil hat and step away from the keyboard... If you don't want anyone to find out your blog URL, then WTF are you doing blogging? Isn't the whole point for as many people as possible to find your blog URL?
  • I thought... (Score:4, Insightful)

    by WED Fan (911325) <(akahige) (at) (trashmail.net)> on Tuesday September 25, 2007 @01:02PM (#20746285) Homepage Journal
    I thought only MS could be evil. Well, Google, too. Now, you are telling me that open sourcers are evil, too? Now, how many of you that use WordPress dug into the code to find that out? Hands? Anyone? Anyone? Bueller? Nah, didn't think so. But, I bet a number of you upgraded. Doesn't matter, closed or open, you're argument about security is bogus unless you crawl through the code, otherwise, it might as well be closed.

Never try to teach a pig to sing. It wastes your time and annoys the pig. -- Lazarus Long, "Time Enough for Love"

Working...