WordPress 2.3 Does Not Spy On Users [UPDATED]
Marilyn Miller writes "Popular open-source blogging engine WordPress has been upgraded to 2.3 — with some unexpected nasties in the mix. As of version 2.3, WordPress now periodically (every 12 hours) sends personally identifying information (blog name & URI) to the mothership, along with an alarming amount of information including $_SERVER dumps, a list of installed plugins, and your current PHP/MySQL settings. Most unfortunately, it does not provide any way of disabling this functionality, and WordPress does not have any privacy policy protecting this information. In a thread about the issue, lead developer Matt Mullenweg defends his actions and staunchly refuses to add an opt-in interface, telling users to 'fork WordPress' if they aren't willing to put up with this behavior." Update: 09/25 17:52 GMT by KD: This article is misleading enough to be called "just wrong." Matt Mullenweg writes: "As mentioned in our release announcement, the update notification sends your blog URL, plugins, and version info when it checks api.wordpress.org for new and compatible updates. It does not include $_SERVER dumps, or any settings beyond version numbers (for checking compatibility), or your blog name, or your credit card number. We do provide a way of disabling this feature; in fact I link to one of the plugins in the release announcement and in my original response to Morty's thread."
Fork (Score:5, Insightful)
Guys, the information is all really essential... (Score:5, Insightful)
The blog's URL
A list of all plugins and versions
A list of the $_SERVER env variables
How is this information not necessary for a robust autoupdating/autonotifying infrastructure? Since the plugins are the source of so many vulnerabilities, you need to know their versions etc.
Since so much incompatibility may be caused by funky $_SERVER variables, you need to know their contents.
And the blog URL tells you who it is.
Windows Update has to send far MORE intrusive information.
Re:Guys, the information is all really essential.. (Score:5, Insightful)
Isn't this the point of FOSS? (Score:4, Insightful)
OTOH, the idea of using FOSS (good!) as a venue for spyware (bad!) is enough to make a guy's head explode...
Re:Guys, the information is all really essential.. (Score:1, Insightful)
If you let it.
This is SENSATIONALISM (not Sparta) (Score:5, Insightful)
As to what the summary refers to, where Matt suggests a person fork Wordpress:
Again, he gives the solution to the original poster's complaint (Moritz 'Morty' Strube). If this Moritz is really concerned, he can fork and remove the new code that transmits this information - or if he isn't too concerned, just install the plugins matt suggested.
This is making something out of nothing. Definitely nothing to see here, please move along.
Re:Breathless Hyperbole. (Score:4, Insightful)
It should be easy to turn on and off.
It should default to off.
It can ask one time during the upgrade, or first login after the upgrade, to be turned on, with an explanation of what it does and why he thinks it can be turned on.
There is no good reason the above cannot or should not be accommodated.
Re:well (Score:3, Insightful)
Or take the even easier path and set up your firewall to block all packets from this application.
But neither of those options solve the underlying problem - the whole point of FLOSS is to prevent this from happening in the first place. If I have to take any extraordinary steps to secure myself against a free software application I'm using, if I have to go and turn an enemy into a friend through manual effort and each other user has to do the same thing (assuming they are even technically proficient enough to understand and modify the code), then that's a damn good sign it's time to fork the project and uproot the whole system once and for all.
The community deserves better than to be preyed upon. Community scrutiny is a critically important point in FLOSS. I want to get a piece of software and KNOW it's been thoroughly tested for safety and security and anything REMOTELY resembling a backdoor has been removed and verified that it's removed. Yes, I can go and analyze each bit of the code myself, but the whole beauty is that (unless I'm testing a beta) I don't have to, because it should have been done by thousands of others already.
Where did he say to just go fork?! (Score:5, Insightful)
So - did I miss something, or did everyone else not RTFA?
Re:well (Score:3, Insightful)
Why? Well anything else is supporting this developers decision, albeit indirectly.
He has every right to decide to do this, but users have every right to not use his code.
Let him be right and eat crow at the same time.
Ignorant bugger needs to learn a few hard lessons apparently.
Re:Breathless Hyperbole. (Score:4, Insightful)
Re:Guys, the information is all really essential.. (Score:3, Insightful)
Re:Who cares? (Score:3, Insightful)
And everyone knows that this can be done equally well by having the client request the current version number, and then the client can decide based on that whether an upgrade is needed. There is no reason for the server to need to know the version number to support an autoupdate feature.
and the $_SERVER and php/database settings are (I imagine) used to figure out what wordpress settings are common. How soon they can remove support for old versions of mysql and php, how many people use cgi instead of fastcgi instead of mod_php.
Which is fine, but it should be an opt-in feature. Lots of people are happy to submit their data for statistical purposes, but there is no reason anybody should -have- to if they don't wish to, or that the software should do it without telling them.
It would be bad enough if it was on by default without asking and you had to turn it off. It's ridiculous that you have to hack / fork / or install a plugin to get around it.
Tempest in a teapot.
It's bad design compounded by arrogance. It wouldn't be a tempest anywhere if they'd simply agreed that end users should decide what and how much information is sent to the mothership, and that software should err on the side of privacy.
Re:What Matt wrote (Score:5, Insightful)
Thanks for your flamebait kdawson, really mature and appreciated.
WTF.
Re:Guys, the information is all really essential.. (Score:3, Insightful)
Absolutely. However, you are assuming that I want my Wordpress installation to automatically update, and further that I am willing to give up a lot of sensitive information in order to get that done.
There should be a way to turn this feature off, plain and simple. There is no excuse whatsoever for forcing this down users' throats. None. Yes, comment spam and other vulnerabilities are something that needs dealing with. Yes, many, many Wordpress users have the technical ability of Aunt Tillie, hence the 5 minute install. Yes, many of them will never update at all without an auto-update feature.
By all means, activate auto-updates by default. By all means, activate the logging by default. But what possible excuse is there for not allowing a competent end user, or indeed sysadm, to be able to easily turn it off? Simply laziness? Obstinacy? I suspect something else behind this debacle.
Re:Surprised/ (Score:3, Insightful)
What if someone has an issue with this information being transmitted? What if WP transmits the info before they are able to install the plug-in?
Guys, the issue here is not what info is being sent, it's that the information is being transmitted without asking for permission of the person running WP.
However, one of the best points brought up in the mailing list about what info is being sent is that someone now has the possibility of finding a sploit for a certain version of a WP plug-in, and can now obtain a list of all people (and their URL) running that version. (Think about that for a minute, scary!)
Matt's weak argument is that if everyone runs the latest version of WP and all plug-ins, there will be no insecure code out there. Uh huh, yah right. There's no zero-day exploits? There's no bugs that exist that are not known by the developers? There's nobody out there who makes money off finding these undisclosed bugs and then selling information about these bugs to the highest bidder?
Someone finds such a bug, gets a list of every WP site running a version with that vulnerability, and sells that to some malicious group, who then turns around and defaces a whole slew of WP sites overnight using this vulnerability. Guess how weak Matt's argument is going to look then? (And this is only one imagined scenario, there's probably several others.)
I don't use WP, but I definitely will not be in the future now that I've seen this nonchalant attitude towards anyone using their software.
They now are in the process of learning a lesson. Wonder how long it will take?
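Two comments above make the same design point from different sides: one (in the "Re:Who cares?" thread) says the client can fetch the current version numbers and decide locally, so the server never needs the installation's inventory; the other (in "Re:Surprised/") warns that a server-side list of which sites run which plugin version is exactly what an attacker with a fresh plugin exploit would want. The sketch below is an added example illustrating that pull-only design and an explicit opt-in for the statistics case; it is not WordPress code and does not reflect what api.wordpress.org actually serves. The manifest format, the plugin names and every version number in it are constructed for illustration.

```python
"""
Added example, not WordPress's own code: an update check where the server
publishes a version manifest and the client does all comparison locally.
The manifest layout, plugin names and versions below are constructed.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a static manifest an update server might publish.
# Fetching it reveals only that someone fetched it, not what they run.
MANIFEST_JSON = """
{
  "core": "2.3.1",
  "plugins": {
    "akismet": "2.0.2",
    "example-gallery": "1.4.0",
    "example-stats": "0.9.1"
  }
}
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1); non-numeric components count as 0."""
    parts = []
    for p in v.split("."):
        try:
            parts.append(int(p))
        except ValueError:
            parts.append(0)
    return tuple(parts)


def is_newer(latest: str, installed: str) -> bool:
    """True if `latest` is strictly newer than `installed` ('2.3' == '2.3.0')."""
    a, b = parse_version(latest), parse_version(installed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a > b


def check_updates(manifest_text: str, installed_core: str,
                  installed_plugins: Dict[str, str]) -> Dict[str, object]:
    """Compare the local inventory against the manifest. Nothing about the
    installation leaves this function; the inventory stays on the client."""
    manifest = json.loads(manifest_text)
    result: Dict[str, object] = {"core": None, "plugins": [], "unknown": []}
    if is_newer(manifest["core"], installed_core):
        result["core"] = (installed_core, manifest["core"])
    for name, ver in installed_plugins.items():
        latest = manifest["plugins"].get(name)
        if latest is None:
            result["unknown"].append(name)   # not in manifest: cannot assess
        elif is_newer(latest, ver):
            result["plugins"].append((name, ver, latest))
    return result


def build_check_request(opt_in_telemetry: bool, installed_core: str,
                        installed_plugins: Dict[str, str]) -> Dict[str, object]:
    """Describe what would go over the wire. With telemetry off (the default
    here) the client only GETs the manifest and sends no body. Only an
    explicit opt-in attaches the inventory for the maintainers' statistics."""
    req: Dict[str, object] = {"method": "GET", "path": "/manifest.json", "body": None}
    if opt_in_telemetry:
        req["method"] = "POST"
        req["body"] = {"core": installed_core, "plugins": dict(installed_plugins)}
    return req


if __name__ == "__main__":
    # Constructed local inventory for the demonstration.
    local_core = "2.3"
    local_plugins = {"akismet": "2.0.1", "example-gallery": "1.4.0", "local-hack": "0.1"}
    print(build_check_request(False, local_core, local_plugins))
    print(check_updates(MANIFEST_JSON, local_core, local_plugins))
```

The point of keeping the comparison in `check_updates` is that an attacker who later compromises the update server, or who can read its logs, gets no per-site list of outdated plugins; the same information is what `build_check_request` would hand over once `opt_in_telemetry` is switched on, which is why the comments above want that switch to exist and to default to off.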
Re:Breathless Hyperbole. (Score:3, Insightful)
It should default to off.
If windos auto-update would conform to those standards, we'd have a billion spam bots out there.
Instead of the half-a-billion we have now.
Re:This is SENSATIONALISM (not Sparta) (Score:3, Insightful)
I thought... (Score:4, Insightful)