The High Priests Of WordPress
I’m getting pissed at the apparent technical arrogance of the WordPress core developers.
First, the disclaimers. WordPress is a miracle product that embodies everything that is wonderful about open source software. It lets ignoramuses like me do amazing things without understanding dick. To accomplish that, it needs technological high priests who keep the code base in order and moving forward. I get that, I appreciate that, on a daily basis I am glad those people exist.
And yet, motherfuckers: if you expect me to upgrade my software three times in less than one month, you have got to tell me why. You have got to tell me why it’s important, and you have got to do this in English words that a non-technical user can understand. Or I am going to start bitching and cursing your name.
Between various blogs I run, am responsible for, help people with, advise people on, or answer questions about, I estimate there are close to twenty WordPress installations that I am concerned with. So even the simplest update is an ordeal for me, because I have to do the same thing over and over in different places, plus I have to answer the same questions over and over from different people. And to this I can testify: When a new patch comes out, the very first question that anybody asks is “Why do I need this patch? What happens if I don’t patch it?”
And so, the first principle of releasing security patches is, if you want your users to cheerfully apply them without hating you, you explain why the patches are important. “This patch does XYZ and protects you from blah-blah, which would be bad; so we urge everybody to apply it ASAP.”
Now let me share with you the actual explanation that accompanied the last three WordPress patch releases:
November 30: “This maintenance release fixes a moderate security issue that could allow a malicious Author-level user to gain further access to the site, addresses a handful of bugs, and provides some additional security enhancements.”
December 8: “This release fixes issues in the remote publishing interface, which under certain circumstances allowed Author- and Contributor-level users to improperly edit, publish, or delete posts.”
December 29: “[This release] is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES.”
Now the first two are at least complete; they’re low on detail, but they do at least indicate what the danger is that you are protecting against by making the patch. So if, for instance, you didn’t have any of the Author or Contributor users, you could rationally determine that the patch could be deferred until you had time to deal with it.
But this last one? It certainly sounds dire — “core security bug”, “HTML sanitation library”, it’s scary word salad anyway. But is it protecting against any actual attacks? Are people being hacked out there? Do we need to get this done right away? Is there a crisis? Or is this some obscure thing that some researcher figured out could theoretically be exploited by a man with a million smart monkeys if he had a thousand years to bash on our blogs? Is the HTML sanitation library something that kicks in when people enter comments? Or is it only to protect against malicious author-level users again? The patch info doesn’t say.
And worse yet, there’s no link in that “news blog” to a more detailed explanation. There should be, but there isn’t. We’re just being told “Do this; do it now; it’s necessary; trust us.”
That, to me, is infuriating. That’s the high priests of the technology getting arrogant, expecting compliance from the peasants without even bothering to do us the courtesy of explaining the doctrine.
Now, as it happens, if you’ve been around the barn long enough like I have, from their news blog you can sort of infer why this might be an important patch. HTML sanitation probably has something to do with code injection attacks, and it sounds like somebody has figured out some way in which somebody can inject hostile code into an input box somewhere on a WordPress install. If so, that’s really bad, and this patch really is vital. But you know what? If that’s true, people need to be told that, loud and clear. Not in 13 words of cryptic technobabble.
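For readers who, like the post, are left guessing what an “HTML sanitation library” does: KSES, the library named in the release note, is WordPress’s allowlist-based HTML filter, written in PHP, and WordPress runs it over comment text as well as over post content from users who lack the unfiltered_html capability. The block below is an added example in Python (not WordPress’s or KSES’s code) of the same idea: untrusted markup is reduced to an allowlist of tags, attributes and URL schemes, so that text one visitor submits cannot carry script into other readers’ browsers, which is the cross-site scripting (XSS) the later tweet refers to. A flaw in a filter like this matters to any site that accepts HTML from strangers, not only to sites with Author-level users. The allowlist and the sample comment bodies are constructed for illustration and are not KSES’s real tables.

```python
"""Toy allowlist HTML sanitizer, in the spirit of an "HTML sanitation library".

Added example in Python; it is not WordPress's KSES (which is PHP), and the
allowlist below is constructed for illustration, not KSES's real table.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: tag -> attributes permitted on that tag.
ALLOWED = {
    "a": {"href", "title"},
    "b": set(), "strong": set(), "i": set(), "em": set(),
    "p": set(), "br": set(), "blockquote": {"cite"}, "code": set(),
}
URL_ATTRS = {"href", "src", "cite"}            # attributes whose value is a URL
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL
VOID = {"br"}                                   # tags that never get a closing tag
DROP_CONTENT = {"script", "style"}              # drop the tag *and* its contents


def _url_ok(value: str) -> bool:
    """Accept a URL only if its scheme is on the allowlist.

    Browsers ignore embedded tabs/newlines when resolving a URL, so any control
    character is refused outright instead of being normalised away.
    """
    if any(ord(ch) < 0x20 for ch in value):
        return False
    return urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES


class _Sanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; everything else is dropped or becomes text."""

    def __init__(self, allowed):
        # Entities arrive decoded, so an attribute written as &#106;avascript: is seen as javascript:
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []      # emitted fragments
        self.open = []     # stack of tags we have emitted and still need to close
        self.skip = None   # name of the <script>/<style> element we are inside, if any

    def handle_starttag(self, tag, attrs):
        if self.skip:
            return
        if tag in DROP_CONTENT:
            self.skip = tag
            return
        if tag not in self.allowed:
            return  # unknown tag is dropped; its text content still flows through
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in self.allowed[tag]:
                continue  # this is what removes onclick=, onerror=, style=, ...
            value = value or ""
            if name in URL_ATTRS and not _url_ok(value):
                continue  # refuses javascript:, data:, vbscript: and friends
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.skip:
            if tag == self.skip:
                self.skip = None
            return
        if tag not in self.open:
            return  # stray or unknown closing tag
        # Close in order down to the matching tag, repairing mis-nested input.
        while self.open:
            t = self.open.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text can never become markup

    # Comments, doctypes and processing instructions are dropped (base-class no-ops).

    def result(self) -> str:
        while self.open:  # close anything the input left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(html: str, allowed=ALLOWED) -> str:
    """Return `html` reduced to the allowlisted tags, attributes and URL schemes."""
    p = _Sanitizer(allowed)
    p.feed(html)
    p.close()
    return p.result()


if __name__ == "__main__":
    # Constructed comment bodies, not real submissions.
    samples = [
        '<p>Great post, <b>thanks</b>!</p>',
        '<script>alert(1)</script>Nice blog',
        '<a href="javascript:alert(1)" onclick="steal()">click me</a>',
        '<img src=x onerror=alert(1)>',
        '<a href="&#106;avascript:alert(1)">encoded scheme</a>',
    ]
    for s in samples:
        print(f"{s!r}\n  -> {sanitize(s)!r}")
```

The design choice worth noticing is that everything is an allowlist: tags and attributes not explicitly permitted are removed, so new event-handler attributes or new tags do not need to be anticipated. A filter like this sits in front of every stored comment and every post from a low-privilege user, so a bug in it undermines the protection for the whole site at once, which is why a fix to the filter alone still warrants a prompt upgrade.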
So anyway, all of this is what it is. It probably wouldn’t have been enough to trigger this rant. The open source product is great; the open source developers are contemptuous of us non-technical user-peasants, so they issue their edicts to us but can’t be bothered to explain why we should obey. That’s actually pretty normal in the open source software ecosystem; it’s tiresome but not outrageous.
What triggered the rant are the tweets I got when I dared to bitch about it.
@wordpress tweeted “Please update to WordPress 3.0.4, the most important security release of the year.”
There was a link to the so-called news blog with the 13 words of technobabble non-explanation.
I was annoyed, this being the third inadequately-explained upgrade in a month, and the worst-explained of the lot.
I tweeted “@wordpress GodDAMN I am tired of these “important” security releases that don’t ever explain why they are important or what is being fixed.”
What set me off are the two responses it triggered. One is from @wordpress, and it is simply misleading and wrong:
“@ErosBlogBacchus If you follow the links in the tweets, the posts on our news blog explain the vulnerabilities, and what’s being fixed.”
That’s disingenuous, because there’s only the one post on the news blog, and it doesn’t explain the vulnerabilities at all. It speaks of a core security bug, but it doesn’t have a word to say about what’s vulnerable, what the attacks to fear are, or indeed whether there are practical attacks to be feared. In short, it’s utterly devoid of the information somebody needs to make an informed upgrade decision. It’s an authoritative-sounding “Trust us, do this right away” and I have no reason to disbelieve this source, but it’s extremely disrespectful to demand that level of trust while providing no useful information whatsoever.
So that annoyed me.
And then I got another tweet from a high priest, @nacin. His Twitter page says he’s Andrew Nacin, a WordPress core developer. So he’s one of the guys I have to thank for this wonderful product. But his tweet? Well, as politely as I can put this, it enhanced my annoyance level.
He wrote:
“@ErosBlogBacchus Our announcements are always going to be general. For the gritty, see http://bit.ly/fcecUN. It was an XSS flaw.”
Twitter is dangerous. Enforced brevity can cause people to leave out important nuance. But this tweet struck me as completely out of touch with the non-coder folk who actually install and use WordPress.
First of all, I’m not complaining that the announcement was “general”; I’m complaining that it didn’t have any information in it that I could use to determine whether the security patch was important to my situation. It assumed knowledge that I did not have, and was utterly worthless to anybody who didn’t have some idea of what “HTML sanitation” is for.
Second, go click that link in his tweet. Gritty? I’ll say. There’s code at that link, and that’s all. Utterly worthless when responding to a complaint about inadequate patch information for non-technical users. I say unto the priest “Your sermons in Latin, they are pretty hard to follow” and he answers me in Latin. Now you’re just fucking with me, right?
Likewise the last sentence in the tweet. “It was an XSS flaw.” Oh, nice. That would be useful…if I had ever fucking heard of XSS before this very moment. Which I haven’t.
Dudes, you’re smart, you’re working on a great product, you’ve made it so simple that even non-coders can install it and use it and modify it with themes and plugins. But at the end of the day, security patching is the one place where you can’t just demand compliance and say “Trust us.” You’ve got to sell your patches. You’ve got to explain them. You’ve got to come down from your Mount Olympus, put down the incense burner, and explain in terms that mean something to us why we should once again risk breaking everything from themes to plugins, for the third time in a month.
It’s annoying. It’s painful. It needs more than 13 words and a link to some code.
Seriously.
Shorter URL for sharing: https://www.erosblog.com/?p=6330
First thing’s first: Yes, it’s a major security patch. Yes, you should apply it immediately. Yes, everywhere. Seriously.
Can this be used to get into somebody’s blog? Yes, in theory. XSS exploits are finicky and tricky to implement if you don’t know the secret. But yes, it is entirely possible. Yes, I know how to do it. No, I’m not telling. :)
And no, I don’t think anybody’s done it on a live site yet, except possibly in testing.
Now that that is out of the way, there is a bit of a fine line they have to walk here. Do you reveal all the details and include exactly how to hack somebody’s blog with this? No, of course not. But how do you communicate that it is a critical issue without revealing why it’s critical?
The last 2 security patches were relatively minor by comparison. I think the wording they used in those demonstrates that pretty clearly. In this one, they certainly tried to get across the seriousness of it, but without revealing too much. Even the patch itself is non-obvious, unless you know what you’re doing.
Basically, they want everybody to patch before it starts getting exploited. Which it will. It’s just a matter of time.
ALL WordPress blogs need to upgrade immediately, period.
And if you’re already running 3.0.3, there’s virtually zero chance of this breaking anything. The only change is to fix the flaw, and there will almost certainly be no impact to any themes or plugins. None of that code changed, it’s just the kses library that got a fix.
I maintain a bunch of blogs, and my updating finger is red and throbbing. What I really liked was that, amongst all the update NOW!!!!! messages, there was one lauding the merry makers of WordPress.
I totally agree. Awesome, awesome blogging product, but waaaay too many security updates. What happen, Microsoft take ’em over?
– Guy Sez
Thanks, Otto.
I know it was possible to infer much of what you say from what they wrote. But the problem is, a wink and a nudge is not sufficient when dealing with non-technical end users.
And even if people are fully upgraded, we’ve all suffered so many rounds of “the latest WordPress upgrade broke my plugin, and that plugin author is gone, so now my blog is permanently broken” that we’re gunshy. So when advising somebody else, saying “well, reading between the lines, this sounds like a major deal” isn’t enough. If I can’t say with some specificity what the threat is, they’re going to say “Fuck that, I’m not gonna do it.” Which is the exact opposite effect from what is needed.
There’s such a thing as being too subtle. And this was/is.
If they are needful, they are needful. I can deal.
What chaps my ass is the lack of info by which a non-technical user can make an informed decision on a patch-by-patch basis.
I’m not sure I understand your doubt. You are supposed to apply *every* patch, unless you want to put your safety at stake.
Even if a patch doesn’t look relevant to you, all security researchers will apply it and consider only the updated version in their analyses. Unpatched versions are effectively abandoned, so please, pretty please, keep your blog updated.
If you want to talk about WordPress’s horrific security record and how the official guide encourages a bad setup (they don’t even tell you what stuff should be read-only!), then there is a lot to say.
Bye, hope you will stay safe.
You are confused.
It’s not about whether the patch needs to be applied, it’s about convincing end users.
Basic “best practices” aren’t good to convince lots of people who only know that when they have done updates in the past to working blogs, it has broken things that weren’t broken.
These people demand to know “what is so important about this patch that I need it?”
And if you can’t answer that question, they won’t patch and they won’t let me patch for them.
So, a patch that doesn’t come with enough information to answer that question is a failed and pointless patch.
what in God’s name is a sanitation library…whatever it is, I hope I have one:)