HackerOne Update

WordPress officially launched the WordPress bug bounty program on HackerOne May 15 of this year, almost six months ago. The goal was to leverage the tools HackerOne provides to improve the quality and consistency of our communication with reporters, and to reduce the time spent on responding to commonly reported issues in order to free our team to focus more time on improving the security of WordPress as well as our sites and other properties.

Success

Since that launch, we have paid out approximately $14,000 in bounties for thirty-nine unique reports – an average of more than $350 for each valid report – from twenty-two different hackers (researchers). This part is exciting! People are helping keep WordPress secure.

Struggles

It's amazing that we've been able to resolve these valid reports (not all were eligible for bounties, some were sent swag as a thank you), but there's more to the story. Those valid reports only account for roughly 16% of the overall reports. About five out of every six reports are invalid. These invalid reports still take time to process, test, etc.

Time is always valuable, but when working with a volunteer team it can feel even more so. Dealing regularly with invalid reports not only consumes a lot of time, but can also feel extremely useless – like a lot of work for no reason. We need to continue to focus on improving this process, but I'm extremely thankful to the people on the team that work to triage on HackerOne for us.

What Now

I would say that the program has been a success so far, so we want to continue it. We are actively working to address the biggest struggle we face, which is the invalid reports that take up so much time without yielding useful results. HackerOne offers some tools that we're trying to leverage to help.

  • Common responses – building up a repertoire of useful responses that can be easily sent to reporters takes time. We hope this will pay off in future time savings, as we no longer have to write the same basic response over and over.
  • Triggers – these allow us to automatically show one (or more) of our common responses to reporters as "Are you sure?" interstitials, based upon key words in the report. Adding some of these has helped and we hope to build a good collection of them as we go.
  • Reputation – HackerOne has both a reputation and a signal rating for all users. We can limit the ability to submit reports to only hackers with a minimum signal. There is a balance here. We don't want to miss out on valid reports, but we do want to reduce the noise.

We are also working with HackerOne to find other ways we might be able to improve our processes. Stay tuned!

The Open Web Matters

The internet is no longer a toy. It is no longer used only for fun or even simply for research. It is now an integral part of people’s lives, of businesses, and even entire economies. Comedian and science advocate, Bill Nye, was recently speaking about his new show Bill Nye Saves the World. Asked why he thought it was so important, he said:

I want clean water for everyone on Earth; renewably-produced, reliable electricity for everyone on Earth; access to the internet, or whatever the future of electronic information is, so that everybody in the world can participate in taking care of the planet.

Bill Nye to CNN

Water, electricity, and internet. It may sound crazy, but I would argue that the science guy is right. The internet is vitally important to the future of humanity. It needs to be protected, secured, and available. This cannot happen unless it is open.

History

CERN has restored a copy of the 1992 version of the site – the earliest copy researchers at CERN have been able to find.

The web as we know it started around 1991. Tim Berners-Lee, working at CERN, developed HTTP, HTML, and the first ever web browser. The web was much more academic at that time and looked a lot like the pages of a research paper.

Around the same time, the Commercial Internet eXchange was trying to do something groundbreaking. They were attempting to connect the various standalone networks, mostly US governmental agencies, to allow traffic to be exchanged between them. The controversial thing at the time was that they wanted a no-settlement policy between the groups involved. We take this for granted, expecting to easily access any information or service on the web without caring where or how it’s hosted. Imagine an internet where this wasn’t the case. Where you could only access a small fraction of the available sites and services.

What if Amazon were on one network, Netflix another, Twitter and Facebook still another, and none of those networks would talk to each other without additional usage fees. The sphere of information available to you would be incredibly different. Drastically limited. This is the kind of Internet we could experience if we don’t keep the web open.

History of Modern Humans

Why is this so important? Why should I care?

To answer that we need to look at how the dissemination of information has affected the progress of humanity. Nine hundred years ago, in the early twelfth century, the French philosopher Bernard of Chartres spoke about the fast progress humans were making. He said that the moderns were like dwarves perched on the shoulders of giants (the Ancients) and thus were able to see more and farther than the latter. “And this is not at all because of the acuteness of our sight or the stature of our body, but because we are carried aloft and elevated by the magnitude of the giants.”

Never heard of Bernard of Chartres but the “shoulders of giants” phrase sounds familiar? Isaac Newton said the same thing over five hundred years later.

If I have seen further, it is by standing on the shoulders of giants.

Isaac Newton, 1675

It’s easy to see Isaac Newton as a giant. He gave us calculus and Newtonian mechanics. We’ve used these as the basis for calculations to put people on the moon and to build skyscrapers that don’t fall over. The jet engine, a thing that in and of itself has forever changed the world, uses his principles and mathematics. Because people before Isaac Newton shared their knowledge openly with him, he was able to add to it and share that knowledge with future generations, who were able to leverage it to bring the peoples of our world closer in a way they never could have been otherwise.

Where the Danger Lies

Isaac Newton built on the works of those that came before him. Everyone since has built on his works. Shared information makes this possible. It is integral to humanity’s ability to make consistent and rapid progress forward. The internet is the single most effective information sharing tool in all of history.


Isaac Newton was able to stand on the shoulders of those that came before him, whose work he had access to. With the internet, access no longer needs to be a limiting factor. Distance doesn’t matter. The implications for the progress of humanity are both serious and exciting!

There are two things that we need to look at to understand the threats against this open dissemination of information that the internet provides – net neutrality and closed systems.

Net Neutrality

What is net neutrality? You hear the term used a lot, especially when people are talking about legislation affecting the internet, but what does it really mean? Net neutrality, or the Open Internet rules, cover three basic things according to the FCC:

  • No Blocking. Broadband providers may not block access to legal content, applications, services, or non-harmful devices.
  • No Throttling. Broadband providers may not impair or degrade lawful Internet traffic on the basis of content, applications, services, or non-harmful devices.
  • No Paid Prioritization. Broadband providers may not favor some lawful Internet traffic over other lawful traffic in exchange for consideration of any kind—in other words, no “fast lanes.” This rule also bans ISPs from prioritizing content and services of their affiliates.

The dangers of all these really come down to the honesty, integrity, and motivations of the people enforcing these limitations. Blocking bad/inaccurate content or throttling services that are less important to give precedence to ones that are more so, both sound fine – but who makes that decision? What group of people can decide that certain information isn’t accurate? Can that control or influence the thoughts and understandings of whole generations?

Now involve money. What happens when companies are able to pay to control the flow of information? When one drink giant pays to limit access to accurate information about their competitors while spreading inaccurate information? Or when tobacco companies can interfere with the ability of people to discover the actual risks of their products?

Free and open access to information is absolutely critical to our freedom as a people. Taking away people’s ability to make their own decisions, whether by force or by limiting access to information, is wrong.

Closed Systems

Many people easily identify the risks in the loss of net neutrality, but most miss the threat posed by closed systems. A system that you use, feed data into, and rely on that is closed source and owned by a company, is a danger. Whether it’s Facebook, Twitter, or Instagram for your personal data or Shopify, Wix, or Salesforce for your business.

It’s not that these systems are bad, but they are certainly dangerous. When another company owns the platform you rely on, what happens when your goals or needs diverge from theirs? Companies controlling the dissemination of information is dangerous.


What Can You Do?

When net neutrality legislation is on the table, take action! Inform yourself though, not all legislation is good. Spread the word about the dangers of a closed web. Vote with your dollars and your support. Use open platforms like WordPress and encourage others to do the same. Above all else be aware of the danger and watch for it.

Photo credit: Barefootliam.

In Support of Stronger Passwords – Not Secret Usernames

It’s a common security report. The details vary – sometimes they find usernames through CSS classes, sometimes they’re using enumeration, sometimes it’s from a REST API endpoint – but the real problem is that the underlying logic is flawed.

WordPress has taken the stance that usernames aren’t secret.

From our handbook:

The WordPress project doesn’t consider usernames or user ids to be private or secure information. A username is part of your online identity. It is meant to identify, not verify, who you are saying you are. Verification is the job of the password.

Generally speaking, people do not consider usernames to be secret, often sharing them openly. Additionally, many major online establishments — such as Google and Facebook — have done away with usernames in favor of email addresses, which are shared around constantly and freely. WordPress has also moved this way, allowing users to log in with an email address or username since version 4.5.

Instead of attempting to hide a public identifier, WordPress encourages users to choose strong passwords, through both the user interface and education.

Note that WordPress is not the only open source project to believe this. Drupal has similar arguments for the same thing.

Why? Because knowing a username doesn’t mean you’re halfway to compromising an account. Let me explain.


Usernames Are Public

A username is an identifier, a claim to who you are, much like your actual name. When I go to the bank to pull out cash I identify as Aaron Campbell, but then they want to verify that by looking at my drivers license or passport. That required verification is your password. I share my name with anyone, but they cannot have my verification documents. Those are mine.

Moving back to the internet, my username on Twitter is aaroncampbell and every one of my followers knows that. My username on Gmail and Facebook is aaron@xavisys.com and anyone that ever E-Mails me knows this – it even used to be on my business cards. You could discover my username on this site, but you don’t need to – it’s aaroncampbell.

Even if I didn’t have two factor enabled in all those places though, you wouldn’t be “halfway” to compromising any of those accounts. Users know they need good passwords but usernames are generally simple, easy to remember, and alphabetic or alphanumeric. To put it simply, they’re already easy to guess.

But wouldn’t keeping them secret still help? Wouldn’t having to guess both the username and password make it twice as hard? Shouldn’t WordPress help with that?

No, no, and no. And it all comes down to entropy.

Entropy

Password strength is usually referred to in terms of information entropy, measured in bits. The idea is that a password with 42 bits of entropy would be as strong as a string of 42 random bits. There can be a lot of complexity in calculating accurate entropy. Dictionary words (including ones in custom dictionaries built for the target), patterns, dates, and many other things can be used to reduce the raw entropy of a string. Best case scenario though, your password isn’t susceptible to any of those, in which case the raw entropy (H) can be calculated using this formula, where N is the number of possible symbols for each character, and L is the number of characters in the password:

H = log2(N^L) = L × log2(N)

Let’s calculate the entropy of my username of aaroncampbell. It’s 13 characters long (L) and each character has 26 possible symbols (N), giving log2(26^13) = 13 × log2(26) ≈ 61.1 bits. Keep in mind that in a real-world scenario, my first and last name, along with many other words specific to me, would likely already be built into a dictionary, making this number much lower.

Given a very short (too short), ten character random password of yZ3#8gPI^0 drawn from the 95 printable ASCII characters, the entropy is log2(95^10) = 10 × log2(95) ≈ 65.7 bits.

Treat the username as a second secret that has to be guessed together with the password (the best case for secrecy) and the entropies add, giving a combined ~126.8 bits. That best case rarely holds: if the login form lets an attacker confirm a valid username on its own, say through a different error message or a user listing, the two secrets can be attacked one at a time and the work drops back to roughly that of the password alone. Either way, simply increasing the password from ten to 20 characters gives ~131.4 bits by itself, more than the hidden username and the short password combined. All my passwords are 50 characters, or ~328.5 bits of entropy.
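The calculation above, carried through in Python as an added example (this is not code from the original post). It estimates N from the character classes a string actually uses, computes H = L × log2(N), and compares hiding the username against simply lengthening the password. The "separately" figure models an assumption I add for the comparison: a login form whose responses let an attacker confirm a username before touching the password, so the keyspaces add instead of multiply.

```python
import math
import string

# Character classes used to estimate N. The symbol set includes the space so
# that all four classes together give the 95 printable ASCII characters used
# for the 10-character password example in the post.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = string.punctuation + " "


def alphabet_size(secret):
    """Best-case N: the sum of the sizes of the character classes present."""
    return sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)
               if any(c in cls for c in secret))


def raw_entropy_bits(secret):
    """H = log2(N^L) = L * log2(N). An upper bound: it ignores dictionaries,
    patterns and anything else that makes a string guessable."""
    if not secret:
        return 0.0
    return len(secret) * math.log2(alphabet_size(secret))


def expected_guesses(bits):
    """On average an attacker has to search half the keyspace: 2^(bits - 1)."""
    return 2 ** (bits - 1)


def compare_secrecy_vs_length(username, short_password, longer_password):
    """Bits of work for three strategies:
      together:             username and password must be guessed as a pair,
                            so their entropies add (the best case for secrecy)
      separately:           an assumed response oracle confirms the username
                            first, so the attacker pays 2^u + 2^p guesses,
                            barely more than the password alone
      longer_password_only: public username, longer random password
    """
    u = raw_entropy_bits(username)
    p = raw_entropy_bits(short_password)
    lp = raw_entropy_bits(longer_password)
    separately = math.log2(2 ** u + 2 ** p)
    return {
        "username": u,
        "password": p,
        "together": u + p,
        "separately": separately,
        "longer_password_only": lp,
    }


if __name__ == "__main__":
    r = compare_secrecy_vs_length("aaroncampbell", "yZ3#8gPI^0", "yZ3#8gPI^0" * 2)
    for k, v in r.items():
        print(f"{k:22s} {v:7.1f} bits  (~2^{math.log2(expected_guesses(v)):.0f} guesses)")
```

Run as-is it prints the numbers from the post: ~61.1 bits for the username, ~65.7 for the ten-character password, ~126.8 if both must be guessed together, and ~131.4 for the 20-character password with the username public. The "separately" row comes out just under 66 bits, which is why a username-disclosure fix buys so little compared with a longer password.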

The Best Solution

Don’t worry about your username, but do focus heavily on your password practices. Use a password manager like LastPass or 1Password. You cannot have good password practices without a password manager. Good passwords should be long – 50 characters is what I use; random – not a “random phrase” you use, but actually randomly generated using a large character set; and unique – only used in one place.


Bonus

If you really want to secure your account, use two factor authentication (2FA). Many sites offer this option, and I personally use it everywhere I can. I use Authy as my 2FA app because I think it’s the most user friendly. It allows me to rearrange things to fit my preferences, add it to multiple devices, and even backup and restore everything for when I change devices. You can also use Google Authenticator or LastPass Authenticator. To add 2FA to your WordPress website, you can use iThemes Security Pro (paid), which is what I use, or Two Factor.

Website Security – Simple Steps to Take

Website security is important. We all know it. For many though, it’s a topic they prefer not to talk or think too much about. They don’t really consider it in very many areas as they build or manage their site. Why?

Security is Scary

You know you want to be secure, so you start to check out this weird security thing. Brute force? You can handle that; good passwords, limit login attempts, maybe even two factor authentication. Then you suddenly become aware of cross-site scripting (XSS), SQL injection (SQLi), cross-site request forgery (CSRF), remote code execution (RCE), and potentially so many more that you’re simply terrified. You begin to buy into “ignorance is bliss”. But website security doesn’t have to be scary.


Security is Something You Can Handle

When you start to research website security it’s easy to become overwhelmed as you’re slowly exposed to all the various forms of attacks. Each can be nuanced, complex, and confusing. The good news is, you don’t need to know how every vulnerability works in order to increase your security. Many of them can be prevented by following some relatively simple best practices. With a little added effort and by making a few smart decisions along the way, you can drastically increase your online security.


When most people think about securing their site, the first thing they think of is their password. And passwords are important. They aren’t where you should start though.

Security and Your Host

The security of your site needs to be managed all the way down “the stack”. The stack is all the software that sits in layers, one on top of another, to become your website. The top of it is likely all you really interact with – WordPress and your plugins. Below that is your database, PHP, caching tools, web server software like Apache or nginx, and an operating system. There’s probably also a firewall somewhere, either inside that stack or outside as a separate appliance.

Every part of this software stack needs to be properly configured, managed, and continually kept up to date. It’s integral to the security of your website. It’s also a lot of work and quite complex. Thankfully, you don’t have to worry about it if you choose a good quality host and let them worry about it for you.

Consider security when you choose a host. If you haven’t checked to see that your host has good security practices, take the time to do so. If you haven’t yet chosen a host, make sure that security is one of the things you evaluate when you do.

Choose Quality Software

Most of you are here because you use WordPress. I’m obviously biased, but I think that was a good decision for security. The WordPress security team works very hard to make sure that WordPress is as secure as possible. However, WordPress isn’t the only software you’re using to run your site.

You need to make good decisions about what plugins and themes you use as well. Did you consider security as you selected your plugins and themes? Did you look into the security practices of the companies or developers behind them? Don’t expect to find plugins or themes that have never had a security issue, but do look for those that have handled them well and have implemented good security practices into their development processes. You want quality plugins and themes with reputable people or companies that stand behind them.

Take the time to consider other software you’re using as well. Are you using a reliable and reputable SFTP client? Are you running good virus protection software on your computer? With the pervasiveness of the Internet, many modern computer viruses work to harvest login details from websites and send them to someone for later use. Learning to think about security at every step of the way, getting into the “security mindset”, will really help. You’ll start to see places that you can increase your security that you had never before realized even affected your website.

Great Password Practices

Everyone knows that it’s important to have good passwords, but what makes a password good? A good password is long, random, and unique.

How long should a good password be? I tell most people that it should be a minimum of twenty characters. All of mine are at least fifty unless the site or service has a lower limit (which usually leads to me whining lots and often reaching out to them to discuss better password practices).

What do I mean by random? Well…I mean random. Not a snippet from a poem you like, not a favorite verse, not a seemingly random combination of things you know or easily remember, and not a pattern on the keyboard. The best passwords are completely randomly generated.

Unique means that the password is only used in one place. The password to log in to my website is different from the one for my E-Mail, which is different from the one for my computer, which is different from the one for my bank, etc, etc. I don’t use the same password in two places and neither should you.

How can I possibly have that many different fifty character passwords that are completely randomly generated? Do I have a super human mind? Not at all. I use a password manager. You can’t have good password practices without a password manager. I use LastPass. Lots of people love 1Password and it’s a great option as well. I don’t care which you use, but you need to use one.


This is one of those areas where you have to put in that added effort I mentioned. A password manager will take some time and effort to set up and get used to using. Eventually though, you’ll probably find that it makes things easier not harder. It’s a fantastic investment into your online security.

Two Factor Authentication

When you try to log into your site you fill in a username field. On this site for me, that’s either my E-Mail address or “aaroncampbell”. That’s me saying “I’m Aaron”. My site wants proof of that though, as it should. There are three basic ways you can prove you are who you claim to be.

  1. Something you know – A password for example. With your bank this might be a PIN. As a kid with a fort, it was a code word.
  2. Something you have – For your car, house, hotel room, etc this would be your key. “Let me in if I have this.” For your website this is probably your smartphone with an app on it.
  3. Something you are – Many phones are starting to support fingerprint access for example. Some data centers use retina scans.

Two factor authentication (2FA) simply means that in order to verify you are who you claim to be you must supply proof from at least two of these groups. For websites this is almost always something that you know – your password, and something that you have – your phone with an authentication app on it. I use Authy because I think it’s the most user friendly. It allows me to rearrange things to fit my preferences, add it to multiple devices, and even backup and restore everything for when I change devices. You can also use Google Authenticator or LastPass Authenticator.

There are two plugins that make it easy to add 2FA to your WordPress website.

  1. iThemes Security Pro is a paid plugin that also does many other great things for your site. If you want to invest a little money in the security of your site, invest in your host and in this plugin.
  2. Two Factor is a free plugin by George Stephanis that adds two factor authentication to your site simply and effectively.

Like your password manager, some additional effort is required for setup and to get used to it. However, the added effort here will continue forever. Every time you log into a site you use two factor authentication on, it will take you an additional fifteen to thirty seconds. It is absolutely worth it though. Using multiple factors for identity verification increases security so much that it’s honestly hard to quantify.

Bonus: Once you get used to using two factor on your WordPress website, start using it everywhere else too. I use it on GMail, Github, Slack, Amazon AWS, Mailchimp, Mandrill and more!
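The “something you have” described above, in the section on two factor authentication and in the earlier Bonus on securing your account, is almost always a time-based one-time password (TOTP) generated by the app on your phone. The block below is an added example, not code from the original post or from either plugin, that implements the algorithm (RFC 4226 HOTP and RFC 6238 TOTP) and the server-side check a real site needs: a one-step clock-skew window and a replay guard so a code that was already used cannot be accepted again. The test secret is the one from the RFCs; the base32 helper mirrors how authenticator apps store the shared secret.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, for_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, int(for_time) // step, digits)


def decode_base32_secret(secret):
    """Authenticator apps exchange the shared secret as base32, often shown
    in spaced lower-case groups; normalise and restore the padding."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


class TotpVerifier:
    """Server-side verification with the two caveats a deployment needs:
    tolerate `window` steps of clock skew either side of now, and never
    accept a time step that has already been consumed (replay guard)."""

    def __init__(self, key, step=30, window=1):
        self.key, self.step, self.window = key, step, window
        self.last_step_used = -1  # highest counter value accepted so far

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        current = int(now) // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_step_used:
                continue  # this step (or an earlier one) was already used
            expected = hotp(self.key, candidate, digits=len(code))
            # Constant-time comparison so timing does not leak digit matches.
            if hmac.compare_digest(expected, code):
                self.last_step_used = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret, shown as an app would present it.
    key = decode_base32_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    print("current code:", totp(key, time.time()))
    v = TotpVerifier(key)
    print("first use accepted:", v.verify(totp(key, time.time())))
    print("replay accepted:", v.verify(totp(key, time.time())))  # expect False
```

Note that the replay guard is per secret and must live wherever sessions are shared (database or cache), not in process memory, or a second web worker will happily accept the replayed code.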

SSL Certificates

Encrypt all data sent between your website and the computer or device that’s accessing it with an SSL certificate (strictly a TLS certificate, since TLS replaced SSL years ago, but the old name stuck). It’s the thing that changes the URL from http:// to https:// and adds a lock and/or a green indicator to the browser’s address bar to let the user know the connection is encrypted and the site is the one it claims to be.

SSL Certificates add a visual cue to browser bars, reinforcing a user's security

At this point, there’s no reason for any site to not have an SSL certificate. They used to be quite expensive but cost is no longer an excuse. Many hosts offer them for free and the ones that don’t offer them cheaply. Often you can install them yourself through your control panel, but if you can’t opening a ticket with your host should take care of it.

Is Security Really That Important?

People want to know “why would anyone want to attack my website?” They think that because they don’t process credit cards or store personal information, that no one would care to hack into their site.

It’s not if you get attacked, but rather how you prevent it from being successful.

There are two basic types of attacks that try to compromise sites.

Targeted attacks are the kind that people tend to think of first. A person or persons work to compromise a specific site for some sort of payout. Often they’re trying to get credit card numbers, identities, etc. They want a good payout and put in a concerted effort to get it.

The second, and far more prevalent, are scripted attacks. Programs written to crawl the internet and try to compromise sites. Pushing for sheer numbers they look for simple to break passwords, out of date software with vulnerabilities, and other known weaknesses that can be exploited in an automated way. Instead of a large payout from one targeted site, the script attacks hundreds of thousands or millions of sites, compromises thousands, and makes a little bit from each. These attacks aren’t only more prevalent, but are indiscriminate. Anything attached to the internet will be attacked. It’s not if, but when.
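An added example, not from the original post, of what those indiscriminate scripted attacks look like in a web server log and a small detector run over constructed sample lines. It assumes the Apache combined log format and WordPress’s behaviour that a failed POST to wp-login.php returns HTTP 200 (the form re-rendered with an error) while a successful login returns a 302 redirect; the addresses, timestamps and the five-failures-in-sixty-seconds threshold are made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample traffic (not real logs): one scripted attacker that
# guesses five passwords in four seconds and then gets a 302, one ordinary
# user who logs in first try, and one slow probe that stays under threshold.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2017:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2017:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2017:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2017:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2017:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2017:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Nov/2017:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Nov/2017:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Nov/2017:14:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.18"
192.0.2.9 - - [10/Nov/2017:14:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.18"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?")[0],
        "status": int(m["status"]),
    }


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: finding} for every source that sends >= threshold failed
    wp-login.php POSTs inside any window_seconds span. The finding also
    records whether a 302 (successful login) from the same IP followed the
    burst, which is the case that needs a password reset, not just a block."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] != "/wp-login.php":
            continue
        if ev["status"] == 200:          # assumption: 200 == login form re-rendered with an error
            failures[ev["ip"]].append(ev["ts"])
        elif ev["status"] in (301, 302):  # assumption: redirect == successful login
            successes[ev["ip"]].append(ev["ts"])

    findings = {}
    for ip, times in failures.items():
        times.sort()
        for i, start in enumerate(times):         # sliding window over failures
            j = i
            while j < len(times) and (times[j] - start).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                burst_end = times[j - 1]
                findings[ip] = {
                    "failures": j - i,
                    "success_after_burst": any(s >= burst_end for s in successes.get(ip, [])),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, f)
```

Only 203.0.113.7 is reported, with success_after_burst set, while the normal user and the slow probe are left alone. Tune the threshold against your own traffic before wiring this into a block list; a shared office NAT with a forgotten password looks a lot like a slow attacker.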

Make it Hard on Them

Attacks on your site will happen. You can drastically improve your security, and thus your ability to fend off these attacks, by following these best practices. They’re not overwhelming. They are all things you can do.

  • Use a Security Conscientious Host – Keeping the stack your site is built on secure helps keep your site secure.
  • Choose Quality Software – Starting with WordPress is great, but also look at your plugins and themes as well as software on the computers you use to build or access your site.
  • Use Great Passwords – Great passwords are long, random, and unique. You can only do this correctly with a password manager.
  • Use Two Factor Authentication – Two factor authentication will use something you know (password) as well as something you have (your smartphone) to verify you are who you claim to be. This is a massive leap forward in the security of your user account.
  • SSL – Every site should have an SSL certificate. Inexpensive or even free, SSL certificates encrypt all data sent between your website and the computer or device accessing it.

 

Open Source Got Me Started

I started writing computer code about 26 years ago in 1991. At that time it wasn’t easy to teach yourself how to code. The Internet existed but not in the way we know it now. It was much smaller, contained far less data, ran at much slower speeds, and the first graphical browser didn’t even exist until two years later. So how did nine year old me learn? Open source.

Games Get Me

Windows didn’t gain popularity for another year or so. MS-DOS 5.0 released that year though, with a couple life changing games. Nibbles was a classic snake game where the snake grows with each thing it eats and you work to avoid running into obstacles, the wall, or yourself. Gorillas was a turn based combat game of sorts, featuring banana throwing gorillas on a skyline. I played both games as most nine year olds might, bordering on obsessive, but it was the mathematics in Gorillas that really caught my interest.

Screenshot of Gorillas game
The original Gorillas in action. I admit it, I’m feeling quite nostalgic

Each player took turns entering an angle and a velocity. Their gorilla would then throw an exploding banana accordingly. The goal was to hit the other gorilla, although the city scape could get in the way. You might have to explode though a building to get your opponent, or throw extremely high and hard to get the right angle to hit them without hitting a piece of the environment. Creativity was a part of it, but it was the numbers that really made it what it was to me.

After a while though, the novelty wore off some. I got surprisingly good at judging angles and velocity and fewer and fewer people wanted to play against me anymore. That’s when a fun game became life changing.

Open Source

Screenshot of the Gorillas open source code
This is what you saw each time you played the game. “Press Shift+F5” to play was as user friendly as it got.

Gorillas and Nibbles were both written in QBasic, which is sort of a combination of the BASIC programming language, an IDE, and an interpreter, meaning you could write code in QBasic and run it right there inside the editor. As a curious nine year old I scrolled down to look at the code that powered the game that I enjoyed so much. And I learned.

There’s no way that I could have written either of those games at that time in my life. It took months before I could even convince my parents to take me around to book stores in search of resources. But I learned a lot from the code itself. I broke a lot of things, but succeeded in making the bananas behave differently, adding invisible obstacles, spawning the gorillas inside the buildings, and more. It was practically intoxicating! The POWER! It hooked me completely. Because of open source.

Leveling Up

In the early nineties I got into BBSs. First just logging into them to play “door games” (sorry young people, you’re going to have to Google some of this yourself) and eventually running my own. One of my favorite games was a MUD called Legend of the Red Dragon (L.o.R.D.). Being highly competitive, I found value in tracing through the code of the game and the in-game modules to find the secrets and tricks to be able to level up faster. My ability to understand code was now an asset to ten year old me.

I learned a scripting language called “lady” in order to build my own modules. Existing modules, and their code, were my teachers. My BBS started to stand out as I added my own unique tweaks to a popular game. Enough that my parents noticed. And were none too happy with having three phone lines in our house, all of which were constantly busy. My leveling up in games through code didn’t end though.

Chip’s Challenge was all the rage when I was twelve. My seventh grade class went nuts over it. It was a puzzle solving game wherein you overcame obstacles to collect keys. When you completed each level you were given a code to write down. You could use that code to start up where you left off. Everyone was in on the challenge and the codes were proof. I immediately tried to turn to the source code as a solution and was horribly disappointed to find out that I couldn’t.

Open source had been so amazing, but it took a closed source application to really make me appreciate it. In order to do what I thought should have been easy, I had to learn about hex editors, earn codes manually, and use each new code I earned to slowly reverse engineer a compiled file. I was the first of my class with a full set of codes, but I was also now enamored with open source software. And it was a closed source game that pushed me that way.

My Mentor

For anyone that knows what hex editors are or what it takes to reverse engineer compiled code, that last bit might have sounded a little crazy. For those of you that have no idea what any of that is, the correct response is roughly “how could you learn how to do that as a twelve year old in 1994!?” The answer is that I had a mentor now. The summer before seventh grade, my parents connected me with the person that ran the computers for the school union I was in.

I spent that whole summer learning under him. I continued to work with him through all of junior high. Even then, much of my learning happened from “open source”, although in most cases it was his source code. I learned the basics of Novell NetWare scripting, more BASIC, C, and more. All by having the chance to look at various sources of code and ask him questions.

Back to Open Source

As the Internet became more ubiquitous, I pushed back into open source. It was easier now. In 2000 I started developing websites for money and used only open source platforms. I knew better now. I knew that the easiest way to have the control I wanted was to be able to view and modify the code. In 2005 I made a pivotal decision: I moved to WordPress development. In 2007 I started to contribute back to the project. It hooked me again, and I’ve been happily contributing to and advocating for open source ever since.

Twenty six years later and I still love open source. More than ever. 💗

The Difficulties of Security Disclosure

Security is ever a game of balance. Ease of use against safety is the one I find myself thinking about most often: locks on your door inconvenience you with having to get out your keys, long and unique passwords necessitate working with a password manager, two-factor authentication requires additional equipment and steps. Most often adding security impacts ease of use in some negative way. Finding the balance here is important.

But security isn’t a single balancing act. Many of the decisions we must make require finding the right balance. Each requires thought and consideration, as well as a clear set of priorities. Especially when it comes to disclosing vulnerabilities. Every situation is going to be unique, but knowing the right questions to ask will help. The time to think through these questions is now, hopefully long before you are faced with them.

Should This Vulnerability Be Disclosed?

Yes.

Disclosing the vulnerability is best for your users. It builds trust. It’s also the best thing you can do for the future of security. Hopefully other people can learn from your issue and not have to face the same one themselves.

“But, it’ll make us look bad!” You’ll look worse if someone else discloses it and you were hiding it. No security is perfect. Every company I’ve talked to that has owned up to a security issue has ultimately seen increased trust from their users.

“But it’s fixed now and no one was affected.” That’s fantastic! Well done! You should let people know how well you handled it.

“But if we make it public, people will try to exploit it!” Now we’re getting somewhere. This shouldn’t be a question of if, but of when. And deciding when to disclose can be tough.

When Should We Disclose?

Who would have thought a four-word question could be so complex and hard to answer? There is so much to consider. How do you balance what’s best for your users and your own reputation (spoiler: What’s best for your users is best for you)?

To figure this one out, you’ll need to answer a couple additional questions.

How Serious is the Vulnerability?

Objectively rating the severity of an issue can be tough, but considering these three things will help:

  • Discoverability – How likely is it someone could discover this and begin to exploit it?
  • Exploitability – Is this easy to exploit? Can attackers script it? Does it require authentication or social engineering?
  • Reach – How many are affected by this?

How Can We Best Protect Our Users?

It might be that you can protect your users by giving them time to update to a secure version before disclosing. The worst thing about disclosing is that you cannot disclose only to the “good actors”. When you put the information out there, it’s available to the well-meaning as well as those with more nefarious intentions.

While waiting can give users time to upgrade, remember that if the issue is discovered and exploited before your users know about it, you have ultimately put them at a disadvantage.

How Detailed Should the Disclosure Be?

Yet another balance to be found. This one between informing your users and giving instructions to the potential exploiters.

Make sure to include enough information for your users.

  • Help them understand how severe the issue is. Hiding the severity doesn’t help them.
  • Let them know what risk they face.
  • Give them steps to follow to protect themselves.

This is not a how-to. Do not include enough information for people to be able to easily exploit the issue. Make them figure that out on their own.

What Did I Do Wrong?

Ask yourself this last question after everything has settled. Maybe a week or two after the actual disclosure, sit down and assess how it went. Revel in the successes, but admit the mistakes. Use them to tweak your processes for next time.

Case for the REST API Endpoints

The Open Web and a History Lesson

For this to make sense, you first need to understand how I view the web right now. The internet has become a foundation that a huge percentage of humankind relies on. I think that our future is as dependent on technology, the internet being a key piece of that, as our recent past has been dependent on scientific foundations. I truly believe that the future of all people will be better if this key piece of our technological foundation is freely available to all, able to be used for any purpose, and not controlled or excessively influenced by any particular person or group.

I gave a short talk recently in Phoenix, where I said this very thing, and it came with a small history lesson that bears repeating.

Robert Hooke was a scientist in the late 17th century. Many of you might vaguely remember his name from your junior high science class. He’s the guy that looked at cork under a microscope and discovered that plants, and much more, are made up of cells.

Isaac Newton is a name you probably remember better. We all picture an apple when we think of him, right? Something about gravity? The truth is that Isaac Newton gave us a lot. He developed calculus (independently of Leibniz), discovered many things about light including that white light is made up of many other colors of light, and in his Principia he gave us laws about gravity and motion.

In a letter from Newton to Hooke in 1675, Newton famously said:

If I have seen further, it is by standing on the shoulders of giants.

And the best part is, we’ve been standing on the shoulders of people like these since. Much of modern medicine can be traced back to an understanding of the cell. Similarly, our world has been made smaller through things like air travel, where modern jet engine technology could not exist without calculus or the principles of force that Newton gave us.

Because of this, society as a whole has been able to make consistent and rapid progress forward. People don’t have to start over. They don’t have to rediscover the cell or create calculus, and can instead pick up where others left off and move forward from there.

So what the heck could this possibly have to do with the REST API endpoints in WordPress?

We’ve built something that has the potential to be a tool for others to use. It’s part of the height of our proverbial shoulders. It may not have the far reaching effect that calculus has had, but it does have the chance to do things that we can’t currently imagine. Newton probably didn’t imagine the Boeing 777 either.

If we don’t offer these kinds of modern tools, built into WordPress, to allow people to build the future of the Internet, then we risk them using similar tools offered by closed solutions from Facebook to Medium.

It’s going to be a lot of work. Not just to merge, but to keep up, improve, and generally manage for the future. But it will be worth it. To push forward the open web. To help make sure that people can pick up where we left off and keep making progress.

Joining GoDaddy as a Full-Time WordPress Core Contributor

Today is my last day at iThemes. It’s been a great two years, and I’ve learned a lot. I’m very appreciative of my time here and I will absolutely miss all the people. If you haven’t checked out iThemes or had the chance to meet Cory, Matt, or any of their amazing team, you definitely should.

So, what now?

Well, the title here kind of gives it away. I’m excited to say that I’m officially joining GoDaddy as a full-time WordPress Core contributor. I start there on September 6th, and am excited to help push WordPress forward with the full support of a company like GoDaddy behind me.

But why?

I honestly can’t remember when I first started using WordPress. I think it was sometime in 2004, because it was before Kubrick became the default theme. And it was certainly before we had things like WYSIWYG editing, which came along in late 2005 with the WordPress 2.0 release.

But while I can’t remember exactly when I started using WordPress, I remember very clearly when I started contributing to WordPress. It was June 12, 2007. That was the day that I opened my first ever bug report for WordPress, uploaded my first ever patch, and had my first bit of code put into the WordPress codebase. Yep, it all happened on one day!

Aaron's First Ticket

The feeling that I got from that was amazing. I loved that I’d just made a small impact on a group of people, most of whom I didn’t even know. I started to slowly ramp up my involvement in the project. I contributed more and more, and got involved enough to really get to know the people. By 2009 I was traveling to WordPress events, and by 2011 I was speaking at them regularly.

I’ve become very passionate about the WordPress project and the community that has built up around it. For a long time I’ve wanted to do more; to contribute more often and to take a more involved role in pushing the project forward. So when GoDaddy talked to me about bringing me on as a full-time WordPress core contributor, I was excited.

What does that mean?

Basically, I’m going to be working to make WordPress better and GoDaddy is going to pay for it!* There are a lot of massive benefits to this, including being able to have very consistent reliable time that can be counted on by release leads, being able to reliably take on projects that span releases, and being able to work on some of the less fun areas that are generally more neglected by volunteer efforts. I think that this kind of dedicated support from companies whose businesses are heavily invested in WordPress is extremely healthy for the project as a whole, and I’m ecstatic to get the chance to do this.

* For those that don’t have experience with open source software development, or don’t understand the pervasiveness of WordPress, this is going to be confusing. You’ll have to ask me to explain it all over coffee some time.

Migrating from Mandrill to SendGrid

Recently The Rocket Science Group, the company behind both Mandrill and MailChimp, decided to change things up. They decided to roll Mandrill, their transactional E-Mail service, into MailChimp as a paid addon available to paid MailChimp accounts only. A lot of people freaked out or got really upset, most of them focusing on the fact that many people who were using Mandrill for free or close to it, were going to have to start paying at least $40 per month. That’s $20 per month for a MailChimp account, which they might not even have a use for, and $20 per month for the lowest tier of the Mandrill transactional email addon.

I was upset too. Not because of the additional cost, but because of the way Mandrill users were treated. An email went out to all Mandrill users on February 24th, mandating that all existing users needed to have a paid MailChimp account set up and connected to Mandrill by April 27th. That gave nine weeks.

Nine weeks isn’t a lot of time, and Rocket Science knew this. Is it enough time to set up a MailChimp account, link it to your Mandrill account, and pay them the extra money every month? Yes. Was it enough time to research an alternative, set up an account elsewhere, rewrite all your transactional email code to use a new API, train users to use a new interface at this new solution, test all the new code, and deploy? Not really. At least not in many cases.

However, that’s exactly what I did. Not because I was upset at the extra monthly cost, but because I didn’t like being treated like that.

I started with some simple research to find alternatives. As it turned out, plenty of other people were doing the same research and posting their findings, which greatly simplified the process. What I found is that since my usage was pretty straightforward, almost any of the available alternatives would work for me. I ended up choosing SendGrid.

The actual development wasn’t particularly interesting. The APIs are different, as you would expect, so all the code needed to be changed but was ultimately similar enough to be pretty simple.

One of our hangups came with tags. In Mandrill we used tags to label various kinds of E-Mails, what server the E-Mail was triggered from, etc. We use those to help us track where deliverability issues occur, as well as to help us track down bugs when they happen. The problem was that SendGrid didn’t have these. Luckily, SendGrid DOES have what they call “Unique Arguments”. Basically, they let us do the same thing, adding in our own unique key/value pairs, with the only downside being that their web app doesn’t give you much in the way of working with those (like viewing all bounces with a specific value for one of the arguments).
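To make the tags-versus-unique-arguments difference concrete, here is an added example (my own illustration, not code from the post or from either provider’s SDK). It builds the same transactional message labelled the Mandrill way (comma-separated tags in an X-MC-Tags header plus JSON metadata in X-MC-Metadata) and the SendGrid way (a single JSON X-SMTPAPI header whose “unique_args” are echoed back on every event), then does by hand the query the SendGrid web app would not do: all bounces from one server. The header names and JSON keys follow each provider’s SMTP API documentation as I understand it and are assumptions; the addresses, hostnames and webhook events are constructed sample data, and the assumption that SendGrid merges unique_args in as top-level keys of each event-webhook object is labelled in the code.

```python
import json
from email.message import EmailMessage

# Constructed sample input: what our sending code knows about one message.
SAMPLE = {
    "to": "user@example.com",
    "from": "noreply@example.com",
    "subject": "Your password reset link",
    "body": "Use the link below to reset your password.",
    # "kind" is what the mail is for; the rest say where it came from.
    "labels": {"kind": "password-reset", "server": "web-03", "site": "shop.example"},
}


def build_message(sample, provider):
    """Build the MIME message and attach our labels the way `provider` expects."""
    msg = EmailMessage()
    msg["To"] = sample["to"]
    msg["From"] = sample["from"]
    msg["Subject"] = sample["subject"]
    msg.set_content(sample["body"])

    labels = dict(sample["labels"])   # copy so we can pop without touching SAMPLE
    kind = labels.pop("kind")
    if provider == "mandrill":
        # Mandrill SMTP headers (assumed names): comma-separated tags in X-MC-Tags,
        # free-form JSON metadata in X-MC-Metadata.
        msg["X-MC-Tags"] = ",".join([kind, *labels.values()])
        msg["X-MC-Metadata"] = json.dumps(labels)
    elif provider == "sendgrid":
        # SendGrid SMTP API (assumed format): one JSON header. "category" is the
        # closest thing to a tag; "unique_args" carries arbitrary key/value pairs.
        msg["X-SMTPAPI"] = json.dumps({"category": [kind], "unique_args": labels})
    else:
        raise ValueError(f"unknown provider {provider!r}")
    return msg


def sendgrid_category(msg):
    """The category list SendGrid will file this message under."""
    return json.loads(msg["X-SMTPAPI"])["category"]


def sendgrid_unique_args(msg):
    """The unique_args SendGrid will attach to every event for this message."""
    return json.loads(msg["X-SMTPAPI"])["unique_args"]


def mandrill_metadata(msg):
    """The metadata dict Mandrill would store alongside the message."""
    return json.loads(msg["X-MC-Metadata"])


# Constructed sample of event-webhook payloads. Assumed shape: each event is a
# flat JSON object and the message's unique_args are merged in as top-level keys.
SAMPLE_EVENTS = [
    {"event": "delivered", "email": "a@example.com", "category": ["password-reset"],
     "server": "web-03", "site": "shop.example"},
    {"event": "bounce", "email": "b@example.com", "category": ["password-reset"],
     "server": "web-01", "site": "blog.example"},
    {"event": "bounce", "email": "c@example.com", "category": ["receipt"],
     "server": "web-03", "site": "shop.example"},
    {"event": "processed", "email": "d@example.com", "category": ["receipt"],
     "server": "web-03", "site": "shop.example"},
]


def events_matching(events, event_type, **wanted):
    """The query the web app would not do for us, e.g. all bounces where server=web-03.

    Events missing a key simply don't match, so old messages sent before a label
    was introduced never raise.
    """
    return [
        e for e in events
        if e.get("event") == event_type
        and all(e.get(key) == value for key, value in wanted.items())
    ]


if __name__ == "__main__":
    for provider in ("mandrill", "sendgrid"):
        print(f"--- {provider} ---")
        print(build_message(SAMPLE, provider).as_string())
    for hit in events_matching(SAMPLE_EVENTS, "bounce", server="web-03"):
        print("bounce from web-03:", hit["email"])
```

Two things worth keeping in mind when doing this for real: keep the label values short, because the whole JSON blob rides in one mail header, and store the webhook events yourself (a database table keyed by the unique_args you care about) so that the “show me every bounce from server X” question is one query instead of a scan like the one above.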

And that seems to be the only real downside so far. The web app for SendGrid doesn’t seem to be quite as powerful or fully functional as the one Mandrill has. Having said that, delivery, responsiveness, speed, etc all seem completely on par. I’ll happily give up the zoomy UI though, if they’ll treat their customers with a little more respect.

Being Understanding in this Digital Age

This has been an interesting week for me. I’ve worked every day from a hospital room. To try to keep a very long story somewhat short, my grandma was in the ER Sunday, the experience was bad and they dismissed her rather than taking the time to actually figure out the problem. This resulted in her being BACK in the ER (a different ER; fool me once and all that) at 12:30am Monday morning, getting admitted to the hospital a few hours later, and being under acute care ever since.

It’s rather severe. She’ll likely be in the hospital another week or two, but the prognosis is starting to look up.

It’s been incredibly hard on my immediate family. My grandpa has severe Alzheimer’s, and while there are many things he cannot remember, he never seems to forget that his wife of nearly 68 years is in the hospital. Not for even a second. Unfortunately, he can’t stay at the hospital with her all day every day, because he needs to have some routine to help keep him on track. This means that my dad has been taking care of grandpa, and playing shuttle service to bring him to the hospital every day and take him back home every evening.

Emotions have been high as well. Everyone here cares about my grandma greatly, and that can cause logic to be clouded by emotion, making everyone a little more touchy and on edge. Especially when things weren’t looking so good.

So what does all this have to do with being understanding? Well, that comes down to some of the communications I’ve received this week. The ones from people that have no idea where I’m at or what I’m going through.

They tend to start out innocent enough. Someone asking me about one of my WordPress plugins, possibly sending me a product or service they’d like me to review, or even sending me a legitimate work proposal.

Unfortunately, any of those kinds of things that came through this week have been summarily ignored. I’m not sorry about that. None of those things are important enough to take even a few minutes of attention away from my grandma and what she’s going through. I suppose I could have responded with some short blurb explaining what was going on, but I stand by my actions as being perfectly acceptable. And yes, I’d ignore them all again (and probably will for at least another week).

Receiving, and ignoring, those messages didn’t bother me at all though. Like I said, they didn’t know where I was or what I was going through. The frustration really started yesterday (or more accurately last night), when I started to open and read some of the more recent messages. Some of them had taken on an angry tone; “if you don’t care about this, then…”, “You’ll never get my work if you don’t respond”, or “People said you were reliable, but I guess they were wrong.”

Just how fucking important do you think you are?

Not that I need to justify myself, but I think pointing out my internal responses to these statements helps underline how ludicrous they really are:

  • It’s not that I don’t care about whatever it was you were writing about, I just don’t care enough to put it above my family. Deal with it.
  • I don’t want your work anyway. Even if I was looking for work, working for an impatient, self-important, pain in the butt, isn’t my idea of fun.
  • I’m glad to hear people said I’m reliable. Right now, my family finds me incredibly so. I’m glad that me not responding to you in 48 hours gives you the right to judge me differently.

The truth is, we’ve all come to expect a level of accessibility that I think has become unreasonable and unsustainable. Technology has made it so that most of us, myself included, walk around with our E-Mail, Twitter, Facebook, etc in our pocket. We tend to check it habitually, and therefore respond quickly. Often within minutes or hours.

The problem is that, as we all know, doing something consistently builds expectation. People now expect a response within an hour, think themselves patient if they wait half a day, and feel like you’re purposely ignoring or slighting them if it takes longer. The distance the electronics place between us makes it easy to never take the time to think about where the person on the other end of your communication is, what they’re doing, or what they’re going through.

I have to think that not a single one of these people would have barged into my grandma’s hospital room to give me their message, expecting me to stop dealing with family and put my attention on them. Yet essentially that’s what they asked of me.

Expectations of availability have gotten out of control. When do they afford us time for ourselves? When do we get to focus on something so important that we don’t want to be bothered?

Try to remember that even though there is often technology between you and someone else, it’s still a person you are dealing with. A person that has to go through the same kind of crap as you sometimes. Be understanding.