Comments on: WordPress Plug-In – TweetBacks “Considered Harmful”

By: Cheri Sigmon, CISSP

Cheri Sigmon, CISSP — Mon, 09 Mar 2009 06:58:04 +0000

Interesting thread… esp’ly this convo about “responsible disclosure.” As an information security professional, we discuss this often and we do have fiduciary and ethical responsibilities that an average “consumer” would NOT.

Therefore, Dave has no obligation to discuss a perceived security vulnerability with the developer FIRST. He CAN if he wishes, but the 1st step is to *contain* potential risks.
Hope it works out OK; plugins often equal attack vectors.

Cheri

By: Herb Stalk

Herb Stalk — Wed, 18 Feb 2009 04:33:37 +0000

Great catch! Probably saved a lot of people a lot of headaches

By: Sheila

Sheila — Tue, 17 Feb 2009 20:43:10 +0000

First of All, Daiv, I love your blog. I don’t think you did anything wrong or punitive what your post, It’s FREE. Just like any product/service free or paid for, there are going to be good reviews and bad reviews.
It’s your Blog and you can post anything you want. If you want to do a review on something you found faulty, why should you take YOUR time to call the developer. They should not have sent it out without first beta testing it with friends/family. My husband always beta test something before sending out to the world and we always go back to it and make sure it’s working properly even after it’s sent out to the world to use.

I know that we have tried to contact a developer on a product/service that had a flaw and do you know that I spent “4″ Freakin hours trying to get through to them, not to mention all the emails, Waste of my time to help someone out. So what ever!
Can we say REVIEW and that is exactly what you did, you reviewed a product/service.
They need to fix it and get over it.
Just because of the smart asses that commented against you, I will NEVER use that plugin and I will let others know to not use it either.

By: Scott Allen

Scott Allen — Fri, 06 Feb 2009 21:36:13 +0000

@Guillermo: If we were dealing with a car I would agree, but when there is a potential security issue, the procedure has to be different.

By all means disable what you feel is the problem. You own the site, you are free to do as you please. But when dealing with a potential security flaw, you have to contact the developer first and give them a few days to investigate and if fix it if the problem is legit. By posting before doing that, you give unethical people several days head start to exploit the issue before the developer can fix it. This causes more problems because then a LOT more people can get exploited. I would say if the developer didn’t respond after a couple days (and you’ve made a thorough attempt to contact them), then by all means post about it. Otherwise the post should wait to come until the developer has had a fair chance to fix it.

Like I said, security issues are different than other kinds of problems with web apps.

By: Guillermo

Guillermo — Fri, 06 Feb 2009 18:40:43 +0000

You did the right thing. I’ve been in the developer’s position before, and my initial response was
similar to his; but the fact of the matter is this: This is the real world. If you were in a Ford, and your wheels came off without warning, you’d be within your rights to complain to the entire known world before even sending as much as a tweet to the company.
Developers (again, myself included) want to be taken seriously, and want for their industry to be taken seriously, but many aren’t mature enough for the sort
responsibility and scrutiny that comes with creating a product. So… don’t worry. Daiv still rawks.

By: Kyle Reddoch

Kyle Reddoch — Fri, 06 Feb 2009 02:17:31 +0000

Okay, I have now uninstalled the Tweetback plugin for WP…

Thanks for the advanced warning again!

By: So Much More Than A Mom

So Much More Than A Mom — Fri, 06 Feb 2009 02:17:13 +0000

I can’t even begin to imagine how anyone could take offense to anything in this post.

By: JenniferBhalaHansen

JenniferBhalaHansen — Fri, 06 Feb 2009 02:10:45 +0000

I was about to use tweetback. Not any more. Thanks for the warning

By: Stephen

Stephen — Thu, 05 Feb 2009 21:32:45 +0000

I am as befuddled as you and others at the response of the developer here.

While I’m very happy that you’ve both made contact with one another and that this will likely be very productive, I can’t see how the average blogger – one who’s NOT a tech geek, in my case – would be obligated to track down the developer and start “talking tech” about the issues behind it. (I’m so low-tech, I use blogger, actually)

As a consumer, I simply consume. The creator of a product is responsible for flaws in their products or services, and, on occasion, suffers bad publicity about it, as they surely did when you recommended NOT to install this particular version of the plug-in.

The customer should never be made to feel that its his or her job to hunt down the developer and for THEM to apologize for a flaw in THEIR product.

I think someone’s got that backwards if they feel otherwise.

@nhprman on twitter

By: Dr. Gianmichael Salvato

Dr. Gianmichael Salvato — Thu, 05 Feb 2009 20:37:31 +0000

Thanks, Daiv. I think it’s patently ABSURD that anyone suggest that you were being “punitive”. Like it or not, when the author of a plug-in releases a plug-in with vulnerabilities, they are culpable for the vulnerability.

There was nothing malicious or unprofessional about your post. You provide a valuable b2b service and I’m certain I am not the only one who hopes you’ll continue, undaunted.

– Gianmichael
@gianmichael on twitter