Why Is Samuel “Otto” Wood Making Claims About Us That Don’t Match Reality?
When it comes to our full disclosure of vulnerabilities in protest of the continued inappropriate behavior of the WordPress Support Forum moderators, we are certainly not above being criticized, and any protest should be expected to have critics. What we have found, though, is that people frequently criticize us for things that are not close to true. For example, today during an email conversation with the developer of a plugin who incorrectly believed we had falsely claimed their plugin contained a vulnerability (and threatened to sue us over that), they wrote this regarding our reason for fully disclosing that vulnerability:
To further your pity party about yourself and being banned from WordPress.
Contrary to what keeps getting falsely claimed, we didn’t start our protest due to being banned; we were banned for our protest, which wasn’t unexpected and is not something we are having a “pity party” over or any similar reaction to.
The person who seems to be the source of the claim is the person basically in charge of the moderation of the Support Forum, Samuel “Otto” Wood. He is somehow the person you are to contact if you have a problem with the behavior of the moderators, despite being one of the moderators himself. He is also the person who apparently chooses most of the moderators, making it unlikely he has the proper distance from them to properly handle complaints about them.
He is also one of the six people who run the Plugin Directory. In that context, yesterday we discussed his strange logic that you should never warn people about unfixed vulnerabilities and his belief that “magic wizards” discover exploitable vulnerabilities in WordPress plugins. Not surprisingly, he ignored the responses from people trying to explain why what he believes doesn’t match what is really happening in the real world (it is far from the first time he or one of the other people on the WordPress side of things has seemed unable to deal with the thought that someone disagrees with them). Instead he responded to another comment, again making claims about us that are not connected to reality:
Well, I’m going to say “greater than zero time”. Which is what he is complaining about.
Understand, the entire issue is that he wants to use the forums to post exploits publicly. Which we won’t allow. Simple as that.
I’m not going to argue for specific timelines, because that is silly. Every case is unique. But saying that we should allow him to post things to our forums, in public, without notifying the author in advance, welp, no sale, sir. Sorry if that upsets him, but the answer is still no.
You can argue specific details all day, but in the end, don’t post exploits in the forums. That’s pretty simple and easy enough for people to agree to.
We don’t post exploits at all. We do usually provide proofs of concept when we disclose vulnerabilities we have discovered or detail vulnerabilities discovered by others, but we do that on our own website.
Even if you want to call those “exploits”, we do that on our own website. This isn’t complicated to understand and yet he gets it wrong over and over.
With our protest, we fully disclose vulnerabilities on our website and then only try to notify the developer about that disclosure through the WordPress Support Forum. Here is an example of the message we leave when doing that:
Due to the moderators of this forum’s continued refusal to operate in an appropriate fashion we have started full disclosing security vulnerabilities and only notifying developers of those disclosures through this forum. That unfortunately means that we are writing this to inform the developer that there is a settings change vulnerability that leads to persistent cross-site scripting (XSS) in your plugin that has already been disclosed. If you have a problem with this type of full disclosure please contact the leadership of WordPress and let them know that the moderation of this forum needs to be cleaned up, since that is how these full disclosures will end.
For the moderators, please stop acting inappropriately. If you truly believed that “It does not serve anyone’s interests to inform users about the vulnerability before it is remediated.” then you have every incentive to stop acting inappropriately because you are the ones causing vulnerabilities to be full disclosed like this (seriously, the moment you stop acting inappropriately they stop), especially considering your inappropriate behavior is a decided negative for the WordPress community, even though you so far have shown an inability to grasp that or even be able to have a discussion with people trying to help you to understand that instead of shutting down the discussion. We know you are adults, so please start acting like it, instead of like children.
He can have an issue with that, but that isn’t using “the forums to post exploits publicly”, and it would stop immediately if he just stopped the inappropriate behavior of the moderators. To use his words, “simple as that”, but instead he makes things up to avoid addressing what is actually going on.
Since our original account on the Support Forum was stuck in moderation, our messages would never have had to be shown. Our intent with those messages is to make the moderators choose between letting people know that they are causing these full disclosures or the developers not knowing about the disclosure. Of course they could contact the developers or the team running the Plugin Directory themselves, but what we have repeatedly seen over the years, unconnected with anything involving us, is that they haven’t done that. That means vulnerabilities that are known about are not being fixed, which is part of the inappropriate behavior of the moderators. One example where that has continued with our full disclosures is an authenticated persistent cross-site scripting (XSS) vulnerability in the plugin WP Google Maps, which hasn’t been fixed in the two weeks since the disclosure. Today we saw a hacker probing for usage of that plugin, so it could now be being targeted.
Considering that he is also one of the moderators and is someone who acts inappropriately enough that someone wrote the following about him regarding his interactions in the Support Forum, he seems to have an interest in lying about what we are doing so that he can continue to act inappropriately.
Some people, no matter how long they’ve been in the project or how important stuff they gave to it, should never be allowed to answer reviews in .org. They lack the minimal sensitivity to understand and speak to a human. I’m not saying they aren’t great, I’m just saying they aren’t fit for it. Therefore, they shouldn’t be there, where you have to understand a lot of different people, with different troubles using which, for some, are essential and at the same time complex tools to master.
But considering he believes in things like “magic wizards” and keeps getting things completely wrong, while claiming, when he got something very wrong, that it is “very simple and obvious” that he is right, it seems reasonably possible that he isn’t going through that level of thought. That seems like a good reason he shouldn’t be in the positions he is in and should be replaced with someone who can appropriately handle themselves, handle reality, and get the moderation of the Support Forum cleaned up so these full disclosures can stop.
I do appreciate the fact that with these full disclosures I can be more proactive about security rather than just hope for the best as preferred by Matt and the Mulletwigs. I wouldn’t be sad if these full disclosures are here to stay.
The only “flaw” I can see in your way of protesting is, that contacting the author through the forums, where you already know that you’re going to be deleted/banned/blocked, is expected to fail. So in reality, Otto isn’t that wrong in this point – you’re not properly contacting the author before releasing the POC (which I appreciate to see, since it allows me to estimate the impact to a higher degree).
The question remains, is there a simple way to contact plugin authors when we find vulnerabilities in their plugins. From my last experience with a plugin that got removed from the repository, I can’t say so. I think WordPress should ask plugin developers to provide a means of contact in case of a security emergency. Or provide some kind of system to at least leave a message for the author “on the record” that won’t be removed. Maybe we can work towards reworking the plugin repository to be able to handle these kinds of cases? I really dislike the overly simple “plugin got removed” thing, without specifying a reason…
He isn’t right, since he claims that we want “to use the forums to post exploits publicly”, which isn’t what we want at all. What we want is for the inappropriate behavior of the moderators to stop; until then we are doing a protest that involves us only notifying the developers of the disclosures through the forum, but even then we are not using the forum to post exploits publicly. If the moderators stopped acting inappropriately we would be contacting developers directly, as we had done for years before we started the protest. He has the power to fix this, but for whatever reason he is instead making things up to excuse not doing that.
If you look at the Theme Directory, it has a “Report this theme” button on each theme’s page, which takes you to a page to report an issue, though it didn’t lead to any action in the situation in which we used it. So it isn’t as if nobody has thought that a better approach is needed; the problem seems to be that the people in charge are not interested in fixing problems like that, seeing as Samuel “Otto” Wood is also the WordPress.org Admin and would have the power to make changes like that in the Plugin Directory. That is part of the problem here, as there are problems like this that could have been fixed long ago, but you can’t even discuss them on the forum, much less get them addressed.
The lack of information on why plugins are removed is intentional, even though many people have explained over many years that it doesn’t make sense. Trying to discuss that is the sort of thing that has actually led to a topic being closed, which is a good example of the inappropriate behavior of the moderators (in that case involving the person who is also in charge of the Plugin team).
Made a post in support of your efforts on wptavern.com and it got filtered or they just simply removed it. Figures, since I’m pretty sure one of the staff at wordpress.org owns wptavern. I have watched the moderation team over a year ban and remove comments, cherry-pick and close anything related to constructive discussion on the horrifyingly rated Gutenberg. Switched to ClassicPress.
Matt Mullenweg owns the WordPress Tavern.
J,
I’ve been following the wptavern.com discussion and I noticed there was at least one supportive comment (with a large number of “likes”) that simply disappeared later on. (I’m not sure if that was yours or someone else’s.)