[wp-trac] [WordPress Trac] #5066: Anonymize update checking
WordPress Trac
wp-trac at lists.automattic.com
Sun Dec 13 23:19:06 UTC 2009
#5066: Anonymize update checking
-------------------------------------------+--------------------------------
Reporter: zamoose | Owner: anonymous
Type: enhancement | Status: reopened
Priority: normal | Milestone: 3.0
Component: Administration | Version:
Severity: normal | Resolution:
Keywords: has-patch 2nd-opinion privacy |
-------------------------------------------+--------------------------------
Comment(by zamoose):

Reposting a forum entry I penned over at WPTavern. Reposting it here for
the "if it isn't in Trac, it doesn't exist" factor.

A common complaint from those in favor of the status quo is: what harm
could there possibly be in storing your URL? Allow me to give two examples
to illustrate potential for harm.

'''Military/Gov't Contractor blogging environment'''

I don't know how many of you have worked for a military or US gov't
contractor in the past, but one of their concerns when it comes to
information disclosure is the revelation of employee names to third
parties. Foreign intelligence officers (FIOs) from e.g. Syria, North
Korea, China, Iran, etc. are always on the lookout for employee
names/identifiable information so that they can potentially exploit that
person as an intelligence asset, either via compromising their home (or
work) machines with spear-phishing attacks or via direct physical
surveillance. The vast majority of proprietary/classified information
leaks come not through direct technological hacks/cracks but through
social engineering and careful use of human factors (see Mitnick, et al.).

In the event that a contractor is using WordPress internal to the company
and employing custom themes or plugins whose authors (as is a good
practice in the WP community) have identified themselves, the .org site is
potentially storing said information in a way directly tied to the
company. If WordPress.org inadvertently discloses the information in
question, either through human error on their part or through a security
breach by FIOs, you now have exploitable humint on discrete employees
working for said contractors.

If it was widely known, this fact alone is enough to make most
contractors' IT departments ban WordPress outright. At the very least,
they will disable update checking in its entirety. Neither of these
situations is particularly a good thing.

'''Political Dissident blogging environment'''

I referred to FIOs above. For hostile/totalitarian regimes, FIOs generally
serve two purposes: exploitation of information from gov't interests and
observation/intimidation of political dissidents.

As in the gov't contractor example I gave above, if dissidents are using
any custom themes or plugins, their information could be accidentally
disclosed to FIOs which could either lead to direct physical danger for
themselves (if they are living within the borders of an oppressive state)
or, in the case of ex-pats with families that remain behind, danger for
their families still under the sway of these states.

Or, say a plugin was written that made your stylesheet go green in support
of the protestors in Iran. If WP.org's data was compromised, Iranian IOs
would have access to a comprehensive list of folks running said plugin
(and a list of everyone using the Farsi locale) and thus be able to narrow
their intelligence-gathering and intimidation efforts based solely upon an
installed plugin.

If you think I'm being paranoid here, please see the recent examples of
Egypt and Cuba jailing political bloggers and the Iranian intelligence
services threatening expats
(http://online.wsj.com/article/SB125978649644673331.html?mod=WSJ_hpp_LEFTTopStories).

(I'm not even going to get into the area of compulsory legal disclosure of
the info -- i.e., a third party brings suit or attempts to get law
enforcement to retrieve .org's data based upon discovery or a warrant.)

It's not "just" a URL in these situations, it's real people whose real
lives stand to be substantively affected in the event of a disclosure,
unintentional or otherwise.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/5066#comment:34>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software