Scott Arciszewski @CiPHPerCoder, 30 tweets
I've drafted several blog posts in the past week and scrapped them all. None of them feel important enough to write about, let alone publish.
This isn't coming from a position of writer's block. This is coming from a position of empathy. Time is precious, and I hate to waste anyone's.
Application security: I don't know whether it's better classified as "poorly understood" or "underappreciated".
But when you look at information security as a whole, it's woefully underappreciated, even if you count all the vendor bullshit and cold sales calls.
There wouldn't be a need for sales/marketing to cling to buzzwords and manufacture hype if the world at large already appreciated what we do for them.
And then when you encounter situations like @Equifax, the insult compounds atop the injury.

"Nothing we do matters, egregious acts of negligence that harmed millions of us are met with no real consequences."
So if that's true: What does matter? This isn't a rhetorical question.
In application security land, I've been fighting for years to improve the PHP ecosystem. I even rewrote most of libsodium in PHP (as insane as that sounds) just so WordPress (which pathologically refuses to bump their min PHP version) could sign their updates.
I probably still would've written sodium_compat regardless, however, I wouldn't have included PHP 5.2 support if it weren't for WordPress.
Why? Because it's a huge fucking threat to the stability of the Internet.

You try blocking a DDoS that consists of ~27% of the websites on the Internet.
Imagine circa-2012 Anonymous getting their hands on enough 0days (or getting lucky and discovering enough misconfigurations) to get into the update server for WordPress and poisoning the update file with their malware.

That's a very basic supply-chain attack.
I don't particularly care about WordPress as a product. I do care about all of the people that depend on it directly, and the fact that they're a single popped server away from being a source of disaster for the Internet.
WordPress's automatic update feature can be a boon for security: It stops 1day vulnerabilities from being massively exploited by skiddies.

However, as implemented today, it's far too dangerous to ignore. And ignore is exactly what WordPress has been doing.
Not only did I rewrite a cryptography library to help solve this problem, I also wrote the patches to the WordPress core that would use this library to add code-signing (the first step in making their infrastructure not a single point of failure).

Proof: core.trac.wordpress.org/ticket/39309
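To make the code-signing step concrete, here is an added example (not code from the thread, from sodium_compat, or from the WordPress patch) of the check an updater would run over a downloaded archive before unpacking it. It assumes PHP 7.2+ with ext/sodium (sodium_compat exposes the same `sodium_*` functions on older PHP); the archive bytes, the key pair and the corruption are constructed in-process for illustration only.

```php
<?php
// Added example: verify an Ed25519 detached signature over the ENTIRE update
// archive under a pinned public key before anything is extracted or run.
// Assumes ext/sodium (PHP 7.2+) or sodium_compat's polyfilled sodium_* functions.

/**
 * Returns true only if $signature is a valid Ed25519 signature over
 * $archiveBytes under $publicKey. Any other outcome means "do not install".
 */
function verify_update_archive(string $archiveBytes, string $signature, string $publicKey): bool
{
    // Reject malformed inputs up front so a short or garbage signature cannot
    // raise an exception that a caller might misread as a transient error.
    if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false;
    }
    if (strlen($publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return false;
    }
    return sodium_crypto_sign_verify_detached($signature, $archiveBytes, $publicKey);
}

// --- Constructed demo. In a real deployment the secret key is generated and
// --- kept offline; only the public key is shipped inside the updater.
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);  // release-signing key (offline)
$publicKey = sodium_crypto_sign_publickey($keypair);  // pinned in the updater

// Constructed stand-in for an update archive (a real one would be a .zip).
$archive   = "PK\x03\x04 constructed-update-archive-contents";
$signature = sodium_crypto_sign_detached($archive, $secretKey);  // done at release time

echo 'genuine archive:   ';
var_dump(verify_update_archive($archive, $signature, $publicKey));

// A compromised download server can alter bytes, but cannot re-sign them.
$tampered = substr_replace($archive, 'X', 10, 1);
echo 'tampered archive:  ';
var_dump(verify_update_archive($tampered, $signature, $publicKey));

// A signature made with some other key is rejected too, so possessing the
// server alone does not let anyone produce an installable update.
$otherSecret = sodium_crypto_sign_secretkey(sodium_crypto_sign_keypair());
echo 'wrong signing key: ';
var_dump(verify_update_archive($archive, sodium_crypto_sign_detached($archive, $otherSecret), $publicKey));
```

The property the thread is after is the last two checks: once the public key is pinned client-side, neither modified bytes nor a signature from a different key get past the updater, so the download server stops being a single point of failure.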
I did all of that, and was met with silence. Others have come forward with suggestions for stoking a fire under the butts of the people who have the power to make decisions; I point to instances where I did what they suggest months/years ago with no positive outcome.
The reason WordPress hasn't solved this problem isn't because it would be a huge time/personnel demand on their end. The solution is on their public issue tracker, ffs!
The reason is simple: They don't give a shit.

And we can't afford to not give a shit about WordPress in return. They're too big to fail, and I don't envy anyone who ever has to clean a botnet of that magnitude.
What can we do?

Other than apply economic pressure to Automattic (the company that employs most of the WP org core committers, paid for by WP com, and has the lion's share of the political power over the WP org community), I'm fresh out of ideas.
It bears repeating and emphasizing:

The work was done for them.
The fucking work was done for them.
The work was fucking done for them.
There are other options, of course, but those are criminal, so don't even think about doing any of them. Just, NO.
It's really hard to write about topics as banal as "how type-safety relates to software security, with examples in PHP" when this Sword of Damocles hangs over us all, and the fools propping it up remain silent.
#39309 remains unfixed. As long as this is true, but Automattic's revenue continues to grow, every network on the Internet should consider itself at risk.
I think I've done everything I can do.

I'm going to stop trying and caring so much about what happens to WordPress, even if a disaster is impending due to a sleeping conductor.
Instead, I'm going to focus more of my time and energy on getting CMS Airship v2 ready to release. If anyone wants to help make this into a viable and seamless replacement for WordPress, let's knock their market share down a few pegs.
I'm not an artist, nor am I skilled at UI/UX. If you know much about these subjects, chances are you're far better than myself.

Please consider making Airship less ugly. github.com/paragonie/airs…
On the milestone for version 2:

- MySQL/MariaDB support
- Seamless migration and data imports from existing blog platforms (including WordPress)
I've suspended any notions of a set "release date" in favor of making sure it's ready for production when the time comes.
CMS Airship might not be able to make a large dent into WordPress's terrifying market share, but for anyone who migrates, your safety and privacy will always be priority #1, and not take a backseat to a shiny WYSIWYG editor.
Looking elsewhere in the PHP ecosystem for mistakes to avoid, I seek to create a culture that fosters personal growth and diversity.

Such a culture precludes indulging in behavior like this: medium.com/valley-of-the-…
If you've read this entire thread, thank you for bearing with me. I have a lot of work before me, but I'd like to think that at the very least my effort won't be wasted (as it is with WordPress).