[17:04] <photomat1> let's get started
[17:04] <photomat1> <meetup>
[17:04] <photomat1> big turnout this week
[17:05] <photomat1> any particular reason?
[17:05] <lightdifference> spring break maybe?
[17:05] <stevecooley> all back to knowing what time to show up?
[17:05] <mdawaffe> We all come out for a good HTTP standards debate!
[17:05] <photomat1> word
[17:06] <photomat1> before we GET busy, anyone have any WP news or sorts to toss in?
[17:06] <ringmaster> Looking for insight on nonces, and who made up that silly word.
[17:06] <photomat1> anything happen this week?
[17:06] <photomat1> besides the easter wordpress.com massacre
[17:06] <lightdifference> photomat1: wp-community.org is lifting off the ground.
[17:06] <photomat1> lightdifference: sweet, that's good to hear
[17:07] <photomat1> who's involved with the project?
[17:08] <lightdifference> photmat1: NuclearMoose is leading, and I've been told to hush down about it until we get further.
[17:08] <TonySt> Lightdifference, NuclearMoose, Fightingfriends, fimion...
[17:08] <lightdifference> tunicwriter!
[17:08] <TonySt> And tunicwriter, yes...
[17:09] <photomat1> sounds quite groovy
[17:09] <lightdifference> and BigJibby
[17:09] <photomat1> one thing I would like to point out
[17:09] <photomat1> is Podz's suggestion on the wp-forums list, which I think is really cool
[17:10] <photomat1> basically a free WP installation service
[17:10] <photomat1> seems like a nice people to introduce people into the community
[17:10] <mumbles> wouldent that mean having there account details to do it with ?
[17:10] <Podz> could we have a bit of space on wp.net for that? Keep it away but also part of wp?
[17:10] <photomat1> Podz: sure
[17:10] <lightdifference> that would be quite cool.
[17:10] <Podz> cool :)
[17:11] <photomat1> any way I can support it, let me know
[17:11] <TonySt> That might be a security issue
[17:11] <Podz> mumbles, they give all their info. we install it for them
[17:11] <ringmaster> ...and steal their accounts to send spam. Perfect. I'm in!
[17:11] * Parts: BeauBright
[17:11] <Podz> TonySt, it's what many of us do anyway when we get emailed. doing this just makes it more public
[17:11] <mumbles> haha
[17:12] <photomat1> you guys are thinking like developers, not like users
[17:12] <mumbles> yeh ive done a few installs myself as well.
[17:12] <lightdifference> Podz: I can help out.
[17:12] <mumbles> for other people
[17:12] <mdawaffe> Podz: will you upgrade sites that you installed as well?
[17:12] <TonySt> Podz: Hm.... There best be tight control, then
[17:12] <lightdifference> the scary thing is when people IM to and offer to pay you to install OSS.
[17:12] <Podz> mdawaffe, doubt that - but it's all still being discussed on the list.
[17:12] <photomat1> we already have concepts of trust with each other based on how long someone has been around, how they contribute, etc
[17:12] <lightdifference> you*
[17:13] * mumbles wonders whats up with his user for the wiki
[17:13] <TonySt> photomat1: It's not who we trust, but who people say they are that i'm worried about
[17:13] <photomat1> anyway, the discussion is happening on wp-forums if any of you guys want to pitch in
[17:14] <photomat1> I think it's refreshing
[17:14] <photomat1> it's something I would have never thought of because my brain just thinks of all the edge cases, security, upgrades, hassles, legal stuff, etc
[17:15] <photomat1> which is idea-paralyzing
[17:15] <Podz> TonySt, true - that's the core issue but i think we've got it covered
[17:15] <stevecooley> OSS doesn't always mean "easy to install" :) wordpress happens to be extraordinarily easy to install...
[17:15] <TonySt> Podz: I'm just skeptical - I'm sure it'll all be fine and it'll work out great
[17:15] <stevecooley> some of those groupware OSS packages.... oof
[17:15] <lightdifference> *cough* mt *cough*
[17:15] <Podz> mt is easy :p
[17:15] <photomat1> as we get bigger and more experience, etc, we shouldn't lose that "startup" mentality that anything is possible
[17:16] * TonySt is now known as TonySt|Away
[17:17] <photomat1> okay, everyone put on your asbestos suits, let's talk about the birds and the bees, the GETs and the POSTs, and how blogs are created
[17:18] * westi|gone is now known as westi
[17:18] <photomat1> mdawaffe: want to start us off?
[17:18] <mdawaffe> Some traffic on wp-hackers has set off the old POST v GET
[17:19] <photomat1> a thread that was started because of someone complaining about the referrer check
[17:19] <mdawaffe> I like the idea of doing hardcore security checks on POSTs and offering confirmation prompts on GETs
[17:19] <mdawaffe> yes
[17:19] <mdawaffe> but it's a separate (tough related) issuue
[17:19] <photomat1> I think it's interesting that they weren't complaining about security, but rather the user experience
[17:20] <photomat1> and the thread got obsessed with security
[17:20] <mdawaffe> Yes - I wholly agree - that's why I tried to spin it off just now into a new (correlated) thread
[17:22] <mdawaffe> Here's what I mentioned on hackers: http://comox.textdrive.com/pipermail/wp-hackers/2006-April/005777.html
[17:23] <photomat1> my main concern is around the experience
[17:23] <photomat1> underscored by the fact
[17:23] <photomat1> that the stupid mail approve comment confirmation has been driving me bonkers since it was added
[17:23] <mdawaffe> but maybe hackers is the better place for that discussion. I just wanted to point out exactly what photomat1 pointed out already: the difference between needing security and needing a good interface (both important)
[17:23] <mdawaffe> ha :) blame me for that one, photomat1
[17:24] <photomat1> grr :-p
[17:25] <photomat1> for almost any situation, we can think of something that COULD happen to compromise security
[17:25] <photomat1> the problem becomes when fixing something appears attainable, we all want to code up a storm to block that hole
[17:25] <photomat1> even if it may compromise what was previously a smooth flow
[17:26] <photomat1> there is a conceit that users are idiots and we must protect them from every possible flaw or attack
[17:26] <photomat1> but I think the cookie auth part of the thread was telling
[17:27] <photomat1> not using sessions, etc, was a deliberate decision
[17:27] <mdawaffe> which part? that WP is "inherently insecure" and has been since its inception?
[17:27] <photomat1> we're vulnerable to man-in-the-middle attacks, but so are most applications in the world that don't use SSL
[17:27] <mdawaffe> (a statement I don't give two bits to)
[17:28] <mdawaffe> I consider that a non-issue
[17:28] <mumbles> how hard would would it be to get ssl and wordpress playing nicley ?
[17:29] <mdawaffe> I do think, however, that a "good flow" can be maintained while still blocknig all the holes. We just have to get smart. Perhaps Mark and Owen's ideeas will do just that.
[17:29] <photomat1> mumbles: we have a plugin that does it
[17:29] <mumbles> really? goes to google
[17:29] <photomat1> secure-admin
[17:30] <mdawaffe> http://dev.wp-plugins.org/browser/secure-admin/
[17:30] <photomat1> it's what we use on wp.com, it also encrypts everything on the cookie level as well as using SSL
[17:30] <ringmaster> I think that our ideas are sound. We could even take it a step more toward your (mdawaffe) idea, and make ALL of the solutions pluggable, so whichever one was irritating your client could be removed.
[17:30] <photomat1> but WP.com is very much an edge case
[17:31] <mdawaffe> photomat1: I think the encryption is handled by a different plugin. (true?)
[17:31] <photomat1> just an include, which I believe we include
[17:31] <photomat1> the encryption part is pluggable
[17:31] <photomat1> ringmaster: then we'd end up mostly where we are now
[17:31] <mdawaffe> right
[17:32] <mdawaffe> ringmaster: I like pluggable
[17:32] <ringmaster> But with "Are you sure?" questions when all of the detection methods fail.
[17:32] <photomat1> why not have a plugin for people who are paranoid?
[17:32] <photomat1> one step below SSL
[17:33] * TonySt|Away is now known as TonySt
[17:33] <photomat1> and to complement it, a plugin for people who don't give a dang which turns our built-in referrer check off
[17:34] <skeltoac> Don't forget the plugin that denies access to everyone forever after activation.
[17:34] <mdawaffe> photomat1: turn off the referer check and perhaps some of the confirmations as well. That way, core is shipped with tight security, and plugins are available to loosen or batten down the hatches
[17:34] * Joins: rboren
[17:34] <ringmaster> Well, it's really not about paranoia. It's about accessing the admin from clients that don't send the referer for some reason.
[17:35] <photomat1> ringmaster: I don't think that's that many people
[17:35] * Joins: indranil
[17:35] <ringmaster> Anyone behind a restrictive proxy. Anyone with crappy old Norton Firewall configured oddly (like, half of them).
[17:35] <photomat1> there were vague references to mobile proxies and such
[17:36] <ringmaster> Not that I disagree with the number you suggest, just that the current user experience for them is poor, and it seems kind of needless.
[17:37] <photomat1> what if we allowed the referrer to be blank?
[17:38] <ringmaster> Then accessing through throse proxies would permit the attack that checking the referer tries to prevent.
[17:38] <skeltoac> Graceful degradation
[17:38] <photomat1> but there's so few of those people it doesn't really matter
[17:38] <photomat1> relative to the # of people using wordpress, the amount the referrer thing comes up is pretty low
[17:39] <mdawaffe> (hence the plugin suggestion)
[17:39] <skeltoac> We could treat the most destructive actions slightly more aggressively, such as deleting posts.
[17:39] * Joins: ian6
[17:39] <stevecooley> and changing the admin password?
[17:40] <skeltoac> Other than deleting my posts, I don't care about AYS or ref checks.
[17:40] <ringmaster> What do the Ajax deletions do now to prevent those cases? Just referer checks?
[17:40] <photomat1> we could put some sort of logging on WP.com to see how often the check_admin_referrer die gets triggered, and what is being sent when it does
[17:40] <photomat1> ringmaster: they have an embedded cookie check
[17:40] <mdawaffe> stevecooley: changing passwords is already done with a POST. It's "safer".
[17:41] <stevecooley> ah, ok, thank you :)
[17:41] <ringmaster> photomat1: Could this be employed to work with regular admin requests?
[17:41] <photomat1> if we required JS, yes
[17:41] <ringmaster> Bah.
[17:41] <mdawaffe> ringmaster: only with JS, and it's not as "tight" as check_admin_ref()
[17:42] <photomat1> the only reason it's done is because we have to turn c_a_r off on those
[17:42] <photomat1> because IE never sends a referral or something
[17:42] <mdawaffe> because AJAX is magic, as I recall
[17:42] <photomat1> there be dragons here
[17:43] <skeltoac> You know, we could replace ALL of our AJAX work with iframe-targed forms and probably wind up much happier.
[17:43] <skeltoac> But that's a tangent.
[17:43] <photomat1> iframes do weird things to the IE throbber and mess up the back button
[17:43] <lightdifference> iframes are so...2000.
[17:44] <skeltoac> Damned back button.
[17:44] <mdawaffe> iframes have a clear lack of "named after a greek hero"
[17:44] <skeltoac> </tangent>
[17:45] <photomat1> we have a couple of issues
[17:45] <photomat1> 1. the referrer check doesn't work if they get something into the admin section
[17:45] * Quits: gsnedders
[17:45] <RandyWalker> You've never heard of Iframes, a mortal son of Zeus? He had the power to open doors to anywhere!
[17:46] <photomat1> 2. when the check fails, it does so in a fairly abrupt way, and that could be improved even though it only affects a small number of users
[17:46] <photomat1> 3. we should rip everything out and put in a new submission auth system
[17:46] <photomat1> there's also a 4 floating around
[17:46] <photomat1> which is like 3 but for every page load (re: gfmorris)
[17:46] <stevecooley> RandyWalker++ ... i think I saw that guy in the matrix 3
[17:47] <RandyWalker> lol
[17:48] <stevecooley> er, matrix 2... bad geek!
[17:49] <mdawaffe> 1 seems simple: KSES and some extra filtration on comments and drafts OR convert a few key things to POST
[17:51] <mdawaffe> 2 Can we offer a confirmation dialog on referer failure as many have suggested? Essentially build something out of the available globals?
[17:52] <photomat1> 2 could be as simple as a non-die screen
[17:52] <mdawaffe> 3: I say just add some actions for pluggability (but I still lean toward the POSTify the lot camp)
[17:52] <photomat1> something with a logo and more text
[17:52] <ringmaster> Yeah, just replace the die() with something nicer that remains persistent.
[17:55] <mdawaffe> And convert all check_admin_referer(); //do stuff to if ( check_admin_referer() ) { //do stuff } ?
[17:55] <photomat1> still a die, just a nicer one
[17:56] * Quits: indranil
[17:59] <photomat1> the most productive suggestions are basically around making the experience better for those folks who don't send referrers
[17:59] <photomat1> if we can reach that goal without breaking compatibility, editing every form in WP, or compromising our current level of security
[17:59] <photomat1> then we've save ourselves a lot of time and complexity
[18:00] <photomat1> but I may be overestimating how complex ringmaster's or mark's implementations would be, haven't seen any code yet
[18:01] <ringmaster> I think in any case, the review of the possibility of the change has been worthwhile for determining whether the next course of action is useful.
[18:01] <photomat1> true
[18:04] * Joins: facet
[18:07] <photomat1> alrighty, let's wrap it up
[18:07] <photomat1> any more topics before we close?
[18:07] <skeltoac> bbq
[18:07] <mumbles> apart from the one i added
[18:08] <mumbles> how about making error_bot announce when the meetup should be?
[18:08] <photomat1> that'd be cool, who runs it?
[18:08] <skeltoac> io_error
[18:08] <TonySt> io_error
[18:08] <mumbles> ie a |meetup comand that would tell you how long till the next meetup
[18:08] <mumbles> io-error i think
[18:09] <mumbles> ill ask him the next time he comes online in #wordpress
[18:10] <photomat1> cool, sounds like a good idea
[18:10] <photomat1> arlighty
[18:10] <photomat1> alrighty even
[18:10] <photomat1> thanks everyone for coming out today
[18:10] <photomat1> see you all on the interwebs
[18:10] <photomat1> </meetup>