Tuesday, April 21, 2026

The Muck We Live In

This is not a post meant to frighten people, or to claim that WordPress is bad or dangerous.  WordPress and tools like it are very helpful for letting non-geeks design and deploy websites.  What's rotten here is not the tech, but the human behavior we see when money is all that matters.

Earlier this month, a large-scale attack was executed, turning hundreds of thousands(!) of websites into spammer and scammer playgrounds.  Several people have written very good articles about what happened and what to do about it on a technical level, including Austin Grinder.

The short story is this:
- Useful stuff gets built by enthusiasts, and used by many.
- Business buys out original developers, and takes over as maintainers.
- Business injects spammer and scammer exploits into many unsuspecting sites.
- The exploits go live, and the business gets their dirty money.
- Everyone else is left to clean up the mess.

It almost looks like a pattern. That's because sadly, it is.  Online waters, once friendly and clear, can and regularly do become mucky cesspools.

But before I drill into that, let's look at the early steps in this process.

Many independent web developers have contributed to their ecosystem over the years by developing WordPress plugins.  Some of these are wildly popular - because they perform an important job, or solve a niche problem, or just plain look cool.  As often happens these days, some of those developers got bought out, and control over those plugins passed to new hands.  The geeks who had created something useful got paid, the new owners got a long list of users/clients right out of the gate, and the operators of all the sites which made use of those tools and plugins didn't even need to know or care that anything had changed.

On paper, that looks like win-win-win.  It's exactly what would be expected in a capitalist society.  A six-figure sum was paid for a collection of software plugins.  Serious money to a lot of us, but a modest investment by most measures.  All legal, all normal.  Business as usual.  So far, so what.

Well, the new owners didn't share the original developers' goals of helping people by providing useful functionality.  The new owners looked at all those thousands of deployments, and saw a different kind of opportunity.  The plugins were all updated to contain specifically-designed exploitable security holes.

Let me repeat that:  A business paid six figures for a variety of website plugins, and then turned them all into poison, on purpose.

Once adoption of the "upgraded" versions was widespread, the trap was sprung.  Masses of people (who were guilty of nothing more than using popular software to put up their websites) saw their home pages and blogs converted into attack vectors for scams, predatory advertising, all the worst scummy nonsense the modern internet can deliver.

The money was made, the investments have paid off, and the perpetrators are now off to their next scheme.  Meanwhile, all the site owners and maintainers are left picking up the pieces, assessing the damage while scrambling to put things right again.  The plugins that had been so useful to so many were left disabled and blacklisted for safety reasons.

New projects now spring up to replace what was lost, with hopes of learning from the mistakes of the past.  But the too-trusting design of WordPress plugins (a legitimate technical criticism) was not the real failure here.  The failure was human.  Someone decided that making a quick buck mattered more than the trust and goodwill of hundreds of thousands of their fellow humans.  Someone legitimately purchased a portfolio of popular, helpful software projects, with the intention of ruining them for their own short-term gain.  We can re-architect server software all we want, but this kind of thing is going to keep right on happening as long as being awful to one another (read: business as usual) is normalized.

This time, the buyouts and exploits led to spammers and scammers and data thieves reaching huge audiences by means of many hijacked websites.  But all too often, a change in ownership that occurs when a passion project becomes a business asset leads to more subtle forms of exploitation.  I've witnessed the exact same pattern play out over plenty of acquisitions and buyouts.  Big or small, I've seen it over and over.  A useful thing takes off and helps people; then the new owners come in.  Once all the money is milked out, once whatever made that thing special and useful to begin with has been melted down and turned into quarterly earnings and executive bonuses, the husk is abandoned.  Then the leeches (usually a private equity group) are off to ruin the next thing, and the next.

Before wrapping up, let's count the ways in which this kind of thing damages society's norms:

  • "Lots of people use this, I can trust it" may not be great policy, but most of us don't have the time or expertise to study changelogs and patches for every little behind-the-scenes tool.  At some point, we all have to trust someone or something.
  • "I worked hard on this, it's mine to sell" is a valid decision.  Selling out usually presents itself as a positive opportunity.  Why would anyone buy something just to destroy it?
  • "New versions are available, I should upgrade" is drilled into us, and even forced upon us in some situations.

One rotten business decided to violate all of these social contracts and more, just by living out their own:

  • "I got mine, screw everyone else."

As I said at the beginning, I don't hold this against WordPress or its ilk.  But, growing up alongside personal computing and being hands-on with the internet since its early days has given me a sense of where the cesspools like to grow, and how to get things done while avoiding the sludge.

At the end of these posts, I'm supposed to offer my solution.  And I do think that there is a lot to be gained by minimizing server-side code, and by using a diverse set of specialized tools instead of popular one-size-fits-all solutions.  But as I've been saying, the failure in these cases is more human than technical.  So I'll offer up one final quip of a societal contract, one that's always true, whether anybody else believes it or not:

  • "I'm pulling for you.  We're all in this together."  Attribution and thanks to Red Green, a fellow tinkerer.

So, if you're looking to put up a website, or to rebuild one which has let you down, you know where to find your digital handyman.  I'll keep you out of the muck.
