TimThumb, Heroism and FUD

FUD is “Fear, Uncertainty and Doubt” and it’s a tactic used by people to scare you and make you jump into a decision that benefits them. This decision may not be a bad decision, but it’s not strictly to your own benefit, but theirs. Keep that it mind, it matters.

Recently it was discovered that there was a massive vulnerability in TimThumb (TimThumb is an image editing tool for your webapps). It had an honest-to-god Zero Day Vulnerability. I don’t use the code, and I don’t put it on any site I run, so I knew I was pretty safe. Still, I ran searches for timthumb.php on my entire server, made sure it was clean, and moved on. 1

The exploit primarily affected WordPress installs, because it was developed for WordPress in the beginning, but since then has grown to be used by many other apps, like Drupal and Joomla and even home-grown ones. It’s insanely cool, but it’s always had weird little problems (which is probably why it’ll never be included in the core code of those apps). Getting it to work at all on MultiSite was a pain, and when someone wrote a how-two, we gave her Tim Thumbs up! 2

Certain people leaped into action. VaultPress, which runs a backup service for WordPress users, sent out emails to everyone who had TimThumb. Then they went the extra mile and fixed 712 possible exploits for you. 3 They jumped up and said ‘We must fix things for people’ and did it. This was, indeed, Matt’s vision for VaultPress.

But then this other thing happened, and I’ll quote Matt:

It could have gone a lot of ways, but the incident brought out the best in the community. The core team sprang into action searching through the theme directory to inoculate any themes that contained the dangerous code. Community blogs quickly got the word out about the problem so people were aware of it. Mark Maunder, who originally discovered and broke down the problem, created a fork of the code called WordThumb that rewrote TimThumb from the ground up. Forking is not usually ideal because it fragments the market for users but Mark soon connected with Ben Gillbanks, long-time WordPress community member, and they’ve teamed forces to release TimThumb 2.0, a collaboration that exemplifies Open Source at its finest. An updated plugin should be in the directory shortly.

Let me explain.  There was a problem with a popular tool that is used both in themes and on its own plugin (and probably others).  Mark found the problem, fixed it, and then re-wrote the tool.  Then, after Matt commented on his site that Forking is a last-resort, even though this was a ground-top rewrite, Mark agreed and talked to the TimThumb guy and together they fixed everything.  And now they’re a team.  No one made any money off that process.  People just did the right thing to make the web safer for all of us! 4

All of this was done in a way that the public knew about the problem without getting into an “OMGWTFBBQ!!!11!?” panic.  Was there some fear?  Yes, because you knew there was a problem and there was a possibility it could affect you.  Was there uncertainty?  Of course!  Again, could it affect you?  Was there doubt?  And this here is where we have a win for the Open Source community.  There wasn’t.  It was a straight up ‘This is what’s wrong, this is how to fix it.’

In so many ways, that’s how every business should work.  It could have been better, certainly, but when I compare this to how I get security alerts for our servers at work, I see nothing but room for improvement.  Right now, one person has the job to look for vulnerabilities that are published about anything we use.  If she sees one, she opens a ticket and says ‘Fix this ASAP!’  The problem is, to use a recent example, ownership of the fix.  We had a vulnerability with .NET, but as I read the whole doc, I sorted out that it only happened if your server was configured in a certain way so as to make a security hole.  Another quick check and I saw the server team had their own ticket ‘Fix this hole.’  So I closed my ticket and said ‘Will be resolved with Server Ticket 1234567.’   My ticket was reopened and I was told I did it wrong.  This was a problem with my application (I don’t ‘own’ .NET, I happen to be on the team who brought it into the company, however).  I pointed out it wasn’t that .NET was vulnerable, that it was the server.  They didn’t care.  My ticket has to be open until the problem is resolved, no matter what.  In the end, I turned off the feature that might, possibly, be vulnerable and got chaff for not doing it right.

When you compare that to the beautiful simplicity of Open Source communities, it makes you wonder how anything actually gets done?  We’re so afraid (fear) of being wrong or doing the right thing without the right approvals, we let the process hamstring us from fixing the problem.  We don’t know (uncertainty) what the right thing is anymore, so we do nothing.  And in the end, we’re not sure (doubt) if we’re of any use at all. 5  Plus, to make matters worse, they told the entire company about the security hole, so everyone knows, and they can see we didn’t close the tickets.  It’s a mess.

But really that’s not what FUD is about.  Nor is it what this post is about. Neither way is perfect, and both are flawed in different ways.

You see, what Open Source nailed in one was that we should be aware of the dangers, and work together to make it better, not feed the fires and run around terrified about what’s going on.  A little fear is a good thing.  It clears the arteries and is good for your heart.  If you’ve never had a moment where the blood drained out of your face because you made a mistake, you’re not trying hard enough.  We all live with uncertainty and doubt, too, and inherently these are not bad things.  What is wrong is allowing them to have complete control over your actions to the point of inaction or consistently making the wrong choice that you know is wrong.

Make the right choices.  If a bread stick is on fire in the toaster, take it out and make that extra step to sort out who put it in there.  Treat everyone as a team member, a fellow hero.  You see, if we give in to FUD, we cripple ourselves, much like corporate america does every day with miles of red tape.  But if we don’t, if we accept our fear and move forward, we can get past it and make better products for everyone.  And that’s a great goal.

If you think you, or a friend, may have been hacked, please go to Sucuri and run the free scan for your website.

Notes:

  1. Not relevant, I recently changed all my passwords on all my sites, and my servers, because I realized I’d used the same ones for about 6 years.
  2. Bad joke. BAD bad bad joke. Sorry.
  3. I know some people got shirty about it, since they didn’t want VaultPress editing their data. That isn’t the point here.
  4. Okay, that’s not the point either, but it needed to be made.
  5. I think my premature grey came from this job, and if I leave, the first thing I’m doing is dying my hair neon blue.
StudioPress Theme of the Month
Half-Elf? Try Half OFF WordPress ebooks!