Plugins: Double the Damage

Sit down for a fun ride in what I can only call … The plugin equivalent of Revenge Porn.

Player 1 forked a plugin from Player 2. Player 2 attempted to claim Player 1’s work as his own. Insanity occurs. And if you’re thinking it’s a simple case of he-said/he-said, it’s actually not. They both agree on a number of facts, but disagree on what the facts ‘mean.’ And it is hard to work around that.

I’ll start by introducing our players (not their real names):

  • Ken – an existing plugin dev who was already on thin ice for submitting the same plugin over and over, due to not reading emails
  • Andrew – a new (to us) dev who possibly stole code

Before The Drama

Ken. He’d been a plugin dev for a few years, but he’d always been a problem. Not worthy of an outright ban, but he’d had a number of cautions and warnings.

Ken’s biggest issue was his own head-in-the-sand arrogance, and a refusal to read. No, I’m serious. He had a history of not reading the emails, even when they were one sentence. This made his reviews take a hog’s age, and it made dealing with him something I had to psych myself up for.

I was already frustrated enough to leave a note in his user account about it. Ken would read subject lines only, if at all. It was maddening and he was on his last warning already about communication. To wit, if you cannot (or will not) communicate with people, why are you here?

Submission Wars

On Monday, doing the usual weekend clear-out, I started like always. See, I preferred to start with low-hanging fruit. I would reject the outright bad or incorrect submissions (like people submitting Akismet) and pend trademark issues. This is, if you’re wondering, why I ended up writing so many blockers for submissions. It took that morning ‘easy’ work from 2 hours to under 1! Doing that work takes little brain power, though it was always time consuming, and let me ease into the day.

That day, I ran into Andrew who had a trademark issue out of the gate. The name of his plugin started with ‘WoCommerce’. Yes, one O. Around then was when I’d just introduced the blocker on starting with ‘WooCommerce,’ and for the life of me, I don’t know why people see that they cannot use a trademark and decide it’s smart to ‘tweak’ the trademark.

Note: For the love of the flying spaghetti monster, DO NOT try to ‘get around’ a trademark issue with a clever spelling. The legal concept you’re violating is ‘intent to infringe’ and I have to tell you, Facebook has zero tolerance for that.

Back to the plot, I emailed Andrew and explained the plugin was pended due to trademarks. Also it’s Woo with two O’s.

Imagine my surprise on Tuesday when I saw the same plugin submitted with the same name typos and now a ‘Free’ at the end (because the original name was used). Now usually this happens when someone doesn’t fully read the email that says to reply with your code attached. Sometimes it’s two people with the same idea and, since we blocked multiple submissions, it’s often someone using two separate accounts to resubmit. Giving this new one the benefit of the doubt, I checked and saw it was an existing dev, Ken!

I downloaded this new plugin and then Andrew’s and compared. Guess what? Same code. The readmes, mostly, were different, but not in a good way. Ken’s was a half-edited version of Andrew’s, and Ken’s plugin headers also credited Andrew.

This means, whoops, Ken submitted a copy. That gets Ken’s rejected and Ken is told that either he stole this (bad) or he’s working with Andrew and resubmitted instead of following directions (also bad).

Meanwhile, I also emailed Andrew asking “Are you working with someone else and did you goof the reply?” Andrew replies promptly, with the new code, explaining a very odd story.

Andrew said that Ken will claim Andrew stole Ken’s plugin. He named Ken! I was stunned and kept reading. According to Andrew, he made a more complex plugin and had offered it as a patch, but Ken said no. Then Ken stole it back from him since, per Andrew, Andrew’s code was cooler. Furthermore, Andrew said Ken was likely to claim Andrew stole it from him (Ken) who sold the plugin, but not with Andrew’s features.

So this is already a bit of a mess as you can see. And no, Ken didn’t take it well, already ranting that we rejected his plugin.

Who Stole First?

My first thought had been that Ken was 100% wrong, and Ken had taken Andrew’s code. Now it looked like Andrew forked Ken’s plugin and Ken wanted to steal it back. Who is right in this situation?

I did my due diligence and confirmed Ken was selling a plugin that claimed to do the same thing. It was over $100 USD mind you, and that’s a lot for a 3 file plugin (including the readme). I was surprised that Ken’s version was riddled with security flaws not all found in Andrew’s version (no sanitization, no escaping, no nonces, trademark abuse, broken translations, etc etc). No one was going to pay $100+ for that! Also why would he not take Andrew’s fixes?

Since Ken had emailed claiming it was his work and I was wrong, I replied and pointed out his plugin submission was copying much of Andrew’s work. This means even if the core plugin was his, he would have had to credit Andrew. Oh and could we please see the original, premium, plugin to see what Andrew ripped in order to address that part.

But looking at Ken’s bleak history, I realized this was going to be a big problem. Ken jumped right into the blame game and name calling, as I feared.

After a gut check with others and confirming it sure looked like Ken made a spite submission, I was leaning towards a ban. He was already replying in anger and now he was shouting that Andrew stole from him, but he refused to share the premium plugin lest I steal it. While I’ve received hundreds of premium plugins to do an ownership/copying check on, I have never kept them without buying them. Once or twice I found a plugin I’d pay for, and I did. But the rest I deleted as soon as I could. Ken’s claim was we would take his code and host it on .org for free. Which… no.

Ken actually confirmed he did take Andrew’s ‘version’ of the code, but refused to credit because Andrew forked his code, and he didn’t have to credit since his was the original plugin. And anyway, Ken said he did it in order to hurt Andrew. This made it clear. He had made a SPITE submission.

In Ken’s email about being banned I said this:

After you submitted [plugin], which was clearly at least partly someone else’s work, we did some research on how you came to take that code and misrepresent it as your own. In doing so, we have determined that your actions were of an intentionally abusive nature. This behavior of yours is unwelcome here in our community.

Me in an email to Ken.

Andrew was given the benefit of the doubt as I tried to figure out if he really forked or not (remember I had not seen Ken’s original plugin yet!), but he too was flagged for possible naughty behaviour. The odds were he had a disallowed fork, and he was cautioned that if the plugin was a premium one, we couldn’t host it on .Org.

At this point, here’s where we are:

  • Ken charged over $100 for a piece of shit code.
  • Andrew (may have?) forked it because it’s shit and submitted it after Ken said he didn’t want it.
  • Ken submitted the same code as Andrew’s version.

Since Ken’s been a known bad-egg, was now intentionally acting badly, and already started to rant, it was a no-brainer. Ken was a problem, Ken was acting hatefully and spitefully, and Ken had a bit of conspiracy paranoia going on.

What Did I Expect?

I did not expect over 40 emails over a week, ranting. Most made it pretty clear Ken only read the subject lines of the emails, and never the content.

First Ken claimed it was originally his, even though the version Ken submitted literally credited the other guy. Then Ken claimed he just copied the readme, but again, the code credited Andrew. It had the same formatting to boot. You can see where this is going right?

Next, Ken claimed he ‘accidentally’ uploaded the nulled version Andrew had posted to the web prior to uploading on .org … except Ken’s version has his partly rewritten readme. That is pretty weird. How does one upload a partly ‘corrected’ nulled version? The obvious answer is that he realized (as had I) that Andrew’s code was better than his and stole some of it! Actually a lot of it.

Ken’s argument became “I am releasing the basic version as a Albert is stealing my code!” And if you just went “Who the flying fuck is Albert?” so did I. Five emails from Ken came in, including claims we ‘stole’ his plugin.

Yes. The Plugins Team stole his plugin. How you ask? Well it transpired that Ken believed the plugins team, by accepting the submission from Andrew, had committed theft, even though we had not approved the plugin. It was in pending, at this point.

I suppose you could maybe argue someone attempted to use WordPress.org as a fence for stolen goods, or a money launderer. But since the Plugins team did not accept the goods, we stole nothing.

Where Are the Clowns?

At this point, Ken kept linking to his code (still too much money) and saying I should look at his code (not going to pay for it). Ken also said he’d sue if we didn’t reply to his emails (there were like 10 separate emails from the last time I’d replied, I was trying to catch up). He also claimed he wrote the plugin with two other guys, one of which was Albert! Our mystery guy!

Officially once you say the magic words invoking legal action, the Plugin team stops talking to you, save to point out we aren’t qualified for legal stuff and here’s the foundation’s contact. Keep in mind, Ken’s emails were minutes apart, so no one had a chance to reply even if we wanted to.

Naturally Ken went on to claim we were “in cahoots” with Andrew and he would handle it from his legal team. Then he demanded we do the “right thing” and reinstate his account and host his code. Also he claimed Andrew was a scam artist who was harassing Ken. (Remember this, it comes back to haunt Ken.)

I said ‘no’ because it was damn clear Ken was operating in bad faith, not to mention he had a history and had been on a final warning at the start. This prompted Ken to claim he wasn’t warned, except he was. Not only was he warned, the read-receipts in HelpScout showed he’d opened the email! When that was pointed out, Ken said he’d not read the email, as he’d been asleep.

I found the hypocrisy of not reading emails while being pissed I was reading all before replying to be amusing.

Either way, though, he was up and reading things now, and yet still hadn’t read the other email. This goes back to longstanding issues with him not reading. But hey, Ken claims he did read the chat logs and knows exactly who Andrew is (or Albert).

Ken went on. Andrew was harassing him, stole from him, was a racist, tried to hack his site and so on. Also WordPress.org would be enabling him and we needed to stop hosting his code.

I had not approved Andrew’s plugin and pointed that out. We didn’t host it. And when a plugin is rejected, the zip is deleted so we don’t have it anymore.

There Is a Point

All of that said, I absolutely DID take Ken’s claim seriously! Yes, Ken was an angry and vengeful man, but theft isn’t okay! So I pointed out (again) that Ken needed to email the code of his premium plugin to the plugins team. I had zero intention of signing up since I was sure he’d take that information to abuse/harass me.

Finally he sent the code, and guess what?

Andrew’s code was not the same.

The code was not even close, except for one page, which had some of the same security issues as Ken’s plugin (most were fixed), and that means this was what would normally be considered a legitimately different fork. Even if you just compared Andrew’s code to the license-check-removed code of Ken, there were distinct differences (some worse, some better).

The problem, however, is that it was a fork of a premium plugin that was non GPL (same as the previous post). WordPress.org couldn’t host it.

But before we could reply, there were another 10+ emails. Yeah, 10.

After threatening to sue WordPress, Ken finally broke down and gave us the whole deal from his side. According to Ken, over and over, the real story is as follows:

  • Ken charged $100+ for his plugin.
  • Andrew bought and stole his plugin by putting a nulled version up for download on a null software site. He linked to it.
  • Andrew used stolen credit cards to buy the plugin in the first place.
  • Ken did not take anyone’s code.
  • Andrew was a racist.

The problem with that story is:

  1. The post on the nulled site did not match the timeline. It was made after the plugin submission, which was over the weekend.
  2. Ken’s submission literally said “Yadda Yadda Plugin Written By Andrew LastName”
  3. The code Ken (eventually) shared as his version was totally different save for one page (the settings page).

Also we had no evidence that Andrew was anything other than a frustrated dev who just wanted the code to work without conflicts (Ken’s really didn’t), and was mad that Ken blew him off.

Now. I do give people the benefit of the doubt, but that changes once people jump up and want to sue you. Not to mention Ken’s version of events didn’t pass the sniff test.

Andrew forked Ken’s code, and Ken retaliated by stealing Andrew’s.

I (Don’t) Know The Law!

At this point, we moved into lawyer stuff. Ken named his lawyer and I looked him up. He was a personal injury lawyer based out of California (Ken claimed to be from somewhere in the midwest). But hey, maybe he side hustles? The lawyer also does corp law counselling, which maybe would have helped Ken, if he had a leg to stand on.

This prompted Ken to claim a judge would rule in his favour as WordPress.org didn’t follow “details” and didn’t investigate any copyright claims. I knew that was unlikely. A judge would say “They didn’t host the code, they rejected it. They’re not at fault here. They didn’t steal your code.”

He went on to talk about how he had to read 26 emails (he sent all of them!) and proved his plugin was older (not in doubt at the moment). Ken continued, because the code wasn’t allowed to be forked (GPL), and a judge would certainly agree.

He was wrong. Since I had rejected Andrew’s code already (because it was a fork of a premium plugin), I was sure we’d been in the clear. We had, in fact, agreed with Ken and did the right thing by rejecting Andrew’s plugin. And yes, I told Ken that.

Ken replied and shared private information which actually … hurt his argument. In the “evidence” there was a bunch of screenshots of chats wherein Ken called Andrew a “stupid [racial-slur] scammer” and a “dumb fucker” which frankly even if Ken’s right about theft, that’s not how you handle things.

Remember how I said the racism thing would come back? Ken was the racist. He had some more slurs that made me feel a bit ill in his messages to Andrew who, at worst, told Ken he was a dumb bitch. Not nice, but nowhere near the level of Ken’s insults, and none were racist.

The End Results

Ken remains banned. He’s got anger issues and doesn’t understand how to play well with people. He has since asked to come back with a new account and was told no. But also:

We will, at this point CONFIRM with you that we’re not hosting the code submitted by anyone else either, so don’t worry about that.

We won’t allow anyone to host your code here.

Plugins team via Email to Ken

After that he asked to make a third new account and was told no, mostly because he jumped to suing.

As I mentioned, Andrew’s submission was rejected as it’s a fork of the premium plugin by Ken, and we don’t allow that. Andrew read the email and said nothing in response, which is fine.

I still have no idea who the hell Albert is.
