The first post in this series talked about the time when it all changed.
The perfect post to start the year off with is when it happened a second time.
The Return
One day, IRC pinged the support/forum mod email list to tell folks there was a new booking plugin (ReBooker Inc.) that would reinstall once removed.
While looking into that, the wp-forums folk noticed that all but ONE review had been made by one of two IPs. One IP was the owner’s, the other was used by multiple accounts, all the same age, with only the one post. Then #wordpress-sfd, who was also poking at this, noticed “Hey, this plugin makes an admin account!” It was yanked from the repository and the author emailed.
This is when it gets weird.
All of that previous stuff was reported to the plugin review team, which is normal. But then one of the forums people helping me clean up pointed out that ReBooker looked an awful lot like Bookings Inc’s plugin.
I remembered that plugin, and I remembered good ol’ Liam! Liam had broken his contract, taken premium code, and given it away for free on .Org. He was permabanned for that, especially since he did a shit show with fake emails.
Blame It On The Devs
It didn’t take a huge amount of time to figure out that ReBooker was Booking Perfection. Altered, yes, but you can’t change code that much. Still, before we banned them, we properly suspended ReBooker for the following reasons:
- Auto creating an admin account
- Reinstalling once removed (done via a backdoor they’d leave in MU plugins)
Of course while we were sorting out if the two plugins were the same, ReBooker came back and said “Oh we’re so sorry, we hired a 3rd party to do this for us and they were evil! We fixed it!”
That is a plausible story. And in fact it’s one that’s happened many times. Some people need to vet their devs better. At this time there was a rash of “consultants” who stole code (around this time a rather well known company had admitted to ‘stolen code’ and blamed an unchecked dev).
In fact … just the week prior, Plugins had heard that exact excuse from someone else. It happens, but not that often. Most large companies are smart enough to have a QA system and encourage honesty. If you’re not, get started on that.
But even if you believed the claim of a rogue dev, the claim of “we fixed it” is easily provable. Or in this case, disprovable. Not a single commit to SVN.
Never Interrupt Your Enemy …
… When they’re making a mistake.
Besides not updating SVN at all, they’d taken to hate-reviewing their competition. But their massive problem here was in their IP addresses. Or should I say, Liam’s IP address.
One person made a bunch of fake accounts to negatively review all other Booking plugins. The same person who had made all their commits. The same IP address. And no, it was not a VPN address.
First, we gave Liam a small opportunity to come around, by providing clear directions while we double checked he was, in fact, Liam.
You have not corrected any of the issues. Your plugin still creates an admin account when installed, and you have now begun “reporting” other competitors’ plugins by giving them disparaging comments in the forum.
If there is an issue with a plugin, email plugins[@]wordpress.org and provide explicit code or plugin guideline examples. We ask you not to waste our time with frivolous or petty arguments with others.
Until your own code issues are corrected and checked in to our repository, we will not reopen your plugin. This is not negotiable. Fix the code. Make it safe and secure. Stop spamming the forums. That’s all you have to do.
You’d think this was simple, right? Just update and fix your damn code. Nope. Two days later, Liam emailed back to complain that he’d made changes and why didn’t we reopen, but again nothing was being pushed out.
Now it’s more clear today, but even back then we clearly told people “if your plugin is closed, pushed code won’t get deployed to your users.” We tell people that so they understand they can push code to SVN freely without fear of upgrading anyone before we’re all ready.
Take a Chance
At this point SVN still was not fully updated. They’d updated the readme, and a couple lines of code, but the plugin still auto-created an admin, and we were still doing the leg work to connect the ReBooker and Booking Perfection websites.
Since there was no need to re-review, Liam was emailed:
Understand that due to the severity of the issues with your plugin, it may be a few days before we have reviewed your plugin completely and replied. We ask that you be patient, and especially that you don’t email us every day asking for an update. We’re volunteers here, and we do this in our free time. If we determine we need to get a security expert to double check, this can take longer.
Keep in mind, Liam had been emailing multiple times a day asking the exact same thing – why wasn’t the plugin updated? Answer: Because Liam hadn’t updated!
I was starting to wonder if the story was true, that ReBooker had maybe hired Liam, and he was just doing all this shit on his own. But finally we had lined up enough code proof that ReBooker was totally a copy of Booking Perfection. We had to acquire the new version of Booking Perfection, but they were a line-for-line match in multiple places.
Here’s where I’m the asshole. I never told Liam I knew it was him. Instead, I emailed that it was something a little less.
We are not comfortable with the established pattern of your behavior on WordPress.org. There is enough similarity with both code and behavior to lead us to believe that your plugin is one that was written by someone who already had their code removed from the repository due to breach of contract. As you claim to have hired a third party to write this, it’s entirely possible they did this, however as it stands, we cannot re-open this plugin.
You are free to continue running your site and making the plugin available on that site or elsewhere. All we can control is what plugins we allow in the plugins directory, and we won’t be allowing yours […]
See? I intentionally misled him to think the only issue was “the consultant you hired” and how it made the plugin unable to be hosted on WordPress.org.
The Poison Tree
Liam took that lump and was quiet for three more days. Then he asked if there was any way he could come back. Going with the ruse, I replied that they could never submit another booking related plugin because there would always be the risk of them using Booking Perfection code, which was a GPL violation. For the protection of the directory, no.
So he tried to appeal to empathy.
If you find anything which is not good or which is causing problems, I would say we are very happy to change that, but directly putting us out of business is not good.
Signed?
Liam.
Note: We only closed their plugin on .org. They’re free to run their own shitty business if they want to, and while it was harder to self host and deploy back then, it was totally possible. Today the email actually gives practical advice on doing that, just so people get that we’re not trying to ruin their business, but we cannot host them.
I emailed back no, and Liam replied.
It will cause a deep loss to us and all of the hard work is drained. I would request you to please give us a chance to prove ourselves. We have done nothing wrong or morally offensive which causes any problems to anybody.
Sock puppetry, forced admin accounts, bad code, and lying? They offended me. There were six more pleading emails, one a day, until collectively the Plugins team told him he was banned.
Mistakes Were Made
The reason Liam was banned (again) was only in small part because of multiple emails. It was more the content of them. At no point did Liam even remotely comprehend that the code was the issue. We were trying hard to push that aspect since I believe telling someone “you’re the dipshit we banned last year” only encourages people to be bigger assholes.
He made a new submission in the Plugin Repo, was rejected and told “Dude, we can tell it’s you. Stop.” Of course, while waiting for approval, he made more false allegations to other plugins (and yes, each one was checked just in case), used another forum account for more sock puppetry and fake reviews, and then was blocked.
Then he made another plugin and tried a third time.
The best part about all this is he kept emailing plugins, asking to restore his plugin.
So let’s recap. So far he has:
- Submitted someone else’s plugin and had it removed by us
- Resubmitted the plugin, making it different enough we didn’t notice right away, with a different domain and IP, but with a massive security hole (which is how we realized he was the guy from the first point) and had THAT removed
- Spammed the forums with fake reviews of his own plugins via sockpuppet accounts
- Spammed the forums with fake reviews of OTHER plugins, mainly competitors, citing them spuriously for errors that don’t exist (including, but not limited to, claims of using their own jquery – Like we can’t QUICKLY check for that!)
- Made even more sock puppet accounts to submit the plugin
- Continually emailed plugins, asking us to reconsider because they’re not doing anything wrong, and by gum, those other plugins are breaking rules too (not)
- Complained we’re ‘hurting his reputation and business’
Two days later he came back and upped his game to attempting to impersonate me (not plugins!) by sending emails ‘from’ the plugins team.
This Shit Again?
That was the final proof we needed to identify Liam was … Liam.
Subject: Offline Message from Mika Epstein: We have found both your plugins
http://wo…
From: Zopim
To: xxx-removed
Date: Mon, 22 Apr XXXX 07:22:26 -0000
Message-ID:
Reply-To: Mika Epstein
From: Mika Epstein
URL: http://redaced.com/
We have found both your plugins
http://wordpress.org/extend/plugins/redacted-1/ and
http://wordpress.org/extend/plugins/redacted-2/
to be same and you are using multiple a/c’s to handle it yourself over
our domain. Unfortunately, we will be banning you now from WordPress.
—-
Zopim http://www.zopim.com
Most of the emails were sent at 1am my time.
Zopim, now owned by ZenDesk, was never the service we used to send emails. And that sounds nothing like our emails. Also? I never put my name in the subject lines.
But Liam, being an idiot, didn’t realize that his actual email address was in the email headers. I laughed a lot.
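The header tells the author saw above are the kind of thing a quick consistency check can flag automatically. The following is an added example, not code from the original post or from the WordPress.org plugins team: it parses a constructed message modelled on the quoted one (placeholder addresses in `.invalid` domains, not the real ones) and reports the duplicate From line, a trusted display name sitting on an address outside the trusted domain, and a Reply-To that diverges from the sending service.

```python
import email
from email.utils import parseaddr

# Constructed sample, modelled on the headers quoted above: two From lines,
# a display name borrowed from the plugin reviewer, placeholder addresses.
SAMPLE = """\
From: Zopim <noreply@chat-widget.invalid>
To: xxx-removed@example.invalid
Subject: Offline Message from Mika Epstein: We have found both your plugins
Reply-To: Mika Epstein <actual-sender@webmail.invalid>
From: Mika Epstein <actual-sender@webmail.invalid>

We have found both your plugins to be same and will be banning you now.
"""

TRUSTED_DOMAIN = "wordpress.org"  # where the claimed identity really mails from
IMPERSONATED = {"mika epstein", "plugins team"}  # display names worth verifying


def check_headers(raw, trusted_domain=TRUSTED_DOMAIN):
    """Return header-level findings that mark a message as a likely impersonation."""
    msg = email.message_from_string(raw)
    froms = msg.get_all("From") or []
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    findings = {
        "duplicate_from": len(froms) > 1,   # RFC 5322 allows exactly one From
        "spoofed_names": set(),             # trusted name on an untrusted address
        "reply_to_diverges": False,         # replies routed away from the sender
        "real_addresses": set(),            # every address the sender left behind
    }
    for header in froms + (msg.get_all("Reply-To") or []):
        name, addr = parseaddr(header)
        addr = addr.lower()
        findings["real_addresses"].add(addr)
        domain = addr.rsplit("@", 1)[-1]
        if name.strip().lower() in IMPERSONATED and domain != trusted_domain:
            findings["spoofed_names"].add(addr)
    if froms and reply_to:
        first_domain = parseaddr(froms[0])[1].lower().rsplit("@", 1)[-1]
        findings["reply_to_diverges"] = reply_to.rsplit("@", 1)[-1] != first_domain
    return findings


def is_impersonation(raw, trusted_domain=TRUSTED_DOMAIN):
    """True when the From headers alone already give the message away."""
    f = check_headers(raw, trusted_domain)
    return f["duplicate_from"] or bool(f["spoofed_names"])


if __name__ == "__main__":
    for key, value in check_headers(SAMPLE).items():
        print(f"{key}: {value}")
```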
Liam was banned again, and we spent another week just rejecting and blocking and banning before we finally slapped an IP ban on him for a month. That seemed to either wake him up, or he wasn’t capable of bypassing it and gave up.