Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: wordpress

  • Plugins: Not Your Circus, Not Your Gold Mine

    My friend Andrea M. once told me “Not my circus, not my monkeys” about a problem that was outside her purview, and I liked it so much, I kept using it. I’m sure someone else came up with it, but that’s where I learned it.

    Perry (not his real name) had a big problem understanding when something wasn’t his business, as well as when to accept the L.

    Authors and Managers and Committers

    Perry had an interesting history. He started out by emailing Plugins to complain about the language used on WordPress.org plugin pages. Specifically, he didn’t like that the pages say “Plugin Author” and thought it should be “Plugin Manager” and his reason?

    Being authorized to commit code and release versions does not make a committer an author.

    Now, the plugin team didn’t agree. As Otto would say “If you’re not capable of writing the code, then you should not have access to change it for the users.”

    Perry …

    […]

    Moreover, the authorship claim that you are forcing on your benefactors kills inspiration. You are not allowed to impose your own rules on people committed to make WordPress usable. We’re not your slaves, not your servants, not your employees. We’re forced to contribute because WordPress is the only game in town, and most people are likely to not want to publish otherwise.

    I’m asking you nothing but to be consistent: […]

    In response you sent me lies. And added insult over injury.

    […]

    There was a bit of a laugh held over ‘slaves’ and Plugins sent back that (a) we’re not going to change it and (b) if you really want to die on that mountain, here’s a link to META TRAC where you can open a ticket.

    Perry sent back links to academic discourse about authorship and concluded:

    After reading these articles, you’ll be able to understand that a maintenance programmer is not an author.

    As it happens, performing maintenance programming on code, where authorship is conferred by … wait for it … writing code means the person is, in fact, an author. This was something mentioned in those links.

    All plugins said was basically “Thanks but no, here’s Meta trac, knock yourself out.” Perry replied with some legal brouhaha, and pity was taken asking “Dude, do you want to file a legal complaint or a request to edit?” He apparently missed the links to meta in the previous two emails, but then said Meta was broken. Turned out his browser was so out of date, it was banned by WordPress.org to prevent bots.

    But that seemed to mollify him.

    On to the Circus!

    Two years later…

    Oh wait, no, there were a couple more weird moments. In one, he was upset someone used his real name on the forums. That was totally fair and we did clean it up for him, but pointed out that you have to give the forum moderators time. We’re all volunteers, after all.

    Finally we get to the story. It began with him asking us to merge accounts. In general, that gets you a finger waggle and a talking to about why multiple accounts are stupid when you’re one person, but this one went off the deep end real fast.

    He realized that having two accounts that shared code might make him run afoul of taking code without credit (i.e. copyright violations). I was happy for that level of self-awareness and honesty! And he was right! That is a part of why two accounts is stupid. But … Perry went on to explain that he used to be a part of a plugin (fake name “Gold Mining”, I’m watching Gold Rush right now) and left that project due to ‘ethical reasons.’

    Sure, I get that. I’ve done the same. I rage quit using a plugin when I learned the creator was angry WordPress had an ‘all female’ release (nb: That should have been an under-represented persons release, and they corrected the name in the second one, but that first one had a bad name).

    Perry’s email was mammoth and included layers and layers of quotes.

    Here’s what you need to know:

    1. Perry happened to be a support rep (not a developer) on “Gold Mining.”
    2. He emailed the people who actually owned the code to complain about how they ran things, and said he was going to work on other projects neener neener.
    3. The owner of the “Gold Mining” plugin accepted the resignation with a no-take-backies addition of “And if you aren’t quitting, you’re fired.”
    4. Perry accepted this, with a bit of vitriol.
    5. Perry emailed plugins to explain he was both AlsoPerry AND Perry, and his plugin was a legit fork and had code he wrote, he wasn’t stealing, but he was still helping out in the “Gold Mining” forum.
    6. Obviously his fork was closed because of the confusion above.

    If you’re wondering about the surprise of “his plugin was closed,” so was I. I looked into it and a reply was sent:

    1. Plugins literally does not give a shit about the interpersonal drama that happens in a group outside of WordPress.org (we do care if it’s people following others home to harass, but this was clearly not the case).
    2. Plugins has now documented he was both people, though, for his and our protection.
    3. If he really was fired/quit/left the “Gold Mining” project, walk the fuck away from their forums.
    4. His plugin was closed because he broke his email on his alt account and it bounced, which he actually knew!

    He replied with “Oh, I thought I was banned because of (all the reasons above) and not what you said.” And it went on for a long time … Okay? Who gives a shit. He could just say “That explains it, I’ll fix my email.” But no, no, it’s gotta be Dickensian.

    1200+ words.

    Plugins closed that rant email without reply. But you’re getting the idea here right? Every. Single. Email is this long.

    Important note: See how plugins said to stop helping the plugin? Yeah, remember that. It’s important later.

    Oh and he never fixed his email so his plugin remained closed.

    Stop Poking the Bear

    Another 18 months or so have passed. I’d forgotten about this whole mess because, after all, I was processing hundreds of tickets a day, and anything that wasn’t active within a week fell out of my head. But also I kind of assumed he’d properly realized “I owe Gold Mining nothing!” and moved on.

    Oh. I can delude myself sometimes. Otto calls me an optimist.

    Perry emails and asks if we can transfer his version of the plugin from AlsoPerry to Perry and reopen. And I started to think “Sure, why not” and read the rest of his long email, which explained he was still helping out in the original “Gold Mining” forum and answering PRs on their GitHub!

    I wish I’d never taken psychedelics, I’d never drunk coffee and cocoa, I’d made no mistakes, and I’d always got at least one verse of the Bible each day.

    I would be very sad if I never had cocoa or coffee again, but to each their own.

    Plugins Team checked out the plugin, saw it was a 100% copy (not a fork) and explained that no, Perry, you cannot have it back unless you make it a real fork. Perry explained he didn’t have the technical chops to do that but we should let him have his own version anyway.

    The answer was no.

    So then he asked if he could have the original “Gold Mining” plugin, which the original authors (who were not him!) had closed on their own a few months before. Oh and he felt like a failure because it was closed.

    Our reply?

    1. No, you cannot have someone else’s plugin without their permission. Sometimes we’ll hand it over, but in this case it was patently clear the original owners didn’t want Perry to have it.
    2. The plugin was closed by the owner, we always respect that.
    3. “Gold Mining” was not Perry’s plugin. It never was. He never committed code, he never wrote a single fucking line. It was. Not. His.
    4. There was nothing Perry had done that was a ‘fail’ (except continuing to help in a place he knew he wasn’t wanted, and that was really only a ‘fail’ because he was hurting himself).

    Three days of emails followed.

    There was a weird claim that the original owners were asking Perry to support, and we asked if that was really the case. If so, we would go hit them with a fish on Perry’s behalf, because that’s abusive. But it transpired that no, no one had asked Perry to do anything at all, he just felt obligated.

    See I was stressing that we wanted to protect Perry. Right now, though, we had to protect him from himself, and he really kept hitting himself. The Catholic Guilt on this guy was massive and I couldn’t figure out how to get him to understand that the plugin was not his, and he needed to walk away for his own sanity.

    Perry replied with a Catholic Guilt ridden EPIC length email with quotes from emails years past which boils down to:

    • The Original Owner was doing this from revenge (‘this’ being leaving Perry’s access as a support rep – I removed him to settle that matter).
    • People still used the plugin (… yes? That happens).
    • Perry was obligated to help those people (FFS NO, how many times do we have to tell him this?).
    • Perry didn’t even know he was still a support rep until we told him in December when we had removed him.
    • Plugin closures can be reversed (yes, but not by someone who quit/was fired, buddy).
    • “So everything I do for [Gold Mining] now is both a sacrifice and a punishment.” (… God is in the tub).

    Plugins repeated “Walk. The fuck. Away.”

    It’s Monkeys All The Way Down

    A lot more emails followed.

    Like a lot, a lot.

    Perry kept arguing he had commit access and, in fact, I found out he did have access … five years ago. His access had been removed at least three years ago (we didn’t track plugin access being removed at the time).

    He also argued his removal was a mistake. Since all the devs were removed a day before the plugin was closed (by the owner, remember), we told him no, it was not. Clearly the owner knew what he was doing.

    Perry sent a lot more bible quotes.

    Finally he got an ultimatum.

    1. Perry was not permitted to host any plugin even remotely related to “Gold Mining”
    2. Perry was not permitted to post in the original “Gold Mining” plugin forums

    If he attempted either of the two, he would be banned.

    And that, my friends, is when it ended. He didn’t reply to that ultimatum, but at least he stopped emailing us daily.

  • Piracy and the GPL

    Sé and I go back a while, so when she asked me if I’d like to come on WPwatercooler and talk about Piracy and the GPL, I said sure! I’m including the video at the end so you can see the whole conversation but … What got me interested was that she didn’t ask me about what I thought she would!

    The Hill I Die On Is Theft

    I always get people pissed off when I say this, but you absolutely 100%, without question, can steal GPL code if you mess with copyright law.

    I even went and asked ChatGPT for some fun:

    It would be considered unethical and potentially illegal to take GPL-licensed code and release it as your own work. The GPL requires you to respect copyright laws and the rights of the original authors. By claiming GPL-licensed code as your own without proper attribution or acknowledgment of the original authors, you would be violating both the terms of the GPL and copyright law.

    The GPL allows you to use, modify, and distribute the code, but it also requires that you maintain the integrity of the original license and give appropriate credit to the original authors. Failure to do so could lead to legal consequences, including potential copyright infringement claims. It’s essential to adhere to the principles of open source licensing and respect the contributions of others in the software development community.

    I expected the chat to be about that. It wasn’t. It was about the lovely grey area I spent a decade and a half in.

    Piracy is/n’t Theft

    The crux of Sé’s question was this: Is it piracy to get a copy of a premium plugin (one you have to buy to get) from someone else.

    The initial answer is ‘yes’ but then Sé laid out some amazing nuance.

    1. She’d already bought the code before
    2. She couldn’t buy the upgrade because the devs are in Russia (and sanctions)
    3. There was a workaround to pay an intermediary, but she felt it was sketchy
    4. She intended to migrate off the plugin, but needed the latest version to do so
    5. Someone she knew offered to give her a copy of the latest version

    Now, I worked for a bank before WP, and I can tell you that her workaround is what you do when you launder money. And if you did use that workaround, you run the risk of ending up on the FBI’s sniff-list and they do not have any sense of humor about ignorance of the law.

    So now, would I still call it piracy? Actually … yes. I would. But it’s small scale and not actually a huge issue and really depends on the intent of the person who gave it to her, and what Sé did with it in the end.

    The Scale of Piracy

    There’s a constant battle going on between consumers and corporations. I’ll use an example close to my heart. The TV show Willow was a fun fantasy romp with silly flashbacks and messy magic. It wasn’t perfect, it wasn’t the greatest thing ever, but it was fun. Shortly after it got mid-to-low reviews, it was removed from streaming.

    There is no way to watch the TV series, except for piracy.

    Is it piracy if I had managed to download the videos beforehand and kept them for my own entertainment? Yes. Yes it would be. The same as how all of our mix tapes were technically piracy. Mixtape artists have been arrested under RICO charges for that!

    But the reality is that no one was going to waste time and kick in your door for making a mixtape and giving it to your sweetheart. They didn’t really care that much about it (and in some cases, like The Grateful Dead, encouraged it). It was incredibly hard to make money off mix tapes. I made copies of a CD I had bought in high school for friends, never sold ’em.

    Then came the internet and suddenly I could copy that CD into files and send them across the world! And you know what? People did. Suddenly the scale of what could be done with a pirated copy of a CD had skyrocketed.

    Obscure Monetization

    I pause here to quote from Cory Doctorow’s interview back in 2010, when he was asked why he gives all his books away for free:

    I give away all of my books. [The publisher] Tim O’Reilly once said that the problem for artists isn’t piracy – it’s obscurity. I think that’s true. A lot of people have commented: “You can’t eat page views, so how does being well-known help you earn a living as a writer?” It’s true; however, it’s very hard to monetise fame, but impossible to monetise obscurity. It doesn’t really matter how great your work is; if no one’s ever heard of it, you’ll never make any money from it. That’s not to say that if everyone’s heard of it, you’ll make a fortune, but it is a necessary precursor that your work be well-known to earn you a living. As far as I can tell, these themes apply very widely, across all media.

    As a practical matter, we live in the 21st century and anything anybody wants to copy they will be able to copy. If you are building a business model that says that people can only copy things with your permission, your business is going to fail because whether or not you like it, people will be able to copy your product without your permission. The question is: what are you going to do about that? Are you going to call them thieves or are you going to find a way to make money from them?

    The only people who really think that it’s plausible to reduce copying in the future seem to be the analogue economy, the people who built their business on the idea that copying only happens occasionally and usually involves a giant machine and some lawyers. People who are actually doing digital things have the intuitive knowledge that there’s no way you’re going to stop people from copying and they’ve made peace with it.

    Cory Doctorow: Publish books free online

    There’s Piracy and There’s Piracy

    On the podcast, I mentioned a book I’d bought for school that was over $100 (this was in the mid 1990s) and, having bought it, I worked with a friend in the print shop to make copies for classmates and sold them at enough for me to break even. I think it was $5 a pop, and I would accept lunch instead.

    Piracy? Oh you betcha.

    Illegal? Again, yeppers!

    Immoral? ….

    Oooh now I brought up a dirty word.

    But it ties in to that intent I mentioned when I was describing Sé’s situation.

    If Sé or I took the copies of the book/plugin and sold them with the intent of making a profit, then yeah, we’re immoral shitbags. But that isn’t the case. I was trying to not go broke because of that stupid college textbook scam that’s only worse with DRM. Sé wanted to properly move off a plugin that she cannot use anymore.

    It’s all about that intent. As I said on the podcast, if you see someone sleeping in their car and it’s illegal where you live? No, you did not see anyone sleeping in their car. Did you see someone shoplifting diapers? No you did not. And if I have to explain why you didn’t see those things, you may be following the wrong blog.

    Those GPL Avenger/Nulled Shops

    I have to loop back to the GPL.

    Officially, technically, 100% the GPL says that the code you write and release under the GPL is free for anyone to do whatever they want. And if you make changes, you have to release it under the same license.

    Now, if you’ve spent any time in the WP world, you’ve run into sites that offer the same expensive plugins as you’ve seen for sale, but cheaper and ‘nulled’ (which means they no longer phone home to momma for your license). And technically under the GPL, that’s allowed. But I argue this:

    1. The intent here is to circumvent legitimate, available purchasing
    2. There is no assurance the code has not been tampered with
    3. It’s a dick move

    Can plugins be overly expensive? Yes, absolutely. I saw one for over $500 and it was not worth it. But you’re not paying for the plugin itself, you’re paying for security, support, and maintenance.

    (Off Topic: I mentioned how cool it is when someone releases free back ported security fixes for premium plugins – I wish it was easier to do and everyone could do it, but it’s really freakin’ hard! Still, the easiest way would be “find all people with expired licenses and email them the latest release of the last branch they paid for, free of charge”. Easier said than done.)

    The other problem is that by giving away the plugin, you may have broken the purchasing agreement. You know the one? Don’t rip off the tags on this mattress? Well first of all, the GPL actually supports people selling code (they’re not stupid, people gotta earn a living), and they’re of the Doctorow approach — watch your price point, convert the free users to paying ones with value.

    The value most plugin shops offer is support and updates. They’ll patch your plugin until they go out of business. And they’re clear about how you’re not paying for software, you’re paying to have it sent to you:

    You can charge people a fee to get a copy from you. You can’t require people to pay you when they get a copy from someone else.

    Frequently Asked Questions about the GNU Licenses

    So what do I mean by a purchasing agreement? Well it’s your license agreement. I pay for YoastSEO, and from them I get a license. If I break the terms of that agreement, they have the right to sever my license and no more updates for me.

    Those nulled/GPL Avenger sites are regularly playing with fire, and most have to make purchases with disposable credit cards and shuffle things around in order to not get caught. Once they’re caught, they’re banned and blocked and someone figures out how to catch them ahead of time next time and prevent sales in the first place.

    Piracy is Nuanced

    The reality of all this is piracy is an incredibly nuanced situation.

    Pirate Radio Stations use airwaves they didn’t pay for and play music they have no license to. But at the same time, they might be the first way you hear a certain song that inspires you to go out and buy the album.

    Sharing Cory Doctorow’s books for free takes money from him, but how is that different than using the library or loaning your favorite book to a friend? The goal isn’t to make money, it’s to share joy.

    Asking a good friend for a copy of a premium plugin so you can test it out is, in my eyes, much the same. Asking for a copy so you can update and move off it is also fine.

    When you start working at scale to actively block people from making a living (like if I took all of Doctorow’s books, printed, and resold them) then you’ve crossed my line about what is ethical piracy and what is just being a jerk.

    Don’t be a jerk.

    And remember, they’re more like guidelines.

    WPwatercooler

    Watch me on the world’s most influential WordPress Podcast, talking about piracy, GPL, copying books, and money laundering.

  • Plugins: Offsite Help (vulgar)

    Warning: This post includes vulgarities and sexual threats to my family. They’re all talk and nothing more, but it’s gross.

    There’s a forum guideline that a lot of people don’t like. At its heart, it’s simple: if you’re going to use the forums, use the forums and help people in the forums, don’t send them off to your private site.

    The reason being, people will likely find their question in Google Search and come to WordPress.org. Logically their answer should be there. It’s not an uncommon guideline, and in fact I’m pretty sure StackExchange also has that. Keeping the answer local ensures the data remains available and people don’t get all DenverCoder9 on the world.

    Our buddy, Henry (you know the drill, not his real name), ran afoul of this around the same time he submitted his first plugin. Henry was replying to people with directions to ask via his LinkedIn account. The forum mods warned him, a couple times, and then flagged his account. A flagged account can still submit a plugin, and I noticed the flag when he submitted.

    Naturally I went to see what was going on.

    Unclear on the Concept

    Henry admitted to using LinkedIn as a way to solicit for work on .org, with the ultimate goal of getting support for his plugin (yeah) via that. Why? Because he needed a way for his users for his newly submitted plugin to get in touch with him. And as it unfurled, he had no clue WordPress gave you free forums for your plugins.

    Now, that we can also move past. People can’t know what they don’t know. But before the Password Reset team gave him the all clear, they wanted to be sure he understood what was wrong, and they asked “Hey, do you get WHY telling people to go to your LinkedIn for help is bad?”

    The Reset Team knew that you have to ask people that, otherwise you get replies like Henry’s, which was “I know what you’re saying and I agree with you.” The thing is, that is not a real confirmation, so they asked it a little differently.

    Can you please tell us “Yes I understand that X is not allowed here.” changing X for what actually is the heart of the issue?

    While that certainly is annoying to get in an email, it also gives Henry the chance to say “I understand linking to LinkedIn isn’t allowed here” and they could then elaborate “Can you confirm you understand that linking to any off-site location for support isn’t permitted?” Then you have their word and can use it against them when they screw up again.

    Again With My Mom…

    Instead of that, or some kind of annoyed “Bitch I understand!” reply, Henry showed his own ass.

    Can you please send me your contact that I can personally talk to you?

    Then I will let you know better. If you have guts then please do it.

    And listen if you want to enable my account then do it otherwise keep it in your asshole.

    And I am here with your mom in my bed. So I am very busy with her. If you want to help then my child you can.

    I saw that, blinked, rejected the plugin and banned his account with a ‘blah blah your behavior ain’t welcome.’

    Then he followed up:

    Even your father can’t stop me son of a bitch. Just try your best and I will fuck your asshole my entire life my dick. Just ask your mom how much see enjoy it. Your whole family will enjoy it.

    I will fuck your plugin team as well. Just suck my dick motherfucker. You and your team is a loser. Motherfucker.

    Asshole your mom’s pussy is very juicy and she loves my cum into ger mouth. Call her and ask that who am I. She is definitely tell you my illegal son.

    And you my boy can’t stop me. I will fuck your ass daily now.

    And finally this gem:

    Come my little boy take your daddy’s dick into your mouth. Suck it nicely and take it to your throat.

    So you can see why the ban stands.

    Annoying But Necessary

    I want to stress, I absolutely understand how annoying it is to be asked “Do you really get it?” but any time you’re asked that? You 100% need to step back and think.

    Why is someone asking you in that way?

    Why are they pushing you about something?

    The answer is because you are behaving in a way that makes them doubt you do, in fact, understand the issue. And when that happens, you should reply with what you actually understand.

    “Sorry, yes, I understand that linking to an off-.org site for support isn’t permitted, and I get a forum of my own for my plugin, for free.”

    If Henry had replied with that? All would be well. But he instead took the repeat ask as an offense instead of a request for clearer information. When you’re not clear to the people asking you something, they 100% will ask again in different ways, to try and make sure.

    Why do we do that?

    So you don’t make the same mistake.

    Henry, though, well, you can’t help that.

  • Plugins: From Banned to Back

    How about a nice story?

    WARNING: This post repeats some offensive terms being thrown at people, but it ends happily.

    There once was a developer, let’s call him Doug, who put a large donation request on the control panel of his plugin that could not be removed without editing the code. No way to click-and-dismiss. It was just there, like an albatross.

    The plugins team pulled the plugin and told Doug why. Sounds normal, right?

    Actually not. Here’s a hit list of things Doug said to actual users in the weeks surrounding the closure:

    • retarded
    • loser
    • feeble minded
    • idiot
    • ‘too dumb to exist’

    I think you get the idea. There were also some good ‘your mom’ digs. And by good I mean “Dude, what is wrong with you?”

    Where’s the Back?

    I think most people can suss out why he was banned. The guy had a really bad month and just took it out on everyone under the sun.

    Well. A few years later… No, wait, let me loop back.

    Three months later, Doug made some fake accounts on WordPress.org to shill his (closed) plugins. Those were removed, and I pinged him to point out he was banned, and please stop.

    No reply to that for another couple years. Then, out of the blue, Doug submitted … a new plugin. I hesitated and thought that, since it had been almost 4 years, maybe he was different. So I emailed him and outright asked if this was going to be a repeat of the same shit.

    Doug replied that no, he had gotten some much needed mental help and was ashamed of his past. He did not ask for those old posts to be removed, but promised he would not pick fights or call names. He just wanted to make plugins.

    It was sincere, folks.

    You really can read an email and see that sometimes, and this was one.

    His plugin was approved, and he’s been perfectly fine ever since.

    That’s it?

    There is a magic to an apology and Doug actually understood it.

    1. You actually understand what you did and why it was wrong.
    2. You sincerely apologize.
    3. You take full responsibility for your actions.
    4. You focus on the effect your actions had, not their intent.
    5. You take steps to make things right.
    6. You don’t ask to be forgiven.

    Oh I know that last one made a bunch of heads turn on a swivel.

    Pretty much every ‘How to apologize’ gets into asking for forgiveness.

    The problem with that is you start focusing on the wrong thing. The point of an apology is not to be forgiven, it’s to heal the wound you caused in someone else. Seriously, you don’t apologize to make you feel better, though if you’re a decent human it will do that anyway. No, you apologize because you hurt someone, and that was wrong.

    Doug shared emails where he’d contacted the people he’d insulted and told them he was sorry. He did that without being asked.

    That was it. He was sorry. He didn’t ask, or expect, to be forgiven, he understood he’d hurt people and it was wrong. He made steps to never be that guy again.

    And you know what? He never has been Asshole Doug again. But he is a rare bird.

    Doug’s story always reminds me, when I’m the asshole, that I need to be sincere when I apologize. It’s a good lesson for all of us.

  • Plugins: Scams, Fans, and Plans

    This is another oldy.

    Back in 2012, I ran into a submission that I positively dare you to tell me what it does:

    This plugin can be used to turn any WordPress powered site into an automated forced matrix recruiting system for any business opportunity. Even if opportunity is not set up as a matrix, such as a unilevel program you can use this system to create a downline that is structured like a matrix for it.

    I was lost.

    Classic "Confused woman" meme with a confused woman looking at complex mathematical formula.

    The key words for you:

    • matrix
    • recruiting
    • unilevel
    • downline

    I think some people just went “Oh, shit.”

    Give Up?

    This person submitted an MLM recruiting plugin! Their website (which is long gone) got even better, and actually had MLM in the URL. And it was from the website that I confirmed this is an MLM plugin, but not just that…

    [PluginName] is the only WordPress plugin which will allow you to build an expanding forced matrix recruiting system to build any network marketing or MLM downline, with no web design or programming knowledge required.

    Hey look! It outright says MLM!

    Now, my personal feelings about MLM being scams aside, there are a couple ways you could make a legit MLM-ish plugin for WordPress.

    It’s not a secret I think MLMs are vile and prey on the people who are least equipped to spot them. They promise you money, but it’s all a pyramid scheme and the only way to get money is to trick more people just like you. It’s inhumane.

    But the heart of the issue with this plugin was, as it turned out, collecting data from visitors to pull into the list of suckers people to contact. And no, not in any ethical, moral, or even legal way at all.

    None of it was opt-in.

    GDPR folks would have a heart attack if they saw that code.

    The plugin was rejected, and the author was told we don’t want to host MLM schemes that track users without consent (hold on to that part please). It also tracked everything it could from the site admins. Meaning, if you installed it, all your data are belong to them.

    Classic "Zero" meme from the late 1990s - "All your base are belong to us"

    Again, GDPR and privacy folks are screaming. I was screaming.

    The author replied:

    I beg to differ, this is not MLM, this is a recruiting system which can be used for MLM or really any other business someone wants to promote just like programs which promote affiliate sales.

    It’s not an MLM, it’s just something that can be used for MLM and is intended to be used to make an MLM.

    Oh did I mention the demo site says “Are You Ready To Finally Make It In MLM?”

    And besides, they totally missed the point of collecting data without consent being an issue.

    MLM = Adult Content?

    No one replied to his reply as it got a little weird and hateful real fast.

    Later on the creator posted on their own site that clearly Matt Mullenweg hated things. Also, and this made me interested, he said this with regards to being called an MLM:

    I was floored, and then when I thought about it more I became appalled that my plugin was basically being categorized in the same league as an Adult or Offensive plugin by WordPress.org as there is only one reason in their guidelines (number nine) that they could use to ban this plugin…

    MLM’s Website

    Some points here:

    1. We actually allow adult plugins as long as the content posted in the directory isn’t pornographic itself (read – we allow plugins that let you embed from pornhub)
    2. Anyone who thinks an MLM isn’t offensive probably is in one
    3. We told them it was the collecting data sans consent

    Now this was a while ago, so what was the guideline back then?

    The plugin must not do anything illegal, or be morally offensive. That’s subjective, we know. Still, if we don’t like it for any reason, it’s gone. This includes spam, for whatever definition of spam we want to use.

    Guideline circa 2012

    Yeah, now I remember why I worked hard to update those. But still, tracking users without their consent is always going to be an issue, and this scam is part of why we pushed to add that sort of thing to the guidelines.

    We Didn’t Say That

    Again I (personally) feel MLMs are morally offensive — and scams.

    But we did not say ‘adult.’ He did. We said “illegal” (regarding the tracking) or “morally offensive” (regarding the scam itself) and while that is incredibly subjective, an MLM is a pyramid scheme. Meaning, the person at the top gets more money the more people ‘buy in’ and the only way for the next person to get money is … get more people to ‘buy in.’

    But it’s really telling that the creator jumped right to “Offensive can only be adult!” and not “offensive can be a Ponzi scheme.” We don’t like black-hat SEO, we don’t like MLMs.

    Could one work?

    Could there, somewhere out there, be a version of this that the directory might accept?

    Yes!

    We call those mailing lists and affiliate programs, but there is a critical difference. Those are being used to collect CUSTOMERS. This MLM was collecting ‘partners’ and without consent. So basically they were collecting marks for the con.

    […] isn’t my plugin just a tool like any other plugin?  I am not promoting a specific company, it is purely a tool to allow users to be more successful in the company  they have chosen to promote.

    Except they’re not promoting. I actually remember the code. It was basically scraping every ounce of information it could from visitors and the site admin and using it to generate a list of marks they could use to build up their pyramid.

    I can understand them not wanting something morally offensive such as plugins which support pornography or other sub-culture pursuits…

    Actually we do allow most of those. As long as they’re not vulgar or actively harmful. I’m sure LGBTQ+ is a ‘sub-culture’ to this person.

    […] to single out the BUSINESS of MLM/Network Marketing and related services seems like a real failing, on their part, of their users.

    Maybe if the business was ethical I’d feel worse. Instead, I think it was the right call.

  • Plugins: When it Restarted

    Plugins: When it Restarted

    The first post in this series talked about the time when it all changed.

    The perfect post to start the year off with is when it happened a second time.

    The Return

    One day, IRC pinged the support/forum mod email list to tell folks there was a new booking plugin (ReBooker Inc.) that would reinstall once removed.

    While looking into that, the wp-forums folk noticed that all but ONE review was made by one of two IPs. One IP was the owner’s, the other was used by multiple accounts, the same age, with only the one post. Then #wordpress-sfd, who was also poking at this, noticed “Hey, this plugin makes an admin account!” It was yanked from the repository and the author emailed.
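
    The review pattern described above (almost every review coming from two IPs, one of them shared by several same-age accounts with a single post each) can be checked mechanically. This is an added example, not the forum team's tooling; the record layout, thresholds and sample rows are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample rows: (account, registered, post_count, review_ip).
# The IPs come from the RFC 5737 documentation ranges.
REVIEWS = [
    ("owner_acct", date(2012, 1, 5), 40, "192.0.2.10"),
    ("fan_one", date(2013, 3, 1), 1, "198.51.100.7"),
    ("fan_two", date(2013, 3, 1), 1, "198.51.100.7"),
    ("fan_three", date(2013, 3, 2), 1, "198.51.100.7"),
    ("real_user", date(2011, 6, 20), 12, "203.0.113.44"),
]


def suspicious_clusters(reviews, min_accounts=2, max_age_spread_days=3):
    """Return {ip: [accounts]} for IPs shared by several single-post
    accounts that were all registered within a few days of each other."""
    by_ip = defaultdict(list)
    for account, registered, posts, ip in reviews:
        by_ip[ip].append((account, registered, posts))

    flagged = {}
    for ip, rows in by_ip.items():
        if len(rows) < min_accounts:
            continue
        dates = [registered for _, registered, _ in rows]
        spread = (max(dates) - min(dates)).days
        single_post_only = all(posts == 1 for _, _, posts in rows)
        if single_post_only and spread <= max_age_spread_days:
            flagged[ip] = sorted(account for account, _, _ in rows)
    return flagged


def ip_concentration(reviews):
    """Fraction of all reviews that come from the two busiest IPs."""
    counts = defaultdict(int)
    for *_, ip in reviews:
        counts[ip] += 1
    top_two = sorted(counts.values(), reverse=True)[:2]
    return sum(top_two) / len(reviews)
```

    A flagged cluster is a lead for a human moderator, not proof: shared offices and NAT also put several real accounts behind one address.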

    This is when it gets weird.

    All of that previous stuff was reported to the plugin review team, which is normal. But then one of the forums people helping me clean up pointed out that ReBooker looked an awful lot like Bookings Inc’s plugin.

    I remembered that plugin, and I remembered good ol’ Liam! Liam had broken his contract, taken premium code, and given it away for free on .Org. He was permabanned for that, especially since he did a shit show with fake emails.

    Blame It On The Devs

    It didn’t take a huge amount of time to figure out that ReBooker was Booking Perfection. Altered, yes, but you can’t change code that much. Still, before we banned we properly suspended ReBooker for the following reasons:

    1. Auto creating an admin account
    2. Reinstalling once removed (done via a backdoor they’d leave in MU plugins)
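
    A first-pass reviewer check for the two suspension reasons listed above, as an added example that is not the Plugins team's tooling or code from the post: a line-based scan of PHP source for user-role calls that mention `administrator` and for references to the must-use plugins directory. The rule names and `SAMPLE_PHP` are constructed for illustration.

```python
import re

# Constructed PHP fragment (not the plugin from the post): one commented-out
# line, two lines a reviewer should stop on, and one benign line.
SAMPLE_PHP = """<?php
// wp_insert_user( array( 'role' => 'administrator' ) ); old test code
$id = wp_insert_user( array( 'user_login' => $login, 'role' => 'administrator' ) );
$target = WPMU_PLUGIN_DIR . '/loader.php';
add_action( 'init', 'example_register_post_type' );
"""

# Heuristic rules: hits are prompts for manual review, not verdicts.
RULES = {
    # WordPress user/role calls with "administrator" on the same line.
    "creates-admin-user": re.compile(
        r"\b(wp_insert_user|wp_update_user|set_role|add_role)\s*\(.*administrator",
        re.I,
    ),
    # Must-use plugins load automatically and are not removed when an
    # ordinary plugin is deleted, so a regular plugin touching that
    # directory deserves a closer look.
    "touches-mu-plugins": re.compile(r"WPMU_PLUGIN_DIR|mu-plugins", re.I),
}


def scan(php):
    """Return (line_number, rule_name) findings for one PHP source string.

    Limitation: calls whose arguments span several lines are not matched.
    """
    # Blank out /* ... */ blocks but keep newlines so line numbers hold.
    code = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"),
                  php, flags=re.S)
    findings = []
    for lineno, line in enumerate(code.splitlines(), start=1):
        # Drop // comments; the lookbehind spares "http://" inside strings.
        line = re.sub(r"(?<!:)//.*", "", line)
        for name, pattern in RULES.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings
```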

    Of course while we were sorting out if the two plugins were the same, ReBooker came back and said “Oh we’re so sorry, we hired a 3rd party to do this for us and they were evil! We fixed it!”

    That is a plausible story. And in fact it’s one that’s happened many times. Some people need to vet their devs better. At this time there was a rash of “consultants” who stole code (around this time a rather well known company had admitted to ‘stolen code’ and blamed an unchecked dev).

    In fact … just the week prior, Plugins had heard that exact excuse from someone else. It happens, but not that often. Most large companies are smart enough to have a QA system and encourage honesty. If you’re not, get started on that.

    But even if you believed the claim of a rogue dev, the claim of “we fixed it” is easily provable. Or in this case, disprovable. Not a single commit to SVN.

    Never Interrupt Your Enemy …

    … When they’re making a mistake.

    Besides not updating SVN at all, they’d taken to hate-reviewing their competition. But their massive problem here was in their IP addresses. Or should I say, Liam’s IP address.

    One person made a bunch of fake accounts to negatively review all other Booking plugins. The same person who had made all their commits. The same IP address. And no, it was not a VPN address.

    First, we gave Liam a small opportunity to come around, by providing clear directions while we double checked he was, in fact, Liam.

    You have not corrected any of the issues. Your plugin still creates an admin account when installed, and you have now begun “reporting” other competitors’ plugins by giving them disparaging comments in the forum.

    If there is an issue with a plugin, email plugins[@]wordpress.org and provide explicit code or plugin guideline examples. We ask you not waste our time with frivolous or petty arguments with others.

    Until your own code issues are corrected and checked in to our repository, we will not reopen your plugin. This is not negotiable. Fix the code. Make it safe and secure. Stop spamming the forums. That’s all you have to do.

    You’d think this was simple, right? Just update and fix your damn code. Nope. Two days later, Liam emailed back to complain that he’d made changes and why didn’t we reopen, but again nothing was being pushed out.

    Now it’s more clear today, but even back then we clearly told people “if your plugin is closed, pushed code won’t get deployed to your users.” We tell people that so they understand they can push code to SVN freely without fear of upgrading anyone before we’re all ready.

    Take a Chance

    At this point SVN still was not fully updated. They’d updated the readme, and a couple lines of code, but the plugin still auto-created an admin, and we were still doing the leg work to connect the ReBooker and Booking Perfection websites.

    Since there was no need to re-review, Liam was emailed:

    Understand that due to the severity of the issues with your plugin, it may be a few days before we have reviewed your plugin completely and replied. We ask that you be patient, and especially that you don’t email us every day asking for an update. We’re volunteers here, and we do this in our free time. If we determine we need to get a security expert to double check, this can take longer.

    Keep in mind, Liam had been emailing multiple times a day asking the exact same thing – why wasn’t the plugin updated? Answer: Because Liam hadn’t updated!

    I was starting to wonder if the story was true, that ReBooker had maybe hired Liam, and he was just doing all this shit on his own. But finally we had lined up enough code proof that ReBooker was totally a copy of Booking Perfection. We had to acquire the new version of Booking Perfection, but they were a line-for-line match in multiple places.

    Here’s where I’m the asshole. I never told Liam I knew it was him. Instead, I emailed that it was something a little less.

    We are not comfortable with the established of your behavior on WordPress.org. There is enough similarity with both code and behavior to lead us to believe that your plugin is one that was written by someone who already had their code removed from the repository due to breach of contract. As you claim to have hired a third party to write this, it’s entirely possible they did this, however as it stands, we cannot re-open this plugin.

    You are free to continue running your site and making the plugin available on that site or elsewhere. All we can control is what plugins we allow in the plugins directory, and we won’t be allowing yours […]

    See? I intentionally misled him to think the only issue was “the consultant you hired” and how it made the plugin unable to be hosted on WordPress.org.

    The Poison Tree

    Liam took that lump and was quiet for three more days. Then he asked if there was any way he could come back. Going with the ruse, I replied that they could never submit another booking related plugin because there would always be the risk of them using Booking Perfection code, which was a GPL violation. For the protection of the directory, no.

    So he tried to appeal to empathy.

    If you find anything which is not good or which is causing problems, i would say we are very happy to change that, but directly putting us out of business is not good.

    Signed?

    Liam.

    Note: We only closed their plugin on .org. They’re free to run their own shitty business if they want to, and while it was harder to self host and deploy back then, it was totally possible. Today the email actually gives practical advice on doing that, just so people get that we’re not trying to ruin their business, but we cannot host them.

    I emailed back no, and Liam replied.

    It will cause a deep loss to us and all of the hard work is drained. I would request you to please give us a chance to prove ourselves. We have done nothing wrong or morally offensive which cause any problems to anybody.

    Sock puppetry, forced admin accounts, bad code, and lying? They offended me. There were six more pleading emails, one a day, until collectively the Plugins team told him he was banned.

    Mistakes Were Made

    The reason Liam was banned (again) was only in small part because of multiple emails. It was more the content of them. At no point did Liam even remotely comprehend that the code was the issue. We were trying hard to push that aspect since I believe telling someone “you’re the dipshit we banned last year” only encourages people to be bigger assholes.

    He made a new submission in the Plugin Repo, was rejected and told “Dude, we can tell it’s you. Stop.” Of course, while waiting for approval, he made more false allegations to other plugins (and yes, each one was checked just in case), used another forum account for more sock puppetry and fake reviews, and then was blocked.

    Then he made another plugin and tried a third time.

    The best part about all this is he kept emailing plugins, asking to restore his plugin.

    So let’s recap. So far he has:

    1. Submitted someone else’s plugin and had it removed by us
    2. Resubmitted the plugin, making it different enough we didn’t notice right away, with a different domain and IP, but with a massive security hole (which is how we realized he was the guy from 1) and had THAT removed
    3. Spammed the forums with fake reviews of his own plugins via sockpuppet accounts
    4. Spammed the forums with fake reviews of OTHER plugins, mainly competitors, citing them spuriously for errors that don’t exist (including, but not limited to, claims of using their own jquery – Like we can’t QUICKLY check for that!)
    5. Made even more sock puppet accounts to submit the plugin
    6. Continually emailing plugins, asking us to reconsider because they’re not doing anything wrong, and by gum, those other plugins are breaking rules too (not)
    7. Complained we’re ‘hurting his reputation and business’

    Two days later he came back and upped his game to attempting to impersonate me (not plugins!) by sending emails ‘from’ the plugins team.

    This Shit Again?

    That was the final proof we needed to identify Liam was … Liam.

    Subject: Offline Message from Mika Epstein: We have found both your plugins

    http://wo…

    From: Zopim

    To: xxx-removed

    Date: Mon, 22 Apr XXXX 07:22:26 -0000

    Message-ID:

    Reply-To: Mika Epstein

    From: Mika Epstein

    URL: http://redaced.com/

    We have found both your plugins

    http://wordpress.org/extend/plugins/redacted-1/ and

    http://wordpress.org/extend/plugins/redacted-2/

    to be same and you are using multiple a/c’s to handle it yourself over

    our domain. Unfortunately, we wil be banning you now from WordPress.

    —-

    Zopim http://www.zopim.com

    Most of the emails were sent at 1am my time.

    Zopim, now owned by ZenDesk, was never the service we used to send emails. And that sounds nothing like our emails. Also? I never put my name in the subject lines.

    But Liam, being an idiot, didn’t realize that his actual email address was in the email headers. I laughed a lot.

    Liam was banned again, and we spent another week just rejecting and blocking and banning before we finally slapped an IP ban on him for a month. That seemed to either wake him up, or he wasn’t capable of bypassing it and gave up.