WordPress Needs to Take PHP Upgrades Seriously

WordPress powers 25% of the web. It is arguably the most influential open source PHP project, and claims a massive community and developer base. It's not handling PHP upgrades responsibly.

This is not a new issue. The push from the community for WordPress to raise the minimum required version of PHP has been happening for years. It was brought up again with Matt Mullenweg at WordCamp US 2015:

Matt's response, at face value, makes sense. The burden is on hosting providers to upgrade PHP, not users. The problem is that when something goes wrong because of an unpatched PHP exploit, or a business loses a customer because the site is too slow, the users will be the ones who pay the penalty. To that end, WordPress has a responsibility to inform users and encourage them to lean on their host to upgrade PHP.

This has become an even bigger issue with this recent announcement:

WordPress plugin developers have been able to take advantage of features in later PHP releases within their own code, and add dependency checking inside their plugin's code to make sure the server had a compatible version of PHP. The only disadvantage here—and likely the one the .org plugin repository is trying to prevent—is that users on older PHP versions download these plugins, only to be told upon activation that they aren't compatible. However, this seems like further opportunity for the community to encourage users and hosting providers to upgrade PHP. Actively preventing developers from modernizing their codebase is further evidence of WordPress' irresponsible behavior around PHP version dependency.

In the video above, Mullenweg refers to "the last time" WordPress forced a PHP version upgrade. That indicates part of the problem: there isn't a standard in the WordPress community for upgrading the minimum required version of PHP. The PHP project publishes an end-of-life schedule for each PHP release. It's clearly documented the exact date after which a version will no longer be supported. WordPress should adopt a standard based off of PHP's schedule. Give everyone a specified window of time from when a version of PHP is end-of-life, after which the next release of WordPress will no longer support that deprecated version of PHP. For example, PHP 5.4 was end-of-life on September 3, 2015. If the WordPress standard was 1 year of support for a release after it's end-of-life, then the next WordPress release after September 3, 2016 would require PHP 5.5 and later. Whatever that time interval is, it should be codified in WordPress' release cycle plan, so that everybody knows what it is, and can plan around it.

For a project of the size and impact of WordPress, the weight they carry can move the industry forward. WordPress is too big to ignore, so when they make a change the web reacts. With that kind of influence and power, it is not acceptable to let the lazy few hold back and put at risk the responsible majority.

Tags: matt mullenweg, php, wordcamp, wordcamp us, wordcamp us 2015, wordpress

No, Fingerprint Login Isn't "Better than Nothing"

This week we learned that 5.6 million people's fingerprints were part of the stolen data from OPM earlier this year. Samsung and HTC have come under fire for their (atrocious) implementation of fingerprint authentication that left fingerprint data unprotected on users' devices. Apple's Touch ID is arguably the most secure (and widely used) consumer fingerprint authentication system, but even it has flaws that have been exploited.

There's no such thing as bugless or unhackable software. NASA is one of the few organizations on the planet with the resources, time and requirements that can come close to achieving that goal, and I'd bet that even they discover bugs from time to time. With enough time and effort, any system created by man can be exploited. Given that, we should not be depending on our ability to keep secrets, but to render them obsolete and irrelevant once exposed. In other words, when sensitive information is lost, we need to be able to change it so the lost data is effectively useless.

If your password gets stolen, you can change it. If your fingerprints get stolen, you effectively have no recourse. The importance of this distinction cannot be overstated. You have no way to prevent that fingerprint data from being used or shared without your consent, yet you are still responsible for anything attached to that data - after all, they're your fingerprints.

Consider the weight that fingerprints carry in our society. If you're ever arrested for a crime, your fingerprints can be used as physical evidence against you. If you apply for a job with any sort of security clearance requirement, your fingerprints will be taken and kept on file (hence the OPM's possession of fingerprint records in the first place). We place a level of trust and authority in our fingerprints which is never bestowed upon almost any other form of identification for the same reason they are so risky for casual use: fingerprints are inextricably linked to their owner.

Let's come back to the criminal justice angle for a moment. Your fingerprints aren't just useful to forensics technicians with powder and tape lifting oily prints off of smooth surfaces. If you stand accused of a crime in the United States, you can be compelled to unlock your phone for the police if it's secured with your fingerprint - but not if you use a password or PIN. A password is something you know, which is protected by the 5th Amendment. A fingerprint is something you have, which is physical evidence and therefore not protected. By opting for the convenience of tapping once instead of four times, you have waived your right not to self-incriminate if your phone contains damning evidence.

Passwords are a terrible form of authentication. They're annoying, hard to remember, and dependent upon somebody else to keep them safe. Fingerprints may be easier, but depending on them can be far costlier.

Tags: 5th amendment, biometrics, cyber security, fingerprint, iphone

225 Years

Today, August 4, 2015, marks the 225th anniversary of the U.S. Coast Guard.

On this day in 1790, Congress created the Revenue Cutter Service on the recommendation of Secretary of the Treasury Alexander Hamilton. In 1915, the Revenue Cutter Service merged with the U.S. Life-Saving Service to form the U.S. Coast Guard.

The Coast Guard today has 11 missions spanning search and rescue, law enforcement, aids to navigation, and more. With fewer personnel than the New York Police Department, the Coast Guard does a lot in the average day.

I've been a member of the Coast Guard since 2008, and it's one of the best decisions I ever made. I've learned a ton, made great friends, and had awesome experiences I couldn't have otherwise had.

Happy birthday to my fellow Coasties. Semper P!

Tags: us coast guard, military