[pLog-svn] some people are privacy crazed

Jon Daley plogworld at jon.limedaley.com
Wed Sep 26 10:03:51 EDT 2007


 	Well, DNS poisoning can affect anyone, right?  Redirect 
lifetype.net to your machine to announce a new version, and then redirect 
sf.net for the download (or change the link on lifetype.net to have a 
direct download from that server, instead of using sourceforge).
 	Once you are into DNS poisoning, you can't do much of anything on 
your computer that you can trust.

On Wed, 26 Sep 2007, Matt Wood wrote:

> Heh, you don't even need to compromise WP's webservice... all you need to do
> is poison the client's dns.
>
> That is kinda scary, good thing I used Lifetype! ;)
>
> On 9/26/07, Oscar Renalias <oscar at renalias.net> wrote:
>>
>> I saw that yesterday too, but I think that the issue was totally blown
>> out of proportion.
>>
>> If you remember, we've had a version notification system since LT
>> 1.2.4 but I think we did it the right way compared to the way WP is
>> doing it:
>>
>> - The "version check" functionality is currently not automatic, so
>> users need to actively visit the "plugin centre" and/or the "versions"
>> screens and click a button to receive information about the most
>> recent version and whether or not they should upgrade. I've
>> purposefully reserved the right to do this automatically in the
>> future, though (but it'll be opt-in or at least easy to disable)
>>
>> - Our implementation is built based on RSS feeds, so the bulk of the
>> processing is done on the client side. In the WP implementation,
>> they've got a web service that collects data from clients and informs
>> them whether they should upgrade or not. In our implementation, the
>> RSS feed just contains information about available versions and the
>> client figures out whether the user needs to upgrade or not. Our
>> implementation is also more secure, as it does not require any PHP
>> code on the server side (imagine if WP's web service were to be
>> compromised!)
>>
>> Oscar
>>
>> On 9/26/07, Jon Daley <plogworld at jon.limedaley.com> wrote:
>>> If/when we add the thing that allows people to get a notification about
>>> a new version available, we'll have to add a way to disable it, since
>>> some folks don't like their blog URL being sent to someone else.  And to
>>> think I thought URLs were public, and the whole point of the internet
>>> was to have other people come to your site...
>>>
>>> http://yro.slashdot.org/yro/07/09/25/1632246.shtml
>>>
>>> --
>>> Jon Daley
>>> http://jon.limedaley.com/
>>>
>>> One only needs two tools in life: WD-40 to
>>> make things go, and duct tape to make them stop.
>>> -- G. Weilacher
>>> _______________________________________________
>>> pLog-svn mailing list
>>> pLog-svn at devel.lifetype.net
>>> http://limedaley.com/mailman/listinfo/plog-svn
>>>
>>
>

-- 
Jon Daley
http://jon.limedaley.com/

Proofreading is more effective after publication.
-- Barker
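
Added example, not part of the thread and not LifeType's own code: a client-side version check of the kind described in the quoted message, where the feed only lists releases and the client decides locally. The feed layout, the host name and all function names are assumptions made for illustration; because a forged DNS answer can serve a tampered feed, the feed is treated as untrusted input and download links are accepted only over https to an expected host.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample feed; the layout (version in <title>, download in <link>)
# is an assumption, not LifeType's real feed format.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Releases</title>
<item><title>LifeType 1.2.4</title><link>https://downloads.example.org/lt-1.2.4.zip</link></item>
<item><title>LifeType 1.2.5</title><link>https://downloads.example.org/lt-1.2.5.zip</link></item>
<item><title>LifeType 9.9</title><link>http://other.example.net/lt.zip</link></item>
</channel></rss>"""

TRUSTED_HOSTS = {"downloads.example.org"}  # hypothetical download host
VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){1,3})\s*$")  # plain release numbers only


def parse_version(text):
    """Return a 4-part version tuple such as (1, 2, 5, 0), or None."""
    m = VERSION_RE.search(text.strip())
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))  # pad so 1.2 == 1.2.0


def link_is_trusted(url):
    """Accept only https links to an expected host; plain http offers no
    protection when DNS answers are forged."""
    u = urlparse(url)
    return u.scheme == "https" and u.hostname in TRUSTED_HOSTS


def check_for_update(feed_xml, installed):
    """Decide locally whether a newer release exists. Nothing about the
    installation (blog URL, version) is sent to the server."""
    if "<!DOCTYPE" in feed_xml or "<!ENTITY" in feed_xml:
        raise ValueError("feed contains a DTD; refusing to parse")
    current = parse_version(installed)
    if current is None:
        raise ValueError("installed version is not a plain release number")
    best = None
    for item in ET.fromstring(feed_xml).iter("item"):
        version = parse_version(item.findtext("title", default=""))
        link = item.findtext("link", default="").strip()
        if version is None or not link_is_trusted(link):
            continue  # skip unparsable titles and unexpected download hosts
        if version > current and (best is None or version > best[0]):
            best = (version, link)
    return best  # None means "up to date"
```
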

