Friday, November 6, 2009

Completely Missing the Point

You know what really grinds my gears?  "Writers" who publish articles on topics they clearly have no understanding of ... and it's magnified even further when they write for a publication (physical or digital) with a legitimately large reader base.

I write this after careful consideration of an article a good friend of mine sent me the other day ... which made me just "WTF" all over.  His email went something like this:

So, a colleague forwarded me the URL of a Slate article.   (copied below)
It got me thinking, especially the complaint about Drupal blocking JavaScript.  
  1. Business schools seem to be churning out NYT readers.
  2. NYT readers also probably read the Washington Post and Slate.
  3. These readers likely believe everything written.
  4. These readers, as C* people (CIO, etc.), have the typical "superior", "I know all" attitude.
  5. They read articles like this and see it as gospel.
This is why web app security is difficult to explain to the higher-ups ... after all, the experts at Slate tell us that JavaScript is a 14-year-old technology and we shouldn't be blocking it on our website!

So ... I thought about it some, and now I'll tell you why I think Chris Wilson needs to stop writing about technology ... at least until he's learned a little about it.

First off, I'm not an open-source bigot; in fact, I'm neither for nor against open or closed source ... each has its merits and its place in our very large technology world.  Second, I learned a long time ago that open source people are their own special breed and, much like their closed-source counterparts, have their own quirks and nuances.  Lastly, I think this article is both inflammatory and misguided, and it misses the point entirely.  In fact, I think it's so misguided that I agree with my friend: an article like this actually leaves its readers understanding security concepts less well than before they read it.  But me ranting isn't going to make my point on its own, so let's analyze this article ... follow along, boys and girls.

  1. Chris must get paid for flowery language ... or his audience is just so much higher-brow than I, because the first few paragraphs remind me of Bill Murray dropping C4 explosives into a gopher hole ... way, way overdone.  By the way, what "swing demographic" is he referring to?  I know many, many sites that are built on Drupal, and none of the administrators I know (personally, mind you) would call Drupal "pocked with political landmines".
  2. Drupal knows best: First off, I'm thrilled Drupal doesn't trust end-users (particularly novice admins) with the ability to drop JavaScript where it doesn't belong.  I mean, gee Chris ... it's only JavaScript, right?  What could possibly go wrong?  Well: whoever can put script into a page body can run code in the browser of every visitor to that page ... read their session, rewrite what they see, submit forms as them.  That's stored cross-site scripting (XSS), and refusing script in user-editable body text is exactly what a filtered text format is for.  By the way, high fructose corn syrup is really, really bad for our children and is the leading cause of childhood obesity...
  3. Drupal is impenetrable: I have to give Chris points for his Dennis Miller-esque humor here ... although I think he meant to say INS (Immigration and Naturalization Service), not ICE (Immigration and Customs Enforcement) ... right?  Anywho ... Drupal's steep learning curve isn't a bad thing, kids ... it discourages the usual "click, click, click, I've got a site" mentality.  Holy crap, you have to know something to publish a website ... no way, Wayne!
  4. Drupal hates change: Nice dig on the farm bill ... I won't even dignify this point by rebutting it.
  5. Drupal is righteous: Yes, and they damn well should be ... they built the thing and they know better than you how it runs and what the inner workings are.  I love the "Drupal doesn't break web sites. People with Drupal break web sites" line ... uhmm ... yea, so?  See point 4.
Alright, here's why I really think this article is worthy of the hall of shame and why Chris needs to go back and actually do some research.  If Chris had done some research, maybe looked at a vulnerability database, he would have discovered that Drupal has had 264 vulnerabilities since it's been tracked ... and guess what: an overwhelming majority of those have been in add-on modules.  Drupal's core is actually, by my count (and someone please correct me if I've misjudged here), pretty well secured.

Anyway ... that comment about 14-year-old technology being blocked is the genius point here, from my reading.  For my money, it doesn't get any better than this:
"Should you, say, go completely rogue and try to add some Javascript in the body of a page—a 14-year-old technology that controls interactive components like buttons—the platform will have none of it."
That sentence demonstrates a clear contempt for the power of "14-year-old technology like JavaScript" ... which, by the way, remains one of the web's biggest attack surfaces.  The age of a technology says nothing about its risk; the browser will execute whatever script lands in the page, whoever put it there, and that is precisely why a platform refuses to let just anyone put it there.
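To make concrete what "the platform will have none of it" actually guards against, here is an allowlist HTML filter of the kind a CMS applies to body text written by untrusted or novice users. This is an added example written for this post, not Drupal's own filter code; the tag and attribute allowlists, the scheme list and the sample inputs are all constructed for illustration. Everything not explicitly allowed is removed: the `<script>` element together with its body, every `on*` event-handler attribute, and any `href` whose scheme is not http, https or mailto (after stripping the whitespace and control characters that browsers ignore inside a scheme).

```python
"""Allowlist HTML filter for user-supplied page bodies.

Added example for this post; it is not Drupal's filter code.  It keeps a
small set of tags and attributes and drops everything else, which is the
only filtering strategy that survives contact with browser parsing quirks
(a denylist of "bad" patterns always misses one).
"""
from html import escape
from html.parser import HTMLParser

# Illustrative allowlists (assumptions for this example, not Drupal's defaults).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}      # no on* handlers, no style
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}      # the tag *and* its body go
VOID_TAGS = {"br"}


def safe_url(value):
    """True for relative URLs and for http/https/mailto links only."""
    # Browsers ignore whitespace and control characters inside a scheme,
    # so "java\tscript:" must be normalised before the scheme is examined.
    v = "".join(ch for ch in value if ord(ch) > 32).lower()
    scheme, sep, _ = v.partition(":")
    if not sep or "/" in scheme:
        return True                          # no scheme at all: relative URL
    return scheme in SAFE_SCHEMES


class AllowlistFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []                    # audit trail of what was removed
        self._skip = 0                       # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            self.dropped.append(f"<{tag}>")
            return
        if self._skip:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")  # tag removed; its text is kept
            return
        kept = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
            elif name == "href" and not safe_url(value):
                self.dropped.append(f"{tag}@href={value!r}")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            # Re-escape text so a literal "<" can never open a new tag.
            self.out.append(escape(data, quote=False))


def filter_html(markup):
    """Return (clean_html, list_of_dropped_items)."""
    f = AllowlistFilter()
    f.feed(markup)
    f.close()
    return "".join(f.out), f.dropped


if __name__ == "__main__":
    # Constructed sample bodies, the sort of thing a "novice admin" pastes in.
    samples = [
        '<p>Hello <b>world</b><script>alert(document.cookie)</script></p>',
        '<a href="javascript:alert(1)" onclick="steal()">click</a>',
        '<img src=x onerror="alert(1)">',
        '<a href="java&#9;script:alert(1)">obfuscated</a>',
        '<a href="https://example.com" title="ok">fine</a> 1 < 2 &amp; 3',
    ]
    for s in samples:
        clean, dropped = filter_html(s)
        print(f"{s!r}\n  -> {clean!r}\n  dropped: {dropped}")
```

The `dropped` list is the part a real deployment should log: a body that keeps tripping the filter on `onerror` and `javascript:` is a signal about the account that submitted it, not just noise to discard. The filter deliberately escapes text it keeps rather than passing it through, so a stray `<` in prose can never be reinterpreted as markup by the browser.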

Some advice Chris ... think before you write ... and if you have no expertise - please don't make our jobs in InfoSec any harder by spreading stupidity in the ranks.

... hey, you were all thinking it, someone had to say it.

1 comment:

j.prost said...

Using his 14-year-old logic, there really was/is no real risk associated with the DNS vulnerabilities found this year. I mean, DNS is quite dated and couldn't in a million years cause any issues. I mean, everyone provided workarounds back in 2000 or something, right?

While not a big Drupal fan, I think it's quite bold to go out on routing like he did. I agree with the commenters that asked why he didn't provide alternatives.