How to Deal with Mean People

Some time ago I had the novel experience of being abused on social media by a member of the Joomla! community (novel for me anyway, although I think not that uncommon in the Joomla world). It was a bit of a surprise, mainly because I don’t normally bother much with social media.

But unfortunately one of my previous blog posts went unexpectedly viral and clearly annoyed this person. At the time I was a bit shocked and upset at his response. I did think about responding in kind, because actually I enjoy insulting people as much as the next person when they are the ones that start it. But really I could not foresee anything good coming out of exchanging insults with him.

Then I realised something important: I actually just did not care.

I regard this as real personal growth: there was a time when I was abnormally sensitive and probably would have been crushed at someone saying mean things about me. It’s a huge relief, to realise that actually I don’t really care very much any more about what people think or say about me.

What I mainly put it down to is this. I have had cancer twice in the last four years. That’s an actual problem, it is something that matters. I don’t bang on about it, because it is private, but dealing with it has been really tough. But I have, and I am OK.

By contrast, a civilly-challenged person abusing me on social media matters very little. I have no intention of identifying him by the way, I really am over it. I do not even feel any ill will towards him.

So my advice on how to deal with mean people is this: if you find yourself caring about what someone says about you on Twitter, Facebook, Reddit or whatever – just get a grip. It is not important. Go and do something that does matter: hug your children, or your spouse; take the dog on a lovely long walk; go out and have tea and cake with a good friend; paint a picture; play an instrument. Do anything that expands your life rather than contracts it.

There are a few people in the Joomla community who unfortunately seem to think that it is OK to indulge their own feelings of frustration by abusing others on Twitter and elsewhere. They are wrong, it is not. But they are like the mean kids at school, my mum always told me to just ignore them, and she was right.


Improving Quality Control in Joomla Code

Since writing my previous blog post, in which I explained how a coding error had protected older versions of Joomla from the serious security vulnerability which was patched in Joomla 3.6.4, my friend Bernard Toplak has been doing some research into how it came about that the coding error in the vulnerable user controller was fixed.

It seems that a user called lecoeurlou joined Github on 30 August 2015 and, that same day, submitted a patch for the faulty function call to $model->validate() to the Joomla CMS project; the patch was accepted without question, and the account has had no activity on Github since.

You can see the activity here: https://github.com/lecoeurlou?tab=overview&from=2015-11-01&to=2015-11-30&utf8=%E2%9C%93

Now this may in fact be innocent, but to my mind it is at least possible that someone had noticed the potentially vulnerable controller in the code, had experimented with it and found the coding error. Then they realised that if they could quietly fix it, they could open up a critical vulnerability in one of the world’s most popular content management systems, which they could then exploit.

I think that the lesson is that there needs to be more quality control on patches submitted through Github, because unfortunately there clearly is scope for a malicious actor to wreak havoc.

Update

Since I wrote this yesterday, I have been astonished at the level of interest. I expected it to be read by a dozen people at most, and to provoke no reaction whatsoever. Instead it seems to have been read by several thousand people and to have annoyed quite a few of them.

But there was a serious purpose to the article: when something goes seriously wrong, then I think it makes sense to look at why it happened rather than burying our heads in the sand, carrying on as normal and pretending it can’t happen again.

I will deal quickly with a few of the points that have been raised:-

Firstly, I am definitely not trying to point the finger of blame at any individual. I have no idea whether lecoeurlou is an evil genius or just a helpful person trying to fix some code. The problem is that we have no way of knowing.

Secondly, I am not suggesting any kind of conspiracy. Frankly it hardly required a conspiracy. If the code patch was malicious, it was far more likely just opportunism.

Thirdly, yes I really did think of saying all this by myself, I am not being used by anyone.

I am saying it because I think that it matters. Open source software is a wonderful thing, and so is the Joomla project. I would like to see it thrive. But I think that is more likely to happen in the long run if we are honest with ourselves about what the problems are.

I don’t know what the solution is. I certainly don’t want to discourage anyone from contributing to an Open Source project, quite the contrary. But we are really kidding ourselves if we think that every single person who does so does it from the purest motives, because that I am afraid is just not human nature.

I think that these are issues that need to be discussed, and if I have upset a few people by encouraging that then I can live with it, though that was not the intention.

Joomla Security Release 3.6.4: Breaking the Code by Fixing It

Many people will have noticed (including a lot of bad guys) that there is a security release of the Joomla! content management system.

Previous versions contain a vulnerability which allows a malicious person to register a user account on a Joomla site by carefully crafting their own HTML form, even when user registration has been turned off, and also to manipulate the user group. This is done by accessing a vulnerable controller in components/com_users/controllers/user.php, which includes a register task that does not check the site configuration or properly validate the data.

The controller has been around since Joomla 1.6, so it has left a lot of people wondering if older versions of Joomla are vulnerable, such as 2.5 which is still widely used. In fact the good news is that older versions are not.

If you try to submit a crafted HTML form to a Joomla 2.5 site, you get the following fatal error:-

Warning: Missing argument 2 for JModelForm::validate(), called in components/com_users/controllers/user.php on line 114 and defined in /libraries/joomla/application/component/modelform.php on line 258
Fatal error: Call to a member function filter() on a non-object in /libraries/joomla/application/component/modelform.php on line 261

Or something similar, depending on your exact version. The reason for this is that the user controller includes a coding error: it uses

$return = $model->validate($data);

instead of

$return = $model->validate($form, $data);

so that it fails because the data object is null when the model is called to register the user.

Then in Joomla 3.4.4 someone helpfully fixed the coding error in the controller without asking themselves what on earth the controller was doing. I am sure they meant well; I think it would be unfair to blame only the person that fixed the code, as these things are supposed to be tested. But still, it opened the CMS up to a serious vulnerability.
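To make the point concrete, here is an added PHP sketch (not Joomla's code; the class names, the 'allowUserRegistration' config key and the groups handling are assumptions) showing why the one-argument call fails closed and what a register task should check before it trusts a submitted form:

```php
<?php
// Added illustration, not Joomla's own code. Class names, the config
// key 'allowUserRegistration' and the groups handling are assumptions.
class Form
{
    // Keep only the fields the form declares; anything else is dropped.
    public function filter(array $data): array
    {
        $allowed = ['username' => 1, 'email' => 1, 'password' => 1];
        return array_intersect_key($data, $allowed);
    }
}

class UserModel
{
    // Same shape as the page's JModelForm::validate($form, $data).
    public function validate($form, $data)
    {
        // Called with one argument, $form holds the posted array and
        // $data is null, so filter() is invoked on a non-object and
        // PHP aborts before any account can be created.
        return $form->filter($data);
    }

    public function getForm(): Form { return new Form(); }
}

class UserController
{
    public function __construct(private array $config) {}
    // Hardened register task: refuse when registration is disabled,
    // never let the client choose its groups, then validate with both
    // arguments so the model receives a real Form object.
    public function register(UserModel $model, array $post): array
    {
        if (empty($this->config['allowUserRegistration'])) {
            throw new RuntimeException('Registration is disabled');
        }
        unset($post['groups']);
        return $model->validate($model->getForm(), $post);
    }
}
// The mis-called form of validate() fails closed, as on Joomla 2.5.
try {
    (new UserModel())->validate(['username' => 'x']);
} catch (Throwable $e) {
    echo 'one-argument call aborted: ' . get_class($e) . PHP_EOL;
}
```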

Web Security: An Example of How Not To Do It

Quite a few news sites are reporting this story at the moment, about hackers hitting online stores using the Magento E-commerce system: http://www.bbc.co.uk/news/technology-37643754. The reports seem to originate from this site https://www.magereport.com which has been set up to help owners of Magento sites scan for vulnerabilities in their store for free.

A nice idea you might think, and it is. The problem is that those behind the site don’t really seem to have given much thought to verifying who is doing the scan. Anyone can use it. It is easy to find sites that use Magento online, for example Googling ‘inurl:/checkout/cart/’ will bring up a nice crop. Then run the scan, and it will bring up a nice handy guide to what vulnerabilities the site suffers from.

The makers excuse themselves by saying:

The MageReport tool only tells you what is wrong, not how to exploit it

However, this is really not good enough in my view: once you know what the weaknesses are, it is the work of a minute or two to find the exploit online; my dog could do it.

The only way to protect against this is apparently to block the “magereport” user agent in the site robots.txt file. I would suggest that owners of Magento sites do this, but if site owners do not know that they have vulnerable software on their site, are they really going to know that they should do that?