I challenge *anyone* to try to inject into my site. I’ll even give them a bonus and give them access to their own site on my server to help them along.
.-= Philip M. Hofer (Frumph)´s last blog ..Frumph & Crew on TGT Webcomics tonight, 6pm PST =-.

Celebrate Life
Lorrette
.-= Lorrette´s last blog ..Good Blonde Jokes =-.

Hey Bro. great job man and thank you for letting everyone aware on security it is very important matter especially when your running a Business Blog. My blog been hacked before and it was a nightmare so I really appreciate you making your effort on this again thank you and way to go…

God bless you and yours,

Albert Hallado
.-= Albert Hallado´s last blog ..Need More Customers? =-.

I don’t expect everyone to agree with my personal option or like my choice of style used in the post but I feel sometimes that bold or italics simply don’t do justice to emphasize the point.

I do appreciate the time you took to provide such a detailed comment and obviously glad that my concern rings true for you as well. I know for a fact of hosts planning to provide mass support for WPMU to separate themselves and I see it becoming (higher priced) norm at some point.

It’s not quite so easy to ignore the possible incendiary nature of a single concept until the conversation has completed and the whole can be taken in context.

Several folk commenting here have chosen that 1st path & ignored the 2nd.

Any discussion involving security will include ‘scare tactics’ … it’s the nature of the beast. Security can only be evaluated _when it fails_. So, any rational discussion of security is likely to include a worst-case scenario. That’s not fear-mongering, it’s rational thought. Before we implement a security _solution_, we need to have a reasonable expectation of what to expect if it fails – what happens when the failsafe fails?

Andrea_R had several points, some of which violated the precepts of her own post on contributing.

Some time back, when I first became interested in password strengths, a casual search turned up four (4) of them, which produced four (4) widely variant strength judgements on the same eight (8) character password. So the question is how good is the validator? (TheSpotter, pay attention.)

Her 2nd & 3rd points have to do with privilege and elevation, an issue which WP has _addressed_, but not _resolved_.

The 4th point (as well as the 2nd and 3rd)? Don’t tell a developer/hacker that they cannot do something: they will take it as a challenge, do it, and publish it.

The 5th point is irrelevant to the post upon which you comment – the mention was of a possibility of hacking the server from within WP, not an aim, per se, of taking over the server.

The following paragraph containded several statements not germane to the discussion at hand – obfuscation & misdirection, whether intended or not. (Oh, yeah, she used caps to complain about caps .).

Andrea_S seems to have violated several precepts of her own recommended post:
precepts 1-3, although that is open to interpretation;
precept 7, to my mind, was definitely violated by the sftp/ftp comment and the closing paragraph.

(Follow your own advice, young lady .)

Then Philip M Hofer came up with an extraneous and totally invalid [grandfather] argument that a fault in the discussion has always been there. Does that mean it should remain? As for the analogy, although analogy is always suspect, _yes_ – if the umpire made an obviously bad call, chastise the umpire.

Although I have [cosmetic] complaints in regard to the post (TheSpotter, you have italics & bold capability – use them!), the meat of the post proposes a real concern. I disagree with a couple of the statements, but the overall concept registers as valid and true.

While WPMU has been around for a while, it has been in a very tightly controlled environment. This version of WP will release it into the wild, where control will be questionable, at best. The built-in safeguards are simply not adequate to the projected usage. A fairly simple SQL injection attack, while it might not work on http://wordpress.com, could be sufficient to take control of MU elements in the wild. From there, total control is a possibility.