WordPress Security (Or why you should code like a paranoid squirrel)

When I was at VIP we always argued for a very tough stance on security. To the point that we’ve been criticized for being over-zealous on escaping, permissions checking and nonce checks.

I understand many of the arguments made against enforcing late escaping. The one I understand and can empathize with the most goes something like: “If we just enforce rules without understanding the context, folks won’t understand why and when they really need to escape”. That’s a valid point, but I think it doesn’t hold up for a large-scale project, be it your plugin, your theme, or the WordPress project itself.

There’s often talk about two models of security. I’m sure they have better names (perimeter security versus defense in depth, roughly) but I call them the “Fortress” and the “Onion” model. In the fortress model there is one “moat” that protects the code, so internal functions, for example, can rely on the data being passed to them as being safe. The Onion model is kinda like if a paranoid squirrel wrote code: every function is suspicious of what it gets passed and doesn’t trust any other function. I’m not sure where the squirrel fits in with my analogy to be honest, but I liked the thought of picturing a paranoid squirrel.

With that in mind, I would argue that the WordPress code base is currently not resilient enough to attacks, as it often makes assumptions about the data passed to its functions. A good example of this is the latest security release (5.1.1) that patches this: https://blog.ripstech.com/2019/wordpress-csrf-to-rce/

The offending code is this:

// Pre-5.1.1 shape: $name and $value go into the attribute string as-is,
// so a double quote in either one terminates the attribute early.
foreach ($atts as $name => $value) {
    $text .= $name . '="' . $value . '" ';
}

Anyone who’s done work with the VIP team will quickly see that this code violates the policy of “Always Escape Late”.

We would have had you rewrite that as:

// Escape at the point of output, regardless of where $atts came from.
foreach ($atts as $name => $value) {
    $text .= esc_attr( $name ) . '="' . esc_attr( $value ) . '" ';
}
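To make the difference concrete, here is an added, stand-alone PHP example (not code from the original post or from WordPress core) that builds the same attribute string both ways from a constructed `$atts` array. Outside WordPress there is no `esc_attr()`, so the example assumes a minimal stand-in built on `htmlspecialchars()`; the real `esc_attr()` also normalizes existing entities and applies a filter, which this stand-in does not. The `attrs_well_formed()` helper is a hypothetical reviewer check, not a WordPress API.

```php
<?php
// Added example: build an HTML attribute string from a $atts array, once in
// the unescaped pre-5.1.1 shape and once escaping late, then check the result.

// Assumption: a minimal stand-in for WordPress's esc_attr() so this runs
// without WordPress loaded. It encodes & < > " ' so a value can never close
// the surrounding quotes.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Unsafe: trusts that whoever filled $atts already cleaned it.
function build_attrs_unsafe(array $atts): string
{
    $text = '';
    foreach ($atts as $name => $value) {
        $text .= $name . '="' . $value . '" ';
    }
    return $text;
}

// Safe: escapes at the point of output, regardless of where $atts came from.
function build_attrs_late_escaped(array $atts): string
{
    $text = '';
    foreach ($atts as $name => $value) {
        $text .= esc_attr($name) . '="' . esc_attr($value) . '" ';
    }
    return $text;
}

// Hypothetical reviewer check: the string must be a sequence of
// name="value" pairs with no raw double quote inside any value.
function attrs_well_formed(string $attrs): bool
{
    return preg_match('/^(?:[A-Za-z_:][\w:.-]*="[^"]*" )*$/', $attrs) === 1;
}

// Constructed sample input: a value containing a double quote and an
// ampersand, as user-supplied shortcode attributes can.
$atts = ['class' => 'highlight', 'title' => 'say "hi" & leave'];

$unsafe = build_attrs_unsafe($atts);
$safe   = build_attrs_late_escaped($atts);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
var_dump(attrs_well_formed($unsafe));
var_dump(attrs_well_formed($safe));
```

Run it with `php example.php`: the unescaped string fails the check because the quote inside the title closes `title="say "` early and the rest of the value is no longer inside an attribute, while the late-escaped string keeps every value inside its quotes and passes. The point of the check is that it is independent of where `$atts` came from; the output function is correct on its own, which is exactly what the paranoid-squirrel model asks for.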

So you would think this is an easy fix, right? Just replace all the instances where we’re not late escaping so that they escape late. But I suspect that if I were to go through the codebase and change all instances flagged by the PHPCS WordPress ruleset (and the VIP ruleset), the patches would be rejected.

The thinking, from my experience and my assumptions, would be that this could break backwards compatibility. A noble cause indeed. There is something to be said to not touching code that doesn’t “need” to be touched. It’s quite easy to introduce bugs or unintended consequences when adding escaping. It’s also possible that the escaping wouldn’t help or, in a small subset of circumstances, would make things vulnerable.

All this being said, I know from having seen how the sausage is made that it’s much more complicated than what may be interpreted from reading this blog post. I want to make sure it’s clear that what I’m suggesting in regards to WordPress security is not actually as easy a solution as this brief post may make it out to be.

There are many smart people who are working on this and they have a challenging task. I suspect my experience with enterprise clients has coloured my opinion in preferring security over backwards compatibility. Very good arguments could be made that if folks do not have confidence in the automatic updates (because of broken backwards compatibility) it would leave more users at risk than patching code that _may_ be a problem in the future.

But one thing I think is clear. If the code had been proactively written to escape late, no matter where the data is from, we wouldn’t be in this situation. Hence, for all new code that you write, think of being like a paranoid squirrel. It’ll make your job way easier in the long run.

I’m Joining the Canadian Digital Service (CDS)

I have big news to announce. I’m going to be joining the Canadian Digital Service starting March 25th.

Some of you may know CDS, others may know the other countries’ versions such as USDS and GDS.

CDS’s goal is to bring together skills and expertise to help the Government of Canada embrace new methods and tools to improve how it designs, builds, and delivers services.

If you’re like me, you may be at first skeptical of this being possible in government. As some of you may know, I spent a few years working in the Government and, like many, experienced some things that were sub-optimal.

I had many many great chats with folks at CDS. It made me believe in the vision that CDS has and that the folks there have the mandate to bring about change.

I’m very excited to be joining such an elite group of individuals working on one of the most important tasks – delivering government services that work.

If you want to read about some of the accomplishments CDS has already achieved, I suggest following their blog (sadly not on WordPress 😉 ). If you’re interested in joining me, CDS is hiring for many many roles.

Thoughts on Being Non-Monogamous

I suspect the title of this post might raise a few eyebrows. Even though I’ve been in non-monogamous relationships for the past 7-ish years, it’s often not something that comes up in conversation. We’re open about it, but given the contexts most people just assume that we’re monogamous. It’s the default position, especially if you have 2 heterosexual individuals who are married and identify as partners.

It’s interesting how actually prevalent non-monogamy is. Many couples have some sort of “loose” guidelines. For some, it’s just things like flirting, while others may have defined a hierarchical, non-hierarchical, or anarchy relationship model.

There’s something interesting that happens when you embrace non-monogamy. The required extra communication, the ability to talk about thoughts and feelings that are often taboo, having thoughts about someone else, wanting to flirt, feeling joy and excitement from being with others. These are all things that “regular” society says are bad. If you feel these things, then you’re doing relationships wrong. You then feel shame, disgust, or sadness at feeling them. You start to question your current relationship, even if it’s objectively great because well, if you feel those things, then surely something is wrong. This person can’t be “the one” if you have those thoughts or feelings.

It also brings about some introspection with regards to self-confidence and jealousy. If you really start to dig down into it, often our thoughts, fears, feelings of jealousy, etc., are products of what we’ve been told makes “good” relationships. Clearly if our partner is enjoying being around someone else, that must mean we’re not good enough. Maybe we’re not “enough”, maybe they’ll leave us, maybe they were never that into us. If we examine it, I think we find that many of these are internal problems, problems with our thought patterns. If you truly have a good connection with someone, you should know, understand and be able to talk through these things.

Many people make analogies to explain it. Just because I usually love vanilla ice cream doesn’t mean I won’t take chocolate once in a while. We can also compare it to our partner playing a video game by themselves or spending time with another partner. Would we be jealous of the video game? I would say no. (I can see someone saying that yes, they could be, and perhaps that is the case, but if so, I’d argue the video game is not the problem. If your relationship is so tenuous that spending time on another activity causes you pain, something deeper is probably wrong.)

If you want to learn more, this intro to polyamory is very interesting. There are also great books on the matter such as: Opening Up (There are also many others).

If you have any questions feel free to post them in the comments or send me a DM.

Mental Health in the workplace

I got one of the best compliments yesterday. Someone I worked with previously is interested in starting discussions around mental health at their new workplace because of how much it helped them when we worked together.

I mentioned a bit of what happened (most of this was not done by me, I was just one small part of the events that happened) and I thought it might be helpful to share here.

It first started with someone saying that during one of the company meetups they would have a 1h thing where people can just come and chat about mental health in a random room. There were a few people who showed up. We decided to create a private slack channel where people could just talk openly about mental health. Word of mouth started spreading, especially among people who were like “Well, it’s not really _that_ bad, I don’t have a diagnosis, etc etc”. We welcomed them all.

I (and I’m sure many others) had follow-up conversations with folks who mentioned going through rough patches. Since I was quite open about it, often mentioning in the #watercooler channel if I was feeling depressed or anxious and taking a break, lots of folks sent me DMs just asking me about it and wanting to chat. Sometimes it was about them, sometimes about a loved one.

I’d ask them all if they wanted to join and convinced them that even if it “wasn’t that bad” they should join. At another team meetup I did a lunch thing where folks could come and eat lunch one day with others and chat about mental health (or just listen).

It was just to see others who were also working through things. You didn’t need to talk or anything, you could just listen. I did a bit of an intro on why I think it’s important and some of the things I struggle with; a few other people spoke, some didn’t (but they often would send me a private message saying thanks later).

When I left, it’s one of the things people told me they appreciated the most. To have someone who they saw as senior and a leader talk about this. It made them feel like it was “okay” to feel that way sometimes.

I’ve started doing talks in workplaces about this as well, if you (dear reader) think it could be useful for your workplace, I’m always happy to give a talk. I don’t charge anything but I ask that the organization make a donation to Kids Help Phone. For some organizations, donations aren’t possible so I send an invoice and make the donation myself.

I’ve done this talk in workplaces and at conferences such as Confoo and the feedback has always been very positive:

“6/5 Sensitive topic explained simply and with humour”

“Great personal touch”

“Good energy, interesting perspective and personal anecdotes”

“Very good talk. Honest, straightforward, helpful.”

“Important topic presented in a funny manner”

Confoo 2016 feedback

“Stéphane’s candid testimonial on mental health issues was truly engaging. With his great sense of humour and genuine presence, Stéphane puts his audience at ease, making participants receptive and open to tackle what can sometimes be a heavy topic. Having “just a regular guy” come in to share his knowledge of mental health, sprinkled with personal anecdotes, made us feel like we were having a conversation with an old friend. We learned lots of great tips and tricks to prevent or deal and were inspired to talk about mental health more openly.

Great talk, Stéphane, thank you!”

Gabrielle Michaud,
Immigration, Refugees and Citizenship Canada / Government of Canada

If you or anyone you know wants to chat about mental health, I’m always happy to listen.
Spoiler alert, I’m not a professional and will probably recommend you talk to someone a bit more qualified.

Belonging to political tribes

As you can see, my frequency of posts on the SNC-Lavalin matter has declined. A bit because it seems like it’s not really that big of a deal. Ya, it’s probably not the best thing to have done, especially moving Wilson-Raybould out of that position, but in the scheme of things… shrug.

I’m concerned that perhaps my thoughts on it are biased because it’s “my tribe” and I’m just making excuses, but I’m not sure. It does seem a bit overblown. I mean, would I have preferred if it hadn’t happened? Yes. Do I think it’s sub-optimal and reflective of politics in general? Yup. Will this change how I vote? Probably not.

The “tribes” aspect is an interesting one. It reminded me of a blog post by Vincent St. Pierre about how you shouldn’t be a blogger. The problem is that many people, especially in politics, assume that if you blog or share thoughts that are not toeing the party line, you’re not loyal and don’t deserve a job in politics. I understand the appeal of having folks who will toe the party line all the time, even when not employed. You see it in many op-eds written by consultants/lobbyists (who are often former staffers) who will probably go back to the ranks of political staff after making good money for a bit.

I’ve had a few people who mentioned to me that my analysis is interesting, but they don’t understand why I’d “burn bridges”. I understand the concern. I guess I don’t feel I’m burning bridges, I’m just talking about what I feel and how I understand things to be.

If someone doesn’t want me as part of their team because I speak my mind (publicly when not part of an organization, privately when part of an organization), then perhaps I’m not right for that job/organization.

I prefer having a nuanced conversation about topics instead of just hurling talking points to others. I understand that’s not something you can do when you’re working for a party, but as individuals, we should acknowledge when things are or were sub-optimal and really try to find common ground. We should dig into the root causes of issues and how we can fix them together.

As a friend recently said, “Elevate your discourse, you piece of shit”

Is this the hill you want to die on?

Maybe it’s just me, but that’s a question I’ve been asked quite a few times. It’s a loaded question really, the implication is that if you don’t change your mind, you’ll “die”. That it would be foolish not to change your mind.

For me, it’s often a matter of principle. It’s about doing what I think is right, it’s about not compromising on ethics or values, or just not going along with ideas or plans I don’t believe in. It’s about being authentic.

It’s never as if you really die; the consequence is often something along the lines of not being part of a group, ending a friendship or relationship, leaving an organization, or leaving a job.

Maybe it’s idealistic or optimistic, but I think perhaps we should choose to “die” on hills more often.