>Some of these problems are inherent to PHP
Also the availability of eval() and base64 encoding and decoding functions in PHP were blamed for the problems. You can find these statements if you read through the whole thread.
> Some of these problems are inherent to PHP
You'd have to actually run the scripts embedded with real-life parameters in order to observe any malicious behavior.
in case you missed it: http://news.ycombinator.com/item?id=2129745
How will you detect that with a scan?
For example, in your Wordpress template, put the following snippet in:
<?php echo urldecode('%68%74%74%70%3A%2F%2F%67%6F%6F%67%6C%65%2E%63%6F%6D');
Okay. So how about looking for urldecode (a perfectly useful function, with uses not restricted to hacking)?
It's a game you're not going to win.
Wordpress themes are a double-edged sword--Wordpress became what it is today because of the flexibility that themes provide, but it comes at a cost. Other theming engines traded flexibility for security, and as a result aren't nearly as popular.
You're assuming that there is some supreme Rendering Engine which maps code to a single canonical output. In reality, every browser renders things slightly differently and a malicious script would take advantage of that (while rendering things "normally" for the scanner). See also: cloaking (http://en.wikipedia.org/w/index.php?title=Cloaking&oldid...)
It's just a matter of time before everything we currently consider "secure" is cracked; I reckon that eventually they'll have computers that can bruteforce 2048-bit encryption keys (and I've seen all of the theoretical calculations about the computing power needed to do that, so we don't need to repeat that here) in a day or less. That doesn't mean we shouldn't make the best of what we have at our disposal, whether that's encryption or detection techniques to catch at least some bad guys.
Scanning a piece of code to try and decide if it is "malicious" or not is essentially the halting problem, which is impossible to solve. As long as you have a system where you install third-party code you are screwed, no matter what the base language is.
It wouldn't be hard to design an HTML templating system that would never render the string "<script", to provide an overly simple example. Making such a system popular enough that malicious themes are an issue worth worrying about is left as an exercise for the reader.
Anti-virus and anti-spam applications can never be 100% effective either, but we use those because they're useful on occasions where they do work. Should we give those up altogether because, since the virus writers merely have to look up circumvention techniques, it's a waste of programmer time?
An automated scanner in core might temporarily relieve some of the current techniques of spammers but it would be trivial to vary obfuscation to evade any automated check, and I worry more about the false sense of security they would provide. A built-in automated checker would not make it safe for you to Google around random sites and install their software to execute on your server.
On the plus side, we now have over 1,300 themes in our official repository and every single one of them has been verified by hand.
TAC (Theme Authenticity Checker) isn't a bad place to start searching for malicious code: http://builtbackwards.com/projects/tac/
However, the only real solution to this problem is to run a limited set of extremely trustworthy plugins and build your own themes.
1) Anything linked outside of the domain.
3) Anything encrypted.
Let me know if I missed anything.
Do you scan the CSS for url() references outside of the domain?
Most of the time I use a Wordpress theme as a starting point, rewriting some parts and looking over all of the code.
Also, mentioned above, securing the theme against injections and XSS is important.
OSS doesn't mean somebody else audited it for you.
I understand the point you're making here, Patrick, but it does feel slightly hypocritical for you to deride something as "not fine" when it seems to suit your needs just "fine."
Is it shady? Yes.
Would I want it running on my server? Absolutely not.
Is the code running a backdoor that lets the attackers execute shell commands? We don't know.
Obfuscation like this could be used for any number of things. Themes sometimes have credits at the bottom (i.e., "This theme created by John Smith"): the obfuscation could be an attempt to keep people from finding/removing the credit. It can also be used to include shady backlinks to other sites. And as I mentioned before, it could be used to allow arbitrary code execution. It's all a matter of degrees, and it DOES matter which it is: one is dangerous and the others are just shady.
I think WP would be better off if it just automatically pruned these calls at the time of import, and if it breaks the theme, maybe the author should consider being more honest.
I'm not saying that there's isn't a difference between code that's merely obnoxious and code that's actively damaging, but rather that both should be discouraged whenever possible.
I was simply suggesting a more benign reason why this code might exist: I'm not defending it. ;)
What calls do you suggest Wordpress disallow though? Eval isn't the only way to execute a string as PHP code ;)
I'd like to see that same analysis now that you've brought it up just for the sake of pure curiosity. WP powers a good chunk of the blogosphere (including The New York Times website) out there now, and this kind of data could get some very good discussion going.
Gawker run a custom platform, not Wordpress.
I have entered a period in my life where I only trust static code. I write all content in a meta markup language, I run a static page compiler on the directory structure and upload the created html and resources to the server.
Somehow, I don't think the Wordpress app store is going to make much progress at Automattic. It will require them to put in considerable resources to policing the code than improving the core.
The other way is to have a the Wordpress core bootstrap allow only a whitelist of functions to be called, which would have the effect to severly curtailing the flexibility that is required by plugin/theme developers.
Mind you, these problems are there not just with PHP/Wordpress. You can have the same issues with Chrome/Firefox extensions, bookmarkelets and most of the add-on models where you are running code that has not been subject of a decent audit.
The trouble for Wordpress/PHP is the footprint they have on the web now, which makes them pre-Vista/7 days for Microsoft on the web. You could probably do similar nasty things with a fancy jQuery plugin, but it is much better bang for the for the buck for the evil guy to have a go at something that is so widely installed and used by a large number of people who would not know it even if you were to show them code that does nasty things.
On other hand, a certified/curated theme/plugin/app store for all ecosystems that follow the reactive model to policing add-ons is a great idea for a start-up. I have been amused that nobody's done it so far. I know there are directories, but they don't test/audit the apps. Someone should give it a shot.
I personally don't like to use software projects which aren't Free / Open Source (meaning that the full, unobfuscated source code is available and you are free to do what you like with it) - but I think it would be a stretch to say that distributing binaries or obfuscated code is automatically shady. You have to trust the person that makes the site, but asking someone to trust you is not synonymous with shady unless you then violate that trust.
Of course, if the sites are plagiarising other people's work without a license, including malicious code, or misleading people about what the code does or doesn't do, then there is a legitimate concern.
Better performance + security and you can use Textile!
Also, did the tone of the article bother anyone else? It made me cringe after every few phrases.
Yes, but if the "base64_decode" function is being used in the PHP code for the theme, chances are that it's being used to hide something.
Despite my warnings to users and trying to get Google to put that site into their security blocklist (never happened) I can now search for and find hundreds of sites that have these spam links from using those bad copies.
I actually worry more about the cheap but commercial modules, vs. the free/open source ones. With open source modules, chances are someone has perused the code looking for any signs of mischief. With the commercial code, often authored in another country, who knows?
Absolutely. It's common to all these programs because they all use the LAMP architecture, which includes PHP (eval() and base64_encode()) and an inability to securely partition the data (can't have multiple users in the DB).
At least Python, Ruby and Perl have those functions too. The problem is not related to PHP being able to eval(), it's:
1. Inadequate usage of PHP as template engine, where templates are coming from untrusted sources. Think of this as very extended case of non-sanitizing user input.
2. "Dancing bunnies"-type problem. A lot of users don't understand what they are doing. They are promised they would get a nice theme, so they install it.
> can't have multiple users in the DB
Wrong, it's perfectly possible. Unless you are stuck with some god-forsaken cheap crappy LAMP hosting.
Disclaimer: I don't like PHP at all, and I try to avoid it. Experts say, and I totally agree that there are a lot of various problems in LAMP ecosystem, but they lie in very different direction.
I thought so too, but in practice it doesn't work (I proposed it to them a while back).
Wordpress stores database credentials as globals. Even if you gave each plugin its own permissions, they could always go straight to the superuser account for that database.
PHP doesn't have a DB, and MySQL sure as hell allows multiple users.
Make every theme/plugin author create a private key to sign their releases. Their public key will be available on their profile page and via API. Wordpress will notify you if the public key for an author has changed or if a release signature doesn't match the public key.
Why is this not done?
(Also in other software that uses plugins and is updated easily over the internet.)
If you are a motivated attacker you can compromise a plugin author's PC or server and silently push a backdoor to a whole lot of people.
Signed releases are commonplace. It would make sense to require them in most plugin systems, especially those with central plugin repositories and lots of users.
It took me around 5 minutes to:
1) open footer.php
2) echo base64_decode('code')
3) take out all of the links and paste the rest of the code in the footer.
Anyway, just stick to wordpress.org/extend/themes - those themes are all under the scrutiny of the community and there's a group of peoe who are ramping up to do code reviews on them.
I'm not terribly familiar with Lua sandboxing, but a cursory overview suggests that absolutely nothing would prevent it from including similar nastiness if used in display code.
In any case, something like a website theme in any language, can always display HTML that is at least that hidden. So sure, kill base64_decode in php, but as long as you have a Turing-complete language which is at least moderately inevitable if you allow any logic in your templating system at all and you can implement the equivalent trivially.
If you completely neuter your templating system, then do something like include inline base 64 in CSS as image data, decode & exec using JS. Google's spiders will run JS now, unless I'm mistaken, so that's just as good from an SEO standpoint.
You're comparing apples and oranges here. You can run PHP in "safe mode", as many shared hosts do, to prevent shell access and disk access by PHP code.
The only problem here is one of misplaced trust (and perhaps WordPress allowing PHP in templates instead of using a dedicated templating language). People installing WordPress templates generally a) don't care where they come from and b) don't even read the source code, so this theme could probably include such links without any obfuscation and still successfully spread.
No, but the problem is that the spammy code is being obfuscated using eval() and base64 encoding.
> You can run PHP in "safe mode", as many shared hosts do, to prevent shell access and disk access by PHP code.
Sure, so why have other unsafe methods?
I agree that social attacks cannot be completely prevented through technical means, but there's no reason to make it easy.
edit: why the downvotes? Are these functions truly indispensable for this particular domain?
PHP is meant to be. OK, I'm cheating and saying how it ought to have been with the benefit of hindsight. But the next web language will hopefully take these experiences into account.
Basically for printing out some text on the website, it doesn't matter whether you're running
<? echo eval($encrypted_code) ?>
Sam Ruby made this same point, and he said it much better than I can hope to (he is responding to Matt Mullenweg in the comments):
"Those that contribute to PHP apparently feel the most pain concerning support of multiple versions. Yes, you can argue that they brought this upon themselves; but it is worth noting that at this point you are along for the ride. When I’m in similar circumstances, I tend to consider the karma implications of cursing the driver. In any case, some people who are along for the ride with WordPress happened to cross my path yesterday. Perhaps you are in a position where you can help them. To my eyes, I see a bug that was reported on WordPress 2.1, and the milestone on that defect is currently set to 2.3. Hopefully the users affected won’t have a tendency to kick, or scream, or rant too much."
There is another way to look at this. Microsoft has faced 30 years of criticism of its decision to promote features rather than security, a problem that began with DOS and lasted at least until Vista showed up.
That same type of criticism can and should be made against the WordPress team. They promote features to make the user experience pleasant, but their attitude towards security has been horrible.
What can they do? They can automate the test that Siobhan Ambrose does in the above article linked to by this thread. At the very least, WordPress can search a theme for Base64, so that when you try to activate the theme, you get a warning:
"These templates contain Base64, which may be masking malicious code. Do you wish to proceed?"
Again, it was the choice of the WordPress team to use PHP, so they must take responsibility for the choice of language. As Sam Ruby said, "It is worth noting that at this point you are along for the ride. When I’m in similar circumstances, I tend to consider the karma implications of cursing the driver"
More so, WordPress became popular because it was easy for designers to work with, and the WordPress team has certainly participated, and encouraged, the creation of a culture in which the promiscuous sharing of templates seems normal.
It is irresponsible of the WordPress team to ignore the security issues that this raises.
"If I were to run COBOL code from untrusted sources on my server you can forget about security."
That is why there should be a warning about untrusted code. Are you trying to let WordPress off the hook? Their attitude toward security has been horrible and they should be called out on it. I quote myself:
It doesn't matter if WordPress is written in PHP or COBOL, the team developing the software should make some attempt to address its many security flaws.
Please consider the odd use of the word "disrespectful" in this paragraph:
"It seems fundamentally disrespectful to users who are simply caught in the crossfire of a political power move their neither know or care about. PHP core has never shown any particular regard for its biggest apps, as evidenced by the above bug and others, so I’m not sure why we should go out of our way to promote their upgrade. PHP 6 sounds much more compelling."
That is Matt Mullenweg. Please note that his statement can be turned on its head. I could write:
"It seems fundamentally disrespectful to users to create software for them that has lots of fun features but no security."
"That is why there should be a warning about untrusted code."
What is the counter-argument, that WordPress should do nothing about the fact that the templates allow the execution of arbitrary code?
"It doesn't matter if WordPress is written in PHP or COBOL, the team developing the software should make some attempt to address its many security flaws."
What is the counter-argument, that WordPress has no responsibility for the security flaws in WordPress?
Basically my point is this: every bit of software you run on your web server is a security risk. You shouldn't run themes, or any code, really that come from sources you don't trust unless you audit it completely. I don't think the blame really lies with PHP or Wordpress in this case.
"Yes, you can argue that they brought this upon themselves; but it is worth noting that at this point you are along for the ride. When I’m in similar circumstances, I tend to consider the karma implications of cursing the driver."
That is good, and necessary, advice for any software project.
Andrew van der Stock writes:
For some time, I’ve been worried about the direction of PHP. As many of you know, I helped write XMB Forum and now help write UltimaBB. XMB in particular is an old code base, and UltimaBB, a descendant from XMB. I’ve done a lot to protect that code base from attack, and luckily, we’ve been missed despite some doozy and silly security issues. After writing PHP forum software for three years now, I’ve come to the conclusion that it is basically impossible for normal programmers to write secure PHP code. It takes far too much effort.
PHP needs a proper security architecture, and support for newbie programmers. PHP’s raison d’etre is that it is simple to pick up and make it do something useful. There needs to be a major push by the PHP Development team to take this advantage, and make it safe for the likely level of programmers – newbies. Newbies have zero chance of writing secure software unless their language is safe.
Think about Logo for a minute. Logo can do some interesting things, but it is not a commercially useful language because it cannot do much. But it is an excellent teaching language. PHP is like Logo – it’s a simple and easy way to get into serious web development. It is possible to write large applications in PHP, so it is useful at that level. But it is inherently unsafe as it can do far, far more than Logo.
There are so many ways to break PHP that it is impossible for even experienced security professionals like me to code in it securely all the time. There are nearly 4000 function calls, and many of them have unintended consequences or have been inappropriately extended by something else.
Tim Bray put together a collection of links regarding criticism of PHP:
On that page, there is this from Dominic Mitchell:
"I’m in 100% agreement with you about the whole PHP thing. Every time I’ve looked at PHP, I’ve been unable to find out how they use placeholders in code that talks to the database. Yes, every database adaptor provides a quote function, but nobody uses it (consistently). And people wonder why PHP code is always full of security holes. It’s a real shame, as I can see that there’s a lot to like in PHP. But it really needs to clean its act up to appeal to people coming from other programming languages, instead of just people coming from dreamweaver. I actually heard David Heinemeier Hansson (sp?) talking about rails the other day. One of the key points he made is that it should be easy to do the right thing. That’s why Rails hits a sweet spot for me. But when you look at PHP, yes, it’s easy to code, but it’s not easy to do the right thing. That’s where it falls down."
The point that Hansson makes about Ruby is worth thinking about in the context of PHP security. Does PHP make it easy to write secure code? Does it help programmers do the right thing? The defaults in PHP, and the underlying assumptions of PHP, all tend in what direction?
Of those links, Jonas Maurus's post is also well worth reading:
Aristotle Pagaltzis sums up the underlying problem:
"All of these flaws are interconnected; the morass is simply the result of the language being a templating system that grew too big for its breeches. I don’t believe the problems can be corrected in any sensible fashion; PHP will always be a templating system, however much it may be straining against its clothes.
And let me tell you, it’s still a great templating system! If all you need is to write a web app that consists of two pages, running four queries over a five-table database, there is nothing that will get you up and running faster."
The question at hand isn't whether it's easy or hard for someone to write secure code in PHP (my opinion: it's not easy, but it's certainly possible). The issue brought up in the article is that a lot of the top search results for "Free Wordpress Templates" lead you to templates containing obfuscated code, some of it malicious. That isn't a language issue: as many people have pointed out to you, it's a consequence of running untrusted code.
My personal take is that this is a case befitting the quote "with great power comes great responsibility." That is, the people running Wordpress blogs need to be aware of the risks when they install plugins or themes. The Wordpress team has built tools into Wordpress that encourage people to download and update plugins and themes from Wordpress.org, which is seemingly more legitimate than these random sites (I'm not sure if there's a formal evaluation process for plugins/themes submitted there). Beyond that though, I don't think it's the fault of the Wordpress developers if people choose, whether out of ignorance or carelessness, to download and install random themes from the Internet. I mean, I don't blame Microsoft if I go searching for "free [software name]" and end up downloading a virus. ;-)
On the other hand, if you're running your own web application, you're responsible for it, just the same way you're responsible for your computer. As I said, I don't blame Microsoft if I download random software and that software does malicious things. Similarly, I don't blame Wordpress or Automattic if I download a random theme and it contains malicious code.
My criticism of the WordPress team follows the same logic as the criticism of Microsoft. Since Microsoft came up with an OS that had a lot of security flaws, it was reasonable for people to criticize Microsoft for those flaws. And since the WordPress team is producing software that also has flaws, it is reasonable to criticize the WordPress team for the flaws in the software they produce.
The only concrete charge you bring forth here is to the practise of using string concatenation for sql parameters. Since v. 5.1 (Which is something like 5 years old .. in Internetyears, that's one century), PDO has been the default db-access layer, and it supports bound parameters.
Oh, and I've seen plenty of unescaped string concatenation in Rails apps too. It's a developer issue - not a language issue.
The (painful) solution is to throw away current templating approach, and use some template engine instead. A bit less painful solution would be a compiler from some restricted language to current PHP-based templates, and declaring current approach deprecated, warning users of problems and highly discouraging them from using any untrusted PHP code.
What can they do? At the very least, they can automate the test that Siobhan Ambrose does in the above article linked to by this thread.
Ideally, at some point soon they will recognize some of the dangers that arise from using such an easy-to-set-up language as PHP, and they will recognize that they appeal to a largely non-technical audience, and they will start taking some responsibility for their choices, and their success.
In what way? You don't seem to understand how useless black-list codescanning is, a competent malicious programmer will find ways around those in minutes.
> Ideally, at some point soon they will recognize some of the dangers that arise from using such an easy-to-set-up language as PHP
Dangers such as?
"Dangers such as?"
I find it hard to believe that you do not know the dangers. Please google "php sucks" or "php security" and you will discover thousands of articles that address what I referenced above when I wrote "the dangers that arise from using such an easy-to-set-up language as PHP".
I also just posted a long comment up above in this thread, where I post quotes from several articles that have described the insecurity and disorganization that PHP makes so easy to achieve. You can view it here:
But PHP has more than a few security bugs: in many ways PHP is fundamentally flawed. The program, whose initials originally stood for Personal Home Page, was designed without much thought given to security. Many of the PHP features that make it really easy to write a Web application also make it really difficult to write one that's secure.
All of this matters just now because Stefan Esser, the founder of the Hardened-PHP Project and the PHP Security Response Team (which he recently quit), has threatened to make March the "month of PHP bugs." By that, Esser means that he is going to be releasing a series of security bugs in March that show the world just how unsecure PHP actually is.
What's driving Esser is both a desire to make PHP more secure and a good touch of anger and resentment at the current PHP developers who have taken many of his security patches and incorporated them into the program without giving Esser any credit. You can read more about his motivations in his blog entry and in the interview that he did with Security Focus.
How will this affect users of the Web? Well, a recent "Month of Bugs" project aimed at Apple identified a number of security problems that the company was apparently unaware of, but it didn't result in any serious worms or threats to Apple users. This month of PHP bugs might be a similar bust. On the other hand, Apple was able to push out a fix to these problems using the Mac OS Software Update feature. PHP has no such feature, and many ISPs run kind of elderly (and buggy) versions of the program.
For example: http://api.rubyonrails.org/classes/ActiveSupport/Base64.html
Yes, it's possible to do, but much harder than eval'ing a string in the resource file.
The examples from this article are all essentially malicious third-party code. No language will save you from that.
None of these suggestions are worth a damn until the WordPress team acknowledges that WordPress security is a major problem, one that should be a top priority for them.
"Wordpress grew out of b2"
That is simply a less direct way of saying what I wrote:
"The WordPress team has decided to work with PHP"
You phrase things in a passive voice so it seems as if no human made a conscious decision to work with PHP. In fact, the history of WordPress, like the history of any software project, is the history of active humans making conscious decisions.
You also write:
"At the time LAMP was pretty much all there was"
I'm not sure what you mean by that. At that time, a loud chorus of people were praising Zope, written in Python. Microsoft had ASP. The most popular blog platform, at that time, was MoveableType, written in Perl. There was a ton of free software available in Perl. And there was a whole of lot of projects happening in the world of Java. There were many choices. You seem to be re-writing history to make it sound as if the WordPress team had no choice but to use PHP.
Anyway, even if you were right, would that lessen their responsibility for creating software that is serious about security?
ASP, Zope... Java? Part of why WordPress exists is so people don't have to concern themselves with high level frameworks/setups.
You can blame all of WordPress's issues on the language it's written in, but that's a bit of a red herring. WordPress is the largest blog engine in terms of overall deployment; MoveableType (and others) have had their own share of security vulnerabilities, but WordPress sees it more due to their massive install base. Most other blog frameworks and engines tend to benefit from "security through obscurity".
While PHP is a flawed language, yes, it's certainly not the core issue here. Anything done in this article could be pulled off in another blog engine with relative ease, especially considering this is people who don't really program and are installing/running arbitrary code.
"Woah there, Captain 'Death to PHP'."
I can not imagine what would cause you to write this. I use PHP in almost all of my work. All of my major websites are written in PHP. However, I do try to take security seriously. The small regard that the WordPress team has shown for security is unacceptable.
To point out that the WordPress team had language options in no way implies that I disagree with the language they chose, it simply shows that their choice was a conscious choice over which they must take responsibility. I was responding to a comment that implied that the WordPress team had no power to make a choice other than what they made.
I am curious, too, that you would criticize what I wrote, yet you offer no criticism of "At the time LAMP was pretty much all there was." The sentence I was responding to was flatly, factually wrong.
"Absolutely none of those projects, even the ones written in Perl, were as easy to set up as WordPress was (and still is)."
That is one of the problems that arises naturally from the use of PHP - it is easy to set up. As such, you end up with a lot of non-technical people using it. And that is one of the biggest reasons why special attention should be paid to security -- the fact that WordPress is the kind of software that appeals to a crowd that is largely non-technical.
"At the time LAMP was pretty much all there was. For the time their decisions were reasonable."
At no point did I suggest that their choice was unreasonable. However, I have suggested that they made a choice, that is, a conscious decision, and one where they had several options. Like any human being who makes an uncoerced decision, they have a responsibility for the decision they have made. In creating the WordPress software, the WordPress team must take responsibility for for any flaw in WordPress, regardless of what layer that flaw arises from. Again, I would quote the very good advice that Sam Ruby gave to Matt Mullenweg:
The statement that ""At the time LAMP was pretty much all there was" is simply wrong -- flatly and factually incorrect. There were options. But the WordPress team built WordPress using PHP. I see nothing wrong with that decision, but having made it, the WordPress team must accept all the consequences of that decision.
The underlying issue is the poor security in WordPress. The team in charge of WordPress has not shown a great concern for security. We must criticize them for giving security such a low priority. They need to change their attitude.
I could have qualified it better, certainly. "At the time LAMP was the dominant platform and almost every shared host offered LAMP and only LAMP, a condition which has only in the past 3 years begun to change".
> The underlying issue is the poor security in WordPress. The team in charge of WordPress has not shown a great concern for security. We must criticize them for giving security such a low priority. They need to change their attitude.
And I do. Some of the bugs that get closed are astonishing. Wordpress is developed without automatic tests, security fixes are never backported (you always have to upgrade -- getting new features that might have new bugs -- to get the fix), the focus of effort is almost exclusively on new features and not on closing issues in the tracker (though this seems to be improving).
That puts the responsibility where it belongs.
If one person "misreads" you, it's their problem. If everyone "misreads" you, it's your problem.
All the same, I'm happy to explain myself at greater length, and I've made some attempt to do so in this thread.
Still, you raise an interesting issue. It is rare to see anyone on Hacker New write "I'm not sure I understood you, could you please clarify what you wrote?" What is more common is to downvote a comment. A request for clarity might advance the conversation, whereas a downvote tends to bury a conversation. Among friends who trust each other, the more common reaction would be "Could you clarify that?" So downvoting becomes, in some sense, a measure of the distrust on HN, or, at least, a measure of the maximum level of good faith we are willing to extend to one another when reading one another.
The thing that surprises me is that the tendency to bury a conversation is so strong, as opposed to the desire to extend a conversation.
I predict that Matt Mullenweg will be here within minutes to be all cheerful and helpful. Hello Matt!
edit: I realise it's a snide remark, but I've been running Wordpress sites since 2005 and I have an excellent storehouse of corrosive hatred built up at this point.