
via positiva

security

Security misunderstandings. Argh.

This morning, someone wrote up a rather alarming little article that made it to Digg and subsequently hit the Drupal newsfeed. "Drupal struggle with security issues," it read, and proceeded to point out the alarming number of security advisories (14) published by Drupal's security team in 2007.

While it's true that security holes are bad, only three of those fourteen were bugs in Drupal. 11 of the 14 were bugs in third-party addon modules found by the Drupal security team crawling through the hundreds of addons, hunting for secholes. One was a bug in the previous version of a third-party library used by an even older version of a third-party Drupal plugin module. Three degrees of separation from Drupal's actual code, but the Drupal security team still sent out an advisory so that Drupal sites that happen to be running it would be aware of the potential danger.

The article, basically, doesn't seem to get it. It even implies that the latest bug in a third-party module is part of Drupal's core Forms API:

A critical security flaw was found in the database administration module and in the Drupal Form API.

In fact, the security advisory makes clear that the problem lay in the dba module not using Forms API to build its forms. Modules that DO use Forms API don't experience the problem that was found. Did the folks at BuildCMS not read the advisory? Or do they just not understand the difference?

The Drupal security team is a serious gang of nitpickers, and I mean that in the best possible way: I've been contacted by them about modules I wrote, just to answer questions about the intended purpose of several functions and how they were used in other areas. They had seen it in CVS, and wanted to double-check with me that I was only using certain APIs in the proper fashion to avoid potential secholes. And when they DO find problems in one of those third party modules, they generally try to work with the author to ensure that patches are released quickly. It's frustrating to see the monumental work they're doing for the community spun as 'a struggle with security.'

The article concludes with some silly FUD:

Community members are concerned Drupal, and start to wonder if security and documentations are left behind in an eager for new functionalities.

Aside from the stilted grammar, it's obvious that the author was phoning this article in. The security issues found by the secteam are universally cases of modules not using the existing secure APIs that are well-documented.

There are important security issues to be discussed in the Drupal community. There are sometimes high-priority security holes that are discovered and announced, along with fixes. There are important best practices for module developers to follow. And security IS an important consideration for site-builders when evaluating third-party plugins, as with any other project that supports addon modules.

But spinning the security team's diligence in hunting down issues and broadcasting alerts as 'big changes are making things less secure, Drupal is struggling!' indicates that the writer of the article is either clueless, or more concerned about grabbing page-views than educating readers.

Rasmus is a scary man

Rasmus is explaining how someone made a javascript trojan horse for webmail services that is capable of compromising your home firewall and turning your computer into a zombie. By reading email. It's been closed by Yahoo Mail, but I think I just heard everyone in the room gasp and shudder.

Rasmus' summary: "What this means is that you should never, ever click on a link."

Everyone laughed, but it was a nervous laugh.

He's going on to explain the essential nature of checking user input before you display it. The Drupal community has internalized the importance of that kind of filtering for a while, but there's still a large pool of folks that aren't familiar with the 'why' behind a lot of Drupal's more restrictive output management. It's good to see a speaker instilling some serious fear around the whole "Just whip out some code that does X..." approach.

Rasmus: "We should try to build software that, when it's badly configured, fails rather than exposing important information."
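The filtering Rasmus is describing, as an added example that is not code from the original post or from Drupal itself: the same comment-rendering step in PHP, once trusting stored input and once escaping it at output the way Drupal's check_plain() does (the function names and the comment record are constructed for the demonstration).

```php
<?php
// Added example, not code from the post or from Drupal: escape user data
// at the point it is written into HTML. plain_for_html() does what
// Drupal's check_plain() does; the comment record below is constructed.

// Escape the HTML metacharacters so user text is displayed, not parsed.
// Note the failure mode: on an invalid UTF-8 sequence htmlspecialchars()
// returns '' rather than emitting bytes it could not safely encode.
function plain_for_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Unsafe: interpolates stored values straight into markup, so anything a
// user typed (tags, event handlers, script) becomes part of the page.
function render_comment_unsafe(array $comment): string {
    return "<div class=\"comment\"><b>{$comment['author']}</b>: "
         . "{$comment['body']}</div>";
}

// Safe: every user-controlled value goes through the escaper on output.
// Storing the raw text is fine; the output context decides the escaping.
function render_comment_safe(array $comment): string {
    $author = plain_for_html($comment['author']);
    $body   = plain_for_html($comment['body']);
    return "<div class=\"comment\"><b>{$author}</b>: {$body}</div>";
}

// Constructed sample: an author name that injects a tag and a body that
// carries a script element.
$comment = [
    'author' => 'anon <b>admin</b>',
    'body'   => 'nice post <script>alert("xss")</script>',
];

$unsafe = render_comment_unsafe($comment);
$safe   = render_comment_safe($comment);

// A cheap regression check a module could keep in its tests: no
// user-supplied value may appear verbatim (angle brackets intact) in the
// rendered HTML.
function leaks_markup(string $html, array $comment): bool {
    foreach ($comment as $value) {
        if (strpos($html, $value) !== false) {
            return true;
        }
    }
    return false;
}

var_dump(leaks_markup($unsafe, $comment)); // the unsafe renderer leaks the raw tags
var_dump(leaks_markup($safe, $comment));   // the escaped output does not
```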

After explaining the huge frightening array of secholes that can be exploited, he popped up a "CMS Report Card" on all the CMS packages that are represented at the summit. Every single project had some sort of security hole. Drupal's was a bit esoteric, requiring Flash 8 and a copy of Internet Explorer.

Rasmus: "It's really hard to find a commercial CMS vendor whose site actually uses their product."

Interesting random bits: a bug in Flash 8, combined with IE, allows a Flash author to inject arbitrary content into the HTTP headers -- which doesn't seem like a problem, but the headers are often implicitly trusted, used for retrieving cookies, and even for mapping requests to virtualhosts. What does that mean? An attacker, with a malicious Flash file, can grab arbitrary cookies, jump over to other virtualhosts on the same machine, etc.

Acrobat also has similar holes -- I didn't realize that Yahoo had ripped out pdfs from their site entirely in order to avoid that sechole.
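The "implicitly trusted headers" point above, turned into the defensive check a server should make, as an added example that is not from the original post: the Host header is treated as untrusted input and resolved against an explicit allowlist, refusing the request (Rasmus' "fail rather than expose") when it is missing, malformed or unknown. The vhost names, paths and function names are constructed.

```php
<?php
// Added example (not from the original post): treat the Host header as
// untrusted input and resolve the virtual host from an explicit allowlist,
// failing closed when nothing matches. Names and paths are constructed.

// Allowlist of virtual hosts this server is willing to serve. Anything
// else is refused instead of falling through to a "default" site.
const KNOWN_VHOSTS = [
    'www.example.org'  => '/srv/sites/example.org',
    'blog.example.org' => '/srv/sites/blog',
];

// Normalize a Host header value: lowercase, drop the port, and reject
// anything that is not a plain DNS name (no paths, spaces, or CR/LF).
function normalize_host(string $raw): ?string {
    $host = strtolower(trim($raw));
    $host = preg_replace('/:\d+$/', '', $host);
    return preg_match('/^[a-z0-9.-]+$/', $host) === 1 ? $host : null;
}

// Pick the document root for a request. Returns null (deny) rather than a
// guess when the header is missing, malformed, or not on the allowlist.
// Cookies and anything else keyed by site are only read after this passes.
function resolve_vhost(array $headers, array $vhosts = KNOWN_VHOSTS): ?string {
    $lookup = array_change_key_case($headers, CASE_LOWER);
    if (!isset($lookup['host'])) {
        return null;
    }
    $host = normalize_host($lookup['host']);
    if ($host === null) {
        return null;
    }
    return $vhosts[$host] ?? null;
}

// Constructed requests: one legitimate, two that must be refused.
$cases = [
    ['Host' => 'www.example.org:80'],                // served
    ['Host' => 'intranet.example.org'],              // not on the allowlist
    ['Host' => "www.example.org\r\nX-Injected: 1"],  // CRLF smuggled into the value
];
foreach ($cases as $headers) {
    var_dump(resolve_vhost($headers));
}
```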

Rasmus: "When I'm surfing around to find hackable sites, I love to find hand-rolled CMS systems. I know I can hack them in a heartbeat. If I see a site is running on Drupal, or Joomla!, or another CMS? I know there may be a hole, but as soon as they fix that hole, everyone using them is safe."

The lesson? Don't write your own CMS. You have better things to do with your life.

Loose lips sink ships

So it looks like Scooter Libby got orders to leak classified information to the New York Times. From President Bush by way of Cheney, according to his testimony.

Libby's participation in a critical conversation with Miller on July 8, 2003 "occurred only after the vice president advised defendant that the president specifically had authorized defendant to disclose certain information in the National Intelligence Estimate," the papers by Special Counsel Patrick Fitzgerald stated. The filing did not specify the "certain information." --Fox News

In other words, this doesn't necessarily relate to the Plame leak. It is interesting, though, and raises a number of fascinating secondary questions. Specifically, the issue of leaking classified information, how it's justified, and whether it is ever acceptable. There are, I think, at least three distinct ways of looking at it:

  1. Leaking classified information is always morally wrong, period, end of story, and should be punished. (The 'absolutist' position)
  2. Leaking classified information is acceptable if
    1. it is used to expose wrongdoing,
    2. the damage done by the wrongdoing is greater than the damage done by the leak, and
    3. the person leaking the information is otherwise unable to stop the wrongdoing.

    (The 'whistleblower' position)

  3. Leaking classified information is acceptable if the person leaking ranks high enough in the government that their decision amounts to ad-hoc declassification. (The 'judgement call' position)

The conflicting cases of the Plame leak and the NSA surveillance leaks reveal the interesting schisms between these three views. Both Democrats and Republicans tend to use the rhetoric of the absolutist position. Based on what instances they choose to complain about, however, they seem to be motivated by the whistleblower and judgement call positions, respectively. I tend to favor the whistleblower position. Why? Allowing the 'judgement call' position to be adopted basically gives our elected officials the ability to use classification as a political weapon -- a poison pill-trap that only they are immune to. Documents can be classified, then leaked selectively. Those who attempt to learn the context -- and reveal potential lies of omission -- enjoy no such immunity and can then be prosecuted.

The 'whistleblower' exception works in the opposite direction. If restricted information is leaked by an individual seeking to 'right a wrong,' and the full context makes it clear that no wrong was in fact done, declassifying the document will reveal the truth. I can see a case being made for all three positions, but I think there's a much greater danger of abuse in both the 'absolutist' and 'judgement call' scenarios. Recognizing the danger of human corruption, and the lure of power-for-power's sake, has always struck me as an essential tenet of true conservatism.

EDIT: Gary Farber on Obsidian Wings offers some helpful clarification. It IS true that the President has complete legal authority over what is classified and what is not. In my mind, the fundamental question is not so much about legal authority but the moral, ethical, and democratic concerns raised by the use of classification as a tool of rhetoric. In the 'poison pill' case I mention above, the reason for shifting classification is not to preserve national security, but to control the information landscape and thus the outcome of a national debate. Winners write history, and Classifying Authorities write the present, one might say.
