Shellshock, Documentation, and a poorly chosen TLA

Lightning in a Bottle SEPTEMBER 26, 2014

Greetings from Sofia, Bulgaria! I'm here for WordCamp Europe, 1,900+ Pressers gathered together to geek out for the weekend. This is going to be a fun weekend. :) Before I dive into the festivities though, let's take a look around the ecosystem and see what is going on.


Shellshock - A bad vulnerability without its own logo

System administrators around the world are spending their weekend patching servers as another major security vulnerability rocks the web. (Unlike Heartbleed, this one does not have its own logo; the marketing department is slacking.) InfoWorld has a great write-up titled "Four no-bull facts about the Shellshock Bash bug".

In barely the course of a day, word of the Shellshock exploit has reached Heartbleed-level proportions. But like any security hole du jour, it's easy to see only the hype and not the hard truth. Here are four of the most crucial details about Shellshock and its implications.

Give it a read, then go interrupt your system administrator to see if she/he has patched your server yet. I know they will appreciate your concern. If you host your websites with Pantheon, ignore the above dire warning; we've got your back. We patched the entire system on Wednesday.

SIDE NOTE: Care to guess how many IoT devices you own that have Bash embedded? I bet your guess is low. 


Exploring The Picture Element Module (part 1)

Our friends at Mediacurrent are at it again; they are creating interesting content for designers and developers. This time, Mario Hernandez has written up his thoughts on HTML's new picture element.

Responsive Web Design, or RWD, has come a long way since it was first introduced in 2010, and you would think that by now, given the popularity of the subject, all things have been sorted out and all questions have been answered. Not quite. RWD is a moving target that continues to evolve, but for the most part the majority of the techniques used to accomplish the goal of an adaptable website are unquestionable except one: images.

If you've not explored the new picture element, give this article a look.


is now forced SSL

Andrew Nacin has written up a short description of a project to improve

In the last week, we transitioned almost all of to load over SSL.

In the coming weeks, any redirects that are temporary will become permanent, and we’ll be adding HTTP Strict Transport Security (HSTS).

He gives a few tips for updating any scripts you may have that the move breaks.


The Process and Progress of Agile Design

Allison Manley of Palantir has written a post for their blog on Agile Design.

In my first year working at Palantir as a Project Manager, I’ve learned a lot about the Agile process in regards to development. I had worked with it from a distance at my previous job, but this was my first experience working with it on a consistent and immersive basis.

Even if you are not a designer, this is a good article to read. While you are there, leave her a comment giving your thoughts.


My First-Time User Experience (FUX) as a UX Designer

Over at Door3, Jorge Brake coins a most unfortunate-sounding TLA to describe the first time a user experiences your product.

Like the first time you experience pretty much anything - a restaurant, a city, or a mobile app - entering a new industry can be exciting and equally daunting. First impressions can be lasting, causing you to quickly write off a restaurant or uninstall that new app you just downloaded. So, first-time user experiences (FUX) are an integral part of any user experience journey, and my first-time experience with UX Design has been no different. Below I compare basic FUX tips with my first-time experience as a UX Designer.

The buzzword aside, this is an interesting article worthy of the few minutes it will take you to read it.


We’ve moved the SVN and Trac firehose mailing lists to

The prolific Andrew Nacin makes his second appearance in this edition of LiaB with a quick piece describing another change over at

We’ve moved the SVN and Trac firehose mailing lists to, from the legacy If all goes well, we’ll move the rest of them over as well.

That sound you heard last week was the sound of Pressers' mailboxes filling up as rules designed to handle the flood of emails all failed in an instant.


How Much Documentation Is Enough?

Drupal developer Derek Reese weighs in on the important question "How much documentation is enough?"

Code is documentation? Slow down, speedy! However, documentation is simply a collection of documents, and a document is a written or drawn representation of thoughts. That is exactly what code is: a written representation of thoughts that we plan on CPUs, and most importantly, other programmers, reading. That means the reverse can be true too: documentation is code.

What are your thoughts? 


Leveling-up with WordPress: Great videos for developers

If you have ever been to a WordCamp, you are probably aware that most sessions are recorded and posted on If you've yet to attend a WordCamp, you may not be aware of this fantastic resource.

WordCamps are a great place to jump-start your education in the world of WordPress development, or build upon your current skills to make even greater plugins and themes. Here are some recent videos from WordCamp Asheville and WordCamp Vancouver focused on how you can polish your development skills.

Pick a video and watch it over lunch one day. There are a lot of great topics and talks to choose from.


The anatomy of a security breach, and how to do good in a bad situation

Brian Krogsgard writes an excellent - if scathing - wrap-up of iThemes' recent security breach.

On Tuesday, iThemes posted an announcement that they had suffered from a security breach of their website and servers. The attackers had reached the servers which stored customer information, including email addresses, IP addresses, full names, and yes, passwords.

iThemes was quick to notify customers via their blog, social media, and their full customer email list about the breach. Approximately 60,000 users were affected. They warned that passwords were vulnerable. In the second update, posted today, they gave more information about passwords, in response to many questions from users.

It turns out that passwords were stored in plaintext on iThemes’ server. That is, obviously, very bad practice.

Brian's writeup is fair and the criticisms leveled against iThemes are deserved. Regardless of other things going on, they knew that the passwords were stored in plaintext and prioritized other tasks over fixing this issue. One would expect better from a company like iThemes.
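What "fixing this issue" looks like in practice, as an added example that is not from the original post or from iThemes: a login routine that verifies against a store still holding legacy plaintext records and transparently replaces each one with a salted, slow hash the first time that user logs in successfully. The `$users` array, its record layout and the `loginAndMigrate` helper name are all constructed for this illustration.

```php
<?php
// Added example: lazy migration from plaintext passwords to password_hash().
// The store below is constructed for the demo; a real site would read and
// write these records from its database inside the same function.
declare(strict_types=1);

// One legacy plaintext record (the iThemes situation) and one already hashed.
$users = [
    'alice' => ['password' => 'correct horse battery staple', 'hashed' => false],
    'bob'   => ['password' => password_hash('hunter2', PASSWORD_DEFAULT), 'hashed' => true],
];

/**
 * Verify a login attempt. On success, any plaintext record is replaced with a
 * bcrypt hash, and an existing hash is upgraded if the default cost has risen.
 * (Hypothetical helper name; not part of any real project.)
 */
function loginAndMigrate(array &$users, string $name, string $candidate): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $record = &$users[$name];

    if ($record['hashed']) {
        if (!password_verify($candidate, $record['password'])) {
            return false;
        }
        // Keep old hashes current as PHP raises the default cost/algorithm.
        if (password_needs_rehash($record['password'], PASSWORD_DEFAULT)) {
            $record['password'] = password_hash($candidate, PASSWORD_DEFAULT);
        }
        return true;
    }

    // Legacy plaintext record: constant-time compare, then hash and overwrite
    // the plaintext so it never has to be stored again.
    if (!hash_equals($record['password'], $candidate)) {
        return false;
    }
    $record['password'] = password_hash($candidate, PASSWORD_DEFAULT);
    $record['hashed']   = true;
    return true;
}

var_dump(loginAndMigrate($users, 'alice', 'correct horse battery staple'));
var_dump($users['alice']['hashed']);
var_dump(loginAndMigrate($users, 'alice', 'wrong password'));
```

Lazy migration only reaches users who log in, so records that stay idle remain plaintext; after a breach like this one, a forced reset of every account is still required on top of it.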


Finally, let's close with something a little different. My good friend Mr. Brandon Savage - recognized as a teacher of all things object-oriented in the PHP community - has penned a great post for his blog titled "Making your development process suck less".

One of the easiest ways to start an argument in developer circles is to propose making a change to the development process. The means of developing applications is so crucial to the process of developing software that everybody has an opinion, and they’re convinced that they’re right.

Brandon offers good advice to developers and development managers alike. Give it a read.

Until next week!

