Category Archives: blogging

Kim Cameron hacked, commenters make fools of themselves

Kim Cameron has an amusing post on the aftermath of his blog being hacked and defaced over the weekend.

The reason for the hack: a security bug in WordPress. More proof of the problem posed by millions of apps out there on the internet with no update mechanism in place. Security fixes are made available, but not applied. WordPress has improved this somewhat by introducing an alert when you log in to an out-of-date installation, but it needs to go further and provide something more automated. Personally I recommend the Subversion install, for those with command-line access; I used it for the 2.3.1 update and it worked well.

But I digress. The amusing part of Cameron’s post is his link to the comments on a news report describing the defacement. I believe in the value of comments, but some of the leading news sites are afflicted by knee-jerk commenters with time on their hands, who twist every post into another salvo in the OS wars. A news item about a Microsoft “security” expert being hacked seemed an ideal candidate (though I don’t believe identity is the same as security). “This is a shining example why you should host on Linux + Apache,” says one comment.

As Cameron observes, his site and blog are hosted by a third party and run on FreeBSD + Apache.

Conclusions? First, the thoughtless commenters on this kind of site are doing the community a disservice, by discouraging others with more interesting contributions.

Second, it shows what some have to put up with just because of their association with a particular company.

Third, keep your WordPress patched.


Matt Mullenweg’s less-is-better approach to software quality

Interview with Matt Mullenweg in the Guardian today. This was done at the Future of Web Apps conference. I enjoyed meeting him. He is open and articulate. I had not appreciated until now that WordPress.com took the opposite decision from Google over the issue of being blocked in countries such as China which are less permissive than the USA about what can be published. He found out that by blocking certain words and tracking certain people the site could be unblocked:

Google had the same decision, and they decided that being there was less evil than not being there, ultimately. For us, we decided that being there under those circumstances isn’t worth it. We’d rather not be there.

A blogging site is not the same as a search engine. It’s arguable that both sites made the right decision. Not easy.

I was also struck by Mullenweg’s espousal of an Apple-like minimalism in software design. He says WordPress has too many options. He was particularly critical of Open Office:

If you open up Open Office, look at the preference screen, there are like 30 or 40 pages of preferences. Stuff that you and I will never care about and should never care about.

I accept the main premise – software should just work. I understand the further implicit argument, that adding options tends to diminish software quality, by adding complexity to the code. But it would be interesting to analyze some of the options in, say, Open Office, and find out why they are there and who is using them. Is having all these options tucked away really a bad thing, or is this really more about user interface design?

The curious silence of the IE team – Microsoft needs to rediscover blogging

There are huge numbers of Microsoft bloggers; yet in some important areas Microsoft seems happy to let its opponents make all the noise.

Internet Explorer is an obvious example. There is an official IE Blog, but you won’t find anything there about IE8, just occasional news of minor IE7 tweaks. The comments on the other hand are full of questions, many of them good ones that deserve an answer, or at least an acknowledgement that someone is listening.

I spoke to Microsoft’s Chris Wilson at the Future of Web Apps conference back in February, noting that he gave a “good bridge-building talk”. There have been other similar talks, but little of substance since then. Anyone searching the web for news of browser development and innovation will find little from Microsoft, lots from Mozilla and others.

This is not about Microsoft bashing. Rather, it is about web developers and designers who need to make stuff work. Having some idea about where Microsoft is going with its browser helps with that.

Microsoft needs to rediscover the value of high quality blogging that engages with the community. It is not just IE. Soon after the release of Office 2007 I was among those who reported on performance problems with Outlook. This blog still receives thousands of visits from users who search for why Outlook 2007 is slow. Where were the bloggers from the Outlook team? Months later there was a tech note and patch which helps a little, but Outlook 2007 is still slow and there is no real evidence that the company cares.

What about Open Office XML, viciously attacked by IBM and other sponsors of the rival Open Document Format? Brian Jones has a good marketing blog; yet I’ve seen relatively little technical blogging from the OOXML folk at Microsoft, in response to questions raised.

See also Dave Massy’s blog.


Upgrading WordPress

This blog is now running on WordPress 2.3. The differences from 2.2 are minor from the user’s perspective, which strikes me as a sign of maturity: it was already very good. Unfortunately the team did not address my number one wish, which is paged comments – but I realise I am in a minority as the feature has only 8 votes at the time of writing. There is a plug-in, but it does not work well with the theme I use. I am not complaining though; WordPress is fantastic and I am a loyal user. I have started using it for longer articles as well as blog posts; it is effective as a simple content management system for this site.

With the upgrade to 2.3 I have also converted to a Subversion install. This means I can do a Subversion update to grab the latest version, making it easier to stay current.

Matt Mullenweg is speaking on WordPress.com architecture at the Future of Web Apps conference in London later this week. I will be there and blogging.


Offline blog authoring with Word 2007

After writing a blog with Adobe’s Contribute, part of the new Creative Suite, I thought I should try the same task in Microsoft Word 2007. It’s quite a contrast. Word does not attempt to display the surrounding furniture of the blog, so it feels less cluttered than Contribute, and you get the benefit of Word’s proofing tools. The famous Office ribbon is reduced to three tabs: Blog Post, Insert and Add-Ins; ironically, the only add-in available is Adobe’s Contribute toolbar. It’s a comfortable editing environment, but it does not feel safe. For example, I can insert a WordArt text object, or shapes of various kinds, but it’s not clear what sort of code it will generate, and as with Contribute there is no easy way to view the HTML.

Another problem with Word is the lack of any Insert Tag option. A Technorati tag is just a hyperlink, so I could do this manually, but that is extra work in comparison to Contribute or Live Writer, which have Insert Tag built in. Word does offer an Insert Category button, but you can only select one category each time you drop down the list, whereas in Live Writer you can add multiple categories in one operation, by checking boxes.

I can see the appeal of blog authoring in Word for someone who is familiar with Office and does not want to learn a new tool, but this is my least favourite of the three tools I’ve been trying. So far I prefer Contribute for its features, and Live Writer for its focused design. I suspect Writer will remain the tool I actually use.

 

Offline blog authoring with Adobe Contribute

I generally use Microsoft’s Windows Live Writer to write my blog entries. It has a few annoyances, but I like it better than trying to type directly into WordPress. After installing Adobe’s Creative Suite 3 I noticed a new Contribute toolbar appearing in my web browser, including a Post to Blog button, reminding me that blog authoring is a feature of the new suite and that I ought to try it out. I opened Contribute and set up a connection to this blog; in fact, I’m writing this post in Contribute now.

As you would expect, Adobe has provided a sophisticated tool. Contribute sets up a template that lets you edit a blog entry within an editable area on a page that replicates the blog itself. It is more WYSIWYG than Live Writer. The editing tools are impressive too: along with basic HTML formatting, there is an Insert menu offering Flash, Video and PDF, a spell checker, a table editor, and an image editor with options to rotate, crop, sharpen, set brightness and adjust contrast. Inserting Technorati tags is easy, as is selecting categories from those I’ve defined.

Any complaints? Well, I miss the clean, uncluttered appearance of Live Writer. It feels a touch over-engineered. And if you want to inspect or edit the HTML code, you have to open the blog entry in Dreamweaver, which isn’t a great experience because you get the template as well as the blog entry.

It may sound strange, but Contribute does more than I need. I might use it for authoring WordPress pages, as opposed to blog entries, but otherwise I’m likely to stick with Live Writer. Unless Word 2007 can tempt me away; mini-review coming shortly.


Using WordPress pages

Yesterday I posted an article on Office Open XML which is too long for a blog entry. Rather than creating a separate HTML file I used a WordPress page entry. WordPress pages are authored in the same way as blog posts, but are not part of the blog itself; they “live outside of the normal blog chronology.” You can organize them into a hierarchy of pages and sub-pages; they are important because they make it possible to build an entire web site in WordPress, using it as a simple content management system.

Curiously the page template in many WordPress themes omits comments. This caught me out: I marked the page as enabled for comments, but no comment form appeared. I fixed this by adding the following line to page.php:

<?php comments_template(); ?>

I’m now happy with the result and will probably use WordPress for further longer articles. In fact, I’ve already added a further page, this being my blog archive. When I migrated from bBlog to WordPress, I left the old blog engine in place so as not to break existing incoming links. However, although the old entries were still in place, most were left with no index link; they were effectively invisible. The new archive page fixes this; you can see all the posts since I started blogging in 2003: errors, insights and all.

 


Blogging is on the brink of a new phase

Washington-based Pew Research Centre has published a 160,000 word report on “the health and status of American journalism.” Although it is US-based much of it is relevant worldwide, particularly in the online realm; in fact, among the publications covered are bbc.co.uk and The Economist.  

Much food for thought here. The online business model remains uncertain; the report suggests that advertising is not enough and speculates that:

…news providers [will] charge Internet providers and aggregators licensing fees for content.

which strikes me as highly speculative; I don’t see ISPs wanting to pay for online content though I suppose aggregators might. The report doesn’t say how well the subscription model is working for sites like nytimes.com. I am sure subscription works well in niche areas like high-end business reports, but is it ever going to be a major source of funding for general news?

As for blogging, the report says that blog creation has peaked but that blog readership is growing – see Steve Rubel’s summary to get the picture. Blogs are an increasingly tempting target for PR and vulnerable to manipulation. Here’s an interesting comment:

Blogging is on the brink of a new phase that will probably include scandal, profitability for some, and a splintering into elites and non-elites over standards and ethics. The use of blogs by political campaigns in the mid-term elections of 2006 is already intensifying in the approach to the presidential election of 2008. Corporate public-relations efforts are beginning to use blogs as well, often covertly. What gives blogging its authenticity and momentum — its open access — also makes it vulnerable to being used and manipulated. At the same time, some of the most popular bloggers are already becoming businesses or being assimilated by establishment media. All this is likely to cause blogging to lose some of its patina as citizen media. To protect themselves, some of the best-known bloggers are already forming associations, with ethics codes, standards of conduct and more. The paradox of professionalizing the medium to preserve its integrity as an independent citizen platform is the start of a complicated new era in the evolution of the blogosphere.

The highlighting is mine. I reckon this is spot-on.

WordPress hacked: where do we go from here?

WordPress founder Matt Mullenweg reports the bad news:

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

This is truly painful and highlights the inherent risk of frequent patching. I haven’t seen any estimates of how many websites installed the hacked code, but I’d guess it is in the thousands; the number of WordPress blogs out there is in the hundreds of thousands. Ironically it is the most conscientiously administered installations that have been at risk. Personally I’d glanced at the 2.1.1 release when it was announced, noted that it did not mention any critical security fixes, and decided to postpone the update for a few days. I’m glad I did.

Keeping up-to-date with the latest patches is risky because the patches themselves may be broken or, as in this case, tampered with. On the other hand, not patching means exposure to known security flaws. There’s no safe way here, other than perhaps multi-layered security. All the main operating systems – Windows, OS X, Linux distributions – have automatic or semi-automatic patching systems in place. Applications do this as well. We have to trust in the security of the source servers and the process by which they are updated.

Having said that, there are a few things which can be done to reduce the risk. One is code signing. Have a look at the Apache download site – note the PGP and MD5 links to the right of each download. These let you verify that the download has not been tampered with. Why doesn’t WordPress sign its downloads?*

Next question, of course, is how WordPress allowed its site to be hacked. Was it through one of the other known insecurities in the WordPress code, perhaps?

I’m also reminded of recent comments by Rasmus Lerdorf on how PHP does not spoonfeed security. There is a ton of insecure PHP code around; it’s an obvious target for hackers in search of web servers to host their content or send out spam.

*Update: See Mullenweg’s comment to this post. I looked at the download page which does not show the MD5 checksums. If you look at the release archive you can see MD5 links. Apologies. Having said that, why couldn’t the cracker just update the MD5 checksum as well? This is mainly a check for corrupt rather than hacked files. The PGP key used by Apache is better in that it links to the public key of the Apache developers. See here for an explanation.

Perhaps this is a good moment to add that the reaction of the WordPress folk has been impeccable in my view. They’ve acknowledged the problem, fixed it promptly, and are taking steps to prevent a repeat. Nobody should lose confidence in WordPress because of this.
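
The point made in the update above, as an added example (not code from WordPress or Apache): a checksum published beside the download catches corruption but not a replaced file, while a reference value held outside the download server catches both. The `Mirror` class, the function names and the sample bytes are constructed for illustration, and a pinned digest stands in for the PGP public key, since what matters here is only that the reference comes from somewhere other than the server being checked.

```python
import hashlib
import hmac


def digest(data: bytes) -> str:
    # SHA-256 is used here; the argument is identical for the MD5 files
    # the post mentions, because the weakness is where the value is stored.
    return hashlib.sha256(data).hexdigest()


class Mirror:
    """Constructed stand-in for a download server that publishes an
    archive and a checksum file next to it."""

    def __init__(self, archive: bytes):
        self.archive = archive
        self.checksum = digest(archive)

    def replace_archive(self, new_archive: bytes, update_checksum: bool) -> None:
        # Models the archive changing on the server, with or without the
        # checksum file beside it being regenerated.
        self.archive = new_archive
        if update_checksum:
            self.checksum = digest(new_archive)


def verify_same_origin(mirror: Mirror) -> bool:
    # Reference value comes from the same server as the archive.
    return hmac.compare_digest(digest(mirror.archive), mirror.checksum)


def verify_pinned(mirror: Mirror, pinned: str) -> bool:
    # Reference value was recorded out of band (hypothetical: at release
    # time, from the developers), as a signing public key would be.
    return hmac.compare_digest(digest(mirror.archive), pinned)


def scenario() -> dict:
    release = b"constructed release archive bytes"
    pinned = digest(release)
    mirror = Mirror(release)
    results = {"clean": (verify_same_origin(mirror), verify_pinned(mirror, pinned))}
    # Corruption: archive bytes change, checksum file is untouched.
    mirror.replace_archive(release[:-1], update_checksum=False)
    results["corrupted"] = (verify_same_origin(mirror), verify_pinned(mirror, pinned))
    # Tampering: whoever changed the archive also regenerated the checksum.
    mirror.replace_archive(release + b" modified", update_checksum=True)
    results["tampered"] = (verify_same_origin(mirror), verify_pinned(mirror, pinned))
    return results


if __name__ == "__main__":
    for case, (same_origin, pinned_ok) in scenario().items():
        print(f"{case:10s} same-origin={same_origin} pinned={pinned_ok}")
```

Only the tampered case separates the two checks: the same-origin checksum still matches, and the out-of-band reference does not.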

 


A WordPress flaw: no paged comments

A snag with the most wonderful WordPress is that comments to a post are not broken down into pages. With over eighty comments and climbing fast, this post on slow Outlook 2007 is getting slow to load. Fitting, I guess, but I’d rather it performed better. I looked in vain for a WordPress option to split the comments into pages. I did find this plugin, but although it works it looks bad with the theme I’m using. I suppose a few hours hacking would fix it. I reckon a paging option should be built into WordPress as it will always be a problem on heavily commented posts.

 
