On Sphere

Asides, , ,

Sphere has found a home at the prescient AOL, as talked about on their blog, GigaOM, and Techcrunch. Sphere is a great company and the folks who made this happen at AOL will look like rockstars as the team continues to execute on their vision of tying the web together through lateral navigation. Disclosure, as it says on my about page, I was an advisor to Sphere and we’re cousins in the True family.

SecurityFocus SQL Injection Bogus

WordPress

Since people are asking, this so-called alert on Security Focus appears to be completely false and has no information that an attacker or the WordPress developers could use. It is completely content-free, except for making claims that every version of WP since 2.0 is vulnerable.

Online, apparently, it’s fine for someone to run into a crowded theatre and yell “fire” and the less basis there is in fact the more people link to them. It’s not uncommon to see crying-wolf reports like the above several times in a week, and a big part of what the WP security team is sifting through things to see what’s valid or not.

A valid security report looks like this, it usually includes sample code and a detailed description of the problem. The WP security team was notified of the KSES problem and it was fixed in 2.5. You can impress your friends by saying whether a security report is valid or not, so it’s a good critical facility to pick up.

All that said, there is a wave of attacks going around targeting old WordPress blogs, particularly those on the 2.1 or 2.2 branch. They’re exploiting problems that have been fixed for a year or more. This typically manifests itself through hidden spam being put on your site, either in the post or in a directory, and people notice when they get dropped from Google. (Google will drop your site if it contains links they consider spammy, you’ll remember this is one of the main reasons I came out against sponsored themes.) Google has some guidelines as well, what to do if your site is hacked. If I were to suggest WordPress-specific ones, I would say:

Continue reading SecurityFocus SQL Injection Bogus

OpenID and Spam

Spam, Splogs

Magnolia is going to be restricting their signups to only OpenID users:

Why? Because 75% of new accounts being created there lately have been created by spammers using automated tools. Spammers took over Ma.gnolia. Now, the company is using OpenID as a system of 3rd party verified identity and using the superior spam blocking skills of services like Yahoo! and AIM to clean up the Ma.gnolia ranks. Spamfighting could be the incentive that puts many other vendors over the edge to leverage OpenID.

At best this is a Club solution, meaning it’ll be effective as long as Magnolia is not a worthwhile enough target or not enough people use the technique.

Anyone advocating that a Yahoo, Google, or AOL account is going to stop spam signups, sploggers, or anything of the sort is out of touch with the dark side of the internet. The going rate for a valid Google account is about a penny each. For $100 get a text file with 10,000 valid logins and passwords, and go to town. We used to require email verification to signup for WordPress.com, and the vast majority of splogs were coming from Gmail or Yahoo email addresses, hundreds of thousands of them. Myspace and ICQ are both good examples of completely closed identity systems with registration barriers but still overrun with spam.

Each of the big guys probably has an anti-abuse team larger than all of Magnolia fighting these spam signups, but it obviously hasn’t been effective. In theory you could blacklist OpenID providers but who’s going to block Google and Yahoo and even if they did they’re just pushing the problem outward, to the point where spammers eventually run their own identity providers, and if you think they won’t come from millions of unique registered domains look at your comment spam queue.

OpenID has a ton of promise for the web — let’s not hurt it by setting people up for disappointment by telling them it’s a spam blocker when it’s not. Regardless of registration, identity verification, or CAPTCHA, you still need something working at the content level to block spam.

Catching up on March

Asides,

March is almost over, but email-wise I’m just getting started. Between the travel, conferences like SxSW and WordCamp, the 2.5 release, and the wisdom tooth stuff I’ve got stuff backed up even from Febuary. I’m back home this week so I’ll be doing as much catch-up as possible. If you get a response to an old email from me, that’s why.

WordCamp Dallas and WordPress 2.5

Asides, ,

The talk this morning at WordCamp Dallas was quite enjoyable. The audience here is very sharp and on-point, there was a ton of participation and great questions. They also had delicious Rudy’s BBQ for lunch, which I nibbled at as much as I could. Also (roughly) concurrent with the talk we released WordPress 2.5. Funnily because I kept the edit screen for the announcement open from stage the concurrent editing protection prevented anyone else fom publishing the post! Andy told me after I was done and I pushed the button, but it’s good to know the feature works. 🙂