New Spring Design

Meta,

Time to come out of your RSS readers and visit the site. In celebration of Spring, Summer, the new domain, and WordPress 2.5 I’m launching a new version of Photo Matt / Ma.tt. Here’s a before and after picture:

Old and new ma.tt

A couple of functionality changes you’ll notice:

  • Thumbnails and photos are now much larger. (Especially photos, now 840px wide.) Imagine it like going HD, you’ll definitely enjoy it more on broadband.
  • I’ve brought back the photo tech details like aperture and focal length.
  • In addition to posts and asides, I’m now doing new post types: galleries, quotes, videos, and highlight photos.
  • You can now click on a photo to go to the next one, making  browsing galleries easier.
  • The header is a lot shorter, so you get to the content faster. You can’t say I have a big head anymore. 🙂
  • I’m starting to use the new taxonomy bits in 2.5 to tag people, places (geotagging), things, and concepts in the various photos. (More on this later, still a bit broken.)
  • This is the first iteration of this site that is powered entirely by WordPress. (I know, 5 years late. The cobbler’s children go shoeless!) Before it was a cobbled together set of PHP includes and software like Gallery. Now 100% WP.
  • Gravatars are much more prominent. I wonder if there’s a way to only allow comments from people with Gravatars? It looks so much better.
  • Name has changed from Photo Matt to Ma.tt, tagline is the same.

The fine design was executed by Nicolò Volpato, the same talented fellow who did the last design. My concept was to evoke Spanish talavera, inspired by my trips to Spain and Argentina and pottery at my parents’ house like this, this, and this. It was a lot of fun to work with Nicolò on and I already have a few ideas for Fall. 🙂

I’ve been noodling on the implementation for months now. Last night I had just arrived from New York and it turned out the Jay-Z/Mary J Blige concert in Oakland got postponed so I found myself with a bit of time on my hands and decided to tie up all the loose ends. There are still a ton of things broken like the photo border on portrait images, I still have 15k old photos to import, and you may see the old design on some older pages, but I wanted to get it out there. There are also some weird things, like Firefox seems to back the background image blurry while it’s razor-sharp in IE and Safari. I feel like I’ve seen that somewhere before.

Finally I’m hoping to release a lot of the work I did here, including a version of the old theme, the plugin + script I’m using to resize all my old images on the fly, the taxonomy stuff, and some core improvements to WP to make some of the things I’m doing here easier. (I got lazy and did some direct SQL queries, etc.)

On Sphere

Asides, , ,

Sphere has found a home at the prescient AOL, as talked about on their blog, GigaOM, and Techcrunch. Sphere is a great company and the folks who made this happen at AOL will look like rockstars as the team continues to execute on their vision of tying the web together through lateral navigation. Disclosure, as it says on my about page, I was an advisor to Sphere and we’re cousins in the True family.

SecurityFocus SQL Injection Bogus

WordPress

Since people are asking, this so-called alert on Security Focus appears to be completely false and has no information that an attacker or the WordPress developers could use. It is completely content-free, except for making claims that every version of WP since 2.0 is vulnerable.

Online, apparently, it’s fine for someone to run into a crowded theatre and yell “fire” and the less basis there is in fact the more people link to them. It’s not uncommon to see crying-wolf reports like the above several times in a week, and a big part of what the WP security team is sifting through things to see what’s valid or not.

A valid security report looks like this, it usually includes sample code and a detailed description of the problem. The WP security team was notified of the KSES problem and it was fixed in 2.5. You can impress your friends by saying whether a security report is valid or not, so it’s a good critical facility to pick up.

All that said, there is a wave of attacks going around targeting old WordPress blogs, particularly those on the 2.1 or 2.2 branch. They’re exploiting problems that have been fixed for a year or more. This typically manifests itself through hidden spam being put on your site, either in the post or in a directory, and people notice when they get dropped from Google. (Google will drop your site if it contains links they consider spammy, you’ll remember this is one of the main reasons I came out against sponsored themes.) Google has some guidelines as well, what to do if your site is hacked. If I were to suggest WordPress-specific ones, I would say:

Continue reading SecurityFocus SQL Injection Bogus

OpenID and Spam

Spam, Splogs

Magnolia is going to be restricting their signups to only OpenID users:

Why? Because 75% of new accounts being created there lately have been created by spammers using automated tools. Spammers took over Ma.gnolia. Now, the company is using OpenID as a system of 3rd party verified identity and using the superior spam blocking skills of services like Yahoo! and AIM to clean up the Ma.gnolia ranks. Spamfighting could be the incentive that puts many other vendors over the edge to leverage OpenID.

At best this is a Club solution, meaning it’ll be effective as long as Magnolia is not a worthwhile enough target or not enough people use the technique.

Anyone advocating that a Yahoo, Google, or AOL account is going to stop spam signups, sploggers, or anything of the sort is out of touch with the dark side of the internet. The going rate for a valid Google account is about a penny each. For $100 get a text file with 10,000 valid logins and passwords, and go to town. We used to require email verification to signup for WordPress.com, and the vast majority of splogs were coming from Gmail or Yahoo email addresses, hundreds of thousands of them. Myspace and ICQ are both good examples of completely closed identity systems with registration barriers but still overrun with spam.

Each of the big guys probably has an anti-abuse team larger than all of Magnolia fighting these spam signups, but it obviously hasn’t been effective. In theory you could blacklist OpenID providers but who’s going to block Google and Yahoo and even if they did they’re just pushing the problem outward, to the point where spammers eventually run their own identity providers, and if you think they won’t come from millions of unique registered domains look at your comment spam queue.

OpenID has a ton of promise for the web — let’s not hurt it by setting people up for disappointment by telling them it’s a spam blocker when it’s not. Regardless of registration, identity verification, or CAPTCHA, you still need something working at the content level to block spam.

Catching up on March

Asides,

March is almost over, but email-wise I’m just getting started. Between the travel, conferences like SxSW and WordCamp, the 2.5 release, and the wisdom tooth stuff I’ve got stuff backed up even from Febuary. I’m back home this week so I’ll be doing as much catch-up as possible. If you get a response to an old email from me, that’s why.