Categories
Weblogging

Weblogging is for winners: backlash

Joi Ito recently wrote something about his weblog and the commentary he gets from people. He was concerned that the responses were making him wary of what he wrote, and this, in turn, was making him boring. Several people responded–over 90 comments at last count. Most were sympathetic.

One response in particular stood out, repeated over and over again in several weblogs: too bad weblogging has changed and how a person can’t even have a conversation now without one person or another writing a ‘negative’ comment or post. Not like in the good old days when all of this was so much more fun.

I’m reminded of people reminiscing over the good old days when they were children, growing up in a small town. “We used to be able to play out in the streets after dark,” they’d say. “And never have to worry about being attacked or harmed.” Not like today, they’d say, sadly shaking their heads.

Yet the same sun that shines now shined back then, forming the same shadows. Scratch the veneer of most of these “home towns” and you’ll find much of the same ugliness as exists today; except back then, people kept things quiet. When the wife with the bruised face and sore arm told people she fell down the stairs, no one believed it–but no one would challenge it, either. The little girl of six who fell suddenly silent after a weekend being baby-sat by the 16-year-old neighbor boy is just going through growing pains. The middle-aged guy who drinks too much is treated with humor, or even affection.

People are people, and as such equally capable of noble sacrifice and petty want. All that time does is change the mode and means and maybe some of the rules.

Time also breeds familiarity. That old saying that familiarity breeds contempt is rather extreme, but there is something about familiarity and its ability to polish away shiny newness.

Consider Joi. Years ago, people saw Joi as a person who was on easy terms with members of his country’s government, was wealthy and influential, and who attended prestigious events all over the world. Now, though, we’ve seen Joi as someone who makes mistakes, loses his temper, gets stealth disco silly and even, at times, veers more to the ‘petty’ side of the pendulum. Just like you and me, as a matter of fact. Except that, unlike Joi, no one was in awe of us when we started blogging.

Six months or two or four years ago, when we wrote something, people took it at face value and reacted to the writing, not to who we were. If we wrote something that moved people, they responded. Perhaps not as many people as would respond to Joi, but the emotional reactions would be the same. Conversely, if we wrote something that riled people up, they responded–and not always nicely.

Most of us who are reading Joi’s recent entry are scratching our heads and saying to ourselves, that’s the nature of the beast; except for Joi, it hasn’t been the nature of the beast. At least, until that old familiarity came along and buffed away some of Joi’s sparkle.

The same can be said for others, though for different reasons. Getting flak about trips now, when you didn’t a couple of years ago? Well, a couple of years ago, we hadn’t heard the complaint about airports and no Internet access for the 20th time. Neither had we seen so many photos of so many beautiful people–most of them eerily similar.

After a time, after so many trips to Spain or Japan or England, and so many glamorous or fun get-togethers, people just aren’t impressed. Damn, most of us are doing good not to be destructively envious.

(I am reminded of David Weinberger writing about an uncomfortable plane trip and how the person in front of him infringed into his space–lordy, I thought we were going to see a re-enactment of Joan of Arc, the reaction was that hot.)

As for others, well, a lot of folks have been given a pass on their writing for whatever reason. This is a state that cannot sustain itself, though, and eventually, if they say something controversial, they’re going to get a strong response, and no amount of their personal unhappiness about the state of affairs is going to change things.

I had a disagreement with Halley in her comments recently, which she has since written about in her weblog and at the Worthwhile Magazine weblog. At Worthwhile she writes:

Joi Ito started it over here. It feels like the better known you are as a blogger, the more people write nasty or critical comments about you, so you stop blogging about certain subjects — or stop blogging as frequently — or stop blogging completely. A number of us jumped on the subject.

I wrote about it here, but also did a little experiment — writing a very edgy piece about how alienated I feel in my kid’s school community of mostly married moms (I’m divorced), but I also wrote that blog post just to REMEMBER how it felt to let loose and express my opinions in my blog. It met with mixed results.

I also wrote that blog post just to REMEMBER how it felt to let loose and express my opinions in my blog. I would suggest that Halley check out another weblogger expressing his opinion and the reaction to same. And his wasn’t in the nature of a little experiment.

Halley implies that there is a correlation between being better known and people being critical of the person. Anyone who has been weblogging for any length of time knows that this is not the case. Your audience and your influence may be larger; you may get more voices clamoring in disagreement among all the nodding heads; but no matter what, no matter who, it all comes back to what we write and how we write it.

If anything, what’s happened recently is that there’s a whole group of people who have been weblogging for years, but this is their first exposure to what weblogging really is: every difficult, entertaining, sometimes boring, all too often frustrating/silly/discouraging/enlightening/contentious bit of it.

Lonely, too, at times. But unlike Jeneane, I’m not too shy to ask for comments.

Categories
Technology Weblogging

Rewriting metadata layer

I’ve decided that the current implementation of the metadata layer is unworkable. Too vulnerable, and becoming too cumbersome for developers to work with.

Additionally, since it has a significant overhead, and not everyone is interested in it, I’m pulling it out as an integrated component and adding it as a drop-in infrastructure that takes advantage of the plugin architecture, as well as adding some of my own extensibility hooks.

The advantage, aside from decreasing the size of the default Wordform install, not to mention removing a security vulnerability, is that the infrastructure can have different backend engines — not just RAP (RDF API for PHP), which I’ll still be using as the first semantic drop-in. This is a response for those who are interested in using Redland and its PHP interface, rather than RAP.

Just goes to show that for every cloud there is sunshine — the new infrastructure will be superior to the existing one, but I may not have pursued it if I hadn’t had problems with security–which is something I just won’t compromise on.

Categories
Technology

The open source dance

While I struggle with my own security demons, Thomas Waldegger emailed to let me know that the BugTraq security alert for WordPress has gone live. I am still getting requests for a patch file for this issue, and would rather that the WordPress team respond to these since the notice has gone public.

This alert does demonstrate how difficult it is to ensure that an application is secure. What happened is that the ping identifier that was sent with a trackback ping was not checked to ensure that it was, indeed, an integer. Based on this, a person could attach a separate subquery to the ping, and use this to, as Thomas put it, be able to re-construct values in the database.
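The fix the alert calls for, as an added example that is not WordPress code: reject anything that is not a positive integer before the ping ID is used, then bind it as a typed parameter instead of splicing it into the SQL text. Assumed: a PDO connection and a `posts` table with an integer `id` column.

```php
<?php
// Added example (not WordPress code): validating a trackback ping's post ID.
// Assumed: $db is a PDO connection; table "posts" has an integer "id" column.

// Returns the ID as an int, or null for anything that is not a bare positive
// integer. FILTER_VALIDATE_INT refuses "1 OR 1=1", "1;--", "4.2", "1e3", "" and
// arrays, so no subquery text can ride along on the ID.
function validate_post_id($raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Looks up the pinged post with a prepared statement; the ID is bound as an
// integer, so even a validated value never becomes part of the query string.
function lookup_pinged_post(PDO $db, $raw_tb_id): ?array {
    $id = validate_post_id($raw_tb_id);
    if ($id === null) {
        return null;   // answer the ping with an error; nothing reaches the database
    }
    $stmt = $db->prepare('SELECT id, title FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs showing what the validator lets through and what it drops.
foreach (['42', ' 7 ', '0', '42abc', '1 OR 1=1', '1;SELECT 1'] as $sample) {
    $result = validate_post_id($sample);
    echo var_export($sample, true), ' => ', var_export($result, true), "\n";
}
```

Only `'42'` and `' 7 '` survive the validator; the remaining samples become `NULL` and never reach `lookup_pinged_post`'s query.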

This is something I never would have spotted myself, though I am now alert to the vulnerability. The only problem is that once you’re aware of one type of vulnerability, others are discovered.

You never stop dancing in the open source world. Even when your steps falter, you’ve just got to dance. Most of the time, the crowd doesn’t even see your footwork; about the only time they do is when you’re dancing out of tune.

Categories
Technology

Securing the form

Wordform’s metadata extensions require form elements with a minimum of a button to push — usually with fields to fill in. These form elements are incorporated into the general gen_metadata.php page, depending on which extension is currently being invoked.

The gen_metadata.php file (see source) accesses the extension directory and outputs a list of available extensions — similar to how plugins work in WordPress. When you click on an option, the file name and post ID are sent, using GET, back to the same page. This is valid REST, as all that’s happening at this point is a query.

The extension file (see source for one of the extensions) is then included in the page. This file contains the form processing code and the rest of the form elements necessary to access the appropriate metadata.

The form begins and ends in gen_metadata.php. This file also has several hidden fields for the filename of the extension, the post identifier and URI, as well as a secret token that is also added as a SESSION variable.

How the security for this is all set up:

The register_globals setting is turned off, ensuring that I pull the values explicitly from $_POST or $_GET.

The update is handled through a form POST, so that an update cannot be triggered by a bot following a GET link found in the page contents.

The original page, gen_metadata.php, calls code that validates the person’s authentication to access the page and starts the session. With this in place, you have to be logged in to access the page.

To prevent a cross-site scripting (XSS) attack, in the metadata files a check is made to ensure that the script is actually included in the gen_metadata.php file located within the application’s admin directory. I then checked this myself using a spoof, as well as cross-site script, and the security worked.

Finally, today, I added a form security token. The code for this is added after the included extension script (so that the session variable is only reset after it’s used to test the validity of the post); the value is added to a form field that’s passed with the other data when the form is submitted.
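The five checks above, fitted together as an added example that is not Wordform’s own code: a skeleton of gen_metadata.php and the guard line an extension file would carry. Assumed names: the constant WORDFORM_ADMIN, the session key 'form_token', and a helper require_login().

```php
<?php
// Added example, not Wordform's code. Assumed: constant WORDFORM_ADMIN marks the
// admin page, session key 'form_token' holds the token, require_login() exits
// unless the user is authenticated.

// ---- gen_metadata.php ----
define('WORDFORM_ADMIN', true);          // extension files refuse to run without this
session_start();
require_login();                         // assumed helper: logged-in users only

// register_globals is off, so every value is read explicitly from $_POST or $_GET.
$req = ($_SERVER['REQUEST_METHOD'] === 'POST') ? $_POST : $_GET;
$post_id   = filter_var($req['post'] ?? '', FILTER_VALIDATE_INT);
$extension = (string)($req['ext'] ?? '');

// Only a name that exists in the extension directory may be included: no paths.
$available = array_map(fn($f) => basename($f, '.php'), glob(__DIR__ . '/extensions/*.php'));
$extension = in_array($extension, $available, true) ? $extension : '';

function token_is_valid(array $post, array $session): bool {
    // The submitted hidden field must equal the copy stored in the session when
    // the form was rendered; hash_equals keeps the comparison constant-time.
    return isset($post['token'], $session['form_token'])
        && is_string($post['token'])
        && hash_equals($session['form_token'], $post['token']);
}

// An update is accepted only as a POST carrying a matching token; a GET from a
// crawler, or a forged request from another site, changes nothing.
$can_update = ($_SERVER['REQUEST_METHOD'] === 'POST') && token_is_valid($_POST, $_SESSION);

echo '<form method="post" action="gen_metadata.php">';
if ($extension !== '' && $post_id !== false) {
    include __DIR__ . "/extensions/$extension.php";   // consults $can_update before writing
}
// Rotate the token only after the extension has checked the previous one.
$_SESSION['form_token'] = bin2hex(random_bytes(32));
printf('<input type="hidden" name="token" value="%s">', htmlspecialchars($_SESSION['form_token']));
printf('<input type="hidden" name="post" value="%d">', $post_id === false ? 0 : $post_id);
printf('<input type="hidden" name="ext" value="%s">', htmlspecialchars($extension));
echo '<button type="submit">Save</button></form>';

// ---- extensions/example.php (first line of every extension file) ----
// Bail out unless gen_metadata.php included us, so a direct request to the
// extension's own URL renders and processes nothing.
if (!defined('WORDFORM_ADMIN')) { http_response_code(403); exit; }
```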

Question to the PHP developers — what have I missed? What gaps did I leave? Where is the code more complicated, or less, than needed?

Feedback would be appreciated. I would prefer the kind in writing, rather than the kind I have been getting, which has been actual XSS attacks, usually every time I post to the Wordform weblog. These have become a bit wearisome.