Blogger Returns to New Orleans

Michael Barnett, the computer network administrator who barricaded himself in the central business district after the storm, has returned to New Orleans.

After his first week back, Barnett was extremely pessimistic about the city's condition:

It has been a week now, and I've had a chance to drive all around the city. All I can say is that this place is broken down. Crushed. Demolished. It is a moral lapse of the first order for politicians to keep telling people to come back. I am going to take some flack for telling the truth, but since that's what this blog is for, that's what I'm going to do. New Orleans is a wasteland. Sure, there are a lot of contractors out there trying to clean up, but it's barely making a dent.

Hurricane Katrina · 2005/12/14 · 12 COMMENTS · Link

Podcasting: You're Soaking In It!

Jewish lesbian shock jock Madge Weinstein kicked my "S" yesterday during a 10-minute rant about Adam Curry's role in podcasting:

You gotta realize, and I didn't realize this until I started getting more popular with my podcasts, when people blog ---- -- ----, did I spill my water? no -- when people blog ---- -- I'm resting the microphone on my fat, now. You're going to get mike noise, I'm sorry, and it's going to be all bad. This is bad. You know, it's all bad. When people blog things a lot of times they blog it because they think a lot of people will read it, and it's as simple as that. And I think that's what Rogers Cadenhead did, the man with the extra S ...

I've attached her rant as a podcast, naturally. The actual audio doesn't contain Arthur Fiedler's theme from The Longest Day. I added it to test my theory that all podcasts would sound better with patriotic background music.

Wikipedia · Podcasts · Podcasting · 2005/12/13 · 5 COMMENTS · Link

Podcasting: Accept No Imitations

Randall Stross, New York Times, July 3, 2005:

"Podcast" is an ill-chosen portmanteau that manages to be a double misnomer. A podcast does not originate from an iPod. And it is not a broadcast sent out at a particular time for all who happen to receive it.

Steven Chen, China Daily, Sept. 8, 2005:

The term podcast, a portmanteau of two words, broadcasting and iPod, Apple Computer's now ubiquitous music player is something of a misnomer, since such files do not need either an iPod or a portable MP3 player to be played ...

Wikipedia's podcasting entry, Nov. 30, 2005:

"Podcasting" is a portmanteau that combines the words "iPod" and "broadcasting." The term is a misnomer since neither podcasting nor listening to podcasts requires an iPod or any portable player, and no broadcasting is required.

Chris Noon, Forbes.Com article, Dec. 7, 2005:

A "podcast" is at once a portmanteau; derived from the words "broadcasting" and "iPod", and a misnomer; neither podcasting nor podcast listening requires an iPod, and no broadcasting is really required. Even so, portmanteaux and misnomers are not precluded from appearing in the dictionary; hence the word's selection as the Word of the Year by the New Oxford American Dictionary.

The next word of the year should be originality.

Journalism · Podcasting · Wikipedia · 2005/12/12 · 12 COMMENTS · Link

Congress Studies Cruise Ship Disappearances

On Tuesday, two Congressional subcommittees will hold a joint hearing on the subject of cruise ship disappearances and crimes that take place aboard the vessels.

My wife M.C. Moewe, a reporter with the Jacksonville Business Journal, spent six months tracking down information on cruise ship passengers who disappeared or went overboard, an elusive subject because most incidents happen in international waters or foreign jurisdictions. She found 12 passengers since 2000, including five within the preceding year. Though the majority are believed to be suicides -- anyone who looks over the rail of an oceangoing ship knows you could disappear forever in those waters -- clues suggest that a few, horribly enough, might be homicides.

Since then, the number has grown to at least 17, including Jill Begora, 59, a Canadian woman who vanished Saturday before the 2,100-passenger Royal Caribbean Jewel of the Seas arrived in Nassau, Bahamas.

Moewe will be traveling to Washington to cover the hearing. I'm hoping that when C-Span posts tomorrow's full TV schedule at around 5 p.m. today, the hearing will be one of the events they televise. I want to record for posterity the moment at which she became too big-time to associate with her husband the blogger.

I love reporters who poke around the byzantine bureaucracy of Washington, looking for overlooked stories while their peers are hanging out in the White House hoping the president gives them a nickname. I wanted to be I.F. Stone when I grew up.

Since her original story ran in June, Moewe keeps getting contacted about the subject. She's heard from four TV news producers, one family member of passengers, and two guests on ships where incidents occurred.

Tomorrow's hearing was called by Rep. Christopher Shays of Connecticut, who knew George Allen Smith IV, a 26-year-old honeymooner whose July disappearance from another Royal Caribbean vessel is being investigated by the FBI.

Journalism · Jacksonville · Florida · 2005/12/12 · 29 COMMENTS · Link

Mena Trott Declares Civil War

In a keynote address at the Les Blogs conference yesterday, Six Apart founder Mena Trott cut short her call for blogger civility to put a bleep in his place:

Who is dotBen? All day yesterday you've been an ------- to the people who've been in this town and I want to know why don't you, why, what the ----?

It's hard to fairly judge the situation without seeing the events that led up to it, but that's never stopped me before. Trott showed courage giving a speech at the Six Apart-organized conference in front of screen that projected live online chat, a relatively new phenomenon called a backchannel, but I agree with the point Ben Metcalfe seemed to be making when dragged in front of the whole class -- you can't always be nice if you're being honest.

The comments Shel Israel made right before the confrontation are pretty funny in retrospect:

It's a different world now and it's a new way of expressing things. It's a much faster world we live in, so I guess we got to live with it and every story has two points of view and we have to listen sometimes to see what other people think.

Update: Here's a longer excerpt of Trott's speech (and the transcript), which she intended in part as a challenge to backchannel behavior:

I started to get incredibly nervous about appearing on this stage today. ... The main reason I was scared and I'm still scared, is that IRC backchannel. ... I've seen people make comments on these channels that they would never say to somebody's face.

Movable Type · Civility · 2005/12/07 · 31 COMMENTS · Link

Spammer Messes with My Headers

A few weeks ago, I mistakenly believed that I had closed a PHP mail form vulnerability that let spammers use my web server to send mail.

Another batch of penis enlargement and phentermine pitches were sent through my server last night, which I discovered when "rejected bulk e-mail" bounces found their way to me. A spammer exploited a mail script I had written that coded the recipient address like this:

$recipient = "info@ekzemplo.com";

I thought the script was secure because users couldn't change the recipient. As it turns out, there's another giant programming blunder in these lines of code:

$name = stripslashes($_REQUEST['name']);
$email = $_REQUEST['email'];
$subject = $_REQUEST['subject'];
$comments = $_REQUEST['comments'];

mail($recipient, $subject, $comments, "From: ".$name." <".$email.">rn" . "Reply-To: ".$email."rn");

As I learned last night, plugging user-generated fields into PHP's mail function leaves you susceptible to header injection, a technique that sends multi-line input to any field on a web form in the hope that each line will be interpreted as a mail header.

A spammer in Seoul, Korea, sent the following as the name field when calling the script:

to
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: transcribe
bcc: charleselegb@aol.com

The script interpreted each of those lines as a real e-mail header, so charleselegb@aol.com received an e-mail with the text "2977b873a006112f1567c66ac468690a", which I'm guessing is encrypted text that identifies my server and script. The spammer's running software that crawls the web and hits forms, noting any that successfully send mail back to a test account. A Google search for that e-mail address shows Charles has been busy.

I've written a function that removes multi-line input -- identified by newline and return characters -- and prevents a spammer from defining multiple e-mail recipients:

function sanitize_request_input($input) {
  if (eregi("r", $input) || eregi("n", $input)) {
    $input = "";
  }
  $input = str_replace(";", " ", $input);
  $input = str_replace(":", " ", $input);
  $input = str_replace(",", " ", $input);
  $fields = explode(" ", $input);
  return $fields[0];
}

The function's called on any single-line text field contained on a form -- using it on multi-line textarea input would wipe out the text. The fix seems to have deterred Charles, who thoughtfully tried the exploit a few more times after I uploaded the new script, so I am again declaring victory over net abuse.

This is part two in an ongoing series.

Security · Programming · Php · 2005/12/07 · 5 COMMENTS · Link

UserLand Frees Up Manila Servers

UserLand Software is discontinuing free Manila hosting, as I discovered last week when one of their users sought refuge on Buzzword.Com. Edit This Page shut free service on Dec. 1 and ManilaSites will do the same Dec. 31.

I can offer free hosting on Buzzword, but webloggers who are committed to publishing with Manila should be advised that I'm migrating the server to new software by May 1, 2006. A better long-term option for those folks is to subscribe to Weblogger.Com or UserLand.

(As an aside, if you're a fan of a long-running blog on one of those servers, this would be the ideal time to donate a year's hosting. Moving a weblog in a hurry is a huge pain in the ass.)

I've found in 18 months of running Manila that I'm genuinely bad at it. Server uptime has been lousy, because you have to know enough to counter the enormous amount of abuse that comment and referral spammers dish out on a weblog server hosting 3,000 users. Every month or so, I get another "it's not you, it's me" letter from a Buzzword user who wants to break up but is afraid to sound ingracious. The most recent were David Golding and Julian on Software, and I'm pretty sure that Craig Jensen wants to start seeing other people.

I have a fighting chance against net abuse on a Linux box running Apache, MySQL and PHP, because I've been hacking away on one for more than five years. I knew I had reached a significant milestone in my quest for m4d sk1llz last spring when Workbench survived 500,000 hits in two days.

Next year, Buzzword will become an ad-supported free weblog host running entirely on Linux and other open source software. WordPress has a new multi-user version that's currently being beta tested. I suspect it will be the publishing tool that I choose.

Sites that are still on Buzzword at the time of the upgrade next year will be automatically migrated, so publishers can see whether they should stick around. I moved a Manila weblog to WordPress this weekend for a work project and it was easy -- the software supports RSS 2.0 as an import format.

In the meantime, Buzzword users may experience outages of unexplained origin for indeterminate length.

Rss · Publishing · Php · Mysql · Manila · Linux · 2005/12/05 · 2 COMMENTS · Link

Read More Entries