Charles Eicher's Radio weblog contains 13 entries in a row blasting UserLand Software and Dave Winer. If it weren't for WinerLog, this would be a new world record.

Eicher has a right to be angry about his banishment from the customer support discussion board -- all paying customers of Radio Userland need to be able to read that board, even if they've been prohibited from posting there, because it contains a lot of essential support information. Some of his other beefs seem more like a product of berserker rage than flaws with Radio Userland.

Contrary to Eicher's claim, the public listing of directory folders is not a security hole. Apache can be configured to allow directory listings or disallow them (the Indexes option of the Options directive controls this), and the httpd.conf that ships with many versions of Apache allows them. A listing only shows the names of files that are already fetchable by URL; it does not make anything reachable that wasn't. On Radio Community Server and most of the other UserLand machines, directory listings are allowed.

Personally, I disallow directory listings on my own Apache server and am glad the Python Community Server is also set up to disallow them. However, I wouldn't call it a security hole to use a configuration option in Apache that has been the default for years (and may even be the default now). Many Web publishers want their directories to be available to the public.
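The Apache setting at issue, as an added example that is not configuration from the original post or from UserLand's servers: the permissive Options line from a stock httpd.conf beside the same directory with listings turned off. The directory path and user name are placeholders.

```apacheconf
# Added example; not configuration taken from the original post or from
# UserLand's servers. The path /var/www/radio is a placeholder.

# 1. The permissive shape, as shipped in the stock httpd.conf of the
#    Apache 1.3 / 2.0 era. Because "Indexes" is present, a request for a
#    directory that contains no DirectoryIndex file (index.html by default)
#    is answered by mod_autoindex with a generated "Index of /..." page.
<Directory "/var/www/radio">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>

# 2. The same directory with listings turned off. "-Indexes" subtracts only
#    that one option from whatever the parent directory passes down, so
#    FollowSymLinks and the rest are unchanged. A request for a bare
#    directory with no index file now gets 403 Forbidden instead of a
#    listing. Every file inside is still fetchable by its exact URL, which
#    is why this is a configuration choice and not a security boundary.
#    "AllowOverride Options" lets a per-user .htaccess adjust it further.
<Directory "/var/www/radio">
    Options -Indexes
    AllowOverride Options
</Directory>

# 3. What a single weblog author could put in /var/www/radio/alice/.htaccess
#    (placeholder path) to turn listings back on, or off, for just that tree.
#    Under "AllowOverride None" the .htaccess file is never read, so the
#    line has no effect; under an AllowOverride that omits "Options" the
#    directive is an error and the directory answers 500.
#    Options +Indexes
```

Mixing plain and signed forms on one Options line (`Options -Indexes FollowSymLinks`) is rejected at server startup, so a directory that wants to keep FollowSymLinks and drop Indexes either writes `Options -Indexes` and inherits the rest, or spells out the full list without signs.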

As for the claim that public directory listings enable anyone to "steal your entire blog," I have bad news for Charles: I stole his entire blog this morning by visiting it with Internet Explorer 6. The whole thing's in my browser cache now. (I could also download the entire site using wget and have the same directory structure he does without using any directory listings.)

At this point, Eicher would be better off hosting his Radio weblog on someone else's server (such as this one) and taking his concerns about Radio Userland to the Script Meridian mailing list, an independent forum for UserLand users where the issue of editorial "censorship" can be avoided entirely. Some companies will allow themselves to be "deliberately needled" in their customer support forum, as Eicher admits he did. I think it's beyond debate at this point that UserLand isn't one of those companies. Even if you don't use Radio Userland's free Web hosting, I personally think it's well worth the $40.

Comments

I appreciate your serious response to my issues. If only Dave could respond the same way. I will respond to your comments on my blog.

I have produced a lengthy response to your comments, but weblogs.com is down again, so I will post it here.
---
A Response To Mr. Rogers Cadenhead
Mr. Rogers Cadenhead has produced a thoughtful response to my remarks about Dave Winer and Userland, and it deserves a serious response. Unfortunately, my remarks deserve a response from Dave Winer, but if he does not respond, his customer service issues will continue unabated. So for now, I will continue to condemn Dave for his lack of integrity and honesty, and respond fully and completely to those people like Mr. Cadenhead who display those qualities that Dave lacks.
Rogers (may I call you Rogers? Your name is unwieldy to type) agrees that I have a right to be angry for being banished from the support boards. But he asserts that Userland was right to prohibit users from "needling" them in their support boards. What he fails to realize is that Userland and I have a contract and they are contractually obligated to provide me full access to their support board. There are no contractual terms that allow Dave to unilaterally abrogate any terms of contract unless I do something illegal. Yes, I've scrutinized Dave's EULA far more closely than he ever has.
Rogers also asserts that my criticisms are more the product of "berserker rage" than legitimate criticism. Alas, you are being manipulated: Dave has edited the context and censored my messages to make it look this way. When I first was hit by the server outage, I posted a message notifying them of the outage, and I clearly stated that I was enraged but I would not comment further until I had calmed down. Yes, I am enraged, and I continue to be enraged. But I think it is fairly clear that I am able to suppress the expressions of my feelings sufficiently to allow a civil dialogue about bugs. But when Dave started editing the context to support his world-view, and posted defamatory lies, the gloves came off. If Dave acts in such a deceitful manner, then I will make it clear to the world what he is doing. And I will have plenty of legitimate reasons to disparage him for his lack of integrity and his deceitfulness. This is the line Dave crossed but I did not; Dave turned this problem from a simple bug report into a public relations nightmare.
Rogers also disputes my assertion that open Apache directories are a security hole. Yes, in some sense this is a judgement call. It would have been easy for Userland to say this was a deliberate design decision, when I first called this problem to their attention. But they completely refused to even acknowledge that they have read or even considered my request for more security. I remarked that Dave has closed the directories on his own personal server, so apparently Dave believes this is a security hole. Yes I am aware there are tools like wget that can steal my blog despite closed directories. But open directories make it easy, and help people identify masses of content they want to steal. I went to much trouble to locate documentation on how to prevent another problem with open directories, parasite web pages stealing graphics. I am not creating graphics to decorate the entire web, I want people to see my graphics in the web page as I designed it. I think it's pretty clear that I have legitimate reasons for desiring tighter security. If they stand behind their open directories because they have a legitimate reason for doing things this way, I'm ready to hear it. But it will be hard to support that position when Dave himself enjoys this protection when his customers do not. And it will be extremely hard to defend the use of default settings on a production server. I can't believe you, Rogers, would support Userland's open directories when your own servers are closed. It seems you agree with me, but are unable to express it.
Yes, ultimately this all boils down to a problem with Dave. But it has become clear that when you buy a Userland product, you are not buying software, you are buying Dave. It's all about Dave. Everything. Microsoft, Macromedia, IBM, Sun, they're all about Dave, he is the tail that wags the dog in the web services world. Dave needs to get off his high horse and start dealing with the things that earn people's respect. If you have no respect for your customers, you will never earn the respect of your peers. And your company will die a natural death.
The problem with Dave reminds me of a conversation I had with one of my customers, a major defense contractor's Human Resources director, back at the peak of the late 1980s boom in personal computers. I was astonished to discover that his HR department now refused to hire any candidates with Computer Science degrees, even for computer programming jobs. He asserted that the company had so many problems with socially maladjusted computer geeks that they preferred to locate well balanced candidates with Liberal Arts degrees and train them in-house even if it took years to bring them up to speed. He claimed that the disruptions caused by these prima donna CS geeks caused the company to declare all CS geeks economically unviable as employees. I investigated this situation over the next few years, and discovered there were many companies that had policies of completely prohibiting their technical people from talking to customers. These policies were implemented because the maladjusted geeks always antagonized the customers and brought the company into disrepute. The rise of professional customer service agents (for good or ill) is largely an outgrowth of this problem.
So you can see the reasons why Dave is unable to handle customer service issues in a manner that is respectful and civil. And it is only natural for customers to revolt when they are treated in this manner. But this is Dave's World, we just live in it.
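The second setting Eicher's comment refers to, keeping other sites from embedding ("hotlinking") a weblog's graphics, as an added example that is not part of either commenter's text. It assumes mod_rewrite is loaded and uses example.com as a placeholder hostname.

```apacheconf
# Added example; not from the original post or either commenter.
# Assumes mod_rewrite is loaded and that the weblog lives at example.com
# (a placeholder). Works in httpd.conf or in a .htaccess where
# "AllowOverride FileInfo" is granted.
RewriteEngine On

# Let through requests that carry no Referer at all: typed URLs, bookmarks,
# and the browsers and privacy proxies that strip the header. Blocking
# these breaks ordinary readers, not parasite pages.
RewriteCond %{HTTP_REFERER} !^$

# Let through requests whose Referer is one of our own pages
# (http or https, with or without www.). NC = case-insensitive match.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]

# Anything else asking for an image file is refused with 403 Forbidden.
# F implies L, so rule processing stops here.
RewriteRule \.(gif|jpe?g|png)$ - [F,NC]
```

The Referer header is set by the client and is trivially omitted or forged, so this stops casual embedding in someone else's page, not deliberate copying with a downloader; that is the same distinction the post draws about directory listings. If you redirect parasites to a placeholder image on the same server instead of returning 403, exempt that image's own path or the rule will loop on it.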

I don't have a copy of the Radio Userland license, so I can't comment on whether it is permissible under the license to keep you off the Radio Userland discussion board.

As a general principle rather than an interpretation of the license, I think it's wrong to deny you the ability to read messages there, and Winer told me in e-mail today that you can still read all the messages posted to the board here:

http://groups.yahoo.com/group/radio-userland/

I'm not making a judgment about whether you should have been banished. I just think it is within the rights of someone hosting a discussion site to decide who can post messages. That's one of the reasons I recommended Script Meridian's mailing list: There's no need to subject yourself to editorial decisions you disagree with when alternate forums exist.

As for Apache and public directories, my guess is that the Qube box hosting Scripting News was configured by default to disallow directory listings and Dave never changed it. It's hard to call the guy a hypocrite for opening Radio Userland weblog directories when he has more than a dozen machines on the Internet with public directories that also can be browsed. Maybe he just prefers public directories.

I agree with you that disallowing directory listings is better, but others clearly disagree, based on the large number of sites that don't close them. That's why I think this is a user configuration issue rather than a security issue.
