From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
hi, do you have public ip? or should i just drop fw?
and it is w0cky - tho no remote root access allowed

From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
no i dont have the public ip with me at the moment because im ready
for a small meeting and im in a rush.
if anything just reset my password to changeme123 and give me public
ip and ill ssh in and reset my pw.

From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
ok,
it should now accept from anywhere to 47152 as ssh. i am doing
testing so that it works for sure.
your password is changeme123

i am online so just shoot me if you need something.

in europe, but not in finland?  

_jussi

...

I stayed up much too late last night reading the fascinating Anonymous vs Aaron Bar, HGary, HBGary Federal, Greg Hoglund, rootkit.com well researched and written articles on Ars Technica, mostly by Nate Anderson. (Fascinating at least to a software developer, particularly web developer.)

Start with “How one man tracked down Anonymous—and paid a heavy price“, then read “Anonymous speaks: the inside story of the HBGary hack” by Peter Bright. If you still want more also read “Spy games: Inside the convoluted plot to bring down WikiLeaks“, “Black ops: how HBGary wrote backdoors for the government” and take a look at Joseph Bonneau’s “Measuring password re-use empirically“.

Some high (or lowlights depending on how you see it) technical elements include:

• An email admin with an 8 letter all lower and number password used on many other sites.
• Custom CMS on two sites with unsalted password hashes.
• Custom CMS with non-complex SQL injection.
• Classic computer system access social engineering.

This is negligence at any company with sensitive customer data, but at a computer security firm this is dereliction of duty.

There there is the unsubstantiated public accusations that could result in severe USA federal criminal charges for the accused, and down right criminal behavior by a white hat security firm.

Aaron Bar for all his arrogance, ego and unethical behavior still comes across to me as the fall guy for a whole (small) computer security firm that had failed to take care of its own security, and has lost its moral compass.

And to make that happen, WordPress must be an easy to develop and design web publishing environment.

Stop! This is comparing apples and oranges. [WordPress] is a honed, refined blogging product that does one thing very well, whereas Drupal is a flexible, extensible CMS plus a huge set of tools for building websites, web applications, and integrating with other tools.
By “jam – Senior Wr….”, “The time is right for Drupal products“

It’s frustrating that competitors are still trying to pigeon-hole WordPress. The satisfying irony is that I expect WordPress’s use for non-blog sites is growing faster than the competitors.

Sure, we have biases. We are biases towards familiarity, usability, and not stressing people — letting people be awesome!

A leading example of what you can do with WordPress 3.0 CMS features is what CBS, with the help of VOCE Communications, have already created for nearing 200 CBS Radio and CBS Local properties. Sites like:

• newyork.cbslocal.com
• kroq.radio.com

There are countless other examples, but a few have been cataloged at wordpress.org/showcase/tag/cms/

Melody is a new WordPress competitor — bring it!

Based on Movable Type Open Source (MTOS), Byrne Reese writes “[the project's] focus initially is consciously not about features, but rather upon laying the groundwork through a well-documented set of processes by which future features and contributions can be made.” to live up to it’s tag line “Community Powered Publishing”.

The tag line seems to directly take aim at Movable Type for not being community powered, though in interview Byrne suggests that may be part of the overhead of Movable Type being an enterprise product.

From my position looking over the fence, I’m sympathetic to how the Movable Type community has suffered since “in 2008 [when] the hyper dedicated Movable Type product manager, Byrne Reese, was laid off from Six Apart”. Sure, the MT community isn’t just that one person, but he sure was a catalyst and one of the only open channels to the inners of Six Apart. Since then there doesn’t seem to have been anyone there for the developer community, or for me, as a member of another project, to collaborate with. Even Byrne’s own recent email to the MTOS-dev list asking “Who is the lead engineer of MTOS?” went unanswered. Here is that email:

“I hate to ask such a seemingly odd question, but I have recently had questions I wanted to address to the lead engineer of MTOS — offlist, but am honestly not sure who that might be right now. Who is the best person to address questions about governance and process to? Is there one?”

Mark Carey writes today on mt-hacks.com:

“Over two years ago, Six Apart, the creator of Movable Type open sourced the code for the core Movable Type application. While its was an exciting and bold move, the announcement and product naming choices were confusing to many — the differences between Movable Type Open Source and the Movable Type Commercial product and closed source add-ons sold by Six Apart weren’t easy to grasp, and some even disputed the newly open source nature of core application.”

Although Six Apart promised that they would  continue “fighting for openness” when they announced “Open Source Movable Type ” at the end of 2007, Melody is now the hope for a Movable Type-based openly developed product. The Open Melody FAQs includes:

“The community created Melody out a shared passion for Movable Type and a shared desire to see it flourish as a platform. We felt that the best and quickest way to achieve that goal was to create a product in which the community was inherently entrusted with a greater degree of control over its direction, communication channels and roadmap, and rewarded with more transparency and a greater sense of belonging.”

Serdar Yegulalp writes “To see a new way for the same framework to be improved, and to allow for feedback and suggestions that stem from my own use, is deeply heartening”

I’m very interested to see how the source code flows. The greatest gift of open source isn’t the right to fork, but the ability to merge.

Wih founding members and leadership including the likes of Byrne, Tim Appnel, Jay Allen , and Jesse Gardner, Open Melody is off to an incredible start. ((By incorporating as a US non-profit there commitment is beyond doubt — if only in surviving the painful process that the WordPress Foundation has recently come out the other end of.)) The web site looks great, and they’ve chosen open and friendly development tools.

What is good for blogging and open source is good for WordPress, and Melody seems very good for both:

• I’m eager to put my frustrations trying to collaborate with the often opaque Six Apart behind me, and collaborate through the Open Melody conduit.
• I can’t wait to see a leaner, more modular open source MT based product emerges that is also more feature rich — further confirmation of WordPress’s own approaches, and more good open source products are great for open source.

If you love blogging or open source, then Melody needs our love, participate! (hence this post)

It’s a free event, and if your work is any way related to the web, you will be missing out if you don’t attend. Register now before the event is full.

Besides, we need to support the grass roots Victoria tech scene — stop the Vancouver tech drain

Dave Olson points out that it’s “strategically scheduled for the same weekend as The Great Canadian Beer Festival”. So it seems safe to expect a good turnout from Drucouver. I know Boris Mann will be in attendance, and participating.

I hope to at least make an appearance. I’ll be looking for opportunies for WordPress collaboration. But me making it there is based on the whim of my baby son — and I won’t have it any other way.

If I wasn’t clear my video really is in no way a comment of the MT Pro product — I’ve never tried it. All the Six Apart teams are clearly very talented, so I’m sure it’s a great product. Though I’m pretty sure it won’t live up to “setting social networking free”.

Let’s break it down:

focus more on telling a story

People that know me, know that I’m all about the story that a product tells, and I think their video failed in the very way that he thinks they succeeded. I didn’t see a compelling story about the experience of Movable Type Pro. As my voice-over reflects, I saw a story that looked like any blogging platform and comments.

Both of us are extremely biased at opposites ends of the spectrum, so neither of us will get it right on this one. I would love to know the results of a diverse group of people each separately watching the video and sharing their reactions.

Honestly, we assume that that everyone else on the web will respond by copying great ideas, as they usually do. Hell, we want them to, so that more people can benefit from open communities on the web.

If you are familiar with Anil’s writing, you may end up with the conclusion, like I have, that he is actually obsessed with being first — or that is one of the SIx Apart key messages anyway. Maybe, it all started because he was Six Apart’s first employee. Check out the Movable Type blog, “A WordPress 2.5 Upgrade Guide” [sic] article for a bit of a taste. If you enjoy the flavor, a Google search will lead you across the Web.

Of any software spaces, blogging is one of the richest for borrowing from each other and providing a consistent experience to customers — everyone benefits from this! I’d like to think WordPress has had as many firsts as any blogging platform, but even if that isn’t the case, I’m much more interested in focusing on doing it well. An example is the TypePad iPhone app was an iPhone launch partner, but the WordPress iPhone app is much more popular, has more reviews, and is higher rated, and we are still busy fixing and improving it.

Until then, they’ve created a parody of our video.

So me spending a couple hours playing around with iMovie in my own time (my 1st time using it), somehow becomes the Automattic answer to MT Pro?! And as I mentioned, no link love, no mention of my name (Lloyd Budd) — very, very bad blogger etiquette. Is iMovie that good that Anil thinks it’s a first rate production? I don’t think so, listening to it again, it is clearly the crap job that I remember doing for my own amusement.

without having your it look like another Facebook or MySpace clone

Did I voice-over the wrong video? I’m pretty sure it was their video that started with Digg, Facebook and MySpace. I might have misspoke, but I thought it would be obvious that I was referring to having social features beyond commenting like those platforms.

Our long-held reputation for publishing highly scalable, “Digg-proof” pages.

That is one of Anil’s favorite sound bites. I know Anil can’t seriously be suggesting that a file based “cache” is a whole solution to being highly scalable.

The funny part is that substitute in WordPress and you have at least an equally true assertion, ‘[WordPress's] long-held reputation for publishing highly scalable, “Digg-proof” pages.’ The reason why this sometimes looks not to be true is because of WordPress’s popularity.

I would bet, with no hesitation, that WordPress sites are far more often dugg, and that unfortunately some of those sites dugg, like my own, are on inexpensive, shared hosted environments that aren’t Digg ready.

For most WordPress customers the dynamic, responsive experience is far more important than “Digg-proof”, but for those that do want to prepare for a digg storm, there are high quality plugins like Super Cache and Batcache and many others that suit your specific configuration and needs.

There is no question that WordPress is scalable, fact is WordPress powers far more of the web than Movable Type, both in terms of web pages served and web sites. Fact is Movable Type doesn’t even power Six Apart’s hosted TypePad, and to my great frustration is incompatible in numerous ways — wonder why there is no Movable Type app for iPhone anyone?

remedy some of the missing features in WordPress if you have enough free time to find the appropriate plugins

Talking out the other side of his face, Anil will point out Movable Type’s rich plugin and theme collection. I’m pretty sure, Pro has even been presented as plugins built on top of MT at one time — bundling.

Of course, there is a huge collection, much larger, of WordPress plugins and themes, and I haven’t heard complaints that it’s hard to find the appropriate plugin. The wordpress.org/extend/plugins gives you information about popularity, and the interface will continue to evolve.

This past weekend, during Matt’s “State of the Word” at WordCamp SF 2008 (video will be online soon!), spoke to how that experience will change and how the actually WordPress plugin usage data will directly help WordPress evolve, with top plugins are polished and integrated into WordPress.

prominent independent security researchers do warn, “[T]he abysmal security practices of WordPress plugin developers places the entire Internet at risk”.

Why pick on the plugin developers brother?

That’s on top of WordPress being one of top ten least secure applications around

Each of the most popular blogging and CMS made the list, as does Linux.

the Department of Homeland Security’s data showing WordPress having twelve times as many reported security vulnerabilities as Movable Type

Should I even touch this one? Since Anil discovered that Home Land Security site I think that has become his favorite. I think it’s more telling that the Department of Homeland Security, and many other US government offices use WordPress (conversation).

And Anil’s article is one of the worst security related articles I’ve ever read. No security expert, nor scientific minded person would sign their name on it with it’s broad, sloppy brush strokes.

There is shame. Security was part of Matt’s State the Word. I don’t know anyone in the WordPress community that is happy with our security history, but it’s getting better and so are our developers.

There is appropriate optimism. With each release I see more potential security issues being reviewed and, when genuine, fixed earlier in the release process. The foundation of WordPress is also being improved to make security mistakes more difficult.

No one justifies the security issues because of popularity, but the IBM’s paper does reflect with popularity comes scrutiny. The loudest message from the paper might be that the bad guys have moved their focus from Windows to open source and to the web.

It seems only in the last couple of years has web security come to the forefront of the industries collective mind, and we’re all learning a lot. All three “top ten”, WordPress, Drupal and Joomla are benefiting from each others improvements, and the larger PHP community is helping a lot.

If Movable Type was as popular, and under the same amount of scrutiny, I can’t imagine they would still be storing passwords as plain text.

I’m confident that WordPress’s security record will get better and better!

The great technology rests on top of world-class support, an incredibly talented professional services group, and a media services team that will help your site and your community succeed.

That last link there is a 404, and maybe that is meta irony there. All those links go to Six Apart services, as does one from earlier in Anil’s article “(We’ll even help you design it.)”.

This is probably the largest difference between Movable Type and WordPress. WordPress is community developed and support — world class.

I remember reading Anil’s comment on Josh Catone‘s Read Write Web article “Six Apart Gets Into Microblogging with Activity Streams“. Here Anil didn’t like that WordPress Prologue — actually that’s a great example of someone not getting the idea, the story — but what bothered me was his attitude towards WordPress plugin developers:

There’s also an important distinction that this is a key part of our platform, developed by the core MT team itself. That means that it’s not a PHP script somebody cobbled together on their own to try to make a lifestream, it’s a framework to actually help open up *all* of these services

I read that as disrespectful to independent developers, WordPress or otherwise.

I see the Automattic team as the WordPress guide. WordPress is completely community created and supported. Automattic takes on the big (scalability) problems that the community doesn’t have the resources for like: providing the free WordPress.com service and fuding usability testing of a new WordPress dashboard experience.

We work with our community, not compete with our community. The work Automattic does is open source, released under the GPL.

Though the WordPress Consultants list, wp-pro and WP jobs are pretty good tools, currently, I expect much of the WordPress professionals’ work through personal relationships in the community. I think this is one of our greatest opportunities as a community. If you agree (blog about it) get in touch with Toni.

I mentioned that the work Automattic does is open source, whenever possible (Akismet is an exception). This isn’t the case with Six Apart’s Movable Type. I’ve written at length, “Movable Type 200% Open Source!“, about the missed opportunity.

With the release of Movable Type Pro, I think Six Apart’s current approach is bad for open source and actually dilutes open source. It seems others share my opinion, as on every thread there seems to be an open source advocate upset about MT Pro not being open source.

At first I was excited to see that the open source information was now on MovableType.com’s download page:

But then I realized the game this table plays is that the open source version isn’t good enough for “Bloggers”, only freetards like myself. I’m pretty sure, I’ve also read Six Apart telling people that the open source version isn’t tested or supported (but it’s the same software without some plugins, promise).

First, we set publishing free. Next up, social networks.

Actually, the WordPress community can take that first credit (not that I’m obsessed with 1sts) by creating the most popular installed blogging software, and it being open source. I don’t know about the next up, but there are many contenders, and WordPress and BuddyPress communities would be honored to be among them.

If I wanted to use Movable Type Pro for a social network with that Six Apart’s pricing it would probably be a social network of one. Anyway, without it being open source, it won’t be setting any one free, just making it a little easier to disobey the boss.

And that is why I think, Anil, people are so excited about BuddyPress, because it is among the real possibilities of setting social networking free.

our lead by planning to provide some of these abilities for WordPress in a collection of plugins that you should be able to assemble around Christmastime or so

There are so many reasons why I don’t know whether to laugh or cry.

Anil Dash has been pissing all over the web calling BuddyPress vaporware. See his comments at:

• CNET Webware “Movable Type, WordPress becoming social platforms“
• Mashable, “Six Apart Provides Social Networking Capabilities with Movable Type Pro“

Where I come from, vaporware is a derogatory term. It’s clear that he doesn’t like WordPress BuddyPress being part of the conversation.

BuddyPress isn’t vaporware, a community is developing it today. You can download the code today. It is open source today!

I get emails and IMs from friends that have checked it out and are already grooving on where it is going.

Collection of plugins

That is just a packaging issue, and packaging issues are easy.

Christmastime or so

This coming from a key member of the team that made a press release seven months before the open source flavor of Movable Type — well over a year, if a public bug tracker is an important detail to you. The community will decide when the code is ready to be called a product.

Wow, this is way long. I’ll wrap it up here.

I didn’t find the Movable Type Pro introductory video well done or sincere, hence the parody. Am I really so bad for poking fun at the competition? Does the tension date back to Six Apart not being invited to the Blogger and WordPress dance off?

I read with interest Adam Freetly’s Top 10 WordPress CMS Plugins and the discussion around it on weblog tools collection and other sites. It is a great list of plugins, but I have a problem with one of the plugins on the list, or the claims that people make about it anyway:

Google Sitemap Generator – The biggest benefit of using wordpress is the manual labor you save because the software already knows where all of your content is. This Plugin submits a comprehensive index of your site to google, yahoo, MSN Live, and Ask.com every time you update your site. It’s a huge boost to your site’s SEO. by Arne Brachhold

In my experience working with numerous clients, I’ve seen no benefit of having a site map, and the claim that it provides a huge boost to your site’s SEO is hollow.

If it does provide such a boost surely many people would have data to support this. I’ve seen nothing that supports these claims to my satisfaction.

Looking at sitemaps.org, the site sponsored by Google, Yahoo, and Microsoft for this topic, the front page reads (emphasis mine):

Sitemaps are an easy way for webmasters to inform search engines about pages on their sites that are available for crawling. In its simplest form, a Sitemap is an XML file that lists URLs for a site along with additional metadata about each URL (when it was last updated, how often it usually changes, and how important it is, relative to other URLs in the site) so that search engines can more intelligently crawl the site.

Web crawlers usually discover pages from links within the site and from other sites. Sitemaps supplement this data to allow crawlers that support Sitemaps to pick up all URLs in the Sitemap and learn about those URLs using the associated metadata. Using the Sitemap protocol does not guarantee that web pages are included in search engines, but provides hints for web crawlers to do a better job of crawling your site.

Reading more of the limited material on the site, the scenarios where a site map is most helpful is for a site where the content isn’t well linked, ie a bot can’t spider through all of your content. Sites where this is a problem are fundamentally broken, and you should look to change your information architecture or web site software (CMS). WordPress doesn’t suffer from this problem.

Sure, the search engines (Google in particularly) loves as much data as you will feed them.

As I said, in my experience a site map has provided no benefit to web traffic. In fact, people would scream blue murder if it, because search engines would be requiring sites to be constructed in a special way, instead of web site creators focusing on their content, and search engines focusing on returning the most relevant results.

I have tested Arne Brachhold’s Google Sitemap Generator and it is an excellent, well written plugin. No question about that. But it is still one more think that has to be installed, configured, maintained, and is not without overhead.

I’m filing this one, SEO alchemy.