wordpress.com requires its registered users to log in to be able to comment

When I try to comment on sites hosted on wordpress.com and I use my main email address I get a notice that says something like “The email being used is already registered with us, please login to your account”.

I guess that the idea is to try and prevent people from impersonating other commenters, but the implementation is an awkward one as it assumes that everyone is an impersonator until proven innocent and adds yet another step, for anyone not currently logged in to wordpress.com, in sending a comment. I wonder how many people just abort the comment at that stage, I know I have done it at least once.
It is also strange that you have to identify against wordpress.com when there are other identity providers like google, facebook and twitter which can also be used to verify the email address.

And all of this is because the idea behind the gravatar service, which is now fully integrated into wordpress.com, is naive – you should not identify people by something which is very public information like their email address, period.

What could they have done better? This should have been an opt-in kind of service. I don’t think the chance of anybody trying to impersonate me is higher than zero and I am willing to take the risk in order to have an easier life. In addition the best way to verify an email address is by actually sending an email to it and asking for an action to be made. Maybe something like “we detected that you are commenting on xxxxx, if it isn’t you, you can remove the comment by clicking the link yyyyy”. Sure there is a risk of spamming the email address that way, but it might be effective enough to reduce the impersonating attempts to zero.

great day for the users of the web: yahoo and google have smacked the adware maker babylon

It was reported that google will not renew its agreement with babylon, a report that sent babylon stock on the Israeli stock exchange into a 70% nosedive. This came about a week after yahoo sent a message to babylon that it is extremely unsatisfied with the way babylon products behave.

Not sure what babylon is? babylon used to be the developer of translation software which you actually had to pay for in order to use. But at some point the people of babylon discovered that the dark side has much better cookies and more money to offer than the honest translation software business, and they started to use their familiar and mostly loved brand name to hijack browsers during their software install, and switch the search engine settings so that searches will go through babylon’s search engine, which is just a proxy to the google or yahoo search engines.
They made money out of this scheme because google and yahoo pay for each referral to their engines.

Since babylon made money from each search going through them, they made every effort to prevent the user from changing his search engine settings even after babylon was installed. If hijacking browser settings by itself is very annoying, making it so hard to uninstall made babylon more of a virus developer than a legit software company.

Nothing is new here and one has to wonder why it took google so much time to do something about it.

will conduit be the next one to be smacked?

John Scalzi on comments on websites

It is nice to see that other people agree with my stand on comments, especially a web celeb like Scalzi.

In a general sense, though, I think it’s well past time for sites (and personal blogs) to seriously think about whether they need to have comment threads at all. What is the benefit? What is the expense? Blogs have comments because other blogs have comments, and the blog software allows comments to happen, and I suspect everyone just defaults to having comments on.

read the (much much longer) rest

If you edit your config files via SSH then you should keep them in an inaccessible place

There is an exploit that can hit only those who know how to use linux to manage their site. Apparently linux editors store a backup copy of the file being edited in the same directory as the file. Therefore, when a config file is being edited a copy of it is created, and since the names the editor gives to the backup files are predictable, and the files are usually accessible as plain text from the web, all the data in the config is exposed at edit time. It is even worse if the editor failed to erase the backup after editing was finished.

Therefore you should either not edit config files locally, but transfer them over FTP, or put them in an inaccessible location (if wordpress is installed at the root directory you can put the config file in the usually inaccessible directory above it), or replace the config script with a script that reads the config, or the secret parts of it, from another location.
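A check for the leftovers described above, as an added example that is not part of the original post: it walks a web root and reports files matching the naming patterns that vim, emacs and nano use for swap and backup copies, plus common manual-copy suffixes. The function names and the sample tree are constructed for illustration.

```python
import fnmatch
import os
import tempfile

# Leftover-file patterns written next to the edited file by common editors.
# vim: .name.swp/.swo swap files and name~ backups; emacs: name~ and #name#;
# nano: name.save after an abnormal exit. *.bak/*.orig/*.old are manual copies.
LEFTOVER_PATTERNS = ["*~", ".*.sw?", "#*#", "*.save", "*.bak", "*.orig", "*.old"]


def find_editor_leftovers(web_root):
    """Return sorted paths (relative to web_root) of editor leftovers."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        for name in filenames:
            if any(fnmatch.fnmatchcase(name, p) for p in LEFTOVER_PATTERNS):
                full = os.path.join(dirpath, name)
                hits.append(os.path.relpath(full, web_root))
    return sorted(hits)


def build_sample_root():
    """Constructed sample tree: a WordPress-like root with two leftovers."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "wp-content"))
    for rel in ("wp-config.php", ".wp-config.php.swp", "wp-config.php~",
                "index.php", os.path.join("wp-content", "notes.txt")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    # Each hit is a file the web server would hand out without running PHP.
    for path in find_editor_leftovers(build_sample_root()):
        print("leftover served as plain text:", path)
```

Run it against the real document root from cron or a deploy hook and treat any hit as a finding. In vim, the `directory` and `backupdir` options move swap and backup files out of the edited file's directory.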

twitter got hacked, guess it is a bad idea to trust it in managing my online identity

The news is that twitter got hacked and up to 250k user accounts were compromised. I’m not a real user of twitter although I have an account, so I might be wrong but in my opinion no one will feel extremely sad if some of his mental farts will be deleted or changed. Content on twitter, by the nature of the service that focuses on real time updates, is just not important enough in the long run.

But…. twitter is also a leading identity authentication provider on the web. If my twitter account was compromised it means that for a while the hacker had access to all the sites to which I have registered with my twitter account. It is hard to generalize how much cascading damage can follow from the hacker using my account, but it is not nice to even think about it. Twitter didn’t disclose the nature of the information to which the hacker got access, but I truly hope they don’t have a log of the sites to which I authenticate myself using my twitter account.

What about letting the sender know that his message ended up in the spam queue?

The really annoying thing about spam is not that we are wasting our bandwidth to process it, but false positives – messages which our anti spam software decided are spam while they were totally legit. This hurts us both as receivers and senders: we can never be sure that we haven’t missed a great business offer because it was marked as spam, or that the message that we sent asking for urgent help, from someone who should be inclined to help us, was not ignored but lost because it looked like spam.

In the email world you can at least ask for an auto respond when the email was read. Not a great indication, as it is impossible to know if the email was marked as spam or someone is impolite or just can’t be bothered with clicking the button which will send the auto respond indication.

In the blog comment world, and contact pages we don’t even have that, you can’t even ask to be notified if your comment/contact message got into the read queue instead of the spam queue.

In the email world it is impossible to let the sender know if the email was declared spam, because the sender part of the email is always spoofed by the spammer and if you send the “sender” an automatic message telling him that his message was declared spam, you will bombard unsuspecting people who don’t even know that you exist with these messages.

Websites are in a better position as the HTTP protocol forces you to send a reply, so why not send something like “sorry but my stupid and out of date anti spam software decided your comment is a spam” when a comment is declared as spam? Spam bots will probably ignore it, but legit commenters will know that they should not expect the comment to be published, and if they have to, they can try contacting the site owner by other means.

With the rate I get them, akismet might as well delete all spammy comments

About 4 hours ago I deleted 90 comments which akismet declared as spam, now I have 5 more spammy comments. At this rate of spam, there is no chance that I will be able to detect any false positive in the spam queue, therefore I wonder what exactly is the point of having a spam queue. And this is on a new blog which should be low ranked for any interesting search term. Am I just an anomaly or are more popular blogs getting even more spam?

This isn’t only a blog comments problem, most of the time if your mail gets into a spam queue on someone’s mail the chances he will notice it are very slim. I am lucky since I don’t receive much mail in English and I can quickly scan my spam for Hebrew subject lines and find false positives.

Over the last years we were conditioned to trust our spam filters. Maybe it is time to take a step further and just configure them to delete anything that looks like spam and save us the need to manually delete it.

Contact forms have to store the submitted information in the database as sending it in e-mail is not reliable enough

Ran into a contact form problem on a client’s site. The result of sending a contact request via a form was an error message displayed to the submitter and no email was sent to the admin of the form.
It turned out that the admin email was misconfigured: a totally invalid address was used, and the software that was handling the actual transmission first tried to validate the address and failed because it did not validate.

This can be looked upon as one more case of dumb user failing to copy&paste his own email address, but once you start thinking of it you realize that the main problem is not whether the address was correct or not, but that the indication was displayed to the submitter while the site admin didn’t know anything about it.

And even if everything was configured correctly, will the admin be guaranteed to receive the e-mail? Not at all. Between having a problem in his own POP/IMAP server, spam filters that identified the mail as spam, a server upgrade that resulted in a misconfigured mailing component, and an SMTP server configuration change (password for example) about which the admin was not notified, the chances that right now someone is not getting a contact request that was submitted successfully are pretty high.

Yes, at least on the server side it is possible to log whatever errors you can when sending the mail to the internet fails, but who really bothers to read the error log if he doesn’t know that there is something wrong, and how will you know if even when a problem is detected it is displayed to the submitter instead of the admin?

Isn’t it much better to keep all the contact requests in the server’s DB, and notify the admin that he has new contact requests awaiting him? This way even if the notification had failed he will still be able to access the data, and as a bonus it will be accessible even when he can’t access his mailbox.

It is probably not as simple for commercial organizations in which the contact form submission is just the first step in a sale, and it is convenient to track it in your mailbox, but hopefully these kinds of organizations have better CRM solutions than just using email.
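The store-first design argued for in this post, as an added example that is not part of the original: the request is committed to the database before any mail is attempted, a failed notification is recorded for the admin, and the submitter never sees the mail error. The table layout, function names and the `notify` callable are hypothetical.

```python
import sqlite3
import time


def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS contact_requests (
        id INTEGER PRIMARY KEY, received_at REAL, sender TEXT, body TEXT,
        notified INTEGER DEFAULT 0, notify_error TEXT)""")
    return db


def submit_contact(db, sender, body, notify):
    """Store the request first, then try to notify the admin.

    `notify` is a hypothetical callable (e.g. a wrapper around the site's
    mailer) that raises on failure. Its failure is recorded for the admin
    and never shown to the submitter.
    """
    cur = db.execute(
        "INSERT INTO contact_requests (received_at, sender, body) VALUES (?, ?, ?)",
        (time.time(), sender, body))
    db.commit()  # the message is durable before any mail is attempted
    request_id = cur.lastrowid
    try:
        notify(f"New contact request #{request_id} from {sender}")
        db.execute("UPDATE contact_requests SET notified = 1 WHERE id = ?",
                   (request_id,))
    except Exception as exc:  # misconfigured address, SMTP down, ...
        db.execute("UPDATE contact_requests SET notify_error = ? WHERE id = ?",
                   (str(exc), request_id))
    db.commit()
    return {"ok": True, "message": "Thanks, your message was received."}


def pending_for_admin(db):
    """Requests the admin was never told about, for the admin dashboard."""
    rows = db.execute("SELECT id, sender, notify_error FROM contact_requests "
                      "WHERE notified = 0 ORDER BY id")
    return rows.fetchall()


def broken_mailer(_text):
    # Constructed failure modelling the invalid admin address from the post.
    raise ValueError("invalid admin address")
```

With `broken_mailer` as the notifier the submitter still gets the success reply, and `pending_for_admin` returns the stored request together with the mail error.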