badlyDrawnToy

Last night I attended the Manchester Digital AGM. The primary reason for my attendance was to try to get my good friend, and collaborator, Stephen Greene, elected to the council. Having travelled in from Macclesfield I was little frustrated to discover that I couldn’t vote – I’m part of a Company membership, and only the Company gets a vote.

What I thought strange was the electoral process – there were no hustings. The emphasis for the evening was on the AGM, not the vote. Votes were cast at the beginning of the evening, so there really was little chance to get to know the candidates on the night. I guess the lesson learned for next year (particularly for Stephen) is that it is important to spend the next 12 months getting to know the movers and shakers in the Manchester Digital community, in time for next year’s election.

The AGM was my first attendance at a Manchester Digital event. I didn’t expect it to be too much of an opportunity to network – particularly as I made an early exit to watch Liverpool’s goalfest. But, it was a little frustrating this morning to awake and find that I had a new Twitter follower, who was also at the event, and had discovered me using TwitterSearch. Said new follower seemed as frustrated as I was that a chance to meet others had been wasted. To quote/tweet:

TweetDeck aided search reveals a number of tweeters attended the Manchester Digital AGM – but barely met any. Networking fail – grr.#mdagm09

Or to put it another way:

If a twitterer tweets and no one is around, does it make a noise?

Clearly not. Twitter’s weakness is that there is no real discovery mechanism. If I’m not already following someone, how do I discover them? I either find them on someone else’s network of followers, or I use hashtags.

HashTags are a great idea, but suffer from the same issue – discovery. How do I know what tag to follow? Case in point: Last night’s AGM was tweeted using the hashtags #manchesterdigital, #mdagm09 and #ManchesterDigitalAGM. Who decided which tag to use? Simple answer – the twitter author, at the time of their tweet.

Perhaps what is needed is a some sort of mechanism for establishing and discovering a hashtag before attending an event? Not sure. Many tags have a short shelf life, and are not always associated with events. But it would be good if I could visit, for example, the MDDA web site and discover a pre-established hashtag. Some sort of auto-discovery would be great ( think microformats, greasemonkey scripts). Or perhaps event organisers should simply publish a hashtag along with their event communications?

Now that I’m well and truly freelance, I’m hope attend MDDA affiliated events such as GeekUp and Northern Digitals. The people I know online, are mainly know to me by their username and avatar. I could be at the same event as them and not know they were there. I’d like to think that Twitter could come to my aid.

Think I’ll have another coffee, and see if I can come up with a solution to this organised chaos.

Tags: hashtags, linkedin, manchester digital, twitter

Some time ago, I provided a simple JQuery solution for replacing target="_blank" when writing Strict XHTML. However, one commenter recently pointed out that my solution does not work if the rel attribute contains more than one value e.g. rel="external nofollow"

Well, JQuery to the rescue again. A very slight modification to the Attribute Filter fixes this issue. The code now reads:

$(function() {
	$('a[rel*=external]').click( function() {
		window.open(this.href);
		return false;
	});
});

Notice the asterisk. This matches attributes that contain a certain value, as explained in the JQuery docs.

However, this isn’t the full redux. Thanks to the power of JQuery, we can identify external links without the need for the rel="external" attribute at all.

Assuming that all internal links are relative e.g. href="/contact", we can simply search for all hyperlinks whose anchor contains a fully qualified url, or more precisely starts with http e.g. href="http://some.site.com".

The final code now looks like this:

$(function() {
	$('a[href^=http]').click( function() {
		window.open(this.href);
		return false;
	});
});

And that’s the power of JQuery

Tags: JQuery, linkedin

At last, The Guardian newspaper has released a version for the iPhone (and other mobiles). And not before time. The regular website proves (to me) that you can pinch and zoom a page as much as you like, but it ‘aint easy to read and navigate on a mobile phone. It also showed how flaky Safari is on the iPhone – wait ages for a page to load only for the Javascript to cause the browser to commit suicide.

So, for a stress-free news catchup, try m.guardian.co.uk

Tags: iPhone, mobile, The Guardian

I spent several hours last week rescuing two WordPress blogs (this blog and GastroGrrl) that had both been exploited, and had become victims of nefarious spam links.

h2. WordPress Exploit

The exploit was remarkably clever. Only when Google’s search engine spider (googlebot) visited the site, did it include spam links at the footer of the page. The links were only visible when looking at the text-only version of the cached copy in google’s index. The reason I’d found the spam, was because the keywords showed up in the Google Analytics application, and GastroGrrl was no longer appearing in google’s index.

The exploits were a couple of files found on the web server – disguised as jpg and png image files – that were in fact malicious PHP scripts. The scripts went as far as adding a new user to the database.

I had no alternative except to completely reinstall both the WordPress application, and also the database. Twice. Not much fun.

The installs were up to date, though a few months ago, I was late in updating the software. Yesterday, WordPress announced another security update to version 2.6.5.

Along with the release, was a note that the version number had skipped from 2.6.3 to 2.6.5 due to a malicious, fake version of a 2.6.4 release existing online. Several months ago, an official WordPress download was hacked on the official servers, and exploits were widely distributed.

h2. Open Source Risk

Keeping open source weblog applications, like WordPress, up-to-date, can become quite an administrative overhead for those that manage client blogs. As weblogs have moved into the business/PR/marketing domain, many of those managing the blogs are not fully-fledged system administrators with the knowledge on how to secure their database or unix file permissions. This is a potential risk to the customer.

The problem is not limited to WordPress. OSCommerce, Drupal, Joomla – all popular open source applications – have all had exploit issues. This is not so much because the applications are poorly coded; it’s the nature of open source – anyone can examine the code. The more popular the application, the more likely it will be exploited.

In my work with Stan, when we discuss client requirements, we consider 3rd party open source solutions versus bespoke development. Much of the decision is based on the specific requirements, but increasingly, we also consider the security risk, and maintenance overhead.

A simple example is the ubiquitous CAPTCHA utilities found on web forms. They are an obvious target for spammers, who want to leave spam comments on weblogs etc. Open source CAPTCHA’s became a popular way to thwart such spam, and have become increasingly complex as they face a continuing battle with the spammers. In my opinion, this problem has now gone full circle. When applying a CAPTCHA solution to a web form, I choose *not* to implement a standard, open-source solution, opting instead for my own, less complex, easier to exploit, implementation. It may be easier to exploit, but who is going to bother?

Open source is great. My day-to-day development utilises numerous open-source applications. However, when a customer’s reputation is at stake, and indeed our client relationship, one has to ask the question – is open source software a risk to your business?

Tags: linkedin, open source, spam, wordpress