The Community Amplifier

Twitter / O'Reilly OSCON: Chris Messina receiving "Be...

I am honored to be a recipient of this year’s Google O’Reilly Open Source Award for being the “best community amplifier” for my work with the microformats, Spread Firefox and BarCamp communities! (See the original call for nominations).

Inexplicably I was absent when they handed out the award, hanging out with folks at a Python/Django/jQuery drinkup down the street, but I’m humbled all the same… especially since I work on a day to day basis with such high caliber and incredible people without whom none of these projects would exist, would not have found success, and most importantly, would never have ever mattered in the first place.

Also thanks to @bmevans, @TheRazorBlade, @kveton, @anandiyer, @donpdonp, @dylanjfield, @bytebot, @mtrichardson, @galoppini for your tweets of congratulations!

And our work continues. So lucky we are, to have such good work, and such good people to work with.


Vulnerability in WP Super Cache v0.1

Twitter / Christian Heilmann: OK, supercache has fail. It allows you to even get to the root and create copies of every folder.

Sometime yesterday morning I logged into my TextDrive account to make some more changes to my blog template and noticed two odd folders in my blog root directory called rh4m4.t35.com and http://www.kolortavil.org. I believe that the folders were empty, but nevertheless, it was clear that someone had broken into my site.

I deleted the suspicious folders and quickly reviewed the changes I’d made the day before and realized that the culprit was probably wp-super-cache, a new WordPress plugin that I’d installed the night before. I went ahead and disabled and then deleted the plugin (taking care to delete the supercache folder in /wp-content/cache/) and notified Joyent customer support (transcript and notes here) and Donncha Caoimh, the developer. I also twittered about the incident.

Sometime later I saw that Stephanie Sullivan had replied to me letting me know that Tiffany Brown was having a similar experience (though with greater consequence) and a report in the WordPress forums. Both Kristie Wells from Joyent and Donncha got back to me, the former confirming my suspicion that it was some kind of PHP Injection vulnerability and the latter asking for additional information.

This morning I found Chris Heilmann’s post on the subject confirming my concerns:

…Checking the folders created I found the same two injection attempts Tiffany mentioned. The caching allowed code injected as txt urls via “i” or “s” parameters to be executed.

In my case I found that half my server was mirrored into the supercache folder in the plugin’s cache folder. Not good.

I was happy to see that my etc folder and other more interesting bits were not reached yet before I deactivated the plugin. Right now I am playing grepmaster to see if there are some injections left. My action: deactivated and deleted all caching plugins and their cache folders (best via SSH as FTP is a PITA with so many files).

I’ve now been in touch with Barry from Automattic and have followed up with Donncha, who have both been very patient and helpful in parsing through my logs trying to replicate the vulnerability.

The most likely culprit is an unquoted ABSPATH in v0.1 of the plugin. According to Donncha, “The ABSPATH part of the WPCACHEHOME definition could possibly have expanded when it was being written to the file. Unfortunately it wasn’t quoted so that may have done strange things to other variables like $cache_path.” Barry says that the problem, though annoying, is just a bug and was likely just a misdirected attack on potentially vulnerable Drupal sites and that it won’t do more than create some benign directories in a WordPress install. Fortunately v0.3 of the plugin seems to have resolved the problem; meanwhile you can download or checkout the latest development version that corrects the ABSPATH issue.
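For anyone doing the same clean-up, here is an added example (not code from the post, from the plugin or from its developer) of the check described above in script form: it walks a cache directory tree and flags directories named after a hostname or URL other than the site’s own, plus cached files that carry a PHP open tag. The cache layout, the hostname heuristic and the sample tree it builds are assumptions constructed for the demo; to use it on a real install, point scan_cache at your wp-content/cache directory and pass your own hostname.

```python
import os
import re
import tempfile

# A WP Super Cache tree normally keeps cached pages under a directory named
# after the site's own host; any other hostname- or URL-shaped directory name
# is worth a look. Heuristic constructed from the folder names in the post.
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)
URL_PREFIX_RE = re.compile(r"^(?:https?|ftp):", re.I)
# Cached pages should be plain HTML; a PHP open tag inside one is a red flag.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)")


def looks_like_foreign_host(name, own_host):
    """True when a directory name looks like a hostname or URL that is not own_host."""
    n = name.lower()
    if n == own_host.lower():
        return False
    return bool(URL_PREFIX_RE.match(n) or HOSTNAME_RE.match(n))


def scan_cache(cache_root, own_host):
    """Walk cache_root and return (suspicious_dirs, files_with_php), both sorted."""
    suspicious_dirs, php_files = [], []
    for dirpath, dirnames, filenames in os.walk(cache_root):
        for d in dirnames:
            if looks_like_foreign_host(d, own_host):
                suspicious_dirs.append(os.path.join(dirpath, d))
        for f in filenames:
            path = os.path.join(dirpath, f)
            try:
                with open(path, "rb") as fh:
                    if PHP_TAG_RE.search(fh.read()):
                        php_files.append(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return sorted(suspicious_dirs), sorted(php_files)


def build_demo_tree():
    """Create a constructed cache tree for the demo: one legitimate cached page
    for example.com, one foreign-looking directory, one file with a PHP tag."""
    root = tempfile.mkdtemp(prefix="supercache-demo-")
    own = os.path.join(root, "supercache", "example.com", "about")
    os.makedirs(own)
    with open(os.path.join(own, "index.html"), "w") as fh:
        fh.write("<html><body>About us</body></html>\n")
    os.makedirs(os.path.join(root, "supercache", "intruder.example.net"))
    with open(os.path.join(own, "odd.html"), "wb") as fh:
        fh.write(b"<html><?php echo 1; ?></html>\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    dirs, files = scan_cache(demo_root, "example.com")
    for d in dirs:
        print("suspicious directory:", d)
    for f in files:
        print("cached file contains PHP:", f)
```

The script only reports; deleting what it finds is left to you, since a hostname-shaped directory is a hint, not proof. Anything it flags is a candidate for the manual review the post describes, not a verdict.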

I’ve written up my experience so far and let others know to watch out for irregularities if they choose to install the wp-super-cache plugin. I’m actually going to give the latest version another go and will report any problems here should I experience any.

While I’m at it, I’d like to point out the important role that Twitter and personal blogs played in tracking this down; and that Joyent support, Barry from Automattic and Donncha himself all played supportive roles in resolving this issue.

Twitter hashtags for emergency coordination and disaster relief

I know I’ve been beating the drum about hashtags for a while. People are either lukewarm to them or are annoyed and hate them. I get it. I do. But for some stupid reason I just can’t leave them alone.

Anyway, today I think I saw a glimmer of the promise of the hashtag concept revealed.

For those of you who have no idea what I’m talking about, consider this status update:

Twitter / nate ritter: #sandiegofire 300,000 peopl...

You’ll notice that the update starts out with “#sandiegofire”. That’s a hashtag. The hash is the # symbol and the tag is sandiegofire. Pretty simple.

Why use them? Well, it’s like adding metadata to your updates in a simple and consistent way. They’re not the most beautiful things ever, but they’re pretty easy to use. They also follow Jaiku’s channel convention to some extent, but break it in that you can embed hashtags into your actual post, like so:

Twitter / Mr Messina: @nateritter thanks for keep...

Following the , this simple design means that you can get more mileage out of your 140 characters than you might otherwise if you had to specify your tags separately or in addition to your content.

Anyway, you get the idea.

Hashtags become all the more useful now that Twitter supports the “track” feature. By simply sending ‘track [keyword]’ to Twitter by IM or SMS, you’ll get real-time updates from across the Twitterverse. It’s actually super useful and highly informative.

Hashtags become even more useful in a time of crisis or emergency as groups can rally around a common term to facilitate tracking, as demonstrated today with the San Diego fires (in fact, it was similar situations around Bay Area earthquakes that led me to propose hashtags in the first place, as I’d seen people Twittering about earthquakes and felt that we needed a better way to coordinate via Twitter).

Earlier today, my friend Nate Ritter started twittering about the San Diego fires, starting slowly and without any kind of uniformity to his posts. He eventually began prefixing his posts with “San Diego Fires”. Concerned that it would be challenging for folks to track “san diego fires” on Twitter because of inconsistency in using those words together, I wanted to apply hashtags as a mechanism for bringing people together around a common term (that Stowe Boyd incidentally calls groupings).

I first checked Flickr’s Hot Tags to see what tag(s) people were already using to describe the fires:

Popular Tags on Flickr Photo Sharing

I picked “” — the tag that I thought had the best chance to be widely adopted, and that would also be recognizable in a stream of updates. I pinged Nate and around 4pm with my suggestion, and he started using it. Meanwhile, Dan Tentler (a co-organizer who I met at ETECH last year) was also twittering, blogging and shooting his experience, occasionally using #sandiegofire as his tag. Sometime later Adora (aka Lisa Brewster, another BarCamp San Diego co-organizer) posted a status using the #sandiegofire hashtag.

Had we had a method to disperse the information, we could have let people on Twitter know to track #sandiegofire and to append that hashtag to their updates in order to join in on the tracking stream (for example, KBPS News would have been easier to find had they been using the tag) (I should point out that the Twitter track feature actually ignores the hashmark; it’s useful primarily to denote the tag as metadata in addition to the update itself).

Fortunately, Michael Calore from Wired picked up the story, but it might have come a little late for the audience that might have benefitted the most (that is, folks with Twitter SMS in or around affected areas).

In any case, hashtags are far from perfect. I have no illusions about this.

But they do represent what I think is a solid convention for coordinating ad-hoc groupings and giving people a way to organize their communications in a way that the tool (Twitter) does not currently afford. They also leave open the possibility for external application development and aggregation, since a Twitter user’s track terms are currently not made public (i.e. there is no way for me to know what other people are tracking across Twitter in the same way that I can see which tags have the most velocity across Flickr). So sure, they need work, but the example of #sandiegofire now should provide a very clear example of the problem I’d like to see solved. Hashtags are my best effort at working on this problem to date; I wonder what better ideas are out there waiting to be proposed?

The story of exPhone.org

At FOO Camp, we held a session on Green Code and discussed various tactics for reducing power consumption by reducing (primarily) CPU cycles through wiser platform decisions and/or coding practices.

Somewhere in the discussion we brought up the impending launch of the iPhone and it occurred to me that there really wasn’t any substantive discussion being had about what to do with the many thousands of cell phones that would be retired in favor of newer, shinier iPhones.

Thus the seed for exPhone.org took root and began to germinate in my mind — as something simple and feasible that I could create to raise awareness of the issue and provide actionable information for busy people who wanted to do the right thing but might not want to wade through the many circuitous online resources for wireless recycling.

I had a couple of constraints facing me: first, I needed to get this done while Tara was traveling to Canada as I wanted it to be an [early] surprise birthday present. Second, I needed to get it done before so I could leverage the event to promote the site. And third, I had other competing priorities that I really needed to focus on.

I went about designing the site in Keynote (my new favorite design tool), relying heavily on inspiration from Apple’s section. I did a bunch of research and posted a lot of links to a Ma.gnolia group (in lieu of a personal set) and created a Flickr group at the same time. I of course also registered the associated Twitter account.

As I went about developing the site, I felt that I wanted to capture everything in a single page — and make it easy for printing. However, I brought my buddy Alex Hillman into the project to help me with the trickier PHP integration bits (his announcement) and he convinced me that multiple pages would actually be a better idea — not to mention compatible with my primary purpose of encouraging sustainable behavior! — and so we ended up breaking the content into three primary sections: Preparation, Donation and Recycling.

We riffed back and forth in SVN and things started to solidify quickly and we quickly realized that we should make the site more social and interactive. And, rather than build our own isolated silos, we decided we’d pull in photos from Flickr, bookmarks from Ma.gnolia and Delicious and use the groups functionality on Flickr and Ma.gnolia. This meant Alex simply had to toss the feeds into Yahoo! Pipes, dedupe them and then funnel the results in a SimplePie aggregator on our end to output the resultant feeds. It turned out that Pipes was, for some reason, not as reliable as we needed and so Alex ripped them out and ended up bumping up SimplePie’s caching of the direct feeds.

Alex put in extra effort on the Flickr integration side, creating an exPhone user account on Flickr and setting up email posting to make it super simple to get your photos of your exphones on to the site. All you have to do is take a photo of your exphone and email it to myexphone@exphone.org with a subject like this: tags: exphone, ‘the make and model of your phone’ (yes, the make and model should be in single quotes!). We’re kinda low on photos on there, so we’d love for you to contribute!

Lastly, I’ve gotta give props to The Dude Dean for his SEO tips. I’m typically not a fan of SEO, but I think when applied ethically, it can definitely help you raise your relevance in search engine results. We’re nowhere in sight, but I’d love to get up in the cell phone recycling results.

I’ve written this up primarily to demonstrate an evolving design process (Keynote to HTML to SVN prototyping to iterative launch) and the use of existing technology to build a simple but rich web application. By leveraging web services via various APIs and feeds, Alex and I were able to build a “socialized” site with little original development, where most of our efforts were focused on content, design and behavior. I also made sure to mark up the site with microformats throughout, making it trivial to add the organizations I mentioned to your address book or reuse the data elsewhere.

I like the idea of “disposable web apps” or “single purpose apps” that provide useful information, useful functionality or simply reuse existing materials in a novel or purposeful way. I’m also thrilled that Alex and I cobbled this thing together from scratch in a matter of three days. Yeah, it’s not a long-term, high value proposition, but it was great fun to work on and is something concrete that came out of that discussion at FOO Camp.

I of course welcome your thoughts and feedback and invite you to add your own stories, links or photos to the site!

A different kind of net neutrality: Carbon Offsetting Web 2.0

Flickr Green

A couple months ago I had an idea that I’ve wanted to socialize since, but had only taken to doing so behind the scenes. Things being as they are, I’ve had little time to really advance this cause further, other than push it on a few friends who, so far, have reacted quite positively.

Prompted by Jeremy Zawodny’s post about Yahoo going carbon neutral and in support of Chris Baskind’s month-long effort to get high quality environmental links added to his Lighter Footstep group, I thought I’d finally write this up to see if it draws any interest.

The idea is rather simple and requires but one piece of support infrastructure that fortunately my fellow citizen coworker Ivan Storck is already hard at work on (more about that later).

So what’s the idea? Well, quite simply, it’s a web service that you use to offset the carbon footprint of your customers using your app. This would be mostly beneficial for larger services, but it’s my belief that every little bit counts!

For freemium services like Basecamp, WordPress and Last.fm, providing an option for paying members to add $1/month to their bill in order to offset their use of your web service is where it begins. In exchange for this contribution, they would get a special distinction within the community, like a green avatar or badge to denote their carbon neutral status:

Last.fm Green

Now, this might seem like a trivial incentive, but then you might also be surprised to learn that the number one reason that people pay to upgrade their Flickr accounts is not because they need more storage or unlimited uploads, but instead because they want that tiny little PRO label next to their name. Offering a similar incentive on social networks — and making “offsetting cool” becomes a way to propagate this behavior, ultimately working towards completely offsetting the entirety of Web 2.0.

Now, those of you who have read up on or know anything about the power that servers draw will quickly be able to recognize that $1/month to offset a single user account is going overboard, given that it technically only costs a few cents per month to power most people’s individual use of social networking sites. And while you wouldn’t be wrong, you’ve hit on an interesting social component of this campaign: those who want to offset can do so, and in doing so, won’t just be offsetting their footprint, but some of their neighbors’ as well, in an act straight out of Caterina Fake’s culture of generosity. So it’s not so much about offsetting one’s personal use, but about offsetting at a social level — and that this good deed is reflected in a user’s avatar or badge means that anyone can effectively “upgrade” themselves to carbon neutral status — once they get annoyed that all their friends have “leveled up” and they haven’t. Meanwhile, those who have upgraded as a proactive choice can feel reassured that their influence is affecting those around them to make similar decisions, even if for different reasons — in the end, the result is doubleplusgood.

So, about that API that I mentioned. It’s important to realize that 1) we’re in the early stages of and the 2) not all carbon offsetting funds are created equal (this is something I’m becoming evermore familiar with as we move to certify Citizen Space as a green office). Therefore, Ivan (who I mentioned and who also runs Sustainable Marketing and Sustainable Websites) has begun work on an API that will allow companies to purchase carbon offsets in bulk based on the actual amount of power consumed in something like a server farm environment (where power measurements are fairly easy to come by). Once initiated, the purchase will likely take place through one of Ivan’s affiliates based here in San Francisco called 3 Phases. In any case, we’re in the beginning phases of making this happen, but if you’re interested in helping or in offsetting your customers’ usage, leave a comment or drop me a note and we’ll see if we can’t push this work forward.

Likewise, if you can think of other ways to minimize the environmental footprint of your webservice or web office, blog about it and let others know! We’re doing what we can to create green coworking spaces and the more success stories we come across, the better.