K-Squared Ramblings

Photo: Old Balcony

06-16-07_1338.jpg, originally uploaded by Kelson.

This is a picture I took last summer of the balcony on our old apartment. I used it to test using Flickr’s email upload and blog-posting features to upload a picture straight from my phone.

Unfortunately, it needed cleanup. The title (and post slug) end up being the filename, which I suppose I can fix before sending, and the content seems to get posted twice. I suspect the phone is sending both formatted and plain-text versions of the message, and Flickr is reading them both.

Anyway, it’s not a bad picture, so I figured I’d leave it up instead of deleting the test post.

Announcing SpeedForce.org!

I’ve just launched SpeedForce.org, a companion blog to the website, Flash: Those Who Ride the Lightning.

Since I started adding news items to the front page of Ride the Lightning, it’s started to get a bit crowded. I thought about converting it to a del.icio.us feed, but then I realized it really ought to be a blog. There hasn’t been a major Flash-focused blog out there since Crimson Lightning shut down, so I figured I’d step in and fill the gap. And I could use the domain I picked up last year!

I’ll be posting Flash-related news there, including a weekly round-up of Flash comics, as well as articles that might not fit into the existing site structure, and (eventually) reviews as well. Some stuff that I would have posted here will end up on the new site. Certainly Flash news, but I may start shifting more comics-related commentary over there as well.

I’ll be refining the look and features over the next couple of weeks, and cross-linking it more into Ride the Lightning. I might keep the current theme with a few tweaks, or I might try to match Ride the Lightning, or I might build something else entirely.

So please, check it out and let me know what you think! I’m open to suggestions as to content, design, etc. And of course bug reports.

Watching Opera

My first post on Opera Watch is finally up: What Makes a Safe Browser?

It grew out of my rant on blocking IE6, which pulled in aspects of PayPal’s comments about blocking “unsafe” browsers. I had it mostly finished a month ago, but someone asked to review it before I posted it live, and he promptly got swamped by work on Opera Dragonfly. I finally got the go-ahead about 2 weeks ago, but I was caught up in packing, and then moving, and then unpacking.

Things are finally settling towards a semblance of normality, and with the recent change in how Opera treats EV certificates, I figured it was time to post the article before it became completely out of date.

Avatars!

Since Gravatar was bought by Automattic, the service has been a lot more stable. I had already re-enabled them on this blog before WordPress 2.5 came out with built-in Gravatar* support.

Not everyone has a Gravatar, though, so many comment threads just show the default icon, over and over. Not only does this look boring, but it misses out on the whole point of using an avatar: providing an easy at-a-glance visual distinction between each author.

When I first used Gravatars on this site, I set it up to use a giant first initial as a fallback. Now, I’ve been trying out two plugins that will automatically generate avatars for people who don’t have their own:

• Wavatars builds up cartoony faces using geometric shapes. Interestingly, it’s by Shamus Young, author of the screencap-based webcomic DM of the Rings and writer of Chainmail Bikini.
• WP_Identicon sounds like a Transformers faction, but produces a geometric pattern as inspired by Don Park’s Identicon, which built a similar image based on a visitor’s IP address. The same author also has one that generates cartoon monsters, which appears to be one of the earliest implementations of this concept.

These plugins will use a Gravatar if available, or else generate an image based on the commenter’s email address (if supplied). That means each comment by the same person should use the same image. Other blogs using the same plugins at default settings will come up with the same avatar for each commenter, as well. The images are stored in a cache, so each only has to be generated once.

Once I made sure both plugins worked, I showed the results to Katie. We ended up settling on Wavatars, since faces are easier to recognize than patterns. (Though the patterns are really cool!)

You can try out the automatic avatar by leaving a (relevant, please!) comment on any post. Or you can run over to Gravatar and set up an icon of your choice!

*What’s a Gravatar? The intent is to be a Globally Recognized Avatar. You upload an image to Gravatar and associate it with your email address. Then any site with Gravatar support will be able to display your image next to your posts. Right now it’s mostly used in blog comments, but it could easily be worked into forums, wikis, etc. The Gravatar Blog mentions other uses they’ve seen people apply it to, such as plugins for Thunderbird and the Mac OS X Address Book

Note: I did notice one important drawback to the WP_Identicon plugin: it’s very inefficient at generating the images. When I first visited posts with long comment threads, like Another One Bites the Dust (174 comments) and Songs Not to Play at a Wedding (87 comments), WP_Identicon took over a minute to generate all the icons and maxed out the server’s CPU. Sure, the images are cached, so it’s only really an issue when you first install the plugin (unless you get a lot more people commenting at once than we do here), but to compare, Wavatar on an empty cache finished the same posts in just 4 seconds and 2 seconds, respectively.

Joining Opera Watch

Daniel Goldman, who has been posting news about the Opera web browser at Opera Watch since 2004, has embarked on a new project that has kept him too busy for blogging full-time. So he’s launching the next phase of the blog as a group effort. And, I’m happy to say, he invited me to join as a contributor.

Thanks, Daniel, for the opportunity to be part of Opera Watch!

Now I need to think of something to write!

Link Laundering

With bloggers squashing obviously-spammy links* as fast as they can, comment spammers have evolved. (I think they’ve reached the level of slime mold now, rather than amoebas.) They’re trying to make their sites look like blogs. And I’m seeing two main techniques, one involving Trackbacks/Pingbacks, the other involving manual person-at-a-keyboard commenting.

Pingbacks and Trackbacks are two ways for one site to notify another that it’s linked to it, and provide an excerpt of the context. Essentially, they’re automated comments. You read a post on some other site, you write your own response, linking to the original post, and your blog software submits the equivalent of “Hi, I read your post, and it got me thinking. I ended up writing my own post over here…”

Where spam is concerned, the main difference is that with Trackbacks, the submitting site provides an exceprt, but with Pingbacks, all it submits is the URL. The receiving blog then retrieves the page and scans it for the link, building an excerpt from the context. The upshot of this is that Pingbacks automatically verify that yes, the site really did link to you, which meant that a lot of early comment spam was submitted using Trackbacks. The obvious response to that was to set up spam protection to verify links on incoming Trackbacks. And the obvious response by the spammers was to put up real links, at least long enough to let the victims verify them.

So now, a lot of trackback/pingback spam seems to come from sites running actual blogging software, but not really posting any content. Just “So-and so wrote an interesting post today” over and over, hundreds of times a day. Half the time they don’t bother to match the name to the actual link. This is the kind of spam that prompted my recent re-evaluation of spam plugins on this site.

Then there was the sneaky post I got on Thursday. It was a sort-of half-on-topic comment on a post about movies, and the author’s URL pointed to what appeared to be a blog about movies. OK, fair enough, but I was still a bit suspicious since it didn’t look like they’d actually read my post.

I skimmed the site looking for things like cobbled-together sentences, and an idea of how long it had been around. Then there was a random post about guitars, in a different writing style. I figured, okay, maybe they’re doing one of those paid-post things.

Then I moved the mouse cursor over one of the links.

It quickly became clear that every single outgoing link on the front page was pointing to ultimate - free - downloads - dot - com, whether it was a movie title, or an actor, or a song title.

At this point I’m not sure whether the site in question is simply an elaborately designed intermediary created to “launder” the links to spam sites, or whether it’s a legit blog that’s been hijacked by someone replacing their links. I looked around at some of the older posts and I do see links to Amazon and a couple of other sites.

*This is also why I’ve stopped using the Alternative Browser Alliance as my URL when commenting on browser-related blogs. Even though I’m making an on-topic comment, I don’t want people to take a look at the link, say, “Hey, this isn’t a person, this is some weird campaign thing!” and delete the comment…and worse, get a rep as a comment spammer. So these days I just link everything here.

K2R is 5 Years Old

I just realized that as of last week, this blog has been online for 5 years.

Crazy, huh?

This is the 1,398^th post. We’ve got 2,307 comments at the moment, including pingbacks. Typical traffic these days seems to run around 650-700 views on weekdays, 550-600 on weekends. Most of it seems to be people searching for images.

The top-viewed posts lately have been:

1. Songs Not to Play at a Wedding (Normally #2, but it got something like 3000 hits from StumbleUpon last week.)
2. Comic Con 2003
3. Philosophy of Time Travel
4. Creative Computer Names

Sneaky Spammer

Judging by a quartet of comments posted this evening, 3 of which slipped past Spam Karma, someone’s started outsourcing comment spam to India. (I’m serious, the IP addresses were assigned to Bharti Airtel and BSNL Internet, both ISPs based in New Delhi.)

They were posted quickly, as if they’d been composed in another editor and pasted into the form. More importantly, they were actually posted through the form, not just sending data directly to the handler. And most tellingly, the posters had gone to the effort to fill out the CAPTCHA that Spam Karma provides to allow human commenters to recover from a false positive.

The one I liked best, from a technical perspective, was posted on Tall Ships of San Diego. The spammer had followed my link to the San Diego Maritime Museum, then followed that to a page describing one of the ships, the Californian, and generated a post by stringing together sentences from that page. The whole thing linked to a student loan site.

At first glance, it looked like a garbled, on-topic comment from someone who maybe didn’t speak English as their first language. That happens, and if it’s a legit comment, I leave it. In fact, I considered leaving the comment but deleting the author URL, until I looked up the ship. (It wasn’t one of the ships we toured on our visit, and I didn’t recognize the name.) As I looked at the ship’s profile, I started recognizing text from the comment. At that point it became clear what was going on, and I started looking at the other comments posted over the last few hours.

LJ Apology

To all three of you reading this via LiveJournal syndication, sorry for filling up your friends list with repeats. I changed the footer on the feed, and didn’t realize that LiveJournal will repost articles as new if there’s any change.

I guess this means I’ll have to be careful about things like fixing typos on the latest 15 posts.

LJ Feed

Interesting. Apparently someone has set up a syndication feed for this blog on LiveJournal: ksquaredramblin. I’ve been thinking about setting one up more or less since I joined LJ, but I resisted since I worried people might start commenting in two different places. I guess it’s a moot point now!

Fixing Feed Problems with WordPress 2.0.6 and PHP 5.2

Upgraded to WordPress 2.0.6 and now feeds are broken. At least, they’re broken in Firefox, IE7, and KDE (Konqueror & Akregator). Something seems to be interrupting the transfer, causing them to get a blank file. Oddly, they work fine in Opera, the LWP “GET” command-line utility, and Dillo (not that Dillo can do anything but display the source, but it gets the whole file.) Even more oddly, SeaMonkey seems to have no problems. You’d think Firefox and SeaMonkey would have the same issues. Also, I seem to be able to sometimes get it to work on reload.

Anyway, I’m working on it. If you read this site via RSS or Atom, and it is working, let me know (and let me know which feed reader you’re using). I suppose it could be cookie-related, though I’ve already tried clearing cookies. I’ve also tried disabling just about every plugin I use that does something to feeds or headers, to no avail.

Update: I think I’ve got it. By using the Tamper Data extension, I was able to determine that the 304 Not Modified status was not being set properly. Instead of actually issuing the 304 status, it would issue a 200 OK, then send a Status: 304 header later in the response. It never showed any problems on command-line GET or HEAD because they weren’t conditional. That’s also why forcing reload would work.

I looked into wp-includes/functions.php and found the status_header function. Then I looked at the following line:

@header("Status: $header $text");

In theory this should work. Traditionally, setting a “Status” header will replace the actual HTTP status. But that’s not how the PHP manual says to do it. They suggest issuing the actual header that the server would send: HTTP/1.1 304 Not Modified. I noticed that the header function in PHP has some optional parameters, including one to force the HTTP status. That felt a little cleaner than hard-coding the protocol (since an older browser might make an HTTP/1.0 request, and it should get an HTTP/1.0 response), so I changed the line to this:

@header("Status: $header $text", TRUE, $header);

It seems to have fixed the problem.

For the record, this is PHP 5.2.0 on Apache 1.3.37 using the mod_php interface.

Update 2: Simpler fix just removes the if.. statement and else… section so that it’s just the following:

@header("HTTP/1.1 $header $text");

Bug reported as Ticket 3528.

Read the rest of this entry »

Joined ComicSpace

Figured what the heck. I’m now on ComicSpace.

Because I need yet another site to suck up all my time.

It’s being described as MySpace for comics people—creators, fans, reviewers, etc.—though the feature set is pretty sparse right now. I’ve resisted MySpace itself partly because of a somewhat adversarial relationship with the site*, partly because I can’t stand looking at most MySpace pages, and partly because my friends are all on LiveJournal, so there’s really no compelling reason for me to go there.

And yet I’ve got profiles at LiveJournal, Slashdot, Opera, WordPress, Spread Firefox… Even eBay is adding blogging capabilities. Maybe I should bite the bullet and sign up for a Blogger account too. At least then I’ll be able to comment on Crimson Lightning.

*The culture at MySpace seems to encourage hotlinking images without asking. I’m still a writer at heart, so I consider the commentary to be as important as the images or more… and it really annoys me when people en masse just embed the images on their own site. Though I suppose it’s not as bad as the occasional “geniuses” on other forums who will hotlink an 800×600 or bigger photograph as their avatar, even though it only displays at 80×80. Damn kids, get off my lawn!

Getting Sociable

I finally got around to setting up convenient links to a couple of social bookmarking sites. At first I resisted the idea, figuring regular users probably have bookmarklets or extensions that take care of it. But social networking sites have casual users, too, and posting a few small icons is a subtler form of self-promotion than putting up a giant banner that says, “Hey! Submit this #$!@ story to ____ now!”

I ended up using Sociable, a plugin for WordPress that already knows the right link formats for several dozen such sites.

Of course, since Sociable provides links for so many sites, the obvious question becomes: Which sites do I include? I don’t want to post all 25—that would just be a jumble of icons, hardly usable (never mind aesthetic!)

I settled on five to start with:

• del.icio.us is my online bookmark service of choice. I still manage a lot of bookmarks locally, but this lets me share a set between multiple browsers at home and work.
• Digg seems to be the leading service for actually sharing and discussing links these days.
• Fark wasn’t on my list at first, but then I realized that I make funny/weird posts here all the time. Some of them would fit right in.
• Reddit is new to me, but it popped up a couple of times when I went looking through sites that I read.
• Yahoo MyWeb I mainly added out of name recognition.

What social bookmarking sites (if any) do you use?

Offline in Crotheny

Sorry I haven’t posted much here lately. The main reason is that I’ve been re-reading Greg Keyes’ Kingdoms of Thorn and Bone series before picking up The Blood Knight. (I’ve also been spending time at the Comic Bloc Forums discussing the Flash relaunch.)

Re-reading The Briar King and The Charnel Prince both followed the same pattern: I read half of the book over the course of the week, then finished it on the weekend. I started the new book, The Blood Knight on Saturday morning and basically spent the weekend on the couch reading. About ¾ of the way in I realized acutely that, no matter how fast I read it, there would still be one book left when I finished.

It’s funny, when I first read The Briar King I didn’t like it much. I think mainly I was expecting something less steeped in medieval Europe (based on The Waterborn and The Blackgod). I picked up The Charnel Prince anyway, and liked it much better, and quite enjoyed The Briar King when I reread it.

One thing that’s unusual about this series is that there’s no Merlin figure. No Gandalf to show up in the first few chapters and explain what the Ring is, who wants it, and what has to be done with it. No Moiraine to explain who the Forsaken are, and what it means to be the Dragon Reborn. All the characters are pretty much figuring things out as they go. And they make mistakes—pretty nasty ones in some cases.

I’ve mentioned elsewhere that Greg Keyes and Neil Gaiman are the only authors whose work I will buy in hardcover, sight unseen. Looking at Keyes’ website, I realized that I actually own a copy of every book he’s published. There aren’t too many authors I can say that about.

Only 1½ years until The Born Queen…

Stupid Sysadmin Tricks: Blue vs. 6A

Remember how LiveJournal, TypePad, and related sites were down the other day? The official line was that “Six Apart has been the victim of a sophisticated distributed denial of service attack.”

It turns out that the DDOS wasn’t aimed at 6A, LJ, or any other part of their network. It was aimed at Blue Security, an anti-spam company, who decided to re-route their web traffic to their blog—a blog hosted on TypePad. So instead of their own site going down, it took out Six Apart’s entire network of millions of bloggers.

Classy move, guys.

I do admire Six Apart’s restraint in not pointing fingers themselves. If it had been my site (though in a way, I suppose it was, since I’ve got an LJ blog, even if I don’t update it very often), I would have been royally pissed off.

Sure, Blue Security didn’t launch the attack—but they did choose where to redirect it. Maybe they thought Six Apart would be able to handle it. Maybe they thought the attackers were targeting them by IP and not domain name. Maybe they were panicked and didn’t think. Maybe they thought things through, but 6A got bitten by the now-all-too-familiar law of unintended consequences. They could easily have pointed their domain name at empty IP space, or to localhost. Redirecting it to a third party was less like deflecting a punch and more like the “Do it to Julia!” moment in 1984, or the classic joke, “I don’t have to outrun the bear, I only have to outrun you.”

(via Spamroll)

Update: Additional articles at Computer Business Review and at Netcraft, and a Slashdot story.

Update 2: According to Blue Security, the DDoS was not targeting their website by name, and the DDoS didn’t attack their blog until after they had already redirected the website. So it looks like it was less a case of them redirecting the attack and more a case of the attackers chasing them.

*Sigh* Must remember to collect all facts before engaging in righteous anger.

Update 3 (May 9): Apparently “all the facts” as reported by Blue Security don’t add up… (via Happy Software Prole)