mamamusings: May 18, 2004

elizabeth lane lawley's thoughts on technology, academia, family, and tangential topics

Tuesday, 18 May 2004

how i'm using movable type

Brava to Mena for starting a conversation by asking how people are currently using MovableType. Here’s my answer.

Here on mamamusings, I actually have one blog, with one author, which you’re looking at right now. This site would continue to qualify for a free license.

Misbehaving.net currently runs on TypePad, but we’d been considering a move off of it to a full MT installation because the spam problem has gotten out of control, and because the management of multiple authors there still leaves a lot to be desired—I’d like to be able to let other people in the group have the ability to manage the site without yielding control for all of my TypePad account, for example. We have ten authors on one blog, so that one would probably fall into the personal edition 10/10 category—except for the Google Ads, which bring in all of about $10/month. So right now, it would cost $120. If all the authors kicked in $12, that would probably work out about right. And at $10/head for new authors, we wouldn’t break anybody’s bank.

On lawley.net, there are two blogs, with two authors; one for my son Lane, and one for his best friend Jackson. My hope was to have a few more family members blogging there. Right now it would fall under personal edition, but I’m not sure it’s worth it to me to pay $70 for a tool that the kids use only occasionally.

On a domain that I set up for my kids’ elementary school, I had planned to set up blogs for any teacher who wanted one, so that they could use the blogs as tools for communicating with parents, students, each other, and teachers elsewhere. That plan is on hold pending more information about educational pricing. (And that one’s complicated because the blogs are strictly for teachers at a K-12 school, but I own the server and am not an employee of the school.) In that scenario, I expect we’d have a handful of teachers to begin, with a few more added each month as they saw what their colleagues were doing. I don’t want to have to continually monitor compliance with the license—“do we need another seat today?”—so I really hope there’ll be some kind of flat-rate unlimited use license for organizational contexts. If all the teachers (~30) decided to blog, we’d eventually be looking at ~$850 for the site (before discounts), which would probably be paid out of my pocket. I like my kids’ school, but I don’t have that kind of money to set something up for them.

And finally, on my RIT server, I’ve got eight weblogs. Five of them are from past classes, and they range from a one-author site (with just me as author) to a two-author site (me and a TA), to a 36-author site (with students having authoring privileges). One of them is the class I’m teaching this quarter. One is a research grant blog that has two authors (myself and Alex Halavais). And one is a blog for my current research project that has four authors (myself, my co-PI, and two student employees). I don’t even want to try to figure out what the cost would be under the current licensing, because it’s just too confusing.

Also, on all of those sites I regularly set up “test blogs” when I’m doing redesigns, so that I can test the new templates without messing up the production site. I’m going to assume (yes, I know what happens when you assume) that test blogs like that wouldn’t be included in any counts. But that I have to even think about that is vexing.

Posted at 11:35 AM | Permalink | Comments (2) | TrackBack (3)

serious os x security problem

Final Update: The most comprehensive overview of both the problem and the solutions can be found on Daring Fireball. I strongly suggest that you go there, rather than slogging through the comments below.

If you’re an OS X user, it’s extremely important for you to be aware of a security vulnerability that’s been identified by users but not acknowledged or corrected by Apple.

(Update: The problem appears to be specific to Panther—OS X 10.3—so if you’re running an earlier version of OS X you should be okay.)

(Update: Apparently the problem is not Panther-specific; most, if not all, OS X systems are vulnerable. See this comment on Jay Allen’s site for details.)

You can read about it on Jay Allen’s site (which is where I heard about it). Essentially, Mac browsers (including Safari, Mozilla, and Firefox) are all designed to launch the Help Viewer program when the help: protocol is invoked in a web link. Unfortunately, the Help Viewer program, in turn, is able to run scripts. What this means is that a malicious user can set up a page with an automatic redirect that runs a dangerous script. More details for the tech-minded can be found on this MacNN thread. And if you want a terrifying (but harmless) example of this, go to http://bronosky.com/pub/AppleScript.htm. It will launch Terminal and run a harmless du command—but it’s scary as hell to see that Terminal window launch and files start scrolling. (There’s also an advisory on the Secunia site, but it offers no helpful suggestions; just verifies the seriousness of the problem.)

If, like me, you just want to know how to fix this fast (since Apple has apparently known about this since February and hasn’t fixed it, it wouldn’t be wise to wait for their patch), here’s the approach to use.

  1. Download the freeware tool MoreInternet.
  2. From the disk image, run “install prefpane,” which will put the MoreInternet preference panel into your System Preferences panel.
  3. Open the MoreInternet panel, and select the help: protocol.
  4. Change the application it launches from the Help Viewer (which has the script-running vulnerability) to something benign. (I used TextEdit.) I used Chess, which, unlike TextEdit, gives me a clear visual cue that a page tried to invoke the help: protocol.
  5. Make sure it worked by going to the scary but harmless example.

Update: In my comments, Jay Allen points out that you should repeat steps 3 and 4 for the disk: protocol, as well.
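
An added example (not from the original post or from MoreInternet): a Python check of the result of steps 3 and 4 and the disk: update that reads URL-scheme bindings instead of loading a test page. It assumes the bindings are available as a Launch Services-style property list with `LSHandlers` entries; the bundle identifiers and the sample data are constructed assumptions, not values from the post.

```python
import plistlib

# Schemes the post says to rebind: help: (steps 3-4) and disk: (the update).
RISKY_SCHEMES = ("help", "disk")

# Assumed bundle identifiers of the stock handlers; the post does not name them.
DEFAULT_HANDLERS = {"com.apple.helpviewer", "com.apple.diskimagemounter"}


def audit_handlers(plist_bytes):
    """Return {scheme: (status, handler)} for each risky scheme.

    UNCHANGED: no override recorded, so the system default still applies.
    DEFAULT:   an override exists but points back at the stock handler.
    REBOUND:   the scheme is bound to some other application.
    """
    prefs = plistlib.loads(plist_bytes)
    bound = {}
    for entry in prefs.get("LSHandlers", []):
        scheme = entry.get("LSHandlerURLScheme")
        if scheme:
            # URL schemes are case-insensitive; this sketch keeps the last entry seen.
            bound[scheme.lower()] = entry.get("LSHandlerRoleAll", "")
    report = {}
    for scheme in RISKY_SCHEMES:
        handler = bound.get(scheme)
        if not handler:
            report[scheme] = ("UNCHANGED", None)
        elif handler.lower() in DEFAULT_HANDLERS:
            report[scheme] = ("DEFAULT", handler)
        else:
            report[scheme] = ("REBOUND", handler)
    return report


# Constructed sample: help: rebound to Chess, disk: never touched.
SAMPLE = plistlib.dumps({
    "LSHandlers": [
        {"LSHandlerURLScheme": "help", "LSHandlerRoleAll": "com.apple.Chess"},
        {"LSHandlerURLScheme": "http", "LSHandlerRoleAll": "com.apple.safari"},
    ]
})

if __name__ == "__main__":
    for scheme, (status, handler) in audit_handlers(SAMPLE).items():
        print(f"{scheme}: {status} {handler or '(system default)'}")
```

A scheme reported as UNCHANGED or DEFAULT is one where the steps above have not taken effect.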

Posted at 12:29 PM | Permalink | Comments (67) | TrackBack (33)

comments problem fixed

I tried installing MT Blacklist yesterday, but had some problems with it. Didn’t realize that it had resulted in breaking comments entirely…Ted Pearson let me know about the problem this afternoon, and I’ve fixed it. (Thanks, Ted!)

Posted at 3:18 PM | Permalink | Comments (2) | TrackBack (0)