Michael Herf › Comments

Michael Herf
slightly cheaper expodisc? - Michael Herf
Tudor Bosman
FreeBSD / ZFS box is up!
Screen shot 2009-12-05 at 4.03.06 PM.png
Now installing Samba and MediaTomb. - Tudor Bosman
Yay! Now clean up the office. :) - Jeanette Bosman
I'm doing the same thing this weekend. - Scott Ludwig
Does it have a time-slider equivalent? The integration into nautilus is a nice touch in opensolaris. - Eric Borisch
s/MediaTomb/Firefly/ as I wanted something that iTunes recognizes. - Tudor Bosman
8.94T: 5 * 2TB drives (- 40GB reserved for the root fs), raidz1. - Tudor Bosman
@Tudor What is Firefly? Got a link? - EricaJoy
http://www.fireflymediaserver.org/ although the site seems down at the moment. Search for "Firefly media server" (formerly known as mt-daapd) - Tudor Bosman
sweeet - Logan Lindquist
Also, I love the FreeBSD ports collection (which Gentoo tried to imitate). cd /usr/ports/devel/git; make install will fetch git, build it, and install it, and automatically deal with any dependencies as they arrive. - Tudor Bosman
Another option is pkg_add -r git which will install a binary package compiled with default options, and resolve dependencies. - Scott Ludwig from iPhone
Okay, nested dependencies work just fine until you find a package that depends on TeX. Why does my little storage box need latex and amstex and mkfontdir and dvips and...? - Tudor Bosman
Because you need PDFs of the documentation, of course! - Eric Borisch
In many languages, apparently. /usr/ports/print/latex-cjk/scripts/installt1enc.sh arb5sung arb5sung.ttf Bg5 Generating Type 1 subfonts arb5sung from arb5sung.ttf [Bg5 planes: 1-55]: - Tudor Bosman
This is apparently all caused by updating the freebsd-doc-en package, which regenerates all forms of documentation from scratch. - Tudor Bosman
One of my disks appears bad, hopefully it's the cable. ad8: FAILURE - READ_DMA48 timed out LBA=766744255 - Tudor Bosman
Yep, RMAing now. - Tudor Bosman
Two more disks are showing read errors, including the boot disk. This is not good at all. Maybe WD actually qualifies RAID-level drives, and rebrands the crappy ones (with bad sectors which auto-remap) as consumer-level. With auto-remapping turned off, errors start creeping in within days. - Tudor Bosman
I'll investigate this more, of course, by mounting the bad disks into a different machine and looking at SMART output, but so far it smells of a bad batch of drives. - Tudor Bosman
How hot are they getting? (It's in the SMART data) ... We had a fan go out on a drive tower (and the 'dead fan' alarm didn't sound -- wonderful) and we smoked at least three drives before figuring out what was going on. - Eric Borisch
Eric: While trying to stress the disks with a few dd commands running in parallel, I can't get them to heat up above 26 degrees Celsius. I'd say that cooling inside my box works well. The two newly failed disks have 5 UNCorrectable sectors each -- and that's just because the SMART buffer only remembers the last 5 errors. - Tudor Bosman
Maybe I just got a bad batch, but at this point I would recommend against using WD20EADS drives for anything. - Tudor Bosman
yeah, the EADS aren't so good. The ABYS series have been super reliable in comparison, but I don't think they go up to that many TB. - Private Sanjeev
incidentally the drives are physically different (the mechanicals are more vibration-resistant on enterprise drives), so WD doesn't just rebrand flaky drives. - Private Sanjeev
Any opinions on the new, 4-platter WD RE4 RAID edition drives? They're 2TB, expensive as hell, but there may be deals to be had. Alternatively, the Seagate Barracuda XT 2TB. - Tudor Bosman
I have a bunch of EADS drives (4x1TB, 4x1.5TB) and I haven't seen any problems. Might just be a bad batch. - Joe Beda ()
Currently leading the pack: Hitachi 7K2000. - Tudor Bosman
I only have experience with ABYS and EADS in production :(. - Private Sanjeev
I have 24 A7K1000s that have been going great for over a year. (Knocks on wood) - Eric Borisch
Okay, I ordered 5 7K2000s. Let's see how this goes. - Tudor Bosman
The box is back up with the 5 Hitachi 7K2000 drives. I copied all the data over again, and "zpool scrub" now completes without errors. I'll update this post after 2 or 3 days of burn-in. - Tudor Bosman
Hint: Read the man page. The "--batch" option to portupgrade is supremely useful. portupgrade -vaP --batch: upgrade all installed FreeBSD packages, prefer to use precompiled packages if available (-P), don't ask questions (use default configuration options). - Tudor Bosman
A few scrubs later, still zero errors, and normal smartctl output. I now deem the box ready for production use (that is, the main storage device in the Bosman household). - Tudor Bosman
Does anybody sell a BSD/ZFS raid box that is all ready to go? - Peng-Toh
For small boxes, you could consider a self-contained box like a MSI Wind PC ($139). - Scott Ludwig from iPhone
I mean something that comes with all software (BSD/ZFS) installed, an UI and no "hacking" required. Something for a non-techie. - Peng-Toh
my EADS results: 2/6 failed so far (free RMA replacement). no data loss though. - Michael Herf
Tudor: FWIW, random activity is much more stressful (and power consuming = heat producing) than the contiguous reads/writes you get from dd. Try bonnie++ or iozone if you'd like to really hit the system. Glad to hear you're up and running - ZFS is fantastic stuff. - Eric Borisch
Michael: Yes, I had 3 out of 5 EADS drives fail within a week. I returned all 5 and got Hitachi 7K2000. - Tudor Bosman
Peng-Toh: There's FreeNAS, http://freenas.org/, but I'd wait until they upgrade to FreeBSD 8, probably in a couple of months (the FreeBSD folks didn't consider ZFS to be production quality until FreeBSD 8.0). - Tudor Bosman
Michael Herf
40 Watt - Incandescent Bulb - "1910" Edison Style - FerroWatt 1910N Light Bulb - http://www.1000bulbs.com/Antique...
The long-filament lights you see at restaurants and other venues are called "squirrel cage" because they have a long, bent filament. Introduced around 1910, these replicas produce 8.5 lumens/watt, which is high, because most produce 3. - Michael Herf
Gary Burd
Are there any good alternatives to evite? Specifically, is there a service that includes the event information in the email?
I've only used it as a guest myself, but one of my friends uses http://socializr.com , which includes time, date, and location in the email. - Ben Darnell
pingg.com is much better. - Michael Herf
I apologize in advance, but you've got to click on this link now. http://tinyurl.com/nttj8z - Kevin Fox
I've used Anyvite and found it to be pretty good. I particularly liked that it included the event info in the email. - Ana
I like invitastic.com - Peyman
evitealternatives.com - Matthew Harris
Thank you for the suggestions. I find it amusing that there's a website dedicated to answering this question (thanks for the link Matthew). - Gary Burd
Aww, I posted the link first, in a roundabout way.. - Kevin Fox
Facebook is still my favorite event management tool - that app above (written by Facebook) makes it even better because I can see the event, add it to my calendar, etc. I also use another app that generates ical files of the events I've RSVP'd to and I add the ical file for that to my Google Reader as an additional calendar. - Jesse Stay
anyvite.com - James Polley
Michael Herf
true dimming CCFL.... - Michael Herf
Michael Herf
Please stay away from OpenSolaris 128a. My machine isn't booting after trying to migrate to a de-dup'd pool.
I'm sorry to hear that. I'm glad that I avoided it. I don't need deduping that bad! - Joe Beda ()
Booting again, but stuck at "Reading ZFS Config: *" - hope this resolves itself. - Michael Herf
Yuck! - Scott Ludwig from iPhone
I'm doing exactly this (zpool import after clearing the zfs cache): http://www.mail-archive.com/zfs-dis... - wish me luck in a few days. :) - Michael Herf
All ok now: the zpool import completed after a bunch of hours staring at the screen. Everything's back to normal. Advice: don't "zfs destroy" and reboot right after. - Michael Herf
Joe Beda ()
Crashplan hosted backup for $3.50/mo - http://www4.crashplan.com/consume...
Nice! Not sure how they make the math work, but they are now competitive with the other consumer backup services there. I'll probably try this out soon. - Joe Beda () from Bookmarklet
I have a central file server that holds all my data. Most backup services assume you're backing up from a local disk. Do you know if they allow backing up from NAS device? - Brian
Not sure -- I'm going to do the same thing. Worse comes to worse you upgrade to their $5/mo family account to back up everything in your house. Still a good deal. - Joe Beda ()
The limitation I've hit in the past is that the backup client runs on a host and won't backup network mapped drives. - Brian
I'm so close to pulling the trigger on crashplan. I just wish they had a lightweight linux client that I could build for ReadyNAS. - Sean O'Connor
@Sean -- Are you happy w/ ReadyNAS? - Brian
Yes. - Sean O'Connor
This is why I've stayed away from packaged NAS solutions. You can't run custom stuff on them easily. And they don't seem to be a cost savings over building a box from the ground up. - Joe Beda ()
The savings is one of time. You can build a much better box for significantly less money, and I don't know that I'd shell out for the high-end ReadyNAS products. For a boring NAS with a zero-administration RAID controller, the low-end readyNAS is a good turnkey solution. Time I want to spend administering a file server at home: 0 hours / year. - Sean O'Connor
The crashplan client still uses too much CPU and RAM for me. They claim it's scheduled "idle" but my laptop still burns hot when it's going. - Michael Herf
Michael - we run cool as winter on laptops - if it's us burning your laptop up - something else is wrong - that's not normal behavior. We do use CPU .. but you can configure how much in settings (i.e. 10% / 10%) - Matthew Dornquast
You can control how much ram we use too, this is easy on linux. For instance, you can run it with a restricted footprint of something like 20MB of ram on linux, headless. Works awesome. - Matthew Dornquast
@Matthew -- Since you say "we can..." I assume you're speaking on behalf of CrashPlan. Does CrashPlan support backing up a NAS device? - Brian
Yes - we support backing up any NAS - steps required depend on OS. In terms of running "on" the NAS itself - that requires some work on your part. It has and can be done. We don't show you how. Lots of folks have asked to support readyNAS by running on it - we're not currently focused there. We do run on windows home server - if you are using that on top of your storage. - Matthew Dornquast
I've noticed that the "client" portion isn't that bad. However, the "daemon" portion does seem to be pretty memory intensive. On OpenSolaris, I've had it run out of heap (and get into a crash/restart loop that ate CPU). I fixed it by finding the startup script and gave it more memory. - Joe Beda ()
Matthew, any plans for a FreeBSD port? Now that ZFS is stable on FreeBSD 8, it is an attractive base system to use for data storage, and using crashplan to back up that data would be nice. - Scott Ludwig
Personally? I love BSD. Sadly, no plans at this time. I must say BSD 8 looks really really good. Huge kudos to them. We'll get there - lots of C code would have to be done to wire into realtime stuff on BSD. In theory, you could probably get our PRO Server going out of the box without our help on it. And PRO Client (Crashplan) would probably work in a non-realtime manner as well. So if once/day is ok - give it a try if you're so inclined. No official support available as yet however. - Matthew Dornquast
A CrashPlan module (or whatever they call them) for the ReadyNAS would rock. I'd shell out $$ for it. - Steve Lacey
I think it would probably require a third party to implement it. I think the crashplan guys write heavy java clients? That's a non-starter on the low-spec readynas models in widespread use. - Sean O'Connor
Michael Herf
Sandbox – plaintxt.org - http://www.plaintxt.org/themes...
clean wordpress theme (not kubrick!) - Michael Herf
Jason Shellen
Nice! Seriously, that was in the roadmap in 2005. RT @googlereader: We're listening: favicons for your subscriptions, http://googlereader.blogspot.com/2009...
Shellen? Must you always go back to the "hey I thought of that 4-5 years ago"? :) Just publish the 2005 roadmap and we can take a look. - Louis Gray
Louis ! I'm glad you said it and not me :P - Jenna Bilotta
Good point. I wonder what the statute of limitations are on that. (I'm also not really a cocky bastard, nor the sole author of that roadmap). - Jason Shellen
All of the above is true. I rib Jason because I care. :) - Louis Gray
Do we at least have the option to turn it off?? - Roberto Bonini
I dug up the "PM To-Do list - Stuff for Jason to do!" wiki page. One of the items is "pick a name", which has the brilliant suggestions "Google XMLSuckandBlow" and "Google BagItandTagIt" - Mihai Parparita
Shellen++ - Kevin Fox
@roberto it's off by default. - Jenna Bilotta
oooh mihai! send me the link! - Jenna Bilotta
nevermind! found it. - Jenna Bilotta
LOLZ that list is hilarious! - Jenna Bilotta
Wait! What's on my list? - Kevin Fox
I'm pretty sure Fusion was pretty high on this list. :) - Jason Shellen
Mihai, you are legally required to post that via FriendFeed or to a Google Spreadsheet/Doc. (waits) - Louis Gray
Other excellent options: "FeedBagz.com (available!)", "rss.shellen.com" and "Google XMLSpot" (vs. Blogspot). - Mihai Parparita
I'm well into ten years for "we tried that once". Four years is an eyeblink. :) - Michael Herf from iPhone
Kevin Fox
Experiencing my second Drobo data failure. Any advice for storing 1TB of data with high reliability and low access needs? S3 would cost $150/mo.
Set up your own RAID? Mozy's good, too. - Jesse Stay
I'd hoped that Drobo would be more reliable than my own raid... - Kevin Fox
Can you swap out new hard drives in a Drobo? - Jesse Stay
I like Mozy, but I don't know how much I can trust a small company offering 'unlimited storage' for a low price. I feel it's more likely that in 10 years my 1TB drive in a vault will still be readable than Mozy will still be in business. - Kevin Fox
small? They're owned by EMC I thought. - Jesse Stay
Just buy a couple 1TB USB HD's and keep one as the working disk and the second as a mirror backup. If you are really paranoid, buy a third drive and do a periodic backup or sync to it and keep it off site. Use any number of automated backup or sync software packages set to run on a daily basis. - Jeff P. Henderson
Jeff, that's my inclination, most likely. Mirror or raid locally, off-site backups. Archives are my biggest concern. Terabytes of photos that don't need to be available, but can't be forgotten in a closet where hard disks go to fade away or obsolesce themselves (Firewire? What's that?). - Kevin Fox
Jesse, okay, so perhaps they're not small, but I doubt their 'unlimited' will support a terabyte or two, when their business tier charges $0.50 a gig per month (unclear whether that's per gig of added storage or per gig of total storage. S3 charges $0.15 per gig of total.) - Kevin Fox
You can swap out new drives in a Drobo. If one goes bad you can hot-swap it with a new one and pretty lights tell you when the new one is synced up. The problem is that I've never had it tell me that a drive's gone bad. It's always more fundamental problem like an inability to mount the combined volume or Disk First Aid (which Drobo recommends using) tells me the 'drive' is so messed up... more... - Kevin Fox
I have one of these: http://www.wdc.com/en... - Benjamin Golub
Whoops hit enter too fast. I have the 2TB one (advertising is false, 2TB = 1TB, 4TB = 2TB since you obviously want to use RAID 1 and the default is to use RAID 1). It has worked very well for me and I am more comfortable with it than a Drobo. Drobo uses some proprietary format, but this is just RAID and ext3 I believe. You can replace the drives very easily (no tools required) and it... more... - Benjamin Golub
A ZFS box? - Ken Sheppardson
Open Solaris + ZFS. Use ZFS snapshots to protect against accidental deletions. Use ZFS mirror to handle single disk failure. Run the zpool scrub command regularly to check for and repair bit rot. Use offsite backups to protect against a fire or other catastrophic event in your house. - Gary Burd
Not trying to dissuade you from the local solution (I think it's probably the best one) but just wanted to mention that the "unlimited" model is based on the assumption that only a few users really take advantage of it. I think it's safe to say they've done their modeling homework and arrived at an equation that provides a bottom line they feel comfortable with. This blog post from... more... - Jason Wehmhoener
Anyone have an OpenSolaris + ZFS tutorial aimed at the non-sysadmin? I love the idea of doing this for home backup, but I'm not a Solaris admin by day and wonder if it would be too much learning curve compared to a couple mirrored USB drives... The WD dual drive Benjamin linked to is super easy... - Jason Wehmhoener
I've been using backblaze, its mac client software is simple and solid. The problem with rotating local TB backup drives is of course non-automation + lazy developer = not up-to-date backups. - Micah Wittman from iPhone
For remote storage of pictures there is picasaweb. Prices are $256/year per terabyte (I think). - Scott Ludwig from iPhone
Kevin from your description it sounds like you had a drive integrity failure that your drobo didn't notice until you went to use it. - Scott Ludwig from iPhone
Scott, the sad thing is that the Drobo *still* hasn't noticed. MacOS is the one telling me about these problems while the Drobo Dashboard thinks everything's peachy. I'd be tickled pink if Drobo threw up a red light and said 'this one drive is bad' because then it would be working as it should and I could just swap the drive with a new one and maintain data integrity, but as it is I'm probably screwed. - Kevin Fox
Even with something like RAID, ZFS, or a Drobo, isn't it possible for data to become corrupted without there being a problem with a drive? I.e. can't an app or the OS still just muck up a file? - Ken Sheppardson
ZFS snapshotting and scrubbing goes a long way. I run a home opensolaris server. I love ZFS. Opensolaris is meh. I want to play with freebsd but don't have the time. - Joe Beda () from iPhone
How much time + money does it take to setup an opensolaris server with zfs and get everything working automatically? - Benjamin Golub from email
I did a box with 4 1.5T WD green drives and ECC RAM for ~1k. Set up time is a day or two. A few of us around here have done it and can help out. - Joe Beda () from iPhone
What filesystem are you using on the drobo? HFS+? I wonder if different filesystems have different levels of reliability: mine has been on ext3 for some time with zero dataloss. Knock on wood, of course. - Matt Mastracci
This looks interesting... "EON ZFS is a RAM based live/install image which runs from CD/DVD, USB or CF" -- http://sites.google.com/site... - Ken Sheppardson
You might consider one of the G-Drives/Raids: http://www.g-technology.com/product.... I have one and have been happy with it. No failures over 4 years. They have configurations for as much storage as you probably ever need, with various raid and connection options. - Cristo
This one is probably the best for your needs, as it allows for offsite backup: http://www.g-technology.com/product.... "G-SAFE features high-speed 3Gbit eSATA, FireWire 800 and USB 2.0 interfaces for universal connectivity to Mac's and PC's and two removable hard drives coupled with a sophisticated hardware RAID 1 (mirroring) engine designed to ensure 24x7 data protection. A... more... - Cristo
I'd start to be wary of standard RAID with today's drive capacities. The chances of a second drive failure while resyncing after a first are much higher now than they were with 500GB drives. Of course, if you keep a good backup of the storage it won't be an issue. Ref 1: http://hardware.slashdot.org/hardwar... Ref 2: http://labs.google.com/papers... - Matt Mastracci
raid mirroring is all I do... i also then use an online back up service (backblaze) to back up the data from the mirrored drives. Photos also get backed up to smugmug (but no raw photo storage) - Matt Ellsworth
i've been using a raid-5 Buffalo Terrastation for 4 or 5 years now with no problems... *knocks on wood* it's got 4 500gb drives in it and it's almost full - Chris Heath
Benjamin, Michael Herf wrote about his ZFS setup here: http://www.nerdblog.com/2009... I run OpenSolaris on an MSI Wind PC w/ two 1TB drives. The configuration cost $350 from NewEgg. It took me a couple of hours to figure out how to configure ZFS, setup snapshots and run scrub. - Gary Burd
Search my posts for zfs for a link on how to configure a mirrored root partition. It is a little complicated. My soln was more $ because of more ram, ecc, more CPU and 4 drives. I picked the motherboard mike herf lists on his blog. - Joe Beda () from iPhone
You can make a Linux RAID scrub weekly too - just schedule it ("echo check > /sys/block/md0/md/sync_action"). Also, the Intel SS4200E is $200 and apparently has EMC software: http://www.tomshardware.com/reviews.... Personally, I'm happy with ZFS, it's not too hard to learn the admin stuff. - Michael Herf
Also, Time Machine seems half-allergic to NAS. You can make it work but it fails randomly later. I guess you could try iSCSI and format HFS+? To fix this, you can also look for one of the RAID-1 enclosures that do attached eSATA and just plug a couple drives in. Not foolproof, but at least it supports Time Machine reasonably well (think one of my friends has the "Raidon" brand.) - Michael Herf
Michael, thanks for the ZFS writeup, really helpful. I like the idea of a really low cost, low power setup based on Atom. - Jason Wehmhoener
Be aware that the wind atom pcs aren't super low power. The chipset eats as much or more than the processor. I think toms hardware had a writeup on that. - Joe Beda () from iPhone
Adding one more thing to this mega-thread - you can do free remote backup between two of your machines, by putting the 2nd machine at a friend's house, then using CrashPlan: http://www.crashplan.com. Crashplan runs on OpenSolaris, for those of us using ZFS. The two machines connect using peer-to-peer networking. - Scott Ludwig
LACIE NAS drives are what we use - no failures in 3 years! AWS for critical offsite storage - Susan Beebe from iPhone
I think windows home server works with apple computers as well. - CJPhoto
Follow-up, for those interested: http://friendfeed.com/kfury... - Kevin Fox
Wouldn't JungleDisk "work" for that? Although I can see transferring 1TB of data over any Internet connection being painful and slow, not to mention a surefire way to exceed any bandwidth quota within any time period... - Tyson Key
Interesting, I almost went with Drobo for a new setup... instead, I decided to keep my ReadyNAS. Depending on what you find, I may be glad I waited as the ReadyNAS (crosses fingers) is solid. - Jason Silverstein
Having suffered partial loss with the WD raid units to a smoked controller, I'm likely to go w/ a zfs server, possibly async mirroring to an encrypted userfs mounting storage on a provider like dreamhost. - Scott Small from iPhone
Has anyone tried the OpenSolaris-based EON ZFS Storage? I played with it when it first came out on a vmware guest instance for a short while but never really got into it. The homepage is http://sites.google.com/site... and can browse their blog at http://eonstorage.blogspot.com. - imabonehead
EON looks pretty cool! - Jason Wehmhoener
Kevin, to be clear, are you saying the Drobo system itself is unreliable? That's worrying - LANjackal
John Resig
The new IE 9 features are looking great: http://blogs.msdn.com/ie... Videos over here: http://channel9.msdn.com/
I note that one as the first time I seriously heard of IE9. - Claudio Cicali ♋
At #pdc09 Microsoft demoed the SunSpider and Acid benchmarks for IE 9. Looks like Microsoft has finally awakened. Will it be too late? - Shakeel Mahate
Shakeel, it depends on how long they'll remain in "beta". They *have* to line up dev. cycle time with the other vendors one. - Claudio Cicali ♋
Finally, non-stupid type rendering in Windows? - Michael Herf
Actually I don't care what they do until there's a keyboard-accessible way to (a) copy the current URL, and (b) search. Firefox and Chrome have Ctrl-L and Ctrl-K. But Ctrl-L is stupid in IE. - Michael Herf
Michael Herf
I think Google finally knocked this one dead: 25cent/gb/year cloud storage! https://www.google.com/account...
I'm glad. I was embarrassed by $20/6GB under the old scheme. - Piaw Na
Time to check my isp's terms of service for uploads. - Scott Ludwig from iPhone
@Scott: Picasa's bandwidth scheduler ("Conserve Bandwidth") is actually pretty decent. Uploaded for 6months straight using it. :) - Michael Herf
Thanks for the tip. - Scott Ludwig from iPhone
Michael Herf
ZFS gets inline dedupe • The Register - http://www.theregister.co.uk/2009...
Michael Herf
Exclusive VIO™ High–Power White LED Knocks Down General Illumination Barriers : LED Lighting : Lighting : Press Releases : GE Consumer & Industrial Press Room - http://www.geconsumerproducts.com/pressro...
reasonably good White LEDs - Michael Herf
Michael Herf
Integrated Color Corp.: ColorEyes Digital Gelcard Kit - http://www.integrated-color.com/mm5...
colored white balance card - software gels! - Michael Herf
joshua schachter
sparse dynamic arrays - joshua schachter
i read about this a couple weeks ago. complicated. i guess caches are complicated too. - Michael Herf
Dan Wallach
Inside the Password-Stealing Business - http://www.avertlabs.com/researc...
guess i'm glad chrome has its own HTTP stack. security through low market share :) - Michael Herf
joshua schachter
@skud http://stllug.sluug.org/meeting... (google "fvwm screenshot" + opened the toolbar and said before 1999-2000)
Man i miss those days. Back in college I made a physics engine for dragging and colliding windows. It even had a UI to change the physics constants. :) - Michael Herf
Michael Herf
cpratt: Dear Lazyweb: iPhone 3G: AMR-WB? - http://cpratt.livejournal.com/714320...
Codecs appear to be the reason the original iPhone sucks as much as it does for voice quality. Note also, Apple has disabled the diagnostic screen that shows you which codec the phone is using? ("Field test" during a call no longer has "Call Information"...) - Michael Herf from Bookmarklet
Steve "Daddy do it!" Lacy
Font Rendering comparison: Google Flip vs. Ubuntu 8.04 Firefox
google_flip.png
linux_firefox.png
Enlarge to compare, and guess which is which. :) - Steve "Daddy do it!" Lacy
I prefer #2 - Dennis Gentry
Yeah, look at the lowercase "e" in the 1st one. - Steve "Daddy do it!" Lacy
So which is which? - Stephen Mack
I'm guessing the first one is Flip. I prefer the second one, especially for its rendering of guillemets. - Kevin Fox
It took me so long to even see the http://en.wikipedia.org/wiki... after you mentioned it. That's what your eye caught first? Wow. - Stephen Mack
Ok, so which is which? Normally, I would assume that the uglier of the two is Linux, because it always seems to work out that way :) - Joel Webber
Guillemets are a Google thing. After you're there for a while you notice them a lot more. :-) - Kevin Fox
Hinting on the body text looks terrible compared to Mac/Windows, though. Long live truetype patents. - Michael Herf
Prakash
Switching tabs in Safari 4 with shortcuts, just like in Firefox - Howto - Nothing new here - http://pugio.net/2009...
AWESOME!! - Prakash
you mean you don't use cmd-shift-[ and cmd-shift-]? haha. - Michael Herf
peter
i have a 802.11 router in my house; is there a simple way to extend its range so the signal covers a wider area?
If it's an Apple router, you can chain them. So you could just get another one or two. - Cristo
It's a Linksys. - peter
That's exactly what I did. Replaced our Linksys 802.11n with an AirPort Extreme Base Station with AirPort Express upstairs to extend the range. - Akiva Moskovitz
AirPort Express can extend an existing network and is fairly cheap I think - Bret Taylor from iPhone
$99, I do believe. I'm glad I replaced our Linksys with an Extreme, though. I'll take Apple's AirPort Utility over Linksys' rubbish HTML interface. - Akiva Moskovitz
The Express also makes a great travel accessory. Not only does it give you hotel room wifi for multiple people, but it also charges usb devices. - Cristo
I have to buy more Apple stuff to solve this problem? I was hoping to build my own repeater using foil, a TV antenna and some coils. - peter
Linksys and others make repeaters. - MVB (Curmudgeon of FF) from iPod
You can get antennas that extend the range in all directions or directionally. - Jack (a.k.a. Jeber)
You might want an Airport Express anyway. We got one, not to extend the range of our wireless (we use a Linksys router), but to be able to play music from our laptops/ipods/iphones through our speakers. It works really well, certainly makes doing dishes more entertaining. - Benjamin Golub
Of course, if you want a really kickass music system, you need Sonos instead, and then install the speakers directly in the ceiling. (I'm hoping to have Peter convinced he needs a new house by the end of this thread ;) - Cristo
You might check to see if your router can run DD-WRT (http://www.dd-wrt.com) I think on some boxes you can crank the signal power up past the out of box settings. - Ken Sheppardson
You need antenna (yagi, etc.) -- your laptop has to be able to SEND from far away as well as receive. Higher power hacks only affect the signal sent out from your router. You can use a pair of high-power routers to make a bridge, but for an access point, you need a better antenna, so the AP can "hear" your laptop more clearly. - Michael Herf
I had been using the extender for a while but I've since switched to setting up multiple independent wifi networks all with the same SSID (but different channels) and it seems to work better. - Amit Patel
Robert Scoble
I don’t feel safe with Wordpress, hackers broke in and took things - http://scobleizer.com/2009...
Well, if you have fixed the hole by upgrading; you should feel a lot safer now. I guess strong user adoption does bring the wrong kind of attention. - Anindya Chatterjee
Anindya: we're watching. Looks like they haven't gotten back in since the upgrade and some of the other changes we made. Knock on wood. - Robert Scoble
I'm very tempted to switch to a SixApart install. As a Perl programmer I'd be much more familiar with the backend. - Jesse Stay
Robert, btw, I'm sure between all your users you can find a backup. I have a bunch via Google Reader I could get to Rackspace to import for you. I'm sure others have even older entries than I have. Let us know if you want help restoring the old scobleizer.com! - Jesse Stay
robert - i can tell you this - you need to watch it like a hawk - when i thought i was safe - i wasn't - InsideTransit continues to get hit - and I still believe there is some patches and stuff that RS can do as well - the bigger issue is what's on the server - because that's where they put the shells and then they can do whatever they want. - Allen Stern
Not cool, hopefully things will work out. - Kim Landwehr
Jesse: luckily it was July and August, when I wasn't doing much blogging. No biggie. Thanks. Allen: yes, Rackspace Cloud has a security team now and they are actively looking at ways to make Wordpress safer for our customers. It really sucks getting hacked. Let me know if you find any other ways to protect the systems. - Robert Scoble
Robert: Yea getting hacked sucks. My early days with my blog aboutonlinematters.com I got hacked and luckily my ISP had a backup. Since then I have treated my Wordpress blog like any dev site - with a subversion repository and complete backup. But there are days... like today... when I think strongly about a platform like typepad. - Arthur Coleman
what i have found is locking down the files helps - but you need to ftp into your site and make sure that nothing has been edited or added - in my case, on all my sites, the hackers put files all over that were base64 files - and what they do is include them into WP or they just run them direct - nearly a full shell. i've asked RS to create a way so that i can be notified of any changes to files - they say it's too heavy to run. - Allen Stern
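The file-change notification asked for in the comment above can be approximated with a hash baseline taken while the site is known to be clean. This is an added example, not part of the original thread or of any plugin named in it; the function names, the heuristic patterns and the constructed site tree are assumptions of the example.

```python
import hashlib
import os
import re
import tempfile

# Heuristics for obfuscated PHP (assumed patterns for this example, not a
# complete signature set): decode-then-execute calls and long base64 runs.
DECODE_EXEC = re.compile(
    rb"(?:eval|assert|create_function)\s*\(\s*"
    rb"(?:base64_decode|gzinflate|str_rot13)\s*\(",
    re.IGNORECASE,
)
LONG_BASE64 = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
PHP_EXTENSIONS = (".php", ".phtml", ".inc")


def snapshot(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if os.path.islink(path):
                continue  # do not follow links out of the web root
            with open(path, "rb") as handle:
                digest = hashlib.sha256(handle.read()).hexdigest()
            digests[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return digests


def compare(baseline, current):
    """Return the files added, removed and modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def suspicious_php(root, paths):
    """Of the given relative paths, list PHP files that match a heuristic."""
    hits = []
    for rel in paths:
        if not rel.lower().endswith(PHP_EXTENSIONS):
            continue
        with open(os.path.join(root, rel), "rb") as handle:
            data = handle.read()
        if DECODE_EXEC.search(data) or LONG_BASE64.search(data):
            hits.append(rel)
    return sorted(hits)


def php_in_uploads(paths, prefix="wp-content/uploads/"):
    """The uploads directory should hold media only; list PHP files in it."""
    return sorted(
        p for p in paths
        if p.startswith(prefix) and p.lower().endswith(PHP_EXTENSIONS)
    )


def demo():
    """Run the checks against a constructed site tree (all content invented)."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as handle:
                handle.write(text)

        write("index.php", "<?php require 'wp-blog-header.php';\n")
        write("wp-content/themes/demo/footer.php", "<?php wp_footer(); ?>\n")
        write("wp-content/uploads/photo.txt", "placeholder for an image\n")
        baseline = snapshot(root)  # taken while the tree is known to be clean

        # Constructed changes standing in for what the comment describes:
        # an edited theme file, an included encoded file, a script in uploads.
        write("wp-content/themes/demo/footer.php",
              "<?php wp_footer(); include 'cache.php'; ?>\n")
        write("wp-content/themes/demo/cache.php",
              "<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n")
        write("wp-content/uploads/thumb.php", "<?php echo 1; ?>\n")
        os.remove(os.path.join(root, "wp-content/uploads/photo.txt"))

        changes = compare(baseline, snapshot(root))
        touched = changes["added"] + changes["modified"]
        return changes, suspicious_php(root, touched), php_in_uploads(touched)


if __name__ == "__main__":
    changes, encoded, uploads = demo()
    print(changes)
    print("encoded PHP:", encoded)
    print("PHP in uploads:", uploads)
```

Store the baseline off the server, for the same reason backups are kept off it: a manifest an intruder can rewrite proves nothing.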
Robert, I just miss the traffic from your "You are SO Unfollowed!" article. (one of the casualties) ;-) - Jesse Stay
There's a lot of great info they deleted - I'm a little ticked they would be completely insensitive like that to prove a security flaw. It affected much more than just you. - Jesse Stay
Jesse: yeah, that's probably the one blog that I miss. It's also the one that got me to notice they deleted a couple of months. - Robert Scoble
Jesse: that still is cached over on Google at http://74.125.155.132/search... - Robert Scoble
No way "You are SO unfollowed" is out? I loved that one! :-( thanks for the cache Robert - Sofia @ SoMaFusion
If you have no time to take care of your blog, maybe it's better if you choose the pro offer from wordpress.com (I think scobleizer.com can have the minimum requirement to stay there). - wolly
here is the VIP hosting http://en.wordpress.com/vip-hos... - wolly
wolly: it's not just about time, attacks come from all directions so you've gotta have a holistic approach to security. How many of you regularly change passwords and make sure they are really good ones? (Twitter got broken into not because of hacks, but because they didn't practice good password security). - Robert Scoble
It saddens me: it is morally reprehensible your hosting company convinced you to switch with the seduction of plugins and customization without emphasizing or handling the increased responsibility of upgrades. Your blog was not unique and not a special target, the worms sweep across millions of blogs indiscriminately and hit whatever is vulnerable. If your host is lax in upgrading, the... - Matt Mullenweg
that's true :-) I use a very strange and very, very long password that I cannot remember and I use a service like clipperz.com to log in. - wolly
wolly, Robert was hosted on WordPress.com for about 4 years -- he was actually the very first VIP. Although there were dozens of security updates to WordPress in that time, his blog never had a problem because it was always up-to-date. He only switched away a few months ago. - Matt Mullenweg
Ciao Matt :-) I didn't know that, so scoble come back to the light side :) - wolly
Matt: yup, that's true. I've learned my lesson. Running your own servers is a lot harder than just having them hosted on Wordpress.com. - Robert Scoble
To be frank, it completely breaks whatever trust I had in Rackspace. - Matt Mullenweg
But Matt, I've been talking with many blog owners, including at TechCrunch, and they say that Wordpress' updates break their custom plugins. That's why they don't upgrade immediately. So, sounds like Wordpress has a mess on its hands that the hosted version of Wordpress didn't have (I couldn't run a lot of plugins and video embeds and other fun things on the hosted version of Wordpress). So, to blame it on my hoster/employer (Rackspace) exclusively isn't really a good attitude either. - Robert Scoble
Robert, It happens. We were hacked too. My observations lead me to believe that this summer was the worst in a long time. It's a war and it's going to be a war until the attitude towards hackers changes. Let's stop being fascinated in the least bit by how they do it (this goes towards Kevin Mitnick and his supporters - I don't ever want to pay good money to read about your scams on the... - Melanie Reed
Matt's got a point that with greater power (self-hosting) comes greater responsibility (more need to keep an eye on security), but I think to say that Scoble's blog was not a special target is a bit disingenuous. High-profile sites are always a higher-value target. - Rachel Luxemburg
Matt: I think you need to really look at all the damage that's being done to a wide range of sites, many of which are NOT hosted at Rackspace, before throwing more barbs. That's bull. Sorry. But I added a link to this conversation to my blog so people could see your point of view. - Robert Scoble
If a plugin is preventing you from upgrading (did it?) then let's figure out how to fix that plugin. All I can do in WordPress is build in the notices (your blog was asking you to upgrade for months) and the one-click updates for both core and plugins. I agree it's not your (Robert Scoble's) fault because I don't think you made the conscious decision to take on the increased responsibility. - Matt Mullenweg
Matt: the reputation around the Net is that upgrades on Wordpress break things. This wasn't a Rackspace recommendation. It's also a problem with all upgrades. I've gotten hosed by upgrades elsewhere. Look at all the people upgrading to Snow Leopard who are having things break. - Robert Scoble
Matt: TechCrunch hasn't upgraded its blog either and it wasn't hosted on Rackspace (at least not until a couple of days ago). - Robert Scoble
I'm not saying there isn't lots of misinformation around the net, I'm saying "how can I help your blog, please." If it's a plugin preventing you from upgrading, let me know the plugin and we'll fix it even if we didn't write it. That's the beauty of open source. - Matt Mullenweg
Robert -- Avoiding upgrades because they're annoying to deal with isn't a viable longterm strategy. - Rachel Luxemburg
they need to take care of Scoble's blog, well for he is a VIP and the smashing they would have would do a lot of damage to your customer base and otherwise, would they reply to an ordinary guy say like me? i think not,well wordpress/automattic is having their tough moments, hope things get well and they get their repute back - testbeta
Matt - you blaming Rackspace for security vulnerabilities in YOUR software platform is kinda like blaming Dell when a Windows box gets hacked. I think you are being irrational. - Rob La Gesse
Matt: in my case it was the REPUTATION of Wordpress's upgrades that was keeping me from upgrading. I was waiting to see what other people reported broke. I didn't realize the severity of the security problems. But, I am now upgrading automatically. So I'm fixed. But you still have a reputation problem. Lots of people are reporting things break when they upgrade. - Robert Scoble
Rob, I'm not blaming them. I'm saying it's the responsibility of any host, of any software, to stay up to date. If there was a SSH vulnerability on Robert's box I would say the same thing. Software updates are inevitable, there is no such thing as bug-free code, so staying up to date is a must. - Matt Mullenweg
Isn't all this open source code? If it's broken, why not fix it? Doesn't everyone have the responsibility to do that? It's not any one source's fault in that case. - Jesse Stay
Matt - I agree with you. So make Wordpress upgrades SAFE, automatic AND do some internal validation of plugin code to let users know they may be running something that is potentially insecure. - Rob La Gesse
Matt, agreed. Not when its turned out as fast as people are yelling for it. People can't have it both ways. - Melanie Reed
Matt: all Rackspace was providing to me was a Linux host. I was responsible for getting my upgrades done on anything I ran on that system. But now we have a team making sure we're following best practices. That is NOT Rackspace's problem, though. That's like blaming Microsoft for a bug in Adobe software. - Robert Scoble
I never listen to the reputation, I always upgrade as soon as a security upgrade is out, and if a plugin doesn't work either I deactivate it or I fix it. Security is much more important than a plugin and Matt knows how many plugins my blog has (when he looked at my backend he was very sad and he said that it was the first time for him to see so many plugins in a blog :-) ) To have a self hosted blog is difficult and time expensive. - wolly
There are several very useful plugins specifically addressing security issues; and monitoring WP for suspicious activities (both on file and database level). Here are some articles with tips to harden your blog http://bit.ly/sZgh6 (delicious bookmarks). I only install plugins from authors from whom I know that they implement top level php; no breaking of upgrades on my 3 WP blogs has taken place (2.7-2.8-2.8.4) - Jeroen De Miranda
Yeah, plugin issues are the responsibility of the plugin developer, not Wordpress's. I don't see how this is Wordpress's or Rackspace's fault. - Jesse Stay
By the way, Matt, Sheamus, over on my comments on my blog, says he has the latest upgrades in place and he's still being broken into. You might help him figure out how the hackers are breaking in still. - Robert Scoble
Sorry, I was under the impression Rackspace had recommended you move away from WordPress.com and taken responsibility for the system. I was worried about your blog -- I emailed you about this in August but never heard back. It breaks my heart when someone's WordPress gets compromised. - Matt Mullenweg
I understand the feeling though - if people are still being broken into after being told a fix was made, especially if you're not a developer, that can be a little scary. I'd look to other solutions in that case if it were me, and it's no one's fault. It's just perception and fear, very valid fear. - Jesse Stay
I do believe there is a false sense of security that WORDPRESS fosters by hosting plugins. I think many assume that because they download the plugin VIA Wordpress, and FROM Wordpress, it is somehow vetted. - Rob La Gesse
Matt: no. I wanted to move to my own install of Wordpress so that I could run many more plugins and start doing stuff other professional bloggers were doing. I am learning very quickly just how much work goes on behind the scenes to make sure my words were protected. - Robert Scoble
Once you've been hacked once if you don't clean up every trace (preferably a systems person does this) it's very likely something is left that allows the spammers to easily break back in, regardless of what version you're on. That's why the trouble with upgrading is worth it, it's much, much less than the trouble of fixing a hacked blog. - Matt Mullenweg
Jesse: yeah, at Microsoft when a box got broken into they wouldn't let you use it anymore. They forced you to reinstall it with all patches loaded. They assumed that it was compromised and that someone stuck a back door in somewhere. That's a lot of work too. - Robert Scoble
install either wp-backup or wp-dbmanager and configure database backup: every day; download to your local pc (or to a system other than your hosting provider); run a check once a month to see whether you can reconstruct the blog in case of calamity. That is my procedure; works fine. - Jeroen De Miranda
if a commoner gets hacked, then he should move to wordpress.com services or what? - testbeta
they should just make it not have any security holes! - Mark
Robert, if you like I'd be happy to host your blog for you (and I'm on Rackspace servers). I can keep it secure as well. I'd only ask some mention of SocialToo somewhere (or payment of some form in order to cover the cost of bandwidth). - Jesse Stay
I would also be able to keep it backed up for you. - Jesse Stay
So the take away messages are: 1) hosting services like Rackspace support the hardware and OS layer and you are on your own for everything else, 2) maintaining your own website is difficult work, even for experienced IT professionals, 3) social media experts may not really know how to use the social media tools they are recommending, and 4) while hosted applications like Wordpress.com provide less flexibility, they take less effort and can be more reliable for the average small business. - Steve Wilhelm
I'll also install any plugins you're interested in trying - Jesse Stay
Jesse: in my case, I now have a team of the top security guys at Rackspace working on it and making sure my system is up to date and backed up. They also are learning a lot about this and other people who have had problems and are building a list of best practices. - Robert Scoble
This is eventually why I didn't go with Mosso. The service looks good, but you still have to manage your app yourself which opens you up to problems like you've experienced. It would be cool if they offered another layer of management on top so apps could be completely hands free. - Todd Hoff
the alternative (i.e. strong vetting of all plugins) would turn the whole WordPress ecosphere into something such as Ning.... only some 300 addons (as far as I know); little flexibility very intransparent how to get your addin accepted .... Not an attractive model for me.... - Jeroen De Miranda
Robert, excellent - just wanted to make sure the offer was out there. Maybe that could be a tiered service for Rackspace, although I'm not sure it's something Rackspace wants to get into. Bluehost barely makes any money off of that type of service. - Jesse Stay
Steve: I think that's a reasonable set of assumptions. The grass is always greener on the other side of the fence. When I was on Wordpress.com I was always jealous of blogs that were able to run the latest plugins and use the latest embed codes from various sites. - Robert Scoble
Robert, it's even more fun when you can customize the plugins and themes as a developer. :-) - Jesse Stay
@testbeta wordpress.com is a very good choice if you don't have time or you don't know how to manage security on your self hosted blog - wolly
wolly: that takes out the open source fun part ;) well i have nothing much to do on my blogs so i keep mine updated ;) - testbeta
I agree with you :-) but many people love blogging without updating their blogs :-) - wolly
when my sites were hacked - a wordpress employee reached out to me- i dont remember her name but we sent a few emails - i could write for days about what happened to my 5 sites - my take is simple - i think the issues are a combo of rackspace (my host) and wordpress (my software) - i can tell you this - in 3+ yrs on drupal, i was NEVER hacked. and Matt is right - the real issue is that... - Allen Stern
Allen - what version of WP are you running today? - Rob La Gesse
2.8.4 on all of them - Allen Stern
Allen - good :) - Rob La Gesse
If there's a shell script on the same server as you, even if it's not your account, everything on that server is at risk regardless of the software or its version. - Matt Mullenweg
Matt - that is NOT true - Rob La Gesse
I would switch to a new server if I were infected at this point. - Jesse Stay
Properly configured, user space can be isolated and these scripts cannot cross-pollinate. - Rob La Gesse
It can be -- but publish a shell login on your server and we'll see. ;) The right answer is to scrub that sort of access. - Matt Mullenweg
Matt - that comment on the "shell script" is silly. What are you actually trying to say? - Robert J Taylor
Some sort of backdoor that allows a remote user to execute code -- it's super common. - Matt Mullenweg
rob/matt - that was one of the biggest issues with my RS account - i had all the sites together in one "client" so when they hacked one - they were able to move around with their shell script into all my other sites - now each site is in a sep. "client" so the damage can only hurt me on one site - and believe me it does hurt :( i believe insidetransit and centernetworks are hit in google - Allen Stern
@Scobleizer I'm sticking with @wordpress it doesn't worry me that much, plus I always update and have backups of db and site emailed to me - Justin Yost
Allen - that was within one user space though. So what I stated above still stands true. - Rob La Gesse
Allen and Robert are big enough that if they had a problem they could contact us and we'd help them, though as far as I know neither did, but I worry a lot more about smaller folks who get hit in the same way. The knowledge for how to properly clean up after a hack is more systems than software and not widespread. - Matt Mullenweg
As Allen mentioned above, he did have a conversation with Wordpress. - Rob La Gesse
matt - thanks for putting me in the same category as robert! *blush* - i did reach out to you - and your security guy was helping me big time - it seemed to turn out that the WP Contact Form 7 was the thing that caused it to start - i didn't document it all online because the security guy wanted time to get the plugin developer to fix the upload hole. - btw his name was mark jaquith and he was great - Allen Stern
So why not some scheme where Wordpress vets a plugin and "blesses it" - perhaps a small charge for this service? As long as Wordpress is advertising plugins on the dashboard I think there is ample reason to hold Wordpress to some level of accountability for those plugins - Rob La Gesse
rob - that's what i told mark - they should offer that service for a tiny fee - stamp a "certified" stamp on it. - Allen Stern
Just updated all my sites, doesn't look like I was hit. - sean percival
sean - no one would hit you - they know you would lala all over them - Allen Stern
sean - happy for you! - Rob La Gesse
I've read almost all of the comments here, not hearing these mentioned once: Robert did not backup, kept the default 'admin' username and failed to update. These are three of the most basic security measures out there. Not blaming it on Robert, because we all fail on this sometimes, but these basics really are important! - Abounding Media
http://twitter.com/markjaq... warning of Mark in April - kept me away from WP contact form 7 - Jeroen De Miranda
Abounding: yup. And the lesson here is don't host your own version of Wordpress unless you have a security team making sure you're doing it right and backing up (something I never did on Wordpress.com, by the way). Oh, and Twitter taught us that even if you do all of that you've gotta make sure you pick great passwords and think through ways that social hacks could be done to get into your accounts. - Robert Scoble
I've written a much longer post on this: http://wordpress.org/develop... - Matt Mullenweg
http://markjaquith.wordpress.com/2008... some great tips of Mark Jaquith on writing secure plugins - I use these and other tips when scanning the PHP code of new plugins that I intend to use (before deploying them) - Jeroen De Miranda
Jeroen, thanks for posting that. I've had phishers getting into one of my WP installs recently, but couldn't tell which plugin it was. I deactivated two plugins, including CF7, the other day, and haven't had any more problems. And a shoutout to Ryan Boren on the WP dev team for helping me to de-infect. - John Craft
Robert: Welcome to the world of web development for impatient users and disgruntled hackers - Melanie Reed
http://wordpress.org/develop... great post of Matt Mullenweg about WordPress security! - Jeroen De Miranda
john - the CF7 is what killed me a few months ago - it's because the form allows uploads even if you don't actually have them on - i believe they patched it but i have not gone back there. - Allen Stern
anybody know if a little smiley face appearing in the lower right hand corner of one's footer is a sign of a compromise on a self hosted wp blog? - Richard Reeve
John, you are welcome! SQL injection attacks specifically exploit data entry fields used by the plugin; one should at least scan the PHP code of these plugins, and look at what kind of escape functions are used around handling of the data entry. - Jeroen De Miranda
"it's because the form allows uploads even if you don't actually have them on" - wow. That's bad. - John Craft
Richard, it is the wp-stats smiley :-) - wolly
"anybody know if a little smiley face appearing in the lower right hand corner of one's footer is a sign of a compromise on a self hosted wp blog?" - if you didn't put it there, it probably is. In your admin go to appearance, theme editor, and read the footer.php file. - John Craft
Richard - are you using the WordPress.com Stats plugin? - Andre Natta
some plugins worth considering to install are: wp-exploit-scanner, wordpress file monitor, WP security scan, anti virus - Jeroen De Miranda
I don't understand why people are worried about a plugin breaking when it comes to upgrading WordPress. If a plugin does break, disable it for the time being. I'd rather have a secure installation of WordPress running and would worry about fixing the plugin afterwards. - Jason Hansen
Hmmmm . . . I run WP Stats, but see no smiley face. - John Craft
ah...thanks folks...stats it is. phew...so I'm not paranoid... - Richard Reeve
There appear to be some a-holes who can break into wordpress blogs very easily. I'm not sure at this point that the new Wordpress Thesis blog that I'm interested in getting is safe either. There are some security issues with Wordpress and their incompetence to fix the problem is growing every year. They keep coming out with new versions to replace the old versions yet they still have a problem. This is serious guys. - Jeunelle Foster
The problem with WordPress is that it forces you to upgrade. Imagine if Microsoft forced everybody to upgrade to Vista/Windows 7 in order to get their security holes plugged. WordPress should release security patches for the current and at least for the previous version. - Nikolay Kolev
They don't force you to upgrade. If you don't want to patch, you can leave it at the current version (but with a risk) - Kashif Khan
Where's the patch for the 2.7 version then? - Nikolay Kolev
Their versioning strategy bumps up numbers even for patches . And how many versions behind should they support ? - Kashif Khan
Many of the WordPress security issues are not coming from the WordPress itself, but from the poorly written WordPress plugins. I think it would be nice if Automattic starts an "Automattic Certified" program giving blog owners the peace of mind they need. Every hacker can upload a plugin at WordPress.org, advertise it as something great, bloggers install it, see that it's nothing as advertised, uninstall it, but the WordPress instances are already hacked. - Nikolay Kolev
Plugins are open source and free and nobody (well, with some exceptions) would pay to get their free plugin certified. The only way to do this is by having a community review process, based on some credibility score and voter authority system where 1,000 fake hacker accounts won't, for example, outweigh Matt's or Mark's votes. - Nikolay Kolev
part of the problem is the cry wolf syndrome - if i updated every day wordpress had a security problem i'd want to be salaried on the payroll :D Wordpress needs some sort of alert notification - twitter or something that indicates if there's an update AND the severity and if its severe enough sends it to my phone. - mal
let me play the other side of the coin - i've been using vbulletin for my forums for probably more than 5 years - and it's never once been hacked - why is this - is it because it's paid? is it just more secure? would love to get some input on why wordpress seems to be the attacker's gold. - Allen Stern
@allenstern because it pays back better to have wp hacked - A.T.
Another devil - I have clients using Expression Engine for years (with plugins) and haven't had a problem either. Checking security sites, EE has had very few vs the many with WP and some with Drupal. Matt's suggestion that one hosts with him to avoid problems and keep updated just isn't in the cards for business sites. Just too many vulnerabilities with WP over the years for me to recommend it. - PXLated
i can tell you that within 2 days of moving from drupal to wp, my sites were hacked - all of them - and it made me seriously question the move - the reasons i moved were because wp is a bit easier to edit/code than drupal and because the admin panel in wordpress is awesome compared to the crap panel in drupal - i wrote up a whole post about why i moved - i'd like to see matt write a post about their qa and security procedures for their releases - Allen Stern
Allen, once Drupal 7 gets released, you may actually go back. :) - Nikolay Kolev
Robert - If I were you I'd move away from Wordpress and fast. Its security record is dire and has been for ages. Other solutions are a lot more stable, whereas Wordpress seems to have security bugs every second week. Why anyone puts up with it is really beyond me. I moved to MovableType and haven't had to worry about caching issues or security problems - Michele Neylon
#somethingpersonal WP calls you "technical evangelist", Robert. When you say «Yes, I didn’t have a backup. I should learn to do backups» I call you a mediawhore. Nothing TECH-NI-CAL, just bulled ego. Learn Security, Performance, Reliability, you ignorant piece. - Капитан Сильвер Буллет
Robert - "the reputation around the Net is that upgrades on Wordpress break things" I'm sorry but that's just not true, I use many many plugins across about 20 sites and I've only ever ONCE had a plugin break during a WP upgrade. - John O'Nolan
Definitely check if Google Reader has your lost posts - as of a few months ago, it didn't handle deletes very well :) - Michael Herf
This recent wave of WordPress incidents shows the negative side of using open source software. Matt says that there are many people looking into WordPress' source code, but the problem is that probably half of those people have malicious reasons for doing so. - Nikolay Kolev
@Matt - why not have a module that adds *automatic* upgrades? The one-click update feature is very nice, but zero clicks is better. With a decent snapshot/rollback system you could update most people securely right away--email them and let them rollback if something breaks. - Michael Herf
@robert: we might be able to help you recover the lost blog posts if you want. Google Reader has an archive of them and we helped another blogger in the past recover her losses. Let me know if we can help. - Edwin Khodabakchian
@matt when do you start to care about poor people unlike robert... who can't afford *VIP* i am willing to pay $25+ per month of course with my adsense ads :} - Imran Jafri
@robert by the way you made one of the worst choices to move away from wordpress.com i think it wasn't price issue rather you wanted to be brand *ambassador* for rackspace which was only possible if you host your blog on their damn servers... if i get enough visitors i would switch to wordpress.com vip without taking 2nd breath........ - Imran Jafri
I run just a few plugins, and research and vet them first. And upgrade to new WP versions within a week. Look, attacks happen, running self-hosted can get complicated. But this is true with any software or OS - Bob Morris (polizeros) from iPhone
Nikolay, it's always better to have more people looking at the code, because a bug that's been found is better than a bug that hasn't. WordPress used to get almost no security problems and people thought it was because it was coded differently, when in fact it was coded far worse than it is today it just didn't have enough users to make it worthwhile to target. Also where many... - Matt Mullenweg
Nikolay: I would also push back against your assumption that using Open Source software equals less security. Microsoft Windows and OS X are both closed source and both have security holes - there is a competition each year to help MS and Apple find them and fix them. Both Apple and Microsoft came away with security holes to fix this year. So just because it's open source doesn't... - Tim
that's what you get for the fun of installing and hosting your own installation, instead of using "the cloud". - Ihar Mahaniok
Robert - I recommend WP S3 Backups for backing up your database to off-site storage. Amazon S3 is a great place to host backups of your Wordpress database and is relatively inexpensive. You *always* want backups *off* the server so in case the server is compromised, the backups are still clean. This plugin works like a charm, is automatic and could have saved you. Cheers! - Scott Jarkoff
anybody know of a test that can be done to see if a wp blog has been compromised? Has a few strange user subscriptions about a week ago...but not noticing any thing else...I did upgrade weeks ago, but soon enough? - Richard Reeve
bug exploits keep security IT folks in their day job, sad but true. - Jim Posner
In IT it keeps me busy but the reality is if you update your software on a regular basis you can minimize these from affecting you. - Rob Cairns
Robert, any chance archive.org has some of your old blog posts? Google Cache? - drew olanoff
Matt, another thing to note is that Wordpress.com is often blocked in China (even if you have your own custom URL like scobleizer.com). There are advantages to NOT being hosted by Wordpress.com although your point about increased responsibility for keeping up with security patches is still valid. - Elliott Ng
Drew: yeah, but what do I do? Just republish them? - Robert Scoble from iPhone
Sure why not. Scoble's best of. Reason why I hate stuff on the net sometimes is good stuff gets lost. - drew olanoff
Give a try to the "WordPress Database Backup" plugin for WordPress and you'll receive regular backups on your email - Francois Lamotte
Robert, You can get all of your lost blog post html out of Google Reader. I'm not exactly sure how to link Disqus back, maybe it's as simple as re-adding the old posts with the same title/date i.e. Url (I don't use it). Yet another reason to use FULL RSS feeds (instead of summary). See RSS isn't dead.. it's now a backup tool too! (http://ff.im/7JrlC) - Chris Myles
Wordpress is a great blogging tool. It is however the largest target now - much like how Windows gets a crap-top more virii because it's the most used system. Someone used Drupal as an example of security... well I'm sure if Drupal was anywhere near the scale of usage Wordpress is you'd see hacks for that too. - Gregory Wild-Smith
Robert: Just repost them with the dates set to the original dates they were posted. Simple, and no-one will ever know ;) - Gregory Wild-Smith
I have always had a bad feeling about Wordpress. YMMV. - Gordon Joly from twhirl
Robert It could be a Rackspace problem and Not a Wordpress Problem. They might need to increase their security on the Rackspace!!! You should check into that!! - Paul
One of the reasons I waited 2 years to switch from MovableType to WordPress was due to the security issues. I felt that the track record improved over the past year and moved 11 sites over. I can say this I employ a very extensive back up scheme but still worry about it. The ability to upgrade with a single click of a button has made it much easier to upgrade, but I always worry which plugins are going to break as I use a lot of plugins. - Todd Cochrane
It's interesting to me to see the number of people who are "afraid" to implement a security update because it might break a plugin. I wonder if these are the same people who don't run system updates on Mac or Windows because it might break SIMBL or some other haxie. Your core = your core... without it you're smoked. Case in point: Scoble. If your plugins aren't working after an update, let the author know and request an update, but BY ALL MEANS don't ignore security upgrades. - Kevin Donahue
hmm... I think that a lot of this conversation is missing something. Most software security updates are usually tested in hosts and thus delayed in their own releases by at the minimum of a week's time usually. This is due to hosting internal testing of patches before rolling it out to all servers. Now, whether or not RS actually performs these types of procedures, I don't know... but I... - Ben Hwang
First: I keep my blog up to date. Always. Fuck plugins, I decided that when I made the decision to use WP for my blog that updates would be a priority, only because of all the security issues that I remember from the early early days. Having said that, I have to agree with Robert that the perception with WordPress, despite all the work with auto-updates and in-blog notification is STILL... - Christina Warren from iPod
I am spending the day finally making a back-up of my web space, then the upgrade. - Sebastian Keil
you are right to not feel safe: when you are on the dominant platform, holes get taken advantage of really fast. At least it being open source you know it will also get plugged fast - Joelle Nebbe (iphigenie)
"what do I do? Just republish them?" - Robert, you can set the published date to the original July or August date in the "new post" form. Where it says "publish immediately," click "edit". - John Craft
I couldn't disagree more that the reputation is that an upgrade will break a plugin. How many plugins reach into the Wordpress core and screw around with it? Less than 5%? Any examples of plugins that broke w/ 2.8.4? - beersage
Somebody hacked into my WordPress blog earlier this year as well. It was a bummer because I was working on a draft copy of a blog post that was very rough and had not been edited and they published it. I was on vacation shooting in Chicago and didn't figure it out until several hours after they'd already published it. Fortunately they didn't seem to do anything malicious other than... more... - Thomas Hawk
@Robert: "[Rackspace] are learning a lot about this and other people who have had problems and are building a list of best practices." Is it possible this list is something RS might share? - John House
@Matt Mullenweg: I do like WordPress (even though we had a public argument with you and another Automattic employee on TechCrunch a while ago) and I am a passionate supporter of open source software - don't get me wrong. But sometimes open source code makes it a bit easier for hackers! For example, one hacker hears about an exploit and without communicating with others, finds the hole independently by just looking into the source code and starts exploiting it on his own. - Nikolay Kolev
Gregory Wild-Smith Bingo! - Melanie Reed
Social Media Club blogs got hit as well as several of our personal blogs (still sorting it all out). We try to keep up on most upgrades, but every time we do, simple plugins (like the Event calendar) break. Seems silly, but we have hours of work after each upgrade to try and keep everything intact, and sometimes, we end up downgrading until the 'essential' plugins catch up, which... more... - Kristie Wells
I have 2 wordpress blogs. One on my own domain and one at wordpress central. Still can't get my head around their upgrade gymnastics - may just stick with eBlogger after all. - Houseofmax
i don't know what will happen in times to come but from the existing platforms, i love wordpress and i am not going anywhere, but that doesn't matter for wordpress right? ;) - testbeta
Robert, at the end of it is just only your bloody laziness in upgrading that led you here :) Jokes aside, please at least be honest and say you didn't upgrade twice... :p. - Matteo Flora
Nope. I upgraded to 2.8.4 as soon as it was out but the hackers had already broken in. - Robert Scoble from iPhone
The fact that WordPress is currently being exploited doesn't mean that other platforms are immune. For example, the recently discovered XSS issue with Ruby on Rails makes not only blogs, but every unpatched site a target. So, the only issue I'm having is forcing us to upgrade to a new major version without much time to do proper testing (I'm not talking about personal blogs here). I... more... - Nikolay Kolev
So Techdirt was hacked a bit ago. See their reaction: http://www.techdirt.com/article... it is the reality of owning a web site guys - ANY software is hackable if someone really wants in. - Adam Singer
@Robert: as I see it Wordpress is as vulnerable as any other web app. Upgrading does good, but preemptive security does more and better. I know Matt and he knows I'm in awe with him and Automattic but simply spoken I DON'T TRUST WORDPRESS as I don't trust any other software. A little WebApp Security Firewall (or at least a little .htaccess rules for admin and preemptive locking of... more... - Matteo Flora
i find it interesting, and depressing that people are blaming Rackspace, they're blaming Wordpress, they're blaming Robert, but no one, *no one* seems to be willing to blame the only, ONLY people who deserve blame: the evolutionary failures that attacked Robert's blog. - John C. Welch
Thanks to your post, I found backdoor Admin in my own blog (created yesterday apparently). Promptly deleted it, upgraded blog and took other measures, which I blogged about - Adi Rabinovich
@Matt Mullenweg: "so staying up to date is a must. - Matt Mullenweg" You gave the birth to one of the coolest pieces of free software on the net, also your community is strong and love-full, you can do some PRs listening to Scoble that is crying, but you couldn't do anything better than you did. Take it easy man, all your competitors still suck. (PS. also a cleaning utility to understand better if everything is ok on our hosts would be cool ;-) - righini riprova
Matt: What does a user need to provide, in order to be considered for a VIP wordpress.com account? - Jim Connolly
caveat operator - Mike Chelen
Take technology out of the picture. Something bad happened by some bad person. Happens every day... it's called crime. If a bad person got into my house because I had a weak lock or left my door unlocked, what do people usually say? "That bad person shouldn't have done that!"? Well, sure, but bad people do bad things... nothing we can do to stop them other than make it harder or... more... - Chris Hearn
I would simply like to reiterate the point that if you're going to put free open source software on a rented web server, you need to either know how to administer it or hire someone to do it for you. Neither Rackspace nor Wordpress are to blame here. We discuss this with our clients all the time who view web development as a one off expense, then get upset when their site is hacked because it wasn't maintained. - JP Maxwell
One more point, I think there are way too many false lines drawn over areas of responsibility - "I'm systems, not a PHP programmer. I'm a PHP programmer, not a Javascript person. I'm a designer, not a programmer or a systems person." If you are a WEB developer or responsible for maintaining hosted WEB applications, you need to know a bit about it all. It simply isn't sufficient to demarcate your knowledge sphere and point your finger at the other guy. - JP Maxwell
Michael Herf
Federal Housing Finance Agency - House Price Index - http://www.fhfa.gov/Default...
where the ofheo went - Michael Herf
Andy Baio
Ars Technica on how ICANN killed domain tasting - http://arstechnica.com/web...
from 17 million withdrawn domains in June 2008 to only 58k last month [via] - Andy Baio
Good. We need less spam. - Michael Herf from iPhone
Michael Herf
Next Bubble to Burst Is Banks’ Big Loan Values: Jonathan Weil - Bloomberg.com - http://www.bloomberg.com/apps...
One of many: "in an easy-to-read chart, the company divulged that the loans on its books as of June 30 were worth $22.8 billion less than what its balance sheet said. The Birmingham, Alabama-based bank’s shareholder equity, by comparison, was just $18.7 billion. So, if it weren’t for the inflated loan values, Regions’ equity would be less than zero. Meanwhile, the government continues to classify Regions as “well capitalized.” - Michael Herf from Bookmarklet
Lorna Herf
Mac Picasa permanently deletes file off network disk. After I hit Cancel. No. Don't Do That. Mac Picasa now permanently deleted off disk.
zfs to the rescue. Ugh. - Michael Herf
Bindu Reddy
Google revenue must have increased by a few 100 million now that they moved the ads closer to the search results. Ah what fun... Just move elements around on a page and sit back and watch the money roll in. Next step - merge search results and ads :)
I actually like this better from a UI perspective. On big monitors, you really couldn't even see the ads. Seems logical to have them within the view of the search results. (I am one of the people who actually finds the ads useful for commercial queries since they tend to be spam-free and generally high quality) - Bret Taylor
True the ads almost disappeared on big monitors. I actually would be OK if the ads were merged in with search results (as long as they are marked clearly and they are good quality.). I am just marveling at how easily Google can increase revenue/profits. - Bindu Reddy
Easily? - Adewale Oshineye
Adewale, well relatively easily.. i.e. they don't have to come up with the next billion dollar product to make another billion dollars. You can tweak ads forever - improve quality, change background-color, promote more ads to the top, change parameters of the auction model, blah blah and make the next billion dollars... Yes it takes forever to push these changes but in the larger scheme of things it's not too bad. - Bindu Reddy
It would be easy to just increase revenue. What is hard is to make ads appropriately visible when you want to see them without being in your face when you don't want to see them. People are smart -- users ignore banner ads because they've proven useless over time -- so if you just make ads more visible, without regard to their utility, it's doubly self-defeating. Very tricky business. Congrats to team who does hard analysis to get it right. - Daniel Dulitz
Oh yes definitely. Congrats to the team! Again I am not suggesting that this was super-easy to do. It is easier than having to invent a whole new product that makes money. - Bindu Reddy
Feels crowded. They could have left a slightly larger gutter there. - Michael Herf
Seems like a great anecdotal case for usability folks...is there actual data on the revenue impact? - jeff hammond
Jeff, I don't believe that kind of data is publicly available. Google won't share that information with us. - Bindu Reddy
That's a lot of opened tabs... - Joshua
well, this is a change to the RHS ads, not the TOP ads....TOP ads drive a ton of the revenue... or you could just serve up ONLY ads, like this! http://search.aol.com/aol... - Maneesh
Bret Taylor
Scalien - Keyspace (distributed key value store) - http://scalien.com/keyspace/
Looks interesting, have been investigating a lot of these systems lately just out of curiosity, but most have not met my expectations. This one is new, but I plan on checking it out. - Bret Taylor from Bookmarklet
Anything in cluster form is great. Servers, Breakfast cereals etc. - CannonGod
Did you ever have a look at Tangosol Coherence? They were around before even memcached got popular, with a clustering solution with very flexible partitioning strategies, and the ability to run queries on the cluster. The continuous query functionality is pretty cool for real time stuff: http://coherence.oracle.com/display... Of course, the fact that it's written in Java might turn some people off. - Ray Cromwell
Bret, have you looked at redis, and or Tokyo Cabinet? - Nick Halstead
Nick: I love Tokyo Cabinet. It is not a distributed key value store, though - it just runs on one machine. There is a huge difference, and unfortunately most of the open source projects in this area don't actually work (largely demo quality from my tests). - Bret Taylor
Of course, Oracle bought Tangosol, but their original product was great. I don't know how much it costs now, but some of Tangosol's competitors were good too. - Ray Cromwell
Note that it's under the AGPL (Affero Gnu Public License), so you can't use it for closed-source web services. - Jim Norris
Oh: good point, Jim. Nevermind. I will not be checking it out. - Bret Taylor
Bret, http://opensource.plurk.com/LightCl... gives distribution + persistence to Tokyo + REDIS, definitely check out redis if you have time, although it's still early days they have key/value + the values can be sets + queues, and all operations are atomic. Redis is also very easy to hash across servers. - Nick Halstead
Re: AGPL. I recently looked at mongodb because apparently I'm not alone in thinking this whole space is fascinating (though it is not distributed key-value store). Anyway, their description of AGPL seems to be that it is possible to write a closed source web service against it so long as you give your changes to the server back to the community. However, I think this is enabled by the fact that they release their client library as Apache. Does that sound consistent with other people's understanding of AGPL? - Kelly Norton
Apache driver license looks safe to me except for the C++ driver. Not sure how that one avoids AGPL... - Michael Herf from iPhone
@Michael - You're right. Looks like the C++ driver is AGPL. I have to admit, I don't see how anything could really escape the viral nature of the AGPL. The site claims that there are drivers available from third parties under different licenses, but that would seem to violate AGPL. I think it's probably best to stay away from anything AGPL. - Kelly Norton
Here's a blog that surveyed some distributed key/value stores: http://www.metabrew.com/article... - Ray Cromwell
bob
CANCELLED: Depeche Mode 'Tour of the Universe 2009' Tickets at Shoreline Amphitheatre, 8/12/2009 - SF Gate - http://events.sfgate.com/mountai...
"CANCELLATION UPDATE: Depeche Mode has been forced to cancel their scheduled appearance on Wednesday, August 12th at the Shoreline Amphitheatre in Mountain View, California due to doctor's orders that lead singer Dave Gahan be on complete vocal rest for 48 hours. Because of their busy schedule, a new Bay Area date will not be rescheduled this year." - bob from Bookmarklet
:( - bob
Nooooooooooooooooooooooooooooooooooooooooo!!!!!!!!! - Paul Buchheit
yeah, that's all kinds of lame :( - bob
Shellen? You sold just in time. - Michael Herf
I wonder if Dave Gahan is another angry ff user, and this is his way of getting back at me? ;) - Paul Buchheit
or his dr - bob
I guess we should have gone to the Toronto show. Are there any nearby, non-canceled shows? - Paul Buchheit
LA is not yet cancelled http://www.livenation.com/artist... - also las vegas - bob
I don't think anyone in CA who doesn't work for Facebook or FriendFeed could afford the ticket prices anyway :P - LANjackal
i think lawn seats for the MV show were pretty reasonable :P - bob
They are in Denver @ Red Rocks August 27th. Just sayin. - Clare Dibble
They have been having the worst luck ever so far on this tour. - Sam Harmon
I almost got tickets for that show. It was going to be a b-day present for the hubster. 200 miles over the mountains and a night in Mt. View. Somehow, something told me to get him something else, instead. - Helen Sventitsky