Why, Blog, Why?

My blog software has some neat built-in stat reports that i can use to see, among other things, how people got to this site. It's funny to see how often the same search term shows up in the logs (Google searches for "sweet msg" are among the most common on this blog for some reason. Note that Sarah gets a lot of "earthy crunchy mama" search referrers). However, when a legitimate search term does show up, indicating that perhaps someone found something on the blog that they felt was useful, I have no indication of whether said surfer got anything out of their visit here, or whether they have any intention of coming back. They are lurking in the shadows, stealing my thoughts and leaving nothing in return.

So, to you, dear lurker sir, I ask that, should you find anything useful on this site, let me know via the comment form on whatever article you've wound up at. It will spur me to write more, and let me know who's out there.

Preface:
I've been paying attention to the Mboffin blog since I discovered it way back in September of '05. I have often wanted to comment on the content, but Dylan's blogware requires registration in order to comment. This is a chronicle of my attempts to register and the frustration that it has caused. As you'll see below, alerting him to the problems is actually the greater problem. I'm posting this here hoping that he finds it via an ego search, or perhaps you know him...

Dear MBoff,

Hello, love your blog and want to comment many times. BUT...

Tried to register once like a year ago. Used the name Xangelusx. Either I entered the email address wrong or something else went kludgey, but I was never able to log in. To compound matters, your contact form was only open to registered users, so I was SOL.

Now, love the FNE post. Want to tell you as much. I'm adopting it whole heartedly for that matter (I never ever LOLed, really. Though I did FNE at your FNE post (you were right)). So, signed up again. Username ChrisBloom7 (tried to reuse xangelusx but it is still considered "taken"). Got through the registration process, got the emails, got activated, tried to login - bam-o, haiku-error land. Tried again, same thing. Clicked forgot password link, got the email, reset password (same as before), tried to log in again, same error. Me thinks there is something wrong with your login form. I typically use complex passwords (including at the least numbers and upper/lower-case letters, often a special character, almost always at least one space (in this case: numbers, upper/lowers and a space, 11 chars total)) so I wonder if that is the problem. I will try a "simple" password to see if that works, but thought you should know that I really loathe your registration system at this point.

Sardonically,
Chris Bloom

PS: BTW, your webmaster@ address, listed in emails and your website, is busted. Loathing turning to utter disdain.

Hi. This is the qmail-send program at xxx.xxx.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<webmaster AT mboffin.com>:
x.x.x.x does not like recipient.
Remote host said: 550 unknown user <webmaster AT mboffin.com>
Giving up on x.x.x.x.

PPS: Your accounts@ email address is busted too. Utter disdain turning to passionate hatred

Hi. This is the qmail-send program at xxx.xxx.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<accounts AT mboffin.com>:
x.x.x.x does not like recipient.
Remote host said: 550 unknown user <accounts AT mboffin.com>
Giving up on x.x.x.x.

PPS: Tried that "simple" password thing and still no dice. Passionate hatred turning to miming Darth Vader-esque jedi-choke thingy aimed your way.

My brother Todd alerted me to a bug on my comments form. It's fixed now (with help from the b2evolution team). Sorry to any of you that tried leaving comments before and couldn't get the form to work.

In my last post I mentioned that one of the problems leading up to the hack attack this week was "too loose server settings". That statement in fact couldn't have been more inaccurate, and I wanted to clarify:

The server itself was so secure as to have prevented a minor blog hack from becoming an all out zombie spam server. The folks at Hit Catcher, who are long-time friends of ours and who graciously host this blog and a few other of our projects, had the foresight some time ago to lock the server down in every possible way.

The problem that I was alluding to was then not in regards to the server itself, but more to a loose setting within the PHP scripting engine that runs on the server and powers this blog software. It was as much an oversight on my part as anything, as I could have and should have taken extra steps to tighten the settings within my own hosting account. I hope this clears up an otherwise inaccurate claim.

We're back online after almost 48 hours of down time. In short, our blog was h4x0red by some effing schwags who exploited a bug in the blog software. I think I was ground zero, or at least I was the first to report the issue in the support forums. The b2evolution developers were great though and had a patched version up within a few hours of my initial report. To be fair, it wasn't the blog software itself that was buggy but rather a combination of a vulnerability in an add-on file and too loose server settings PHP settings. Both have been fixed and I think we're safe for the moment. The funny thing is that I saw a bunch of activity in my logs that should have told me something was up - odd search referrals for specific text related to the blog software itself. But I ignored it, so shame on me. (Or as George W. would say "There's an old saying in Tennessee — I know it's in Texas, probably in Tennessee — that says, fool me once, shame on — shame on you. Fool me — you can't get fooled again.") Not that I would have known where they would strike, but perhaps a few preemptive IP bans would have reduced the blow. Anyways, luckily they only affected the blog files themselves and not the actual database which would have really sucked.

I have a lot more I want to write about, but I wanted to be in bed about 2 hours ago. But just so I don't forget, up next: Why I'll never buy another McAfee product again; our visit to Pine Hills Waldorf school tomorrow; and our best visit to the photographers yet! Maybe a bonus post summarizing the Internet Basics class I've been co-leading at work.

TTFN