I tried installing MT Blacklist yesterday, but had some problems with it. Didn’t realize that it had resulted in breaking comments entirely…Ted Pearson let me know about the problem this afternoon, and I’ve fixed it. (Thanks, Ted!)
If you’re an OS X user, it’s extremely important for you to be aware of a security vulnerability that’s been identified by users but not acknowledged or corrected by Apple.
(Update: The problem appears to be specific to Panther—OS X 10.3—so if you’re running an earlier version of OS X you should be okay.)
You can read about it on Jay Allen’s site (which is where I heard about it). Essentially, Mac browsers (including Safari, Mozilla, and Firefox) are all designed to launch the Help Viewer program when the help: protocol is invoked in a web link. Unfortunately, the Help Viewer program, in turn, is able to run scripts. What this means is that a malicious user can set up a page with an automatic redirect that runs a dangerous script. More details for the tech-minded can be found on this MacNN thread. And if you want a terrifying (but harmless) example of this, go to http://bronosky.com/pub/AppleScript.htm. It will launch Terminal and run a harmless du command—but it’s scary as hell to see that Terminal window launch and files start scrolling. (There’s also an advisory on the Secunia site, but it offers no helpful suggestions; just verifies the seriousness of the problem.)
If, like me, you just want to know how to fix this fast (since Apple has apparently known about this since February and hasn’t fixed it, it wouldn’t be wise to wait for their patch), here’s the approach to use.
Update: In my comments, Jay Allen points out that you should repeat steps 3 and 4 for the disk: protocol, as well.
Brava to Mena for starting a conversation by asking how people are currently using MovableType. Here’s my answer.
Here on mamamusings, I actually have one blog, with one author, which you’re looking at right now. This site would continue to qualify for a free license.
Misbehaving.net currently runs on TypePad, but we’d been considering a move off of it to a full MT installation because the spam problem has gotten out of control, and because the management of multiple authors there still leaves a lot to be desired—I’d like to be able to let other people in the group have the ability to manage the site without yielding control for all of my TypePad account, for example. We have ten authors on one blog, so that one would probably fall into the personal edition 10/10 category—except for the Google Ads, which bring in all of about $10/month. So right now, it would cost $120. If all the authors kicked in $12, that would probably work out about right. And at $10/head for new authors, we wouldn’t break anybody’s bank.
On lawley.net, there are two blogs, with two authors; one for my son Lane, and one for his best friend Jackson. My hope was to have a few more family members blogging there. Right now it would fall under personal edition, but I’m not sure it’s worth it to me to pay $70 for a tool that the kids use only occasionally.
On a domain that I set up for my kids’ elementary school, I had planned to set up blogs for any teacher who wanted one, so that they could use the blogs as tools for communicating with parents, students, each other, and teachers elsewhere. That plan is on hold pending more information about educational pricing. (And that one’s complicated because the blogs are strictly for teachers at a K-12 school, but I own the server and am not an employee of the school.) In that scenario, I expect we’d have a handful of teachers to begin, with a few more added each month as they saw what their colleagues were doing. I don’t want to have to continually monitor compliance with the license—“do we need another seat today?”—so I really hope there’ll be some kind of flat-rate unlimited use license for organizational contexts. If all the teachers (~30) decided to blog, we’d eventually be looking at ~$850 for the site (before discounts), which would probably be paid out of my pocket. I like my kids’ school, but I don’t have that kind of money to set something up for them.
And finally, on my RIT server, I’ve got eight weblogs. Five of them are from past classes, and they range from a one-author site (with just me as author) to a two-author site (me and a TA), to a 36-author site (with students having authoring privileges. One of them is the class I’m teaching this quarter. One is a research grant blog that has two authors (myself and Alex Halavais). And one is a blog for my current research project that has four authors (myself, my co-PI, and two student employees). I don’t even want to try to figure out what the cost would be under the current licensing, because it’s just too confusing.
Also, on all of those sites I regularly set up “test blogs” when I’m doing redesigns, so that I can test the new templates without messing up the production site. I’m going to assume (yes, I know what happens when you assume) that test blogs like that wouldn’t be included in any counts. But that I have to even think about that is vexing.
In SixApart’s response to the MT 3.0 feedback fiasco, Mena says:
One of the most valid comments we heard is that the personal licenses do not work well for many people who are currently using Movable Type. This surprised us because in a survey of 2500 people, a whopping 85% of respondents had 5 of fewer weblogs or authors. This help educate our final decisions about the weblog and author limits.
Who was it that thought that surveying 2500 random users of MT would be the best way to gauge user reaction?
You don’t just need to know what the random(user) thinks, you need to know what the opinion makers and change agents think—because since Movable Type users are all publishers, with audiences, those people will have an immediate impact on other users with their public reactions. More importantly, they made the mistake of thinking all blogs are the same. They’re not. My son’s one-author personal blog is qualitatively (not just quantitatively) different from Crooked Timber, which runs on the same software but has fifteen authors. Blogs based on my courseware templates are nothing like journalistic blogs. You need to know the different segments of your audience, and how their response to your ideas varies.
The fact that the response to the new licenses surprised them so much says volumes about how little they understood their users. And what’s astonishing about that to me is that in this industry, there’s really no excuse for not having ongoing conversations with your market, about all aspects of your product or service. There should be no big surprises in a weblog-enabled company.
What I hate about all of this is that I know the people involved, and I know this wasn’t motivated by greed or malice or contempt for their users. I know that. But the whole thing is clearly a consequence of poor communication with users, something that SixApart has been criticized about in the past. (While writing this, I received a trackback ping to my M2M post on the subject from Chuq Von Rospach, who makes some similar points on the communication issue.)
While they may have learned from this (and their quick response yesterday would indicate that they have), it doesn’t really matter much at this point. I’ve been following the ripples from the initial outrage, and the major impact has been for people to be shaken out of the inertia of not wanting to change software packages. The response isn’t “I’ll never pay a cent for software,” it’s “if I’m going to pay for software, I’d better shop around a bit and make sure I’m getting the best bang for my buck.” Or “I don’t like surprises, and I’d rather have a tool where things won’t change so unexpectedly.”
As a result, people who would never have thought seriously about changing programs (myself included) are now downloading and playing around with alternatives. And with people like Shelley Powers and Mark Pilgrim not only leading the way but also providing tips and tutorials on how to follow them, that genie can’t ever be stuffed back into the bottle.
Am I willing to pay for a high-quality software package that does exactly what I want? Of course. But like Jennifer over at ScriptyGoddess, I’m a lot less likely to pay for one that’s still going to require me to do a lot of tweaking to get it to do what I want. And in order to get me to feel good about paying for a new version of something when the older version was free, you’ve really got to make it more, not less attractive. They might have had less backlash if they’d changed the pricing without adding restrictions. Or if they’d added restrictions on commercial licenses and not personal licenses. As it is, they gambled big based on poor research, and lost not only customers, but also good will.
And while I’m grateful for the promise of significant educational discounts, I think the decision not to publish that information publicly is a mistake. If you force people to come after you for the information, you’ll lose some of them—particularly when there are other tools that they can explore instead. The most important users for them to target in education right now aren’t the institutional purchasers—for them, hundreds of dollars (or even thousands, if the software is important) is not an issue. It’s the individual teachers and students who serve as change agents in their organizations. If you put barriers in front of those early adopters, they’ll simply go elsewhere. And the timing of the change was awful in that regard, given that so many competitors are emerging right now with viable alternatives.
I really don’t want to switch away from MovableType—I’ve got a huge amount of time and energy invested in learning its ins and outs. But I’m nervous now, and far more aware of the precarious position that dependence on commercial software puts me in. So while I won’t jump ship just yet, I’m preparing some lifeboats, and testing the waters in them. I don’t want to surprised like this again.
—
Update: Christina Wodtke has an eloquent piece about why she’ll probably move her site off MT. I’m collecting a lot of the “why I’m considering a switch” posts over on del.icio.us, as well. It’s interesting to me to see how people are thinking out loud about their options.
It’s not easy to find much “hard” information on what just happened with MT licensing (SixApart’s web site is far from a masterpiece of information architecture), so I’ve mostly been reading commentary on various blog posts. (I found out about it because of a trackback from scribblingwoman to my MT courseware post.)
It’s not clear to me if the new charges will apply to users of pre 3.0 versions of MT. If so, that means everyone using my courseware for more than one class—including me—is pretty much screwed. And since I’m not willing to pay a licensing fee of $150 to use MT for the handful of family members on lawley.net, this probably will result in my migrating both my personal and my professional weblogs to another platform. (Let me add that I am willing to pay for MT; I’m just not willing to pay that much.)
From what I can see, regardless of how it all shakes out in terms of licenses and wording, this was a major screwup by SixApart in terms of communication and respect for their users. I’m deeply disappointed. And since I genuinely like and respect the Six Apart team—especially Anil and Joi, who I know well and think of as friends—I’m doubly surprised by the clumsiness of this move. As Simon Phipps points out, the response to Mena’s post announcing the changes is a sobering demonstration of the power of trackback to make unhappy customers’ voices heard. I imagine that a lot of companies will take this as a cautionary lesson about the negative impact of corporate blogs and the conversations they foster. I’m also disappointed by the company’s failure to quickly respond to the outcry from their user community—the longer they stay silent on this, the more likely it is that they’ll lose formerly committed users to competitive products.
Meanwhile, however, courseware users need not panic…I’ll probably spend some time next month looking at WordPress and TextPattern (which seem to come highly recommended by bloggers whose viewpoints I trust) to see if I can create one or more new versions of my courseware on those platforms (I can’t imagine it would be that difficult to migrate the courseware).
I’ll also add a Creative Commons license to the courseware templates and documentation, so that if anyone else wants to shift them elsewhere, they can.
—
Update: I’ve heard from Anil that there will be a very reasonable educational license provided, and that details will be announced soon. Once that happens, I’ll write more about the future of MT courseware and my educational use of the product. I know Six Apart is committed to encouraging educational uses of their products, so I’m hoping that the educational license(s) they announce will be fair and appropriate.
Support the blog:
Buy Tupperware