Being that I’m fixed on the European keyboard layout (our enter key is double height with the backslash moved down next to Z) I had to order from Germany, specifically the guys over at getDigital.de

When the keyboard hadn’t arrived a couple of weeks later I headed off to the tracking link at DHL Germany.

As a customer all I’m interested in is:

• Where is the package now?
• When will I have it?

A good developer would understand and deliver this. Instead DHL present:

Everything here screams bad systems, poor understanding and disregard for the customer. They aren’t giving the customer what they want, they’re giving the customer a little of what they have and are not even reinterpreting the data from the customers perspective.

This isn’t untypical but neither of my questions have been answered and the item is over the delivery times so I need to go further. Hitting the contact button next to the “piece-number” takes us to:

Wow, so the primary point of contact for an international delivery is a number that can only be called from Germany. Useless.

So we can now choose a per-contact form or an investigation form. Okay, let’s go to the investigation form. Let’s try that.

Wow, DHL Germany really don’t have things under control here. Let’s flip over to DHL’s main site and take it from there.

First of all we need to chose our country, currently Canada… Now let’s enter the reference number we’ve been using on DHL Germany’s web site and “Shipment/Waybill not found”.

Okay, I’m a persistent fellow, let’s give DHL Canada a call and find out what’s going on… I give the reference number to the woman at the other end and “that’s too long”. Hmm, tell her it works on DHL Germany web site, she goes to the web site and tries it out and confirms it does but that it doesn’t work on their system. She tries a few searches on my name, from Germany to Vancouver, nothing, nada, zip and suggests I try contacting DHL Germany or the sender to get a “proper” reference number.

The real icing on the cake of course is the “About DHL” page states:

DHL Express offers seamless service worldwide.

I can see a very big seam here between Germany and Canada.

Expertise around the globe.

Not much use when the people with that expertise are sat behind a number you can’t call from outside their country.

One world. One express and logistics company.

But not one system or tracking mechanism.

[)amien

It’s unfortunate it happened when the site got some DotNetKicks and StumbleUpon love for Envy Code R but at least this isn’t a commercial venture losing money to such an incident – if it was I’d have a warm standby somewhere else – something many of ThePlanet’s commercial customers didn’t.

If downloads and images aren’t working for you then you’ll need to clear your DNS cache which may help the problem depending on the cache at your forwarder.

Windows ipconfig /flushdns

OS X Tiger lookupd -flushcache 

OS X Leopard dscacheutil -flushdns

This has skewed the FeedBurner stats so if you’re new here and take that as any measure of popularity it was 500+ last week :)

[)amien

New and changed

Manage files removed

The Manage > Files administration function has been silently removed despite still appearing in the on-line documentation.

If you don’t have FTP access this was the only way to modify your .htaccess and other important files without installing additional software. I can understand such a powerful function could be abused but an option to turn it back on or even a warning about its removal in the upgrade notes/read-me would have been useful.

Hopefully somebody will repackage the old functionality into a plug-in.

New look administration

I’m not sold on the new administration theme look but Dean J Robinson has crafted a plug-in called Fluency that refines the styling.

Generally usability in the administration user interface is better, the write post screen makes a lot more sense and the category & tag management is more logical.

Auto update plug-ins

I love this new feature, it shows you when a new version of a plug-in is available and then lets you automatically update. It isn’t without issue however, specifically it:

1. overwrites modified local versions without warning
2. may go wrong (it “upgraded” my wp-PostViews to wp-DBManager)
3. does not provide a roll-back or revert facility

Still it’s a v1 feature and I’m sure it’ll get some refinement in 2.6.

Compatibility

Live search broken (Redoable theme)

The Ajax-enabled live search is broken in Redoable although the normal search works. There have been no signs of an update in quite despite an un-patched HTML injection vulnerability.

Gregarious

This social bookmarking plug-in is broken in 2.5 and the author is too busy to fix it right now and the search for an alternative led me to Joost and his Sociable plug-in.

I’m not 100% happy with the output from Sociable right now but that can wait until my new theme is finished.

Other tweaks

These weren’t caused by the 2.5 upgrade but once you start messing with one thing there’s always that urge to fix other things you know aren’t right.

Google Analytics

Whilst testing my site I found XHTML compliance was broken. It turns out that Joost’s Google Analytics for WordPress incorrectly rewrites the hyperlinks when they parent another element such as an image. Putting on my PHP hacking hat I managed to fix it by editing the plug-in and changing the last line of ga_parse_link to:

return '<a '.$matches[1].'href="'.$matches[2].'//' .$matches[3].'"'.' '.$coolBit.$matches[4].'>'.$matches[5].'</a>';

Subscriber counts

My feed subscriber counts have been bugging me for a while as they jump up and down seemingly at random. In fact, it can be traced down to two things:

1. If you base it on less than 5 days of activity you’ll get the weekend dip
   Solution: Count 7 days worth of individual subscribers
2. Google Reader etc. sometimes stop passing the subscriber count from time to time
   Solution: Use single most recent multi-subscriber header for each service/feed in the last 30 days

If you want to do the same you need to edit the Feed Statistics plug-in and change the how_many_subscribers function to:

$q = "SELECT subscribers, CASE WHEN subscribers = 1 THEN identifier ELSE CONCAT(identifier, feed) END AS ident FROM ".$table_prefix."feed_subscribers  WHERE ((subscribers = 1 AND
	date > '".date("Y-m-d H:i:s", time() - (60 * 60 * 24 * get_option("feed_statistics_expiration_days")))."' ) OR
	(subscribers = 1 AND LOCATE('###',identifier) != 0 AND
	date > '".date("Y-m-d H:i:s", time() - (60 * 60 * 24 * get_option("feed_statistics_expiration_days") * 3))."' ) OR
	(subscribers > 1 AND date > '".date("Y-m-d H:i:s", time() - (60 * 60 * 24 * 30 * 3))."' ) )
	ORDER BY ident ASC, date DESC";

This should help but it’s not ideal with individual readers counted more than once if they change IP and groups counted as one if they are sharing an IP/NAT.

[)amien

Oddly there are no emails about this in my inbox and I sure didn’t tell it to add one to my calendar. As there is no ‘Report Spam’ link for calendar entries I had to return to calendar view, delete it from there and hope nothing else shows up.

Digital Inspiration also wrote about this and provide a link to Google’s spam reporting page.

[)amien

Facebook’s search algorithm is the most bizarre search algorithm known to man.

If you know how to spell their name exactly and type it all in lower-case that works fine. As soon as you introduce a capital or partial then spacing, which letters are capitalised and the length of the match all seem to play their part in the bizarre matching process that never delivers what you would expect although does deliver the same results every time.

I’ll use my name as an example (~ indicates additional space character):

Damien Guard / damien guard

Finds me, two coast guards named Nick Zieser and Patrick Fernandez, a person called Romy Domingo and two groups that match on description. The other people have nothing in the “Matches” field to indicate why they were bought in but not too strange.

Damie guar

Finds me, Damien Guarnieri and Kyle Damien Guarco. This one makes sense.

damien guar / ~damie guar

Should return same as above but oddly excludes Kyle.

Damien Guar / damie Guar~ / ~Damie Guard / dami Guard~ / dami guar / dami guard / dami guar

No matches at all.

damie guar

Curiously only Damien Guarnieri. Worrying given that many people search with lower case.

damie Guar

Damien Guarnieri and Kyle Damien Guarco only. No sign of me.

dami gua

The above two plus Damian La Guardia but still no sign of me or Damian Guard.

Damie guard / damie guard / damie Guard / Damie Guard / damien Guar / ~damie Guar~

Just me.

dam guar

Finds a Damian Guard in Tulsa but nobody else.

~dami gua~

Includes most of the people mentioned here but excludes my partial-namesake Damian Guard.

Damia Guar

Finds Damian Guardia and Damian La Guardia which didn’t show for “Dami Guar” yet excludes Damian Guard again.

It’s likely a case of devs trying to be intelligent and ending up with a usability nightmare but until they get their act together be prepared to try all sorts of combinations for partial matching.

[)amien

Better yet you can actually enter your ICQ number in the user-name box, fill in your password and integrate your ICQ account although this is seemingly undocumented and likely just a result of the ICQ and AIM integration from some time back.

It’s not as comprehensive as the fantastic Mac-app Adium or the clever Meebo web-interface and doesn’t offer support for MSN Messenger like those two but it’s a great extra tool to have at your disposal when stuck behind a proxy needing to get hold of someone.

[)amien

Akismet

Probably one of the most well-known plugins for WordPress this little wonder
screens all comments for spam using the Akismet web service. Get a key to access the service by signing up for a at WordPress.com and then configuring it in Plugins > Akismet Configuration.

Feed Statistics

I’m don’t want my subscribers in the control of a third party but I do like FeedBurner’s subscriber counts and analysis tools.

The Feed Statistics plugin provides a small subset of that functionality, the important one being a subscriber count which I now show in the sidebar. I went with a 3 day count configured from the Feedin WordPress admin.

Google Analytics for WordPress

There are a bunch of Google Analytics integration plugins out there but Google Analytics for WordPress apears to be the one currently using Google Analytics New Tracking Code ga.js instead of the old Urchin one. This actually uses a new URL and technique that hopefully won’t be blocked by so many viewers and also promises access to exciting new features as they become available…

Google Reader widget

I’m still in love with Google Reader especially since they added search to it (quite how they forgot that I’ll never know). One of the great things is that you can share your stories with your friends or better yet expose it as another RSS.

Google Reader widget adds a sidebar widget to show the stories you have chosen to share in your sidebar so no need for the annoying link-list posts (unless you need to add opinion or commentary of course). Configurable via Plugins > Google Analytics.

Gravatars2

Blog that don’t allow comments don’t get onto my Reader list without a fight. Without comments a post can’t be trusted – the author isn’t interested in any other opinions or thoughts.

Gravatar is a great site where you can register a picture with your email address so any site implementing Gravatars will show it next to your comments. In no time you’ll start recognising faces and pictures and decide if you want to check out their blogs too.

The Gravatars2 plugin puts those images next to the people who comment on your blog and can helpfully cache them locally for you given permission. It is configured from Options > Gravatars and the cache managed from Manage > Gravatar Cache.

Gregarious

Social bookmarking is incredibly popular through sites like Digg, StumbleUpon, Reddit, Delicious, Technorati, Windows Live Favourites or plain old email.

Gregarious takes care of providing links to submit your posts to these sites at the whim of a passing viewer. You can configure it in Options > Gravatars to choose the sites you want (I added DotNetKicks with a URL of http://www.dotnetkicks.com/kick/?url={url} ) as well as emailing you when a post is dugg and draw those famous little ‘n diggs’ yellow buttons.

Related Posts

Problogger’s Darren Rowse recommends interlinking posts to keep readers on your site and interested.

Related Posts automatically provides a list of likely related posts & pages based on keyword matching.

StatPress

Google Analytics is nice but the stats tend to lag a bit behind and sometimes you want to know what’s happening right now.

StatPress collects and reveals interesting real-time stats on Dashboard > StatPress including per-day & month counts of visitors, pageviews, spiders and feeds as well as recent hits, search terms and referrers. It also shows some visitor analysis and an interesting spy mode that shows recent visitors path through the site including how they got there.

My only complaints are that the MySQL database grows quite quickly and the analysis pages are slow. This is most likely caused by logging and analysis of raw data. Still it seems a lot less resource hungry that FireStats.

WP-PostRatings

An attempt to get quick feedback on what posts people are finding interesting and which aren’t with a simple star-rating next to each post.

Through no fault of it’s own WP-PostRatings has failed rather miserably here with few people wanting to click a star to rate a post. Will be dropped in the redesign.

WP-PostViews

Another visitor-retention seeking effort. By presenting the most popular content in the sidebar I’m hoping to entice people to look at a couple of other posts and hit the magic RSS subscribe button.

WP-PostViews records the stats and provides a method to get the post stats out you can put into your theme but most importantly comes with a widget to render a sidebar full of your most popular content.

[)amien

Hello Damien
You have received this email as a customer of our sister company, Friends Reunited.

Stared back at me from my inbox yesterday purporting to be from UK television company ITV. It was curious because I always de-select the marketing option. I visited Friends Reunited site to confirm the option was indeed off which it was. More interestingly it stated it would be for their own marketing messages, not third parties which their privacy policy clarified:

We, and (where relevant) our credit card processing agents, will not supply your personal data to a third party for commercial exploitation – thus, you can rest assured that we will not sell the lists of our Members’ email addresses to a third party; and

Yet here they are doing exactly what they claim not to.

Two subsequent emails to their support team resulted in one stating they have switched my third-party emailing option off (there is no such option, they claim never to do it at all) and when I clarified this for them another stating:

All members comments and suggestions are noted and passed onto our management team for consideration.

Such blatent disregard for their own policies and European regulation should not be ignored. If you live in the UK and a UK company is spamming you then complain to the Information Commissioners Office.

[)amien

Part of the problem stems from the “back-to-basics” approach to rendering web pages, throwing out classes and controls for string-based libraries (primitive obsession) and helpers which do not encode HTML or even offer a concise simple syntax to do so.

MonoRail was one such project but they took feedback on board and addressed the issue although I was surprised it had got as far as release candidate 2 with such a serious oversight.

Other projects have been less reactive when advised of the problem and I can’t help but wonder if I am not getting the severity of the issue across. This isn’t just an annoyance but a real security problem.

Vulnerable code often looks like this:

myLabel.Text = Request.Form["Something"];
Response.Write(Request.Cookies["AddedProduct"]);
<%= myDataReader[0] %>
<? php echo get_the_title() ?>

For more ASP.NET examples check out 5 signs your ASP.NET application may be vulnerable to HTML injection.

Let’s start by considering the actors involved:

Visitor to visitor

If your site stores input from an external user (visitor) and displays it to another then you could be exposed to this scenario. Many sites do this although it is not always immediately recognised – an internet banking site does not seem an obvious candidate until you consider that you may put a textual reference on payments made to another person. If you know they use a vulnerable internet banking solution…

A worst-case scenario here would be that one visitor could steal another’s login credentials and exploit whatever rights that might give him – anything from posting messages to stealing funds.

Visitor to staff

Not all sites exchange data between users but if your site collects information from visitors chances are it presents this information to staff. Internal systems used to examine it are often considered less vulnerable which is a mistake. Remember *all* data provided from a user should be considered to be a potential avenue for a dangerous payload, e.g. even the language-accepts or user-agent strings.

When exploited internal systems can reveal information in bulk about the users, the system and the administration accounts used to manage it. Gaining access to these details brings all the privileges those accounts have to offer which can be catastrophic.

Staff to visitor

It is easy to forget that many frauds are perpetuated by people on the inside. A staff member given the ability to present text to the user via a website has the ability to modify any page that the content is presented on which if it includes a login page (perhaps for system status messages) then capturing login details to a server of their own choice is easy.

Security operators with access to reset (but not view) passwords would find this attack particularly enticing given that they do not need to reset the users account and therefore raise any awareness. An insider can perpetuated the fraud and may be in a position to further conceal it within the organisation.

Next steps?

I can envisage a sequence of steps that start with discovery of injectable systems through detection of script-enabled into form capture-and-forward and async logging of passwords through XmlHttp.

Detailing those steps would certainly raise awareness and help developers appreciate the severity of the issue but how do I make sure that information isn’t abused?

Disclosure is a double-edged sword but then you can’t have security through obscurity… I wonder how many crackers/black hackers already utilise these techniques for nefarious means.

.NET developers might like to check out the slides from the Web Application Security talk I gave at the Guernsey Software Developer Forum which demonstrates exploitable, exploits and safe alternatives for preventing HTML and SQL injection.

[)amien

Most free software project home pages consist of a brief description, a list of technical documents and a number of download options but fail to pitch their solution at all.

Today I found myself at the home page for Mercurial which describes itself as

a fast, lightweight Source Control Management system designed for efficient handling of very large distributed projects

The site fails to persuade me to use or even evaluate their product. They present no argument for using their product over non-distributed systems such as Subversion nor why I should choose their product over distributed systems such as Git (which has associations with Linus and Google).

Contrasting that experience to the home page for Perforce, a commercial (non-distributed) product for source control management, we see:

• “Why Perforce” – the 10 minute pitch that covers their unique aspects such as performance, high-availability databases
• A quote from customer Clive Maxfield at iDesign pointing out that Perforce handles more than just source code (binary files & assets)
• Videos showing Perforce in operation so you can see how the product works (and learn it at the same time)
• Links to comparisons with ClearCase (commercial offering) and Subversion (popular free software offering)

Just because your software carries a $0 price tag doesn’t mean it will sell itself. Evaluating software takes time and effort which could mean another open source or commercial software is chosen because either it works out cheaper or made a better case for its selection.

When a project isn’t interested in new users that signals it could be a “pet-project” written for the challenge and not to address a real need not met by existing solutions. Until these projects reach a certain level of maturity, and some never do, users can expect to take a back seat in an uncomfortable ride.

So if your project wants users, pitch it.

[)amien

My dashboard shows that in the last 30 days I have directly earned 66,691 credits (made that number of impressions) and have been awarded 11,502 bonus credits and 3,473 referrer credits.

In return BlogRush have imprinted my last 12 blog posts (actually 11, one repeated, see below) and have sent a whole 15 visitors my way… that’s 1 visitor per 4,400 impressions which is mediocre by any measure. I get more hits than that in a month from leaving a couple of off-the-cuff comments on blog posts I’ve read elsewhere.

Apart from the mediocre conversions, some of the other problems include:

Uncontrolled spending of credits

BlogRush highly favours publicising the most recent articles regardless of hotness.

In my case it keeps putting out the More Silk Icons post despite only having 3 visitors for the 12,832 impressions whilst the older article on object initializers hasn’t got any new impressions despite getting 1 visitor for just 301 impressions.

If you have a glut of credits from a successful peak and you would rather hold on to your credits for the next post…well, tough, you can’t.

This forces you to change your posting schedule to meet your BlogRush credit balance.

Random capitalisation of post titles

It seems that BlogRush randomly changes the case of titles. Some examples include:

• Calculating CRC-64 in C# and .NET > Calculating Crc-64 In C# And .net
• AnkhSVN (Visual Studio Subversion integration) on Vista > AnkhSVN (visual Studio Subversion Integration) On Vista
• Droid font family courtesy of Google & Ascender > Droid Font Family Courtesy Of Google & Ascender
• Show Package Contents in Mac OS X > Show Package Contents In Mac Os X
• SQL Server replication blocking on clean-up job > Sql Server Replication Blocking On Cleanup Job
• Dissecting a C# Application – Inside SharpDevelop > Dissecting A C# Application – Inside Sharpdevelop

There seems to be no pattern behind it at all.

Duplication and random ignorance of content

My incredibly popular Droid Sans Mono great coding font post (42,000 hits in a week) doesn’t turn up on my BlogRush list at all.

Conversely my SQL Server replication article is treated as two different articles as I revised the title/URL.

Poor matching of content

Whilst they have introduced more specific categories my blog continued to show very unrelated posts – the whole simple categorisation system just doesn’t work especially when half the people haven’t revised from the more generic categories not have had any reminder or deadline to do so.

Something that worked off a posts tags would have been much better.

Filling the space

For now Google’s AdSense is taking the place rendering text adverts although for the default landing page it has no content for me. This apparently occurs if you are:

• Not indexed (definitely am, check out Google’s searches)
• Serving certain unspecified bad-words (every individual article gets adverts so not that)
• Nothing in your geographical region (see above)

I can only imagine the combination of words across certain posts when presented on the same page is hitting some magical figure. I hope talking about AdSense doesn’t mess it up further!

I doubt this widget will last very long – last time it was on for 3 months and earned me a whopping $9.

Ideally the site would move somewhere that can take being hit by the front page of DaringFireball again – that’s twice the sudden influx of users has knocked the site off. The first time my home DSL couldn’t take the strain, this time UHHosting kindly switched my site offoff for a couple of hours because I was “using too much CPU” – I have only WordPress, MySQL and a bunch of plug-in’s installed of which I have temporarily sacrificed FireStats, StatsPress and Gravatar2 at the sysop alter in order to keep my home online.

I have been toying with either renting a dedicated 1U server or co-locating one I buy. The latter was more tempting until I discovered that you only get 0.5 amps which is 120W for a whole server which means mirrored disks and a Core 2 chip are out…

[)amien

Windows Live Writer has finally been released but refuses to install on Windows x64 (64-bit) despite the promises made in the release notes of the previous beta. In fact it has an incredibly confusing installer.

This is especially annoying considering it’s such a great tool and that the new version finally supports a UK spell checker.

[)amien

Like many bloggers I recently added the BlogRush widget to my site. The idea is simple:

• Register at BlogRush (it’s free)
• Add the JavaScript widget code (Get Code)

This will then:

• Present visitors to your site with 5 links to other blogs per impression
• For every widget impression yours will be shown somewhere too

The problems started with the dashboard which was basic, then slowed to a crawl then finally gave minimal information and an assurance that a great replacement was on the way. That replacement was scheduled for ‘this week’ last Monday and not a word except:

This is a MAJOR update. The service is not even 30 days old, yet we’re about to release more changes than most Internet start-ups do in their first 6 months.

Or put more succinctly the service is almost 30 days old and you still can’t see if we’re doing what we promised.Google Analytics can track referrers and all go via widget.blogrush.com (you can’t tell which Blog sent a browser your way) and I’ve had 2 referrals out of 3,50 in the last 30 days putting it 112th in my referrer league. Analytics also tells me my site has had 11,800 impressions in that time although curiously StatPress informs me it is about 3-5 times this.Either way it’s rather disappointing on both fronts. It goes to prove that a great idea needs a great implementation which reminds me of Rojo’s failed roll outs which led me to switch to the then-inferior Google Reader which is now much more successful.I wonder if many people are blocking analytics.google.com. Does anyone else have such a large disparity between log/hits and Analytics? I thought it might be feed readers or crawlers but StatPress lists those individually.[)amien

Yes, I’m house-hunting again after my estate agent failed to mention (claimed to be ignorant of the fact) that all the lovely fields and views from my proposed home were already marked as a target housing area by the States of Guernsey as part of their Urban Area Plan (PDF, 5Mb).

These sites were set in 2002 and number just five. I wonder how long these people would last in IT if they took such an active disinterest in their field?

[)amien

Here are my notes on the experience.

Spam

Akismet is good but I prefer the invisible captcha that Subtext was using. I’ve gone from dealing with 1 rogue spam a month to 1-2 held for moderation a day.

View counts

The WordPress import format doesn’t deal with view counts. I wrote a query against Subtext to list them, a query in MySQL to identify article numbers then manually executed

UPDATE post_meta SET meta_value = meta_value + 123 WHERE meta_key = 'views' AND article_id = 456

For every article replacing 123 with Subtext’s view count and 456 with the WordPress article id. As my blog was previously on Blogger.com which doesn’t provide view counts they are a year or so lower than reality.

Preserving links

I chose a custom permalink format of /blog/%year%/%monthnum%/%day%/%postname% which gives http://damieng.com/blog/2007/10/01/first-of-october for posts. This is similar to the old format of http://www.damieng.com/blog/2007/10/01/first-of-october.aspx but obviously has the file extension and www dropped. Apache’s .htaccess file made redirecting the old links a breeze which was important to me as my blog suffered big drops in Technorati and Google when I last moved from Blogger.com to Subtext. The required lines to achieve this, redirect /blog/ and keep the RSS going were:

RedirectMatch permanent ^/blog/archive/(.*).aspx$ http://damieng.com/blog/$1
RedirectMatch permanent ^/blog/$ http://damieng.com/
RedirectMatch permanent ^/blog$ http://damieng.com/
RedirectMatch permanent ^/blog/rss.aspx http://damieng.com/feed
RedirectMatch permanent ^/blog/Rss.aspx http://damieng.com/feed

Editing

The default editor is fast and for the most part okay although it lacks the ability to change from the default paragraph tag to headings, preformatted blocks, blockquotes etc. It also very annoyingly tries to be helpful by turning carriage returns into new paragraphs which would be fine if it was clever enough to leave <pre> blocks well alone.

Steve suggested FCKeditor which is very slow at initialising on my machine and also tends to really mess up my HTML :(

Going forward

There are still a number of things I want to do including further deviating from the Redoable theme. Lightening up the look somewhat perhaps with some soft gradients and alternative typefaces will go a long-way. I’ll also want to do a proper logo at some point as soon as I can decide what it should look like.

Being that WordPress is a higher visibility target Phrixus suggested hiding the wp-admin directory as an extra level of protection against automated vulnerability/brute-force attacks which I shall also try.

I need to speak to GrinGod about the download counting mechanism he mentioned too.

The original Blogger.com content from a year or two ago will be phased out/removed as it would appear it dilutes my page rank having almost-identical content elsewhere not to mention messing up traffic stats etc.

[)amien