A lot of Windows worms on the Internet spread via email attachments. In the old days they were .exe files and nerds everywhere LOLed at the dummies who ran strange executables. Then the worms switched to .scr and nerds LOLed again but a bit more ruefully, explaining quietly how that filetype was an executable, too. And .com and .ocx and dummy don't you know Windoze? LOL.

This week's worm is Trojan.Pidief.A, a new joy. It's a .pdf attachment which exploits a bug in Adobe Reader's handling of mailto: URLs. LOL dummy, don't open PDF documents! Cuz if you do, Russian gangsters will install the Gozi trojan and steal your bank accounts. LOL.

You can't blame users for opening attachments; emailing PDFs is useful, good activity. The problem is the fundamental security model is broken. Email documents have to be interpreted in a restricted environment. There is no consumer computing platform today with a useful restricted environment.

Adobe bears special responsibility here for their software that's installed on every computer on the planet. Their broken, buggy software that results in your money being stolen by Russian gangsters. Adobe did get a patch out Oct 22, amazingly just one day before the PDF worm was disclosed. But given how awful the Reader upgrade experience is I suspect a lot of computers are unpatched.

  2007-10-29 16:12 Z
Ron Paul is the first serious presidential candidate promoted by the revolutionary new medium of email spam. From my mailbox today:
Google.com & Youtube.com Search: "Ron Paul"
Join The Revolution!

We Need A Real President That Will Restore And Protect
Americans! Stop The War! Protect Our Borders!
*********VOTE RON PAUL 2008************
I'm voting for the hYOtAz candidate.
  2007-10-29 15:44 Z
A few years back I mentioned Bitstream Vera Sans Mono, an excellent free monospace TrueType font. I install it on every computer I use for coding, terminals, etc. The whole font family is pretty useful, actually. The serif's a bit ugly but the sans is pleasant and it's great to have a free well hinted font.

But Vera development stopped at 1.10 and there's only spotty coverage outside of basic Western European scripts. So I was excited today to find the DejaVu fonts, an extension of Vera with more languages.

I just installed it and am glad to see modern Greek, better Georgian, Lao, Thai, and Cyrillic render in PuTTY. There's font support for Arabic and Hebrew too, but PuTTY wasn't happy going right to left. And there's even some math symbols and IPA!

Here's a test page with lots of screenshots.

  2007-10-29 00:19 Z
I stirred up some trouble with my post about TechCrunch misusing the term "off the record" or burning their sources. Some reactions: Brian Ford, John Gruber, JD Lasica, Scott Lawton, Dave Winer, even Valleywag. Nothing from TechCrunch themselves. I'd love to hear Arrington explain what "off the record" means to him. He's probably been too busy having off the record conversations in Hawai'i.

Most of the discussion has been about my provocation that "blogging is not journalism". Unfortunately it's a hackneyed discussion, my fault for using a false dichotomy to rile my readers (call it yellow blogging). Of course there's a continuum between stream of consciousness blogging and authoritative journalism and it stretches across media. Traditional journalists aren't perfect. And unsourced rumour blog posts can be amazing scoops.

What bothers me is when blogs do reporting in ignorance of decades of established journalism ethics and practice. Journalistic rules have value. How you treat a source is important; burnt sources stop talking. Authoritative sources make a story much stronger; otherwise you're just blogging rumours. And avoiding or disclosing conflicts of interest matters; if not, you appear biased. It's great that blogs are aggressively reporting rumours and stories. But please, bend the rules of journalism thoughtfully.

One advantage of the blog world is that bad reporting can be corrected by other blogs. Even so, I believe powerful blogs like TechCrunch have special responsibility to be careful in their reporting given their influence and appearance of authority. As Winer notes it's rare for someone in the tech world to publicly criticize TechCrunch because of the threat of repercussion.

Thanks to Andy and Philipp for their discussions
  2007-10-26 17:17 Z
I wrote a rather strongly worded blog post against bnet, a c|net property. It looked to me like they were keyword spamming Google with business keywords, particularly when I got a garbage page as the #1 result for a search.

Stephen Howard-Sarin, a VP working on BNET, was kind enough to write and explain that some of what I thought was spamming was actually a simple bug:

We had a Reuters story about PIMCO on BNET, and it got tagged like other content. But our contract with Reuters only allows us to keep a story live for 30 days. At the end of the period, we pulled the story but Google had indexed the story and the tag-listing page by then. So when you went to find it, you got a crappy error page.
Fair enough! I apologize for assuming malice in what was just a simple mistake. I'm still not wild about bnet's aggressive cross linking and keyword URLs but frankly if I ran a content site like theirs I'd be doing some of that too. For me the line is drawn at intentionally fooling search engines into sending traffic to you even when you don't have content. bnet wasn't deliberately doing that, so I withdraw the accusation of spamming.

Completely coincidentally, rumour has it that Google has recently altered its ranking algorithms for link weighting. I've got no idea what Google has done or if it would affect link structures like bnet's, but I note that today the lousy bnet page is no longer on the first result page. Maybe Google just got around to reindexing the page.

Many thanks to Mr. Howard-Sarin for being polite and professional. It's been a good reminder for me to elevate my own blog standards. I'm a bit embarrassed at my use of the word "scumbag."

  2007-10-25 00:47 Z
I like TechCrunch, it writes interesting blog posts about stuff I care about. But it's a great example of how blogging is not journalism.

TechCrunch has a strange habit of blogging things where the only source is off the record. Ie, from today's Valleywaggish story about a manufactured MySpace scandal.

How old is he really? We first heard 40. We dug a little online and came up with nothing. But then we got a senior person at MySpace to talk to us about it off record at the Web 2.0 Summit last week: this person confirmed that he's really "36 or 37" and that MySpace has been trying to keep this quiet for some time.
Or a few weeks ago, about Google and Facebook
Notwithstanding that NDA, we've now spoken with three of the attendees off record to get an understanding of what Google is planning. Google's goal — to fight Facebook by being even more open than the Facebook Platform.

Anyone talking to media knows that telling a journalist something "off the record" means you're telling them so they know it. It's not going to stay secret. But it also clearly means that the comments aren't to be used as a primary source. The point of "off the record" is to steer a journalist the right way so they can dig in deeper and get the real story from a real source, on the record. TechCrunch, though, just reports stuff "off the record" directly. Remember that next time you're being chummy at a party with Arrington.

Blogs are great for discussing current events, particularly shades and nuance from multiple angles. And I like juicy rumour sites. But real journalism has a strong code of ethics, a responsibility to source reports, and careful editorial review. TechCrunch isn't even trying to do that.

  2007-10-23 16:45 Z
I wanted to enjoy the new TV season of nerdy shows, I really did. But there's not a lot to love here.

The first season of Heroes was great fun, I even managed to get Ken to watch it despite his aversion to nerd TV. The fresh naive characters and the pleasure of self discovery were great. Sure, there was some scary bad stuff, but mostly it was joy to watch people learn their powers. Particularly Hiro. By contrast the second season is one giant bummer reel, lots of depression and scary crap and no joy. Hiro, the most fun character, is exiled to some stupid feudal Japan adventure that seems entirely irrelevant. The new character Monica is the only breath of pleasure in the new season, but then she's mostly about troubles, too.

But if Heroes is mildly dissatisfying, the new Bionic Woman is horrible. There was some hope that Eick could use his Battlestar Galactica magic to retread another cheesy old scifi show. But terrible casting and stupid plots (Islamic terrorists in Paraguay? Really?) make for awful TV. The one clever thing in the game is an undercurrent of feminism and body ownership; if they can ever elevate that theme beyond an occasional throwaway line it might be sorta interesting. But first they need to fire their lead actor.

At least I still have Mad Men. The third season of Prison Break is sort of working, too.

  2007-10-23 16:12 Z
My home Linux server with all my files had a hard drive failure, but I happily came through mostly unscathed. Your hard drive is going to fail someday too. Backups and a rescue plan will save you, maybe these notes will help.

More inside ...

  2007-10-21 18:26 Z
c|net has always seemed pretty squirrely to me, what with the weird com.com domain name and the rafts of crappy articles crowding around the occasional good content. But c|net's "go-to-place for management" site bnet takes the cake.

I ran into bnet researching the PIMCO Distressed Mortgage Fund. Their page is the first hit on Google and promises "White papers, case studies, technical articles, and blog posts." Only the page actually has no content on it, just list after list of keywords and a bunch of ads.

Searching around it's clear there are a lot of keywords bnet is spamming: hedge funds, mortgages, currency, management, etc. In fact, bnet seems to have a keyword stuffed URL for just about any valuable business search term. Some of the links even lead to crappy boilerplate articles, the sort of text that just barely passes a Turing test without actually informing the reader. And lots of ads and outbound links.

These kinds of ad farms are pretty common on the Web and Google's generally good at filtering them out. I guess c|net had a good enough reputation that Google was fooled into trusting the URL and description meta tag. That won't last. I always wonder about the engineers who work on these spam projects. Aren't they ashamed?

Update: it seems I was wrong and bnet wasn't intentionally spamming. Please read this update.
  2007-10-19 23:42 Z
After my hard drive failure adventure I bought a second hard drive for the sole purpose of backing up a complete copy of everything via rsnapshot. I was worried it'd be too slow for my 165 gigs of crap, but it's not too bad even on my not-terribly-fast IDE disks.

The first backup of 165 gigs was slow; 3 hours of rsync. But incremental backups of everything take just 5 minutes. 2.5 minutes of cp -al to make a historical snapshot and 2.5 minutes of rsync to update the primary backup. The incrementals are about 250 megs. Most of that is a couple of giant logfiles that get appended to on every email; rsnapshot has to back up the whole file.

  2007-10-19 21:50 Z
They're serious about the MP3 store. I just found they're offering a 20% referral fee for all sales via links from Amazon Associates. That's about $2 an album. Some music blog somewhere is about to get very wealthy. And Apple must feel a little nervous. Big play.
  2007-10-17 16:41 Z
Oh weighted companion cube, you were a wonderful companion. Your weight held down many buttons for me. Your cubiness blocked the bullets from my delicate flesh. And you asked nothing in return. I'm sorry I betrayed you, would you like a nice piece of cake?

Portal is a really impressive little game.

  2007-10-15 01:24 Z
CUPS is good software. It's a suite of printer management software for Unix. And on my new Debian install it couldn't be simpler to get things working. A real improvement on twenty years of Unix print software nightmare.

My only confusion was where to start; Google searches suggested it'd be scary and hard. It's not, you just install CUPS and connect to http://localhost:631/. Note it has to be localhost because on Debian CUPS doesn't listen on external network interfaces by default; use ssh port forwarding if you have to.

Once I got to the webapp I clicked the "add printer" button and smiled as it autodetected my old parallel port printer. Gave it a name, told it what kind of printer it is, and voila; postscript printing. The coup de grâce was that Samba magically found my new CUPS printer, which means my Windows machine can print to the printer too. I spent three days making that work last time I set up a printer.

Easy to configure Unix software; who woulda guessed?

  2007-10-13 19:02 Z
Why does my iGoogle start page randomly lose some of my bookmarks from time to time? They come back eventually, but it's an awfully bad bug.
  2007-10-07 19:02 Z
If you were visiting California from afar and wanted to have a food and wine adventure in the Napa Valley you might think COPIA would be worth a visit. Don't bother, do something interesting instead.

The mistake we made was thinking COPIA would be like a museum with interesting exhibits to visit. It's not. It's more like a visitor's center, a big open space with some mediocre interpretive plaques showing you Our Friend the Farmer. Or in this case Our Friend the Brand Identity with ample space for wine labels, food packaging, and other contemporary logomark bearing flat objects. Boring.

I think maybe the place works better in its second role as a neutral meeting and educational space for the wine industry. They had a series of scheduled wine tastings every day that looked pretty good and more structured than boozing it up down Highway 29.

Lunch at their restaurant Julia's Kitchen was fantastic; both the chef and pastry chef were quite impressive and naturally there's a great wine selection. But there's so many places to go for beautiful scenery, food, and wine in Napa that COPIA can't compete. It's too bad, it'd be great to have a wine museum destination in California.

  2007-10-07 18:17 Z
The new Amazon MP3 store is awesome. $0.89 or $0.99 a song, $9 or so an album, and simple MP3 files with no DRM or iTunes nonsense. The MP3s come with great ID3 tags and excellent quality 256kbps encoding (sometimes VBR). The downloader app is even decent; I think it's there to make life simple for people who aren't download experts.

This store is it, folks. We've been whining for years that buying music online sucked and we got better results stealing it. Well, that's not true anymore. If Amazon sells a piece of music there's no advantage to stealing it other than thieving something for free.

Proper respects to Warp Records whose online store Bleep has been selling unencumbered MP3s for almost four years now. Bleep is awesome but it has a limited catalog. Amazon will be the big time.

Update: one wrinkle, the Amazon MP3 version of M.I.A.'s album Arular is a bowdlerized copy. The word fuck is radio-edited out in "URAQT" and "Dash the Curry Skit". Why am I being treated like a child? Presumably this is the label's fault, not Amazon's.

Update 2: thanks to rjrjr I see Amazon has now updated the store, offering both kiddie and normal versions.

Update 3: thanks to Amazon support for letting me "exchange" the album. Of course you can't really return a download, but they made an exception for me.
  2007-10-02 21:52 Z
Handy tip for Amazon associates; you can redeem gift certificates before you buy something. Just go to your Amazon account page and click on apply a gift certificate. Paste in the code and bingo! Instant credit.

I've been an Amazon associate since 1998 or so. All I do is link to things from my blog. The payments have always been pretty small but since I'd link to Amazon anyway, why not get paid? The most popular purchase this year is nose hair trimmers, about one purchase a week and $0.90 in my pocket. Good grooming and enough change for a half cup of coffee all at once!

I don't even recognize about half of the items I get payments for. It's not random shopping; the payments are almost all from direct links. A long time back I released a Blosxom Amazon plugin with my referral code built in by default; I wonder if someone's blog is the source of the purchases I don't recognize?

  2007-10-02 21:29 Z
One of the replayability features in Halo 3 is "skulls", special doodads hidden in obscure places in the various levels for you to find. Finding them is fun in itself and once you've found them you can use them to unlock modes that make the game harder. I can't imagine finding these on my own, so I went online to Halo 3 Planet, Team Xbox, and Hushed Casket to find them. Here's a list of their basic locations, spoilers ahead.

More inside ...

  2007-10-02 01:30 Z
I'm uncomfortable with the ethics around "conversational marketing." It's way too easy for bloggers and online community members to pass off paid-for advertising as personal opinion. And without clear ethical standards like in journalism, too many people are following the money.

The clearest example of this kind of sleazy advertising is Federated Media's people ready campaign for Microsoft. Remember the day when the phrase "people ready" started showing up in ads spouted by bloggers you read? All paid advertising. My respect for Michael Arrington, Om Malik, Fred Wilson, and Matt Marshall as citizen journalists went down a bit that day. I hope most of these folks just didn't think very carefully about their participation. Some recanted and FM's people ready site is now offline. An embarrassment buried?

At least "people ready" showed up in clearly marked banner ads. What's scarier is when community members inject advertising in their blogs and forum posts without appropriate disclosure. Draper Fisher Jurvetson funded PayPerPost is a whole business walking this shaky ethical line. Publicis Modem is in the game, too, I just got spammed by "Tracy" who is "reaching out to me" to participate in a "viral international buzz campaign". Yuck. Even my Warcraft guild is infected by conversational marketing: a Federated Media contest for HP computers is driving buzz for those products on my guild's forums and in-game chat. It's irritating.

Of course, deceptive advertising works. Paying people to talk about your brand does increase brand awareness. But it makes me lose a little respect for the community members who shill for advertisers. It's not the worst thing someone could do, but it's a little tacky. Seeing people talk about HP computers in my game today felt like the day I saw the Green Card spam show up on Usenet. Advertising is fine. Deceptive advertising that pollutes our online communities is not.

  2007-10-01 18:18 Z