Category Archives: oddhead blog

Oddhead Blog hacked… for the third time

My blog has been hacked yet again. For those keeping track, that’s infection number three. This latest exploit is very similar to the previous one. To humans arriving via browser (e.g., me), the site appears perfectly normal and healthy. Even upon clicking ‘view source’, nothing untoward is revealed. The <title> of my blog is, as always, Oddhead Blog.

However, when Google’s or Bing’s crawlers arrive to index my corner of the web, they see a different <title> altogether — Buy Cheap Cialis Online  — and immediately roll their eyes. (Actually even if you run 'curl', you’ll see the spam keywords.) The effect of the attack is a kind of reverse cloaking. Cloaking is the black-hat SEO practice of serving legitimate content to crawlers and spam content to people. Here, the spam content is shown to the crawlers and the legitimate content to the people.

Once the crawlers report this appalling information back to their respective mother ships, the search engines have no choice but to delist and demote my blog in their pagerankings. Right now, if you search for or within Oddhead Blog on Google, you’ll see how poorly the bots in Mountain View think of me:

Oddhead Blog hacked again: Spam titles in Google's cache 2012-04-27

You can hardly find any deep links into my blog by searching Google. For example, try searching for Bem+Wom, my invented term for “BEtter Mousetrap, Word of Mouth”. Even try “Bem+Wom oddhead blog”. You”ll find aggregators republishing my content, but no links to the original source, my blog, anywhere in sight. (Note to self: the Bing results for Bem+Wom are awful.)

Once again I am at a loss to understand my attacker’s motivation. Clearly it’s not to sell Cialis to my users, as they remain blissfully ignorant of any changes. The only benefit to anyone is to remove one relatively obscure blog from the search engine rankings and thus to move the attacker one slot up. Having a blog tangentially about gambling probably puts me into a shady neighborhood of the web, yet reverse-cloaking your competition (even if it can be somewhat automated and strike more than one competitor) seems like an awfully indirect way to improve one’s standing in Google. It’s also possible this is an act of pure vandalism.

So what should I do? Although I partly blame WordPress for writing insecure software, I may end up paying WordPress protection money to make this problem go away. I am seriously considering giving up on self hosting and moving my whole operation to’s hosted service, where presumably security is tighter, or at least it’s not my responsibility any more. My web hosting service, DreamHost, may also be partly to blame, yet I like the company and have been quite happy with them in many respects. Any advice, dear reader? Blogger? Try again and hope the fourth time is the charm? Should I be looking to ditch DreamHost as well?

Famous for 15 tweets

TV era: $quote = “In the future, everyone will be world-famous for 15 minutes”;
Search era: $quote =~ s/minutes/links/;
Social era: $quote =~ s/links/tweets/;

This month I’ve had five times more traffic than in any other month since I began blogging in Oct 2006, even during woblomo.

Why? I paid Paul Graham a compliment that struck a minor viral nerve, spreading through twitter, facebook, and blogs and sending over six thousand people my way on July 16 alone according to quantcast. Of course most have since dispersed.

Oddhead Blog traffic according to Quantcast July 2010

Power on the web flows backward through referrals to the sites that people begin their day with, the sources of traffic. Referrals from social media, unpredictable and bursty though they may be, are inexorably on the rise. As they grow, power will shift away from search engines, today’s referral kings. Who knows, this may embolden publishers to take previously unthinkable steps like voluntary delisting, further eroding the value of search. This has all been said before, perhaps best by Mark Cuban starting in 2008. It would be a blow to openness and hurt users, but would spark a fascinating battle.

Another meta note: I installed a new WordPress theme: Suffusion. It’s fantastic: endlessly configurable, bug free, fast, and well designed. I happened upon it by accident when WP 3.0 broke my old theme and I couldn’t be happier. Apparently written by a teenager, I donated to his beer, er, coffee fund.

World Blogging Year

First: I did it! A perfect 16 out of 31. I completed the (ok, my) World Blogging Month challenge to blog every odd day in the month of March.

Last year WoBloMo leapt out of the gates with five participants but I fell five hours short of the goal. As far as I know only Anthony and I returned for year two. He succeeded too according to official Australian Rules.

Again, I found the exercise worthwhile, clearing a number of items out of my queue, albeit mostly the easy and inane ones (c.f. the barking), and boosting readership.

In fact, I enjoyed it so much that I’ve signed up for World Blogging Year (WoBloYe). I will blog every odd day of every month at least through the end of 2010, starting today.

In fact I have formally pledged to stickk to my goal. Moreover, I am putting my money where my mouth is, PM-style. For every odd day of the month that passes blog-post-free I will donate $100 to my anticharity, the re-election fund for Don McLeroy. If I miss two deadlines in a row, my antidonation will double. Three missed deadlines in a row and it will quadruple, etc.

I’ve enlisted kibotzer’s help and you can follow my progress there. Wish me luck!

Update 2010/04/02: April Fools!

P.S. In all seriousness, read that New York Times article about Don McLeroy. It’s one of the scariest articles I’ve read in a long time. It’s about how ultra conservatives on the Texas board of education are rewriting history and science according to biblical and republican dogma, and how standards in that enormous state can dictate what gets printed in textbooks nationwide. They’ve done things like add Newt Gingrich and delete Edward Kennedy as significant Americans. They’ve banned classic children’s books by Bill Martin Jr. because they confused him with a different Bill Martin, author of “Ethical Marxism”.

It is the most crazy-making thing to sit there and watch a dentist and an insurance salesman rewrite curriculum standards in science and history. Last year, Don McLeroy believed he was smarter than the National Academy of Sciences, and he now believes he’s smarter than professors of American history.

Recovering from swine’s infection (my blog, that is)

Odd head hackerFor the second time, a hacker (in the swine sense of the word) broke in and defaced Oddhead Blog. Once again, I’m left impressed by the ingenuity of web malefactors and entirely mystified as to their motivation.

Last week several readers notified me that my rss feed on Google Reader was filled with spam (“Order Emsam No RxOrder Emsam Overnight DeliveryOrder… BuyBuy…”).

The strange part was, the feed looked fine when accessed directly on my website or via Bloglines. Only when Google requested the feed did it become corrupted, thus mucking up my content inside Google Reader but not on my website.

(Hat tip to Anthony who diagnosed the ailment: calling curl yielded clean output, while the same request masquerading as coming from Google, curl -A ‘Feedfetcher-Google; (+; 10 subscribers; feed-id=12312313123123)’, yielded the spammed-up version.)

In the meantime, Google Search had apparently deduced that my site was compromised and categorized my blog as spam. Look at the difference between these two searches. Nearly every page containing the query terms, no matter how tangential, takes precedence over in the results. [2009/06/23 Update: This is no longer the case: Apparently Google Search has reconsidered my blog.]

So began a lengthy investigation to find and eradicate the invader. The offending text did not appear anywhere in my WordPress code or database. Argg. I found that my plugins directory was world-writeable: uh oh. Then I found a file named remv.php in my themes directory containing a decidedly un-automattic jumble of code. Apparently this is an especially nasty bugger:

I’ve never seen a hack crop up with the tenacity of “remv.php” tho. Seriously, it’s kind of scary.

I’m still not sure how or even if an attacker used remv.php to corrupt my feed in such a subtle way. I decided on surgery by chainsaw rather than scalpel. I exported all my content into a WordPress XML file, deleted my entire installation of WordPress, reinstalled WordPress, then imported my content back in. I restored my theme and re-entered some meta data, but I still have many ongoing repairs to do like importing my blogroll and other links.

The attack was clever: a virus that sickens but does not kill the patient. The disease left my web site functioning perfectly well, making it less likely for me to notice and harder to track down. The bizarre symptom — corrupting the rss feed but only inside Google Reader — led Chris to wonder if the attacker knew I was a Yahoo! loyalist. That seems unlikely. I don’t think I have enemies who care that much. Also, the spammy feed appeared in Technorati as well. Almost surely I was the victim of an indiscriminate robot attack. Still, after searching around, I couldn’t find another example of exactly this form of RSS feed “selective corruption”: has anyone seen or heard of this attack or can find it? And can anyone explain why?

What did I learn? I learned to listen to Chris and not make him mad. 🙂

I also found a bunch of useful WordPress security tips, resources, and plugins that might be useful to others including my future self:

March is World Blogging Month (WoBloMo)

I’m planning to take the World Blogging Month (WoBloMo) challenge in March. Join me!

The goal is simple: blog at least every other day from March 1 to March 31. Post something — anything — on every odd day of the month and you win. Skip any day not divisible by 2 and you lose.

Many bloggers already write every day or nearly so. More power to them. For the rest of us, who blog infrequently and spend copious time arguing with their inner editors, ludicrous and artificial pretenses can be a good thing.

WoBloMo resembles the write-a-novel-in-a-month contest NaNoWriMo and other timed artistic challenges prefaced on the idea that quantity and quality can be friends. By suppressing the Spock-like perfectionist inside you, you can bring out your inner Kirk and “just do it”. Agonizing over details always has diminishing returns and sometimes, perversely, can make things worse. Or so the theory goes. You be the judge once (if) my WoBloMo fountain erupts.

Added 2009/02/26: Full disclosure.

Intelligent blog spam

As I alluded to previously, I seem to be getting “intelligent spam” on my blog: comments that pass the re-captcha test and seem on-topic, yet upon further inspection clearly constitute link spam: either the author URI or a link in the comment body is spam.

Here is one of the most clear cases, received on January 9 as a comment to my post on the CFTC’s call for proposals to regulate prediction markets:

Date: Fri, 9 Jan 2009 01:28:01 -0800
From: Matt.Herdy
New comment on your post #71 “A historic MayDay: The US
government’s call for help on regulating prediction markets”
Author : Matt.Herdy
Thanks for that post. I’ll put a note in the post.

1. It’s nothing new. The CFTC will just formalize the current
status quo.
2. We are prisoner of the CFTC regulations and the US Congress’
distaste of sports “gambling”. As for the profitability of prediction
exchanges in that strict environment, I don’t see how you can deny that
HedgeStreet went bankrupt even though it was well funded. Isn’t that a
hard fact?
3. You’re right, but all “pragmatists” should follow a business
plan and make profits. See point #2. Pragmatists won’t make miracles.

<a href=””>Removing stretch marks</a>

At first blush, the comments seems to come from a knowledgeable person: they refer to HedgeStreet, an extremely relevant yet mostly unknown company that’s not mentioned anywhere else in the post or other comments.

It turns out the comments seem intelligent because they are. In fact, they’re copied word for word from Chris Masse’s comments on his own blog.

Chris Masse’s page has a link to my page, so it could have been discovered with a “link:” query to a search engine.

Though now I understand what this spammer did, I remain puzzled exactly how they did it and especially why.

  1. Are these comments being inserted by people, perhaps hired on Mechanical Turk or other underground equivalent? Or are they coming from robots who have either broken re-captcha or the security of my blog? (John suspects a security breach.)
  2. Is it really worth it economically? All links in blog comments are NOFOLLOW links anyway, and disregarded by search engines for ranking purposes, so what is the point? Are they looking for actual humans to click these links?

In any case, it seems an intriguing development in the spam arms race. Are other bloggers getting “intelligent spam”? Does anyone know how it’s done and why?

Update 2010/07: Oh, the irony. I got a number of intelligent seeming comments on this post about SEO, nofollow, economics of spam, etc. that were… promoting spammy links. I left them for humor value though disabled the links.

Quantcast, Scribd, and the two-minute web service signup

I joined the quantcast audience measurement service. It took about two minutes to sign up and initiate tracking. I’m impressed with the ease of use, the utility, and the inroads the company has made in the year or so since former Yahoo Mike Speiser first showed it to me.

Looks like I’m getting about 1000 visitors a month, roughly 3/4 that of Chris, 1/6 of Robin, 1/10 of Lance, 0.00079% of my employer, and 0.00073% of my employer’s frenemy.

I also joined the scribd document hosting service (“Youtube for documents”) and used it to embed a PDF in my previous post. Again, from signup to service took a matter of minutes. (I think scribd could be great for hosting my publications which are in need of both a content and interface update.)

Probably there’s some sort of business axiom here, probably already blogged and book-ed: the two minute rule of successful web services.

26 comments released from purgatory

Sorry folks, I just released 26 comments from purgatory where they had been sitting for as long as 58 days. All pending comments have now been approved and posted. I’ll try to go through them soon and respond where appropriate.

About two months ago I changed my WordPress configuration and it turns out that comments were piling up for moderation without email notification, and I failed to spot the growing queue until now.

Since I’m using re-captcha and have turned off trackbacks, I shouldn’t need to moderate comments going forward, so I’ve turned off moderation (fingers crossed).

The Economist makes up

Here’s an update on my fractured relationship with The Economist magazine.

To my pleasant surprise, Alan Press, Vice President of Marketing & Circulation at The Economist actually posted a comment on my blog agreeing to cease and desist their renewal scare tactics!

We agree, the language is bad. We are discontinuing the use of this letter going forward, and will replace it with a message that makes clear how much we value readers like you.

(I didn’t notice the concession at first, as his comment got stuck in my Akismet spam folder for several days.)

I thought this was a stand-up gesture. I temporarily felt all warm and fuzzy about the good old days when The Economist and I first met. In all seriousness, I do appreciate the public comment and the prompt/effective action.

So are we getting back together?

That’s none of your business!

In any case, I’m happy to see blogplaining/freedbacking actually have an effect.

"You don't post enough"

I‘ve been blogging for about 33 weeks and this is my 31st post. Of those, I’d say roughly 12 are meals1 and 19 are snacks. So I’m clocking in a bit below one post per week, 1.5 meals per month.

If you feel that’s too few, or if you have any other comments or recommendations let me know. I’ll see what I can do. Without satisfied readers I’m just a tree falling in the woods 0.94 times a week.

In the meantime, if you’re craving more, you’re welcome to subscribe to the RSS feed of my shared bookmarks.2,3 There you can track me goofing off — er, conducting vital industry research. My bookmarking pace is closer to daily and I try to annotate each site with a revealing sentence or two.

Here’s an example of what the feed looks like in bloglines.4

1A meal requires some non-trivial amount of preparation on my part and digestion on yours. Hint: this post is not a meal.
2My shared bookmarks also appear in the two My Web Bookmarks widgets on the right hand column of this page.
3Christmas asks why I use My Web instead of No good reason except that I started using My Web first and I’m happy with it. By now I’ve invested enough effort in My Web that I don’t care to switch. Someday My Web,, and Yahoo! Bookmarks should play nice. UPDATE 2009/02/04: I’ve now switched to delicious.
4Looks like there are two blogliners subscribed to my bookmarks and 44 subscribed to the Oddhead Blog main feed.