Is every crowdsourced “let’s catch the Bad Guys” effort inherently doomed to wind up as a witch hunt?
For a while last week, as we were all caught up in the aftermath of the Boston Marathon bombing, I was cheered up a bit by the efforts of Reddit and 4chan to try to figure out what they could do to assist in a positive way. It seemed like they were doing all the right things, in a sincere effort to help law enforcement by crowdsourcing the efforts to determine who had planted the bombs. Right up front, Reddit said that racism, trolling, idiocy of any kind would not be tolerated. They even had, as a “sticky” post up at the top of the page, a notice reminding everyone of the sad story of Richard Jewell.
For a while, it seemed like they might actually be able to contribute something. That maybe having tens of thousands of sharp-eyed internet sleuths poring over the mountains of photos, videos, and eyewitness reports might lead to what the pros call “actionable intelligence.” Noted internet provocateur Jason Calacanis went so far as to say,
“Twitter is where all the smart and important people in the world spend their time, which means instant coverage of these horrific events unfolds there in real time. Sure, there are spammers and idiots on Twitter, but smart people favor Twitter over any other social network by far.”
Yet folks say, ‘Don’t speculate’?!
Ummmm, that’s exactly what we need to do!
Sometimes the rules change. Sometimes dogma needs to be flipped: ‘Shut up and let the cops do their job’ in the case of a terrorist attack is EXACTLY wrong.”
But the apology today from Reddit makes it clear that whatever clear intentions we started out with, no matter the warnings posted to try to ward off the kind of unthinking, hysterical shaming/assumptions of guilt … at the end of the road, we wound up at the same old familiar virtual lynching tree.
Like two vast and trunkless legs in the sand, this is all that remains of the once-great campaign to find the Boston Marathon bombers.
A few years ago, reddit enacted a policy to not allow personal information on the site. This was because “let’s find out who this is” events frequently result in witch hunts, often incorrectly identifying innocent suspects and disrupting or ruining their lives. We hoped that the crowdsourced search for new information would not spark exactly this type of witch hunt. We were wrong. The search for the bombers bore less resemblance to the types of vindictive internet witch hunts our no-personal-information rule was originally written for, but the outcome was no different.
From 4chan to the front page. Not such a short journey, after all.
So what’s the real takeaway here? Well, the hard fact that I keep coming back to is that there were hundreds of thousands of people spending hours of their lives, obsessively poring over photos and videos. In some cases, this can lead to killers being found, mysteries being solved, and the innocent being set free.
In this case, it did not.
That does not mean that we should slam the door on crowdsourcing and leave everything to “the professionals.”
Look, we’ve got The People Formerly Known As The Audience no longer willing to sit passively and just let “news” wash over them. They want to be involved. They want to react. They want to DO SOMETHING. Send money, travel to New Orleans and man a bass boat with a rescue crew, build tents in Haiti, pepper their congressman with Tweets … whatever.
This generation grew up playing video games. You push the buttons on your digital device, and stuff on the screen in front of your face reacts. This paradigm is powerful. That’s why kids, including me, back in my [*wheeze*] youth loved playing them. They make you feel involved, empowered, in charge, filled with agency. Pick a phrase.
This genie is not going back into the bottle. No matter how much all the scolders tut-tut, the impulse of human beings to get off their asses and do something when they see something that moves them deeply, is going to continue. It will continue not just in the safe and societally acceptable channels of sending money/volunteering (and I think the mountains of teddy bears sent to the parents in Sandy Hook are misguided). This impulse is inevitably going to continue to play out in the digital realm, where we increasingly spend so much of our attentionshare.
Nobody really covered themselves in glory this past week.
The genie is not going back into the bottle. Nor should it.
Our jobs as journalists/media professionals are to figure out how better to make this impulse actually turn into something productive. I give Reddit a lot of credit for actually pitching in and helping.
“I own a hotel in Reno that was built back in the 60s. It’s old-school, so it has no air-conditioning. In the summer, to keep it cool, we open the doors to let the breeze flow through. The problem is, the mosquitoes also come in.
“Well, we had a night clerk. He was a little … strange. Like you’d pretty much expect from a guy who chooses to work the 2 a.m. shift. So he comes up with an idea to try to solve the mosquito problem. He goes out and gets a whole bunch of catfish and stocks them into the ponds surrounding the hotel, that were the breeding grounds for mosquitoes.
“A day later, I get a call from one of the managers. He’s freaking out – ‘There’s blood everywhere! Blood and meat and torn flesh in the hallways! Something terrible happened here! I gotta go!’
“And then he hangs up. I’m freaking out. Wondering if the Manson Family somehow got loose and went Helter Skelter all over my hotel.
“And then I get the callback. Turns out the catfish really didn’t feast on the mosquitoes the way it was planned.
“But the raccoons? They feasted on the catfish. They went into such a frenzy, they were running through the halls of the hotel, ripping apart and eating the catfish they were easily catching out of these ponds. Looked like a massacre.
“The manager says, ‘So we fire him, right?’
“I said, ‘Hell no! Give that man a raise! At least he tried to solve the problem. He didn’t sit around, waiting for someone else to try to solve things. He saw a need and he jumped in and tried to fix things.’
“Granted. His solution didn’t work. But at least he tried something new and different.
“And that’s how the award for ‘Best Failure’ was born.”
That, in a nutshell, is how I feel about not only the attempts by ordinary citizens to help find the Boston Bombers … but the fact that Reddit is trying to work out the acceptable rules for how to run a crowdsourcing project that adds value to the response to a tragedy. If nobody tries anything until we have it all perfect … then nothing will ever get done.
OK, this is really derivative, but I’m so impressed with the insight in this list that I’m shamelessly repeating it here. Go to BoingBoing. Click on the ads. Give them some money. They are good. I like BoingBoing.
(Please, no DMCA notice for this…)
To my journalism students – when you’re trying to construct a compelling narrative, for a story that goes beyond “On Tuesday, the Board met for two hours to consider blah-de-blah…” you could do a helluva lot worse than use these rules to challenge yourself to come up with something that grabs the reader and makes them keep clicking the “Next” button at the bottom of your page.
From Aerogramme Writers’ Studio, via Adafruit. My favorite is #13: “Discount the 1st thing that comes to mind. And the 2nd, 3rd, 4th, 5th – get the obvious out of the way. Surprise yourself.”
These rules were originally tweeted by Emma Coates, Pixar’s Story Artist. Number 9 on the list – When you’re stuck, make a list of what wouldn’t happen next – is a great one and can apply to writers in all genres.
You admire a character for trying more than for their successes.
You gotta keep in mind what’s interesting to you as an audience, not what’s fun to do as a writer. They can be very different.
Trying for theme is important, but you won’t see what the story is actually about til you’re at the end of it. Now rewrite.
Once upon a time there was ___. Every day, ___. One day ___. Because of that, ___. Because of that, ___. Until finally ___.
Simplify. Focus. Combine characters. Hop over detours. You’ll feel like you’re losing valuable stuff but it sets you free.
What is your character good at, comfortable with? Throw the polar opposite at them. Challenge them. How do they deal?
Come up with your ending before you figure out your middle. Seriously. Endings are hard, get yours working up front.
Finish your story, let go even if it’s not perfect. In an ideal world you have both, but move on. Do better next time.
When you’re stuck, make a list of what WOULDN’T happen next. Lots of times the material to get you unstuck will show up.
Pull apart the stories you like. What you like in them is a part of you; you’ve got to recognize it before you can use it.
Putting it on paper lets you start fixing it. If it stays in your head, a perfect idea, you’ll never share it with anyone.
Discount the 1st thing that comes to mind. And the 2nd, 3rd, 4th, 5th – get the obvious out of the way. Surprise yourself.
Give your characters opinions. Passive/malleable might seem likable to you as you write, but it’s poison to the audience.
Why must you tell THIS story? What’s the belief burning within you that your story feeds off of? That’s the heart of it.
If you were your character, in this situation, how would you feel? Honesty lends credibility to unbelievable situations.
What are the stakes? Give us reason to root for the character. What happens if they don’t succeed? Stack the odds against.
No work is ever wasted. If it’s not working, let go and move on – it’ll come back around to be useful later.
You have to know yourself: the difference between doing your best & fussing. Story is testing, not refining.
Coincidences to get characters into trouble are great; coincidences to get them out of it are cheating.
Exercise: take the building blocks of a movie you dislike. How d’you rearrange them into what you DO like?
You gotta identify with your situation/characters, can’t just write ‘cool’. What would make YOU act that way?
What’s the essence of your story? Most economical telling of it? If you know that, you can build out from there.
The “Follow/Unfollow Dance” builds your lists … but to what end?
Social media whiz & Cheesehead Homie Erik Johnson writes powerfully about his experience with one of his intellectual idols. Viz:
Every school had one. The kid who pretended to be your friend just to get something he wanted from you and then acted like you’d never met. The user. Not the model you would build a business around and certainly not the model for a business social media strategy.
If you’ve been paying attention to the growing phenomenon on Twitter of people who want to bill themselves as thought leaders & social media experts following you & then unfollowing you a few weeks later after snookering you into believing there is a mutual interest, this sad saga will seem very familiar. I’m having my own issue with it myself – I’ve noted that a lot of the people that I follow don’t seem to actually be interested in connecting with me, other than to connect. I don’t get any follow-up conversation out of the connection.
I’ll admit it. I’m not as diligent as I should be in following/unfollowing and tracking everything that’s going on in the social sphere. Been spending a lot of time on content creation the past few months – writing books, creating lesson plans, wireframing sites, handling social media for other people … so yeah, mea culpa.
I turned to JustUnfollow to see if this would help.
JustUnfollow purports to help you keep track of whether or not you’re being gamed … and perhaps even to start gaming the system yourself (Not Recommended). I am dismayed, but not surprised, that services like this are becoming common & in-demand.
The service generates a DM that you can customize to say thanks to the people that follow you. It’s kinda filled up my DM column with these messages. As you can see, I tried to make the “Thanks” message a little less boilerplate sounding.
I get a steady stream of notifications as to who has followed me in Tweetdeck. This is handy, as the notifications often wind up in my spam folder in Mail. However, this is still something of an impersonal-feeling process, mostly because I’ve been slacking off on actually connecting with those who connect with me. My bad, people.
I had kinda hoped that this service would run in the background and keep some kind of order to my Twitter feed. And then, I got this little notification:
Apparently, I’ve been rude. Didn’t realize that I was doing so. I was buried under book deadlines, designing a multi-platform site for a client, and teaching a class. Still, I was negligent and I got called on it. Worse, it seems the solution I tried to impose has actually done the opposite from my intentions.
It appears that in trying to set up a system by which I rewarded people with at least a DM for following me, I somehow stumbled into a situation where that DM is seen as the very thing that I was trying to avoid. I probably need to go in and tweak the settings on JustUnfollow to make sure this doesn’t happen again. Also, I should probably use JustUnfollow to see if there is some chicanery going on with my Follow/Unfollow stats. I’m interested in connecting with journalists and New Media thinkers, to widen the variety and depth of the info-flow that I expose myself to.
However, I still struggle with taming the torrent. And yeah, I know that is ironic, given the stated mission of this blog. But the situation is not being helped by the amount of “Hey, are you really paying attention to me?” messages coming at me, especially when compared to the “Social Media Users” that are trying to get me roped into following them, just so they can boost their own Klout score.
Here’s what I wrote as a comment on Erik’s blog. And yes, I do recommend that you follow him.
Unfortunately, I am locked in exactly this kind of dance myself on social media. As the number of Twitter followers you have starts to become a real badge denoting authenticity and authority, the incentives are there to “game the system.” I’ve tried to restrict my Twitter feed to only people that I actually can pay attention to; when in the early days, I went nuts and got up into the thousands, my feed was streaming so fast that I couldn’t actually get any value out of it. Which brought my efforts to the equivalent of spitting into a vast, anonymous torrent. I’ve got quite enough of that trying to engage in the blogosphere, thank you very much.
Whenever I see Twitter accounts with 40,000 followers and 40,000 following – well, I know that the person has devoted significant time to building a list and a presence. But it makes me wonder – will they actually respond to an attempt at conversation? Can they? Is it even possible with the flow from 40K people coming through HootSuite/Tweetdeck? I couldn’t do it with 1500.
And if the point of social media isn’t to actually have a conversation with people about something of mutual value … then what’s the damn point, anyway? Just start graffiti’ing up billboards and save the rest of us from the tricks and games, already.
At this point, I’d have to give JustUnfollow a Sip With Caution rating:
The blogging community is notoriously hard to please. Check out the vitriolic tweets directed at the poor victims who dared to sit onstage at the close of the NMX convention, talking about “Inventing the Future.”
Check out the silvery television-headed robots:
Despite the rather ugly tone at the end, there were some creative attempts at serving the pajama-clad tech nerd lynch mob:
First, there were the somewhat shellshocked crew behind the counter at the BlackBerry booth. They were apparently laboring under the misconception that there are actually talented developers in the world that, given a choice, would pour their time and energy into creating an app for their platform.
If there is a clearer indication that upper management at BlackBerry is delusional and out of touch, I haven’t seen it.
The signs plaintively exhort the fictional mobile developers to “blog about it!” Not sure if publicly acknowledging that you’ve just wasted your time & effort on a platform that’s got one foot in the grave and the other on a banana peel should be seen as a complicated cry for help, or a confession of bad business judgement.
Next, the folks at Readz, promising “Simply Beautiful Tablet Publishing.” I’ve been grinding my mental gears on the various tablet-publishing solutions for the past two years, most recently with Atavist, iBook Creator, and the Adobe Digital Publishing Suite. What I’ve learned is that these tools promise much, but run headlong into the contradictions inherent in this chaotic new space.
For example, there are the crazy quilt screen resolutions, video formats and typographic specs. And then there’s the whole horizontal/vertical screen orientation layout problem. iBook Creator is particularly ugly and opaque on this issue — your layout will look fine one way, but flip the iPad the other way, and some elements will show up and others … won’t. No rhyme nor reason to it either.
Meanwhile, the InDesign files churned out contain such spaghetti code that you are directed to open them in Dreamweaver to clean up the CSS3 and HTML 5.
I’ll give Readz a spin, even though they inexplicably have “Wilson” the volleyball from Castaway as part of the booth decor.
I did like the quirky spirit displayed by the WordPress “Happiness Bar,” where they touted the fact that the WordPress platform is being used by everyone from giant corporations to “your dad’s book club.” The folks there were talking about vague plans for better ecommerce plugins.
If someone were to come up with an open-source PayPal, that would really rock a lot of worlds. The challenges would be enormous – whenever there’s money involved on the web, you WILL get haxxors. It’s inevitable. Then again, getting out from under a corporate monolith that is vulnerable to pressure (such as in the Wikileaks case) would be a step in the direction of international press freedom.
Next up, Raven. I’ve been looking at them for a while – they’ve been struggling for a long time, trying to compete with Radian6, Crimson Hexagon, et al. They seem to be engaged in a re-branding pivot, trying to go to the low-end blogger side of the spectrum, to sell us indie freaks the long-awaited way to monetize our audience(s).
They’re offering a 30-day free trial, and that alone differentiates them from the competition.
UStream was one of the big sponsors for the conference, and they (allegedly) worked to fatten the backhaul pipes so that the bloggers in attendance could all either upload live streaming video of themselves, or download everyone else’s livestreams. Which is kind of a strange thought-exercise: an entire conference room full of people all looking at themselves looking at each other on their ubiquitous tablets.
I’ve worked with clients over the past few years to use UStream to give their fanbase and users access to live events. Where it starts getting tricky is when you want to archive the events and make them available to the audience later, or even store them on your own site’s multimedia library.
Somehow, I expected more of a mad scientist’s lab, with chortling henchmen. Or hench-Americans, as I hear they prefer to be addressed….
It is always dangerous to give a group of bloggers (should that be “a flamewar of bloggers”?) a stage and a microphone, and dare them to get pretentious about predicting The Next Big Thing.
UPDATE: the always irascible bloggers have deemed the event a FAIL because of the lack of interactivity. Also: keyboard pants?
Once again, I’m using the social media-aggregation tool Storify to work up a story using the Twitter feeds of reporters & protesters on the scene. This time, it’s in Tahrir Square, where the confrontations between the police and the citizens (fed up with the emerging military dictatorship) are taking a darker turn.
http://storify.com/DaveLaFontaine/tahrir-square-nerve-gas-rumors-cause-panic
It turns out that they were perhaps using some kind of new tear gas – one that is invisible, but that still stings like a sonofabitch. If you’ve clicked the link above, you were taken to a page of clinical data from autopsies of British soldiers killed by gas in WWI. Grim, grim reading. Basically, the gas causes chemical burns all over your body, and you die from choking on the ragged, torn-up lung tissue that you cough up as you drown in your own blood.
Yeah. Fun times. There’s a reason we as a species have reacted with horror at anyone using these kinds of chemical weapons ever since.
Anyway, the rumor mills flew into hyperspeed on Twitter & social media, and you could see the rise and fall of the meme (fostered by a Twitter account purportedly belonging to Mohamed El Baradei) of chemical weapons use.
Here’s a short audio file I recorded at the close of the Civic Media conference this week at MIT. I’d like to add my own thanks to the sentiments expressed herein; this was a fabulous antidote to the general malaise afflicting so many of our traditional media brethren…
http://audioboo.fm/boos/395702-final-thoughts-and-thanks-at-civic-media-conference-at-mit-media-lab
This is only an educated guess, but something has changed in the past month in those voluminous End User Licensing Agreements (aka EULAs aka “That dense small-font document that nobody bothers to read”), and it seems to be coming from Homeland Security.
It looked so friendly and inviting on my taskbar...
OK, I’ve got a few spare minutes and have been eating a high-fiber diet recently. Maybe it’s safe to scroll through and see if there’s anything particularly noxious about the rules governing how this App Store for my desktop Mac…
Good Christ, what’s this?
So the apps you’re serving up for me to use on my main computer, the one where I have the really important data stored, may just come with viruses, spyware and trojans. And in the next breath, I have to basically hold Apple harmless if they happen to sell me something that destroys my business? Hey, can car manufacturers and prescription drug companies get in on this kinda scam?
Can you imagine that? “Oh yeah, here’s your new heart medication. It may actually contain arsenic, other heavy metals or rat poison. We don’t know. We just shovel this stuff out the door. It’s on you. And if you happen to drop dead because of it, we ain’t responsible and you can’t sue us.” That’d go over well with all the people screeching about Death Panels, wouldn’t it?
But where does HomeSec come in? Read this and see if you don’t feel ghostly fingers clenching around your throat:
You agree that Apple has the right, without liability to you, to
disclose any Registration Data and/or Account information to law
enforcement authorities, government officials, and/or a third party, as
Apple believes is reasonably necessary or appropriate to enforce and/or
verify compliance with any part of this Agreement (including but not
limited to Apple’s right to cooperate with any legal process relating to
your use of the Service and/or Products, and/or a third-party claim
that your use of the Service and/or Products is unlawful and/or
infringes such third party’s rights).
OK, maybe that’s just Hollywood, the MPAA and the RIAA again … what’s this?
You also agree that you will not use these products for any purposes
prohibited by United States law, including, without limitation, the
development, design, manufacture, or production of nuclear, missile, or
chemical or biological weapons.
I’m not even going to get into all the creepy spyware language in Apple’s EULA, that basically says that they are going to record everything you do while online, match it up with your GPS data and whatever kinds of interactions you make on Facebook, blogs, Twitter, e-mail, chat, etc., and then bundle all that information together and sell it to the highest bidder. Plow through it yourselves, lazybones.
Next up was having to install/upgrade Adobe Reader so I can look at pdfs of reconciled accounts from Quickbooks (part of the joys of running your own shop – gahhhh!). By this time, I’m kind of in a state. I mean, like everyone else who’s gone from the CompuServe/Prodigy days of online to today’s web, I expect a certain level of monitoring of what I do online, and know that this is the price I have to pay for free (well, other than the damn escalating high-speed Time-Warner cable bill) access to all kinds of amazing content created & curated by geniuses all over the world. Maybe I’ll look at Adobe’s EULA. I don’t really expect much other than the usual boilerplate legalese.
Well, how bad can it be, really? I mean – pdfs, right? It’s just a basic document structure for people to …
The Software may cause your Computer, without additional notice, automatically to connect to the Internet and to communicate with an Adobe website or Adobe domain for purposes that may include providing you with additional information, features, and functionality. Unless otherwise specified in Sections 14.2 through 14.6, the following provisions apply to all automatic Internet connections by the Software:
14.1.1 When the Software automatically connects to the Internet, an Internet protocol address (“IP Address”) that is associated with your current Internet connection is sent to an Adobe website;
Adobe may deliver in-product marketing to provide information about the Software and other Adobe products and Services, including but not limited to Adobe Online Services, based on certain Software and Adobe Online Services specific features including but not limited to, the version of the Software, including without limitation, platform version, version of the Software, and language. For further information about in-product marketing, please see the “help” menu in the Software;
Your software is going to wake up in the middle of the night, dial the mothership, rat me out and then start serving ads into the middle of whatever I’m doing?
OK, is there anything about…?
…any end user who you know or have reason to know will utilize them in the design, development or production of nuclear, chemical or biological weapons, or rocket systems, space launch vehicles, and sounding rockets, or unmanned air vehicle systems (each, a “Prohibited Use”), or (c) any end user who has been prohibited from participating in the U.S. export transactions by any federal agency of the U.S. government (each, a “Sanctioned Party”).
Guys. If I could use Flash Catalyst to make a space launch vehicle, I’d be kicking it James T. Kirk-style on my own moonbase right now, doncha think?
Great. Anything else?
This just keeps getting better and better. So once again, you’re going to monitor what I do, turn it over to whomever you want, and somehow feel it necessary to put in a big scary paragraph about espionage and misuse of data?
Who owns your data? And I don't mean this guy...
I don’t remember all this garbage showing up in the earlier EULAs software/hardware companies crammed down our throats. Maybe I just wasn’t as observant. But it appears that someone has been having some very intense, shall we say, meetings with internet/software companies in the past month or so, with an aim towards making sure that if We The Users step out of line, there exists all manner of heavy-duty legal agreements by which to come down on our heads. All that alarmist verbiage about nukes & nerve gas can only come from a gummint agency that’s paid to be paranoid & fearful.
And what’s been on their minds lately? Oh yeah – Mr. Assange and his cohorts peeking under their skirts. How best to head this off next time around, before any of the 500,000 or so minions with Top Secret access get frisky? Hmmm … how ’bout we make sure that the revisions to the basic document viewing and sharing software that pretty much everybody uses has “features” in it that check to see if you’re working with anything that’s been flagged as Top Secret, and then finks on you to The Man.
A 12-step program to get your blog so’s it can go out in public again
…when last we left the hacked blog, it had managed to delete the phony users and admins, and the permalinkspam was gone.
Jump ahead to last week, when I noticed that my Google AdSense boxes were always full of creepy advertising for boner pills. I have been playing with all kinds of plug-ins lately, trying to find something that will work well to “mobilize” this site. I wondered if any of them had done something to my header, so I clicked on “View page source” to see …
Great. Just great.
Time to move to the next step in the program:
8. Made a list of all the plug-ins and started deleting them one by one
One of the really good rules for trying to fix something going heinously wrong on your computer is to start backtracking. Figure out what the last thing you did was, and try to undo it.
In this case, it was the plug-ins. I figured maybe someone had either gotten hacked, or their plug-in was the way for a ‘sploit (hacker-speak for an “exploit” — a vulnerability in the software that they can worm their way through) to get into my scrupulously up-to-date blog. So I cacked all the plug-ins, and the next morning, opened up the Dashboard to find that the evil code was back in the header file.
9. No amends – only more evil code in the header
This happened two more times. It was time to start going through the PHP code line-by-line to try to figure out what the hell was going on. I used the editing tools that are integrated into the Dashboard on WordPress — to little avail.
I was starting to really wonder if the infection had reached the core PHP server, which would be epically bad news. I fired up my FTP program and started going through the library files. And there, I worked the next step:
10. I inventoried the files in the php-admin folder and admitted I had missed some pieces of the infection
I had to go through all the images for my blog postings, month by month, to find these little files. Even so, I damn near missed them – except that their edit dates were out of step with the dates that I uploaded the images.
Deliberately misspelled -- but fiendishly close enough to actual words so that you might just miss them.
Check it out – they spelled “footer” as “fotter.php” so that it kinda blends in, but won’t break the blog. Like any good parasite, it knows that if it kills the host, then the blog won’t be up and functioning, and the little baby tapeworms won’t get to feast on the ill-gotten pharmaspam revenues that come from the links stuffed into my blog.
I also found a .gz file deep in a totally separate subdirectory under my wp-admin folder. I won’t show you the screengrab of that one, since it has some other identifying information in it. But again, as you look through all your folders and subdirectories, just keep an eye out for something that looks like it doesn’t belong. Think of the method that astronomers use to find comets: they alternately flash big pictures of the sky, and look for the little dots that are strobing. Those are the points of light that are in slightly different positions from one frame to the next.
Look for files that are wildly different in size from what they should be. If you do open them up, do it in a Text reader – not a Word document. Word probably won’t execute the Java code if it’s just pasted into a page as pure text, but man, with this stuff, it pays to be careful.
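One way to automate the inventory described above, as an added example that is not part of the original post: it walks an uploads tree and flags files whose type does not belong among images, whose name is a near-miss of a standard theme file (the “fotter.php” trick), or whose modification date is out of step with the rest of the folder. The name list, the 30-day threshold and the sample tree are assumptions constructed for illustration.

```python
import difflib
import os
import statistics
import tempfile
from pathlib import Path

# Assumptions for this sketch: names a WordPress theme normally contains, and
# file types that have no business in a media/uploads tree.
KNOWN_NAMES = ["footer.php", "header.php", "index.php", "functions.php"]
NOT_MEDIA = {".php", ".phtml", ".gz", ".zip", ".tar"}
MAX_DRIFT_DAYS = 30  # allowed gap between a file and its folder's median date

def scan(root, media_only=True):
    """Return sorted (relative_path, reason) pairs worth a manual look."""
    root, findings = Path(root), []
    for folder, _dirs, files in os.walk(root):
        paths = [Path(folder) / f for f in files]
        if not paths:
            continue
        median = statistics.median(p.stat().st_mtime for p in paths)
        for p in paths:
            rel, name = p.relative_to(root).as_posix(), p.name.lower()
            if media_only and p.suffix.lower() in NOT_MEDIA:
                findings.append((rel, "non-media file type"))
            near = difflib.get_close_matches(name, KNOWN_NAMES, n=1, cutoff=0.8)
            if near and near[0] != name:
                findings.append((rel, f"name imitates {near[0]}"))
            drift = abs(p.stat().st_mtime - median) / 86400
            if drift > MAX_DRIFT_DAYS:
                findings.append((rel, "date out of step with folder"))
    return sorted(findings)

def build_sample_tree(base):
    """Constructed sample: one month of image uploads plus one planted file."""
    month = Path(base) / "uploads" / "2010" / "03"
    month.mkdir(parents=True)
    march, later = 1268000000, 1283000000  # Mar 2010 and Aug 2010 (epoch secs)
    for name, when in [("a.jpg", march), ("b.jpg", march + 3600),
                       ("c.png", march + 7200), ("fotter.php", later)]:
        (month / name).write_bytes(b"x")
        os.utime(month / name, (when, when))
    return Path(base) / "uploads"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, reason in scan(build_sample_tree(tmp)):
            print(f"{path}: {reason}")
```

Modification times can be reset by whoever planted the file, so a folder that passes the date check is not proven clean; comparing against a known-good copy of the WordPress release is the stronger test. Pass `media_only=False` to run only the name and date checks on folders such as wp-admin, where PHP files are expected.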
11. Prayed and meditated that I had at long last, cleansed the scourge from my blog
At this point, I’ve spent more than three days in all, fine-tooth-combing my blog and all the associated PHP, HTML and image files, folders, subcategories and god knows what all. I’m beat. Either I’ve gotten it or I haven’t, and it’s time to call in someone who is better at this than me.
And then on Sunday – I opened up the blog in my browser and hit “Page Source” … CLEAN!
And now for the last step (and I have tried to keep these steps at least vaguely in line with the instructions for AA and other 12-step programs):
12. Having had a blogging awakening, I try to carry this message to other bloggers, and practice the following principles with all my WordPress installs
I hope you’ve managed to get some learnings out of this strange screed. I know the presentation has been a bit quirky, and to be honest, about halfway through I realized I was pretty much beating the metaphorical dead horse into goo. But the point of all this is that I could have avoided all this pain, not had about 6 months of blog postings tainted and probably really awful Google page-rankings, if I had just kept the site properly updated.
When WordPress or other software does a critical release – for God’s sake, download and update it. The thing is, when they do a major release and bugfix, they have to publish exactly what bugs they are fixing. Which is like a paint-by-numbers for the hackers out there. They know exactly where and what the hole in the software was, and can start churning out botcode to take advantage of updating sluggards (like me).
Well, I have seen the light. No more slacking off on updating – and no more willy-nilly experimentation with fancy plugins on a site that I use for my business.
A 12-step program to send your out-of-control blog to rehab
If your blog has been hacked, your first indication is when it starts acting like it’s in the late stages of particularly noxious drug addiction. Your once mild-mannered blog is now a nasty Hollywood tart, reeling around, blowing toxic breath in random strangers’ faces, […]
At this point, you can either choose to slaughter and revive your blog (i.e. delete everything and do a clean re-install), or roll up your sleeves and start hunting down the rogue bits of code that are turning your blog into Britney/Lindsay/Paris. No matter what, you should back up your WordPress blog by using the WP-DB-Backup plugin.
However, there is no guarantee, even if you go for the nuclear option, that the virus snippets won’t have wormed their way somewhere into your database, and will just pop up again (which is what they did to me – repeatedly) when you restore from the backup. This is why I reluctantly armed myself with some PHP manuals and started digging around in the guts of my blog.
If your blog has been infected for a while, it may have already affected your Google page rankings; in some of the links above, you’ll see that they started getting de-listed by Google because they looked to the bots like pr0n0 spammers. It can take quite a while to recover from that; the whole thing reminded me so much of the by-now ubiquitous Hollywood paradigm of getting clean & sober that I broke it down into a 12-step program.
Step 1: Realize that we have a problem; then admit that we are powerless over what our blog is doing, and that it has become unmanageable
The first notice I got that some of the WordPress blogs that I use (and administer for others) had been hacked was when this strange code started showing up in the permalinks.
Kinda strange, right? Looks at first glance like some little bug with the extended permalinks function...
Usually, when you choose long permalinks, that’s to give Google’s bots the chance to find & index your content correctly. But no prob, I thought: just go on in to Edit Post mode, and delete the code and re-save it.
Curious. I saved it with the real permalink and it turned up with some strange gobbledygook at the end anyway. Wonder if that’s having any kind of effect on the blog. Better check it in Google Reader.
Step 2: Come to believe that we are going to have to take serious action to restore the blog to sanity
Holy Sh-Nikes! Where did this come from?
Man, you never want to see this associated with your blog. This is screaming sirens, flashing lights, all spelling out "VIRUS ALERT!"
If you don’t get a jolt of adrenaline at seeing something like this where your blog contents are supposed to be, you don’t understand the gravity of the situation. This kind of pharmaspam is absolutely deadly; it usually comes from Eastern European hackers, and it means that the infection is serious.
One of the first things that I found was a long thread about how hackers register themselves as users.
Sure enough, look at the number of users. Also look at the number of admins.
Step 4: Made a searching and fearless inventory of the renegade users
I went through page after page, hoping that I would be able to figure out which were the responsible, decent users, and which ones were the identities of the various spambots that were using my blog like a passed-out sorority girl in Satan’s frat house.
A lot of them were easy to spot – they had the various names for the erectile dysfunction drugs as their “@blahblah” addresses.
5. Admitted to ourselves that we had been remiss in updating the blog
OK. I admit it. I was afraid to update the blogs because we’d installed some customized plugins, and I didn’t want to have to futz with them if they broke. Saved some real time, eh? Now I was spending hours going through my blog(s) trying to figure out what had happened.
As you can see, I started this whole process back when WordPress was still at revision 2.8.4. Oh, the shame!
6. Became entirely ready to get rid of these freeloaders
Cry havoc! And set loose the delete function!
7. Ruthlessly removed the false admins
These were where the hackers put their admin identities. All the way down at Z, where I had to trudge through hours of checking and deleting the other users to get to them. While I was in here, the hackers were trying to get back in to add more users. It was a race to see who was faster...
I couldn’t believe that the hackers were trying to add more users to the pile, to slow me down. I managed to delete enough of them to get down to the Z’s, where their admin identities were hidden. And then I deleted those. Success!
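The hunt for hidden admin accounts in steps 4 through 7 can be done as one query instead of paging through the user list alphabetically. This is an added example, not part of the original post: it assumes the default `wp_` table prefix, uses constructed sample rows in an in-memory SQLite database so it runs offline, and the allow-list of expected admins is hypothetical. The same SELECT works against the blog's MySQL database.

```python
import sqlite3

# Constructed rows in the shape of WordPress's wp_users / wp_usermeta tables.
# Roles are stored in usermeta as a serialized PHP array under wp_capabilities.
SAMPLE_USERS = [
    (1, "siteowner", "owner@example.org", "2008-01-05 10:00:00"),
    (2, "reader1", "reader1@example.net", "2009-06-01 09:30:00"),
    (3, "zzadmin", "x@pills.example", "2010-02-11 03:14:07"),
    (4, "zzroot", "y@pills.example", "2010-02-11 03:14:09"),
]
SAMPLE_META = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]
ADMIN_QUERY = """
SELECT u.user_login, u.user_email, u.user_registered
FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered
"""

def load_sample():
    """Build the in-memory stand-in for the blog database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, "
               "user_email TEXT, user_registered TEXT)")
    db.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, "
               "meta_value TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", SAMPLE_USERS)
    db.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)", SAMPLE_META)
    return db

def unexpected_admins(db, expected):
    """Admin accounts that are not on the list of admins you created yourself."""
    rows = db.execute(ADMIN_QUERY).fetchall()
    return [row for row in rows if row[0] not in expected]

if __name__ == "__main__":
    for login, email, registered in unexpected_admins(load_sample(), {"siteowner"}):
        print(login, email, registered)
```

Sorting by registration time also shows accounts created seconds apart, which is what scripted sign-ups look like in the table.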