Movable Type 3.33, and associated FTP problems

Six Apart have just released a new version of Movable Type (3.33) which contains several patches for a bunch of potentially nasty security holes. Given the problems I had upgrading to 3.3 in the first place, I wasn’t exactly relishing the idea of another install, but security comes first.

And, just like last time: HTTP 500 server errors as soon as I tried to log back in afterwards.

It looks like my problem isn’t related to Movable Type at all, though, but instead to the FTP upload process. I had grabbed the .zip version of the Movable Type package, unzipped it locally, and then uploaded all the individual files to my web server. My FTP client is FileZilla, and the server is running NcFTPd. With FileZilla set to use multiple simultaneous connections (for a faster upload) it would occasionally transpose the contents of two files.

This is very ungood. Not only does this lead to the obvious failure situation where an app doesn’t work because its internals are screwed up (the HTTP 500 server errors I was seeing), but there’s also the possibility of a silent failure, where everything still appears to work, but all is still not well. For example, a file containing passwords could be swapped with a simple HTML file so that they become publicly readable (and Google-able).

Curiously, the transposing of files doesn’t seem to be entirely random. When I first noticed the phenomenon, I tried re-uploading the pair of files that had been switched, and they ended up switched again. It was only when I dropped back to using a single connection (menu: Queue -> Use multiple connections) that the upload worked properly.

A quick search on Google showed that although this is uncommon, it’s not an entirely unknown problem. A few people have mentioned this happening with FileZilla (here and here, for example), but this also seems to be an occasional problem with CuteFTP, too: see this forum post.

The fact that the problem shows up on multiple clients makes me wonder if it’s the server that’s at fault. Alternatively, both CuteFTP and FileZilla could be using a very similar, but subtly wrong piece of code to do multiple simultaneous uploads. Very curious. But at least knowing what has gone wrong will make me feel much more at ease when the next MT upgrade comes around.
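
A way to catch this kind of transposition after an upload, as an added example that is not part of the original post: hash every file in the local tree and in a copy of the uploaded tree, then report paths whose remote contents match a different local file. It assumes the uploaded files have been fetched back (over a single connection) into a second directory; the file names and contents below are constructed samples.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Map each relative path under root to the SHA-256 of its contents."""
    result = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                result[rel] = hashlib.sha256(fh.read()).hexdigest()
    return result

def compare(local, remote):
    """Return (swapped, mismatched, missing) for two manifests.
    swapped holds (path, source): the remote copy of `path` contains the
    local contents of `source`, which is the silent-failure case."""
    by_hash = {}
    for path, digest in local.items():
        by_hash.setdefault(digest, []).append(path)
    swapped, mismatched = [], []
    missing = sorted(p for p in local if p not in remote)
    for path in sorted(local):
        if path not in remote or remote[path] == local[path]:
            continue
        sources = [s for s in by_hash.get(remote[path], []) if s != path]
        if sources:
            swapped.append((path, sources[0]))
        else:
            mismatched.append(path)  # corrupted or truncated, not swapped
    return swapped, mismatched, missing

def demo():
    """Constructed sample: two files transposed, one truncated."""
    files = {"config.cgi": b"DBPassword example\n",
             "index.html": b"<html>hello</html>\n",
             "lib/app.pm": b"package App; 1;\n"}
    uploaded = {"config.cgi": files["index.html"],
                "index.html": files["config.cgi"],
                "lib/app.pm": b"package App;"}
    with tempfile.TemporaryDirectory() as tmp:
        for side, tree in (("local", files), ("remote", uploaded)):
            for rel, data in tree.items():
                dest = os.path.join(tmp, side, rel)
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with open(dest, "wb") as fh:
                    fh.write(data)
        return compare(manifest(os.path.join(tmp, "local")),
                       manifest(os.path.join(tmp, "remote")))
```

Any entry in the swapped list means a file is being served under another file's name, so it is worth checking even when the application appears to work.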

Beyond funny

After two dead disks last month, another one died on me this evening. This time it was the 400GB external drive I have attached to my Mac Mini. The data on it wasn’t critical, fortunately. I’d been loading it up with ripped DVDs from our collection, so the only thing I’ve really lost is time.

That, and my cool. Data loss FREAKS ME OUT at the best of times. Losing three disks in the space of a month has practically got me hyperventilating.

Windows security alert: WMF vulnerability

In case you haven’t come across this already, a new and highly nasty Windows security flaw has been uncovered in the last few days, and it is being actively exploited to infect Windows machines with rootkits and who knows what else. The flaw can be exploited by merely looking at a particular kind of image (a .wmf file) in any browser or your mail client. It can even be activated without being viewed, if it happens to get indexed by something like Google Desktop.

I’ve been tracking news about it over on the F-Secure blog. Fortunately, there is a temporary patch available. If you’re running any form of Windows from 2000 upwards, you need to follow these instructions and install the patch right now. The patch doesn’t cover earlier versions of Windows, but the flaw is present in them, too. In fact, it has been there since Windows 3.0.

I don’t normally go into a flap about security issues, but this one has particular resonances with the short story “BLIT” by David Langford, which describes a fractal image that is “incompatible with human neural input”, and can kill you just by looking at it.

Sometimes I look forward to the day when I can access the cybersphere via a hardwired neural connection…and sometimes I just plain worry.

Second best

If you’re feeling a bit technical, you might be interested in a new blog I’ve just started: Second Best. I’ll be using it as a place for writing about my professional interests, i.e. web standards, usability and accessibility, and software development.

If you don’t care, that’s okay, too.