Jun 27 2008

Building the Buzz at Brownstoner

Over the past few years, we've often heard the term "disruptive" used to describe the impact of blogging. More so than any other medium in the last century, blogging has enabled people to quickly and easily distribute information to a wide audience, often with dramatic results.

Nowhere is the term "disruptive" more apt than when describing Brownstoner, a blog that chronicles the real estate market in Brooklyn. When Jonathan Butler launched Brownstoner in the fall of 2004, he turned a keen eye to his new neighborhood and the changes and trends that were occurring on his doorstep.

As it turned out, his timing was impeccable: Brooklyn was poised on the edge of a sea change, as new buyers rushed in to grab bargains, and massive renovation and upheaval ensued. Jonathan's chronicles from "New Brooklyn" struck a nerve with longstanding residents, prospective buyers and speculators alike.

Jonathan chose Movable Type based on recommendations from established bloggers. "MT was the unanimous choice," he recalls. He engaged the design firm Apperceptive, now part of Six Apart, to create several customizations that would help the site stand out. One of the most useful additions was the integration of the Google Maps plugin, which allowed Jonathan to create a map-based archive of thousands of location-specific posts.

Despite its sophistication, the site feels like a neighborhood get-together. A recent profile piece on the site in New York Magazine notes: "Brownstoner covers the whole borough...but it covers the whole borough as though it were one big block, where everyone has gathered to gossip on their stoops."

Today, Brownstoner is far more than simply a "real estate blog" - it is also home to an opinionated and vocal community made up of thousands of people with vastly differing opinions. The site receives several hundred comments per day, and the dialogue is a lively one.

The comment sections at the end of each post are an important aspect of the conversation, but Jonathan has done one better by creating a Forums area, where people can post topics and receive feedback from the community. From sharing the names of trusted contractors to selling items from marble sinks to wooden doors, the forums reinforce a sense of cooperation and shared interest amongst neighbors. As to his role in fostering such a dynamic community, Jonathan says: "I try to be as transparent and straightforward as possible. Readers can smell B.S. a mile away." Jonathan views his role more as editor than expert, and calls himself "a starter of conversations."

His authentic approach appears to have struck a chord; today, Brownstoner receives about 1.3 million views per month. Just last month, the Historic Districts Council awarded the site their Friend of the Media award for 2007.

As the New York Magazine article noted: "Butler's become not only a fairly well-known blogger... but also a kind of virtual developer, someone who doesn't literally rebuild neighborhoods but who has the power to shape the way those neighborhoods are perceived."

Here at Six Apart, we aren't surprised whatsoever that a blog can accomplish so much - but we certainly are proud.

Jun 19 2008

Today we are releasing Movable Type 4.01b and Movable Type 4.12. These are free, mandatory security updates for all Movable Type 4.x users. They resolve a vulnerability that has not been exploited, but was reported to us by a third party on June 16 (corrected from June 15). We have addressed the issue with these updates, and are providing new, fully-tested versions for all affected versions of Movable Type in all supported configurations. A detailed description of the vulnerability can be found below; in short, a cross-site scripting (XSS) vulnerability has been found in Movable Type's built-in search feature, which a malicious party could use to run JavaScript in a visitor's browser without their knowledge or consent.

We have no record of a user having been affected by this vulnerability, and there are no known public exploits. The release candidates of Movable Type 4.2, currently in testing, Movable Type 3.36 and Movable Type Enterprise 1.5 are all unaffected by this issue. Here's the Update Advisor, which summarizes the issues found and provides a guide for updating your installation of Movable Type.

Movable Type Update Advisor: Version 4.01b and 4.12:

  • Release Type: Security Release. The potential vulnerability has not yet been exploited in the wild.
  • Mandatory? This is a mandatory update for all users of Movable Type 4.0 and later.
  • Performance Implications: None.
  • Plugins Affected: None.
  • Templates Affected: No changes in your templates are required.
  • System Requirements: This release has no new or additional system requirements.
  • Licensing considerations: None. MT 4.01b and MT 4.12 are free updates for users of any version of MT 4.
  • Upgrade Fatigue: No planned updates are scheduled until the release of MT4.2, which is currently in the final stages of release. There will be no further releases before MT 4.2 unless significant security issues are found which require additional 4.x releases. It has been 152 days since the last recommended update to MT4.

Downloads are available through the channel where you received Movable Type: Paying users can find the update by logging in to your Movable Type account, and users of Movable Type Open Source or the free personal license can get the update from the download page.

In addition to the updates to Movable Type 4.01b and 4.12 for MT4 users, we have issued updates to the Movable Type Community Solution and Enterprise Solution. If you are on one of these platforms, you should have already been contacted by your account representative about these updates.

A Commitment to Security

We take Movable Type's security very seriously, especially as we know many of you choose Movable Type for its security track record. In addition to issuing fixes for the affected versions of Movable Type, we have also amended our internal development and testing processes to better detect these types of vulnerabilities in the future. As InformationWeek just noted, Movable Type has "a fraction of the security incidents of its peers". We take this update, and all security concerns, extremely seriously: out of commitment to you as a Movable Type user, out of our desire to uphold that reputation, and out of responsibility to the entire web to ensure technology platforms are as secure as possible.

Detailed Description

When conducting a tag search in Movable Type, the application does not properly escape the optional IncludeBlogs query string parameter before reflecting it into the search results page. An attacker can therefore craft a tag-search link that carries JavaScript in that parameter; a user who clicks the link runs that script in the context of the site, unbeknownst to them. Such script could be used to transmit sensitive information about the user's active session, such as a session cookie, to a third party.
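The following Perl script is an added illustration of the bug class described above and of the two fixes that close it; it is not Movable Type's code and not the content of the patched Search.pm. The URL layout (a tag search carrying an IncludeBlogs value), the hidden-field rendering and the helper names are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example (not Movable Type's code): a reflected query parameter such as
# IncludeBlogs that is copied into the page unescaped is a cross-site scripting
# bug. The search URL shape and the hidden-field rendering are assumed.
use strict;
use warnings;

# Escape the five characters that matter in HTML text and attribute values.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Decode an application/x-www-form-urlencoded query string into a hash.
# A real application would use CGI.pm or the framework's param() accessor;
# it is inlined here so the script runs stand-alone.
sub parse_query {
    my ($qs) = @_;
    my %param;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        $v = '' unless defined $v;
        for ($k, $v) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $param{$k} = $v;
    }
    return \%param;
}

# IncludeBlogs is a comma-separated list of numeric blog IDs. Anything else is
# rejected up front, so hostile input never reaches a template at all.
sub valid_include_blogs {
    my ($v) = @_;
    return defined $v && $v =~ /\A\d+(?:,\d+)*\z/;
}

# VULNERABLE: the raw IncludeBlogs value is interpolated into the results page
# (here, a hidden field that carries it along to the next search).
sub render_vulnerable {
    my ($p) = @_;
    my $tag = html_escape($p->{tag} // '');
    my $inc = $p->{IncludeBlogs} // '';          # no validation, no escaping
    return qq{<input type="hidden" name="IncludeBlogs" value="$inc">\n}
         . qq{<p>Entries tagged "$tag"</p>\n};
}

# FIXED: validate on input and escape on output. Either alone closes this hole;
# doing both is the habit that survives the next refactor.
sub render_fixed {
    my ($p) = @_;
    my $tag = html_escape($p->{tag} // '');
    my $inc = valid_include_blogs($p->{IncludeBlogs}) ? $p->{IncludeBlogs} : '';
    $inc = html_escape($inc);
    return qq{<input type="hidden" name="IncludeBlogs" value="$inc">\n}
         . qq{<p>Entries tagged "$tag"</p>\n};
}

# Constructed payload: closes the attribute and the tag, then injects a script.
my $qs = 'tag=brooklyn&IncludeBlogs=1%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E';
my $p  = parse_query($qs);

print "--- vulnerable ---\n", render_vulnerable($p);
print "--- fixed ---\n",      render_fixed($p);
```

Run it with `perl xss_demo.pl`: the vulnerable rendering emits a closed hidden field followed by a live `<script>` element, while the fixed rendering drops the non-numeric value entirely and would have escaped it even if validation were skipped. The same two controls (reject anything that is not a list of blog IDs, and HTML-escape every reflected value) are what a reviewer should look for in any search or filter parameter that ends up in a page.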

Versions Affected

Only the following versions of Movable Type are affected by this issue.

  • Movable Type 4.0, 4.01, 4.01a (Personal and Commercial)
  • Movable Type 4.1 (Open Source, Personal and Commercial)
  • Movable Type Community Solution 1.0, 1.0a
  • Movable Type Community Solution 1.5
  • Movable Type Enterprise Solution 1.0

All other versions of Movable Type, including the 4.2 release candidates, are not affected by this issue.

Applying the Fix

  • Users of Movable Type 4.0, 4.01 and 4.01a can install the updated Movable Type 4.01b, or they can replace the lib/MT/App/Search.pm file in their distribution with the updated version.
  • Users of Movable Type 4.1 and 4.1a can install the updated Movable Type 4.12, or they can replace the lib/MT/App/Search.pm file in their distribution with the updated version.

Learn more about Upgrading Movable Type 4 in the MT documentation.

As always, thank you for choosing Movable Type. We sincerely apologize for the inconvenience of having to upgrade your software, and we are committed to making such updates as infrequent as possible.

Jun 18 2008

20x200: When Art Meets Commerce, An Industry Shifts

Here at Six Apart, we've always had one foot in the world of design and the other in technology, so it seems logical to us that a robust content management system like Movable Type can be used to create something beautiful - something that looks, well, nothing like a blog.

For those in an industry that prides itself on aesthetics and has long withstood digital innovation, that can be hard to imagine. Of the few industries that have resisted taking part in new media, none is more glamorous than art. Long the province of white-walled galleries and mysterious pricing schemes, art has historically been accessible only to a privileged few.

In January 2007, when gallery owner and entrepreneur Jen Bekman had her middle-of-the-night revelation that the Internet was a perfect vehicle for making art available to everyone, she was instrumental in ushering the art market into the digital age. Jen named the venture 20x200, and devised the following formula: each week, she would offer two limited-edition prints - an edition of 200 for $20, an edition of 20 for $200, and an edition of 2 for $2,000. The entire business would be conducted online.

To build out the 20x200 site, Jen enlisted the help of photographer and web consultant Raul Gutierrez. Both Jen and Raul had extensive backgrounds in technology: Jen's career included leadership roles at Netscape and Disney, while Raul, himself an accomplished photographer, had built and produced a number of successful websites.

When they decided to use Movable Type to build out the site, they agreed on one thing: it couldn't look like a blog. The entire 20x200 site was built in Movable Type, using multiple custom plug-ins and integrating Google Checkout to make buying simple. Every Tuesday and Wednesday, Jen sends a newsletter to the 20x200 mailing list, in which she announces that day's edition and discusses its context and relevancy within the art world. The newsletter acts not only as a sales tool, but also as a rich source of information for new and seasoned collectors alike.

The newsletter contains links that lead to the page on the 20x200 site where the edition is displayed. Next to each edition sits a real-time inventory number, indicating how many pieces remain.

Movable Type demonstrates its abilities as a flexible, powerful CMS, allowing 20x200 to easily manage their growing catalogue of artwork. The site uses many custom fields to enable administrators to enter data for each edition quickly and simply; fields such as artist name, artist statement and website URL are consistent across each entry, so that visitors to the site can browse artists and find facts with ease.

Less than a year after 20x200 launched, the site has been an unqualified success: over 14,000 prints have been sold to date, to a customer list that includes artists, celebrities and respected collectors from around the world. The site has become an important complement to Jen's New York gallery, and a vital part of her ongoing mission to champion emerging artists.

When we talk about Movable Type, we often say: "you imagine it, we enable it" and 20x200 demonstrates that maxim - dare we say - artfully.

Jun 12 2008

If you follow blogging news, you've undoubtedly heard a lot of concern recently about blogs on other platforms being hacked or blocked from search engines. Good news: Movable Type has a proven track record of having excellent security and an established reputation for fixing any known issues quickly. And that history of security is by design. We think there are some key things our community needs to know:

  • We believe in making Movable Type secure out of our obligation to making the web better: Insecure web software can be a vector for spreading spam, viruses, and malware.
  • Movable Type has the best security track record of any popular installable blogging software, according to the U.S. Department of Homeland Security's own reports.
  • Movable Type security updates are prominently publicized on our Movable Type homepage, and through the application itself. Our team proactively contacts Enterprise and Community Solution customers if a security issue has been raised.
  • Movable Type's security record is getting better, while other platforms are getting worse and seeing increasing numbers of reported vulnerabilities.
  • When any issues have been found with Movable Type, they've typically been discovered through our own routine security audits, and fixed without ever having been exploited in the wild.

These facts show that Movable Type has a significantly different history from other platforms. More importantly, they show that we're attuned to the concerns of the publishers and bloggers who rely on Movable Type to build their businesses and make a living.

We're not saying our track record is perfect. But take a minute and review our last security update in January. We listed our history of issues ("It has been 116 days since the last recommended update to MT4 and 273 days since the last recommended update to MT3.") and we mentioned whether applying the security fix would affect templates, plugins or performance. (No, no and no.) There are dozens of reasons to upgrade to MT4, from unique reporting and management features to powerful community capabilities. But above all, you shouldn't have to worry that sharing your ideas with the world or wanting to publish for a passionate community means putting your site, and your reputation, at risk.

The Bottom Line

While we're proud of our work, and especially proud of our community's focus on security, you don't have to take our word for it: Look at the data provided by a neutral third party. In this case, it's the U.S. Department of Homeland Security's own National Vulnerability Database. We searched the vulnerability database since 2005 for Movable Type and for WordPress, and included the partial reports for this year. In the chart, a lower bar is better. The results speak for themselves:

[Chart: DHS National Vulnerability Database entries since 2005, Movable Type vs. WordPress]

We think it's inarguable that there's a dramatic difference in the security of these platforms. And, as we've demonstrated for nearly seven years, we're working every day to maintain Movable Type's excellent record of security.
