Here's an interesting scenario that's really not that far-fetched... (The most astute readers will know why I say this.)

Imagine this...

BigEvilCompany has adopted weblogs internally--behind the firewall. They've installed MovableType on a few servers and encourage their employees to use it as a notebook, communications platform, etc. Bob, in the Business Development group, has been using his internal blog to track various things: competitors, possible acquisitions, recent discoveries, etc.

One day Bob has a great idea in the restroom and rushes back to his desk (after flushing and washing his hands, of course) to jot some notes on his weblog before he can pitch the idea to the board of directors. However, what Bob doesn't realize (or even understand, really) is that MovableType has TrackBack auto-discovery enabled. As part of that blog entry, he links to a post on Scott's Feedster blog (like I did just now). MovableType happily sends Scott's blog a TrackBack ping with the title and a brief excerpt of the entry (like mine did just now).

The title is: Feedster Acquisition and the excerpt starts out:

To better position ourselves against Google in the upcoming battle for RSS/weblog/news search, we should buy Feedster as soon...

Uh oh...

What just happened?

The basic thrust of Bob's blog entry has been relayed to Scott and all of Scott's readers. It's public. Panic would follow, but Bob doesn't realize what's happened until Scott e-mails him to half-jokingly ask what they're willing to pay.

The moral of this little story...

If you're using MovableType (or another TrackBack-capable blog tool) internally, be smart about how it's configured. You really don't want it broadcasting your secrets to the world, do you?
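An added example, not part of the original post and not MovableType code: a pre-publish check that lists the linked hosts outside the network and builds the form fields (title, excerpt, url, blog_name) a TrackBack ping would hand them. The internal suffix, excerpt length, sample hosts and function names are assumptions; every external link is treated as a possible ping target, since real auto-discovery only pings pages that advertise a TrackBack URL.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urlparse

# Assumptions for this sketch (not from the post): internal DNS suffix, excerpt length.
INTERNAL_SUFFIXES = (".corp.example",)
EXCERPT_CHARS = 100

class EntryParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

    def handle_data(self, data):
        self.text.append(data)

def is_internal(url):
    host = (urlparse(url).hostname or "").lower()
    # Bare hostnames ("intranet") and the internal suffix count as inside.
    return "." not in host or host.endswith(INTERNAL_SUFFIXES)

def ping_preview(title, body_html, permalink, blog_name):
    """Return (external link targets, form body a ping to them would carry)."""
    parser = EntryParser()
    parser.feed(body_html)
    text = " ".join("".join(parser.text).split())
    excerpt = text[:EXCERPT_CHARS] + ("..." if len(text) > EXCERPT_CHARS else "")
    payload = urlencode({"title": title, "excerpt": excerpt,
                         "url": permalink, "blog_name": blog_name})
    external = [u for u in parser.links
                if urlparse(u).scheme in ("http", "https") and not is_internal(u)]
    return external, payload

def safe_to_autoping(permalink, external):
    """An entry on an internal blog must not ping anything outside."""
    return not (is_internal(permalink) and external)

# Constructed sample mirroring the story; hosts are placeholders.
BODY = ('<p>To better position ourselves against Google, we should buy '
        '<a href="http://blog.example.net/scott/post">Feedster</a> as soon as '
        'possible. Notes on the <a href="http://wiki.corp.example/bizdev">wiki</a>.</p>')
PERMALINK = "http://blogs.corp.example/bob/2003/12/feedster.html"
targets, body = ping_preview("Feedster Acquisition", BODY, PERMALINK, "Bob's Notebook")
print(targets, body, safe_to_autoping(PERMALINK, targets), sep="\n")
```

Note that the payload carries the internal permalink as well as the title and excerpt, so the hostname and URL path leak even when the excerpt is harmless.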

Update: Dave Winer calls this a rant, but I really intended it as a warning. Does it sound like I'm ranting? Hmm. Oops.

Posted by jzawodn at December 09, 2003 07:36 AM

Reader Comments
# Wes Felter said:

This is something all the blog tools should pay attention to. It took a little work to convince Radio that I absolutely positively do not want to send any information to any server.

on December 9, 2003 08:28 AM
# Pat said:

Now why do I feel like there is a "real life" story behind this? ;-)

on December 9, 2003 08:29 AM
# rr said:

I have the same concerns about referrers, though they don't convey nearly as much info.

on December 9, 2003 08:55 AM
# kalyan said:

I agree with RR. Sometimes just looking at the apache logs can give out *loads* of info ;)

on December 9, 2003 09:04 AM
# Manish Jethani said:

Yeah, Jeremy, now can you tell us how *you* screwed up? ;-)

on December 9, 2003 09:46 AM
# Anil said:

I think maybe the larger point is about knowing how your software communicates in general, and it's an important point. (Maybe business versions of MT should have "quiet" defaults?)

But somehow this seems the same to me as people that want to send an email to Bob in accounting and end up sending the email to Bob at the competitor's office because they're both next to each other in the address book. And certainly, years before TrackBack existed, I had referrers that said something like http://companyname/2001/01/25/we_hate_anil.html and it didn't take me long to figure out who was linking to me and what they were saying.

on December 9, 2003 10:51 AM
# Ben said:

Movable Type actually does ship completely "quiet" by default, in that all of the outward-reaching features--TrackBack auto-discovery, and pings, etc--are turned off by default.

But the point this brings up is that we think TrackBack auto-discovery needs some work, as well, and we're planning on adding a (probably optional) intermediate step between saving the post and the pings being sent--a page with a list of all of the posts that will be pinged, and the ability to turn off the pings you don't want to send. This will be as transparent as possible, of course. The idea is to make it a lot more obvious, both for experienced and not-so-experienced users, what effect their action of posting will have.

on December 9, 2003 10:39 PM
# xian said:

I used to see a lot of referrers from inaccessible intranet addresses. I assume these are the ones that now read "Not your business!" or some such.

on December 9, 2003 11:43 PM
# Alden Bates said:

It's the new definition of rant (any blog post longer than three paragraphs)...

on December 10, 2003 12:02 AM
# LC said:

no rant. just a warning...but from experience?

on December 14, 2003 06:17 AM