is Moving

I’m switching my website software from Movable Type to WordPress, and moving to a new host.

The migration is expected to last from approximately 3 AM EST Monday until 4 PM EST Tuesday. The site will still be visible during that time, but comments will be disabled. (This is to prevent any new comments from disappearing in the move.)

This is not a site redesign, so you shouldn’t notice many differences. Even the commenting system is pretty much the same, though you’ll be able to use Markdown instead of HTML if you want to.

The conversion to WordPress was done by Automattic, who did an amazing job of getting all of the site’s customizations and complexities—this website is 17 years old—to work on a new platform. Automattic is also providing the new hosting on their Pressable service. I’m not sure I could have done it without them.

Hopefully everything will work smoothly.

Posted on September 5, 2020 at 8:01 PM89 Comments


Erik September 5, 2020 8:22 PM

Will the RSS feed move seamlessly? Or will the RSS URL be changing? Or will RSS no longer be supported?

Firitia September 5, 2020 11:14 PM

I am surprised. My understanding is that WordPress is one of worst web softwares when considering security. Am I wrong ?

(required) September 6, 2020 12:52 AM

WordPress with no plugins is reasonably secure, and, importantly, it gets frequent updates. It’s WordPress with plugins (especially third-party) that has a terrible reputation, because it’s easy to install bad plugins.

In part this is because the WordPress business model is to give away a bare-metal version and sell official plugins, which immediately causes people to go looking for unpriced alternatives to the official plugins – they judge only by the price criterion, which fixes their immediate problem. And, because some bloggers will “get a scare” and switch to paid plugins, WordPress effectively gets business from the bad plugin ecosystem, so they will never have a strong incentive to fix it. Nonetheless, if you just use the vanilla WordPress software, it’s not such a scary problem.

Clive Robinson September 6, 2020 4:37 AM

@ Bruce,

I share others concerns about the switch.

Whilst the base WordPress system does not overly effect client security that is not true of the plugins.

I for one do not want to have the troubles that the use of javascript and HTML5 gives rise to. Nor the myriad of security concerns they bring not just now, but will do considerably more so in the future[1].

Importantly not all of your blog readers have “First Class Connectivity” as it’s effectively unavailable to them in many parts of the world or too expensive. Thus they get penalized by “high bandwidth pages” which both javascript and HTML5 encorage and others abuse.

But I understand why you are moving and I’m keeping my fingers crossed it all goes well.

However one thought does occur, as you are having to pull all the links and comments etc into a standard form you could also build a stand alone archive that could be downloaded and put on a DVD etc for people to use as a standalone refrence for reasearch etc. Others have requested you consider this in the past and now might be an opportune time to do it.

After all each copy of this blog is one more step in securing it for all now and in the future. It also might be something some publishers might consider a benifit as an addition to any of your future books.

[1] What the heck the W3C thought it was doing with HTML5 I don’t actually know. What I do know is that something like 2/3rds of it’s improved “additional features” realy are major security concerns one way or another and apparently realy only benifit those who chose to collect data on us.

myliit September 6, 2020 5:47 AM



What could possibly go wrong? That’s my usual mode of thinking, given my limited knowledge, anyway.

Maybe If Biden and Harris win, they might want you to do some security/privacy/conversion consulting for the U.S. government, too.

C U Anon September 6, 2020 5:58 AM


“The migration is expected to last from approximately 3 AM EST Monday until 4 PM EST Tuesday.”

I guess ‘Labor Day’ will be a day of labor for some.

Who? September 6, 2020 7:54 AM

Hi, Bruce.

How does WordPress handle privacy? What will be logged? Do you really trust them, or they privacy policy?

Pau Amma September 6, 2020 8:30 AM

Seconding (or thirding, or whatever) the comments asking about the RSS URLs. Will they change?

Dave September 6, 2020 10:16 AM

Nobody changes blog platforms without sme careful consideration.
Hopefully, everything goes smoothly with minimal issues.

I’d never use php, t that says more about my lack of php skills than anything else. And rumors that wordpress uses plain FTP for updates.

I’ve met one of the founders of Automattic. They don’t seem rich, but I really don’t know. They live a frugal lifestyle. 1 vehicle family. 1 cell phone.

Php experts can create very secure code. It is everyone else who writes crap code in php.

Rick September 6, 2020 10:25 AM

Hi, Bruce:

+3 re RSS feed: I hope that your RSS feed will continue to be available. Are you anticipating any changes in this regard?

Bri September 6, 2020 10:49 AM

+me re RSS. Please share the RSS link before you switch over or this feed is just going to go dark with no forwarding address for a lot of us. That would be sad.

Glenn September 6, 2020 11:57 AM

So does this mean you’ll be dropping the Google +1 button, which is a service that was turned off 1.5 years ago?

I sometimes wonder if this site is now ghost-written and Bruce hasn’t actually looked at it in years…

John September 6, 2020 1:26 PM

Good lucky with the move Bruce!

I’m surprised to see a lot of push-back from the comments, regarding switching. WordPress is like Windows in some regard, it’s taken a lot of abuse over the years – but it’s become a more robust product when configured correctly. And there are plenty of themes out there (including yours) which won’t required Javascript!

John September 6, 2020 1:48 PM

@Clive Robinson

W3C is not the authority over the HTML5 standard and hasn’t been since May last year (or though in reality they have been largely irrelevant to the HTML5 standard since 2007). A lot of people still misquote W3C as the authoritative body for HTML5, but it is in fact the WHATWG (Web Hypertext Application Technology Working Group).

HTML5 is a “living standard”, W3C at the moment largely takes a snapshot of the living standard and bundles a collection of features into a version number currently.

m.g. September 6, 2020 1:51 PM

I wish you the best!

I really don’t think you should have any problems. There are other well known popular computer security blogs that run on WordPress, and I myself am running a blog “successfully” on WordPress, occasionally on similar security topics as well as various other controversy, and it has stayed “up” performance-wise, upgrades are smooth, and it has not to date been “hacked” although I am a “Targeted Individual” and most of my visitors are enemies, spammers, and hackers; not my friends: I do not measure in terms of popularity.

MarkH September 6, 2020 2:49 PM

I wonder, might commenter “m.g.” have any connection to Matthew Green?

Given his outspokenness on blockchain — and outstanding crypto work in general — I shouldn’t be surprised to learn that Matt’s blog often has hostile visitors 😉

[Yes, Matt’s blog is on WordPress]

Marc Zorn September 6, 2020 3:44 PM

I recently spun up a blog using WordPress, and immediately regretted it. I was bombarded with email traffic congratulating me on my new blog and commending me for how good it looked. (It had only the equivalent of “hello world” at that point.)

There are so many scripts that report back to the WordPress mothership that I decided it was a major security risk.

I highly recommend reviewing all the WordPress scripts on the platform and disabling ALL non-vital communications from your site.

So much for a painless transition.


P.S. And for the record, I went back to MovableType.

m.g. September 6, 2020 5:40 PM


any connection to Matthew Green?

Absolutely not.

@Marc Zorn

… scripts that report back to the WordPress mothership …

P.S. And for the record, I went back to MovableType.

Some of these things depend on how much you want to host your own blog yourself, how much control over technical details you want or need for what you are doing, versus how much you want to “have it hosted” for you. WordPress is open source and some of your suggestions are reasonable security-wise, but Movable Type is closed source, proprietary, there’s no way of knowing what it reports to the mother ship.

Freezing_in_Brazil September 6, 2020 10:44 PM

I would only say that Banshee is a great blog framework, but then I am a nobody.

I wish you much success in the next phase of the blog!

Alien Jerky September 6, 2020 11:03 PM

Interesting how many people are giving security advice to the top guy who gives security advice.

Q September 6, 2020 11:33 PM

Perhaps it is all just a ruse.

The webserver might say is it using WordPress, but in reality it is using something else.

And all those wannabe hackers getting completely bamboozled when the usual WordPress hacks don’t work.

Ismar September 7, 2020 1:20 AM

Having been involved in developing a few websites myself I would say that the move was required due to the exiting web server reaching its upper limits on serving the content to ever growing number of users.
It is also probably help with the site maintenance.
If so this are all good problems to have .
As far as the security of the WordPress based site goes, it all depends on what type of content is served , while the privacy aspect should be commented on by Bruce as he is the privy to the actual hosting arrangements.
Looking forward to seeing the new site up and running

Kazriko September 8, 2020 6:05 PM

The feed did change, but it had a redirect on it. My rss reader didn’t follow the redirect correctly though. Here’s the new feed link:

Personally, I use Jekyll for my blog hosting, but it’s a purely static solution and doesn’t support commenting by default.

Clive Robinson September 8, 2020 8:01 PM

@ Bruce, Moderator,

Well the move has happened, but not everything is the same…

There used to be links at the bottom of the page to the previous page and to the following page.

Which was a very usefull feature, but now appears “Lost in Translation”.

Also you now “require” an email address to post, which as I don’t have one means you are going to get some made up garbage in the correct format…

Which I sincerly hope you are not going to send email to, because it might accidently be a “real domain” as used to happen with the “” domain…

Also you’ve got a URL immediately above the Preview and Submit buttons… This is realy going to cause mobile phone users to curse you when they loose what they’ve typed in because they “fat finger” onto the URL insteaf of the submit button… (don’t say you’ve not been warned, it realy is an accident waiting to happen 😉

Clive Robinson September 8, 2020 8:12 PM

@ Bruce, Moderator,

A couple of other changes,

The 100 latest comments page appears to have lost it’s “crop” long comments function.

I know in the past lots of people wanted that “keep it short” option as it made using the 100 latest comments page a lot lot faster if you did not have to scroll through detailed thus long postings.

And a personal pet peeve you’ve got “smiley to emoji translation” turned on… On mobile phones those emoji’s look like “roadkill possum” 🙁

SpaceLifeForm September 8, 2020 10:38 PM

@ Bruce

There is a minor UX problem with form submission.

‘Preview’ should not change to ‘Write’ when trying to preview.

JackM September 9, 2020 4:41 AM

Just a security remark. How come you didn’t block requests like /?author= that give everyone main author login easily.
On the various WP sites I host, I see a lot of robots [trying to] finding the logins this way and then trying to brute-force (Bruce-force here maybe? ;)) no matter how “complicated” the login is.

I clearly do suppose you have all that is required to block brute force attacks on your site. I’m just curious about the fact that a security expert doesn’t disable it. On my side sometimes I keep it as a honey-pot.

It’s kind of a “feature” in WP I NEVER understood. Especially for that kind of blog where there is only one author.

Giving the login is part of the way to give access – even if clearly, finding the password is the hardest part.


Jakub Narębski September 9, 2020 7:07 AM

The move worked almost flawlessly; my RSS reader just have had last 5 entries marked as unread.

MarkH September 9, 2020 11:35 AM

My admiration, to whoever accomplished this … remarkably seamless, which I know took quite a lot of effort!

I got confused by the changed Preview function when I commented from my phone … on the computer, the font changes, but not on the phone.

But in general, it’s easy enough to use, even for a software engineer!

Me September 9, 2020 11:50 AM

I was going to ask about the RSS reader, then realized it was Wednesday, and that I got here with my RSS reader.

Truly humans are the weakest link in security and other things…

jones September 9, 2020 12:11 PM



Also good to change admin user ID from the default, rename wp-login.php and its /login hotlink, strip any code from the html header identifying the blog as WordPress, and, if you’re running multiple sites off the same hosting package, lock the .htaccess file of your install’s home directory by revoking write access for the owner. The free iThemes Security plugin also auto-generates site backups and can automatically lock or blacklist ip addresses after a certain number of failed login attempts (like the Linux pam_faillock)

Czerno September 9, 2020 1:48 PM

@Clive : «… might accidently be a “real domain” as used to happen with the “” domain…»

The domain name «.invalid» and all imaginable subdomains thereof are reserved for that use case. fwiw.

Clive Robinson September 9, 2020 3:29 PM

@ Czerno,

The domain name «.invalid» and all imaginable subdomains thereof are reserved for that use case. fwiw.

Sadly some people are under the delusion that,

“you can not possibly be on the Internet without having an email address”

It’s a stupidity I know, but they then “assume” that you are witholding information they think they are entitled to from them if you use the “invalid” domain and thus block your use of it (giving a misleading 503 error or similar).

Just the way some people who believe they are “entitled” behave, and it gets worse the bigger the organisation is…

As our host has pointed out in the past that sort of PII data they think they are entitled to is legaly toxic in ways most can not imagine. So you would think they would be thankful that you are “saving them from themselves”, but no they just get all diva-ish and throw their toys out of the pram…

I must admit that there are times where I’m tempted to send them a Punycode version of a rude word in the email address by replacing U with Ü and O with Ö then encoding it in Punycode just to see if it will break their system 0:)

Clive Robinson September 9, 2020 11:23 PM

@ Bruce, Moderator,

A couple of other issues.

Firstly due to the way that the “preview” button now works you can not use it to check and correct “formating” of html tags as you can not get back to make corrections.

Secondly when I’ve used the UL and /UL tags (as in my post above to @Czerno) they have not worked the way they did previously in the actual blog page.

Clive Robinson September 9, 2020 11:39 PM

But as Test 1 above shows it does not show up indented in the blog page.

I’ve not yet looked back through the old blog pages to see if the UL tag formating has been lost or not.

@ Bruce, SpaceLifeForm,

With regards “preview” button functionality, I suggest you change “the word in the button” from “Write” to “Re-Edit” or just “Edit” as that more correctly describes what it’s function has changed to.

SpaceLifeForm September 10, 2020 2:55 AM

@ Bruce, Clive

I’ll vote for “Re-edit”.

“Write” does not imply clearly that you are going back to the state
that shows “Preview” again.

Erik September 10, 2020 7:43 AM

The RSS URL I had been using stopped working. I didn’t think to save it before I updated my RSS reader, but it was not the one behind the RSS button now. The one behind the RSS button now seems to work.

Wesley Parish September 10, 2020 11:47 PM

Testing, testing, testing.

Freeze! This is Viami Mice!

Trust Me, I know what I’m doing
Willie, throw another cat on the barbie!

MarkH September 11, 2020 7:25 AM

Ok, this is getting weird.

I made a comment a few hours ago in which HTML superscripts showed fine in Preview, but appeared level with adjacent text on the updated page.

Twice now, I’ve tried posting test comments including Markdown footnotes (on this thread). When I clicked Submit, I saw the usual response with the goofy animation, but the test comments vanished into the “bit bin.”

Perhaps some more test and debug is in order …

MarkH September 11, 2020 7:28 AM

Test of HTML Super/Sub Scripts

π r 2

The foregoing shows proper super and subscripts in Preview.

MarkH September 11, 2020 7:31 AM

I just tried a Test comment with just one superscript and one subscript … Previewed fine, vanished on Submit

MarkH September 11, 2020 7:37 AM

Apologies for the string of comments. The apparent vanishing of two preceding comments was just a delay in page update … however, my earlier pair of more complex test comments never showed.

Above is my characteristic string of underscores, which in WordPress previews as a full-width ruler line.

I suspect that it might be this, which triggers the disappearance of comments.

MarkH September 11, 2020 7:49 AM

Finished testing for now …

I just tried a very short comment with a single Markdown footnote, which previewed fine and then disappeared on Submit.

Accordingly, I conclude that it’s the footnote(s) killing the test comments.

Squawk List:

• HTML sup and sub Preview as expected, but are not realized in the updated page.

• String of underscores Previews as a full-width “ruler” line, but does not show at all in the updated page.

• A comment containing one or more Markdown footnotes Previews as expected, but is discarded on Submit.

Clive Robinson September 11, 2020 10:38 AM

@ MarkH, Bruce, Moderator,

It is fairly clear now that the behaviour of the preview display which displays most HTML tags properly is not carrying forward into the page generation for the blog it’s self.

I’m guessing that the page preview is a seperate “plug-in” to the base system and has it’s own configuration.


It’s not just HTML tags that appear to work in the preview but not in the base system.

When people put in “smilies” the base system apparently recognises them and tries to turn them into single extended charecter set emojis (squashed louse pictograms). Whilst it does it for both forms of the wink “; – )” and “; )” it does not do it for others instead it just swallows them and displays nothing.

This behaviour can be anoying if somebody puts up a “code fragment” as legitimate strings of source code can look like two or three character smilies.

P.S. I tried using “preview” whilst composing this post, but the button did not trigger anything.

Clive Robinson September 11, 2020 10:52 AM

@ Bruce, Moderator,

Another couple for the “snag list”.

Bruce posted a comment,

Which appeared with a yellow background in the thread which is how it used to work on the old blog software.

However in the 100 Latest Comments thread it appears with a white background as do all the other comments, which is not how the old blog software behaved.

Secondly when comments get truncated in the 100 Last Comments page the signifier of the truncation is very slight and does not stand out. Also the link to the rest of the comment which was an even bigger signifier is not present either. Thus it’s very easy to miss the fact a comnent has been truncated.

(sorry to keep finding alk these differences but it’s something that kind of goes wirh the territory with an upgrade in software versions let alone transfering to compleatly different software).

MarkH September 11, 2020 12:37 PM


I also encountered “emoji suppression” … it seems that an initial colon is a Markdown key, and needs a backslash prefix to appear literally.

Here’s a test:

:( :)

JonKnowsNothing September 11, 2020 2:36 PM

Do we need to have a login now? Or should we have a login for authentication? If you don’t have a login does the comment post as AnyMouse?

I have a “login” prompt before the comment area.

Also seems we need scripting enabled..

JonKnowsNothing September 11, 2020 2:51 PM

I was able to use “Subscribe to comments…” on windows (really old) but not in FireFox which tries to save a file somewhere…

It appears I will have to use FF to post. Of course the feeds and favorites formats are not the same (or maybe even compatible).


note: my first post showed up OK although I got a 409 page a bunch of times. like most I just kept punch the button hoping it would auto-fix itself …

Clive Robinson September 11, 2020 3:44 PM

@ MarkH, Bruce, Moderator,

I also encountered …

Yes it appears “markdown” is hiding things in the basic page presentation.

Have a look at my comment,

You will notice that there is a four entry list but only 3 and 4 are showing 1 and 2 are hidden…

This is because 1 and 2 were immediately followed by periods/full-stops which is Markdown to be converted into an HTML LI structure. Whilst I followed 3 and 4 immediately with commas which is not a basic markdown tag.

As a guess I would say the Markdown parser is recognising markdown tags, and they are getting removed, but for some reason the HTML generator is not working.

As a test I will but in a Markdown equivalent of an H1 headers (line of text underlined with equals)

Happy or Sad

If it’s working you should see the text string “Happy or Sad” as an H1 header. It displayed as expected in the “preview”.

JonKnowsNothing September 11, 2020 7:10 PM

In this post below, I had an HTML blockquote pair which worked. I also had an OL + LI list that did not number. The LI was properly paragraphed but with no preceding number. As others noted, the preview looked fine but the final post was splintched.

Still readable; if a bit harder to follow.

ht tps://
(url fractured to prevent autorun)

It also appears from DDG that Firefox does not have an RSS feed anymore. Flipping between 2 browsers is a PIT-A.

JonKnowsNothing September 11, 2020 7:28 PM

In the post mentioned above the visual output on the page looks like 2 blockquote pairs happened.

If you cut and paste the blockquote text into a rtf doc program the formatting is stripped. As is the OL LI formatting.

Looking at the page source shows the blockquote contains a P pair inside the blockquote section and the same for the OL section parts.

Note: I use Copy Paste a lot, to gather particularly interesting bits posted and have not had any previous formatting issues dropping it into an RTF doc. TXT docs are useful for stripping formatting but the above behavior for RTF leaves some formatting in place and losing other parts.

And that is up to whoever wants to fix it to decide what to do.

SpaceLifeForm September 12, 2020 12:54 AM

@ Clive

“Happy or Sad” appears as regular text to me.

@ JonKnowsNothing

You may want to try ‘Feeder’ or ‘Brief’ plugins.

Your mileage may vary. Posting via FF.

Clive Robinson September 12, 2020 2:36 AM

@ SpaceLifeForm,

“Happy or Sad” appears as regular text to me.

And that’s the problem…

Type a string into the edit box, then underneath it a string of “=” this is standard Markdown for a title or H1 HTML tag.

If you look at it in preview it will as expected be an H1 tagged title looking about four times the size.

But when it gets to the normal blog display it appers to lack any tags.

So Markdown appears to work fine in the preview box but not in the main blog page display…

Not my type September 12, 2020 10:07 AM

Actially, I’ve always liked and preferred the pre- word processor, typewriter, style, with plain text markings, which the input to Markdown basically uses. It encourages minimalist composing ie as simple as possible but no simpler, and looks clean and is easily grasped. There is nothing lovelier than the well organized monospaced page, with Greek letters and math symbols as an addition. The use of fully rendered type is only appropriate for things like books. Otherwise it lends a spurious air of authority and completeness. There is a reason the graduate thesis was done on a typewriter. One could comsider going further and back to the ancients and eliminating punctuation and most markings.

PS I am surprised there appears not to have yet been a comment by Etoin Shrdlu.

Anders September 12, 2020 12:04 PM

Not so smooth after all.
While all the other stuff is working
perfectly, i can’t see the preview without

I can post but can’t see the preview. Not normal.

Also, i’m not happy at all to see the
in my noscript site list.

Anders September 13, 2020 7:15 AM

Aah, and now i can’t any more post plain text
urls, wordpress completes them automagically
and puts there http(s):// prefix.

Not nice.

Anders September 13, 2020 7:18 AM

And problems continue…

409 Conflict

This site is currently unavailable.

Website owner? If you think you have reached this message in error, please contact support.

MarkH September 13, 2020 10:23 AM


I haven’t understood the “URL fractured” business … I am not aware of any browser which opens links without a click (or other selection action) by the user.

If I discover such an “autorun” monstrosity, I’ll be careful not to use it.

Anders September 13, 2020 10:57 AM


Problem is that url contains actually from 2 part,
visual, what you see and the actual one.
Those 2 can be same but also can and often are different,
when we are dealing with phishing attacks.

Therefore if url is “clickable” you must constantly
monitor that it leads to where it advertises.

As a proof on concept i constructed here url that
looks like our host’s site, but actually leads to EFF.

When people here copy/paste my plain text urls, they will be
sure where they leads to…

Singapore Noodles September 13, 2020 11:51 AM

The URL completer sometimes adds http rather than https.

Completion doesn’t seem to occur if the www prefix is not part of one’s text. If that plain text is copy/pasted into the browser, the url will be completed by the browser itself, so one gets most of the best of all possible worlds.

jcb September 13, 2020 2:19 PM


I haven’t understood the “URL fractured” business … I am not aware of any browser which opens links without a click (or other selection action) by the user.

The “URL fractured” thing is associated with vice, pornography, and “hacking” in some computer-illiterate people’s minds, a vulgar way to build excitement and deny web rank to the blog owners. The intended effect on the reader is somewhat like a habitual gambler standing in front of a slot machine with a fresh roll of quarters still in the brown paper wrapping.


Therefore if url is “clickable” you must constantly
monitor that it leads to where it advertises.

You hover over it with the mouse and look at the URL that shows up in the gray bar at the bottom corner of the screen; on a mobile device, you long-press on the link to view the URL if you are unsure whether you want to visit the link and load the page or not.

You don’t need to “constantly” monitor it if you aren’t actively clicking on every available link.

Unwanted “ads” are something you can usually block, but most people don’t get that excited if for example ads for ladies’ underwear or men’s razors or other stuff show up and they’re not interested.

JonKnowsNothing September 13, 2020 5:13 PM

@MarkH @jcb @Anders


I haven’t understood the “URL fractured” businessdeny web rank to the blog owners

There are posts in the blog archive that explain the reason behind breaking URLs.

There are good reasons to do so.

Redirection. As Anders points out, it is easy to create a redirected link. It is way easier to build a redirected link if you are using TinyURLs like Video links.
Redirection by altered spellings. Aside from my broken keyboard, it is not uncommon to find links with altered spellings. baa.xx Besides the visible alterations, unicode and emoji coding and some cross languages tables have been used where the link says “GOOD ONE” but the actual link is an amalgam of odd characters depending on your installed font and language to render the appearance of “good letters”.
You might not want to click it to verify. A broken URL is just text. You can see what it is and what it does. You can (well could) copy+paste it into a your preferred archival system or editor for later or you can directly paste+go in a browser. There’s no obfuscation about what the link is or does.
No browser does… Behind most browsers are ad engines, parsers and pre-fetchers and renders. These parse the content and collect links found. In the case of many business systems invisible ID tags are strewn about the page marking areas read and collecting events and are embedded in images. Such history links are collected by A LOT. Some of it drives “you might be interested in …” ads but some of it can endanger people where their legal system is less flexible.
Deny web rank to the blog owners and or the use as salacious linkage… If you are harvesting URLs (foreground or background) to pass along – that’s one more reason for not providing a freebee at the feed trough.
There is no mandatory reason to break URLs. They are handy but they are misused and unsecured. They are a prime source for spear-phishing. Although now there are techniques that do not require you to do anything at all to get pwned.
In the USA there are URLs that are legal-honeypots and even having knowledge of them can and will get you into a legal minefield.
Breaking URLs is a polite thing to do.   Good morning, Goodbye and Thinking of the other Guy.

JonKnowsNothing September 13, 2020 5:20 PM

The above post Previewed fine and posted as a wall of text. It was hand numbered not using OL and had a blockquote pair and a few line breaks BR.

Looks like some WP packages are missing…

Anders September 14, 2020 1:21 AM


“You hover over it with the mouse and look at the URL that shows up in the gray bar at the bottom corner of the screen; on a mobile device, you long-press on the link to view the URL if you are unsure whether you want to visit the link and load the page or not.”

Actually no. In Unicode character set there are characters that are visually similar to the ones in standard ASCII but their code points are different. Nowadays it’s possible to register domain with Unicode characters. You hover your mouse over the link, you visually see that it’s similar but it can still lead you to some totally different place.

So to be sure you copy url, then paste it to some PURE ASCII environment, then you see if there’s any other characters than
pure ASCII, then you copy the text again and then you paste it to browser.

JonKnowsNothing September 14, 2020 3:37 AM

I made a post in another thread and got the dreaded 409 error. Punched submit a few times still got 409 error. Went back to WRITE page and made a small text change and hit submit again.

System posted both versions…. /facepalm

JonKnowsNothing September 14, 2020 4:11 AM

@Anders @jcb

personal anecdote:

Way back in the misty past of “small computers” pre-IBM PC and CharlieC ads, in the days when one had subscriptions to computer programming magazines because they had articles and source code printed in them and all you had to do was type it and save to your favorite cassette tape recorder or if you were really buff with loads of lolly, you might have a floppy drive. You might have to wait for several editions to get the full source listings. Of course, these programs rarely worked first time, so you had the super fun of debugging the code and waiting for editorial posts with fixes.

I got this way kewl source for a star-trek vs klingon grid shooter. You would put in a coord and “fire” and maybe hit one. Similar to “submarine” games. This one had some nice graphics and a tiny bit of animation. I was lucky to have a color system and color monitor so I was very keen to get that code to run.

The problem was that the source didn’t look like normal “source code”. It used long sentences of English words like: “back dog plate garden”. Trying to fix the running marquee wasn’t easy ’cause you couldn’t figure out if the error was in the “ck” or “gar” part of the code. Word substitution sometimes worked like changing it to “back plate garden dog” but other areas it didn’t.

It was all ASCII on the top but not underneath.

Richard September 20, 2020 6:34 AM

Please repost with the times in EDT instead of EST. We are on EDT. I always struggle to remember whether to add or subtract and hour from EST to get to EDT. And then, often the writer actually meant EDT, so doing the conversion arrives at the wrong time.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.