Since Six Apart launched Movable Type in 2002, we've watched as blogging has been adopted by businesses large and small, both start-ups and established enterprises. One of our favorite topics is the way blogging has allowed young companies to establish a distinctive voice in a timely and cost-effective manner that wasn't possible before, thereby creating a fresh influx of new ideas and quality content that is beneficial for everyone.
Such is the case with upstart blog Fashionista. Launched in January 2007, the site took aim at the insider world of fashion. With its striking design, stylish logo, and confidential tone, Fashionista quickly established itself as a reputable, if irreverent, voice. Each day, Fashionista's two assistant editors, Natalie Hormilla and Britt Aboutaleb, post everything from gossipy news about who got signed with which modeling agency to listings for hot sample sales, making the site a must-read for anyone interested in fashion, shopping and style.
"The success of the blog format has a lot to do with the personalities behind it," publisher David Minkin remarks. "Readers want to connect with real humans, not an editorial board."
Built in Movable Type 4, Fashionista hosts a lively community, where readers weigh in on everything from new trends to which starlet wore what on the red carpet. One of the most popular areas of the site is Streetwalker, which depicts photos of everyday people on the streets of New York. Readers can also join the community and solicit the help or advice of others, such as: Where can I find a Gucci bag like this? or What lipstick did Lauren Conrad wear on the third episode of The Hills?
To help new visitors find their way around Fashionista, the site uses the Recommend plugin, which allows first-time readers to quickly see which articles have garnered the most buzz from the community. Another prominent area shows a list of the most recent comments. "People are always interested in what their peers are thinking," David says. "These areas allow them to quickly see what the community at Fashionista is like, and add their own voice to the mix."
The site maintains its cred by scooping other publications on hot stories - in March, the site reported that a model who had been widely reported as having a contract with Reebok did not in fact have a contract at all. Most satisfyingly, the site was recently mentioned in an article in AdAge. "When AdAge put Fashionista in the same sentence with Style.com, it felt like we had arrived," David says.
Less than two years after Fashionista launched, the site has a rapidly-growing readership and has attracted top-flight advertisers such as Nine West, Nordstrom, and Target.
"Big-name advertisers now understand that blogs are a powerful way to connect with their audience," David reports.
Building the Buzz at Brownstoner
Over the past few years, we've often heard the term "disruptive" used to describe the impact of blogging. More so than any other medium in the last century, blogging has enabled people to quickly and easily distribute information to a wide audience, often with dramatic results.
Nowhere is the term "disruptive" more apt than when describing Brownstoner, a blog that chronicles the real estate market in Brooklyn. When Jonathan Butler launched Brownstoner in the fall of 2004, he turned a keen eye to his new neighborhood and the changes and trends that were occurring on his doorstep.
As it turned out, his timing was impeccable: Brooklyn was poised on the edge of a sea change, as new buyers rushed in to grab bargains, and massive renovation and upheaval ensued. Jonathan's chronicles from "New Brooklyn" struck a nerve with longstanding residents, prospective buyers and speculators alike.
Jonathan chose Movable Type based on recommendations from established bloggers. "MT was the unanimous choice," he recalls. He engaged the design firm Apperceptive, now part of Six Apart, to create several customizations that would help the site stand out. One of the most useful additions was the integration of the Google Maps plugin, which allowed Jonathan to create a map-based archive of thousands of location-specific posts.
Despite its sophistication, the site feels like a neighborhood get-together. A recent profile piece on the site in New York Magazine notes: "Brownstoner covers the whole borough...but it covers the whole borough as though it were one big block, where everyone has gathered to gossip on their stoops."
Today, Brownstoner is far more than simply a "real estate blog" - it is also home to an opinionated and vocal community made up of thousands of people with vastly differing opinions. The site receives several hundred comments per day, and the dialogue is a lively one.
The comment sections at the end of each post are an important aspect of the conversation, but Jonathan has done one better by creating a Forums area, where people can post topics and receive feedback from the community. From sharing the names of trusted contractors to selling items from marble sinks to wooden doors, the forums reinforce a sense of cooperation and shared interest amongst neighbors. As to his role in fostering such a dynamic community, Jonathan says: "I try to be as transparent and straightforward as possible. Readers can smell B.S. a mile away." Jonathan views his role more as editor than expert, and calls himself "a starter of conversations."
His authentic approach appears to have struck a chord; today, Brownstoner receives about 1.3 million views per month. Just last month, the Historic Districts Council awarded the site their Friend of the Media award for 2007.
As the New York Magazine article noted: "Butler's become not only a fairly well-known blogger... but also a kind of virtual developer, someone who doesn't literally rebuild neighborhoods but who has the power to shape the way those neighborhoods are perceived."
Here at Six Apart, we aren't surprised whatsoever that a blog can accomplish so much - but we certainly are proud.
Today we are releasing Movable Type 4.01b and Movable Type 4.12. These are free mandatory security updates for all Movable Type 4.x users. These updates resolve a vulnerability which has not been exploited, but was reported to us by a third party on June 16 (corrected from June 15). We have addressed the issue with these updates, and are providing new, fully-tested versions for all affected versions of Movable Type in all supported configurations. A detailed description of the vulnerability can be found below, but in short, a cross-site scripting (XSS) vulnerability has been found in Movable Type's built-in search feature, which could be exploited by malicious parties to execute JavaScript without permission.
We have no record of a user having been affected by this vulnerability, and there are no known public exploits. The release candidates of Movable Type 4.2, currently in testing, Movable Type 3.36 and Movable Type Enterprise 1.5 are all unaffected by this issue. Here's the Update Advisor, which summarizes the issues found and provides a guide for updating your installation of Movable Type.
Movable Type Update Advisor: Version 4.01b and 4.12:
- Release Type: Security Release. The potential vulnerability has not yet been exploited in the wild.
- Mandatory? This is a mandatory update for all users of Movable Type 4.0 and later.
- Performance Implications: None.
- Plugins Affected: None.
- Templates Affected: No changes in your templates are required.
- System Requirements: This release has no new or additional system requirements.
- Licensing considerations: None. MT 4.01b and MT 4.12 are free updates for users of any version of MT 4.
- Upgrade Fatigue: No planned updates are scheduled until the release of MT4.2, which is currently in the final stages of release. There will be no further releases before MT 4.2 unless significant security issues are found which require additional 4.x releases. It has been 152 days since the last recommended update to MT4.
Downloads are available in your account for current customers or through the download page.
Downloads are available through the channel where you received Movable Type: Paying users can find the update by logging in to your Movable Type account, and users of Movable Type Open Source or the free personal license can get the update from the download page.
In addition to the updates to Movable Type 4.01b and 4.12 for MT4 users, we have issued updates to the Movable Type Community Solution and Enterprise Solution. If you are on one of these platforms, you should have already been contacted by your account representative about these updates.
A Commitment to Security
We take Movable Type's security very seriously, especially as we know many of you choose Movable Type for its security track record. In addition to issuing fixes to affected versions of Movable Type, we have also amended our development and testing processes internally to help better detect these types of vulnerabilities in the future. As InformationWeek just noted, Movable Type has "a fraction of the security incidents of its peers". That means we take this update, and all security concerns extremely seriously out of commitment to you as a Movable Type user, out of our desire to uphold our reputation, and out of responsibility to the entire web to try to ensure technology platforms are as secure as possible.
Detailed Description
When conducting a tag search in Movable Type, the application does not properly escape the optional IncludeBlogs query string parameter. As a result, one could construct a link that conducts a tag search and, unbeknownst to the user who clicks it, also executes malicious JavaScript code embedded by the third party. Malicious JavaScript code could be used to transmit sensitive information about the user's active session.
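A log check for the parameter described above, as an added example (not code from Six Apart or Movable Type): it flags tag-search requests whose IncludeBlogs value is not a plain list of blog IDs, and shows the HTML escaping that neutralizes such a value when it is echoed into a page. The script name mt-search.cgi, the comma-separated numeric value format, the access-log layout and the sample log lines are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the search CGI is deployed under this file name.
SEARCH_SCRIPT = "mt-search.cgi"
# Assumption: a legitimate IncludeBlogs value is a comma-separated list of numeric blog IDs.
VALID_INCLUDE_BLOGS = re.compile(r"\d+(?:,\d+)*")
# Request field of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, made-up paths and sizes).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jun/2008:10:01:12 +0000] "GET /cgi-bin/mt/mt-search.cgi?tag=shoes&IncludeBlogs=1 HTTP/1.1" 200 5120
203.0.113.9 - - [17/Jun/2008:10:02:40 +0000] "GET /cgi-bin/mt/mt-search.cgi?tag=shoes&IncludeBlogs=1,4,7 HTTP/1.1" 200 6011
198.51.100.23 - - [17/Jun/2008:10:03:02 +0000] "GET /cgi-bin/mt/mt-search.cgi?tag=shoes&IncludeBlogs=1%22%3E%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 5140
198.51.100.23 - - [17/Jun/2008:10:03:09 +0000] "GET /blog/archives/2008/06/ HTTP/1.1" 200 20444
"""


def suspicious_include_blogs(log_text):
    """Return (line number, client IP, decoded value) for every search request
    whose IncludeBlogs parameter is not a plain list of blog IDs."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/" + SEARCH_SCRIPT):
            continue
        # parse_qs percent-decodes values, so encoded markup is compared in clear form.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("IncludeBlogs", []):
            if not VALID_INCLUDE_BLOGS.fullmatch(value):
                findings.append((lineno, line.split()[0], value))
    return findings


def safe_echo(value):
    """HTML-escape a request value before writing it into a page, so the browser
    renders it as text instead of parsing it as markup."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for lineno, client, value in suspicious_include_blogs(SAMPLE_LOG):
        print(f"line {lineno}: {client} sent IncludeBlogs={value!r}")
        print(f"  escaped for output: {safe_echo(value)}")
```

A hit in the logs shows only that a request carried unexpected characters, not that any visitor's browser ran script; installing the fixed release is still the remedy.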
Versions Affected
Only the following versions of Movable Type are affected by this issue.
- Movable Type 4.0, 4.01, 4.01a (Personal and Commercial)
- Movable Type 4.1 (Open Source, Personal and Commercial)
- Movable Type Community Solution 1.0, 1.0a
- Movable Type Community Solution 1.5
- Movable Type Enterprise Solution 1.0
All other versions of Movable Type, including the 4.2 release candidates, are not affected by this issue.
Applying the Fix
- Users of Movable Type 4.0, 4.01 and 4.01a can install the updated Movable Type 4.01b, or they can replace the lib/MT/App/Search.pm file found in their distribution with an updated version.
- Users of Movable Type 4.1 and 4.1a can install the updated Movable Type 4.12, or they can replace the lib/MT/App/Search.pm file found in their distribution with an updated version.
Learn more about Upgrading Movable Type 4 in the MT documentation.
As always, thank you so much for choosing Movable Type and we sincerely apologize for the inconvenience of having to upgrade your software, and are committed to making such updates as infrequent as possible.
20x200: When Art Meets Commerce, An Industry Shifts
Here at Six Apart, we've always had one foot in the world of design and the other in technology, so it seems logical to us that a robust content management system like Movable Type can be used to create something beautiful - something that looks, well, nothing like a blog.
For those in an industry that prides itself on aesthetics and has long withstood digital innovation, that can be hard to imagine. Of the few industries that have resisted taking part in new media, none is more glamorous than Art. Long the province of white-walled galleries and mysterious pricing schemes, art has historically been accessible only to a privileged few.
In 2006, when gallery owner and entrepreneur Jen Bekman had her middle-of-the night revelation that the Internet was a perfect vehicle for making art available to everyone, she was instrumental in ushering the art market into the digital age. Jen named the venture 20x200, and devised the following formula: each week, she would offer two limited-edition prints - an edition of 200 for $20, an edition of 20 for $200, and an edition of 2 for $2,000. The entire business would be conducted online.
To build out the 20x200 site, Jen enlisted the help of photographer and web consultant Raul Gutierrez. Both Jen and Raul had extensive backgrounds in technology; Jen's career included leadership roles at Netscape and Disney, while Raul, himself an accomplished photographer, had built and produced a number of successful websites.
When they decided to use Movable Type to build out the site, they agreed on one thing: it couldn't look like a blog. The entire 20x200 site was built in Movable Type, using multiple custom plug-ins and integrating Google Checkout to make buying simple. Every Tuesday and Wednesday, Jen sends a newsletter to the 20x200 mailing list, in which she announces that day's edition and discusses its context and relevancy within the art world. The newsletter acts not only as a sales tool, but also as a rich source of information for new and seasoned collectors alike.
The newsletter contains links that lead to the page on the 20x200 site where the edition is displayed. Next to each edition sits a real-time inventory number, indicating how many pieces remain.
Movable Type demonstrates its abilities as a flexible, powerful CMS, allowing 20x200 to easily manage their growing catalogue of artwork. The site uses many custom fields to enable administrators to enter data for each edition quickly and simply; fields such as artist name, artist statement and website URL are consistent across each entry, so that visitors to the site can browse artists and find facts with ease.
Less than a year after 20x200 launched, the site has been an unqualified success: over 14,000 prints have been sold to date, to a customer list that includes artists, celebrities and respected collectors from around the world. The site has become an important corollary to Jen's New York gallery, and a vital part of her ongoing mission to champion emerging artists.
When we talk about Movable Type, we often say: "you imagine it, we enable it" and 20x200 demonstrates that maxim - dare we say - artfully.
If you follow blogging news, you've undoubtedly heard a lot of concern recently about blogs on other platforms being hacked or blocked from search engines. Good news: Movable Type has a proven track record of having excellent security and an established reputation for fixing any known issues quickly. And that history of security is by design. We think there are some key things our community needs to know:
- We believe in making Movable Type secure out of our obligation to making the web better: Insecure web software can be a vector for spreading spam, viruses, and malware.
- Movable Type has the best security track record of any popular installable blogging software, according to the U.S. Department of Homeland Security's own reports.
- Movable Type security updates are prominently publicized on our Movable Type homepage, and through the application itself. Our team proactively contacts Enterprise and Community Solution customers if a security issue has been raised.
- Movable Type's security record is getting better, while other platforms are getting worse and seeing increasing numbers of reported vulnerabilities.
- When any issues have been found with Movable Type, they've typically been discovered through our own routine security audits, and fixed without ever having been exploited in the wild.
These facts show that Movable Type has a significantly different history than other platforms. But more importantly, they show that we're attuned to the concerns of the publishers and bloggers who rely on Movable Type to build their businesses and make a living.
We're not saying our track record is perfect. But take a minute and review our last security update in January. We listed our history of issues ("It has been 116 days since the last recommended update to MT4 and 273 days since the last recommended update to MT3.") and we mentioned whether applying the security fix would affect templates, plugins or performance. (No, no and no.) There are dozens of reasons to upgrade to MT4, from unique reporting and management features to powerful community capabilities. But above all, you shouldn't have to worry that sharing your ideas with the world or wanting to publish for a passionate community means putting your site, and your reputation, at risk.
The Bottom Line
While we're proud of our work, and especially proud of our community's focus on security, you don't have to take our word for it: Look at the data provided by a neutral third party. In this case, it's the U.S. Department of Homeland Security's own National Vulnerability Database. We searched the vulnerability database since 2005 for Movable Type and for WordPress, and included the partial reports for this year. In the chart, a lower bar is better. The results speak for themselves:

We think it's inarguable that there's a dramatic difference in the security of these platforms. And, as we've demonstrated for nearly seven years, we're working every day to maintain Movable Type's excellent record of security.
SixApart is a leading company in the field of social graph experimentation and the most outspoken participating company willing to be critical of some of Google's efforts like OpenSocial. BlogIt is interesting beyond its basic functionality because it can tie together confirmed accounts on Facebook, outside blogs and Twitter - then place that information in the hands of a company dedicating significant time and resources to leveraging such information in the interests of users. BlogIt may be just a beachhead landed in the hostile territory not of Facebook, but of online identity chaos in general.
There's a very small club of people who've been blogging for ten years; we talked to a number of these experts last year to celebrate Dave Winer's 10th anniversary as a blogger, with more posts discussing Leslie Harpold, Michael Sippey and Harold Check. Today, another respected member of the blogging community joins that esteemed club, and we're thrilled to congratulate Jason Kottke on ten years of blogging.
As you might know, WordPress 2.5 is about to be released, and we wanted to encourage WordPress users to upgrade. To Movable Type.
The truth is, there are lots of good blogging tools out there, and they're all good at different things. But since upgrading from older versions to WP 2.5 can mean changes to your themes, plugins ("print your plugins list"!), and site, we thought we'd take a minute to explain why it may make sense to make those changes in Movable Type instead. For those people in the blogging community who've never taken a look, or who haven't seen MT in a while, you might just find some surprises.
Get Better Tech First
If you're into the technology of blogging, you've probably been hearing about technologies like Atom and OpenID for a while, and paying attention to newer innovations from Action Streams to iPhone interfaces to OAuth. But for things like Atom and OpenID, WordPress users have had to wait months or even years to get capabilities that Movable Type has pioneered. If you want OpenID commenting support on your blog today, Movable Type has had it built right in since the initial launch of MT4 last year -- we got a little bit of a head start there because Six Apart is where OpenID was invented. And we're not resting on our laurels; support for the newly-updated OpenID 2.0 specification is coming to MT shortly as well. Powerful new web services connected by OAuth are also right around the corner, letting you keep control of your password without having to share it all around the web just because you want to try out a new web service on your blog.
This kind of stuff isn't new for us: Movable Type was an early blogging platform to support plugins at all. [Update: As always, we should have assumed Dave Winer got there first -- Manila had plugins much earlier.] MT was the first to have support for Creative Commons built right in. And it's not just that we participate within existing open source communities to create new standards like Atom, OpenID 2, and OAuth, we also work with companies all over the web to be partners on the OpenSocial project and [a totally non-evil implementation of] Facebook's Beacon on TypePad. Basically, we think that playing well with others makes for a better platform.
Takes a Digging, Keeps on Ticking.
Question: How should you greet the onrush of visitors to your site when you get onto the homepage of Digg or Reddit? Answer: Not with a Database Connection Error. A lot of people have asked us over the years, "Why does MT default to generating static web pages?", even though there's the option to publish fully dynamic pages. The reason is clear, as WordPress core developer and Automattic employee Donncha O Caoimh says, "[U]nder high load, serving static html files will always trump dynamic PHP requests." With Movable Type, the default settings have always been set so that you have a site that's reliable right when you're about to get the most traffic, without having to hunt down, install, or configure any plugins. So when a crowd of people come to your site, they can read what you wrote (and click on your ads, if you're into that sort of thing) instead of wondering what everybody was looking at.
A Dashboard That Measures Success
One of the biggest goals in redesigning our dashboard for Movable Type 4 nearly a year ago was to get out of the habit of merely listing a bunch of recent entries, comments, and pages. The truth is, you need those listing screens to manage your blogs, but on a dashboard that stuff just ends up looking like another inbox full of clutter to manage. So MT4's completely customizable dashboard has a powerful set of visual representations of your blog's behavior, from charts of the number of entries your authors have created to sliders that let you zoom in and understand why you got more comments on certain days. And of course there are lots of third-party plugins for the MT dashboard, to integrate statistics and information from third-party services like your number of FeedBurner subscribers.
Design Matters
Movable Type was the first blogging platform to use completely CSS-styled, standards-based templates by default, and since then we've worked like crazy to give smarter, prettier tools to everybody for customizing design. We have a strong belief that creating a theme or editing a design shouldn't require knowing PHP or figuring out whether parameters go in the order of "format, before, after" or "before, after, format". In fact, template tags shouldn't be writing HTML markup for you at all -- so in MT, they don't. And the tools for managing and customizing those designs look as good as the designs themselves, as you can see with the Movable Type Design Assistant. The Assistant is designed to help regular bloggers think about their blog's design with some of the insights and perspectives of a professional designer. And the StyleCatcher system built into Movable Type lets you install styles from repositories on the web, without having to manually upload a bunch of theme files to your server.
Plugins Are Good. Not Needing Plugins Is Better.
As the platform that first popularized blogging plugins, Movable Type has tons of them. But even better, there are a huge number of features that would require either the installation and configuration of a plugin, or moving to a completely different platform like WP-MU if you were using WordPress. Instead of wasting time trying to install all those plugins, and then keeping up with the inevitable security updates for them, or compatibility updates whenever you upgrade your software, you can use MT's built-in features and just worry about what you want to say. Some of the key features that are built in to MT that you might want to try out:
- Manage an unlimited number of blogs with one install
- Share templates and widgets across all the blogs in your system
- Easily manage tags
- Upload, manage, and tag any kind of files with a complete Asset Manager
- Lots more items that are still on the WordPress wishlist, like image resizing, searching of posts and pages, OpenID, a customizable dashboard, a better WYSIWYG editor, and more
And when you finally do want to do more with your site, in addition to all of the plugins which are available, you can also add in extensions to the platform like the Movable Type Enterprise Solution, for integrating with business-grade infrastructure, and Movable Type Community Solution, which enables features like user profiles, forums, Digg-style ratings, recommendations, and more.
Get Support Right From The Source
One of the signature features of Movable Type is perhaps the most hidden: Our excellent support. Instead of searching around on Google for information that may or may not be out of date, or trying to figure out an obscure chat channel to get answers, paid users can simply file a help ticket and get access to the best support team in the business. It's just one more way to focus on what you want to say with your blog, instead of fighting with technology problems.
And Lots More To Come...
Now, the truth is, we're far from perfect. There are still a lot of times when MT installation takes a lot more than five minutes, though we're working on fixing that. (But of course, having a lot fewer security updates means you're not updating your blogging software all the time, so it can even out.) And MT can import all of your WordPress entries, comments, pages, and content with no problems. Right now, our whole developer community is focused on improving the raw performance of the core platform. But there are also still tons of new features we want to add to the platform as soon as possible. Whether it's adding support for OpenID 2.0, OAuth, or OpenSocial, making the application faster and more responsive, or working with the community to bring users new themes and plugins, we're 100% focused on our responsibility to continue to invent the future of blogging.
Movable Type is a blogging platform that's reliable, innovative, beautifully-designed and full-featured. Having spent years being both inspired and humbled by the creativity of the blogging community, we'd also like to point out that Movable Type might just be the right platform for a blogger like you.
Seeing the maintenance of a Movable Type publishing infrastructure as the first responsibility in a job description shows the transformation that's happened. We've come a long way from "I hope the new IT hire knows a little bit of HTML, too." And whether you're interested in hanging out with scientists at AIBS, or working for a major media company, or bootstrapping an up-and-coming new blog network, we're working to make sure that having "Experience with Movable Type" on your resume is something that distinguishes you from the rest of the field.
- Maintaining and extending several Movable Type and PHP-based Web sites featuring science and biology-oriented content
- Managing a junior staff member whose primary foci are end-user support for a staff of 15-30 and Web site maintenance
- Serving as IT Department liaison to Department Managers (3-5) in the headquarters office, working to understand needs, propose effective solutions, arrive at consensus, and implement
- Manage (and assist with management of) relationships/contracts with vendors supporting technology infrastructure for the headquarters office, and vendors assisting with technology project implementation
- Assuming responsibility for technology infrastructure maintenance and growth for non-IT staff
This week marked a quiet, but significant, milestone for the world of journalism done through blogs: Joshua Micah Marshall’s work on his widely-acclaimed Talking Points Memo was awarded a George Polk Award for Legal Reporting.

The Polk awards are astutely described by Will Bunch of the Philadelphia Daily News as “the Golden Globes of American Journalism” on his Movable Type-powered blog. But the New York Times’ Noam Cohen points out that Marshall’s win, and indeed his team’s work as a whole, offers a decided contrast to the hoary old cliché of the blogger as a pajama-clad guy with more attitude than ideas.
To scores of bloggers, it was a case of local boy makes good. Many took it as vindication of their enterprise — that anyone can assume the mantle of reporting on the pressing issues affecting the nation and the world, with the imprimatur of a mainstream media outlet or not. And most reassuringly, it showed that fair numbers of people out there were paying attention.
At Six Apart, we’ve always believed that blogs are nothing more, and nothing less, than a new medium, native to the web and nimbler than the ones that preceded it. That means that, even though people have been falsely debating “blogs vs. journalism” for the better part of a decade, the truth has always been that this is just another medium in which a great journalist can do great work.
We’re thrilled that a distinguished member of our community has set this precedent. We know that it’s only a matter of time until similar honors, such as the Pulitzer Prizes, understand that it’s not the choice of medium that makes a work legitimate, but rather the efforts of those who care about sharing their ideas that define a work. And we build tools like Movable Type with the hope that they can be one small part of helping talented teams like the TPM staff achieve work that not only is on par with, but indeed can even eclipse, the best journalism in the world. Though it’s an infinitely smaller tribute in comparison to a Polk award, we’d be remiss if we didn’t mark the moment by naming Talking Points Memo as a Movable Type Featured Blog.
One footnote: As Joshua Marshall himself noted after his win, a big part of why he’s been able to do so much with Movable Type is due to the help of an incredible team that typifies what the MT community is capable of: Apperceptive. He says, “[T]hey come with our strong recommendation. And if you’re looking for people who do this kind of work I’d be happy to answer your questions about our experience.” And as fellow MT blogger Jason Kottke notes, Apperceptive is “the little engine that runs a large chunk of the professional blogosphere”. So our congratulations as well to the team that helps MT power some of the biggest sites in the blogosphere.


