This site was archived on 24 April 2012. No new content can be posted. The mailing list remains online and the site will stay in this archived state for the forseeable future. If you find any technical errors on the site, please contact Callum.

Author Archive for Callum

Sunsetting OpenCS

Friends, it’s time to move on.

CouchSurfing International Inc is now a for-profit business. It’s a shame, it had such incredible potential to become a truly democratic, inclusive, open platform. But it’s not. It’s a venture capital funded business. We all know how it got there, but that’s where it is. The dreams of an open and free CouchSurfing are now dead.

Let’s recognise that and move on with our lives. BeWelcome is the only viable alternative. So I say we archive the OpenCS site with a message telling freedom lovers to visit BeWelcome for open-source, democratic hospitality exchange.

In the spirit of do-ocracy, I will action this after 1 March unless I hear strong objections before then. That gives us a month to say our goodbyes, write our memoirs, and so on.

CouchSurfing has always been, and is now honest about being, a corporation.

Tougher registration settings

I receive an email every time somebody registers on this site. Most of the registrations I see are nonsense. So today I’ve tightened up the registration options, changed the math question to a CAPTCHA and required users to activate their accounts by clicking a link sent to them by email. Hopefully that will reduce the rogue registrations somewhat.

Interestingly, I haven’t see any spam from the nonsense accounts. They might be used in case a privilege escalation security issue is found in WordPress, so best to remove / block them I think. If anyone has any trouble registering, please post a comment here (you can do that without registering) and myself or another admin will create an account for you.

If you want to revert the changes I have made or have any other feedback, please let me know.

253 users deleted

I was doing some admin on the site. I deleted 253 users who had never written a post or comment. I assumed they were all spam. I have a list of their emails just to be on the safe side. As a result of a recent upgrade to WordPress 3.2, one user was unable to login with the error “ERROR: Invalid registration status.” If you see that error, or have any other problems logging in, please contact me or one of the other admins.

I’m planning to switch the site over to twentyeleven, the latest WordPress default theme. It supports mobile devices and has all sorts of accessibility stuff built in, so I think it’ll serve us to move over. Please feel free to share your thoughts in the comments here. If anyone strongly objects in the next 48 hours, I’ll consult the mailing list before taking any action.

Changes for new users

We had our first spam post on OpenCS today. Our WordPress settings allowed anyone to register and immediately publish posts. Until now, it was never abused (at least not that I noticed). Today it was. In response, I’ve switched all new users to have only “Subscriber” level permissions on the blog. I’ve also deleted the offending user and the post.

There’s no easy way to combat this type of spam. New user signups are pretty constant. We have a great deal of “spam” users already on the database who have not yet posted anything. Let’s hope they remain dormant.

If you have other ideas about how we can respond to the spamming, please contribute in the comments here. I’m happy to change the settings back if that’s the consensus. My feeling is that because this site is so quiet now, it’s ok that new users need to ask on the mailing list before they can write posts here. What do you think?

There is no change to comment settings. Comments work just as they did before.

Free software inspires changes on

DAN° released a script for Gresaemonkey that improves the profile page by adding statistics about references and other information. A key part of that, numbers of references, has now been included on

Thanks DAN° for your contribution. Maybe in time, CS Inc will include more changes inspired by external agitators.

Alaska blog archived

Just over 2 years after the last post, I’ve archived the Alaska blog. It’s now a static HTML site. No WordPress to update, no more comments or trackbacks. I’ve left the content for posterity. Oh, and this is post id 666, freaky! :-)

CouchSurfing password security vulnerability

Warning: If you get a username / password pop up on, click cancel, do not enter your username and password except on the CouchSurfing login page.

As of right now, I’m seeing this CSS file included on all pages. That file links to this image. That image returns a 401 authorisation denied error. That in turn causes the browser to request a username and password, the realm is given as “CS”. If a user enters their CouchSurfing username and password, that data will be submitted to

This is a serious security issues as many users are likely to enter their passwords without realising what’s going on.

As far as I can tell from a scan of the whois data and dns records, there is no connection between and It seems likely to me that this is a hack of some sort, either deliberate or accidental. I hope accidental. Either way, this is a significant issue and needs immediate resolution by CS Inc. I have notified Casey Fenton, Jim Stone and Chris Burley directly of this issue.

K2 theme upgrade and threaded comments

I’ve just installed K2 RC8. Previously we were using K2 RC6. I’ve also enabled threaded comments with the default options. So threads go up to 5 levels deep. Any of the admins on this site can change that setting if a consensus feels that it was a mistake. You’ll see new “reply” buttons underneath each comment. That allows you to reply specifically in response to a single comment, like some forum software.

Verification ticks on images

Today I noticed that a green tick now appears on the images of CouchSurfing members who have paid for verification. I notice these ticks on groups, I assume they’re all over the site. Wherever you see a thumbnail picture of a person, it marks who have paid and who have not.

This continues what Jim Stone started back in New Zealand all those years ago. A campaign to drive verification revenues ever higher. Given that you only need to pay once to become “verified”, CouchSurfing International Inc rely only on a continual stream of new members to make “donations”. If they can increase the percentage of people “donating”, more money for the coffers.

Perhaps we can subvert this new feature by framing our own profile pictures and adding a different symbol to donate that we opt out of the so-called “verification” system. We could even combine that with a real verification system based on the verification of actual identity and physical location. Food for thought… :-)

CS uses SphinxSearch

I read that CouchSurfing uses SphinxSearch to improve member search. The software is available under the GPL or a commercial license.

I mention this here in the interests of collating technical data on how CS is built.