Ha! The irony is thick here at classy.dk today. It was only a few hours ago that I wrote that I had yet to see a malicious Moveable Type plugin, so that the lack of a security model in software like MT was not yet a problem. And now that I'm catching up on my K5 I learn that actually a free weblogging service was actually used maliciously just recently. It's not quite an attack via server side software, being a case of bad HTML filtering in comments instead, but it strikes awful close.