WordPress 3.0 has just arrived on the scene — the thirteenth major release of the popular blogging software. It’s the result of six months of work from a total of 218 different contributors. You can download it now or upgrade from within your WordPress dashboard.

What’s new in 3.0? One of the best ways to find out is to try out the new Twenty Ten theme, which shows off many of the release’s (which is also called “Thelonius”) major new features, including custom backgrounds, headers, shortlinks, menus, post types and taxonomies.

Thelonius also features a lighter interface, more contextual help options, a boatload of bug fixes, bulk updates and much more. To learn more details about five of the most important updates, check out this brief and informative guide. This video from the WordPress team also explains some of the new features:

For those of you laboring on the backend, including developers and sysadmins, you might appreciate that MU and WordPress have finally merged. Now you’ll be able to run one or multiple blogs from the same installation.

Interestingly, the staff of WordPress/Automattic won’t immediately rush off to start work on WordPress 3.1. Founder Matt Mullenweg said his team will be taking some time to focus on things other than the core product.

“Over the next three months,” he wrote this morning, “we’re going to split into ninja/pirate teams focused on different areas of the around-WordPress experience, including the showcase, Codex, forums, profiles, update and compatibility APIs, theme directory, plugin directory, mailing lists, core plugins, wordcamp.org… the possibilities are endless… We think this investment of time will give us a much stronger infrastructure to grow WordPress.org for the many tens of millions of users that will join us during the 3.X release cycle.”

Are you excited to use the new WordPress 3.0?

The danger in creating an instant social network around email contacts, as Google Buzz does with Gmail, is that the boundaries between what is private and what is public are not always clear. One issue raised earlier today is that the people you follow and who follow you are made public by default on your profile page, but are based on people who you email the most in private. You can make these lists invisible, but it remains an opt-out process instead of an opt-in one.

It turns out there is another privacy flaw in Google Buzz that can expose private email addresses to everyone who follows you. Google Buzz borrows the @reply convention from Twitter so that if you want to reply to someone or direct a comment to them you simply put the @ sign in front of their name. Google autosuggests names from your contact list as you start typing. Normally, this doesn’t cause any problems if you select the Gmail account or chat name associated with that person’s public profile. It ends up posting their name, and not their email address.

But if you select a name or account that is not public, Buzz will fill in with their private email. For example, I wanted to direct a comment at TechCrunch writer MG Siegler, so I typed in “@mg” and up came three of his different emails. I picked his TechCrunch email, not realizing that his public profile is linked to a different Gmail account. What this means is that the 231 people following me on Buzz can all see MG’s private email address in my comment even if they had no direct connection to him before.  They can now send him unsolicited emails and spam galore.  Now multiply that type of potential exposure by the millions of people already using Buzz, and you can see why it is a hole that should be patched up quickly.

Google explains how all of this works, and here is their response:

Generally typing someone’s email address autocompletes with that person’s name and therefore their address is not visible to anyone. Only in cases when you don’t have access to a person’s name and there is no name to connect to that email address, the system will show that person’s address instead of their name. This is very rare, and only happens when:

• the person who’s address you’re typing doesn’t have a public profile OR
• they are not Following you and you are not connected via Chat.

The moment you post, it will be very obvious that the email address is publicly visible, and you can always edit and/ or delete that post.

Except that it is not rare.  Many of my contacts, including the ones using Buzz, have multiple email addresses.  When I type their name in Buzz to reply to them, the autosuggest box shows me all the different email addresses I have for them in Gmail, and doesn’t specify which of those are public or private.   When I typed in MG’s name, for instance, I chose the TechCrunch email because that is the one I use the most.  I had no idea that his Gmail address is the one linked to his public profile, and thus the one I should have used to protect his privacy.

In general that is a design flaw.  Google actually expects us to pick up on these things and protect each other’s privacy, rather than the other way around.  What happens when you inadvertently type in someone’s email address?  According to Google:

In this case, a person attempts to type an @reply using a contact’s email address, types out the email address, and then after posting sees the email address plainly displayed in the post. It is expected that after this, most people would understand that the email address will be visible to the viewers of the post. The user can edit or delete the post.

Sorry, but that is expecting too much from the average user, who probably wouldn’t even notice such a tiny detail.  It’s really up to Google to warn users or to make sure that only public names come up in the autocomplete.  How hard can that be? Instead, Google is telling us that it is our problem and we should be more vigilant using their product.

In the overall scheme of things, this is a small and fixable flaw for a feature that 80 percent of people may never even use.  But it is an example of what can go wrong when you inject private contacts into a public stream.  Google needs to be extra careful with details like this