Archive for the 'Tech' Category

Broken Windows

Tuesday, June 8th, 2004

Beta of the day: QuickSilver β24 has been out for a while, but I missed it. The download is buried in their forums in accordance with QS’s current “drive potential users away” policy.
Statistic of the day: Infected Windows PCs Now Source Of 80% Of Spam (from Slashdot)

Daring Fireball reports that the latest Security Update (2004-06-07) closes the Mac hole completely. There goes our big vulnerability, and it never even got exploited. I’ll be keeping RCDefaultApp around for its handy file-type handling, but the days of running a real, leaky, hack-me-hard OS are over for my Mac.

Just a few days back, Daring Fireball blogged an interesting “broken windows” theory of PC viruses and spyware:

My answer to the question posed earlier — why are Windows users besieged with security exploits, while Mac users suffer none? — is that Windows is like a bad neighborhood, strewn with litter, mysterious odors, panhandlers, and untold dozens of petty annoyances. Many Windows users are simply resigned to the fact that their computers contain software that is not under their control. And if they’ll tolerate an annoying application that badgers them with pop-up ads, well, why not a spyware virus that logs every key you type, then sends them back to the creator? (That’s a real virus, by the way, Korgo, which hit Windows at the end of May and is spreading quickly.)

The Mac is like a good neighborhood, where the streets are clean and the crime rate low. You don’t need bars on your windows in a good neighborhood; you don’t need anti-virus software on the Mac.

I think the issue is even more basic than adware leading to viruses in the way that one broken window leads to many broken windows. If I were to make the broken window analogy, it would be the broken windows sold by Microsoft that lead to both adware and viruses. If you expect the OS to behave erratically - chewing up your files, popping up mysterious error messages, crashing, and requiring frequent reinstalls for no adequately explained reason - then you already have the bad neighborhood that makes adware and viruses seem natural. You didn’t watch your lovely block going bad as the crack-ho’s moved in - no, you bought a fixer-upper in the ‘hood with your eyes wide open.

That is to say, you tolerated the broken windows by paying Microsoft for them in the first place. Mac users demand a functional OS not by our postulated eternal vigilance (of which there’s neither need nor evidence) against spyware, but by buying a functional OS in the first place. We’ve moved out to the ‘burbs.

Line Breaks

Friday, June 4th, 2004

I’m having line break problems again here in WP 1.2. The fix that fixed 1.0.2 isn’t working as well as it did before. It still fixes the big problem of old Blogger line breaks in posts, but it messes up those posts in which I used MovableType’s “convert line breaks” option. (Maybe it did in 1.0.2 as well, and I somehow missed it.) Fortunately, I didn’t use MT linebreak conversion as much as I did Blogger, so I can go back and edit those posts easily.

The code to fix has moved to wp-includes/functions-formatting.php. Change function wpautop($pee, $br = 1) { to function wpautop($pee, $br = 0) {. This seems to cause some odd double-spacing inside pre tags, which I may try to fix in the future.

Pure Mac

Wednesday, June 2nd, 2004

Lorem Ipsum of the day: The Motherlode can even generate Morse Code

Veronica asked me about FTP clients for the Mac. I’ve been using command line ftp since OS 10.1 - it’s free and reminds me of my misspent youth on SunOS. The first thing that sprang to mind was, of course, Transit (links are coming), but that costs money - I know because I stopped using it when my demo expired.

You never know when a new FTP client has come out (well, I do, but I’m speaking rhetorically here), so I tried Google and discovered…Pure Mac is back! Pure Mac isn’t an FTP client - it’s the ultimate index of Mac shareware. It used to be the site to visit to find Mac software, and then they stopped updating. But now it’s being revived and the FTP page is one of the ones that has already been updated.

So with the help of Pure Mac I was able to recommend - and download for myself - Cyberduck, a free FTP client for MacOS X (10.3 and above) with a very cool icon.

As long as I’m maccing, here’s a link dump:

Redesigned Again

Tuesday, June 1st, 2004

Despite my fears of the dreaded lost password problem, I upgraded to WordPress 1.2. I did, indeed, experience the Dread Problem, but deleting my wordpress cookies solved it for me. Others have not been so lucky. (I backed up the database before making any sudden moves, of course.)

The new version spontaneously reordered my categories, but this advice fixed the problem. I’m hoping to use the subcategory feature to organize my categories better, although it’s kind of flaky.

Note the new blog design. If it looks dull and grey, give it a minute. In a real browser, color will slowly trickle in. I’m using the colorpress script under a semi-transparent greyscale PNG background image to get the colors. Since Win/IE is a piece of aging junk that can’t handle transparency, the most you’ll see with it is some pretty text colors. I’m also seeing some wackiness with the tabs and post content in Mac/IE - the workaround is, as always, to use a real browser. Tell me, though, if Win/IE munges the entries as well. Thanks.

[Update:] With Seema’s help, the Win/IE flashing problem has been fixed and the floating comment box is more or less anchored in the right place. To fix the latter I reduced the number of columns in the textarea from 70 to 40. (I had to edit wp-comments.php by hand to do that. While I was in there I upped it from 4 rows to 6.) The stylesheet then resizes it to the correct size in real browsers. Mac/IE’s float bug is beyond my power to fix, but if you make the window narrow enough (just over the width of the tab bar), the blog will become legible.

Colorpress

Tuesday, May 25th, 2004

This spam in a can blog entry was brought to you by WordPress and the Edit Timestamp checkbox.

I’ve converted Eric Costello’s old technicolor Blogger template to WordPress. Back in the days of MovableType I’d converted it to MT, which was much more of a headache. This switch was relatively painless. See the demo! Download the two required files: colorpress.css and colorpress.js. The instructions are simple and can be found at the top of either file.

As you can see, I’m not actually doing the trippy technicolor thing myself, but I converted it because I do want to incorporate a similar effect into the blog at some point. As I write this, it’s late, late at night, but if all goes well this blog entry will become visible tomorrow morning. Future canned blogging will also be labelled “spam in a can” because I like the way it sounds.

Android Still Paranoid

Saturday, May 22nd, 2004

Birthday of the day: Jerie - keep on shippin’!

According to the maker of Paranoid Android, the latest security update from Apple (2004-05-24) fixes Help but hasn’t fixed everything. Nevertheless, I was unable to get his sample malware to hack my Mac. See his whitepaper on the hole for the examples.

Now that help: is fixed, I think I’ll disable afp:, ftp:, gopher:, disk:, and disks: with RCDefaultApp until I hear more definite info on the subject of protocol registration. I usually ftp from the command line and never use the other protocols. [Update:] I was wondering about telnet: and DaringFireball confirms that it’s a problem, but ssh: isn’t.

I’m sorry this Mac problem has distracted me once again from my next Boston in the Third World post. I have to post my growing collection of links tomorrow, because… well, I’ll explain then.

Paranoid Android and Paranoid Bloggers

Thursday, May 20th, 2004

Some timely Mac and blog links:

Blog Rolling

Wednesday, May 19th, 2004

WMD of the day: See No Sarin, Hear No Sarin, Speak No Sarin

I’ve added my NetNewsWire subscriptions to the sidebar. I have 85 subscriptions, so I set the link list to bring up two or three at random from each category, plus a couple of fanfic links. I hope that suffices for anyone wishing to surf on.

[Update:] I also did a WP hack to display the list of recent posts. That shouldn’t require a hack but it does, at least in WP 1.0.2. It was - as all WP tweaks seem to be - frighteningly easy.

Coming of Age in Cupertino

Wednesday, May 19th, 2004

The celebrations have been somewhat muted, but Mac OS X now has a real, live exploit. It’s not a virus or a worm but a security flaw in Help that can be exploited by a web browser. Like the recent trojan scare, the Help bug was discovered by a nice Mac user, not an evil hacker - unless someone exploits the exploit before Apple patches it, we still won’t have made a splash in the big world of PC viral malice.

Insecure.ws has an announcement about the problem, Jay Allen has a good discussion, and macosxhints [fixed link] goes into it as well.

Here’s the short form: Help will run any AppleScript you tell it to. Most, if not all, Mac browsers will pass the help: protocol to, not surprisingly, the Help Viewer. Here’s a (harmless) example: help:runscript=../../Scripts/Info Scripts/Current Date & Time.scpt.

There has to be a script somewhere for Help to run. Where would it come from? If you have Safari set up to automatically open disk images (.dmg files) it can come from there, but unfortunately there’s also a disk: protocol that Mac browsers can use to open a remote disk image. People have advised that you turn off the auto-open option and disable the disk protocol, or alternately that you chmod 000 Help or otherwise hack the misbehaving Help program.

It sounds like the best approach is to disable the help: protocol itself. That’s all I did - I didn’t bother with disk:. I hear you can use IE to change the help protocol’s behavior, but I did it by downloading and installing the MoreInternet pref panel, opening System Preferences, and changing the helper for the help protocol. I set the protocol to open TextEdit rather than Help. TextEdit will sit there and look confused when Safari passes it a help: request, but no harm is done.

If for some reason you want to undo this change - say, when Apple patches the problem, or to test the link above like I just did - you can find Help at /System/Library/CoreServices/Help Viewer.app when MoreInternet or IE asks for your new helper application. MoreInternet makes the changes live so you don’t have to reboot or close any browsers. I can’t vouch for the IE approach.
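A defensive check for the behaviour described in this post, added here as an example and not code from the original post: it scans a page's HTML for links and meta refreshes that use the URL schemes these posts single out (help:, disk:, disks:, telnet:) and notes when a help: URL carries runscript. The blocklist, the attribute list and the sample page are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes named in the posts on this page; using them as a blocklist is this example's assumption.
RISKY_SCHEMES = {"help", "disk", "disks", "telnet"}
URL_ATTRS = {"href", "src", "action", "data"}
META_REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\">]+)", re.I)

class SchemeAuditor(HTMLParser):
    """Collect (tag, url, reason) for every URL that uses a risky scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _check(self, tag, url):
        # Drop the whitespace a browser would ignore before reading the scheme.
        cleaned = re.sub(r"[\t\r\n]", "", url).strip()
        scheme = urlsplit(cleaned).scheme.lower()
        if scheme not in RISKY_SCHEMES:
            return
        reason = f"risky scheme {scheme}:"
        if scheme == "help" and "runscript" in cleaned.lower():
            reason += " asks Help Viewer to run a script"
        self.findings.append((tag, cleaned, reason))

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v}
        for name in sorted(URL_ATTRS.intersection(attrs)):
            self._check(tag, attrs[name])
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            match = META_REFRESH_URL.search(attrs.get("content", ""))
            if match:
                self._check(tag, match.group(1))

def audit(html):
    auditor = SchemeAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page, not taken from any real site.
SAMPLE = """
<a href="http://example.com/">ordinary link</a>
<a href="HELP:runscript=../../Scripts/Info Scripts/Current Date & Time.scpt">date</a>
<meta http-equiv="refresh" content="0; url=disk://example.invalid/image.dmg">
<a href="ssh://example.com/">ssh: is left alone</a>
"""
```

Calling audit(SAMPLE) returns two findings, one for the help: link and one for the disk: refresh; the http: and ssh: links are not reported.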


In the Days of MovableType

Wednesday, May 19th, 2004

I promise I’ll move on from the tempest-in-a-template after this, but Mena asked for trackbacks on how people use MT and if I can’t forgive like Phil Ringnalda at least I can explain. So, in return for years of blogging pleasure, here is my story:

I used to have a single MT installation with three blogs, two user accounts, and one user. I used my real username on my main blog, and a fake user to create two demo blogs. The demos of my old MT styleswitcher and adaption to MT of a color rotating template are still running at my previous host. I’m not sure whether the fake user approach would violate the one-user rule, but in any event the real me is no longer active at that installation.

My main blog moved with me to my new host, and I also started a second blog here for updates on the ficml project. That second blog has two users, but for convenience I decided we would both post using my user account and with the username removed from the templates - making our posts the anonymous declarations of FicML. So am I one user with two blogs, or two users with two blogs?

But that is only the beginning of my accounting problems. As explained in a previous post, my free, non-commercial host runs a single MT installation for all resident bloggers. I have no idea how many of us there are. So the unbelievably nice guy who provides not just our MT installation but PHP, MySQL, bandwidth and other goodies for free might have to pay hundreds of dollars to upgrade to MT 3.0. He may be all the way off the pricing chart for all I know, yet with no income from us leeches to pay for MT.

I admit that at the time of my move I had doubts about putting my blog into someone else’s hands, but it turned out fine. I got MT (currently 2.661) and MT-Blacklist with no installation or upkeep hassles. I worried about backups, not about a sudden change in licensing that would make my two little blogs into a $700 commercial enterprise. Of course each blogger here at irth.net could run his own MT installation (since every one of us is a non-commercial user) - so what’s the difference, really, in having us all joined up into one big installation? The answer would appear to be $700 - the price for being an unbelievably nice web hosting service.

The folks at SixApart must find it hard to have made such a popular piece of software and yet have no income to speak of from it, but there’s not much money to be had in blogging to begin with. The application service providers (TypePad, Blogger, LiveJournal) get money out of only a portion of their bloggers - we MT users being the free end of the TypePad pricing spectrum - and those who pay for it are generally the more popular bloggers who have the ad income or the LJ fanbase to support their higher service levels.

Charging big bucks for MT, however, is not selling a high-end blogging service - it’s selling the right to be an MT application service provider. That’s a job most people do for love, not that they have a choice in the matter. What end-user will give their money to some upstart ASP who paid SixApart $700 when they could use TypePad instead? How do you attract paying customers from a non-paying user base? That’s the problem SixApart is trying to pass on to MT users.

I’m just not seeing the revenue stream here.