Archive for 2004

Disempowered

Monday, May 24th, 2004

Mac security hole site of the day: another fine hole recap from Daring Fireball

The power was out for five hours today, but you know, it could have been worse. (Thanks to MacNetJournal for the link.) The next date of disempowering has not been scheduled - blog services could fail at any time. In the last third-world country I called home, the power would go out whenever the wind blew. There’s a thunderstorm passing through at this very mo–

Neither Snow nor Rain nor Jamaica Plain

Sunday, May 23rd, 2004

So many links have piled up on my Third World Watch here in Boston that I’m not sure how I’ll get through them all.

The road to May perdition all started when the Boston Globe published explicit pornography as news. World Net Daily found the Internet pron source of the alleged photos of GI’s raping Arab prisoners. The Globe had to apologize, though no heads rolled and they didn’t admit the real source of the images. Ironically, the Boston Herald rejected the photos as unsubstantiated and highly suspicious. (For those of you playing the home game, that’s like the New York Times falling for a scam that the New York Post sees right through.)

After all that the onset of gay marriage, complete with an ongoing flap between the governor and certain cities over marrying non-Massachusetts residents, was a drop in the bucket.

Then there was the title scandal, in which a couple of letter carriers stopped delivering mail to a JP housing project for fear of their lives. Service has been restored - much more quickly, the article mentions, than in Fall River where part of the city was cut off for weeks for similar reasons.

Now I hear that I may get carded for taking the T. My civil liberty to travel more slowly by streetcar than on foot without ID is about to be infringed. I can hear the conversation now:

“What do you mean, you’re going to South Station? You’re on a bus bound for Cambridge.”

“Really, officer, it’s the fastest way. The Green Line is no way to get downtown. If I catch the Red Line in Harvard Square–”

“I’m going to need to see some ID, ma’am.”

“Will my Shaw’s card do?” I wave the little keychain tag at the officer’s high-tech terrorist detection system.

“No. Can I see your license?”

“I tried to renew it, but the line at the DMV was three days long and then they asked for my social security card which I lost back in ‘93…”

“Mass liquor ID?”

“The line at the DMV was three days long–”

“Passport?”

“Do I need one to visit Cambridge?”

The officer sighs and moves on, before I get the chance to offer him my CVS Extra Value card.

And last but not least, the reason why I had to Boston-blog today: the power goes out tomorrow for three weeks. Initial warnings of this upcoming event came by automatic dialer and were phrased in terms of two half-hour outages one weekend morning - I had to listen to the voicemail several times through before I figured out they meant the electricity (rather than phone, gas, water, or sewage). Since then, much scarier warnings have been posted all over the building. I admit, they don’t explicitly predict 3 weeks without electricity, but they’re phrased in such a way that if the power does go out for the entire 3 weeks, they can say we were warned.

It’s not the hardship it sounds, because we’re not allowed to have air conditioners anyway. If things go awry, as they so oft do here in the third world, I may have to eat half a gallon of ice cream in one sitting - a hardship for which I’m well-prepared.

Fortunately, with WordPress I can blog ahead of time and it will publish my entries on its own. You may not even notice the interruption of blogging services.

Android Still Paranoid

Saturday, May 22nd, 2004

Birthday of the day: Jerie - keep on shippin’!

According to the maker of Paranoid Android, the latest security update from Apple (2004-05-24) fixes Help but hasn’t fixed everything. Nevertheless, I was unable to get his sample malware to hack my mac. See his whitepaper on the hole for the examples.

Now that help: is fixed, I think I’ll disable afp:, ftp:, gopher:, disk:, and disks: with RCDefaultApp until I hear more definite info on the subject of protocol registration. I usually ftp from the command line and never use the other protocols. [Update:] I was wondering about telnet: and DaringFireball confirms that it’s a problem, but ssh: isn’t.

I’m sorry this mac problem has distracted me once again from my next Boston in the Third World post. I have to post my growing collection of links tomorrow, because… well, I’ll explain then.

Paranoid Android and Paranoid Bloggers

Thursday, May 20th, 2004

Some timely Mac and blog links:

Blog Rolling

Wednesday, May 19th, 2004

WMD of the day: See No Sarin, Hear No Sarin, Speak No Sarin

I’ve added my NetNewsWire subscriptions to the sidebar. I have 85 subscriptions, so I set the link list to bring up two or three at random from each category, plus a couple of fanfic links. I hope that suffices for anyone wishing to surf on.

[Update:] I also did a WP hack to display the list of recent posts. That shouldn’t require a hack but it does, at least in WP 1.0.2. It was - as all WP tweaks seem to be - frighteningly easy.

Coming of Age in Cupertino

Wednesday, May 19th, 2004

The celebrations have been somewhat muted, but Mac OS X now has a real, live exploit. It’s not a virus or a worm but a security flaw in Help that can be exploited by a web browser. Like the recent trojan scare, the Help bug was discovered by a nice Mac user, not an evil hacker - unless someone exploits the exploit before Apple patches it, we still won’t have made a splash in the big world of PC viral malice.

Insecure.ws has an announcement about the problem, Jay Allen has a good discussion, and macosxhints [fixed link] goes into it as well.

Here’s the short form: Help will run any AppleScript you tell it to. Most, if not all, Mac browsers will pass the help: protocol to, not surprisingly, the Help Viewer. Here’s a (harmless) example: help:runscript=../../Scripts/Info Scripts/Current Date & Time.scpt.

There has to be a script somewhere for Help to run. Where would it come from? If you have Safari set up to automatically open disk images (.dmg files) it can come from there, but unfortunately there’s also a disk: protocol that Mac browsers can use to open a remote disk image. People have advised that you turn off the auto-open option and disable the disk protocol, or alternately that you chmod 000 Help or otherwise hack the misbehaving Help program.

It sounds like the best approach is to disable the help: protocol itself. That’s all I did - I didn’t bother with disk:. I hear you can use IE to change the help protocol’s behavior, but I did it by downloading and installing the MoreInternet pref panel, opening System Preferences, and changing the helper for the help protocol. I set the protocol to open TextEdit rather than Help. TextEdit will sit there and look confused when Safari passes it a help: request, but no harm is done.

If for some reason you want to undo this change - say, when Apple patches the problem, or to test the link above like I just did - you can find Help at /System/Library/CoreServices/Help Viewer.app when MoreInternet or IE asks for your new helper application. MoreInternet makes the changes live so you don’t have to reboot or close any browsers. I can’t vouch for the IE approach.
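As a complement to disabling the helper, a defender can check whether a saved page links to any of the schemes discussed in these posts. The sketch below is an added example, not code from the original post or from Apple; the scheme list comes from the posts on this page, and the sample markup and `example.invalid` hosts are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Schemes the posts on this page single out (help, disk) or plan to disable.
RISKY_SCHEMES = {"help", "disk", "disks", "afp", "ftp", "gopher", "telnet"}
SCHEME_RE = re.compile(r"\s*([a-z][a-z0-9+.-]*):", re.IGNORECASE)


class SchemeAuditor(HTMLParser):
    """Collect href/src attributes whose URL scheme is on the risky list."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in ("href", "src") or not value:
                continue
            match = SCHEME_RE.match(value)
            if not match or match.group(1).lower() not in RISKY_SCHEMES:
                continue
            scheme = match.group(1).lower()
            decoded = unquote(value).lower()  # also catches %2e%2e-style encoding
            reason = "risky scheme"
            if scheme == "help" and "runscript" in decoded:
                reason = "help: runscript request"
                if "../" in decoded:
                    reason += " with path traversal"
            self.findings.append((tag, scheme, reason))


def audit_html(html):
    """Return (tag, scheme, reason) for every flagged link in the markup."""
    auditor = SchemeAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page; the first link is the harmless example quoted above.
SAMPLE = """
<a href="help:runscript=../../Scripts/Info%20Scripts/Current%20Date%20%26%20Time.scpt">date</a>
<a href="disk://example.invalid/image.dmg">image</a>
<a href="TELNET://example.invalid/">console</a>
<a href="ssh://example.invalid/">shell</a>
<a href="https://example.invalid/help:index">ordinary link</a>
"""
```

Calling `audit_html(SAMPLE)` flags the help:, disk: and telnet: links and leaves the ssh: and https: links alone, matching the distinction drawn in the posts.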

(more…)

In the Days of MovableType

Wednesday, May 19th, 2004

I promise I’ll move on from the tempest-in-a-template after this, but Mena asked for trackbacks on how people use MT and if I can’t forgive like Phil Ringnalda at least I can explain. So, in return for years of blogging pleasure, here is my story:

I used to have a single MT installation with three blogs, two user accounts, and one user. I used my real username on my main blog, and a fake user to create two demo blogs. The demos of my old MT styleswitcher and adaption to MT of a color rotating template are still running at my previous host. I’m not sure whether the fake user approach would violate the one-user rule, but in any event the real me is no longer active at that installation.

My main blog moved with me to my new host, and I also started a second blog here for updates on the ficml project. That second blog has two users, but for convenience I decided we would both post using my user account and with the username removed from the templates - making our posts the anonymous declarations of FicML. So am I one user with two blogs, or two users with two blogs?

But that is only the beginning of my accounting problems. As explained in a previous post, my free, non-commercial host runs a single MT installation for all resident bloggers. I have no idea how many of us there are. So the unbelievably nice guy who provides not just our MT installation but PHP, MySQL, bandwidth and other goodies for free might have to pay hundreds of dollars to upgrade to MT 3.0. He may be all the way off the pricing chart for all I know, yet with no income from us leeches to pay for MT.

I admit that at the time of my move I had doubts about putting my blog into someone else’s hands, but it turned out fine. I got MT (currently 2.661) and MT-Blacklist with no installation or upkeep hassles. I worried about backups, not about a sudden change in licensing that would make my two little blogs into a $700 commercial enterprise. Of course each blogger here at irth.net could run his own MT installation (since every one of us is a non-commercial user) - so what’s the difference, really, in having us all joined up into one big installation? The answer would appear to be $700 - the price for being an unbelievably nice web hosting service.

The folks at SixApart must find it hard to have made such a popular piece of software and yet have no income to speak of from it, but there’s not much money to be had in blogging to begin with. The application service providers (TypePad, Blogger, LiveJournal) get money out of only a portion of their bloggers - we MT users being the free end of the TypePad pricing spectrum - and those who pay for it are generally the more popular bloggers who have the ad income or the LJ fanbase to support their higher service levels.

Charging big bucks for MT, however, is not selling a high-end blogging service - it’s selling the right to be an MT application service provider. That’s a job most people do for love, not that they have a choice in the matter. What end-user will give their money to some upstart ASP who paid SixApart $700 when they could use TypePad instead? How do you attract paying customers from a non-paying user base? That’s the problem SixApart is trying to pass on to MT users.

I’m just not seeing the revenue stream here.

Green Tabs

Tuesday, May 18th, 2004

In a burst of energy better spent elsewhere, I tweaked the blog style to match my site a bit better. I’m still not fully satisfied with it, but it’s close enough for the time being. And it was unexpectedly easy - unlike MT, WordPress has just the one template file, in simple HTML with some PHP floating around it. MT, on the other hand, had a zillion templates, each of which I had to wrestle to get it to match the main site style.

I did have some problems, but they were mainly a result of being too geeky for my own good. For example, my tab navigation is generated with PHP - my PHP was fighting with WordPress’s PHP over the variable $siteurl. I renamed my variables, but what I should have done was put a static copy of the navigation into the template. But there were so many things in there already that were dynamic and could easily have been static that my little nav tabs seemed like a drop in the bucket. I did hard-code the title of the blog, which hasn’t changed in years and really doesn’t need to be fetched from the database every time.

I’d offer my revised CSS for public consumption but since I both changed the WP template and integrated the CSS into my larger site style (jp_tab.css - body class “wpblog”), it wouldn’t be much use to the beginning WP user.

Redirects and Rewrites

Monday, May 17th, 2004

Weird link of the day: Mean Kitty for Veronica

I ought to be doing some Boston blogging now that two guys can get married in the state of Massachusetts, but the truth is that Jemima has been geeking while Rome burns. I figure as long as we’re redefining words here in Mass., I can rewrite some URL’s for you.

So, I have the usual geek MT file structure in my moveabletype directory (with an extra e for character):

moveabletype/index.html        (the main index)
moveabletype/index.rdf         (one of several RSS formats)
moveabletype/archives.html     (the MT archive index page)
moveabletype/cat_anomaly.html  (one of 20 or so category archives)
moveabletype/2001_09.html      (one of 40 or so monthly archives)
moveabletype/2004/05/08/iq_by_state.html
                               (one of 900 or so individual entries)
moveabletype/blogages/         (image directory for icons, etc.)
moveabletype/templates/        (template directory)

The new WordPress virtual file structure is a bit different:

wordpress/index.php         (the main index)
wordpress/wp-rss2.php       (the single RSS format)
wordpress/category/anomaly/ (one of 20 or so category archives)
wordpress/2001/09/          (one of 40 or so monthly archives)
wordpress/2004/05/08/       (one of 900 or so daily archives)
wordpress/2004/05/08/iq-by-state/
                            (one of 900 or so individual entries)

So the question is, how do I redirect the first set of URL’s to the second set? I’ve seen advice out there for a few approaches involving PHP, JavaScript or mod_rewrite.
I decided to use mod_rewrite only rather than rebuild my thousand MT pages (never again!). I’ve been playing with it for a while now, and here’s my final answer:

(more…)
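The author's mod_rewrite rules are not reproduced on this page. As an added example (not the author's rules), the mapping between the two layouts listed above can be written as anchored patterns that return nothing for any path they do not recognise; the function name and the choice to leave category names unchanged are assumptions.

```python
import re

# Old MT path (relative to the blog root) -> builder for the WordPress path.
# Patterns follow the two directory listings above; each must match in full.
RULES = [
    (r"(?:index\.html)?", lambda m: "index.php"),
    (r"index\.rdf", lambda m: "wp-rss2.php"),
    # Assumption: category names carry over unchanged (cat_anomaly -> anomaly).
    (r"cat_([a-z0-9]+)\.html", lambda m: f"category/{m[1]}/"),
    (r"(\d{4})_(\d{2})\.html", lambda m: f"{m[1]}/{m[2]}/"),
    # Entry slugs switch from underscores to hyphens (iq_by_state -> iq-by-state).
    (r"(\d{4})/(\d{2})/(\d{2})/([a-z0-9_]+)\.html",
     lambda m: f"{m[1]}/{m[2]}/{m[3]}/{m[4].replace('_', '-')}/"),
]
COMPILED = [(re.compile(pattern), build) for pattern, build in RULES]


def translate(path, old_root="moveabletype/", new_root="wordpress/"):
    """Return the WordPress path for an old MT path, or None if no rule applies.

    Unmatched paths (images, templates, anything unexpected) get None, so the
    caller serves them as before instead of redirecting to a guessed target.
    """
    if not path.startswith(old_root):
        return None
    rest = path[len(old_root):]
    for pattern, build in COMPILED:
        match = pattern.fullmatch(rest)
        if match:
            return new_root + build(match)
    return None
```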

Rat + Sinking Ship = WordPress

Sunday, May 16th, 2004

If this blog is green, then you’ve made it to the fourth major revision of Speak Stiltedly etc., etc. Long, long ago on a server far, far away, my blog began in a wiki. It quickly moved to Blogger at Blogspot. In a minor change, I gave up Blogspot and started publishing to my webspace at Freeshell. Blogger was annoying, and after the umpteenth mangled post, I made the big switch and installed my own MovableType at Freeshell.

Next came a minor move to my lovely free host here at irth.net, where mine is just one of many blogs on their big blog server. And there’s the rub, for the sad news came out last week that MovableType will be charging the big bucks for MT 3.0 for all users running more than 3 blogs (upped to 5 this weekend) on their MT installations. You can follow the details on any geek blog - I’m way behind on this bit of /. fodder, which seems to have blown the Google outsourcing scandal right off the blogrolls.

Needless to say, I don’t expect my free host to pay hundreds and hundreds and a couple more hundreds of dollars so I can have a relatively insignificant update from MT 2.661 to MT 3.0. But I am a geek, so I can’t stagnate at MT 2.661 for the rest of my blogging life.

It was time for a change, anyway, so I took Mark Pilgrim’s tale of Freedom 0 to heart and installed WordPress. It’s a lot like MT, but it’s PHP based with no static pages. I was a little disappointed by the lack of staticicity, but it does seem to whip the pages out pretty quickly on the fly and seems cleaner all around.

On the down side, I had some troubles testing it on my Mac - I couldn’t get mod_rewrite to rewrite URLs (perhaps because WP didn’t have permission to write an .htaccess file), and the keychain choked on the beta I downloaded (RC1.2). At the moment I’m running version 1.0.2 with a slightly tweaked version of the wp new template. I was also tempted by Toni and Scandinavia (all from Alex King’s contest). When I get a chance, I’ll convert my MT blog style over to WordPress to get the navigation buttons back.

Some links that will help you join me and the other rats here on dry land: