The press isn’t getting Heartbleed

This is like a slow motion 9/11 — it really is that serious.

No one is alarmed. The companies that should be safing-up their servers are moving too slowly.

This is very much like the buildup to the war in Iraq when the media didn’t carry the real story.

Only this time there is a lot that we should be doing that we aren’t doing.

What we should be doing

  1. Locating and updating the vulnerable servers.

There is no number 2.

Changing passwords is security theater. It doesn’t fix anything: if hackers have access to your passwords, they have access to the new ones too.

What we should be doing: Specifics

In a comment below, I outlined a plan. I thought it should be in the post itself.

  1. First, I think we need leadership. Then we need to have a surefire way to discover vulnerable servers. You have to figure the hacking community is working quickly to figure out how to do this, if they haven’t already done so.

  2. Then we have to enlist the help of users in discovering those servers.

  3. A simple feature added quickly to all the major browsers that lights up when you’re on a server that’s not secure. And that event goes into a database, and that information is quickly shared with the owner of the system, when they can be located (some are not going to be easily located).

  4. Then again, if we had some leadership we could just isolate those systems. Cut them off the net, so that they themselves can be damaged, but they can’t be used themselves to cause damage. Again I’m sure we’re falling behind the bad guys as we speak. Of course they aren’t running press releases. That’s probably the major reason the press isn’t carrying any of the urgent messages that need to get out there.

  5. A Kickstarter project that was immediately funded to do this work would be a good sign. Then we have to get the Netcraft people involved, and Schneier, and maybe a few other organizations that are good at communicating with programmers — O’Reilly, the developer programs at the big tech companies — Google, Apple, Facebook, Amazon, Microsoft, Twitter, Oracle, IBM, Salesforce, etc. Stack Exchange, Hacker News, Slashdot.

  6. The goal is to develop a communication system, quickly, to help locate and fix the vulnerable systems. And then brace for what comes next.



  1. It’s a gender-specific putdown, like saying a woman is emotional, or a black person “uppity.”

  2. Not only is it rude, unfair, and a lot of other negative things, it also says that the accuser has no real objection to what the person is saying. If they did, why resort to an ad hominem attack?

  3. If you’re being lectured at, condescended to, how about walking away?

  4. The term is also wildly misused. How could a blog post be mansplaining? Yet I’ve heard it said many times that a blog post is. (You’re not cornered; you can always hit the Back button. And it’s not making any assumptions about the gender of the reader; blog posts are read by people of all genders, races, ages, etc.)

  5. Women do it too.

  6. I’ve read all the literature on it. No need to send pointers.

  7. If the term is a feminist ideal, to label a bad behavior so people can see it, it has backfired. The term is most often used to shut people up, to shame them.


Reading Ted Nelson on an iPhone

Yesterday I wrote I was doing stuff with XML-RPC, but didn’t say what I was doing.

I hit a conceptual stopping point on a user interface project I’ve been working on, inspired by Jay Rosen’s use of Fargo as a presentation tool in his talk last week in Austin. I needed to move from the UI to the machine room, to plumbing and wiring, some of it, in computer networking terms, quite ancient!

Sometimes that helps clear the mind, switching what kind of puzzle you’re working on. So if you hit a conceptual wall working on the user-facing stuff, switch gears and do some work on the plumbing.

My interest is in letting people use Fargo to edit whole WordPress blogs. So I started breaking the problem up into bits, and found that there really isn’t a whole lot to it. Fargo can already create WordPress blog posts, and edit them of course. All I should have to do is 1. create the data structure that Fargo creates, and 2. effectively fool it into believing it had created it too. And that led me to creating a WordPress-to-OPML utility app, in JavaScript, of course (I already have lots of stuff like that in the OPML Editor).

And that led me to various approaches for talking to WordPress from JavaScript clients, but I hit CORS walls, and decided that it would be better to put this code on a server, especially since I’ve mastered the setting up of new node.js apps on Heroku. At first I found several packages that use XML-RPC to communicate with WordPress. I smiled when I saw the MetaWeblog API calls from the late 90s in a node.js wrapper. I suppose that’s like reading Ted Nelson’s book on an iPhone. Amazingly it not only works, in both cases — but works really well! Some bits of technology move forward into the future, others don’t.

It was so gratifying to come back after having left the world of XML-RPC, basically when I started doing app development on top of Twitter; I was using it as I used to use XML-RPC. Now I find not only has WordPress continued to support their XML-RPC interfaces, but they have enhanced them. I was expecting a long slog to get the connection working, but it happened so quickly, just a few minutes, that it threw me off-balance.

Now I’m working my way through various example websites. I have it completely working with my concord test site.

I’m looking at all the WordPress blogs I have close at hand to see if they work with the new utility. I hit some problems with the Rebooting the News blog, which brings me full circle back to Jay. There are problems, so I’m reading the old posts as I work through it. More memories. Funny how there’s a time for digging new holes, and then there’s a time for going back to see how the ones I dug years ago are doing. Happy to report, everything still appears to be there.


Old-time laptops

In the early-mid 80s the art of laptop computers was just getting started.

A picture named trs80Model100.gif

That’s a picture of the TRS 80 Model 100.

It ran Microsoft software, if I remember correctly — couldn’t run what we now call “apps.” But it had a little word processor and a BASIC interpreter, and could connect up to your desktop computer. I owned one, but never really used it. I was an Apple II guy at the time, about to transition to the IBM PC.

My first real laptop was the DG One. I was one of its early developers. Really made an impression. It was a real computer. Quite heavy, almost in what was then called the luggable category. The great thing about it was that it was not an almost-clone of the IBM PC, it was an exact clone. That meant it had lots of software. The near-compatible computers of the day all withered on the vine.


Weekend linkblog posts

I haven’t yet combined the linkblog feed with the main Scripting News feed. I want to give aggregator developers a bit more time to learn how to deal with title-less feed items. But if you’re subscribed to this feed, I wrote a few mini-essays on the home page yesterday that you might want to read. Here’s the link.


Podcast: What the Fuck!

I did a five-minute podcast with a revised idea of what the Internet is in light of what we’ve learned in the last week. It’s not anything like what we imagined it was.

What to do? See the title of this post for a suggestion.

I'm trying to think but nothing happens!


Interapplication communication in JavaScript

How are we going to do interapplication communication between apps written in JavaScript running on the same machine?

I use localStorage

The client app stores a string in a known location. The server watches that location. When a string shows up, the server converts it to uppercase, deletes the string, and stores the new string in another known location.

The client app watches that second location; when a value shows up, it displays it for the user.

A limit

There is a limit — the two apps have to originate from the same domain, because only apps from the same domain can share space in localStorage.
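The exchange described above, as an added example written for this page and not the code in the post’s GitHub repository. The key names `ipc.request` and `ipc.response` are assumptions (the post only says "known location"), and `memoryStorage` is a stand-in for `window.localStorage`, constructed here so the round trip can run in Node.js as well as in a browser. In a browser, `attachBrowserHandlers` wires the same functions to the `storage` event, which fires in every other tab on the same origin when a key changes (but not in the tab that changed it), so neither side has to poll.

```javascript
// Added example, not from the original post: client/server interapplication
// communication through localStorage. Key names are assumed; memoryStorage is a
// constructed stand-in so the logic runs outside a browser.

const REQUEST_KEY = "ipc.request";    // assumed name for the client -> server slot
const RESPONSE_KEY = "ipc.response";  // assumed name for the server -> client slot

// Minimal stand-in for window.localStorage (constructed for this example).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Client side: write the request string to the known location.
function clientSend(store, text) {
  store.setItem(REQUEST_KEY, text);
}

// Server side: if a request is waiting, consume it, uppercase it and publish the result.
// Returns the published response, or null when there was nothing to handle.
function serverPoll(store) {
  const req = store.getItem(REQUEST_KEY);
  if (req === null) return null;
  store.removeItem(REQUEST_KEY);       // delete the request so it is not handled twice
  const resp = req.toUpperCase();
  store.setItem(RESPONSE_KEY, resp);
  return resp;
}

// Client side: pick up the response when it appears and clear the slot.
function clientReceive(store) {
  const resp = store.getItem(RESPONSE_KEY);
  if (resp === null) return null;
  store.removeItem(RESPONSE_KEY);
  return resp;
}

// Whole round trip in one process, useful for checking the logic without two tabs.
function roundTrip(text, store = memoryStorage()) {
  clientSend(store, text);
  serverPoll(store);
  return clientReceive(store);
}

// Browser wiring: each page calls this with its role. The storage event fires in the
// OTHER same-origin tabs when a key changes, so the client tab's write wakes the server
// tab and the server tab's write wakes the client tab. newValue is null on removeItem,
// which is why those events are ignored.
function attachBrowserHandlers(role, onResult) {
  if (typeof window === "undefined") return; // not running in a browser
  window.addEventListener("storage", (ev) => {
    if (role === "server" && ev.key === REQUEST_KEY && ev.newValue !== null) {
      serverPoll(window.localStorage);
    } else if (role === "client" && ev.key === RESPONSE_KEY && ev.newValue !== null) {
      const r = clientReceive(window.localStorage);
      if (r !== null) onResult(r);
    }
  });
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(roundTrip("hello world")); // HELLO WORLD
}
```

The sharing boundary is the origin (scheme, host and port together), which is the precise form of the "same domain" limit above. Everything on that origin, including any third-party script either page loads, can read and rewrite both keys, so the server side should treat whatever arrives in the request slot as untrusted input and validate it before acting on it; uppercasing is harmless, but a real handler usually is not.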

Example app

The example app is in a GitHub repository.

Download the client and server and drag them into your browser.

Enter a string in the client. Click the Submit button. See the result.

Seeing is believing

Some people don’t believe this works. It does.

I’ve deployed it in a real-world app, and there have been no support issues.

And with this demo, you can see with your own eyes.
