The press isn’t getting Heartbleed

This is like a slow motion 9/11 — it really is that serious.

No one is alarmed. The companies that should be safing-up their servers are moving too slowly.

This is very much like the buildup to the war in Iraq when the media didn’t carry the real story.

Only this time there is a lot that we should be doing that we aren’t doing.

What we should be doing

  1. Locating and updating the vulnerable servers.

There is no number 2.

Changing passwords is security theater. It doesn’t fix anything: if hackers have access to your passwords, they have access to the new ones too.

What we should be doing: Specifics

In a comment below, I outlined a plan. I thought it should be in the post itself.

  1. First, I think we need leadership. Then we need to have a surefire way to discover vulnerable servers. You have to figure the hacking community is working quickly to figure out how to do this, if they haven’t already done so.

  2. Then we have to enlist the help of users in discovering those servers.

  3. A simple feature added quickly to all the major browsers that lights up when you’re on a server that’s not secure. And that event goes into a database, and that information is quickly shared with the owner of the system, when they can be located (some are not going to be easily located).

  4. Then again, if we had some leadership we could just isolate those systems. Cut them off the net, so that they can still be damaged themselves, but they can’t be used to cause damage. Again I’m sure we’re falling behind the bad guys as we speak. Of course they aren’t running press releases. That’s probably the major reason the press isn’t carrying any of the urgent messages that need to get out there.

  5. A Kickstarter project, that was immediately funded to do this work would be a good sign. Then we have to get the Netcraft people involved, and Schneier, and maybe a few other organizations that are good at communicating with programmers — O’Reilly, the developer programs at the big tech companies — Google, Apple, Facebook, Amazon, Microsoft, Twitter, Oracle, IBM, Salesforce, etc. Stack Exchange, Hacker News, Slashdot.

  6. The goal is to develop a communication system, quickly, to help locate and fix the vulnerable systems. And then brace for what comes next.

Posted in Uncategorized | Leave a comment


  1. It’s a gender-specific putdown, like saying a woman is emotional, or a black person “uppity.”

  2. Not only is it rude, unfair, and a lot of other negative things, it also says that the accuser has no real objection to what the person is saying. If they did, why resort to an ad hominem attack.

  3. If you’re being lectured at, condescended to, how about walking away?

  4. The term is also wildly misused. How could a blog post be mansplaining? Yet I’ve heard it said many times that a blog post is. (You’re not cornered, you can always hit the Back button, and it’s not making any assumptions about gender of the reader, blog posts are read by people of all genders, races, ages etc.)

  5. Women do it too.

  6. I’ve read all the literature on it. No need to send pointers.

  7. If the term is a feminist ideal, to label a bad behavior so people can see it, it has backfired. The term is most often used to shut people up, to shame them.

Posted in Uncategorized | Leave a comment

Reading Ted Nelson on an iPhone

Yesterday I wrote I was doing stuff with XML-RPC, but didn’t say what I was doing.

I hit a conceptual stopping point on a user interface project I’ve been working on, inspired by Jay Rosen’s use of Fargo as a presentation tool in his talk last week in Austin. I needed to move from the UI to the machine room, to plumbing and wiring and some of it, in computer networking terms, quite ancient!

Sometimes that helps clear the mind, switching what kind of puzzle you’re working on. So if you hit a conceptual wall working on the user-facing stuff, switch gears and do some work on the plumbing.

My interest is in letting people use Fargo to edit whole WordPress blogs. So I started breaking the problem up into bits, and found that there really isn’t a whole lot to it. Fargo can already create WordPress blog posts, and edit them of course. All I should have to do is 1. create the data structure that Fargo creates, and 2. effectively fool it into believing it had created it too. And that led me to creating a WordPress-to-OPML utility app, in JavaScript, of course (I already have lots of stuff like that in the OPML Editor).

And that led me to various approaches for talking to WordPress from JavaScript clients, but I hit CORS walls, and decided that it would be better to put this code on a server, esp since I’ve mastered the setting up of new node.js apps on Heroku. At first I found several packages that use XML-RPC to communicate with WordPress. I smiled when I saw the MetaWeblog API calls from the late 90s in a node.js wrapper. I suppose that’s like reading Ted Nelson’s book on an iPhone. Amazingly it not only works, in both cases — but works really well! Some bits of technology move forward into the future, others don’t.

It was so gratifying to come back after having left the world of XML-RPC, basically when I started doing app development on top of Twitter; I was using it as I used to use XML-RPC. Now I find not only has WordPress continued to support their XML-RPC interfaces, but they have enhanced them. I was expecting a long slog to get the connection working, but it happened so quickly, just a few minutes, that it threw me off-balance.

Now I’m working my way through various example websites. I have it completely working with my concord test site.

I’m looking at all the WordPress blogs I have close at hand to see if they work with the new utility. I hit some problems with the Rebooting the News blog, which brings me full circle back to Jay. There are problems, so I’m reading the old posts as I work through it. More memories. Funny how there’s a time for digging new holes, and then there’s a time for going back to see how the ones I dug years ago are doing. Happy to report, everything still appears to be there.

Posted in Uncategorized | Leave a comment

Old-time laptops

In the early-mid 80s the art of laptop computers was just getting started.

A picture named trs80Model100.gif

That’s a picture of the TRS 80 Model 100.

It ran Microsoft software, if I remember correctly — couldn’t run what we now call “apps.” But it had a little word processor and a BASIC interpreter, and could connect up to your desktop computer. I owned one, but never really used it. I was an Apple II guy at the time, about to transition to the IBM PC.

My first real laptop was the DG One. I was one of its early developers. Really made an impression. It was a real computer. Quite heavy, almost in what was then called the luggable category. The great thing about it was that it was not an almost-clone of the IBM PC, it was an exact clone. That meant it had lots of software. The near-compatible computers of the day all withered on the vine.

Posted in Uncategorized | Leave a comment

Weekend linkblog posts

I haven’t yet combined the linkblog feed with the main Scripting News feed. I want to give aggregator developers a bit more time to learn how to deal with title-less feed items. But if you’re subscribed to this feed, I wrote a few mini-essays on the home page yesterday that you might want to read. Here’s the link.

Posted in Uncategorized | Leave a comment

Podcast: What the Fuck!

I did a five-minute podcast with a revised idea of what the Internet is in light of what we’ve learned in the last week. It’s not anything like what we imagined it was.

What to do? See the title of this post for a suggestion.

I'm trying to think but nothing happens!

Posted in Uncategorized | Leave a comment

Interapplication communication in JavaScript

How are we going to do interapplication communication between apps written in JavaScript running on the same machine?

I use localStorage

The client app stores a string in a known location. The server watches that location. When a string shows up, the server converts it to uppercase, deletes the string, and stores the new string in another known location.

The client app is watching that location; when a value shows up, it displays it for the user.

A limit

There is a limit — the two apps have to originate from the same domain, because only apps from the same domain can share space in localStorage.
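Here is the request/response mechanism described above written out as an added example. It is not the code from the GitHub repository the post links to; the two key names (`ipc.request`, `ipc.response`) and the `memoryStorage` stand-in are assumptions so that the same functions run under Node as well as in a browser. The same-domain limit is also the only trust boundary this channel has: any script running on that origin, including third-party scripts you load, can read and overwrite both keys, so the server side treats what it finds there as untrusted input (here it only upper-cases a string).

```javascript
// Keys the two pages agree on (assumed names, not from the original post).
const REQUEST_KEY = "ipc.request";
const RESPONSE_KEY = "ipc.response";

// Minimal localStorage stand-in (same getItem/setItem/removeItem shape)
// so the example also runs under Node, where window.localStorage does not exist.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },   // localStorage stores strings only
    removeItem: (k) => { m.delete(k); },
  };
}

// Server side: if a request is pending, clear it and publish the answer.
// Returns true when a request was handled. The value is untrusted: it came
// from whatever script on this origin last wrote the key.
function serverStep(storage, transform) {
  const req = storage.getItem(REQUEST_KEY);
  if (req === null) return false;
  storage.removeItem(REQUEST_KEY);                // consume before answering
  storage.setItem(RESPONSE_KEY, transform(String(req)));
  return true;
}

// Client side: drop the request in the known location ...
function clientSend(storage, text) {
  storage.setItem(REQUEST_KEY, text);
}

// ... and pick up (and clear) the response when it appears.
function clientReceive(storage) {
  const res = storage.getItem(RESPONSE_KEY);
  if (res === null) return null;
  storage.removeItem(RESPONSE_KEY);
  return res;
}

// Browser wiring. The "storage" event fires in the *other* same-origin tabs,
// never in the tab that wrote, so the server page must be a separate tab,
// as in the post's "drag both into your browser" setup. Polling with
// setInterval works too; this avoids a busy loop.
function attachBrowserServer(win, transform) {
  win.addEventListener("storage", (ev) => {
    if (ev.key === REQUEST_KEY && ev.newValue !== null) {
      serverStep(win.localStorage, transform);
    }
  });
}

function attachBrowserClient(win, onResponse) {
  win.addEventListener("storage", (ev) => {
    if (ev.key === RESPONSE_KEY && ev.newValue !== null) {
      onResponse(clientReceive(win.localStorage));
    }
  });
}

// One full exchange against the in-memory stand-in: client writes,
// server upper-cases, client reads. Returns the response string.
function roundTrip(text) {
  const storage = memoryStorage();
  clientSend(storage, text);
  serverStep(storage, (s) => s.toUpperCase());
  return clientReceive(storage);
}
```

In a browser you would call `attachBrowserServer(window, s => s.toUpperCase())` in the server page and `attachBrowserClient(window, show)` in the client page, then `clientSend(window.localStorage, text)` from the client's Submit handler. Note that a single request slot means two clients writing at once overwrite each other; the post's demo has one client, so that is left as-is here.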

Example app

The example app is in a GitHub repository.

Download the client and server and drag them into your browser.

Enter a string in the client. Click the Submit button. See the result.

Seeing is believing

Some people don’t believe this works. It does.

I’ve deployed it in a real-world app, and there have been no support issues.

And with this demo, you can see with your own eyes.

Posted in Uncategorized | Leave a comment

Dropbox tone-deaf? Hardly

TechDirt has a story calling Dropbox “tone-deaf” for adding Condoleezza Rice to their board of directors, given that she played a central role in creating the surveillance state that we now find ourselves in. (Yesterday Ed Bott said the same on Twitter. I argued with him. A more detailed version of the argument follows.)

Tone-deaf is an interesting idea. Literally it means that someone can’t carry a tune. Using it as a metaphor for a company, I think they’re saying they have an integrity issue. Dropbox seems to be a company we can trust to fight the government on our behalf. Hiring Rice seems contrary to that and to the interests of its users. They aren’t what they say they are, therefore they’re tone-deaf.

But it’s only tone-deaf if you were expecting a different tune. I think it’s refreshingly honest and open. It tells the users that it’s very important for Dropbox to have a way to communicate with governments at a very high level. Someone has to rep the company at meetings that are now taking place regularly where new rules are being created to govern the Internet. Private rules that we may not know anything about.

The net never was as open and liberal as it seemed to us. That’s what we learned from Snowden’s leaks. Every large tech company is quickly becoming part of the governmental structure of the world. Eric Schmidt, for example, travels with a former aide to the US Secretary of State. I’m sure at times when he meets with world leaders he’s carrying messages for our government and vice versa.

That’s the reality. Dropbox could have tried to hide it from users, but they chose not to. That appears to be in harmony with other tech companies. We may not like the song they’re singing, but it’s not tone-deaf.

Posted in Uncategorized | Leave a comment

Secret may be the next thing

Twitter and Facebook

Twitter and Facebook are part of my “rotation.” When I take a break from work, I go to each to see what’s up. It’s a habit, like checking email was a decade ago. I check even though there’s usually not much there of interest.

I don’t have any early-days memories of Facebook, because I wasn’t part of its early adopter crowd. But I was there for the beginning of Twitter. And I remember what an eye-opening experience it was. All of a sudden the lives of the people I related to on the web were opening up to me. I could see where people go, even learn about their families. But then the experience got diluted, as I followed more people, and more people, strangers, talked to me as I tweeted. The experience re-formed into a sort of social media haze, people promoting this and that. Although we don’t call it spam, that’s really what most of what’s on Twitter is.


I tried Napster in the winter of 2000, found nothing there of interest, but I was looking for a specific song on June 18. Father and Son, by Cat Stevens. (It was Father’s Day.) I had just heard it on the radio, and wanted to hear it again. Back then, if you can believe it, this was a problem. Unless I had a song in my personal collection of CDs I had bought at a record store, the best I could do was wait until it came on the radio again. Then I had a thought — maybe it’s on Napster. It was. That, and everything else. In the period between my first and second visits, the system had boomed with people of my age, and now our music was there too. It was an amazing experience to be able to browse old tunes the way I browsed the web. I wrote about it, a lot. The experience of music had been transformed. People were talking about music in the supermarket and airports! This was new.

Father and Son still reaches inside me to find the confusion that reigned between my father and myself when I was younger. I’m 58 now, but the Dave-of-17 is still very much alive inside, and is moved by that song. “From the moment I could talk I was ordered to listen.” That’s the power of a new medium, in this case, Napster.


Now it may be Secret’s turn. True, there’s no API, and no web client. It’s not politically correct. It’s possible that there can’t be an API for a service that tries to deliver anonymity. I don’t know. All that said, I’m having the kind of experience with it that I had in the early days of Napster and Twitter. I’m learning things, meeting people and hearing things from them they could never say if we knew who they are. Sure there’s a lot of the first time thrills that come from saying nasty shit about people we all know. I’ve even read nasty shit about me. Big deal. The first time people used SimCity they destroyed the built-in cities. That’s fun for an hour or so, then you try building a city, and that was fun (for me at least) for years.

Secret is not in my rotation yet, I have to remember to check it. But when I do, it gives me lots to ponder, makes me want to ask questions, and gets me thinking about who else is in this world, and how different some of them are from me. Sure the stories are probably mostly fiction, but this is what people dream about — their fantasies. Who they would like to be. They do something no one can afford to do on their blog or on Twitter or Facebook, they show vulnerability. And that’s interesting, and in Internet communities, new.

PS: There are cats all over this piece. The logo of both Secret and Napster are cats. And Cat Stevens wrote the song that got me into Napster.

Posted in Uncategorized | Leave a comment

Question for Mac devs re Heartbleed

I’ve been writing about Heartbleed on the home page of Scripting News today.

I have a question for Mac developers. If you are creating an app that uses SSL, do you implement it yourself or do you call a system routine?

I’m sure you see what I’m getting at. If you’re a developer that depends on an operating system vendor’s implementation of SSL, and they’re taking time to update it, does that leave your services open?

I’m asking about the Mac because I use Macs. I’m wondering for example if Dropbox has a security issue because the Mac has one. And Chrome, and whatever else I’m using that communicates securely with a server.

I’m also guessing that Google has their systems secured because they were the ones who initially reported the vulnerability.
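The question above, and the "locate the vulnerable servers" item in the earlier Heartbleed post, both come down to knowing which OpenSSL build each piece of software actually links against. The following is an added example, not code from Scripting News: it parses `openssl version` output from an inventory of hosts and flags builds in the affected range (1.0.1 through 1.0.1f; 1.0.1g carries the fix), and it reports the OpenSSL that the running Node process was built against via `process.versions.openssl`, which is exactly the "your app inherits the vendor's library" situation the post asks about. The host names and command output are constructed; the `triageInventory` helper and its labels are my own. A hit means "investigate", not "proven vulnerable": Linux distributions backported the fix into packages that still report 1.0.1e, so confirm against the package changelog before and after patching.

```javascript
// Heartbleed affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g is the first fixed
// release. (The 1.0.2 pre-release betas are not handled by this range check.)
const RANGE_MIN = [1, 0, 1, ""];
const RANGE_MAX = [1, 0, 1, "f"];

// Parse "openssl version" output ("OpenSSL 1.0.1e 11 Feb 2013") or a bare
// version string such as process.versions.openssl ("1.0.1g") into
// [major, minor, fix, patchLetter]. Returns null when nothing matches.
function parseOpenSSLVersion(text) {
  const m = /OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(text) ||
            /^\s*(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(text);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4]];
}

// Numeric parts compare as numbers; the patch letter compares as a string
// ("" sorts before "a", so plain 1.0.1 is older than 1.0.1a).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  if (a[3] === b[3]) return 0;
  return a[3] < b[3] ? -1 : 1;
}

function inHeartbleedRange(v) {
  return compareVersions(v, RANGE_MIN) >= 0 && compareVersions(v, RANGE_MAX) <= 0;
}

// Triage an inventory of [host, output of `openssl version`] pairs.
// Labels (assumed, not from the post):
//   "version-in-range": reported version is in the affected range; investigate
//   "outside-range":    reported version is outside it
//   "unknown":          no OpenSSL version string found; check by hand
function triageInventory(records) {
  const result = {};
  for (const [host, output] of records) {
    const v = parseOpenSSLVersion(output);
    if (v === null) {
      result[host] = "unknown";
    } else {
      result[host] = inHeartbleedRange(v) ? "version-in-range" : "outside-range";
    }
  }
  return result;
}

// The runtime you deploy on links its own OpenSSL; a node app on Heroku (as in
// the XML-RPC post) is only as patched as that library. Returns true/false, or
// null when no version is exposed (e.g. outside Node).
function runtimeOpenSSLInRange() {
  const raw = (typeof process !== "undefined" && process.versions &&
               process.versions.openssl) || "";
  const v = parseOpenSSLVersion(raw);
  return v === null ? null : inHeartbleedRange(v);
}

// Constructed sample inventory; these are not real hosts.
const SAMPLE_INVENTORY = [
  ["web-1.example",  "OpenSSL 1.0.1e 11 Feb 2013"],      // in range: investigate
  ["web-2.example",  "OpenSSL 1.0.1g 7 Apr 2014"],       // fixed release
  ["legacy.example", "OpenSSL 0.9.8y 5 Feb 2013"],       // older branch, not affected
  ["kiosk.example",  "sh: openssl: command not found"],  // no data
];

console.log(triageInventory(SAMPLE_INVENTORY));
console.log("this Node's OpenSSL in affected range:", runtimeOpenSSLInRange());
```

On the Mac side the same idea applies to whatever a desktop app links against, whether a bundled OpenSSL or the system library; the inventory question is "which build is this binary actually using", and the version string is the first, not the last, thing to check.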

Posted in Uncategorized | Leave a comment