July 30, 2011

Hooray for hackers

by fluffy at 2:23 AM

So, somehow some pretty insidious malware got onto my site. From what I can tell it was installed via an old upload exploit in WordPress, on schadenfood.org (now offline since it's not like I was ever doing anything with it anyway). I did a bunch of forensics on it, and found that while the initial infection was probably just done by automated script, someone actually left a pretty thorough backdoor that allowed pretty much complete access to my whole Dreamhost account (files, shell, and so on).

Unfortunately, Dreamhost's logs don't go back far enough to find out how it was installed, and the backdoor script didn't keep a log so I have no idea what they did during the time leading up to the addition of the SEO spam crap that clued me in to its presence (because of a random happenstance that happened to make me aware that it had been installed at around 6 AM today). I have the IP address of the system that was used to access the backdoor, and I know that over the last few days they'd been accessing it repeatedly, but all of the commands are hidden in a POST request, so I have no idea what exactly they did.

I did go through and find every spot that they'd added additional exploit code, and of course I'm changing what passwords were visible in some way through the account files. Unfortunately, they had access to a couple of sensitive and important files that I was keeping in a private WebDAV share, and I'm feeling very sick to my stomach, especially with not knowing if they ever found the directory it was kept in. (I am, of course, moving all that stuff to my own personal NAS now, and deleting the WebDAV share.)

Fortunately, the only account password they'd have had access to directly was my database password, which I generate randomly and keep unique, and it's not a big deal for me to change it again. There's also a single spot where my OpenID password was viewable as an md5 hash (and it turns out that said hash is findable in some of the various md5 lookup tools out there), so of course I've changed that too.

HOWEVER: One of the bits of malware I dissected did appear to have the ability to generate a full table dump of my entire database (I don't know if this function was ever activated), and you should be aware that phpBB 2 (like I use here) uses unsalted MD5 password hashes. So you should probably change your forum password here, and anywhere else that you use the same password. Sorry. :( (I'd upgrade to phpBB3, which finally fixes that issue, except that it will break all of the commentary functionality on my site if I do. I should look to see if there's at least a salted-md5 patch for phpBB2 floating around out there though. I've been meaning to do that forever but of course now that's squeezing my buttocks after I've farted, as the Japanese saying goes.)
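The unsalted-MD5 risk described above, as an added example (this is not the post's code and not phpBB's): it shows why a dumped table of bare MD5 digests leaks password reuse outright, and one way a "salted patch" could upgrade existing rows without knowing any plaintext, by wrapping the stored digest in a salted PBKDF2 and accepting both forms at login. The sample user rows are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample of a phpBB2-style user table: bare, unsalted MD5 hex digests.
LEGACY_ROWS = {
    "alice": hashlib.md5(b"hunter2").hexdigest(),
    "bob": hashlib.md5(b"hunter2").hexdigest(),
    "carol": hashlib.md5(b"correct horse").hexdigest(),
}

PBKDF2_ROUNDS = 100_000  # assumed work factor for the wrapped form


def shared_hash_groups(rows):
    """Return groups of users whose stored hashes are identical.
    With unsalted MD5, equal passwords give equal digests, so a database dump
    exposes password reuse across accounts before any guessing is attempted."""
    groups = {}
    for user, digest in rows.items():
        groups.setdefault(digest, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def wrap_legacy(md5_hex, salt=None):
    """Upgrade a legacy row in place: derive pbkdf2(md5_hex, random per-user salt).
    The plaintext is never needed, so every row can be migrated immediately."""
    salt = salt or os.urandom(16)
    inner = hashlib.pbkdf2_hmac("sha256", md5_hex.encode(), salt, PBKDF2_ROUNDS)
    return "wrapped$" + salt.hex() + "$" + inner.hex()


def verify(stored, password):
    """Check a password against either the legacy or the wrapped form,
    using constant-time comparison for both."""
    md5_hex = hashlib.md5(password.encode()).hexdigest()
    if stored.startswith("wrapped$"):
        _, salt_hex, inner_hex = stored.split("$")
        calc = hashlib.pbkdf2_hmac("sha256", md5_hex.encode(),
                                   bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
        return hmac.compare_digest(calc.hex(), inner_hex)
    return hmac.compare_digest(stored, md5_hex)


def migrate(rows):
    """Wrap every legacy row; after this, equal passwords no longer share a hash."""
    return {user: wrap_legacy(digest) for user, digest in rows.items()}
```

Once a user logs in successfully against a wrapped row, the application can rehash from the plaintext with a proper password KDF and drop the MD5 layer entirely.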

I have, in the meantime, removed ALL the goofy webservices that I'm not using anymore, and hoping that the ones I still do have installed (because I, you know, use them) are secure. I should definitely check for security updates on what's left, at least. Also, do a full audit on all of my custom PHP scripts because who knows what's lurking in those.

tl;dr: The site was hacked, your password may be compromised, and the hack was directly targeted enough that I'm feeling violated and am probably going to have my identity stolen or something now.

July 25, 2011

Why I still prefer Twitter

by fluffy at 6:11 PM

I'm just not able to keep any interest in Google+, for the same reasons that I can't keep any interest in Facebook. Having longer posts doesn't necessarily make things better; instead it makes it seem like I really must read everything, which turns it into an overwhelming burden, and inline comments make it feel like even more of a firehose of information. I like how Twitter is a place where I can just share quick simple notions and links to fuller bits of content. I like how the fuller bits of content are hosted on my own site where I and others can find it easily, rather than quickly being buried in piles and piles of comment replies to Felicia Day and Wil Wheaton. I like how Twitter is just a bunch of messages that people pass along and there's no expectation that everything is seen.

I feel like Google+ is in an uncomfortable middle ground between mass-messaging and blogging, with the disadvantages of both but the advantages of neither. I felt the same way about Facebook. Also, the fact that Google has their hands in ALL of my data, with potentially disastrous consequences, makes their overbearing "real name" policy even more upsetting.

Basically, I still miss blogs and don't feel like G+ or Facebook do anything to help communication - they just do what Twitter does, but longer, and with more overwhelming crap to sift through, and an expectation that you do sift through it all.

That said, Hangouts are pretty neat. It would be nice if it were a completely separate product that were based on Jabber or the like, though.

July 22, 2011

An open letter to PreSonus

by fluffy at 12:31 AM

Nice to know you guys are on top of things, and are registered Apple developers so that you can receive pre-release GM builds of upcoming operating systems so you aren't blind-sided by major operating system upgrades that people have known about a year in advance. Oh, wait.

What is it about pro audio vendors that makes them think it's okay to hold off on updating their software for major changes to their customers' platforms?

It's not just you guys, of course. Native Instruments and MOTU are even worse. At least you guys continue to support your products more than two months after they come out. But still.

I mean, sure, I could just hold off on updating my OS until the driver gets updated, except that this doesn't help me with the new Mac I just bought for my studio, because I'd been waiting to upgrade until Lion came out because Apple was withholding hardware upgrades until that happened. I'm not going to have any way to NOT run Lion on it. I guess I'm just going to have to use a cheap USB audio interface in the meantime.

I understand there being some brokenness and some beta-quality nature to various things when the OS actually comes out, but for a professional-audio hardware company to not be willing to get a single ADC developer license so that they can be prepared and be ready with SOME sort of driver upgrade when the OS itself is in beta - much less after it's actually been released to retail - is just ridiculous.

Apple is VERY GOOD to developers when it comes to keeping them ready for major OS changes. You guys really dropped the ball, and now I'm going to think twice about buying another PreSonus product in the future.

July 18, 2011

S.978

by fluffy at 8:53 AM

The MPAA and RIAA are at it again. Here is the letter I am sending via that page's form:

I am a constituent and I urge you to reject S. 978, "A bill to amend the criminal penalty provision for criminal infringement of a copyright".

This bill is overly-broad and only serves to further cater to the monopolistic practices of the big media cartels who operate as part of the RIAA and MPAA. It further erodes the rights of artists set forth under the fair use doctrine, and provides a chilling effect on free expression and active participation in common culture. It does not protect the interests of the RIAA or MPAA, and will only be used to criminalize everyday activities.

Further, given that RIAA members have copyrights on specific renditions of silence and other fundamental sounds, as well as songs containing every word known to every language, it is likely that they could use this to stifle creative free expression even from those who aren't infringing on the bill, simply because any new song written by a non-member could be shown to be infringing on SOME property. Or are the courts capable of determining whether the two-second silent pause in any random YouTube video originated from track 65 of Blur's "Modern Life is Rubbish?" Could any use of the word "bird" be construed as infringing on the composition rights to about half of the early Beatles catalog?

I urge you to reconsider this bill, and all others like it.

July 16, 2011

Machine of Death

by fluffy at 11:55 PM

I wrote a couple of short stories for Machine of Death. David Malki! said it's perfectly fine for me to post the stories on my own site in the meantime, so here they are: KILLER BEES, HARD VACUUM

July 12, 2011

Current wrist advice

by fluffy at 9:05 PM

It's been a while since I've posted anything about my wrists. I've mostly had them manageable, although my left wrist still hurts quite a lot much of the time. But based on a couple of people asking me specifically for what I've been doing for my wrists (hoping it would help them as well), here's some quick, non-professional, I-am-not-a-doctor-or-ergonomist things I've found that help:

First, exercise with negative resistance is very helpful. Negative resistance is where you're working against a force (such as walking down a steep hill). The best device I've found for negative resistance on the arms is the Powerball gyroscopic exerciser; I got mine (which I'm very happy with) from NSD Powerballs, but there are a bunch of other ones on Amazon that I haven't tried. They're a bit hard to learn how to use at first but it's worth the effort.

Another important thing is to take typing breaks and to stretch during them. These days I use RSIGuard, which costs $65 (and has a 45-day trial). On Windows and Linux there's Workrave which is nearly as good (although it doesn't track actual usage/strain and its stretches aren't nearly as comprehensive or well-designed). The least-terrible free RSI timer I've seen for MacOS is TimeOut, although it's pretty bad (which is why I eventually broke down and bought RSIGuard). During these typing breaks is a pretty good time to use the Powerball.

A good ergonomic setup is also very important. Most keyboards are way wider than they need to be (pushing the mouse further away than is really comfortable), and most keyboard trays suck badly. I use Apple's wireless keyboard and trackpad (which also work with Windows with a bit of effort, and also in Linux) and instead of a keyboard tray I use Ikea's DAVE laptop desk, which is nicely height-adjustable, easy to place in a comfortable spot, and pretty much stays wherever you put it. It's way better than any of the $300 professional keyboard trays I've used.

Finally, when I sleep, I usually wear a wrist brace. I like ACE's TekZone ones; they're much more comfortable than any of the others I've tried, and are easy to adjust to be tight without being constricting. They're available on amazon although I'd recommend going to Walgreens or CVS or whatever so that you can size them properly.

Of course, I'm not a doctor or an ergonomist or whatever, so if you have access to a professional ergonomist definitely take advantage of it.

July 8, 2011

Real life and identity

by fluffy at 6:10 PM

It is a lot easier to keep immiscible identities separate on the Internet if you keep them completely separate from real life as well. I am apparently bad at both, judging by how many of my former coworkers have recently added "fluffy critter" to their circles on Google+. I mean, it was okay when it was the people who I'd let know about it to begin with (and I mean if ucblockhead hadn't known me online I'd have never had the job to begin with), but I'm not quite sure how I feel about apparently everyone else in the office knowing now too. Sigh.

Oh well. I've long felt that it's not so bad having people who actually know me actually know ME - it's the other direction I've always felt important to avoid (people trying to link my online self to my offline self in a way that makes it easy for people to know my real name which is not actually my real self). I hate people judging me by my resume and my picture and my legal name as if those are any more valid than the self I have discovered within.

I guess either direction is potentially problematic because I hate the idea that people would judge me unfairly based on stereotypes from one set of interest, and I'm still paranoid with the whole "You'll never get a job if people know about you!" thing that people have been parroting for years, despite clear evidence to the contrary.

Basically I'm complicated.