Ask box messages appear to be arriving only sporadically. I have confirmation that one was sent today and I never saw it; there are probably others. I also assume this is not just tumblr out to get me and this is likely happening all over. (Super glad they delivered the Highlight This Post feature, though.)
I have no idea if their insipid, recent post-it note email thingy is also afflicted.
Anyway, caveat scriptor.
My name is John Scholvin and I have an anger problem.
Along with rugged good looks and luxurious, silvery hair, I inherited a vicious temper from my dad. I wish it could have been his jump shot or golf swing, but instead, it’s the ability to go from idle to redline in a couple of milliseconds.
I’ve been working on managing it for twenty years. My anger has damaged me personally and professionally. It’s something I have to be continually aware of to subdue. I’ve become pretty good at keeping it under control over the years. Part of it is probably just age and a natural change in my endocrine chemistry. Beyond that, I have techniques for quelling the rage when it rises, techniques which work well if I apply them early enough. That’s tricky: when it happens, it happens fast, and when it gets to a certain point, there’s no dialing back.
Oh man: 4 notes but only 3 whodunit bars. Someone’s in hidden tumblr purgatory.
Stop berating plugin developers and fix your shit, tumblr.
Disqus, run by the same kind of sharp minds that run tumblr, apparently changed their notification scheme and you have to verify your email address. I’d give you a link, but it’s (naturally) one of those sites where 700 javascript dialogs pop up and the URL has #! in it, so I can’t. You’ll have to log in at disqus.com and find your way.
I was wondering why I’d stopped getting emails after disqus comments were posted. TMYK.
Your messages and drafts are all still there, they’re just not convenient.
Go to your tumblelog: http://www.tumblr.com/tumblelog/scholvin, where you substitute your tumblr name for mine, of course, and you’ll see the more familiar buttons on the right side: messages, drafts, followers, queue, etc.
If you have more than one tumblr, you have an easy way to click to it right on the top. If not, it looks like you’ll have to enter the URL, maybe bookmark it for now. Hopefully they’ll fix that.
Kind of a bummer that tumblr is borrowing Facebook’s model for rolling out UI changes, but not borrowing their model for building an ass-kicking server-side farm. They’re doing it wrong in two dimensions.
Edit: Cutlerish is going to have a couple of long hacking days in front of him. Maybe he can address this problem if (when) tumblr won’t.
Edit 2: Actually, it looks like you can get there without typing. That icon with three dots and three rectangles should drop down to give a list of all the tumblrs you own…those are links to the tumblelogs. Poor icon and label design.
That you can easily get single-spaced text
In the tumblr editing window
By hitting shift-return instead of return?
This is 100x easier than switching into the HTML editor and entering <br>’s all over.
Thought I’d share, esp. for those of you who post a lot of lyrics or poetry.
Game changer.
I looked around a bit to find out more about the security issue this morning. Since it’s clear that Tumblr will never, ever post any sort of information about what the fuck is going on when there are problems, I’ll engage in a little bit of armchair analysis and wild-ass speculation. I’m not an expert on this kind of web development, but I know a bit. Caveat lector.
So, the “security issue” looks like someone fucked up at tumblr and some of the server-side code that renders the site was displayed rather than executed. Maybe someone was fooling with the front end web server (Apache?) configs or something.
Some krafty kidz who saw this code then had the foresight to post it to github and apparently other places for posterity. (Or posterous. Heh.) So even though tumblr probably stopped showing it to randoms quickly, it was in the wild for good very soon.
My quick glance at it shows that there are a bunch of passwords and private API keys in there, stuff for Google Hosts, Amazon AWS, Facebook, Twitter, Captcha. This is the Major Bummer. I’m sure they changed those passwords and invalidated those keys quickly, and I am mostly inclined to believe their claim that this stuff is some distance from the database of production user passwords and profile info. This is an epic fuckup, no other way to describe it. It’s also as good an argument against hard coding your passwords and other critical config info into executable script code as you’ll ever see. Put that shit in a config file that has 0.00 chance of ever being rendered, fellas.
Beyond that, a bunch of their internal private IP addresses are exposed, which would only be useful to someone who had already penetrated the security perimeter, and someone who’d done that could find that stuff in other ways. There’s a little to be inferred about their architecture from the code itself, but it doesn’t look like rocket science to me. Looks like fairly vanilla CMS/bloggy goodness. Their load balancing scheme starting around line 395 appears pretty lame. This we already knew.
So, it’s pretty bad, but survivable. I’m guessing the problems uploading pictures this morning were because of the Amazon AWS keys being changed.
I’ll reiterate that this is 100% speculation, based only on my fairly quick glance of the assets that were compromised. But one outside nerd’s semi-informed opinion is better than anything we will ever get from davidkarp (nice password…are those your girlfriend’s initials?) and friends. Take it for whatever you think it’s worth.
One:
Two:
God dammit, it looks like I’m going to miss the karaoke night at #chsh. We got a chance to play at some CPD benefit thing up in Edison Park and I didn’t want to be the one to a) tell the band we should turn down a gig when we haven’t had a lot lately, and b) potentially disappoint a bunch of cops. So I’ll be singing that night but not at Blue Frog. I will, however, definitely be at the Main Event, probably hung over, certainly with fried vocal cords which I expect to be cooled and soothed by the chilled Stoli.
No hard feelings. Just, “shit.”
Maybe that’s the word after all. Shit.
