April 7, 2012
Administrative note

Ask box messages appear to be arriving only sporadically. I have confirmation that one was sent today and I never saw it; there are probably others. I also assume this is not just tumblr out to get me and this is likely happening all over. (Super glad they delivered the Highlight This Post feature, though.)

I have no idea if their insipid, recent post-it note email thingy is also afflicted.

Anyway, caveat scriptor.

March 2, 2012

missing-e:

~ Your Freedom To Use Your Browser Is Under Attack ~

Tumblr’s Terms of Service hasn’t changed yet. So please read and help out!

The Tumblr staff recently requested feedback on updates they will be making to their policies. They specifically mention one of their goals is to prevent the promotion of self-harm. However, their updated Terms of Service includes something a lot less laudable.

Unable to find the required avenues to stop developers from creating and distributing browser extensions that enhance the way you use Tumblr and not getting enough of a response to their scary warning campaign, they now seem to be preparing the groundwork for coming after users of these extensions.

<snip>

As disheartening and awful as this is for users of Missing-e and similar, this actually has far larger potential ramifications. Tumblr is, by any measure, a major player in this space. What they do will be watched, and, if successful, probably copied.

They want to dictate what you do in your own browser on your own computer, the one in your home, after the data has been received there via the Internet provider you paid for. For the entire history of internetworking protocols, it’s been generally understood that once something goes out on the wire, it’s not under the sender’s control anymore. They have a different view.

Remember how agitated we got when Congress wanted to screw with how DNS worked? It’s about like that, except of course it’s a private company, not the gummint.

This is a bad one, gang.

UPDATE: tumblr has issued a clarification that they specifically do not intend to go after plugin users.

January 27, 2012
On anger management and social media

My name is John Scholvin and I have an anger problem.

Along with rugged good looks and luxurious, silvery hair, I inherited a vicious temper from my dad. I wish it could have been his jump shot or golf swing, but instead, it’s the ability to go from idle to redline in a couple of milliseconds.

I’ve been working on managing it for twenty years. My anger has damaged me personally and professionally. It’s something I have to be continually aware of to subdue. I’ve become pretty good at keeping it under control over the years. Part of it is probably just age and a natural change in my endocrine chemistry. Beyond that, I have techniques for quelling the rage when it rises, techniques which work well if I apply them early enough. That’s tricky: when it happens, it happens fast, and when it gets to a certain point, there’s no dialing back.


January 23, 2012

Oh man: 4 notes but only 3 whodunit bars. Someone’s in hidden tumblr purgatory.

Stop berating plugin developers and fix your shit, tumblr.

9:49am  |   URL: http://tmblr.co/ZEG6ZyFEcMWh
Filed under: meta tumblr 
August 29, 2011
The future is not bright for ‘Missing e’

missing-e:

I attempted to discuss options through which we could work together on making Missing e something they would accept, but after initial positive statements, they seemed fairly averse to the idea. Their intent is for me to stop distribution of Missing e in any form.

On behalf of all who have developed software professionally, and of all who have led entrepreneurial efforts, I am profoundly embarrassed at what the staff of Tumblr is doing in this matter.

This has moved way past any sort of legitimate technical argument about use of their API and into the realm of sour grapes. Cutlerish made their product substantially better, for free, and their egos apparently can’t handle it. I see no other explanation for this petty vindictiveness.

Absolutely shameful. They’re a blight on my profession.

(via missing-e)

August 17, 2011
Disqus

Disqus, run by the same kind of sharp minds that run tumblr, apparently changed their notification scheme and you have to verify your email address. I’d give you a link, but it’s (naturally) one of those sites where 700 javascript dialogs pop up and the URL has #! in it, so I can’t. You’ll have to log in at disqus.com and find your way.

I was wondering why I’d stopped getting emails after disqus comments were posted. TMYK.

7:51am  |   URL: http://tmblr.co/ZEG6Zy8QgWxz
Filed under: tumblr disqus meta 
April 22, 2011
Am I the only one who didn’t know

That you can easily get single-spaced text
In the tumblr editing window
By hitting shift-return instead of return?
This is 100x easier than switching into the HTML editor and entering <br>’s all over.
Thought I’d share, esp. for those of you who post a lot of lyrics or poetry.

Game changer.

4:23pm  |   URL: http://tmblr.co/ZEG6Zy4WsEps
Filed under: tumblr meta nerd 
March 21, 2011

See, tumblr? Not that hard. They’ve been updating their facebook status all day. They also have a page up at getsatisfaction.

Total cost to their investors: $0.00

Total value to their users: huge, immeasurable.

You’re doing it wrong.

2:26pm  |   URL: http://tmblr.co/ZEG6Zy3ksfqV
Filed under: tumblr 
March 19, 2011
The “security issue”

I looked around a bit to find out more about the security issue this morning. Since it’s clear that Tumblr will never, ever post any sort of information about what the fuck is going on when there are problems, I’ll engage in a little bit of armchair analysis and wild-ass speculation. I’m not an expert on this kind of web development, but I know a bit. Caveat lector.

So, the “security issue” looks like someone fucked up at tumblr and some of the server-side code that renders the site was displayed rather than executed. Maybe someone was fooling with the front end web server (Apache?) configs or something. 

Some krafty kidz who saw this code then had the foresight to post it to github and apparently other places for posterity. (Or posterous. Heh.) So even though tumblr probably stopped showing it to randoms quickly, it was in the wild for good very soon.

My quick glance at it shows that there are a bunch of passwords and private API keys in there, stuff for Google Hosts, Amazon AWS, Facebook, Twitter, Captcha. This is the Major Bummer. I’m sure they changed those passwords and invalidated those keys quickly, and I am mostly inclined to believe their claim that this stuff is some distance from the database of production user passwords and profile info. This is an epic fuckup, no other way to describe it. It’s also as good an argument against hard coding your passwords and other critical config info into executable script code as you’ll ever see. Put that shit in a config file that has 0.00 chance of ever being rendered, fellas.

Beyond that, a bunch of their internal private IP addresses are exposed, which would only be useful to someone who had already penetrated the security perimeter, and someone who’d done that could find that stuff in other ways. There’s a little to be inferred about their architecture from the code itself, but it doesn’t look like rocket science to me. Looks like fairly vanilla CMS/bloggy goodness. Their load balancing scheme starting around line 395 appears pretty lame. This we already knew.

So, it’s pretty bad, but survivable. I’m guessing the problems uploading pictures this morning were because of the Amazon AWS keys being changed. 

I’ll reiterate that this is 100% speculation, based only on my fairly quick glance of the assets that were compromised. But one outside nerd’s semi-informed opinion is better than anything we will ever get from davidkarp (nice password…are those your girlfriend’s initials?) and friends. Take it for whatever you think it’s worth.
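
The post's advice to keep credentials out of script code and in a file that can never be rendered, as an added example (not from the original post and not Tumblr's code): a loader that refuses a secrets file sitting under the web server's document root or readable by group/others. The JSON format, the directory names and the sample key are constructed assumptions.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

class UnsafeSecretsFile(Exception):
    """The secrets file could be served by the web server or read by others."""

def load_secrets(secrets_path, docroot):
    """Return parsed JSON secrets, but only from a safely placed file."""
    path = Path(secrets_path).resolve(strict=True)  # follow symlinks first
    root = Path(docroot).resolve(strict=True)
    # Anything under the document root is one broken handler mapping away
    # from being sent to browsers as plain text.
    if root in path.parents:
        raise UnsafeSecretsFile(f"{path} is inside document root {root}")
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise UnsafeSecretsFile(f"{path} has mode {mode:o}, want 600 or 400")
    with path.open(encoding="utf-8") as fh:
        return json.load(fh)

def demo():
    """Try four placements in a constructed temp layout; report each outcome."""
    sample = json.dumps({"aws_secret_key": "EXAMPLE-NOT-A-REAL-KEY"})
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        docroot, private = Path(tmp, "htdocs"), Path(tmp, "private")
        docroot.mkdir()
        private.mkdir()
        files = {
            "in_docroot": (docroot / "secrets.json", 0o600),
            "world_readable": (private / "loose.json", 0o644),
            "ok": (private / "secrets.json", 0o600),
        }
        for p, mode in files.values():
            p.write_text(sample, encoding="utf-8")
            os.chmod(p, mode)
        link = private / "link.json"  # lives outside docroot, points into it
        os.symlink(docroot / "secrets.json", link)
        targets = {name: p for name, (p, _) in files.items()}
        targets["symlink_into_docroot"] = link
        for name, p in targets.items():
            try:
                load_secrets(p, docroot)
                results[name] = "loaded"
            except UnsafeSecretsFile:
                results[name] = "rejected"
    return results
```
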

March 9, 2011
Two Tumblrish Metas

One:

  • 5:00pm, on the way home from work, I’m thinking maybe I should set up a second (as far as you know) tumblr for pictures of the food and drinks I make around here.  I’m feeling pretty good about my work lately, you know.
  • 6:15pm, I casually throw some butter into a too-hot pan and start a giant, smoky fire that reduces both kids to screaming, sobbing messes and fills the house with black, oily fog that should be gone in a week or two if I’m lucky. Good one, universe. Point taken.

Two:

God dammit, it looks like I’m going to miss the karaoke night at #chsh. We got a chance to play at some CPD benefit thing up in Edison Park and I didn’t want to be the one to a) tell the band we should turn down a gig when we haven’t had a lot lately, and b) potentially disappoint a bunch of cops. So I’ll be singing that night but not at Blue Frog. I will, however, definitely be at the Main Event, probably hung over, certainly with fried vocal cords which I expect to be cooled and soothed by the chilled Stoli.