
John August


Geek Alert

What happened

October 10, 2005 Geek Alert, News

On Sunday morning, I woke up, fed my daughter, and read the Los Angeles Times. There was a good article about Joss Whedon’s Serenity, which managed to shoot in Los Angeles at a reasonable budget, largely because of smart planning.

Yet another reason to admire Joss Whedon.

I headed out to the office to blog about this very article. But when I clicked over to johnaugust.com, I was alarmed to see that instead of the familiar brad icon, I was greeted by a colored screen and the text, “BunnySlippers ownz u.”

I’d been hacked.

I’ve had my share of technological frustrations with the site over the years, with comment spam and servers going down. But this was different. This was the first time an individual had broken into the site and destroyed things. It was a defacement, like finding someone had spray-painted graffiti on your house.

But it was also more than that — this hacker had gotten into the system, and rooted around. For all I knew, he was still there, waiting for me to fix things just so he could mess them up again. How much had he really gotten to? Had he been able to trace back from the server to my home computer, my Amazon account, my PayPal?

I was pissed, but I was also unnerved.

Had it been my house, rather than my website, I would have called a locksmith to change the locks. The digital equivalent was changing the passwords, which I immediately did. I also shot off a support ticket to the web hosting company, asking if they could help me figure out what the fuck happened.

Then I started cleaning up.

I’m a big believer in the [broken windows](http://en.wikipedia.org/wiki/Broken_Windows) theory of policing, which stresses taking care of the small incidents of vandalism to forestall greater crime down the road. So the first thing I did was to replace the hacker’s splash screen with a simple “be back soon” page. (You can see it [here](http://johnaugust.com/sitedown.php).)

I then backed up my entire site, along with the database. From a quick look-through, it didn’t seem like any major damage had been done. I could have started the site up in just a few minutes, but I was concerned that the same hacker could have brought the whole thing down again. I needed to know what he did.

I should explain now that the hacker’s name was not BunnySlippers. This is my [Josh Friedman-esque](http://hucksblog.blogspot.com) pseudonym for him, because I don’t want to give him the ego gratification of this long article using his chosen handle.

BunnySlippers sounds lame, so I think it fits.

I googled “BunnySlippers” and found he was listed on [Zone-H](http://www.zone-h.org/), a site that tracks defacements. It’s like a leaderboard for script kiddies. The ethics behind Zone-H are obviously questionable, but that’s not the issue here. What I quickly learned is that BunnySlippers had hit a lot of sites at exactly the same time as mine.

This was a huge relief. It meant that he wasn’t targeting my site out of some grudge or special interest. Rather, I just happened to have some vulnerability he was able to exploit. In all likelihood, he’d never even been to the site. He’d written a script that crawled around the internet, looking for a certain configuration to exploit.

But what was that vulnerability? I had a list of the other sites he’d hit, but they were all offline, like mine. Using [archive.org](http://archive.org), though, I could pull up old versions of those sites. I quickly saw that most of them were using [WordPress](http://wordpress.org), the software that drives most of this site.

So I upgraded my WordPress installation to the most recent version. It was kind of painful. I’d held off doing it for a few months, because I knew it would break certain features, like comments and archives. (Although in fairness, the Archives were already pretty useless.)

In about an hour, I’d gotten the site working pretty well. There are still some significant things to fix, but it’s at least usable.

The question remains, will the site go down again? Maybe.

The truth is, I don’t think you can really stop someone who’s determined to hurt you. As I’ve learned from every horror movie, psychos are relentless. You shoot them, and they come right back — if not today, then in the unnecessary sequel. That’s part of the reason I’m not stomping my feet and cursing BunnySlippers’ name. Antagonizing him isn’t going to help.

With the help of my web hosting company, I’ve been able to learn a little bit more about my defacer, and how he did what he did.

Warning: From here, things get a little technical and jargon-laden. I’ll try to pretend I’m writing for CSI, where I immediately explain what the big words mean, even though the actual characters would never need to.

It turns out the weak spot was a file called “xmlrpc.php.” It’s a web service that helps move data, and is part of the standard WordPress installation. Its vulnerability had been [documented](http://blog.taragana.com/index.php/archive/php-xmlrpc-remote-code-execution-vulnerability-affecting-popular-blogging-and-cms-platforms-like-wordpress-1512-and-lower-postnuke-drupal-b2evolution-tikiwiki-etc/), but I’d missed it. BunnySlippers had used it to overwrite the file “index.php,” the main file which generates all the pages on this site.
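An added example, not code from the original post: a short Python script showing two checks a site owner would want after an incident like this one, assuming Apache-style combined access logs and a known-good copy of index.php taken from the backup. The log lines, IP addresses and timestamps below are constructed, not the real server logs.

```python
import hashlib
import re
from collections import Counter

# Constructed Apache "combined"-style access-log lines (made-up IPs and
# timestamps, not the real server logs from the post).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Oct/2005:03:12:41 -0700] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/4.0"
198.51.100.23 - - [09/Oct/2005:03:15:02 -0700] "POST /xmlrpc.php HTTP/1.1" 200 311 "-" "-"
198.51.100.23 - - [09/Oct/2005:03:15:03 -0700] "POST /xmlrpc.php HTTP/1.1" 200 209 "-" "-"
198.51.100.23 - - [09/Oct/2005:03:15:09 -0700] "GET /index.php HTTP/1.1" 200 57 "-" "-"
203.0.113.7 - - [09/Oct/2005:03:20:11 -0700] "GET /archives/ HTTP/1.1" 200 4411 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def xmlrpc_posters(log_text):
    """Count POST requests to /xmlrpc.php per client IP.

    A single-author WordPress blog normally sees few or no POSTs to the
    XML-RPC endpoint, so any client hitting it repeatedly is worth a look.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == "/xmlrpc.php":
            hits[rec["ip"]] += 1
    return hits

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def index_php_ok(current_bytes, known_good_sha256):
    """True if the live index.php still matches the hash of the backed-up copy."""
    return sha256_hex(current_bytes) == known_good_sha256

if __name__ == "__main__":
    for ip, n in xmlrpc_posters(SAMPLE_LOG).items():
        print(f"{ip} posted to /xmlrpc.php {n} time(s)")
    good = sha256_hex(b"<?php /* known-good index.php from backup */ ?>")
    print("index.php intact:", index_php_ok(b"BunnySlippers ownz u", good))
```

Run against real logs, the same script also shows the 57-byte GET of index.php right after the POSTs, which is the defaced page being served.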

By tracing BunnySlippers’ [IP address](http://en.wikipedia.org/wiki/Ip_address), we can see that he’s Brazilian. (Or at least, his computer is in Brazil.) Following other threads, I’ve found pages that suggest it’s not a single person, but a crew of three people. Hidden in a subdirectory of a German website, you can even see their logo.

Yes, logo. That’s where the graffiti analogy really comes back into play. This guy, or group of guys, isn’t trying to break into air traffic control, or steal money from a Swiss bank account. They don’t perceive themselves as malicious. It’s about getting the respect of others in their community, and recognition for their incredible computer skills.

But do they deserve it?

Using a known exploit to deface the start page of johnaugust.com isn’t such a feather in one’s cap. Other than wasting my Sunday afternoon, it didn’t really accomplish much. There was no political agenda, no artistic statement. It was just annoying.

It was graffiti. And now it’s gone.

Metablogging

September 22, 2005 Geek Alert, Meta

Now that there are several screenwriter-oriented blogs, I thought I’d take a moment to examine the six-degrees of separation quality among them.

Or perhaps I just want to revel in the fact that I’m the Kevin Bacon of screenbloggers.

**★ [I Find Your Lack of Faith Disturbing](http://hucksblog.blogspot.com/)**

This is how I met [Josh Friedman](http://imdb.com/name/nm0295264/): When I bought my house, my agent said, “Oh, hey, Josh Friedman lives down the street. You should knock on his door or something.” Like it’s Mayberry. But one day while I was walking my dog, I said what the hell, and introduced myself.

As it turns out, Josh and I grew up in the same town: Boulder, Colorado. He went to the cool high school downtown, while I went to the preppy high school up on a giant hill, literally looking down on the town.

Josh and I had the same agent starting out, sort of. Mine was an actual agent. His was the young woman who [answered the actual agent’s phones](http://hucksblog.blogspot.com/2005/08/one-day-at-time.html).

Josh lives in a bigger, fancier house than mine, covered with vines. (Like Madeline!) Actual famous people grew up in Josh’s house. Honest. Meanwhile, I sold my house to [Michael Rappaport](http://imdb.com/name/nm0001650/).

My moving had almost nothing to do with Josh and his monkeys.

I suspect Josh’s blogname for me will be some derivation of Ned Flanders, pesky do-gooding neighbor. Although it’s pretty egotistical to think he’ll ever write about me. (bashfully twisting foot.)

**★ [The Artful Writer](http://artfulwriter.com/)**

[Craig Mazin](http://imdb.com/name/nm0563301/) and I have the same agent. One day, my agent says, “One of my other clients has some questions about your website. Is it okay if I give him your number?” I say sure.

Craig calls. He asks about how I set up my site. He really wants to know how I got the brad graphic to float over on the right-hand side. (Answer: voodoo.) It’s only after a few minutes of conversation that he mentions that he’s at the hospital, because *his wife is in labor.*

Now that’s dedication. Or avoidance. It’s something.

To this day, I’ve never met Craig in person.

**★ [Man Bytes Hollywood](http://www.davidanaxagoras.com/)**

I first encountered David Anaxagoras’s site through a comment he’d left on a post. Apparently, he was significantly influenced by my site, but his layout and such is actually quite a bit smarter.

In fact, I stole these quotation marks from him. I have not poached his progress bars, but that’s only because I haven’t thought of anything worth charting.

I ended up meeting David when I spoke at his screenwriting class. He’s a good guy.

As for the other screenbloggers, I have no juicy dirt to spill. I only know them by their URLs.

New server on the way

August 22, 2005 Geek Alert, News

Good news for those readers frustrated by the all-too-frequent outages at this site: we’re moving to a new server, which will hopefully not flake out as often. If it does, I’ll change service providers. Again. Sigh.

There may be a little turbulence this week as the new server settles in. Caveat browser.

New videocamera

June 29, 2005 Geek Alert

In preparation for both the Charlie [press junket](http://johnaugust.com/archives/2005/back-from-the-charlie-press-junket) and my impending fatherhood, I bought a new videocamera. I already had a Sony DV camera, but small as it is, I never end up bringing it along with me. It’s overkill for what I want, which is mostly posting little clips on the web for friends and family.

I ended up buying the [Samsung SCX105L MPEG4 Sports Camcorder](http://www.amazon.com/exec/obidos/tg/detail/-/B0007QN8AG/), which, as the name implies, records to digital mpeg4 files rather than standard DV tape. The camera itself holds 40 minutes or so, but can be expanded with Sony Memory Sticks.

It feels really good in the hand. It’s a little fatter than an iPod, with a rubberized coating. The screen is bright and sharp, and the menus are intuitive, even if the controller is a little wonky. (It’s two-way, up and down, which doesn’t really work with the slide-show interface for navigating between clips.)

The video quality is fine. I wouldn’t shoot a feature on it, but you could certainly use it for an experimental short. I can’t find anything in the documentation to say how many frames/fields per second it records, but it definitely has that somewhat-stroby, [Saving Private Ryan](http://imdb.com/title/tt0120815/) feel to it.

Here’s a full-sized [clip](http://johnaugust.com/Assets/boarding.mov) (QuickTime, 7.6MB) that shows the look.

The sound is not great. The microphone is tiny, and the speaker is usually right under where I keep my thumb.

It doesn’t work natively with iMovie. Instead, you have to put the camera into USB 2.0 mode, dig through some folders, and yank out the applicable clips. (I’ll probably build an [Automator](http://www.apple.com/downloads/macosx/automator/) workflow to do that.) But you can then drag the clips into iMovie without any trouble.

Final Cut Express is more of a hassle. It wants to re-render the clips almost constantly. I’m sure there’s a way to pre-convert them to a more friendly format, but I haven’t really experimented with that yet.

So would I recommend the Samsung camera (or one of its tapeless compatriots)? Somewhat. The video is certainly better than you can get from a camera phone, which is the nearest real competitor. I strongly suspect Apple will come out with an equivalent product in the next year or so, with a better interface and better integration. But for now, it’s a promising idea that works surprisingly well.

To repeat: this is not the camera to buy to shoot your 18th century whaling epic. If you’re interested in using video for filmmaking, definitely check out Mike Curtis’s [HD for Indies](http://www.hdforindies.com/) blog, which covers all the mid-range cameras and issues in abundant detail.



© 2025 John August — All Rights Reserved.