Radio Free Meredith

Readers of this blog may recall a situation I refer to as the Next Jackass Problem. In brief: if you find yourself doing something particularly clever or esoteric in your code, you'd better be damn sure you document it thoroughly -- not only why you did it, but what you did and how, so that the next jackass who has to maintain your code can understand it, because 99% of the time, the next jackass is you, six months later.

I've run into an interesting (as in "may you live in ~ times") variant on this, which I call the Last Jackass Problem: when you're supporting a legacy library/OS/what-have-you, and there's a nice way to handle it with the current tools but no nice way to do so with the legacy ones.

In this case, I needed to programmatically tell iTunes to open a file. This is presumably pretty easy in Leopard, thanks to the magic of the Scripting Bridge. However, I'm also supporting Tiger, which does not have this magic. Happily, there's appscript, a nifty event bridge which encapsulates all the gory Apple Events foo that talking to scriptable apps requires. So presumably, if you have a file path, you can do the following:

ITApplication *iTunes = [[ITApplication alloc] initWithName:@"iTunes.app"];
[[iTunes play:filePath] send];

This programmatically constructs a reference to iTunes to which you can send commands, then constructs a command to play the file at filePath and dispatches it. Easy? Should be. Except for one thing: on OS X, there's more than one type of path: POSIX paths and HFS paths. POSIX paths are the ones anyone who's spent five minutes with UNIX should know: /path/to/file.ext. HFS paths are the old-school ones that you probably haven't seen unless you've been playing with Macs for a long time or actually use AppleScript: Macintosh HD:path:to:file.ext. And at least under Tiger, some scriptable apps expect HFS paths. (iTunes is one of them. I hear Finder is, too.)

Unfortunately, there does not seem to be any straightforward Cocoa way to convert POSIX paths to HFS paths. But you can tap into the guts of Core Foundation and do the following:

NSURL *ref = [NSURL URLWithString:filePath];
NSString *converted = (NSString*) CFURLCopyFileSystemPath((CFURLRef)ref, kCFURLHFSPathStyle);

That looks like a lot of typecasting, and frankly, for two lines of code, it is. Happily, though, it's safe: NSURL and CFURL are toll-free bridged for no-hassle conversion, as are NSString and CFString (what CFURLCopyFileSystemPath returns).

Nota bene: I have not actually tried the Scripting Bridge approach to this problem. I sincerely hope it silently converts POSIX paths to HFS paths where necessary, in order to prevent headaches of this sort. (chanson, any remarks there?) But for those of you doing any kind of Cocoa-based application scripting without the help of the Scripting Bridge, at least now you know. (And do please document your code for the next jackass.)

When it's been a publicized vulnerability since at least 2003, but nobody's had the good sense to actually pay attention to it, you assholes.

Avi Rubin on the Christopher Soghoian fake-boarding-pass generator kerfluffle:

RUBIN: When we find a security vulnerability, we think about how to publish that information responsibly, and what information we may need to omit. When we find an exploit, the first thing we do is have a meeting about who to tell and how.

Avi, this is all well and good if you're talking about a brand new exploit that nobody's ever imagined before, or even if you combine a few old attacks in a new and unexpected way. But Christopher Soghoian only did one new thing: he implemented an attack which had only been described in theory, even though that attack was already easy enough for the average thirteen-year-old with a MySpace to pull off in practice. Now it's easy enough for the average kindergartner. You cannot possibly give a convincing argument that our nation's security is under appreciably greater risk from the grade-school age bracket than it was last week. Nor, I believe, can you give a convincing argument that terrorists who have the technical savvy to coordinate dozen-man attacks haven't figured out how to edit a webpage or hire someone who can.

No, this is a matter of practice getting better press than theory. I'm willing to believe that not a single one of the 535 members of the U.S. House and Senate was reading Crypto-Gram back in August 2003 and that none have happened across Schneier's article since. I'm less willing to believe that no member of Congress reads Slate magazine, which covered the same issue last year -- especially since Sen. Charles E. Schumer (D-NY) issued a press release about the loophole a mere six days after the Slate article came out. But theoretical attacks make people's eyes glaze over, especially people who can't be bothered to learn anything about the systems which make those attacks possible. If people have to do actual work to see that the emperor has no clothes, most of them will gladly continue to believe whatever the emperor wants them to think. Soghoian reduced the process to "push button => naked emperor," and now people are scared of something they should have already been clamouring about for the last three-plus years.

Keep this one in mind, all you academics out there. By and large, you don't care about whether your work ever gets implemented or not, as long as it works out on paper. But the Christopher Soghoian incident should stand out as a reminder and a warning: your work is only going to affect the rest of the world if someone puts it into practice. That someone might be you, or it might be somebody else's grad student; it's up to you to decide who's going to get the recognition.

Assuming, that is, it's the kind of recognition you want.

enochsmiles: No, I'm not going to blog Hello World in Brainfuck. I'll write something new.
maradydd: You could do RSA in Brainfuck!
enochsmiles: ...Damn you.

(The conversation quickly devolved into a discussion of Brainfuck vs. Brainfuck-C and the difficulty of looking at so many dashes.)

maradydd: I was thinking about those sig files that have RSA in four lines of Python.
enochsmiles: It'd be a little big for that.
maradydd: You could turn it into ASCII art!
enochsmiles: Move over, Vipul!