UNDERDOG of PERFECTION

Yesterday I got a curious, one-sentence email to the customer support address for my WordPress plugin with the subject “checkout” [sic].

Just wanted to confirm if everything went through.

The person had a weird* — but not too weird — name, and a Gmail address to match. I was immediately suspicious, but since there were no links in the email, I decided to give them the benefit of the doubt as just being a bad communicator, not a phishing attempt. I figured the worst I risked by replying was proving my email address was real, which… well, duh. So I tersely responded that there were no orders matching their name or email address.

This afternoon I got a reply:

I regret my mistake in not attaching the required files to my previous email, as I was unaware that our email system does not support large file attachments. With some assistance, I have now uploaded them to my OneDrive at [redacted] Sorry for the late response.

Don’t worry, I wasn’t stupid enough to click the link. I just blocked them and reported the phishing attempt instead. I’m glad my instinct was right, and I kind of wish I hadn’t felt the need to test it. I suspect I’m going to need to be extra vigilant about incoming emails for a while.

I definitely regret that — out of necessity — I replied with my real email address, but the support email for the plugin is just a forwarding address and can’t send email directly. Maybe it’s worth the $20/year it would take to change that.

*I feel compelled to explain what I mean by “weird,” because people can say someone has a weird name and basically mean something racist by it. That’s not the situation here. The surname was a very common English surname. The first name was the name of an animal that I have never heard used as a person’s name before.

I recently turned 51. There is no question at this point that more of my life is behind me than ahead. (If I live to be 102 I will be profoundly miserable, and profoundly miserable people rarely make it to 102.)

As I get older, I’m finding myself more and more just exhausted and exasperated with the goings-on of the world. Even if we didn’t have the one very big obvious own-goal Americans are dealing with at the moment, it just seems like so much stuff in life is a lot harder than it needs to be, for no real reason. But I don’t think it’s just the cynical perspective of my advancing age talking. The world really is getting worse.

There’s just broad stubbornness, cruelty, and lack of generosity. I’m not talking about charity even, just the basic generosity of giving your fellow humans a fucking break now and then. Don’t go out of your way to make things harder on those around you. Is that so much to ask?

Yesterday Apple announced the iPhone 16e, and I briefly considered trading in my iPhone 13 mini for one.

Bear in mind, the name I chose for my Personal Hotspot on the phone is “You can pry my iPhone 13 mini from my cold, dead hands.”

So, is the iPhone 16e worth abandoning that bold stance? Uh… no.

There are definitely some ways it’s better that I would appreciate: faster CPU, better battery life, USB-C port.

There are ways it’s “better” that are either irrelevant to me or actually a downgrade, from my idiosyncratic perspective: a larger screen (too big to reach across with one hand, and too big for my pocket), Apple Intelligence. (I suppose as a “techie” I should care, but I am utterly disinterested in AI in general, and in “Apple Intelligence” in particular.)

There are ways it’s clearly worse, but that I don’t care about, most specifically MagSafe. I like MagSafe in concept, but I don’t have a MagSafe charger and am indifferent about getting one.

And then there are ways it’s worse, that I very much do care about. Again, the size. My eyeballs would appreciate a bigger screen but no other part of me wants my phone to grow. Even the 13 mini is slightly larger than my ideal phone size.

But above all, the real deal-breaker, is the camera situation.

I am not heavily invested in the iPhone for high-end photography. Obviously I’m not, or I wouldn’t still be using an iPhone 13 mini. But I do shoot all of my YouTube videos on my iPhone, and there are two specific features of the iPhone 13 mini camera system that I use extensively: Cinematic Mode, and the 0.5x zoom, wide-angle lens.

The iPhone 16e lacks both of these camera features. Without them, I would be giving up too much.

Of course, I actually own two iPhone 13 minis. (I inherited my dad’s when he died.) So I could trade in my 13 mini and upgrade to the 16e for my day-to-day phone, while still using the spare 13 mini for shooting video.

I considered it. But… back to the size thing. I don’t want to carry a larger phone. So until Apple makes another small phone, or until it just stops working altogether (a far more likely scenario), you can pry my iPhone 13 mini from my cold, dead hands.

I was just mulling this over as I spent a few minutes looking at the monitoring tools I have running on the large number of websites I maintain, both for myself and my clients.

Unscrupulous types have plenty of reasons for trying to infect a website with malicious code, and they have tools that are designed to help them find websites that are ripe for exploit.

Specifically, there are telltale signs that a website might be running a particular platform, or they might just assume it’s a popular platform (*cough* WordPress *cough*) and run with that. Either way, they have lists of known exploits, and they just need to run a program that tries to find those exploits on a given website.

If they find one, jackpot.

It’s been interesting to see how this has evolved over the years. A decade or so ago, the most common exploit I saw was silently infiltrating a WordPress site and injecting code into its pages, either via JavaScript or a 1-pixel iframe, that would load data from an external site or redirect the user’s browser to a scam site that would throw ads at them, infect their computer with a virus, run a keylogger, etc.

More recently, what I see most often — and it’s maybe because as a matter of course I run tools that block those aforementioned actions — is surges of fake e-commerce transactions for the cheapest item in a store. Clearly in those cases the scammers have gotten their hands on a list of stolen credit card numbers, and they’re testing to see if any of them are still active.

God, these people suck.

Anyway… the thing I was thinking about today was kind of a meta-level factor in all of this. It’s not just that the botnets only infect sites that haven’t been kept up to date and therefore are exploitable. It seems like they only even try to infect sites that are very low traffic, with rarely updated content, which correlates reasonably to the idea that the site owners may be neglecting their site and not running important software updates.

But how do they know these sites have low traffic? How do they know their content is rarely updated?

How do they know these sites even exist?

The big tech companies — and I’m thinking especially Google and Meta here — have amassed huge data sets about not just users and their behavior, but the websites users interact with. In short, if Google crawls a site on a regular basis — and if Google knows about a site, it crawls it, unless you specifically tell it not to — then Google has data on how often that site’s content is updated, and how much traffic it gets. (Traffic in relative terms, at least, in the form of click-through from Google search results. But traffic in absolute terms, if the site has Google Analytics running on it. Which a huge percentage of websites do.)

Google shares a lot of the data it collects. But it also doesn’t share a lot of the data it collects, and this is specifically the type of data Google does not make publicly available. Or sometimes even privately available to the site owners.

How do scammers get it?

I don’t have an answer. I don’t even have proof that they’re getting it. I just have my anecdotal observation that the scammers don’t even seem to try hacking into the sites I work on that get a lot of traffic and frequent updates. But they’re constantly prodding and poking at sites and servers that don’t see much other traffic.

Curious.

I don’t hate Squarespace. I’ve used it for a few sites. But I still strongly prefer building my own self-hosted WordPress sites, for a variety of reasons. But I think I just found the best one.

SaaS website builders like Squarespace have come a long way, especially in terms of letting you write your own code. But there are still some deeply ingrained, user-hostile lock-in elements to these platforms, and perhaps there’s no clearer example of this than the Asset Library in Squarespace.

As I write this, I’m in the process of migrating the website for a big band I play in from Squarespace to WordPress. The first step in the move, of course, is setting up a new WordPress site, and since I’m basically just trying to roughly recreate the single-page site we currently have (at least as a starting point), I need to download the assets for the current site: images and videos.

Squarespace has a very elegantly designed Asset Library section, where you can view and organize all of the files you’ve uploaded to your site. There’s just one thing you can’t do: download the files.

Um, what?

Yes… Squarespace offers no way to download the files from your Asset Library. Not in bulk, and not even individually. Seriously.

Sure, it’s not too hard to download the images. You can just drag them from your browser window to your desktop. Even if you drag the thumbnails, you’ll get the original full-sized image. That’s almost enough to make me not hate the experience. But then there are videos.

Video on the web is kind of weird. HTML5 has broad support for videos in an open way, just like with images. The problem is, the early web didn’t really support video because no one had the bandwidth for it, and by the time it gradually gained support — initially through proprietary plugins like Flash — the web had “matured” to a point where companies were trying to find ways to lock down their assets.

So again, even though HTML5 supports video, the way videos are presented on Squarespace, even in the admin, is through multiple layers of wrappers that obscure access to the actual files. Even if you view the raw source of the page, there’s no way to get the direct URL of the file. There is no way to download videos from your Squarespace Asset Library. At all.

Fuck.

Sorry… although my daily speech is liberally seasoned with profanity, I usually abstain from it here on the blog. But it is absolutely warranted here. Seriously, fuck Squarespace for preventing us from downloading our own files.

Their support forum has a thread where it’s spelled out quite clearly that they do not offer a means of downloading your video files. And their support staff spins it like this some kind of super-complicated functionality that they’d like to offer if only they could, but they just haven’t been able to achieve it yet.

Give me a break. They’ve put considerable resources into making it hard to download the files. It would be an order of magnitude easier to build a straightforward system that at least didn’t actively block you from directly downloading the files one-at-a-time.

Yes, some kind of bulk download feature would actually require them to do some development work. But simply allowing the browser to do what it’s designed to do with HTML5 video tags would at least give us a way to download the files individually.

So, make no mistake: the only reason you can’t download your video files on Squarespace is because Squarespace explicitly does not want you to be able to do that.

That’s reason enough for me never to choose to use their platform.

I guess I need to take back what I said at the beginning. I do hate Squarespace.