Still Stymied (Aug 11, 2025)

Construction work can be fun and satisfying. Fiddle with power tools for a while, and get something you can see and touch. Most careers don’t give that kind of quick feedback.

Programming is even better. Whip out some code, and a few minutes later there’s a button that does something useful. Plus, less risk of knee pain, back pain or tinnitus.

There are times our staff gets into a groove, and cranks out huge piles of code in a day or week. It usually happens while working with familiar tools, and in familiar code.

The opposite is being stymied. It’s a weird word so I looked up its origins: Scottish circa 1850, when an opponent’s golf ball is between yours and the hole.

Our staff has been stymied for a few weeks, while working on the release setup for Mac apps. Progress is painful and slow. The latest barrier is in code signing: Apple’s system to make sure an app file hasn’t been tampered with. It worked for us one time. But when we build a final version of the app, the codesign command says it’s already signed, and does nothing. Then the codesign checker command says it’s not signed. Baffling. We’re trying it now on a different computer to see if it works better there. Apple’s developer support also had some suggestions.

When stymied, often it helps to do something else for a while, and come back with fresh eyes and fresh enthusiasm. That has happened a lot since last November. First we were stymied by Android, then iOS, then Windows installers, then Mac. There have been many half-hour work days followed by a retreat to something more mindless.

It will be nice to get back to more productive programming, but we still need to finish Apple setup so users can try the new app. Once code signing works, we still need to make a provisioning profile, then submit the app to Apple for malware testing. That way you’ll get a less scary message from Gatekeeper when you install the app.

At least we now have simple 1/2/3 instructions, to make future releases easier. It’s mostly just putting files in the right places, and pasting the right command-line text.

Dennis Kolva
Programming Director
TurtleSoft.com


DDOS (Aug 1, 2025)

Not much progress this week, because we suffered from a DDOS (distributed denial-of-service). It’s a website problem caused by a botnet: many thousands of user machines that downloaded something malicious (probably years ago). Now they connect to the Internet and do whatever a bad actor tells them to do.

For unknown reasons, someone decided to take us down. 30,000 different desktops and phones kept sending complex database requests to the shopping cart at SmartKnives.com. The server that runs both of our sites could not keep up with the load. Everything became painfully slow, or stopped working entirely. The worst part was total loss of email for a week.

Cloudflare has an easy way to block DDOS attacks, but it didn’t work. This attack used direct database requests, rather than regular page views, so they got past the safety checks. I guess it’s a vulnerability in the PrestaShop cart system that we use. PrestaShop has many other flaws, and we’d love to replace it some day with something more sturdy. If and when that exists.

Because the attack continued, diagnosing and fixing the problem took forever. Each step required a five-minute wait. Sometimes it would time out, and we needed to start from the beginning. We finally had to shut the cart down for a few days while we looked for a solution.

The answer was a WAF (web application firewall). It examines incoming requests, and routes the bad ones to an error page. The text-matching is not perfect, but it catches about 95% and that’s good enough for now.

This is only the third time we’ve had serious website troubles. The first happened about 20 years ago, when Turkish hackers found their way into the local ISP hosting TurtleSoft. They replaced our home page with their banner, but otherwise did no harm. The second was when a different hacker totally wiped all files at the same local ISP. We were almost done with the transfer to a different hosting company, so that wasn’t too bad either.

Back in the Aughties I spent a lot of time looking at raw website traffic. Part of it was SEO (search engine optimization): tracking what users typed in to find us. Part of it was because we spent a couple thousand monthly on pay-per-click advertising, and wanted to see whether it actually worked. Nope. Almost all the traffic was from old machines in 3rd world countries, click-farming for a living.

It appears we will need to be more vigilant, and watch raw traffic more closely from here on out. Whoever doesn’t like us (or PrestaShop) may find other ways to be a nuisance.

Dennis Kolva
Programming Director
TurtleSoft.com
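
One way to watch raw traffic for the kind of attack described in the DDOS post, as an added example that is not TurtleSoft's code: a botnet spreads its load over many clients, so per-client rate limits see nothing unusual, but grouping requests by "shape" (path plus parameter names, values dropped) exposes an endpoint hit by many clients that each send only a few requests. The combined log format, the `/cart/search` path, the addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Client address and request URL from a combined-format access log line.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" \d{3}')

def shape(url):
    """Reduce a URL to its path plus sorted parameter names, dropping values."""
    parts = urlsplit(url)
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return parts.path + "?" + "&".join(names)

def distributed_floods(lines, min_clients=20, max_per_client=3.0):
    """Return {shape: (requests, distinct_clients)} for request shapes hit by
    many clients that each send only a few requests."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE.match(line)
        if m:
            hits[shape(m["url"])][m["ip"]] += 1
    flagged = {}
    for s, per_ip in hits.items():
        total = sum(per_ip.values())
        if len(per_ip) >= min_clients and total / len(per_ip) <= max_per_client:
            flagged[s] = (total, len(per_ip))
    return flagged

def sample_log():
    """Constructed sample: 30 clients querying a hypothetical cart search twice
    each with varying values, plus one ordinary visitor browsing pages."""
    fmt = '{ip} - - [01/Aug/2025:10:00:{s:02d} +0000] "GET {url} HTTP/1.1" 200 512'
    lines = []
    for i in range(30):
        for n in range(2):
            url = f"/cart/search?q=item{i}{n}&order=price&page={n}"
            lines.append(fmt.format(ip=f"198.51.100.{i + 1}", s=(i + n) % 60, url=url))
    visitor = ["/", "/products?id=7", "/cart/search?q=knife&order=price&page=1"]
    for n, url in enumerate(visitor):
        lines.append(fmt.format(ip="203.0.113.9", s=n, url=url))
    return lines

if __name__ == "__main__":
    for s, (total, clients) in distributed_floods(sample_log()).items():
        print(f"{s}: {total} requests from {clients} clients")
```

A flagged shape is a candidate for a WAF rule or a cache in front of that endpoint; a popular legitimate page can match the same pattern, so the output needs a human look before anything is blocked.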