Ach! As soon as I read your post I could hear that single, clear voice singing "Non Nobis Domine". Clearly, it's been too long since I watched it.
The two other scenes that immediately come to mind are Branaugh's delivery of "We few, we happy few, we band of brothers;..." and "... And what have kings, that privates have not too,..."
In Kenneth Branaugh's Henry V there is one of the most amazing tracking shots ever filmed. It happens after the battle and starts when Henry picks up the dead boy. The next 5+ minutes are of him carrying the boy through the blood and gore of Agincourt to the soaring sounds of the Kyrie Eleison. It gives me chills just to think of it.
Admittedly it was only a/24 (called a C-net by us geezers), but I had had it since about 1992. That was back in the days you could get a C-net for the asking, and a B-net (a/16 to you youngsters) could be had without too much whining.
I got a nice note back from ARIN saying:
As the popular quote says, a journey of a thousand miles begins with a single step. 199.201.131.0/24 has been returned to the pool of available addresses - thanks!
Call me me weird, but the first thing I thought of when I read this was a specially reinforced ASR-35 Teletype (maybe ASR 33?) keyboard they had at Standford's Institute for Mathematical Studies in the Social Sciences (IMSSS) for Koko the gorilla. Although she knew Ameslan, they also taught her to use a keyboard with pictures on the keys (apple, ball, etc.). I only met her once and wasn't there when this happened, but the first time they showed her how to use the keys she apparently enthusiastically made her first key press... and pushed the key right through the bottom of the cast iron bottom of the teletype.
Uh, this issue is before the courts, not before some Congressional committee. Although I agree lobbyists have extraordinary influence on Congress, that means nothing when you are dealing with Federal Judges who are appointed for life. As both the Democrats and Republicans have found, most judges actually tend do their jobs based on the law and not based on the ideology of the President who appointed them. (And no, I don't want to argue about the Supremes because then I would just have to go Punch a Kitten.)
Google may, in fact, lose this one now that it is going back to be tried on the merits of the original claim. I'm sure that there will be lots of pretty charts showing the age demographics of Google and Google will be asked to explain how someone with Reid's tech cred (and 1.5 years at the company) suddenly became The Wrong Guy 4 days before the IPO.
Weirdly enough, in 1975 I suffered from real, honest-to-God clinical depression for over a year, and then went on to become (gasp!) a Scientologist. In some ways they did me more good than the shrinks at the VA hospital did, but then they (the Scientologists) started to get weird... I mean really weird.
Years before Hubbard's death in 1986, the "church" was exhibiting increasing signs of paranoia and absolutism — if you weren't 100% in agreement with every tiny thing that Hubbard had ever muttered, then you were a PTS (Potential Trouble Source) or even an SP (Suppressive Person: CoS equivalent of Spawn of Satan). This was very ironic because when I had first read Book One (ie. Dianetics - Modern Science of Mental Health) I was very impressed that there was an appendix that had an article by the inimitable Joseph Campbell that made a compelling argument against Proof By Authority. This was echoed in the "church" at that time by the catch phrase: "if it isn't true for you then it isn't true." Which was an idea that had real appeal for me right up to the point where it morphed into "if it's true for LRH then it's true for you, or else you are an SP." At sometime in the 70's/early 80's they dropped that particular appendix from DMSMH.
So I finally left the CoS in 1982 and, because even though I tried to leave quietly their "you can never leave us" attitude pissed me off, I even threatened to sue and got a fair percentage of my money back. (Try that nowadays!)
What's my point?
Depression is real, very real, but (at least in the 70's) the shrinks I had contact with didn't really know what the hell they were doing.
I actually got some good out of the CoS, but what they did for me then you can get from any good Cognitive Therapist today.
But their own organizational insanity ultimately caused me to become "fully causative" and declare my own version of OT... Out of There.
On a weird side note: Back in Palo Alto I actually knew Mimi Rogers (whose father, Phil Spickler, was the director of the Palo Alto Mission) when she was still married to Jim Rogers. This was several years before she became the first Mrs. Tom Cruise.
Actually it's just the opposite. It's like working in a candy factory and quickly getting completely bored/sick of the candy. I did one site where we were having problems with certain videos in different browsers and I swear to God that there was one clip of some really hot anal action that I got *really* sick of. After about the 3rd time I would watch about 5 seconds of it, see if the problem was manifesting, and then be back in the editor.
Now I watch whale documentaries to get my jollies.... Wait! What?
I had such a bad experience installing 10.04 on a vanilla Dell laptop I wiped it and went back to 9.04. I don't know what they did to the install process, but the suckage meter was pegging.
Actually, that page is an excellent example of why you shouldn't use a display font for normal text. It immediately went on my list of What you don't want your site to look like websites that I show to my customers.
I'll second that opinion. With 37+ years in this ridiculous industry I've lost count of the number of Next New Things® that turned out to be... a yawn. People get invested with a particular way of doing/using/thinking-about things and they only move when the pain threshold of the Old Way gets too high, or the New Way is so clearly superior. Most of us have neither the time nor money to chase ever Shiny New Object that comes along.
My desktop mouse is classic example of this: I am still using a Microsoft IntelliMouse: it's wired, with a PS/2 connecter. Why? Because the damn thing fits my hand perfectly. I've been using mice since I worked at Xerox in the late 70's and I have never found another mouse that so perfectly fits my palm and fingers. I can leave my hand on it all day long and there is absolutely no fatigue because the fit is so good. And they last, too. I have two spares for when my current one (the 2nd one in about 8 or 9 years) wears out. I hate touchpads because they aren't nearly as much of a Fitt's Law device as the MS IntelliMouse is.
PLATO was where I learned to program. Where I learned how to write a couple of lines of TUTOR (back before they even had an FM to R) and then hit Shift-EDIT. That sent me through the "compilor" (their word, not mine) and straight into execution. As soon as I liked/didn't like what I saw, I hit Shift-EDIT again and I was back in the editor exactly where I had been.
This means that in 1973 I learned to work with an Edit-Compile-Execute-Edit cycle that was often measured in less than 10 seconds. It's a hell of a way to learn quickly.
You use IM? I was using Talkomatic in 1973. You use forums? Try Notes (and I don't mean Lotus), again in 1973. MMO Games? Dogfight (1973) or even Nova (1974) (I was the coauthor with Al McNeil). Touch panel? Been there, got the T-shirt (and I still have this bee stuck to my finger (that's a deep, deep PLATO old-timer's joke.))
Between PLATO in the early 70's, and Xerox in Palo Alto in the late 70's (where I was on the BravoX Project at ASD (think "Microsoft Word")), about 80%+ of the fundamental user interface and the foundations of networking (communications and social) were created. In some cases these functions not only haven't improved all that much, some of it is sliding back down hill.
That doesn't mean you need to kiss our ass or anything, but some people around here really need to understand that the world did not start when they were born. It makes me cringe to even hear me say it, but sometimes the arrogance of the young—many of whom cannot be bothered to read even the history of their own industry—really wears thin.
Helicopters can fly, but not because they have wings.
Don't stretch the meaning of words to the breaking point.
And don't think that your knowledge of flight technology in anyway represents the limits of that field.
Helicopters are "rotary-wing aircraft." They get lift just like a fixed-wing aircraft does, i.e. by passing an airfoil through a moving stream of air, thereby causing a drop in pressure on the top which results in lift. Fixed-wings get airflow by being pulled/pushed through the air by a propeller or jet engine, whereas rotary-wings use the engine to directly spin the airfoil to achieve airflow over the surface.
Sorry, but disk is free and RAID 5 has some really nasty rebuild times for large drives. It's also important to remember that RAID is for availability, not backup.
Our largish datasets (2-10TB) run on RAID 1 mirrors for availability and are fully rsync'd to a separate system (also mirrored) for backup. The stuff we really care about is further rsync/rsnapshot'ed offsite.
If you are only getting 90% from any OS you really should be shopping for a new OS. I've got flaky machines in my garage running Linux that regularly are up for 6 months or more at a time, and that includes dodgy power in my area.
Security? When I first sat down at a PLATO IV terminal in Jan 1973, you typed "s" to login as a student, and "a" to login in as an author -- no passwords. If you could guess a file name (called "lesson spaces") you could edit it. Al McNeil and I found any number of allocated-but-unused lesson spaces and just started poking and prodding the system. Al and I basically "guessed" the TUTOR language from looking at other people's code because there were no manuals available at that time (at least not in far off Chicago). But it was exactly because it was so easy to get into the system that we became hackers.
Weirdly enough, 9 months later we (I was a Business undergrad, and Al was an Art undergrad) were teaching TUTOR to UICC profs who wanted to use it for their classes... and one of our students was Al's father, the head of the Physics department.
Sigh, yes, we do have mod_php and mod_python in the same server. Although I had a problem combining the two on another site (also a Django site, but with an osCommerce store (and, no, I didn't anything to do with that piece of crap)) and it turned out to be a problem with shared MD5 libraries (if memory serves, this was almost 3 years ago). Here I'm running it just because I like phpMyAdmin.
Now you've made me feel lazy and bad and I hope you're happy with yourself. Maybe I'll run an alternate Apache with mod_php, but only when I'm doing DB reorganization. Sigh.
I'm embarrassed to say that not only do I have a copy of this fsking thing, it's even under version control! Gack! This happened because the site owners upload images directly into the production server's/media directory and I periodically do an "hg add/media; hg push". I ain't doing that no more, Boss.
I sent a copy to you via your website. It is one very convoluted piece of crap. If you ever figure out exactly what this thing is doing I'd love a walk-through.
This is a dedicated server and has only three accounts with passwords, all of which are strong. Only 4 ports are open: 22 (SSH), 80 (HTTP), 443 (HTTPS), and 8000, which is where I do short runs of the Django development server. The dev server port only responds to a very short list of hardwired IPs. SSH disallows root logins. Apache is chrooted and uses suexec. This last wasn't true before and is quite probably the entry vector.
I mentioned tripwires. Since everything is under Mercurial VCS we can do several things to make sure nothing has changed. Without going into all of the details, suffice it to say that should something change on the server, alarms will go off. Even monkeying with the alarm mechanism will set off an alarm.
All of this will not keep a really determined Black Hat out, and I know that. But he won't pwn us for long before we know it and then can take steps to push back the tide once again.
We get so many 404s because of probes from random script kiddies that I tend to ignore that part of the daily log scan -- big mistake. (I have my own link checker so I know that all of the real URLs are correct and functioning.) It wasn't until the site owner said that we seemed to have dropped off the search results at Google that we knew something was wrong. I couldn't figure out why and spent quite a bit of time banging my head against random walls.
Although I had looked at the logs I was mostly looking for 500 errors. I finally started to focus on the 404s and little bells started going off when I saw a whole bunch of them for msnbot. And then I saw a whole bunch for googlebot. And then I noticed that they were all under our/media path. I immediately started checking all of the URLs that had 404ed and they all worked fine.
Google was also reporting that they were getting a 404 on our sitemap.xml. Shit! I tested it with their 'Test you URL' page and it worked, so I resubmitted it and... it 404ed! WTF? (I'm still not sure why this got snarled with sitemap.xml, but it was involved.)
I went and took a long, hot shower -- this is my place of refuge and deep thinking. The question was: what could cause all of these errors for the spider-bots, but not produce them for me or any normal human? I looked like a prune by the time it hit me: they weren't seeing the same pages/files I was. How could that happen? If this was a networking problem it would already be smelling like a firewall issue of some sort -- the unseen middleman.
I should mention here that this is a Django site, which means I'm pretty much all over the URLs coming in... except for/media, which are handled directly by Apache as static files. Apache... hmmm... !
Apache's.htaccess file is probably the single most powerful file on your website, and you don't even see it when you do an 'ls'. I popped into the editor and I almost crapped my pants:
Those address ranges, btw, are all for googlebot and msnbot, so this only fires if you are coming from one of those net blocks. The special google URL checker wasn't coming from one of those addresses which is why it worked.
The scary thing is that this code is correct except for one little detail.
The bots were getting 404s because the Black Hats got the path wrong. This isn't a normal PHP site and the topmost directory contains all of the Django stuff in one branch and all of the media in a different branch. Apache sees that topmost directory and it's where the.htaccess file lives, but the master.conf file has a specific <Location> rule that maps directly to/media, not/pop/media. If they had not made that error I don't know how long it would have taken to uncover this.
We still don't know how they got in. We changed all of the passwords and double-checked that we were up to date on all of the server code. There also are multiple levels of tripwires in place now so I'll know about any changes within minutes of it happening. And now we wait . . . .
Slashdot Mirror
Ad? What is this 'ad' you speak of?
Hmmm ... maybe I need to disable AdBlock Plus so I can better understand these strange words.
Ach! As soon as I read your post I could hear that single, clear voice singing "Non Nobis Domine". Clearly, it's been too long since I watched it.
The two other scenes that immediately come to mind are Branaugh's delivery of "We few, we happy few, we band of brothers; ..." and "... And what have kings, that privates have not too, ..."
Sigh ... time to dig out the DVD.
Let's go for the really long takes.
In Kenneth Branaugh's Henry V there is one of the most amazing tracking shots ever filmed. It happens after the battle and starts when Henry picks up the dead boy. The next 5+ minutes are of him carrying the boy through the blood and gore of Agincourt to the soaring sounds of the Kyrie Eleison. It gives me chills just to think of it.
Admittedly it was only a /24 (called a C-net by us geezers), but I had had it since about 1992. That was back in the days you could get a C-net for the asking, and a B-net (a /16 to you youngsters) could be had without too much whining.
I got a nice note back from ARIN saying:
As the popular quote says, a journey of a thousand miles begins with a single step. 199.201.131.0/24 has been returned to the pool of available addresses - thanks!
You can medicate ed with Viagra.
What you really want is TECO FTW!
Actually, it is "law", which is shorthand for mu-law. (I tried to use the HTML entity for mu but Slashdot's system ate it.)
Call me me weird, but the first thing I thought of when I read this was a specially reinforced ASR-35 Teletype (maybe ASR 33?) keyboard they had at Standford's Institute for Mathematical Studies in the Social Sciences (IMSSS) for Koko the gorilla. Although she knew Ameslan, they also taught her to use a keyboard with pictures on the keys (apple, ball, etc.). I only met her once and wasn't there when this happened, but the first time they showed her how to use the keys she apparently enthusiastically made her first key press ... and pushed the key right through the bottom of the cast iron bottom of the teletype.
I don't know if this applies to toddlers. :-)
Uh, this issue is before the courts, not before some Congressional committee. Although I agree lobbyists have extraordinary influence on Congress, that means nothing when you are dealing with Federal Judges who are appointed for life. As both the Democrats and Republicans have found, most judges actually tend do their jobs based on the law and not based on the ideology of the President who appointed them. (And no, I don't want to argue about the Supremes because then I would just have to go Punch a Kitten.)
Google may, in fact, lose this one now that it is going back to be tried on the merits of the original claim. I'm sure that there will be lots of pretty charts showing the age demographics of Google and Google will be asked to explain how someone with Reid's tech cred (and 1.5 years at the company) suddenly became The Wrong Guy 4 days before the IPO.
Weirdly enough, in 1975 I suffered from real, honest-to-God clinical depression for over a year, and then went on to become (gasp!) a Scientologist. In some ways they did me more good than the shrinks at the VA hospital did, but then they (the Scientologists) started to get weird ... I mean really weird.
Years before Hubbard's death in 1986, the "church" was exhibiting increasing signs of paranoia and absolutism — if you weren't 100% in agreement with every tiny thing that Hubbard had ever muttered, then you were a PTS (Potential Trouble Source) or even an SP (Suppressive Person: CoS equivalent of Spawn of Satan). This was very ironic because when I had first read Book One (ie. Dianetics - Modern Science of Mental Health) I was very impressed that there was an appendix that had an article by the inimitable Joseph Campbell that made a compelling argument against Proof By Authority. This was echoed in the "church" at that time by the catch phrase: "if it isn't true for you then it isn't true." Which was an idea that had real appeal for me right up to the point where it morphed into "if it's true for LRH then it's true for you, or else you are an SP." At sometime in the 70's/early 80's they dropped that particular appendix from DMSMH.
So I finally left the CoS in 1982 and, because even though I tried to leave quietly their "you can never leave us" attitude pissed me off, I even threatened to sue and got a fair percentage of my money back. (Try that nowadays!)
What's my point?
On a weird side note: Back in Palo Alto I actually knew Mimi Rogers (whose father, Phil Spickler, was the director of the Palo Alto Mission) when she was still married to Jim Rogers. This was several years before she became the first Mrs. Tom Cruise.
Actually it's just the opposite. It's like working in a candy factory and quickly getting completely bored/sick of the candy. I did one site where we were having problems with certain videos in different browsers and I swear to God that there was one clip of some really hot anal action that I got *really* sick of. After about the 3rd time I would watch about 5 seconds of it, see if the problem was manifesting, and then be back in the editor.
Now I watch whale documentaries to get my jollies. ... Wait! What?
I had such a bad experience installing 10.04 on a vanilla Dell laptop I wiped it and went back to 9.04. I don't know what they did to the install process, but the suckage meter was pegging.
Actually, that page is an excellent example of why you shouldn't use a display font for normal text. It immediately went on my list of What you don't want your site to look like websites that I show to my customers.
I'll second that opinion. With 37+ years in this ridiculous industry I've lost count of the number of Next New Things® that turned out to be ... a yawn. People get invested with a particular way of doing/using/thinking-about things and they only move when the pain threshold of the Old Way gets too high, or the New Way is so clearly superior. Most of us have neither the time nor money to chase ever Shiny New Object that comes along.
My desktop mouse is classic example of this: I am still using a Microsoft IntelliMouse: it's wired, with a PS/2 connecter. Why? Because the damn thing fits my hand perfectly. I've been using mice since I worked at Xerox in the late 70's and I have never found another mouse that so perfectly fits my palm and fingers. I can leave my hand on it all day long and there is absolutely no fatigue because the fit is so good. And they last, too. I have two spares for when my current one (the 2nd one in about 8 or 9 years) wears out. I hate touchpads because they aren't nearly as much of a Fitt's Law device as the MS IntelliMouse is.
I rarely wish for mod points, but I almost sprayed coffee on my monitor reading this one. +10 Funny!
PLATO was where I learned to program. Where I learned how to write a couple of lines of TUTOR (back before they even had an FM to R) and then hit Shift-EDIT. That sent me through the "compilor" (their word, not mine) and straight into execution. As soon as I liked/didn't like what I saw, I hit Shift-EDIT again and I was back in the editor exactly where I had been.
This means that in 1973 I learned to work with an Edit-Compile-Execute-Edit cycle that was often measured in less than 10 seconds. It's a hell of a way to learn quickly.
You use IM? I was using Talkomatic in 1973. You use forums? Try Notes (and I don't mean Lotus), again in 1973. MMO Games? Dogfight (1973) or even Nova (1974) (I was the coauthor with Al McNeil). Touch panel? Been there, got the T-shirt (and I still have this bee stuck to my finger (that's a deep, deep PLATO old-timer's joke.))
Between PLATO in the early 70's, and Xerox in Palo Alto in the late 70's (where I was on the BravoX Project at ASD (think "Microsoft Word")), about 80%+ of the fundamental user interface and the foundations of networking (communications and social) were created. In some cases these functions not only haven't improved all that much, some of it is sliding back down hill.
That doesn't mean you need to kiss our ass or anything, but some people around here really need to understand that the world did not start when they were born. It makes me cringe to even hear me say it, but sometimes the arrogance of the young—many of whom cannot be bothered to read even the history of their own industry—really wears thin.
Try the fish.
It's rare, but sometimes I wish I had an extra mod point or two.
Helicopters can fly, but not because they have wings. Don't stretch the meaning of words to the breaking point.
And don't think that your knowledge of flight technology in anyway represents the limits of that field.
Helicopters are "rotary-wing aircraft." They get lift just like a fixed-wing aircraft does, i.e. by passing an airfoil through a moving stream of air, thereby causing a drop in pressure on the top which results in lift. Fixed-wings get airflow by being pulled/pushed through the air by a propeller or jet engine, whereas rotary-wings use the engine to directly spin the airfoil to achieve airflow over the surface.
Sorry, but disk is free and RAID 5 has some really nasty rebuild times for large drives. It's also important to remember that RAID is for availability, not backup.
Our largish datasets (2-10TB) run on RAID 1 mirrors for availability and are fully rsync'd to a separate system (also mirrored) for backup. The stuff we really care about is further rsync/rsnapshot'ed offsite.
Disk. Is. Free.
If you are only getting 90% from any OS you really should be shopping for a new OS. I've got flaky machines in my garage running Linux that regularly are up for 6 months or more at a time, and that includes dodgy power in my area.
Security? When I first sat down at a PLATO IV terminal in Jan 1973, you typed "s" to login as a student, and "a" to login in as an author -- no passwords. If you could guess a file name (called "lesson spaces") you could edit it. Al McNeil and I found any number of allocated-but-unused lesson spaces and just started poking and prodding the system. Al and I basically "guessed" the TUTOR language from looking at other people's code because there were no manuals available at that time (at least not in far off Chicago). But it was exactly because it was so easy to get into the system that we became hackers.
Weirdly enough, 9 months later we (I was a Business undergrad, and Al was an Art undergrad) were teaching TUTOR to UICC profs who wanted to use it for their classes ... and one of our students was Al's father, the head of the Physics department.
+1 Dead on!
My kingdom for a mod point!
Sigh, yes, we do have mod_php and mod_python in the same server. Although I had a problem combining the two on another site (also a Django site, but with an osCommerce store (and, no, I didn't anything to do with that piece of crap)) and it turned out to be a problem with shared MD5 libraries (if memory serves, this was almost 3 years ago). Here I'm running it just because I like phpMyAdmin.
Now you've made me feel lazy and bad and I hope you're happy with yourself. Maybe I'll run an alternate Apache with mod_php, but only when I'm doing DB reorganization. Sigh.
I hate this shit.
I'm embarrassed to say that not only do I have a copy of this fsking thing, it's even under version control! Gack! This happened because the site owners upload images directly into the production server's /media directory and I periodically do an "hg add /media; hg push". I ain't doing that no more, Boss.
I sent a copy to you via your website. It is one very convoluted piece of crap. If you ever figure out exactly what this thing is doing I'd love a walk-through.
Good points.
This is a dedicated server and has only three accounts with passwords, all of which are strong. Only 4 ports are open: 22 (SSH), 80 (HTTP), 443 (HTTPS), and 8000, which is where I do short runs of the Django development server. The dev server port only responds to a very short list of hardwired IPs. SSH disallows root logins. Apache is chrooted and uses suexec. This last wasn't true before and is quite probably the entry vector.
I mentioned tripwires. Since everything is under Mercurial VCS we can do several things to make sure nothing has changed. Without going into all of the details, suffice it to say that should something change on the server, alarms will go off. Even monkeying with the alarm mechanism will set off an alarm.
All of this will not keep a really determined Black Hat out, and I know that. But he won't pwn us for long before we know it and then can take steps to push back the tide once again.
God, I hate this shit.
We get so many 404s because of probes from random script kiddies that I tend to ignore that part of the daily log scan -- big mistake. (I have my own link checker so I know that all of the real URLs are correct and functioning.) It wasn't until the site owner said that we seemed to have dropped off the search results at Google that we knew something was wrong. I couldn't figure out why and spent quite a bit of time banging my head against random walls.
Although I had looked at the logs I was mostly looking for 500 errors. I finally started to focus on the 404s and little bells started going off when I saw a whole bunch of them for msnbot. And then I saw a whole bunch for googlebot. And then I noticed that they were all under our /media path. I immediately started checking all of the URLs that had 404ed and they all worked fine.
Google was also reporting that they were getting a 404 on our sitemap.xml. Shit! I tested it with their 'Test you URL' page and it worked, so I resubmitted it and ... it 404ed! WTF? (I'm still not sure why this got snarled with sitemap.xml, but it was involved.)
I went and took a long, hot shower -- this is my place of refuge and deep thinking. The question was: what could cause all of these errors for the spider-bots, but not produce them for me or any normal human? I looked like a prune by the time it hit me: they weren't seeing the same pages/files I was. How could that happen? If this was a networking problem it would already be smelling like a firewall issue of some sort -- the unseen middleman.
I should mention here that this is a Django site, which means I'm pretty much all over the URLs coming in ... except for /media, which are handled directly by Apache as static files. Apache ... hmmm ... !
Apache's .htaccess file is probably the single most powerful file on your website, and you don't even see it when you do an 'ls'. I popped into the editor and I almost crapped my pants:
Those address ranges, btw, are all for googlebot and msnbot, so this only fires if you are coming from one of those net blocks. The special google URL checker wasn't coming from one of those addresses which is why it worked.
The scary thing is that this code is correct except for one little detail. The bots were getting 404s because the Black Hats got the path wrong. This isn't a normal PHP site and the topmost directory contains all of the Django stuff in one branch and all of the media in a different branch. Apache sees that topmost directory and it's where the .htaccess file lives, but the master .conf file has a specific <Location> rule that maps directly to /media, not /pop/media. If they had not made that error I don't know how long it would have taken to uncover this.
We still don't know how they got in. We changed all of the passwords and double-checked that we were up to date on all of the server code. There also are multiple levels of tripwires in place now so I'll know about any changes within minutes of it happening. And now we wait . . . .