GDE
Peekaboo.
Apple are always hiding things. They love to hide things. When they get found out they retreat and go hide somewhere else.
The marvelous way Cupertino play with Unix hard links will go either to history or to Ripley's Believe It or Not. Right now they've got a new method like no other: they mark their secrets with an inode of zero. So the file system thinks the entries are scheduled for deletion and leaves them alone.
But they're not scheduled for deletion. Apple are playing tricks with Unix. Showing disrespect as always. Some day they'll get their comeuppance.
Until then you can use GDE to play hide and seek with them to see what they're up to. GDE compares different ways to access directories - not the files in them but the actual bits and bytes, fanboy. There are two common methods and right as rain they never match up. Not on Apple Unix systems at any rate. Haha.
So GDE crunches around and shows you the sore thumbs. Like in this screenshot of a Tiger root directory. Where you see them trying to hide the hard links again. Fools. They're also hiding two journal files the same way - with comparable results.
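The cross-view check described above, as an added example (not GDE's code, which this page does not show): it walks a raw directory buffer and reports the entries whose inode is zero, which an enumerator that skips inode-zero slots never returns. The record layout, the function names and the sample entries are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Record header in the legacy BSD dirent style (layout assumed for this example). */
struct rec { uint32_t ino; uint16_t reclen; uint8_t type; uint8_t namlen; };

/* Append one record to buf at offset off; returns the new offset. */
static size_t put(uint8_t *buf, size_t off, uint32_t ino, const char *name) {
    struct rec r = { ino, 0, 0, (uint8_t)strlen(name) };
    r.reclen = (uint16_t)((sizeof r + r.namlen + 1 + 3) & ~(size_t)3); /* pad to 4 */
    memset(buf + off, 0, r.reclen);
    memcpy(buf + off, &r, sizeof r);
    memcpy(buf + off + sizeof r, name, r.namlen);
    return off + r.reclen;
}

/* Raw view minus filtered view: names with inode 0. Returns count, -1 if malformed. */
int find_cloaked(const uint8_t *buf, size_t len, char out[][256], int max) {
    size_t off = 0; int n = 0;
    while (off < len) {
        struct rec r;
        if (len - off < sizeof r) return -1;            /* truncated header */
        memcpy(&r, buf + off, sizeof r);
        if (r.reclen < sizeof r + r.namlen || r.reclen > len - off) return -1;
        if (r.ino == 0 && r.namlen > 0 && n < max) {    /* slot a filtering reader skips */
            memcpy(out[n], buf + off + sizeof r, r.namlen);
            out[n++][r.namlen] = '\0';
        }
        off += r.reclen;
    }
    return n;
}

/* Constructed sample directory: two entries carry inode 0. */
size_t build_sample(uint8_t *buf) {
    static const struct { uint32_t ino; const char *name; } e[] = {
        {2, "."}, {2, ".."}, {0, ".journal"}, {0, ".journal_info_block"},
        {31, "Applications"}, {47, "etc"} };
    size_t off = 0;
    for (size_t i = 0; i < sizeof e / sizeof e[0]; i++)
        off = put(buf, off, e[i].ino, e[i].name);
    return off;
}

int main(void) {
    uint8_t buf[512]; char names[8][256];
    int n = find_cloaked(buf, build_sample(buf), names, 8);
    for (int i = 0; i < n; i++) printf("cloaked: %s\n", names[i]);
    return n < 0;
}
```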

Rootkit!
It's almost like having a rootkit on your box. But not quite. Yet GDE will tell you if files are being cloaked - and thus can give you a clue whether you've been rooted or not.
By more than your operating system vendor that is.
See Also GDE-FAQ GDE Screenshots Getting Around HFS+ Private Data
