Half-Elf on Tech

Thoughts From a Professional Lesbian

Author: Ipstenu (Mika Epstein)

  • Failure to Protect


    Something I knew would come up after I posted about my ongoing harassment is the question “How do we fix this?”

    Now, the cause of all this actually can be boiled down to two things:

    1. A systemic failure of social services to help those in need
    2. The overall lack of awareness of how tools are abused

    I can’t really fix the first one. The world is broken on many levels and the fact that people in pain and anger have no help, and thus lash out in anger at me, at you, at people who write code, at people just trying to help … That’s all of us. We need health care (physical and mental). We need fair and equal pay. We need a living wage, not a minimum one where companies literally pay you that because they don’t have to treat you like a human.

    That one is huge.

    But the other problem? That’s why I posted.

    How Can Code Be (Ab)Used?

    When we write code, and this is pretty much all of us, we’re trying to solve a specific problem. Sometimes that problem is huge, with multiple layers and facets and complexities that make us look like a scene from “A Beautiful Mind.” If we’re lucky. Usually we look like this guy:

    Charlie from "it's always sunny in philadelphia" in front of a conspiracy theory wall.

    Regardless of how twisty-turney our code is, though, at the end of the day the question many of us forgot to ask is “What’s the worst thing someone can do with our code?”

    Let me give you an example.

    “What’s a bad thing someone can do with Akismet?”

    Right? It’s an anti-spam plugin that checks via a closed API (meaning, I have no idea how it works) so it’s not easy at all to abuse, you might think. Well, without any forethought, the very first thing that comes to mind is I could write a bunch of clearly spam comments, spin up my VPN, and use someone else’s email address to leave spam comments on a hundred or a thousand blogs. That would get the email flagged and they’d probably have to constantly struggle until they figured out why, if they ever could. All they’d know is their comments never show up. Give me a couple hours and I could automate that, set it out into the world, and reap the joy of annoying someone.

    I’m fairly certain I just screwed up someone’s day with that, by the way. Sorry/Not Sorry friends over at Akismet. Because that’s my point. If Akismet has not already sat down and made a list of all the shitty, terrible, vile things someone could do with their product, they’ve failed to fully protect its users.

    Disruption Makes Harassment

    When we build to ‘disrupt’ we do so with the knowledge we’re breaking the system. Sometimes we’re breaking it stupidly, like “Uber is disrupting taxis!” really is “Uber figured out that people would rather know what they’re going to pay, and wanted an easy way to hail a gosh darn taxi in the first place! Let’s go!” And yes, I have a low opinion of the ideas to ‘revolutionize’ the bus system (spoilers? invest in public transportation, not privatization).

    The thing is, we continue to attack a single, specific problem. Big, large, whatever, we’re solving a thing.

    But the problem with this is our disruptions create opportunities for harassment.

    Did you get a delivery from Instacart or DoorDash? They know where you live and what you eat. Those are all known risks of course. Could someone roofie my food or tamper with it? Sure! Now the solving of that falls onto the people who package the delivery. Restaurants will tamper-proof seal their deliveries, but that’s on them. What did DoorDash do? Nothing I can find. Instacart? Most of their stuff is pre-packaged, but if you get fresh fruits etc, gosh they could. It’s like those stupid Halloween rumours we heard growing up. None were true, but …

    Uber received 235 reports of a rape occurring during a ride in the United States in 2018. Those are the numbers of reported cases, provided by Uber. Remember, rape is wildly underreported in the US (probably everywhere). Now think about all the information an Uber driver has on you? They know where they picked you up, they know where they dropped you off, and they know your name. And they can get your phone number.

    All those great innovations? Actually yes. They’re really helpful to people! Calling a car to your door that’s more reliable than a Taxi? Hell yes! But they are incredibly easy to use to harass someone. Of course they require you to be in the same general location, but still. What are they doing to make us safer? What about the drivers? Someone I know quit driving because the guy wanted her to drop him off inside a super suspect parking lot. She dropped him off outside. He called her a four letter word that starts with a C.

    Social Media Makes Monsters

    I’m sure I don’t have to list out the problems with social media. If someone harasses me, I block them, but they can make a new account and a new account and a new account. They can get a VPN and a fake email, and we’re always and forever behind the 8 ball catching and stopping.

    Why do Facebook moderators have PTSD? Why do content moderators on YouTube have to sign a waiver agreeing that they know their job may cause mental breakdowns, and it’s not YouTube’s fault?

    And the answer here is because our solutions are HUMANS.

    We disrupted communication, but we opened the door for harassment because there was little to no forethought put into how to protect anyone. In fact, I bet I know how the conversation went (spoilers? I had this conversation with someone):

    “Hey, someone could make a hundred fake accounts all to call someone a jackass.”
    “Yep. No point trying to stop that. We block ’em they’ll just make new accounts.”
    “Yeah, good point. Okay, next item on the agenda? Bots!”

    Oh yeah, Bots totally extended from that problem. I used to use something called Block Together to catch and block bots and spammers and harassers, but the fact that it shut down and Twitter never made anything better is … well it tells a story, doesn’t it? Can anyone tell me what Twitter’s done?

    Well they, and Facebook, claim to be using machine learning to find and track abuse, but here’s the funny thing. I have a friend who has been permabanned from Twitter for telling someone to jump in a volcano. The claim was she was violent and sent a legitimate and plausible threat. About a volcano. Which she does not own. I mean, do any of us? It’s not even that it was a bad joke about suicide, it was flagged as a violent threat.

    Want to know how that happens? It’s easy. She tells a man to shove it, he and his friends mob-report her, Twitter’s AI decides “Gosh, if all these people flagged her, it’s real!” and bans her. No appeals. Done. And this story is repeated over and over, that the AI caught something (people talking about black and white chess pieces was pretty recent), banned someone, and that’s the end of it.

    All this is not to mention the ongoing racist and sexist biases of AIs, like how Asian people can’t use FaceID, or how Google’s AI labelled black people as gorillas? All of those things come down to the problem of people with biases (which is a systemic issue related to the failure of social services) building AIs and not thinking about the abuse therein (which is … an us problem).

    To put this a different way, we’ve been fighting spam in email since email was born, and everyone still gets some in their inbox. If we can’t win with that? We’re never going to win with an AI and abuse.

    Democratizing Abuse

    Now, I’m going to say something controversial.

    WordPress democratized abuse.

    I’m not talking about WordPress.org and the forums and plugins and themes. I’m talking about your blog. If you have comments open, what’s to stop someone from leaving comments pretending to be you? Heck, if you have comments open, what’s to stop someone from leaving comments pretending to be ME? How do you ban someone from your site? How do you ban them from a network? How do you stop them from making an account or email one after another and using your contact form to be a jerk?

    I have 10+ rather insane messages from a contact form that tell you that even for me, someone who is pretty much awesome at WordPress code, this is not easy. For a long time, you couldn’t filter contact form messages to block spammers on Jetpack. How long? Well I opened the ticket in 2014, so it was a long time until 2020, when someone else made a new ticket about it.

    Is all this WordPress’ fault? Absolutely not! I don’t have to have comments on most of the time, or a contact form. You’ll notice I have neither on most posts on this site, and it’s for a reason. Abuse and harassment. In fact, WordPress gives me the agency to both harass people via my blog (if I wanted to) and protect myself from the harassment by others. That’s a fun one when you say it out loud, ain’t it?

    WordPress is a weapon, like all websites. When wielded by the good and just, it’s a weapon for good and justice. When it’s not? Let me just point out that there are a lot of ‘revenge porn’ type sites out there, powered by WordPress. And again, none of that is WordPress’ fault.

    We built WordPress to make it easier to publish whatever we want, whenever we want. We build features and plugins and themes to share stories. Not all of those stories are good. Some of them are abusive. And while there are already laws out there about it, technology is a massive hole of lawlessness where the laws can’t be applied.

    We’ve all heard “Guns don’t kill people, people kill people.” Some of you even know the common retort “Guns make it a heck of a lot easier, though.”

    WordPress isn’t the harasser, but gosh it makes things easier. And if that doesn’t give you chills and nausea, you’re not paying attention to the world. It sure scares the snot out of me.

    The Open Consequences Net

    I have to preface this bit with the fact that I don’t believe in ‘Cancel Culture’ but I do believe in consequence culture. Do I think you should be ‘canceled’ for telling a single off-colour joke 5 or 10 years ago? Hell no. But do I think you should be canceled for telling multiple jokes, being a defensive jerk when called out on them, and showing your literal penis to people? Hell yes.

    Actions have consequences. Or at least they should. And the problem we’re facing is that by making an Open Internet, which I’m in full support of, we failed to put in any way to enforce consequences. Everything is silo’d so I can ban you from site A or B, but not C or D. Worse, because you can make another email or get a new IP, I cannot permanently ban you forever, just from each account.

    Whack-a-Mole gif of someone ... whacking a fake mole that pops up in a game.

    Basically? We built something so wild and free and open, we cannot contain or control it anymore.

    Can We Fix It?

    This is the part where I tell you how much I hated making this post.

    See, I have no idea. Seriously.

    Even if we make the internet ‘invite only’ (as if that was possible), it’ll still be abused. But I don’t think that means we should do nothing. I think we’re not doing enough to make it difficult and hard for abusers and harassers to get a foot in the door. We’re making it so the only way people can protect themselves is to simply not be social online. Given the pandemic, I suspect you can all see why that’s a flawed prospect.

    Everything we need to do needs to be balanced. For example, it’s easy (and probably right) to say we need to begin to disrupt ‘anonymity’ but… What about people who can’t say who they are for fear of retribution? I immediately think of all those kids out there who are terrified for their ultra conservative, homo-hatin’ family members to find out they’re queer? They should be allowed to be anonymous and learn that there’s a world out there who loves them.

    I do like to bag on Twitter and Facebook for their lack of nuance when it comes to handling harassment and abuse, but I am also a realist. At their scale? How the hell do you tackle things? The only answer is really to throw more humans at it which would make more jobs, but it’s some of the most soul destroying work you’re ever going to do. And they don’t see it as a beneficial investment, so they’re not going to pay the people who do this a solid wage, with great health care, rotating them in and out so they don’t flame out.

    Proof? Okay. Read what happened to WangGuard.

    WangGuard worked in two different ways: as an algorithm that I had been refining for 7 years, and which was getting better as the sploggers evolved, so that it was always one step ahead of them, and also as human curation, in which I reviewed many factors, among them sites of sploggers to see if their content, could improve the algorithm and make sure that it worked correctly both when it was blocking or not blocking a site. The great secret of WangGuard was this second part. Without it WangGuard would not ever have become what it was.

    This human component is what I have been doing for 7 years, and also what has led me to close WangGuard (along with other considerations that are not relevant).

    Why WangGuard was Closed by Jose Conti

    And I have to agree with Jose, doing that job eats at your soul. The ‘fix’ is to change the world, and that’s just exhausting.

    What Can We Do?

    When you make a product, ask yourself “How can this be abused?” If you can’t think of anything, look around the room of the people you’re working with. Are they all from the same ethnic or socioeconomic background as you? Get people who aren’t. Get minorities in the room. Get PoC, get women, get queers, get kids. Get people who didn’t go to college, those who did, those with and without children, those from other nations. Get them and ask them “Hey, what’s the worst thing you could do to someone else with this?” Ask them “Do you see any flaws?”

    And then? Listen to them. If women tell you “That’s going to make it impossible to stop people from sending us dick-pics” take it seriously. But for the love of Pete the Plug, take them seriously.

    This means we are all going to have to accept when we’re wrong, when our ideas have flaws, and learn from those moments. It’s hard! We don’t want to hear our great idea is screwed up, but sometimes it is.

    We’ll never change the world for the better if we cannot change ourselves.

  • Bad Actors: Block or Not?


    So here’s a fun question… Say you’re being harassed or bothered by a single person. Do you block them?

    This should be a simple answer, right? Obviously block. If you block, you don’t have to see them, they can’t get to you, it’s great. Except, as anyone who’s been harassed will tell you, if the person is particularly an asshole, they will make more accounts with which to try and contact you! I’m not joking when I say my particular headache has used over 100 separate emails. Even if you report them to the email services as soon as possible, some will tell you “There’s nothing we can do to prevent abuse.”

    That’s a different issue for another post. This one is … do I block or not?

    The ‘dude’ in this story is an amalgamation of at least five separate men, all of whom did the same thing, and all of whom claim to be ‘woke’ feminists. No names are mentioned nor will they be, but I suspect they’ll see themselves…

    The ‘splain Drain

    There’s no way around this one, and some people I know on Twitter do this. If you block people on an account, they use another. I’ve blocked people for being perpetual mansplainers. Like someone who was offering advice on how to travel after it was mentioned a friend and I were going to a specific location he was familiar with. Now, you’d think “Oh but he meant well, right?” The problem was he had a history of un-thinking hot-takes. We were going to a specific convention (not WordCamp) and we knew we’d be working that con basically 12 hours a day, making notes, recording interviews, and so on. Our goal was not to go to that town and party, it was work.

    The advice? Lots of places to have fun, how to handle working conventions, etc etc.

    Now. Anyone who actually knew us and followed our tweets knew that my friend and I had all that locked down. We’ve worked cons before, ones way the hell bigger than this one, and we knew how to handle ourselves. We knew how to optimize our packing, how to prioritize, and we were not asking for advice or help. Simply, we said we were excited to go to this event.

    Again, you could think “Oh but he meant well.” The thing was, he took zero time to read the room. He didn’t scroll back and see the older tweets, he didn’t see any of the conversations prior. He saw one moment, and jumped in. All of the other comments were about who we were going to meet/interview, how nice it would be to be at a convention like that, tech talk about devices and charging and packing and carrying. We weren’t going to go to party, we weren’t going to go to fancy restaurants. We had jobs.

    If you’re a woman in tech, you’re tired of that behaviour. Because now it’s suddenly your job to roll back, re-explain everything, and thank this person for their time but you’re good. And I have to tell you, it’s exhausting to do that over and over and over. I cannot begin to tell you how many times my reply to someone has been “Thanks, but per the discussion, we’re doing X. Please re-read the whole convo.”

    It is an ongoing, perpetual drain that men (and yes, I do call out men here) jump in with ‘help’ without giving anyone the respect and time to actually read the freaking room. They don’t do the research, they don’t read the scroll back, they don’t even ask “Is this all sorted out or can I help?” They assume that you need help, and they believe they’re the one to do it.

    Mute Them

    I’m sure a lot of guys I know are pissed off at me right now, but guess what buddies? That’s why I mute a lot of you. Some women too, yes, and if a single one of you idiots jumps in with ‘not all men!’ I will escalate and block you, because the ‘all’ isn’t the point. The point is that a majority of men (especially in tech) do this. They are the Hero. The Saviour. The Champion. They can help YOU!

    So when people, of any gender, jump into my timeline and offer advice where they clearly have not read a blessed thing, I mute them. The guy I’m talking about who mansplained? Wanna know what he did? He kept on explaining how he was trying to help. My friend told him “Thanks but no thanks.” and I didn’t reply at all, but he went on. So I blocked him. And that sucked, because he was someone I did like as an acquaintance. I’d even given him asked-for advice to get a better job. He has one now, and I’m happy for him.

    Anyway. Blocked him, moved on, and a couple years later he had yet another hot-take which was also entirely wrong. It really doesn’t matter what the subject was, but what matters is I was complaining about a stupid part of a contract that told me I was to do thing A in advance of a release but also not to do thing A until after the release.

    A very confused Nicole Haught, using the confused math meme format.

    So I complained about this on twitter, remarking how daft it was. One of the blokes I’d muted hopped on the reply-train to tell me that’s because I wasn’t really part of the process.

    Repeat that meme above, eh. Signed contract. Told I was supposed to do X for the process, but also not to do it… And if you’re wondering “Mika, didn’t you block him?” yes, yes I did. He used another account to contact me with another bad take. A 100% incorrect take, born of his own ignorance about the subject matter and the contract. I replied, correcting his assumption (and at that time not realizing who he was).

    The next reply from him was that he actually had understood but he wanted to say something ‘different.’ At that point I thought ‘this sounds like one of those guys …’ and I looked at the account. Oh yes, it was. But I thought maybe he was redeemable, maybe he’d changed, and I asked him if he had any experience or expertise in this area at all (it’s not WordPress related). That reply was the nail in the coffin. He said it was a joke, he offered to explain the joke, and he said I knew who he was, and his credentials were available.

    Right. I replied, told him the joke wasn’t funny and if it needed to be explained, it was a bad joke, and I muted him.

    My thought process was as follows:

    1. Someone who always replies with ‘jokes’ isn’t someone I feel like listening to.
    2. People who reply constantly with ‘jokes’ aren’t listening to me in the first place, they’re listening for bullet points they can joke about.
    3. The ‘it was a joke’ defence suggests it wasn’t a joke, he knew that, and he’s hurt I called him out.
    4. Anyone who tells me his credentials are online, and yet flat-out cannot be bothered to correct his assumptions about mine is disrespectful.
    5. I already blocked his personal account.

    Why not block?

    Well. As you can see from this story, I had already blocked him and he was using a secondary account to follow me and comment on things. Did I know, prior to the conversation, that he was in charge of that account? Not at all. I had no reason to look. Now that I have looked, I see his feed is still filled with low-key racism and ignorance all over the damn place. He probably doesn’t even see that, and if he figures out this post is talking about him, he’s probably livid.

    But again, this isn’t about Mr. Mansplainer, it’s about why I didn’t block him right away. I muted him.

    I didn’t block him because I don’t want to encourage him to make a third account (or use another one he already has) to try and talk to me. I just don’t want to hear from him.

    And that is a decision that women online make every day. We recognize that blocking people just makes them madder and that sometimes they jump around and use more accounts to be jerks. It’s happened time and again to me, I’m sure it will again, and it’s why I heavily mute people all the time.

    Amusingly enough, I’ve been blocked by a couple people I’ve muted, one of whom screamed murder because I didn’t accept his DMs. I don’t accept DMs from anyone I don’t follow for a reason: I’m tired of people being assholes. So it wasn’t personal, John Doe, but way to go.

    Okay but … How can I mute on my site?

    You mean comments and contact forms? Good question!

    First? Turn off comments and remove your contact form. You don’t need them most of the time. If you do want them, for the love of the flying spaghetti monster, use the comment moderation tools! In WordPress go to Settings > Discussion. Now, add in their info. Twitter handles and emails go directly into the Disallowed list. First names (especially if they’re common) go into the moderation list.

    But this is also where I’m kind of a bad person. See, if someone is a jerk in emails and I know they may use a contact form, then, as I’ve been saying since 2014, I should be able to blackhole their messages. By blackhole I mean their emails should appear to be sent, but you never see them.

    In short? They’re treated like spam. This sometimes has the side effect of them being flagged as spam elsewhere, which is why I’m kind of a bad person, but to be honest I don’t care at this point. I want them to go away.

    The downside to this is a lot of plugins don’t have a way to do this. I have spent a lot of time writing code for Contact Forms that actually blocks people (or spams them) when they’re people I’m done wasting my time with. I do think more contact forms need to make this a built in option. “Use your Disallowed lists to block …” but that is a different conversation.
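    As an added example (my code, not Half-Elf’s and not any plugin’s), here is how a contact form handler can reuse the Settings > Discussion Disallowed Comment Keys list to blackhole a sender instead of rejecting them. It assumes it runs inside WordPress 5.5 or later, where wp_check_comment_disallowed_list() exists; the form field names and the halfelf_ function names are made up for the example.

```php
<?php
/**
 * Added example, not the original post's code: treat a contact-form submission
 * the way WordPress treats a comment, by matching it against the Disallowed
 * Comment Keys from Settings > Discussion and, on a hit, silently dropping it
 * ("blackholing") while still showing the sender the normal success response.
 *
 * Assumes WordPress 5.5+ (wp_check_comment_disallowed_list). Field names and
 * the halfelf_ function names are assumptions for this example.
 */

// Return true when any disallowed key matches the submission. WordPress's check
// is a case-insensitive substring match, so "press" matches "WordPress", and an
// email address, Twitter handle or IP in the list matches wherever it appears.
function halfelf_submission_is_disallowed( array $submission ) {
	return wp_check_comment_disallowed_list(
		$submission['name']    ?? '',   // author
		$submission['email']   ?? '',   // email
		$submission['website'] ?? '',   // url
		$submission['message'] ?? '',   // comment body
		$_SERVER['REMOTE_ADDR']     ?? '', // user IP
		$_SERVER['HTTP_USER_AGENT'] ?? ''  // user agent
	);
}

// Hypothetical handler: called by whatever contact form code you use, right
// before it emails the site owner. A blackholed message is logged (optional)
// and never mailed, but the sender gets the same "sent" result as everyone else.
function halfelf_handle_contact_submission( array $submission ) {
	if ( halfelf_submission_is_disallowed( $submission ) ) {
		// Optional audit trail so you can see what was dropped and why.
		error_log( 'Blackholed contact form message from ' . sanitize_email( $submission['email'] ?? '' ) );
		return true; // Report success without sending anything.
	}

	return wp_mail(
		get_option( 'admin_email' ),
		'Contact form: ' . sanitize_text_field( $submission['name'] ?? '' ),
		sanitize_textarea_field( $submission['message'] ?? '' ),
		array( 'Reply-To: ' . sanitize_email( $submission['email'] ?? '' ) )
	);
}
```

    The match is the same substring check WordPress applies to comments: case-insensitive and matching inside words, so keep list entries specific (a full email address or handle rather than a short first name, which belongs in the moderation list instead).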

    How can I make sure I’m not muted?

    If you’ve gotten this far, and you’re angry or you think I’m an asshole for blocking you or posting ‘about’ you, first you should know this: this post is actually about five separate guys. So if you’re seeing ‘you’ in this, you’re not alone, and I’m probably not the only person who wrote you off. Here’s my advice:

    1. Think before you reply. Read the tweet/post, look at the other replies or the followup posts. If you’re not sure, err on the side of respectful caution.
    2. Stop all ‘hot takes’ and ‘joke’ replies unless you know the other person really well.
    3. If you met someone at a WordCamp or chatted online, you DO NOT actually know them really well! You are casual acquaintances.
    4. If someone tells you ‘that isn’t a funny joke’ you reply “Sorry.” and shut the hell up.
    5. If you have to explain the joke, you screwed up, it wasn’t funny, and you’re the one in the wrong.
    6. If someone blocks your account do not use a second account to get around it.
    7. If you’re super mad that someone disagreed with you, walk away. You don’t owe them your time.
    8. If you’re blocked, don’t ask why you’ve been blocked.

    Now once in a while people will hit me up and ask why they were muted/blocked. I’ve replied to one of them, and that was because I took one look and thought “Hang on, I like him! What the hell?” And I looked and found out my old block tool had caught him for retweeting someone I’d blocked (he was explaining why the other guy was a dingus). I’ve turned that off.

    And I know someone is thinking “Wait, you said don’t ask.” Here’s the thing, that person I unblocked? Did not ask! He just pinged in another venue and said “Hey, I read about your dad dying and I wanted to say how sorry I am. You always talked about him so kindly. I would have tweeted but apparently I’m blocked. I’m sorry for whatever I said.”

    Isn’t that nice? It caught my attention. I looked, I unblocked. Because that was someone who acted like a human, didn’t expect a goddamn thing from me, and wanted to treat me like a human.

    It’s tragic that acting like that is rare.

  • Vulnerability Reports Miss The Mark


    Lately I’ve been getting a lot of ‘vulnerability’ reports.

    I use the term loosely because the reality is these are not actually serious vulnerabilities. A couple months ago I started getting a lot of weird reports like this:

    A FLAW FOUND ON YOUR WEBSITE!

    Website Security Vulnerability Notification

    Hello, a security researcher reported a security vulnerability affecting [your] website via [company] coordinated and responsible disclosure program:

    Those can be super scary! Is there really a massive issue?

    No. But I know why it feels that way. And frankly I think a lot of these people are targeting the wrong group. Let’s get into it.

    Scare Tactics

    In the case of all the ones I got, there was only one that I felt actually was. But first, here’s what people reported:

    • The PHPInfo Page was public
    • Directory indexing
    • People can list users (aka User Name disclosures) via the REST API
    • Your xmlrpc is showing
    • Incomplete SSL Protection
    • Your email records allow spoofing (no DMARC compliance)

    The last one? Absolutely an issue. I thanked that person and kicked them some money. But the others? They’re issues, but they’re also incredibly minor! Heck, this user name listing ‘vulnerability’ does not take the following into consideration:

    1. It’s on a site where every author has a page
    2. We have an ‘about us’ page that lists everyone anyway
    3. Strong passwords are enforced
    4. We have a firewall

    The only way I could really improve that would be to enforce 2FA, which I’m contemplating for admins. But that begs the question… is this a vulnerability?

    Okay, let’s ask why this works. It’s known that WordPress has a REST API. This API can be used to list public information about registered users. Now the API does ‘expose’ the user data for everyone who’s authored a public post that is shown in the REST API. Posts and pages and some custom post types included. If the user hasn’t authored posts, you won’t have permission to see them. So again, we’re only able to list public authors. Okay.

    Could that be bad? Sure. In the same way having a front door could be bad if someone kicked it in. But ‘security’ isn’t why I would ever consider blocking that. We literally list all the authors publicly already. If someone wants to use wp-json to grab them, cool. It only shows public information we displayed already, after all.

    Why would I consider blocking? To ensure stability. That is, people hammering my site to find out that I’m not user #1 on HalfElf (surprise!) makes my site slower. But… I have a firewall and ModSecurity, and iptables, which means if you hit my site enough, it’ll block you. Also a lot of stuff is cached, like it should be. Which means this is not a ‘vulnerability’ but more of a ‘best practice notice’ in my opinion.

    And finally … FFS why are you telling individual site owners this!? If you really think it’s a security issue, take it up with WordPress!

    How Do You Stop Them?

    Well, generally you fix the ‘issues.’ Even if you think it’s full of shit, you fix it. So okay, what do we do?

    PHPInfo? Locked it down. I use it for regular checks of other things. If you’re not, just delete it.

    Directory Indexing? I put this at the top of my .htaccess (and yes, you should, I’d removed it for some tests):

    ### Prevent Directory Browsing ###
    Options All -Indexes

    XMLRPC? I said “Nope, not gonna change.” Because I use the WordPress iOS App.

    SSL? You’ll want to check your setup on things like SSL Checker or Immuniweb or SSL Labs. I found SerpWorx’s tool to be invaluable for spelling out what was missing. The easiest by far was SecurityHeaders.com. For that, I ended up adding this to my .htaccess:

    ### Extra Security
    <IfModule mod_headers.c>
    	Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    	Header set X-XSS-Protection "1; mode=block"
    	Header always append X-Frame-Options SAMEORIGIN
    	Header set X-Content-Type-Options nosniff
    	Header always set Expect-CT "max-age=7776000, enforce"
    	Header set Referrer-Policy "same-origin"
    	Header always set Permissions-Policy "geolocation=(); midi=();notifications=();push=();sync-xhr=();accelerometer=(); gyroscope=(); magnetometer=(); payment=(); camera=(); microphone=();usb=(); xr=();speaker=(self);vibrate=();fullscreen=(self);"
    </IfModule>

    The one thing I left out was Content-Security-Policy because that one is crazy complex and needs a lot of testing since a lot of content on the site is remote and needs special rules.
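    To see what a server actually sends back after a change like this, here is an added example (not from the post) of a small offline audit in PHP for the headers that block sets. The response text is a constructed sample, and the halfelf_ names are made up for the example.

```php
<?php
/**
 * Added example, not the original post's code: an offline audit of an HTTP
 * response's security headers, checking for the ones the .htaccess block above
 * sets plus Content-Security-Policy. The response text is a constructed sample
 * of the kind `curl -sI https://example.com/` returns (example.com is a placeholder).
 */

const HALFELF_REQUIRED_HEADERS = array(
	'strict-transport-security',
	'x-content-type-options',
	'x-frame-options',
	'referrer-policy',
	'permissions-policy',
	'content-security-policy',
);

// Parse "Name: value" lines into a lowercase-keyed map (header names are case-insensitive).
function halfelf_parse_headers( string $raw ) {
	$headers = array();
	foreach ( preg_split( '/\r?\n/', trim( $raw ) ) as $line ) {
		if ( strpos( $line, ':' ) === false ) {
			continue; // status line or blank line
		}
		list( $name, $value )                    = explode( ':', $line, 2 );
		$headers[ strtolower( trim( $name ) ) ] = trim( $value );
	}
	return $headers;
}

// Return a list of findings: required headers that are missing, plus weak values.
function halfelf_audit_headers( array $headers ) {
	$findings = array();
	foreach ( HALFELF_REQUIRED_HEADERS as $name ) {
		if ( ! isset( $headers[ $name ] ) ) {
			$findings[] = "missing: $name";
		}
	}
	if ( isset( $headers['strict-transport-security'] ) ) {
		$hsts = $headers['strict-transport-security'];
		// One year (31536000 s) is what the block above sets and what preload lists expect.
		if ( preg_match( '/max-age=(\d+)/i', $hsts, $m ) && (int) $m[1] < 31536000 ) {
			$findings[] = 'weak: strict-transport-security max-age is below one year';
		}
		if ( stripos( $hsts, 'includeSubDomains' ) === false ) {
			$findings[] = 'weak: strict-transport-security lacks includeSubDomains';
		}
	}
	if ( isset( $headers['x-content-type-options'] ) && strtolower( $headers['x-content-type-options'] ) !== 'nosniff' ) {
		$findings[] = 'weak: x-content-type-options should be nosniff';
	}
	return $findings;
}

// Constructed sample: a site that set most of the block above but skipped
// Permissions-Policy and CSP, and chose a one-day HSTS max-age.
$raw = "HTTP/1.1 200 OK\r\n"
	. "Content-Type: text/html; charset=UTF-8\r\n"
	. "Strict-Transport-Security: max-age=86400\r\n"
	. "X-Frame-Options: SAMEORIGIN\r\n"
	. "X-Content-Type-Options: nosniff\r\n"
	. "Referrer-Policy: same-origin\r\n";

foreach ( halfelf_audit_headers( halfelf_parse_headers( $raw ) ) as $finding ) {
	echo $finding, PHP_EOL;
}
```

    Run it once before and once after editing .htaccess (paste the real curl -sI output into $raw) and the two finding lists show exactly what the change fixed and what, like CSP, is still open.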

    Email/DMARC? That took a lot longer, and I had to talk to my email provider to sort it out. But you can run your domain through the MXToolBox checker and see what you’re missing. It’s going to make you cry. Email sucks.

    Okay but I wanna hide users!

    I hear you. You can do this in .htaccess:

    ### Block User Enumeration Requests
    <IfModule mod_alias.c>
        # RedirectMatch is mod_alias, not mod_rewrite: send /wp-json/wp/v2/users
        # (and anything under it) to the public authors page instead.
        RedirectMatch 301 ^/wp-json/wp/v2/users(.*) /about-us/
    </IfModule>

    <IfModule mod_rewrite.c>
        RewriteEngine On

        # ?author=N on the front end (not in wp-admin) goes to the authors page too.
        RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
        RewriteCond %{QUERY_STRING} author=\d
        RewriteRule ^ /about-us/ [L,R=301]

        # Normalize ?rest_route=/wp/v2/users to /wp-json/wp/v2/users so the
        # RedirectMatch above catches that form as well.
        RewriteCond %{QUERY_STRING} rest_route=/(.*) [NC]
        RewriteRule (.*) /wp-json/%1 [L,R=301,QSD]
    </IfModule>

    Now. This means on that site if you go to example.com/?author=1 you will not go to someone’s page. But if you go to example.com/author/ipstenu/ you still would. Which IMO points out how stupid that ‘vulnerability’ is. Yes, I am aware you can see the authors. Oooooh. You’re supposed to!
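    As an added example rather than anything from the post, the same goal can be met inside WordPress with the rest_endpoints filter, which drops the /wp/v2/users routes for visitors who are not logged in so the block editor and other authenticated callers keep working. The /about-us/ path and the halfelf_ function names are assumptions; the snippet belongs in a must-use plugin.

```php
<?php
/**
 * Added example, not the original post's code: hide the users endpoint inside
 * WordPress instead of .htaccess. Anonymous requests to /wp/v2/users get the
 * normal rest_no_route 404; logged-in users (editors, the block editor's
 * author picker, apps using application passwords) still see the routes.
 *
 * Assumptions: an /about-us/ page exists, and the halfelf_ names are made up.
 */

// rest_endpoints hands over the full route table keyed by route regex.
add_filter( 'rest_endpoints', 'halfelf_hide_users_endpoint' );

function halfelf_hide_users_endpoint( array $endpoints ) {
	if ( is_user_logged_in() ) {
		return $endpoints;
	}
	foreach ( array_keys( $endpoints ) as $route ) {
		// Covers /wp/v2/users, /wp/v2/users/(?P<id>[\d]+) and /wp/v2/users/me.
		if ( strpos( $route, '/wp/v2/users' ) === 0 ) {
			unset( $endpoints[ $route ] );
		}
	}
	return $endpoints;
}

// Also cover ?author=N on the front end, like the RewriteRule above: send it to
// the public authors page rather than resolving it to an author archive.
add_action( 'template_redirect', 'halfelf_redirect_author_query' );

function halfelf_redirect_author_query() {
	if ( is_admin() || ! isset( $_GET['author'] ) ) {
		return;
	}
	wp_safe_redirect( home_url( '/about-us/' ), 301 );
	exit;
}
```

    This leaves /author/slug/ pages and the names printed on the about page untouched, which is the point of the section: it removes one lookup path for people hammering the API, not the public information itself.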

    Conclusion?

    A lot of those vulnerability emails are bullshit. I politely reply “Thank you for your concern however we are not blocking access to that because the API is used by other things. It’s considered to be public knowledge anyway.” I may end up writing a form letter.

    And the sucky thing is that one of the sites that collects all that stuff relies only on the reporter to determine if it’s resolved. Both issues they have for the domain in question? 100% resolved. But they say ‘unpatched’ … probably because I told both reporters I’m not paying them.

    I added this to my profile:

    We do not accept reports of basic WordPress functionality, such as the Rest API being active, the use of xmlrpc.php, the enumeration of users, etc. Those are an acceptable risk. Please don’t bother reporting them, they should be addressed with WordPress directly, not end users.

    By the way. The bug bounty program that keeps emailing me? Uses WordPress. And guess whose site has /wp-json/wp/v2/users available to list all their public authors? Yeah. Because it’s not a goddamn major issue.

    I know someone’s gonna point out it could be a major issue. Sure. Like having a window means your house or car could get broken into. That doesn’t mean you remove all the windows!

  • Gravity Forms and Disallowed Keys

    Gravity Forms and Disallowed Keys

    Recently Gravity Forms was added to a site I work on. Now, I’ve never used it before, so I was hands off (except for changing the email it sent to) and I know pretty much nothing at all about it. But what I do know is that there’s a real jerk out there who’ll spam it, given a chance.

    Unlike other contact form plugins out there, Gravity Forms comes with built-in free integration with Akismet! But, like pretty much every other plugin out there, it does not integrate with my disallowed keys.

    I’m a big proponent of not reinventing the wheel, and I strongly feel that being able to block someone from comments and contact forms should be a done deal. I opted to mark people who do this as spam, instead of a rejection, so they will never know if I ever saw their email or not. This is a questionable use of the spam settings, but at the same time, it’s been a rough couple of years.

    The Process

    Since the disallowed_keys list contains emails and words, the first thing I wanted to do was strip out everything that wasn’t an email or an @-domain — that means foobar@example.com is a valid entry, and @spammers-r-us.com is a valid entry, but foobar on its own is not. I run through my disallowed list, add everything valid to an array in a new variable.

    Before I can pass through the email, though, I need to remove any periods from the username. You see, Gmail allows you to use foobar and foo.bar and fo.o.b.a.r all as the same valid username on your email. Yes, all those would go to the same person. To get around this, I remove all periods and make a clean username.

    Also I have to consider the reality of jerks, who do things like foobar+cheater@example.com — Gmail allows you to use the + sign to get clever and isolate emails, which I use myself to track what sign-up spams me. At the same time, I don’t want people to get around my blocks, so I have to strip everything following the plus-sign from the email.

    While I’m doing this, I’ll save the domain as its own variable, because that will allow me to check if @spammers-r-us.com is on my list or not.

    Once I’ve got it all sorted, I do an in-array: if either the exact (clean) email is in the array, or the exact @-domain is in the array, it’s spam and I reject.

    The Code

    add_filter( 'gform_entry_is_spam_1', 'my_spam_filter_gform_entry_is_spam_1', 10, 3 );
    
    function my_spam_filter_gform_entry_is_spam_1( $is_spam, $form, $entry ) {
    
    	// If this is already spam, we're gonna return and be done.
    	if ( $is_spam ) {
    		return $is_spam;
    	}
    
    	// Email is field 2. Lowercase it so the comparison below is case-insensitive.
    	$email = strtolower( trim( (string) rgar( $entry, '2' ) ) );
    
    	// No @ at all? Then there's nothing to compare; leave it to other checks.
    	if ( false === strpos( $email, '@' ) ) {
    		return false;
    	}
    
    	// Build a list of valid emails & domains from disallowed_keys
    	$disallowed_emails = array();
    	$disallowed_array  = explode( "\n", (string) get_option( 'disallowed_keys' ) );
    
    	// Make a list of spammer emails and domains.
    	foreach ( $disallowed_array as $spammer ) {
    		$spammer = strtolower( trim( $spammer ) ); // drop \r and stray spaces
    		if ( is_email( $spammer ) ) {
    			// This is an email address, so it's valid.
    			$disallowed_emails[] = $spammer;
    		} elseif ( strpos( $spammer, '@' ) !== false ) {
    			// This contains an @ so it's probably a whole domain.
    			$disallowed_emails[] = $spammer;
    		}
    	}
    
    	// Break apart email into parts
    	$emailparts = explode( '@', $email, 2 );
    	$username   = $emailparts[0];       // i.e. foobar
    	$domain     = '@' . $emailparts[1]; // i.e. @example.com
    
    	// Remove all periods (i.e. foo.bar > foobar )
    	$clean_username = str_replace( '.', '', $username );
    
    	// Remove everything AFTER a + sign (i.e. foobar+spamavoid > foobar )
    	$plus = strpos( $clean_username, '+' );
    	if ( false !== $plus ) {
    		$clean_username = substr( $clean_username, 0, $plus );
    	}
    
    	// rebuild email now that it's clean.
    	$clean_email = $clean_username . $domain;
    	
    	// If the email OR the domain is an exact match in the array, then we know this is a spammer.
    	if ( in_array( $clean_email, $disallowed_emails, true ) || in_array( $domain, $disallowed_emails, true ) ) {
    		return true;
    	}
    
    	// If we got all the way down here, we're not spam!
    	return false;
    }
    

    Of Note…

    Before you use this yourself, you will need to customize two things!

    1. gform_entry_is_spam_1 is actually the specific form I’m checking. Form ID 1. Customize that to match your form ID.
    2. $email = rgar( $entry, '2' ); — you may have noticed I put ‘Email is field 2’ as a note above it. That’s because email is the second field on form 1, so I hard grabbed it. If yours is different, change that.

    Also … I actually broke this out into two files, one that just checks “Is this a spammer?” and the Gravity Forms file, so the latter calls spammers.php and checks the email against the is_spammer() function. The reason I did that is because I need to run this same check on Jetpack’s contact form. Both call the same function to know if someone is evil.
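    Here is what that split can look like, as an added example rather than the post’s actual spammers.php: a standalone is_spammer() that takes the raw disallowed_keys text as an argument (so it runs on the CLI without WordPress loaded), plus the two thin hooks. It goes one step beyond the post’s version by cleaning the list entries the same way as the submitted address. The helper name normalize_email_for_block, the Jetpack hook jetpack_contact_form_is_spam with its comment_author_email key, and form ID 1 / field 2 are assumptions to verify against your own install.

```php
<?php
// spammers.php: the shared "is this a spammer?" check. Added example, not
// the blog's own file. It takes the raw disallowed_keys text as an argument
// so it can be exercised on the CLI without WordPress loaded.

// Canonicalise an address the way the post describes: lowercase, drop the
// dots in the user part, drop everything after '+'. Returns
// array( clean_email, '@domain' ), or false if there is no '@' at all.
function normalize_email_for_block( $email ) {
	$email = strtolower( trim( (string) $email ) );
	if ( false === strpos( $email, '@' ) ) {
		return false;
	}
	list( $user, $domain ) = explode( '@', $email, 2 );
	$user = str_replace( '.', '', $user );
	$plus = strpos( $user, '+' );
	if ( false !== $plus ) {
		$user = substr( $user, 0, $plus );
	}
	return array( $user . '@' . $domain, '@' . $domain );
}

// True when the address, after cleaning, matches an email entry or an
// "@domain" entry in the list. List entries are cleaned the same way, so a
// "foo.bar@example.com" entry also catches "foobar+x@example.com" (the post's
// version only cleans the submitted side). Plain words are ignored here.
function is_spammer( $email, $disallowed_text ) {
	$parts = normalize_email_for_block( $email );
	if ( false === $parts ) {
		return false; // not an address; leave it to other filters
	}
	list( $clean_email, $domain ) = $parts;

	foreach ( preg_split( '/\r\n|\r|\n/', (string) $disallowed_text ) as $entry ) {
		$entry = strtolower( trim( $entry ) );
		if ( '' === $entry ) {
			continue;
		}
		if ( 0 === strpos( $entry, '@' ) ) {
			if ( $entry === $domain ) {
				return true; // whole domain is blocked
			}
		} elseif ( false !== filter_var( $entry, FILTER_VALIDATE_EMAIL ) ) {
			$norm = normalize_email_for_block( $entry );
			if ( false !== $norm && $norm[0] === $clean_email ) {
				return true; // exact (cleaned) address is blocked
			}
		}
	}
	return false;
}

if ( function_exists( 'add_filter' ) ) {
	// Gravity Forms: form ID 1, email in field 2 (both assumptions; change to match).
	add_filter( 'gform_entry_is_spam_1', function ( $is_spam, $form, $entry ) {
		if ( $is_spam ) {
			return $is_spam;
		}
		return is_spammer( rgar( $entry, '2' ), get_option( 'disallowed_keys', '' ) );
	}, 10, 3 );

	// Jetpack contact form. Hook name and the comment_author_email key are from
	// memory of Jetpack's contact form module; confirm against your installed version.
	add_filter( 'jetpack_contact_form_is_spam', function ( $is_spam, $form_values ) {
		if ( $is_spam ) {
			return $is_spam;
		}
		$email = isset( $form_values['comment_author_email'] ) ? $form_values['comment_author_email'] : '';
		return is_spammer( $email, get_option( 'disallowed_keys', '' ) );
	}, 10, 2 );
} elseif ( PHP_SAPI === 'cli' ) {
	// Constructed sample list, so `php spammers.php` sanity-checks the helper.
	$sample_list = "spam\n@spammers-r-us.com\nFoo.Bar@example.com\r\n";
	$cases = array(
		'foobar+cheater@example.com' => true,  // dots/plus stripped, matches entry
		'anyone@spammers-r-us.com'   => true,  // whole domain blocked
		'friend@example.com'         => false, // same domain, different user
		'not-an-email'               => false, // no '@', not ours to judge
	);
	foreach ( $cases as $addr => $want ) {
		$got = is_spammer( $addr, $sample_list );
		echo str_pad( $addr, 30 ) . ( $got === $want ? 'ok' : 'MISMATCH' ) . "\n";
	}
}
```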

  • When It’s (Not?) Burnout

    When It’s (Not?) Burnout

    I took 2020 as a break from speaking at conferences, live for obvious reasons, and online for a couple different reasons. It took me until November to get my home office set up in a ‘non-embarrassing’ way so that I didn’t feel like I was showing everyone my mess when we video’d. Also I was exhausted and realized how close I was to burn out after the last four+ years of stress and travel.

    But there has been one other thing. I’d talked to a number of friends. I’ve broken down sobbing after a coworker mentioned what was going on. I’ve had long talks with therapists and experts in this sort of thing. The issue wasn’t my workload, it wasn’t even the work I was doing. But I absolutely was burnt out.

    … But it’s not for why you’re probably thinking. I’m dead ass burned from being harassed.

    Harassment

    The largest contributor to my burn-out is harassment that has been ongoing for over two years.

    A year ago I gave a talk in NYC about how to deal with being attacked online, and the tools you can use to protect yourself. What I didn’t mention in detail in that post was what has been going on since November 2018.

    Back then I was watching the Macy’s Parade (like I do every year), waiting for the oven to heat up, and cleaning out the emails for the plugin review team, when I got pinged by a forum mod. A plugin developer was being cruel to users, making weird threats and claims, and said volunteer wanted to know what to do, since that person had a flag on their account saying “If there are any guideline violations, report to plugins ASAP.” So I threw the turkey in the oven and pulled up the records.

    What I found was a series of minor issues, but all repeating. The developer was asked (twice) to change their plugin name to be less spammy (ex. “The world’s greatest slider plugin! Greater than anyone has known! Used by millions!”). There were also multiple emails reminding them not to ask to contact people off the forums.

    There was also a strange email from a couple months prior. A woman had emailed the plugins team about this developer, saying that after she left a bad review she was harassed by them on Facebook. At the time, we issued a final warning about behaviour (which is why the flag in the account existed). I had forgotten about it being related to this developer, as it was about their other plugin, but also we get a hundred emails a day, and I don’t memorize everyone’s drama.

    In looking at that, and the post the forum mod was worried about, I saw the parallels. This was very obviously repeat behaviour, and at the time I was pretty sure that the developer was account sharing (multiple people using the one dev account), which meant not only did they not understand the message about not being unkind, but they were not making sure everyone who worked for/with them did either, and they didn’t understand basic security (there’s no need to ‘share’ accounts on WordPress.org — you can make new ones and add them to your plugin as support reps after all).

    This meant I did what I hate doing. I closed their plugins, locked the accounts, and emailed them saying that they were banned for repeat abusive behavior. After all, they’d had multiple warnings.

    In retrospect, I should have seen this all coming.

    Megs of Logs

    At this point I’ve amassed megabytes of logs on this drama. I’ve written up a nearly 30 page document (with citations no less) of everything that’s happened before and since. I thought about listing everything they did ‘wrong’ here but honestly it doesn’t matter if I list out everything. That was all ‘normal’ poor behaviour by developers. People make mistakes, and many times they really just do not grasp how serious things are even when the email says “This is your last chance.” Which means I know I have to be the bad guy to tell people “Hey. This ends now.”

    Now, banning people, especially existing developers, is not a common thing! It’s not uncommon or rare, but it’s not like I do it every day. Around 4 people a year get banned following a final warning. Usually it’s only one person each year (though due to people being people, it may involve multiple accounts — we still consider that one). More often, people get insta-banned for trying to use the directory for malware. Once in a while someone will be banned without warning for lying about being previously banned, but usually we catch those pretty quickly these days. Even so, it’s not an every month thing, or even an every season occurrence! The majority of people get that final warning and stop and rethink their choices. That’s normal.

    What was abnormal is what happened after they were banned.

    Between November 21st and the 27th, the Plugins team received over 30 emails. The first few were replied to in kind, pointing out that they had their fair chance (and a couple extra) and they squandered it. At that point, emails were not replied to for 24 hours, when they were informed again as to their numerous violations, and asked to stop emailing or their actions would be treated as harassment.

    The emails did not stop. 21 more were sent following that caution.

    Yes that means over 50 emails in a 6 day span. Probably closer to 100, since we only tracked them by subject rather than by how many replies they got.

    On the 24th, they tried to bribe me by sending me money via PayPal (it was refunded and reported — and yes, this is why generally I don’t like when developers send me a donation, though I understand most are not trying this). The message asked me to ‘forgive’ them and rescind the ban. At that point I blocked their email on all my personal systems and went on my merry way.

    Instead, they thought “Well she blocked us on one email, let’s use a different one!” and found my old, only used for Google events, account. By the way, none of those personal emails were ever provided to them. It’s not hard to guess what my email on Gmail might be, though.

    On November 27th, a threat was made. They emailed saying they prayed to their god to “take away all your name, fame, respect, wealth everything” and more.

    And then it escalated…

    Yeah some of you are thinking “Wait, THEN it escalated?”

    • From November 24th to the end of the year, 77 separate email chains were sent, using 3 separate emails.
    • In 2019 there were over 600 separate email chains from 126 separate email addresses.
    • 2020? 34 separate email chains.
    • 2021? Only 3 email chains, but it’s only February.

    So yeah, 2019 was rough. My Dad died in the start, and this developer had the gall to say Dad’s death was my fault, as I was being punished by their (the developer’s) god. Yes, that really happened.

    I did a lot fewer talks in 2019 because I was coping with the world without my dad, and in 2020 …. well. We all took an in-person break, and I took a virtual one as well, because I was tired of prepping myself before talks.

    See, every time I would go to a WordCamp, I had to prepare myself. What will I do if they show up? They had made, after all, ‘threats’ to come to California, and they’d already sent physical items to my office. So how would I handle it? The odds of them getting to the United States, given our then administration, seemed unlikely, but what if… What if?

    I rehearsed, I practiced not being alone, I made sure at least one trusted person knew why I was nervous. My wife and I talked about strategies. But online? What if he saw something on my backdrop that let him figure out my home? What if he tracked me? What if he did something to put my family in danger? It was all too much to bear, so I simply didn’t.

    Somewhat related, my office knew and went way above and beyond what I had any reason to expect to make sure I felt safe there. I love those people.

    So … where are we now?

    The developer still emails, on average twice a month now. We’ve sent a cease & desist (which was repudiated) and I’ve spent a lot of time literally ignoring everything that comes in. I do have a list of all the various claims made, and all the email subjects. I stopped tracking the content of the emails in mid 2019 because they were so outlandish that I couldn’t even anymore. I mean, does anyone think Alexandria Ocasio-Cortez cares that someone in another country is angry they got banned from a website?

    Effectively? I am still being cyberstalked and harassed. And my god, it’s draining.

    I sat here, thinking “Is this even a good idea? It’s just going to make them be bigger annoyances.”

    After how disastrous 2020 has been? I think it’s right to step up and say “Hey, so this shitshow happens, and people are out there who are going to make it their mission to make you miserable. You’re not alone.”

    This is me, walking back into the fire because I’m refusing to let it make me smaller.

    What I want?

    It’s super simple. I want it to stop. I want them to accept that they’ve burnt every single bridge a human can burn, short of physically attacking me, and now, even if anyone accepted their apology, we cannot unban.

    There’s no way to know they won’t start this up again, or use this as the freedom to be a bigger harm to the community. There’s no way to walk back from this level of harassment. And if that means I have to shoulder this to protect everyone else? Well. I’ll do it, but I’ll do it my way, which means I post this. I share to the world “This is a thing.”

    And this sucks. I hate telling someone “Buddy, it’s over. You’re done.” But they are. Even if I overstepped or over-reacted, 700 emails, physical packages, cards, threats, accusations of killing people, etc … how do you go back and say “Oops, I was wrong” and expect everything to be okay.

    It’s not, because it can’t be. Things don’t just go away and get better because you said you were sorry. I do believe they’re sorry, but I think they’re sorry because they got caught and punished. They aren’t sorry they did harm (if they were, they’d have stopped). Right now, they’re at the point where their argument is “We will stop hurting you when you do exactly what we want.”

    And that, I simply cannot do. Not just because I’m standing to protect the rest of the WordPress.org users, but for the principle of the thing.

    What I want? I want them to stop trying to contact me in any way, shape, or form. I want them to accept the (painful) fact that they made a massive mistake and acted in a harmful manner. I want them to be grown ups and walk away.

    Sadly, this appears to be something they cannot do.

    It’s totally Burnout

    This absolutely is burnout.

    I’m socially burned out in a lot of ways. While I had some phenomenal support from WordPress, from my work, from my friends, from professionals, it was exhausting to have to deal with this. Legally? There isn’t much I can really do. The persons involved don’t live in the US, so our laws are not in play here. International harassment laws don’t really exist. There’s nothing the police can do to stop it unless they show up in the US (which is highly unlikely).

    At best, I can file complaints (which I have) and block their contacts (ditto). I can also be proactive, look them up, find out everything that’s them, and block them before they contact me (did that). I’ve done a lot more than I list here, by the way. I don’t want to tip my hand.

    People have done everything I could possibly expect from them, and more, but … it’s still going on.

    And yes, this is part of why Plugin Team emails went anonymous.

    It’s absolutely, 100%, burnout.

    And about speaking at events?

    I don’t know.

    The last two years I just needed a break from all that to process how I felt about the situation. I knew I was tired, but that isn’t really how I feel emotionally. The last year was so hard for everyone, so brutal for us all, that having it sit on top of the pain of loss meant I never really got the chance to process. I don’t feel like it’s been two years since Dad died, I feel like it was yesterday.

    What I feel is anger and annoyance and a lot of ‘damn it to hell.’ And I am filled with defiance.

    Now that there’s a little less stress in my life (and most of ours), and with the hope that people in charge will be held accountable for their seditious actions, I feel like I’m freer to say that this happens. This happened. This is happening.

    Soon, hopefully, I’ll feel like I can safely do interviews and talks again.

    Why did I post this on my Tech blog?

    The world is angry right now. Everyone’s at their limit for coping, and for most we’re well beyond what our brains can wrap around. Half a million dead in the United States alone? It’s nearly unimaginable. And I think we’re letting our anger get the best of us.

    I posted on HalfElf and not my personal me-blog because in tech, we can easily forget there are other people on the screen. I knew, when I banned this person, that I was harming a human. I felt I had run out of other options to get them to understand that they were doing harm to the world in general, and I didn’t want anyone else to get hurt. This is not an excuse, though. I hurt someone. I hate that I did it. I hate that I have to. But there’s literally no way to stop someone from hurting others without hurting them in some way. At least not that I’ve found.

    But if I banned someone from a physical location, I could get the cops to do something (in theory, I know). I could get legal help. I could have security escort them from my location and be within my rights.

    Online?

    We don’t build our tools to handle harassment. We just don’t.

    If someone harasses you on Twitter, or Facebook, the ‘solution’ is to turn your account private, because these people will just make more and more accounts. We can’t block by IP, because they can use VPNs. We could ban all VPNs, but that has a negative impact (just for an example, I can’t edit Wikipedia when I’m at my office because we have a firewall and VPN).

    Looking at WordPress, how would you stop someone from harassing you? You make use of banned terms and plugins, but did you know most contact form plugins don’t have block tools? Logically it’s so if someone’s accidentally blocked from commenting, they can get a hold of you. But most don’t even have this as an option.

    So I post this here to put a human face on the damage being caused by our own negligence, and to make us more aware of the monster we’ve created.

    When you write new code, think about how it can be abused. Think about disrupting harassment. Think about allowing people to protect themselves. And, above all, if someone tells you this is going on? Believe them. I was lucky. Everyone believed me. Most people are not.

  • Email Verification and Unsubscribing

    Email Verification and Unsubscribing

    If you follow me on Twitter (no you probably don’t want to), you know I’ve been dealing with the messy technical side of death for around 2 years now. My father died, unexpectedly, and I picked up his digital life and dropped it on my laptop in order to untangle things. While my father had shared his login information with me before, I did run into a number of technical issues like needing the phone for an SMS confirmation when I logged in from a new location.

    Now all that said… Here’s the technical problem a LOT of companies created for themselves.

    1. They don’t require you to verify an email before sending you advertisements
    2. Those emails do not have unsubscribe links

    Yeah, those two things are killing me, smalls.

    Why not delete the account?

    Someone’s thinking this…

    Because the last time someone emailed it, legit looking for my Dad to tell him something funny/relatable/personal, was December 2020.

    Dad was in his 70s. He had a lot of sporadic friends over that time, and sometimes they would randomly think about him and reach out. Many were long-standing friends, some I knew and hadn’t seen since I was in elementary school. He lived in a lot of places. Those people needed to be told he was dead.

    Maybe one day I’ll delete his account and his website, but it won’t be any time soon.

    How to Fix This

    The good news here is all this is fixable if people start caring about data properly.

    See the problem here stems from companies wanting your data. They want it so much that they use any excuse to grab it and never let go. But this is wrong both legally and morally.

    It’s not their data. It is YOUR data, and you should have a right to it. Per the GDPR, UK’s Right of Removal, and even California’s new laws, my data belongs to me, and I have a right (in most cases) to get it off their system. In the case of my dead father? That data is as useful for you as wings on a mongoose. But as his estate’s legal representative, I legally own Dad’s data, which means I should have control.

    Check The Email First

    Anyone who’s signed up for anything online lately knows that you have to opt-in to getting ads. That’s just how the world works now. But you also have to confirm your email before you can use your account fully.

    At the outset, that sounds great, right? It forces people to confirm! The reality though is that by letting people make an account, with or without verification of the email, those companies add the email to their mailing lists. That means that when some moron uses my father’s email to ‘test’ (or because they’re some idiot in the midwest who regularly thinks it’s his email even though Dad made it in the 1990s and has used it since then, seriously buddy, stop it), I get the email. And when they correct the email in the account, they retain access and I keep getting emails that I cannot unsubscribe from.

    We’ll get to the lack of links in a minute.

    The obvious thought process here is “People wouldn’t put in the wrong email!” but the reality? They do. They totally do. There’s a guy who bought a Ford, has a credit line, and a loan from a bank, and I know a whole lot about all this because he is a total idiot who keeps using the email that was my father’s. Seriously. It’s never been his email. The first owner of the domain was Dad. The second is me. The email he used has been in use, by my father, since March 2, 1995. Not joking.

    Now, if you keep along with the (incorrect) thought train, you’d think “Once someone enters their email, I can add it to my mailing lists as I have their consent.” And again, sure. IF the email is actually theirs. And what’s happening is all these sites add in your email to their lists before they confirm (if they confirm at all) that it’s really your email. This means my poor Dad’s email is not just added to an account, it’s added to all their lists as well.

    Let Us Unsubscribe

    The other (related) issue is there’s no unsubscribe link.

    Look, I get it. There are emails that are not unsubscribable for as long as you have an active account. There are legal reasons why you have to be mailed some things. However all those emails must have a way you can actually close/remove your account. A link would be great, but even an explanation “Hey, we cannot unsubscribe you unless you close your account, here’s how to do that.” would be better than the message from a certain ISP, which told me I had to log in to the account… but was unable to provide me with the login info.

    In the case of two separate companies, if you do have to legally send out emails to people because they have an active account, you should be including some information like ‘Your account name is X’ or even ‘Your account number is X’ so that we can have a place to start. Instead, I have a bunch of emails that all say they can’t unsubscribe me while I have an active account, please log in …

    And what do you think happens when I go to log in? Of course ‘There is no account with this email…’

    Which brings me to…

    Let Us Recover Accounts

    It needs to be ‘easier’ to recover an account. Especially if someone’s dead.

    Now, I’m not talking about Facebook’s idiocy on locking people out and requiring them to have someone else verify them, only to send another email that bounces and you can never log in. Although that was certainly fun to do with my Dad’s stuff.

    Take a hard look around. People are dying by the thousands per day, and those are not ‘expected’ deaths by any means. This means the number of humans who were unprepared and unorganized are stuck trying to find things like account numbers, and have no clue where to start. If we’re lucky, we can get into their email and change the passwords so we can keep it but…

    This is not actually very easy! The only reason I had Dad’s email was because I was his email admin. If I wasn’t, I’d have to have logged in while I was still in Japan, from his laptop, and then hoped beyond reason that I was able to change the passwords without knowing the current one.

    Think about that for a second. My father lived in Japan, had a Japanese number. He’s dead, the phone number was closed, and I can’t get it back as I’m not a Japanese resident. Which means the methods to recover are … email. But that isn’t enough for some companies.

    My ‘favourite’ is someone telling me that there was no way to know what account used my Dad’s email. Yeah, they had no way to connect an email to any account, and required me to provide a local phone number to call me about it. I blocked their emails because I literally have no other solution. They can’t tell me what email uses the address I own, and they can’t help me except by a local-to-them phone call.

    Summary? Let People Own Their Data

    Okay, here’s your summary:

    1. Require email confirmation in all cases where an account is being made. No verification? No account.
    2. Allow people to correct the emails if they can’t verify. If someone put in stevejobs@appl.com and forgot that E, they should be able to fix this.
    3. Allow people to unsubscribe from all emails with an easy to find method. A link, some explanations, whatever. Make it obvious.
    4. If people cannot legally unsubscribe while having an account, then you need to make it possible to cancel accounts when a user DOES NOT KNOW the account name. If you’ve verified emails, yo, magic. “I forgot my account name…” — And again, this needs to be easy to find information.
    5. If someone sends you a damn death certificate, you should honour it.

    This is not going to fix everything, but it would certainly make us hate a couple companies a lot less.
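    The flow the summary asks for, as an added example that is not the post’s own code: a sign-up that parks the address as pending, subscribes it only when a signed confirmation token comes back from that inbox, and an unsubscribe link that works with no account name or login. The class name MailingList, the URL example.com/unsubscribe, the secret and the addresses are constructed assumptions; storage is an in-memory array standing in for a database.

```php
<?php
// Added example, not from the post: a sign-up flow where an address reaches
// a mailing list only after the inbox owner confirms it, and every mail
// carries an unsubscribe link that works with no login. Storage is an
// in-memory array standing in for a database; the secret, the domain
// example.com and the addresses are constructed sample values.
final class MailingList {
	private $secret;
	private $ttl;
	private $pending    = array(); // email => confirm-token expiry
	private $subscribed = array(); // email => true

	public function __construct( $secret, $ttl_seconds = 86400 ) {
		$this->secret = $secret;
		$this->ttl    = $ttl_seconds;
	}

	// Token = purpose.hex(email).expiry.HMAC, so it names what it is for,
	// expires, and cannot be forged or altered without the secret.
	private function token( $email, $purpose, $exp ) {
		$body = $purpose . '.' . bin2hex( $email ) . '.' . $exp;
		return $body . '.' . hash_hmac( 'sha256', $body, $this->secret );
	}

	// Returns the email inside a valid, unexpired token for $purpose, else null.
	private function parse( $token, $purpose ) {
		$p = explode( '.', (string) $token );
		if ( 4 !== count( $p ) || $p[0] !== $purpose || ! ctype_xdigit( $p[1] ) || ! ctype_digit( $p[2] ) ) {
			return null;
		}
		$expected = hash_hmac( 'sha256', $p[0] . '.' . $p[1] . '.' . $p[2], $this->secret );
		if ( ! hash_equals( $expected, $p[3] ) || (int) $p[2] < time() ) {
			return null; // bad signature or expired
		}
		return hex2bin( $p[1] );
	}

	// Step 1: sign-up parks the address as pending. It is on no list yet, so a
	// stranger typing someone else's address triggers one confirmation mail and
	// nothing more.
	public function signup( $email ) {
		$email = strtolower( trim( $email ) );
		if ( false === filter_var( $email, FILTER_VALIDATE_EMAIL ) ) {
			return null;
		}
		$exp                     = time() + $this->ttl;
		$this->pending[ $email ] = $exp;
		return $this->token( $email, 'confirm', $exp ); // put this in the confirm link
	}

	// Step 2: only the person who can read the inbox has this token.
	public function confirm( $token ) {
		$email = $this->parse( $token, 'confirm' );
		if ( null === $email || ! isset( $this->pending[ $email ] ) ) {
			return false;
		}
		unset( $this->pending[ $email ] );
		$this->subscribed[ $email ] = true;
		return true;
	}

	// Goes in the footer of every mail; needs no account name or password.
	public function unsubscribe_link( $email ) {
		return 'https://example.com/unsubscribe?t=' . $this->token( $email, 'unsub', time() + 30 * 86400 );
	}

	public function unsubscribe( $token ) {
		$email = $this->parse( $token, 'unsub' );
		if ( null === $email ) {
			return false;
		}
		unset( $this->subscribed[ $email ], $this->pending[ $email ] );
		return true;
	}

	public function is_subscribed( $email ) {
		return isset( $this->subscribed[ strtolower( trim( $email ) ) ] );
	}
}

// Walk-through with constructed values.
$list = new MailingList( 'sample-secret-rotate-in-production' );
$t    = $list->signup( 'dad@example.com' ); // someone typed this address into a form
echo 'after signup:  ' . ( $list->is_subscribed( 'dad@example.com' ) ? 'SUBSCRIBED (wrong)' : 'pending only' ) . "\n";
$list->confirm( $t ); // only the inbox owner can click this link
echo 'after confirm: ' . ( $list->is_subscribed( 'dad@example.com' ) ? 'subscribed' : 'not subscribed (wrong)' ) . "\n";
$link = $list->unsubscribe_link( 'dad@example.com' );
$list->unsubscribe( substr( $link, strpos( $link, '?t=' ) + 3 ) ); // one click, no login
echo 'after unsub:   ' . ( $list->is_subscribed( 'dad@example.com' ) ? 'SUBSCRIBED (wrong)' : 'gone' ) . "\n";
```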