Half-Elf on Tech

Thoughts From a Professional Lesbian

Author: Ipstenu (Mika Epstein)

  • Your Username is Not A Secret

    Your Username is Not A Secret

    I keep seeing this pop up. “Your CMS is not secure because it makes your username/id public! Once a hacker has that, they can try to break in!” At one point I snapped “Sure, and your house isn’t secure because someone knows your address.”

    Secret FilesIt’s one of those logical fallacies that seems vaguely accurate on the surface, but really are just plain wrong. On some level, you’d think that if a hacker doesn’t know your ID, they can’t get in, but the reality is most hackers, the surface level idiots who are trying to break into any site available aren’t checking for your user ID/Name, they’re looking specifically for a vulnerability, like they did with the TimThumb accidental (D)DoS.

    In addition, they’re not usually looking for your ID when trying that brute force login attack. The practical difference between someone trying to log in with “admin” and someone trying to log in with “ipstenu” is pretty negligible, since they’re killing my server before they get in anyway.

    As I wrote this, I thought what it would be like if there was a mod_security rule that checks if you’re trying to log into a site with the username ‘admin’ and, if so, blocks you from being able to log in. Of course, there are millions of sites with millions of CMS tools, and for some you actually cannot change the admin account name away from admin.

    WordPress is not alone in thinking your username isn’t a secret. Drupal also thinks disclosure of usernames/id is not a security risk. In fact, Google doesn’t think your ID is a secret. After all, you can log in to Google’s devices with your email, and everyone whom you’ve ever emailed kinda knows that. “Oh, you emailed me from ipstenu@gmail.com? I’ll attack that!”

    Now of course, if you try to log in with that too many times, you lock your IP out. And similarly, if you try to log in to my server via SSH too many times, the same thing happens. Have I ever locked myself out? You bet. Less since I switched to 1Password and SSH keys, but it still is very effective.

    Why isn’t this built into the core of most CMSs? Because a CMS like Drupal and WordPress is not as volatile as, say, the healthcare.gov site. The danger that comes from someone getting into my blog is minimal compared to someone getting into my email. But again, everyone knows my email account, so they’ve always got one half to the puzzle right then and there.

    Top Secret FilesOne of the other primary reasons this isn’t built in to WordPress is that it’s hard to do right, and in a way that will work on all servers, and in a way that will be easy for someone to undo. I said I locked myself out a couple times, right? I can unlock myself with a device on another IP, or I can call up my webhost and tell them my IP and can they please unlock me. Now flip that to your blog. How do you handle it? Who do you call? Do you make this a ‘solvable by the host only’ problem? Can you envision your host being happy about handling that?

    Not that I’m passing the buck here. There are plugins and extensions that do this, but they’re still best used by people who already understand security than by the common man, because the people who know what to do when they have to edit a .htaccess are the ones who probably already know how to pick a secure password, or install two-factor authentication already.

    All this comes back to something blindingly obvious though. Everyone is going to know part of your access. The reason we tell people not to use ‘admin’ as a login ID is not because it’s more or less secure, but because it makes it easy for script kiddies to target. Remember, most of the time when you’re being attacked it’s nothing you did personally, it’s just a script running. When it’s someone who has an absolute vendetta against you, your userID is the least of your concerns.

    The crux of the matter here is that your username is not a point of authentication, it’s a point of identification. Giving you an identification (I am Ipstenu) is not the same as giving you data that can be used to authentication (my mother’s maiden name is Jones; I was born in Battlesboro, VT; My favorite superhero is the Flash). There’s a reason we call them ‘Secret Questions’ as they’re both identification and authentication. Only I would know these things. And no, that’s not true, which is why secret questions are pretty useless. The more obscure they are (my first maths teacher) the less likely I am to remember them correctly. “His name was Smith… Now did I put in Dr. Smith, Mr. Smith, or Smith? Oh wait, how did he spell Smith? Smythe? Smyth? I know people with all those spellings! Which was he?”

    So no. Your user ID is not a secret, nor should it be. I spend no time hiding it.

  • Welcome the Warehouse

    Welcome the Warehouse

    It’s January and my ebooks are now located at http://store.halfelf.org/ and managed by Easy Digital Download. The WordPress Multisite books have been seriously updated for WP 3.8, with new screenshots, new plugin recommendations, and some simpler layouts. If you downloaded them before, you may want new copies now (and there’s a new one on plugin support!). But let’s go back to EDD.

    It was really that easy

    About three years ago, I thought about selling my ebooks on a dedicated site (ebooks.ipstenu.org) but it never worked right, and I didn’t like it. Then I tried just tracking the downloads with a plugin, but that was more work and I was getting a little twitchy and obsessive about the metrics. So for most of 2013, the downloads weren’t tracked at all on this site. But when I was redesigning my site, I knew that I really wanted to try this plugin my friend Pippin wrote: Easy Digital Downloads

    I want to note that I had decided to play with the plugin before I read Chris Lema’s post on Easy eCommerce & Membership Sites using WordPress. Which doesn’t have anything to do with anything except that he’s right, it’s easy, and anyone can do this. And as Chris pointed out, the tools can make it fast and easy for me. A couple years ago, I’d tried to make an online store for my wife and ended up telling her “This is too complicated, I can’t do it. Let’s use Etsy.” But that was physical products and this is digital, and we’re in California now which has a different law about selling digital items that is so clear, I understand it at first glance.

    Publication 109, Internet Sales

    Your sale of electronic data products such as software, data, digital books (eBooks), mobile applications, and digital images is generally not taxable when you transmit the data to your customer over the Internet or by modem. However, if as part of the sale you provide your customer with a printed copy of the electronically transferred information or a backup data copy on a physical storage medium such as a CD-ROM, your entire sale is usually taxable.

    That is so much clearer than anything iBooks or KDP ever said, it’s hilarious. Since my stuff is all 100% digital and I live in California, there will not be taxes, which means I can sell things off my site, not have them be ‘donate if you want.’ Don’t panic, now they really are “Pay if you want.”

    About the Warehouse and Pricing

    If you’ve checked it out, you may notice the default price is no longer zero but $7.98 cents. As I started working on this, I really did get all the way through with a zero option before I realized … that was dumb.

    Icon of a BookI had a couple logical reasons for pricing at zero when I started out with this two years ago. First of all, I was entering unknown territory without any information. Secondly, I wanted to get my name out there. Third, I didn’t want a hassle. I still agree with Cory Doctorow about how DRM is evil, and the problem with only selling books is that people don’t really know if they like your writing, or if the book is worth it. Mind you, everyone could read my blog and sort that out for themselves, but I understand there’s a weird leap about paying even $0.99 for something you don’t know about.

    But let’s think about what this means. With a normal book, you buy it, you own it, and if you hate it you can bring it back for a refund. With eBooks on the Kindle or iBookstore, you ask for a refund, they take the book back. Since I’m DRM free, I don’t have any way to revoke the book if you want a refund. Yes, that means if you demand a refund on the Kindle you keep the book and I get bupkis. (Two people in the history of ever have asked for a refund – both accidentally clicked ‘Buy Now’ twice.)

    What am I getting from people not paying for the books? A whole lot of reading, that’s what. 3% of people who got 70 pages of Multisite knowhow paid ‘something’ for the book. And I’m not ungrateful to them. Getting that book out was really part of the whole process that landed me my job, speaking at WordCamps (which I surprisingly enjoy), and I’m incredibly happy with my life. But still, nothing from nothing, carry the nothing, does leave a person feeling a bit grumpy cat.

    So would I incur the wrath of the Internet by saying that, as of 2014, you have to pay for the ebook? I think I would have. Especially since I said I would never force people to pay (even tweeted that whilst working on the site). With that in mind, I decided to do this differently and have it default to pay, but also super easy to not pay. My wife called it the “RTFM Tax” because if you read the site, you’ll see the code, and pay nothing.

    Photo of a gateway into Mumbai, India

    On the sidebar is a notice about discounts for either 100% or 50% off. There’s also a ‘secret’ code of PIGS which drops the price of one ebook to $0.99, which is the cost of Angry Birds. I thought it would be funny.

    How did I come up with the price of $7.98? Amazon helped me here. Initially I mathed the average donation to $8, and I adjusted my price on the KDP a couple times before I sussed out that people actually like non-even numbers like $7.98 so I did that and then publicized the discounts. No matter what you pay, you get to download the epub and the pdf. The ebooks are all DRM free. You’re still permitted, no, encouraged to duplicate and give ’em away.

    Think of it like a GPL plugin you bought. Yes, you pay for the code, but once you bought it, it’s yours to use, burn, give away, or expand on. The one thing you can’t do is resell it as if it was yours. Which I hope you think is fair.

    Let’s have fun with ebooks in 2014! After all, my next ebook is about … ebooks.

  • Your Website is Work

    Your Website is Work

    I spend a lot of time teaching people, and also giving directions (which I seem to have to send out repeatedly) only to be faced with a remark that doing all these things to manage a website is hard and time consuming and complicated and painful. It takes a lot of effort for me not to reply like this:

    Life IS pain, highness. Anyone who tells you differently is selling something

    Of course it’s hard. Malcom Gladwell, in his book “Outliers: The Story of Success,” posits that it takes 10,000 hours of work to become an expert at something. Anything. Now, believe that or not (and yes, some people are naturally gifted so maybe they can do these things faster or achieve an even better expert level than you), the fact remains that we all had to learn skills.

    What’s interesting is this is nothing new. We know this. We’ve known it for years that we have to put in the sweat equity. But people look at a website as being “easier” and think it’s really all a ‘set it and forget it.’ But it’s not. It’s never been that way. Making a website and walking away is dangerous not because you might get hacked (which you might), but because people will walk away when there’s nothing new.

    At WordCamp Chicago, I talked about this. There’s a difference between how someone like Ron Popeil sells things and how Julia Child did. No one can argue she wasn’t successful, but she, like Chris Lema sell you on yourself, rather than ‘You need this one thing to be a success.’ If I stick to my food analogy, Emeril sells things but Alton Brown sells you skills.

    This just comes back to the basic understanding of needing skills, some skills, to keep your website up and running. We’re not all going to be hard core coders, nor should we be, but we do need a modicum of technical savvy to use the tools. Our technology gets more complicated, and while I know WordPress is concerned with that, even plain HTML is complicated to figure out that first time. The bar is there, and you have to master jumping it, or even peeking over it, to get through your day.

    A website is work. The health of your website is directly proportional to the work you put in, and as we all know…

    If you haven't got your health, you haven't got anything.
    “If you haven’t got your health, you haven’t got anything.”

    I would like to propose we all, for 2014, be shamelessly honest (to steal a phrase from my company). Be upfront, direct, and truthful. When people say “Is WordPress easy?” we say “It can be, but remember, no matter how easy a tool is, your website is still going to be work.” I would like us to stop selling our tools because they’re so easy a caveman can do it, and start selling truth about how it’s being used. “Everything gets easier the more you use it.” and “The more familiar you get with this, the easier everything becomes.”

    You keep using that word. I do not think it means what you think it means.This is not to say that our tools can’t be easy and shouldn’t be easier, but we have to face the facts that no matter how easy we make WordPress, or Drupal, or any tool, our presence on the Internet will remain work. And work means that sometimes you’re going to have to learn new, harder-for-you, skills to keep up with everything, or spend money to hire someone to do things.

    No one can tell you how easy something will be for you, and I think we need to stop telling people “Don’t worry, it’ll be easy.” When I tell someone they can fix a hacked site, I tell them they can without losing their content, and while it can be overwhelming and scary, if they can copy files between folders, they can do this. By being honest about the work that goes into your website, the more prepared they will be for the inevitable moments of pain and difficulty, and the easier it will be for them to solve those problems.

  • Ministry of Silly Plugins

    Ministry of Silly Plugins

    It’s been too serious lately, and this is the last (planned) post for the year, so what are your favorite, totally useless, plugins?

    I wrote one. Rickroll – Changes ever video to RickRoll. It’s useless, pointless, and funny. I don’t actually know anyone who uses it.

    Ministry_of_Silly_WalksFor IE6 users, there’s Graceless Degradation which just punishes IE6 users with Comic Sans. Speaking of, there’s also Comic Sans which does it for everyone and Comic Sans FTW which is when you need it on your admin dashboard.

    Not enough color? Suzette likes Nyan Cat. Just a great big NYAN on the screen. Otto wrote Unicornify which makes your gravatars Unicorns (and would Gravatar please buy/absorb them and make them real? Please? More gravatar options needed!). Similarly he wrote Rainbowify, for the gaudiest toolbar ever.

    Need more snark? My snarky friend Andrew likes Get Snarky – one of the goofiest “Hello Dolly” replacements out there.

    Want to live dangerously? Logout Roulette will randomly log you out! One chance in ten is way better than traditional Russian Roulette of course.

    Finally, how about a good old fart joke? Farticles farts while you scroll.

    Small image of silly walks from Monty PythonSomeone might ask “What is the point of these plugins?” To them I say “The same as for Hello Dolly.”

    The point of a plugin isn’t always to do awesome things and make your site have every feature it needs. It’s also to demonstrate the exponential extendability of WordPress. To show you the myriad ways you can take a site and make it wonderful. If learning by being silly is what it takes, then by all means, make a silly plugin! A silly plugin, much like the intentionally evil plugins I like to make, serve the same sort of purpose. Teaching people how to do things in a better way.

    A silly plugin is way less terrifying than an evil one, though I tried to keep my evil down to a low level of annoying rather than truly evil. You can take the bones of either kind of plugin and legitimately do things that really are not in anyone’s best interests, but you can also take them to see how everything is put together in WordPress.

    How have you learned from weird, silly, code?

  • No Contact Information

    No Contact Information

    Semi related to the theme shakeup is my new business card. My old ones had my name and my email, but they were kind of cute and made in a rush before WordCamp San Francisco 2012, where I was pushing to get a new job and needed them.

    One of my personal rules about a business card is that the back should be writable. I always like to write on the back where I met someone. Like I have a card from Laura Legendary, and on the back it has a scribble of “WCLV’13 – accessibility – REDO SLIDES!” which tells me where I met her, what we talked about, and what a big take away was. My extant cards had a sketch (by me, not the awesome one by Ben Dunkle that I will treasure forever) and some basic information with my personal URL and my techy one. Oh and my email. Which resulted in a lot more email than I wanted at my personal account.

    Bad call on my part. Then I read Bob’s post OMG! I Can’t Find Your Email on Your Business Card. He talks about how the times are changing and how if someone wanted to find him, they would Google “BobWP” and find him! So really all they need is his URL. This is true, and when I revisited what I wanted on a card, I thought “My name, my silly titles, a URL, and a ‘not available for contract work’ note.”

    That last one was really important, since I’m just … not. I don’t like doing it, I don’t need to do it, and I won’t do it for most people. Now I know there are about five people going “But Mika, you do my website stuff!” Hey, there are exceptions. And the small group of people I do ‘consultant work’ for are part of why I don’t do more. I can’t and maintain my hobbies. Since I don’t need do, I don’t do it. But sometimes I do little tradsies. Like I did one for a friend recently who had a plugin break and she was lost. I knew what was wrong, walked her through fixing it, and she replied with an email a week later with the following design that just came to her:

    My new business card - name, URL, titles

    The photo (which is also the background on the new design) is one I took this summer outside my gym of a palm tree. She said it was cheerful and welcoming and established me as being in a warm place. She lives in upstate NY where she already has feet of snow this year, so it may be related. Now unlike Bob, I do put my name there, and on the back are two icons (Twitter and WordPress) above a simple word “ipstenu” but nothing more (leaving massive amounts of white space for notes).

    The one thing I left out was what I do. I mean, yes, I say “Half-Elf Support Rogue” and “DreamHost WordPress Guru” which should explain something, but the goal isn’t really to get more business, but to have a reply to those people who say “Have a card?” Maybe they’ll look at my site and buy an ebook, or whatever. But hey, now they know what’s up.

  • A New Utility

    A New Utility

    I’m more like Brian Gardner than I care to admit.

    I’m often dissatisfied by the feel of a site, my own included, and for a long time I’ve been ‘not quite right’ with the theme here on Half Elf. Oh, sure, it works, and I love the open whitespace, but … I wanted something else. Since I spend a lot of time looking at other sites, and especially Genesis Theme Devs, I had a vague idea of what I wanted. Even if I have no plans to change my site (and frankly I never plan this stuff) I want to be able to help people when they say “I want a theme that does this!”

    My checklist:

    • Less cartoony
    • Font Icons
    • Easy to configure front page sections

    Begin the hunt!

    This was a close race. I’ve been looking at the themes from Web Savvy Marketing for a while, and I was this close to taking one of those and editing it, when I thought “I don’t want a slider.” I will note that if the only thing bad I can say about a theme is that it has a slider, then that theme is doing something right. While I have an idea about that hunter theme or maybe Colin, none of them were quite right. They were all so close it hurt.

    My initial mockup design of my siteThen I stepped back and looked at my list again. Font Icons was easy, since I wrote Genericon’d after all, and everyone else had these photo backgrounds and neatly blocked sections that resized, and while I had something close, I kept screwing it up when I went to edit it. Maybe what I needed was something that stopped me from doing that?

    I doodled out a sketch of what I wanted: Title, menu, welcome box, Call to Action section, list of posts. That’s pretty much what it looked like from the top down, so I needed to find a simple, direct, theme that did all that and let me jiggle the CSS if I wanted to.

    Enter Carrie

    There’s this awesome person I know, Carrie Dils. She fell into my web of friends when she had a horrible experience at a meetup a year ago, and was told she wasn’t welcome to speak because she was someone’s competition. When that post hit my feed, retweeted by a friend I knew and trusted, I remember spinning my righteous anger into full gear and asking this (then) total stranger for information so I could pass it on to the Official WordPress Meetup Peoples.

    Before I did that, though, I read her posts (just to make sure she wasn’t on the wrong of this argument, hey, it happens) and found a delightful, intelligent, witty, and skilled theme dev. Themes! My Kryptonite! Carrie (perhaps accidentally) leveraged her situation into talking about collaboration at WordCamp San Francisco in 2013, and by that time she had ended up on my list of awesome people I want to hear from regularly about things.

    So I thought I’d pop over to her site and see what she’d done with Modern Portfolio (oddly the same theme I was using here at the time). I liked what she did, but it wasn’t quite right for me. I wasn’t enjoying the three column latest posts, since mine kept goofing the alignment with different length post titles and excerpts. But what should my wandering eyes appear? A link to her theme: Utility.

    It does what it says

    Photo of a palm tree near my gym Seriously it does exactly what it says. I picked a photo I took of a palm tree outside my office/gym earlier this year (which a friend was putting on cards for me for something else) and gave the green color a little kick. With built in button CSS classes, I was able to ditch my own and while I do have some of my own custom CSS going on, it’s because I have a couple plugins that need some extra love.

    In the end, it worked how I wanted to, and fast. Normally when I change my sites, I get to a point where I say ‘Eeeeh, close enough.’ With this one, though, I spent about two hours (while working, so really maybe an hour) moving widgets around, replacing a couple plugins, and then I said “Oh. That feels right!”

    This was, I feel, a choice that was well worth the work.