Half-Elf on Tech

Thoughts From a Professional Lesbian

Author: Ipstenu (Mika Epstein)

  • Understanding Zero-Day

    Understanding Zero-Day

    If you run a website or work with computers much at all, you’ve heard the term ‘Zero-Day Exploit’ and you probably had no idea what that meant.

    At its heart, a “zero day” attack or exploit is one that happens before any of the developers are aware of it. It’s pretty straightforward, in that the attacks take place in that window of opportunity between code release and code patch. Logically, you’d think that all exploits are ‘zero day’ because a programmer would never release a product with known vulnerabilities. Right?

    Wrong.

    We already accept the fact that human beings are not perfect and thus, by extension, neither is our code. We cannot make every product work on every setup, otherwise there wouldn’t be browser and OS wars. Keeping that in mind, we have to accept the fact that there will always be security holes in code. And sometimes we developers are well aware of them, but consider them acceptable risks. This means that when a vulnerability is plastered as a zero day, the question becomes ‘By whose calendar is this a zero day exploit?’

    If you found a zero-day flaw in a product, the ethical thing to do is privately communicate with the product developers ‘Hey, if I do this, I can get access to THAT.’ At that point, the product developers should take the time to craft a fix and quietly push it out to everyone. The public often isn’t told about this until the patch is written and available, and even then, details are withheld a few days so that, during the critical time it takes everyone to upgrade, people aren’t exploited further. This also allows people to apply one patch instead of 17, as multiple fixes can be wrapped up into one install.

    Of course that’s a perfect world scenario. There are multiple cases of exploits being announced in the wild before a fix has been made. Sometimes it’s a case of an over-enthusiastic reporter, but also sometimes the people who report the bug get mad at how long it takes to fix it, and release the information in order to speed up the process. There are unprintable words for those fools, and the fact that they can’t understand how they’re making the situation worse is sad.

    By its nature, an exploit no one knows about is the one you can’t protect yourself from. That’s why vulnerability disclosure is such a touchy subject. Sometimes the fixes are really easy, but more often they’re not. Think of a vulnerability in your car: the gas tank. Anyone can walk up, unscrew your fill cap, and pour in anything they want. That they don’t has more to do with the fear of retribution than anything else, but they certainly could. Also vulnerable? Your mail. I can’t tell you how many times I see the mail carrier leave the cart on the sidewalk while she goes in to deliver our mail. Someone could steal the mail, but rarely does that happen.

    In 2008, a DNS cache poisoning vulnerability was discovered. (ZDNet – Has Halvar figured out super-secret DNS vulnerability? by Ryan Naraine | July 21, 2008, 2:12pm PDT) The details of the exploit itself are inconsequential to this story. When the vulnerability was discovered, the folks ‘in charge’ asked for a thirty-day embargo where no one would ask about it or talk about it, to allow the code to be patched and deployed. This radio silence would end with a news release and explanation. This did not work as well as one might have hoped. (ZDNet – Vulnerability disclosure gone awry: Understanding the DNS debacle by Ryan Naraine | July 22, 2008, 7:09am PDT) People accused the organizers of performing a bit of media hacking (i.e. social hacking) and spinning the news to make a bigger impact for themselves. Essentially, they claimed there were no altruistic reasons to keep the lid on the issue.

    When you see a report of a zero-day exploit, the important thing is not to panic. Firstly, check to see if there’s already a patch. Secondly, remember that just because you’re vulnerable does not mean someone’s spiked your gas tank. Thirdly, accept reality for what it is and know that you’ll be impacted at least once in your life, and that’s okay.

    If you know how to recover from this, you’re better off. But that’s another topic.

  • WordPress: Change HTML Editor Font

    WordPress: Change HTML Editor Font

    Starting with 3.2, the WordPress HTML editor has become monospaced. Yay! Problem is that it looks best on a non-Windows PC, so some of my friends who happen to be Windows users have the grumpy.

    I made an htmleditor.php file and tossed it into my mu-plugins folder. You can use the folder in single and multisite WordPress, and it makes any php files in there act similar to your functions.php. I find it preferable since you don’t have to port to a new theme, should you change it. Read What is the MU-PLUGINS folder? if you need more help.

    <?php
    /*
    Plugin Name: HTML Editor
    Plugin URI:  https://halfelf.org/hacks/wordpress-html-editor-font/
    Description: I don't like the HTML editor Font on Windows
    Version: 1.0
    Author: MA Epstein
    Author URI: https://ipstenu.org/
    */
    
    function html_editor_admin() {
            ?>
            <style type="text/css">#content #editor, #editorcontainer #content, #editorcontainer textarea#content, #editorcontainer textarea, div#postdivrich.postarea #editorcontainer textarea#content { font: normal 13px/1.5 verdana !important; }</style>
    <?php }
    
    add_action('admin_head', 'html_editor_admin');
    ?>
    

    You can obviously change font: normal 12px/1.5 Monaco, monospace !important; to whatever you like.

    Enjoy!

  • Introducing HEO

    Introducing HEO

    We all know that SEO is ‘Search Engine Optimization.’ I humbly suggest we pay better attention to HEO – Human Experience Optimization.

    After you spend hours and hours optimizing your site for search engines, you should sit back and think about the humans who are reading your site. This should be blindingly obvious to everyone, but more and more we hear about how you should make your URLs SEO friendly, or your post excerpts/slugs/format/meta-data the best to get highly ranked in Google. At a certain point, you’re missing the goal of a website.

    A website is not for search engines, a website is for humans.

    Humans like to be able to find what they want relatively painlessly. They like to know when something was written (or when whatever it’s about took place). They like to be able to search, sort, surf and select. They like to know weird things. It’s your job to make sure that when a user hits your site, they stay.

    Fonts

    I’ve mentioned before that font choices matter on your site. Perhaps the most important thing to remember about fonts is that people have to be able to read them. A lot of sites make their fonts very small, which forces viewers to hit Ctrl-+. This is one of Jakob Nielsen’s pet peeves. Users should be able to control their font size, but you should also set your font starting size to something legible.

    Imagine my surprise when I went to a site and saw this:
    Example of a site with teeny tiny text

    I had to zoom in to read. That font is set to font: 11px/13px "Lucida Grande"..... Just by changing it to 12px/20px it was easier to read, but to make it a perfect starting point, it should really be 14px/20px. You’ll need to balance your font choice with the size, though, as too-thick and too-thin fonts are equally painful for people to read.

    Colors

    I’m in my mid-thirties with the best worst vision you’ll find before someone gets classified legally blind (that said, I have fantastic night vision). I cannot read black backgrounds with white text for more than a few seconds without getting after-images. I’m not in the minority of the world. There’s a reason books, eReaders, newspapers and magazines tend to print dark text on light backgrounds, and it’s not just the cost. More people can read that setup. On top of that, don’t use background images. The busier the background, the more difficult it will be to read and you’ll draw the attention away from the text.

    The colors on your site need to be easy to read, and not strain the eyes.

    Layout

    Did you know that users tend to read to the left? This sort of flow makes sense when you consider that most languages are read left-right. Jakob Nielsen points out that people spend “more than twice as much time looking at the left side of the page as they did the right.” (Jakob Nielsen’s Alertbox, April 6, 2010: Horizontal Attention Leans Left) Not only that, but people actually tend to read pages in a pretty distinct F-shaped pattern. (Jakob Nielsen’s Alertbox, April 17, 2006: F-Shaped Pattern For Reading Web Content)

    So how do you best lay out your website? I tend to think people read content better if it’s on the left, so I put the body of my text left and the sidebars right. I also take into account that newspapers and magazines break up text into columns for readability reasons, and set a fixed width to my site. That choice is somewhat controversial among my friends, but I like to look at the iPad and Kindle for examples as to why you want to not allow forever-width pages. Monitors are big, browser windows can be huge, but in the human head, eyes are spaced in a certain way. Making your page’s content too wide is a drain.

    Page Length

    There used to be a concept of ‘The fold’, which was basically that people didn’t scroll down on webpages in the early days of the web, so if they didn’t see your important content on the top half of your page (i.e. above the fold), they weren’t going to see it at all. It’s 2011. People know to scroll down a page. (Jakob Nielsen’s Alertbox, March 22, 2010: Scrolling and Attention) But you still need to make sure your site has the most important content ‘above’ the fold.

    Where’s the fold these days, though? Monitor size is a lot more variable today than it was in 1995, and the break-point on a page is getting pretty difficult to figure out. Unlike a newspaper, where the ‘fold’ is pretty obvious (unless you’re the Chicago Sun Times), you have to take a pretty good guess at where the ‘top’ of your site is. Oddly, this is a lot easier with the iPad, which currently is my benchmark for ‘the fold.’

    Keeping that in mind, page length matters! I try to keep each post no more than 1200 words, because of human attention span. If I happen to dip longer, I’ll consider breaking the post into multiples.

    Permalinks/URLS

    Samuel Wood (aka Otto) said it simply:

    Humans care about dates. Leaving a date identifier (like the year) out
    of the URL is actually de-optimizing the site for humans.

    Not everything should have a date, mind you. Resources like Wikipedia or other sites that act as repositories for static, timeless material (like a book) certainly do not need date stamps. Deciding if your site needs to include the year in the URL (like I do here), or not at all (like I do elsewhere), is something you need to think long and hard about. If you’re making a ‘traditional’ blog, or a newspaper, or some site that acts as a repository for time-based information, the answer is simple: Yes you do.

    In addition to sorting out if you need dates or not on your site, you have to think about the post format. I’m a huge proponent of pretty URLs, so I tend to lean to custom crafted URLs. On WordPress, I always review the permalink and, if I think it could be shorter, I make it so. MediaWiki defaults to whatever you want to name the page and puts that in as your page title (oddly, you can only override this with {{DISPLAYTITLE:Custom title}}, which has weird results in searches), but WordPress uses the ‘title’ of your post and makes that your page title.

    Permalink Example

    This is pretty easy to change, though. Just click on edit and make it shorter (which I strongly suggest you do in most cases).

    What else?

    I could go on and on. Like how you shouldn’t use too many ads (and whatever you use, they shouldn’t be bigger than your post content!), don’t use flashing images/text, and keep in mind your audience! What are your hot-button topics for making your site human friendly?

  • Manually Customizing the WordPress Admin Bar

    Manually Customizing the WordPress Admin Bar

    FYI – In WordPress 3.3 the Admin Bar was renamed the Toolbar, replacing the header entirely, and now has more hooks to edit it. Please read http://wpdevel.wordpress.com/2011/12/07/admin-bar-api-changes-in-3-3/ for more information.

    Since WordPress 3.1, the Admin Bar has been around and been somewhat controversial. Some people love it, some hate it, and some couldn’t care less. A lot of the time in the WP Support Forums I had to remind people that you can turn this off for yourself in your profile.

    My standard reply to people was pretty much this:

    If it’s throwing your theme out of whack, make sure you have a call to wp_footer() in your theme’s footer. The next cause for that is your theme’s css having a conflict. If it’s your avatar size, again, that’s CSS. Wanna turn the admin menu ON for EVERYONE? Use the Always Show Admin Bar Function. Like the bar but not the search? Hide Admin Bar Search Plugin is there. Want to minimise it? Admin Bar Minimiser Plugin. Want to disable it selectively? Admin Bar Disabler Plugin can do that.

    Finally if you MUST turn it off… you can add one of these to your functions.php

    add_filter( 'show_admin_bar', '__return_false' );
    show_admin_bar(false);
    show_admin_bar(0);
    

    OR use the Disable Admin Bar plugin.

    FYI, if you put the plugin in a folder called mu-plugins (yes, you can do this on Single Site as well as MultiSite) then your users won’t be able to un-install it unless they go in via FTP. Just put the mu-plugins folder in the same level as themes and plugins (wp-content/mu-plugins) and copy the FILE (not the folder) for the plugin into there. Done.

    Now me? I like having it on. I used to have it turned on for all users, all visitors, everyone all the time. Recently, when I re-designed some sites, I removed that functionality because it was showing too much info to people who were suffering from information overload. Once I pulled the admin bar off for non-logged in users, I realized I wanted to change the way it worked.

    The normal admin bar is actually pretty straightforward. The pretty icon of your user ID with a drop down menu rocks. The problem I had was my site was built to keep people off the backend. I already use the rocking WP Hide Dashboard plugin, and BuddyPress is installed, so I wanted to redirect people from places like ‘My Profile’ on the unbranded WP backend to the pretty BuddyPress front end. And yes, I think all ‘user interface’ plugins should have a front-end version.

    I could have used something like WP Custom Admin Bar, but I knew I was going to want some pretty weird, granular level, control over the layout and the submenus. In order to make this look how I wanted, I had to remove menus I didn’t want (or need) and add in new ones. I did it all in a file called adminbar.php, which I tossed in the mu-plugins folder (so on a multisite it can never be turned off):

    function ipstenu_admin_bar_remove() {
            global $wp_admin_bar;
    
            /* Remove their stuff */
            $wp_admin_bar->remove_menu('my-blogs');
            $wp_admin_bar->remove_menu('my-account-with-avatar');
            $wp_admin_bar->remove_menu('appearance');
    }
    
    add_action('wp_before_admin_bar_render', 'ipstenu_admin_bar_remove', 0);
    

    The values like my-blogs and so on are the IDs of the menus you want to yank:

    • my-account-with-avatar / my-account: Links to your account. The ID depends upon if you have avatars enabled or not.
    • my-blogs: My Sites menu. For networks (aka MultiSite) only
    • edit: Post/Page edit link
    • new-content: Add New Content menu
    • comments: Comments link
    • appearance: Appearance menu
    • updates: Updates link
    • get-shortlink: Shortlink to a page

    While some of these menus only show up for the admins, I figured I may as well remove the ones I don’t need right there anyway. I’m also of the (unproven) opinion that the fewer calls I make in that admin menu, the faster my site will be. The only reason I yanked my-account-with-avatar was because I wanted to remove some of the submenus and add in my own. I found it was easier to recreate it on my own, so I did this:

    function ipstenu_admin_bar_add() {
            global $wp_admin_bar, $user_identity;
            $user_id = get_current_user_id();
    
            /* Add my stuff */
            if ( 0 != $user_id ) {
                    $avatar = get_avatar( get_current_user_id(), 16 );
                    $id = ( ! empty( $avatar ) ) ? 'ipstenu-account-with-avatar' : 'ipstenu-account';
                    $wp_admin_bar->add_menu( array( 'id' => $id, 'title' => $avatar . $user_identity,  'href' => 'https://ipstenu.org/members/'. $user_identity .'/profile/' ) );
                    $wp_admin_bar->add_menu( array( 'parent' => $id, 'title' => __( 'Edit My Profile' ), 'href' => 'https://ipstenu.org/members/'. $user_identity .'/profile/edit/' ) );
                    if ( current_user_can('manage_options') ) {
                            $wp_admin_bar->add_menu( array( 'parent' => $id, 'title' => __( 'Dashboard' ), 'href' => 'https://ipstenu.org/wp-admin/' ) );
                            $wp_admin_bar->add_menu( array( 'parent' => $id, 'title' => __( 'Network Admin' ), 'href' => 'https://ipstenu.org/wp-admin/network' ) );
                    }
                    $wp_admin_bar->add_menu( array( 'parent' => $id, 'title' => __( '<strong>Log Out</strong>' ), 'href' => wp_logout_url() ) );
            }
    }
    
    add_action( 'admin_bar_menu', 'ipstenu_admin_bar_add', 10 );
    

    But wait! If you just tried that, you found out the CSS looks like a monkey puked on your site. The avatar icon’s goobered, that pretty sprite that shows the arrow is missing. Well, that’s easily fixed with some CSS.

    In the same adminbar.php file, I put this:

    function link_to_stylesheet() {
            if ( is_user_logged_in() ) {
            ?>
            <!-- The original link tag was lost from this page; point this at your own admin bar stylesheet -->
            <link rel="stylesheet" href="PATH/TO/YOUR/adminbar.css" type="text/css" media="screen" />
            <?php
            }
    }
    
    add_action( 'wp_head', 'link_to_stylesheet' );
    

    If you only hook it to wp_head you still get the fugly on the admin side. That’s easily fixed with a second action call: add_action('admin_head', 'link_to_stylesheet');

    Now you can make your admin bar have the menus (or submenus) you want to your heart’s content too!
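    The same menu replacement, written as an added example (not the post’s own code) against the 3.3+ Toolbar API mentioned at the top: the display name is escaped before it lands in the bar’s markup, the profile URL is built from the URL-safe nicename, and the Dashboard/Network Admin links are both capability-gated and generated by WordPress instead of hard-coded. It assumes, as the post does, that BuddyPress member pages live under /members/<name>/; the example- prefixed IDs are arbitrary.

```php
<?php
/*
Plugin Name: Hardened Admin Bar (example)
Description: Added example for the mu-plugins folder; not the original post's code.
*/

// Remove the stock nodes by ID (the IDs are the ones listed in the post).
function example_admin_bar_remove( $wp_admin_bar ) {
    foreach ( array( 'my-blogs', 'my-account-with-avatar', 'my-account', 'appearance' ) as $id ) {
        $wp_admin_bar->remove_node( $id );
    }
}
add_action( 'admin_bar_menu', 'example_admin_bar_remove', 999 );

function example_admin_bar_add( $wp_admin_bar ) {
    if ( ! is_user_logged_in() ) {
        return; // nothing to add for anonymous visitors
    }
    $user = wp_get_current_user();

    // Assumption: BuddyPress member pages live under /members/<nicename>/.
    // user_nicename is the URL-safe slug; the display name is free text and may
    // contain spaces or markup, so it never goes into a URL here.
    $profile_url = home_url( '/members/' . rawurlencode( $user->user_nicename ) . '/profile/' );

    // Display names are user-supplied: escape them before they enter the Toolbar markup.
    $avatar = get_avatar( $user->ID, 16 );
    $title  = $avatar . esc_html( $user->display_name );
    $id     = ! empty( $avatar ) ? 'example-account-with-avatar' : 'example-account';

    $wp_admin_bar->add_node( array(
        'id'    => $id,
        'title' => $title,
        'href'  => esc_url( $profile_url ),
    ) );
    $wp_admin_bar->add_node( array(
        'parent' => $id,
        'id'     => 'example-edit-profile',
        'title'  => __( 'Edit My Profile' ),
        'href'   => esc_url( $profile_url . 'edit/' ),
    ) );

    // Back-end links only for users who can actually use them. admin_url() and
    // network_admin_url() follow the install, so the domain is never hard-coded.
    if ( current_user_can( 'manage_options' ) ) {
        $wp_admin_bar->add_node( array(
            'parent' => $id,
            'id'     => 'example-dashboard',
            'title'  => __( 'Dashboard' ),
            'href'   => admin_url(),
        ) );
    }
    if ( is_multisite() && is_super_admin() ) {
        $wp_admin_bar->add_node( array(
            'parent' => $id,
            'id'     => 'example-network-admin',
            'title'  => __( 'Network Admin' ),
            'href'   => network_admin_url(),
        ) );
    }

    // wp_logout_url() includes the nonce WordPress requires on a logout request.
    $wp_admin_bar->add_node( array(
        'parent' => $id,
        'id'     => 'example-logout',
        'title'  => '<strong>' . __( 'Log Out' ) . '</strong>',
        'href'   => wp_logout_url(),
    ) );
}
add_action( 'admin_bar_menu', 'example_admin_bar_add', 1000 );
```

    Drop it into wp-content/mu-plugins as a single file, as the post describes; the remove hook runs at priority 999 so the core nodes already exist when it fires.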

    While you can take my work for your starting point, here are the links I found helpful when I was kicking all this around:

    SumTips: Customize WordPress Admin Bar by Adding/Removing Links
    WP Engineer: Add Menus to the Admin Bar of WordPress
    Digging Into WordPress: Admin Bar Tricks

  • The Truth In Presentation

    The Truth In Presentation

    By now, the internet knows about how the Gay Girl in Damascus was a hoax and Paula Brooks of Lez Get Real is a straight man. These aren’t the first people to be caught ‘faking it’ to tell a story. In fact, both Tom MacMaster (‘Amina’ from Gay Girl in Damascus) and Bill Graber (‘Paula’) claimed to do what they did with the best intentions. They had seen the way gays are treated and felt that, as men, their point of view would be dismissed. Where this crosses the line from ‘best intentions’ and wanders right into out and out deception, however, is where they begin lying to cover their tracks.

    Look, this isn’t new. George Eliot (who wrote Silas Marner) was a woman. James Chartrand of Men with Pens fame is actually a woman. George Eliot did it to protect her personal life, James Chartrand did it to make a living. (Her story about the whys, hows and repercussions is pretty awesome.) There’s a long history of people using pen names, and a lot are mentioned in Carmela Ciuraru’s new book Nom De Plume: A Secret History of Pseudonyms.

    Pretending to be someone else is draining. You’re constantly aware of pronouns and speech patterns. Do I sound like who I am supposed to be? I’ve done it before as a social experiment in college, to see if someone can ‘fake’ being a man online so well that no one would know.(Of note – this was in the early 90s, so things were pretty new then.) I did it so well that, when I carried on doing it for a few more years, there was a hilarious point where I was flirting with my girlfriend (she knew the truth behind the ‘character’) on a public forum, and someone felt it was important to tell me that she was both taken and a lesbian.(This may be why so many people think I’m a man online… I guess I ‘write male.’)

    Using a pen name is something we all accept and can understand. It’s when you delve into the complete fake persona that the world gets a little hinky. ‘Paula’ was a deaf lesbian, who had a girlfriend, kids, and a father who answered the phone and ‘interpreted’ for her (most people think the ‘father’ was actually Graber). At some point, ‘Paula’ killed off her girlfriend. And ‘Amina’? She told in depth details about her parents, how she hid in secret rooms (ala Anne Frank), and how most of her family had to leave the country.

    These people became deceitful when they crafted complex dramas for their fake lives, and wrapped in layers upon layers of excuses and explanations as to why they can’t meet you.(My excuse is the truth – I’m really shy and nervous around meeting new people.) The bigger the lie, the more likely they are to get caught. ‘Amina’ was caught because her blog claimed she was arrested and no one in Damascus could find information on her.

    And this is where the technology aspect of the drama unfolds. This becomes a post about technology and not just a rant about deception when you realize how careful you need to be to keep up the lies. If ‘Paula’ left a comment on my blog, her IP address would be logged. If she, subsequently, said ‘I’m in Amsterdam this week and…’ I could look at her IP and sort out where she really was. If she was using something like The Tor Project (aka Onion routing) to hide her location, I would be suspicious.

    Thankfully, for people like me who spend time worrying about impersonators, you can peel back the onion layers of Tor and deduce who people are. Currently, there is no 100% reliable way to back-trace an IP through all the Tor layers, but simply the use of it on common, casual sites would be enough to raise eyebrows and some risks. (If you’re really interested in tracing Tor/Onion users, read Practical Onion Hacking.) In 2007, a German blogger acting as a Tor provider was arrested because someone used his service to download child porn.

    Why would someone want to use Tor at all? Tor is great for doing things you aren’t supposed to be doing, and while a lot of the time that means impersonation, trolling and general internet assholery, it also can be used to allow information to be posted from places where a repressive government doesn’t permit it, or where it would be socially unacceptable if you were found out. Like if ‘Amina’ had been real, her use of Tor would make sense. If you really were a persecuted lesbian in a hostile environment, you would use Tor to make your blog posts so the local government couldn’t track you down at your house. Assuming they don’t know how to hack a Tor setup.

    Besides the technical aspects, there’s a lot of social engineering that goes on behind impersonation. ‘Paula’ turned herself in after constant questions from the news (I should mention that the Paula Brooks story is even more intricate and crazy than originally thought! Bilerico reports on the inconsistencies, and the more we learn the less we seem to know about the ‘real’ person behind Paula Brooks), but ‘Amina’ was found out only after red flags were raised when people tried to help the poor arrested girl. In both cases, there were enough holes in their stories that people began to question the ‘facts’ as well as the motives. There is a difference between using a pen name to protect yourself (or to advance your career) and creating a whole persona. The difference between James Chartrand and someone like JT LeRoy is that James didn’t create an elaborate backstory, James just wrote under a pseudonym. It’s most likely that no one ever asked if James was really a man, they just assumed. There are a lot of ways, legally, to do that. Get a good lawyer you can trust, and they can act as your proxy in all things. Now no one has to know.

    Law &amp; Order has done a couple of episodes based on this phenomenon. Some are about the people who use plastic surgery to hide themselves, another on the woman who hired an actor to ‘play’ her male persona and was betrayed, and so on and so forth. It makes for good TV, I’ll admit, but the truth is that all of those people were found out, and many times before their ‘death.’

    I think the most ironic thing to come from the whole mess is this:

    In the guise of Paula Brooks, Graber corresponded online with Tom MacMaster, thinking he was writing to Amina Arraf. Amina often flirted with Brooks, neither of the men realizing the other was pretending to be a lesbian. (Source: Washington Post – ‘Paula Brooks,’ editor of ‘Lez Get Real,’ also a man)

    Between the technical and social engineering weaknesses, using a pen-name to craft an entirely new identity is something that can get your credibility shot. There’s a reason we leave false identities up to people like WitSec or the CIA. It’s hard, and the costs of being found out are devastating.

  • The Redistribution of Apps

    The Redistribution of Apps

    Mac is going virtual. They’ve finally agreed they’re a hardware company (yay) and they’re trying to make it easier to install software. No longer will you go to the store, but you will log on to the App Store and download. Apparently the App Store is already bigger than Best Buy. The big news of the month was iCloud (and iTunes Match), where you can sync your data across multiple devices. Wirelessly. Okay, that is pretty cool. But the announcements didn’t get everything right.

    The concept of mobile redistribution of applications is not a new one, but Apple, as always, is attempting to do it more elegantly than before. At the very least, the ability to sync (for free) my documents among multiple devices at once is worth the price of admission. I like to write on my iPad and my laptop, after all. While iCloud isn’t out to the public yet (Lion, the next OS 10.7, comes out in July, so I would expect iCloud by Christmas), we can speculate on how it will handle the sharing of more than just data.

    Here’s what I think they need to have to make this a winner:

    Torrent-style downloads

    I have two laptops and three iOS devices. That means I have to run upgrades multiple times, and some of these are pretty big. Do you know what happens if your net craps out in the middle of a 200meg download of iOS 4? You get to start over! The new Lion OS is a 4G install, and it’s a disk-less revolution. Great, that means it’s cheaper ($30 vs $130), but that also means I have to download it for each computer I need to upgrade, and I have to pray my net doesn’t blow up in the middle. Which brings me to…

    Backup to Disk

    I know we’re going diskless, and that’s great, but if I legitimately buy a product, I should be able to sneaker-net it if I want to. Frankly, it’s going to be faster than downloading if I have to upgrade more than 10 computers. I won’t bottleneck things with 10 concurrent 4G downloads all at once. While you can’t really do that with the iOS stuff, I wish I could use one download for all my iDevices. Of course, with the new idea of AirDrop we could…

    Copy Between Computers

    Why not come up with a way to flag up to 5 computers as your ‘home network’ and, if they’re all on the same IP range, let them share installs? So I download Lion, and then AirDrop it to my other computer. Done! To a degree, it looks like iCloud will be able to do this, but it seems to only be for data. For photos, music, documents, etc that’s great. Those aren’t all of what I do. I write code. What about webpages I work on? I like to have those backed up too. In fact, the best way to do this would be….

    iCloudShare!

    If I have a Time Capsule, why not let me store all my installers there, register my computers on TC, and then have a local repository of my paid for installs, so I can download them at any time? Think of it as having your own personal little cloud where all your stuff is there, and then when you want to re-install, off you go! Mind you, I already know from experience that if I restore from backup between computers, I can copy over all my apps and preferences. With the new iCloud they’re working on this for iOS apps, which is something they certainly can do. Then you can bring in ….

    MyCloud

    The real replacement for MobileMe would be MyCloud. Work with ISPs so you can plug a Time Capsule (now renamed Cloud Maker) into your network hub, and it automatically makes it so you can connect your registered computers no matter where they are. I would restrict full backups to LAN (local area network – i.e. only at home) only, but you can sync docs and whatever else you want no matter where you are (like DropBox, only at home).

    So what do you say, Apple?