Half-Elf on Tech

Thoughts From a Professional Lesbian

Author: Ipstenu (Mika Epstein)

  • How to Support Plugins

    This is not meant to be a perfect, will work for everyone, solution. But if you’ve made your first plugin and you’ve no idea how to support it, this is for you!

    I’m going to present this under the assumption that you already understand how to code, even if your coding is about as good as my French. I’m also going to assume that you are a thinking being with the ability to be rational and accept defeat.

    History first. I picked up WordPress back when MovableType decided to change their licenses, and I’ve never looked back. First it was just my blog, then I learned all the cool things I could do to it. The turning point for me was when I decided to rebuild my fansite using WordPress. While I do write code for my day job at a very large bank, I spend an awful lot of time troubleshooting for developers.

    In a nutshell, I take phone calls (and emails) from very smart, very technically savvy people, asking me questions about things I know nothing about and make them work. I support software I don’t use, I support software I don’t understand, and I support software that’s almost as old as I am. It’s a very weird job, but I like it, and I do well at it, which is why I keep my day job and just play with WordPress! And what do I do with WordPress?

    I help in the support forums!

    My job made me accustomed to taking weird questions from smart people about a brand new topic, learning what I need to in order to solve the problem, and hand them the information quickly and in an understandable way. My mom loves this, and knows she can call me about anything computer related, and I’ll find the answer for her. When I started helping on the WordPress forums, this was suddenly a skill whose worth could not be measured. I wasn’t afraid to jump in and help out on topics I was unfamiliar with because I knew I could figure it out.

    The magic to it, the secret to my power, is that I know how to learn, when to ask for help, and to admit when I don’t know.

    That’s pretty much it. And I’m going to teach you how to do it too, provided you’re willing to think, and to admit that you’re wrong sometimes. Don’t worry, I’ll be wrong right along with you!

    You are not the only user of your plugin, so be available

    Most people who write a plugin do it for a few reasons:

      • They need to do something special
      • Someone else needs something special
      • They want to feel important and praised
      • They’re a bored genius maniac (see pic on the right)

    [Image: Andrew Nacin - WordPress maniac]

    It all boils down to the idea that we do it for ourselves. There’s nothing wrong with that. Remember, as long as that plugin is just yours, sitting on your server, you could do whatever you wanted. The moment you start handing out your cool ‘just for me’ code to other people, there is a level of responsibility that you have to own up to. You’re now a developer and that means you need to help people. If your plugin is up on the WordPress repository, you are no longer making this for you, but for anyone who needs it. They’re going to ask for help, they’re going to tell you that you did it all wrong, and they’re going to be unreasonable.

    If you’re making a plugin that you don’t want to support, this better be painfully clear on the plugin readme.txt, or you will be in the running for my asshat of the year award. There’s nothing wrong with making a plugin and abandoning it, but there is something wrong with not telling people that. For the rest of us who are supporting our plugins, make sure it’s clear how they should contact you.

    The default expectation is that if I post in the forums and tag my topic with your plugin flag, you will see it and reply. There is no law that says this must be the case, but since it is the common way plugins are handled, you must be explicitly clear to people that you want to use a different method. As a forum helper, when I see someone ask for help on a plugin, I always go look at the plugin readme first. If it says ‘for support, go to…’ I always tell people to do that.

    Now that said, you still need to remember to add the RSS feed to your reader, because some people don’t read, and sometimes they’ll let you know of something huge in the forums, and not contact you correctly. I’m not saying you need to reply to them, but think of it as a CYA maneuver. There’s a great URL that anyone can use for all your plugins: http://wordpress.org/support/view/plugin-committer/YOURHANDLE

    That will update every time anyone posts about any of your plugins. If you need it to email you instead of RSS, I suggest using RSS2Email, FeedBurner or any other web-app that turns feeds into email to alert yourself.

    It’s your plugin

    At the same time, this is your plugin. You designed it to fill a certain void and damn it, if you don’t want it to have dancing monkeys, then you don’t need to! This has been where I see most developers get into ‘fights’ online. People often have unrealistic expectations for free products, and most of why I charge people for phone/email support is because it gets rid of the stupid requests and keeps me sane. If I answered every email, IM or forum post someone addressed to me with the same attentiveness and response-time I give at my day job, I’d be working 60 hours a week on a free product, with no monetary kick back. I don’t have the time for that. Neither do most people.

    The hardest lesson to learn is how to walk away when you feel responsible for your product. Even though these are your users, and these people rely on you, there is a point at which you cannot explain ‘why’ sufficiently for them to understand it. Either they’re stuck in their world, or you in yours, but regardless, you are at an impasse. And this is when you have to walk away. Tell them ‘I’m sorry, but I’m not going to do that. You’re welcome to fork the plugin if you want.’ And walk. Away. Sometimes things are just outside your scope, and if you don’t want to support the addition, you don’t have to. Don’t let people bully you into things.

    The expectations of ‘free’ plugins are crazy, and we all know that. It’s like not feeding the trolls, though. When people are unrealistic to you, you’re under no obligation to support them. But also, when things are outside the scope of your plugin, you can tell them that and be done. I’ve said no to people who wanted things added in, even after I spent a day down the rabbit hole applying code to implement their feature, because I neither wanted to support it nor did I find it useful. At the end of the day, it’s my plugin. I decide what it should do.

    Don’t forget you have a life!

    Most problems people have with plugins are literacy problems. That is, they did not RTFM, or they didn’t pass reading comprehension and are over-thinking a problem. I spent 4 hours once at work talking to a woman who didn’t understand what I meant when I said ‘If the folder’s not there, just make it.’ She was certain I was omitting a crucial step, or secret handshake. This goes back to what I said about why I have a per-hour price for personal support. I don’t have time to walk someone through the basics of how to FTP or edit a file. That’s not the support you need to offer for plugins, and if someone can’t do it, it’s okay to tell them that they need to hire someone. You have a life! Don’t let them take all your free time.

    I have other hobbies besides WordPress. I write, I play guitar, I ride my bicycle, I’m in the SCA, I do some volunteer work for bicycling, I’m part of a couple fandoms, and so on and so forth. I have a family and friends and interests outside slaving away at a computer all day and night for no compensation. So I try to balance my time and yes, that means sometimes I walk away from a coding frenzy, but sometimes you just have to. There are commitments in life, and you will have to sacrifice them sometimes. Don’t sacrifice yourself, though. Embrace your life and don’t let one obsession rule it. That will help you keep it all in perspective.

    Users are people too

    Maintaining a plugin will involve sacrifice. The first thing you’re going to lose is free time, but the second is you will lose face. You’re going to get into a fight with someone on the forums, no matter how well you mean. Part of this is because text is an imperfect medium. My father complains about it, because he says it’s not a discussion, but a debate, and most people in the US never took a debate class.

    It’s really hard to remember to be polite, especially when these people aren’t reading the damned manuals/readme/directions. I fail at it often enough that I used to joke it’s why I’d never be promoted at work or made a forum moderator for WordPress. Ironically enough, both those things happened roughly within weeks of each other. I suspect the reason is that while I do lose my cool sometimes and write angry, I mean well and try hard to be polite and do good.

    Every time I train new people in how to work our tech support, I tell them that from Thanksgiving to New Years, our busiest time of year, everyone will make at least one, massive, giant, phenomenal “Oh dear GOD am I about to be fired!?” magnitude of an error. Without fail, at least one person will promise they won’t, and I write their name on my white-board with the date. Without fail they will make a huge error. The point is that everyone makes mistakes, everyone forgets how to reset a password, everyone forgets something basic, even you. So just remember that.

    It’s okay to not know

    I don’t know how to set up domain mapping. I have to read the documentation every time, and often I ask Andrea or Ron. On the flip side, Andrea has remarked more than once that when she sees a weird .htaccess request, she defers to me. I know what I know, I know what I don’t, and I have no shame in telling someone “You know, I don’t use IIS and I really have no idea how to help you here.” If you don’t know how to do something, say so. Maybe the person you’re trying to help actually does know how to code it, or maybe someone reading it will know.

    When you make a BIG change, document the hell out of it

    Recently, W3 Total Cache pushed a new version with a lot of cool features and better tools. The problem was that many people found it broke their site. The fix was really easy. Change the new ‘default’ setting for Minify from ‘Auto’ to ‘Manual’ and set it all up manually. The problem was that the developer didn’t make this clear in an easy to find way. He tweeted about it, certainly, but he didn’t announce it anywhere easy (logical) to find.

    Now W3TC also fails on one of my critical hallmarks of support: Nowhere in the readme (or on the official WordPress repository page) does he say how to get help. I happen to know that if you want to report a bug, you go to http://yourdomain.com/wp-admin/admin.php?page=w3tc_support and use the form there. He also doesn’t link to his website, or even the plugin page on his website from the repository, nor does he mention that he doesn’t help you configure the site for free.

    While I love this program and use it on all my sites but one (at 60 hits a day, it doesn’t need it), I think he’s wrong to not spell out how support works, and he failed to explain what was happening. All we know is he fixed this:

    Fixed bug with existing installation upgrades: set minify to manual mode by default

    Nothing was clearly documented, nothing was clearly explained, and no one really knew where to go for help, which meant the forums were filled with a lot of angry, ignorant, people, getting no responses from the developer. Simply put, it looks bad, and if people feel that the support is non-existent, they’re going to get angrier, and post things like how you suck and they’re leaving your product, which makes you angry and feel bad, and less inclined to help them at all, the ingrates! It’s a vicious circle, and spirals downhill really fast and segues right into my final point…

    They’re not attacking you

    Take a deep breath. What I just said about W3TC can very easily sound like an attack. A lot of the time, people will argue they’re not attacking, they’re being passionate, and in the same breath accuse you of being overly defensive. You’re going to, rightly, be defensive and proprietary of your plugin because, as we discussed, it’s yours. You put in the sweat equity, you researched, studied and tested, and you made something awesome. It hurts when people tell you it sucks.

    Alas, they’ve forgotten you’re a person too. There isn’t a good/easy way to remind them you should be treated as a human, sadly, so when people start getting fired up and telling you that you suck and the plugin sucks, the best you can do is be the better person. I mentioned before that users are people. This is not a repetition of that fact, but a reminder to yourself that there are days where all this is going to be terrible, awful and you feel like the users have pitchforks and want your head.

    When this happens, they’re not attacking you. They don’t hate you, they just don’t know how to explain problems without hurting you, because you’re always going to be too close to the problem. I’m willing to bet Bill Gates and Steve Jobs still feel twinges of pain when people rant about their products. Like a parent, you love what you’ve created, and every slight against it feels like fishhooks in your skin. This cannot be avoided, and the best you can do is recognize that they are a little unreasonable, and that your reply is probably a little unreasonable, and stop.

    If you can’t address the situation without feeling your skin heat up or your blood pressure rise, walk away for a while. We’ll still be here.

    In Summary

    I would never say ‘don’t sweat the small stuff, and it’s all small stuff’ or anything trite like that. I will say the point of all this is to be honest, be upfront, be clear and keep it all in perspective. That way you will have both respect and your sanity.

  • WordPress: EU Compliance

    ETA: Please check out Trac #19622 – There will be a new way to do this in WP 3.4

    Before I get into this, you do not need to do anything to WordPress to comply with the EU cookie law. The legal whoo-hah is clear: Third party cookies (and cookies which track data across multiple sites) are the only ones they’re talking about. MultiSite installs are, technically, one site, all owned and managed by one person, so it’s fine. Google.com, gmail.com and anything else registered to Google would also be fine internally.

    But if you’re dead set on this…. Let me explain first.

    For WordPress, if someone comments on your blog, cookies are stored on their computer that store three things: name, email and website. Even then, they’re only put in when the user enters them. That would entail implicit agreement to having cookies put on your computer, wouldn’t it? Even if you have no idea what cookies are? That certainly is a problem. People don’t know what cookies are, why they’re on their computers, and what they can do. But is that the responsibility of website owners to educate? Certainly, you can easily add a checkbox to your comment form that says ‘save cookies,’ have it link back to an explanation about what’s going on, and make it required.

    It would be pretty easy to flip WordPress around to not save cookies for non-logged in users.

    First you change your KEYs and SALTS in the wp-config.php (you can get new ones at http://api.wordpress.org/secret-key/1.1/wpmu/salt). This will force all users to log back in.

    Next you change your registration/login page to alert people to the cookies. There are plugins for this, and on BuddyPress you can edit your theme’s template page for registration easily. By having the login/registration page say ‘hey, you’re gonna get cookies if you log in!’ you’re now in compliance with EU law!

    Finally you slap this in your header (or functions or a mu-plugin file), to delete cookies on every single page you visit, which will prevent cookies from staying on people’s computer ONLY if they’re not logged in:

    <?php if ( !is_user_logged_in() ) { wp_clear_auth_cookie(); } ?> 

    One could go even further, making a check-box to permit cookies or not, though that would be far more complicated to track. This very basic way of making the code you own compliant is enough to get you through the day and keep the enforcers off your back.
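
    The last step above, fleshed out as an added example (this is not code from the original post): it runs on the `init` hook, so it also works from a mu-plugin file, where `is_user_logged_in()` is not yet defined at load time, and it expires the commenter cookies as well, which `wp_clear_auth_cookie()` does not touch. The `example_*` function names and the file name are assumptions.

    ```php
    <?php
    /**
     * Added example (not code from the original post).
     * Assumed location: wp-content/mu-plugins/clear-guest-cookies.php (hypothetical name).
     * The example_* function names are made up for this illustration.
     */

    // Expire one cookie on the paths WordPress sets cookies for.
    function example_expire_cookie( $name ) {
    	$past = time() - YEAR_IN_SECONDS;
    	setcookie( $name, ' ', $past, COOKIEPATH, COOKIE_DOMAIN );
    	if ( SITECOOKIEPATH !== COOKIEPATH ) {
    		setcookie( $name, ' ', $past, SITECOOKIEPATH, COOKIE_DOMAIN );
    	}
    }

    function example_clear_guest_cookies() {
    	// Logged-in users keep their session cookies.
    	if ( is_user_logged_in() ) {
    		return;
    	}
    	// Cookies travel in HTTP headers; once output has started it is too late.
    	if ( headers_sent() ) {
    		return;
    	}

    	// Stale login cookies: only answer with Set-Cookie headers when the
    	// browser actually sent one, so ordinary anonymous page views get no
    	// extra Set-Cookie headers.
    	$auth_names = array( AUTH_COOKIE, SECURE_AUTH_COOKIE, LOGGED_IN_COOKIE );
    	foreach ( $auth_names as $name ) {
    		if ( isset( $_COOKIE[ $name ] ) ) {
    			wp_clear_auth_cookie();
    			break;
    		}
    	}

    	// Commenter cookies (name, email, website). wp_clear_auth_cookie() leaves
    	// these alone. The names are rebuilt from COOKIEHASH instead of echoing
    	// whatever cookie names the request carried.
    	$comment_names = array(
    		'comment_author_' . COOKIEHASH,
    		'comment_author_email_' . COOKIEHASH,
    		'comment_author_url_' . COOKIEHASH,
    	);
    	foreach ( $comment_names as $name ) {
    		if ( isset( $_COOKIE[ $name ] ) ) {
    			example_expire_cookie( $name );
    		}
    	}
    }

    // 'init' runs after the pluggable functions and cookie constants are loaded,
    // and before the theme prints anything.
    add_action( 'init', 'example_clear_guest_cookies' );
    ```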

  • Website Viewability

    The goal to make your site look cool, be easy for people to use, and be available for all, is a holy grail trifecta that is rarely achieved. Many times, you have to sacrifice one leg of the tripod in order to achieve your goals.

    The advent of Typekit has led to a lot of websites using cool custom fonts in a way that is supposed to solve that age old problem of what happens when you design your site with a font the end-user doesn’t have. For a very long time I couldn’t understand what the big deal was, since I often read these sites from work, and their fonts were all jaggedy and ugly. Then I fired up a site from home and was astounded at the difference.

    This is what I normally see when I go to TypeKit:

    This is what you’re supposed to see:

    I know it doesn’t look too bad, but basically what I don’t get are the nice, smooth, edges on fonts, so when I read a whole page like that, it’s hard on the eyes. TypeKit works by javascript, so arguably, it should work on all browsers with JS enabled (which is to say all modern browsers). I’m using Chrome (latest and greatest) and I get crap.

    That’s from Ed Jeavons’ Beyond web-safe fonts with Typekit, which is a great article. But the whole thing is unreadable to me because of that.

    So where is the break down here? TypeKit’s goal is to make their fonts work on every site, regardless of if you have the font installed on your server. Jeavons says “Typekit degrades gracefully so that anyone without JavaScript, or with a browser that doesn’t support the necessary features, will simply revert to your standard CSS rules.” If that was the case, shouldn’t I be seeing a better site?

    According to TypeKit, the problem is that the sites I’m seeing didn’t make good standard CSS rules. My anecdotal evidence suggests otherwise. After all, every site I go to has the exact same problem. So I turned off javascript and went back to the site:

    Now that looks like you’d expect graceful degradation! At this point, my answer is that something TypeKit does is unwelcome on my office computer. Or more likely, my office firewall. That’s a whole new kettle of fish. I can’t reasonably expect everyone to go find an office behind a firewall made of adamantium and test their site. But clearly this is not the fault of the individual site. Is it reasonable to expect TypeKit to look into this? I went on a search and found they have a cool little checker too, typecheck, which says I’m fine:

    There’s nothing in their FAQ or help desk that mentions Firewalls having this issue, so I decided to check out Google Web Fonts. Lo and behold, I get the same problem. Some more digging and I found someone who ‘fixed’ the problem using css. My Twitter friend @cgrymala suggested I also try ClearType, since I’m on Windows XP at work. That actually helped a lot (seriously, I cannot tell you how much nicer things look) but the main problem is still there.

    Where’s my problem? My problem is that TypeKit and Google Web Fonts, while they purport to be a one-size-fits-all/degrades-nicely app, are not. If you’re not on the forefront of technology, if you’re behind a firewall, if you’re on a weird setup, these things are not going to work. This is not really TypeKit’s or Google’s fault. They’ve done an amazing job setting things up so it works most of the time. At best, they could have their javascript detect browser and OS (yes, you can do these things) and if it’s IE 6 or Windows XP (for example), revert to the javascriptless version of the site.

    It’s nigh impossible to solve the firewall problem. You can’t detect the firewall easily, and part of the point of them is they obfuscate who and what they are. And if the problem is a combination of OS, browser and firewall, then the best you might be able to do is somehow detect if any one of those three are on the known ‘possible’ trouble list, and shunt them off to a non-js version. And now you’ve added a lot more load to your server.

    The best you can do is to avoid using these cool systems and features until they’re more supported, which is where the whole concept of sacrifice comes in. If it’s more important for you to have your site look cool than to work for everyone, you have to find a way to degrade better. For a long time I had an alert bar on my site to tell you that if you were using IE 6, you needed to upgrade. Going back further, we used to regularly make sites that said ‘Best viewed in Netscape Navigator.’ Thankfully sanity struck, web standards started to stick, and we began to design sites that looked good in most browsers.

    I cannot advocate a return to ‘Best viewed in…’, but I can suggest that if you’re relying heavily on cool, cutting edge, features, you also have a printer-friendly version of your site that runs without any of the bells and whistles.

  • On the EU Cookie Law

    ETA: Please check out Trac #19622 – There will be a new way to do this in WP 3.4

    I’m going to be bold and tell you that the new EU law, that goes into effect in the UK on May 25th, is going to be impossible to track and enforce, it’s being handled backwards, but besides that, it’s actually a pretty good idea.

    For most people outside the EU, we have no real idea about what’s going on, so here’s a short recap. As of May 25th, a change to the EU law will require businesses to request permission from visitors to their websites before they can store information about their identity, history and preferences via third-party cookies. You can read the whole details in the proposal or Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services. Those links are full of legalese.

    Now, I do want to point out that this only affects people who live in the EU. Arguably, it also only affects people who host sites in the EU, and you may be able to skirt around it by hosting in the US or Canada, but that’s a lawyer conversation. Basically, if you live in the EU and have a website that acts as a business, you’re kind of screwed. If you just have a blog with 100% personally controlled content and cookies that only come from your domain, you’re fine. The cookies, including the kind WordPress drops on your site, are not the kind they’re talking about. If your cookie is only tracking information used on your site (login information, recent comments, etc), you’re fine. If the cookie comes from someone else (like Google Analytics or Project Wonderful), then you need to explicitly tell the visitor and obtain their consent.

    This is done for a pretty good reason, when you get down to it. When you go to a restaurant and pay with your credit card, you trust that neither the credit card company nor the restaurant are going to turn around and give your personal information to some other company who uses it for their own purposes. Legally, they have to ask you for permission to use your info, and that’s why sometimes they ask for your zipcode when you’re checking out at a store (and also why you’re totally allowed to say ‘no’ when they ask). Third-party cookies, that is those put down by someone other than the domain you’re visiting, should also be ‘agreed’ to. The EU argues that just visiting a site with Google Ads does not constitute consent.

    Item #66 in the directive:

    Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

    That’s a pretty hefty thing to get through, but it clearly spells out that third party cookies are what they’re on about. And in that, they’re right. There should be transparency to all this. We should know when we’re being tracked around the internet. But they’re wrong in making this the sole responsibility of the website owners. This is not to say that, as a website owner, I’m not responsible for the cookies my site puts down. And this is not to say that, as a website owner, I shouldn’t tell people how cookies and personal information I collect are used on my site. But to say that the ‘solution’ is for me to alert you with “Hi, the EU says I have to tell you about cookies and make sure you’re okay with them on your computer.” or not to use things like Google Ads, Facebook Like buttons, or Twitter integration is unenlightened.

    The issue is not that I, as website owner, am using third party services, and it’s not even that I’m using those services in a ‘hidden’ way (I use Google Analytics on this site, which you can’t easily tell unless you look at my source code). The issue is that those services are using cookies to track you between sites. But it’s easier to go after you than it is to sort out how to go after them, at the end of the day.

    Arguably, this is also being done to protect the website owners. If a visitor agrees to have the cookies, then you’re no longer on the hook if they complain. How are they going to (1) verify that (a) you did ask first and (b) they did consent, and (2) enforce this at all? The only way this can be enforced is if someone (or a program) goes to every single website hosted in the EU, or owned by someone who lives in the EU, and checks them for cookies without explicit consent. This could be automated, and emails could be automagically sent out to the site-owners, who would in turn have to look at their software and ads and deduce what’s making the cookies. Already, the UK has said they know companies won’t meet the May 25th deadline and don’t plan to enforce the law yet.

    Let’s say that they decide they will enforce the law. How can they verify that a cookie for your site is on someone’s computer? WordPress saves cookies in the name of wordpress_verylonghashkey, where your HASH key is specific to your install. Now they do show up as ‘from’ the website domain.tld but they can be forged. The easiest way is to copy cookies from one computer to another (I just did that when I moved everything from my old desktop to the new laptop). Another way is to take the information I have in my cookie, and tweak it to apply it to someone else’s site. That way requires a lot more savvy, more information than I’m providing here, obviously, and it’s incredibly hard, but it can be done.

    If they only rely on cookies that show up when your site is visited, they have to come up with a way to verify that it’s your site that put down the cookies and the visitor agreed to have the cookies put down. They have yet to explain how they’re going to be checking sites, which means you, as a site owner, still have no idea exactly what is and is not illegal to do. Sort of hard to protect yourself against an unexplained law, and it’s worse when you remember that “ignorance of the law is no excuse.” That should cut both ways. Ignorance in creating the law is no excuse.

    There’s already a way for users to stop cookies from being stored on their computers. Every browser out there has a way to turn off cookies. Most have a way to say ‘Don’t allow third-party cookies.’ If that’s not enough, Don’t Track Us has plugins for most browsers that let you block tracking plugins.

    To make this work, the EU needs to explain how they’re going to determine if you’re in violation of the law, and how they will enforce it. They also need to take this to the streets and tell the third-party cookie makers to stop. There are ways that third party tools can work around this, and one of which could be to tell people when they log in to FaceBook “We reserve the right to use your login credentials and other account information stored in cookies on other sites.” After all, the cookie belongs to FaceBook! Or we could just not use cookies at all for that sort of thing. But that has to change at the source of the matter, the third-party, and many of them don’t tell people that their cookies are used in such a way.

    As it stands, this law won’t be enforceable, it won’t be understandable, and it will cause more hassle with the wrong people without protecting anyone at all. It’s still a great idea, but it’s just not going to work this way. All they’ve done is make a law to tell people that their hot coffee is, indeed, hot.

  • Stopping Stalkers

    We’ve all been there. One day you’re out enjoying the net, and the next you have a complete and total turd making your online life hell! What do you do? There are a lot of answers to this, but really it boils down to two types of reactions. You have to change your behavior, and you have to change your online accessibility.

    Changing your behavior is pretty obvious. Once someone starts abusing you online, calling you names, or just angry-ing up your blood, walk away. This is the hardest thing in the world, but do it. Most idiots will stop once you stop feeding them, which is why we always say ‘Don’t feed the trolls.’ When people go past your garden variety gnome moron, however, and start harassing you (and you know there’s a difference), you need to do more than just change how you react. Basically you need to stop making the problem worse. If you’re angry, you log off, walk away and grow the hell up, or you deal with the shit-storm you created.

    On the technical side of things, there’s a lot you need to do. If you’re on Facebook, Twitter, MySpace or any public forum with this person, you block them. If they evade the block by making new accounts, report them. Most sites have a policy about this, and the more you have to report them, the more likely they’ll get banned. Always remember to mention ‘I blocked this guy because he was harassing me. Now he made a new account to do it again.’ This will take a lot of doing, and a lot of arguing, but it will get things done. Block them on IM, Skype, everything you can think of that they might have.

    Once you’ve taken care of them on sites outside your control, let’s look at your site, which is the meat of this post.

    If you have a stalker, you want them to stop being able to contact you, right? If you have a blog, block their email in the comment blacklist. Just turf ’em. You don’t need to see them. If the harassment is bleeding into real life, I would moderate them instead, since you might need the comments for later proof in a legal case, but the effectiveness of that is in doubt right now (it’s too easy to fake that stuff). Make a note of the IP address and block that as well.

    In fact, block the IP from your server via .htaccess:

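    # Apache 2.2 syntax; Apache 2.4 only honors it with mod_access_compat loaded
    order allow,deny
    # a single address
    deny from 123.45.6.7
    # a partial address blocks every IP that starts with these octets
    deny from 012.34.5.
    allow from all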
    

    If you have a firewall on your server, toss the IP in there as well. This serves two purposes. Most importantly, you no longer have to deal with nasty comments, but also, you are no longer feeding the troll, because the troll can’t get in. Of course, this isn’t perfect, as most of us use multiple IPs because our addresses, even with high speed, will change. This will only become more and more futile as we get into IPv6. In fact, you may recall I once said Don’t block IPs. When I said that I was talking, specifically, about spammers and bots. Blocking them by IP is futile. But blocking your stalker? Actually effective in certain cases, because some stalkers aren’t very technical. Alas, it’s only some. When you have a smart stalker, who knows how to use proxy servers to their benefit, you have to start learning tricks like How to Block Proxy Servers via htaccess.
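    An added example, not part of the original post: a small Python helper that turns the addresses you noted into an Apache 2.4 style block list (`Require not ip` inside `<RequireAll>`), the current equivalent of the `order`/`deny` rules above. The sample addresses are constructed, and widening a single IPv6 address to its /64 is an assumption about how home connections are usually numbered.

```python
import ipaddress

# Constructed sample: addresses noted from harassing comments
# (documentation ranges), plus one entry that is not an address at all.
NOTED = ["203.0.113.7", "198.51.100.0/24",
         "2001:db8:abcd:12:a1b2:c3d4:e5f6:1", "not-an-ip"]


def to_block_networks(entries, v6_prefix=64):
    """Validate the entries and return (networks, rejected).

    Assumption: one household usually holds a whole IPv6 /64, so a single
    IPv6 address is widened to that prefix; IPv4 entries are kept as given.
    """
    nets, rejected = [], []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append(raw)  # typo or junk: never write it into .htaccess
            continue
        if net.version == 6 and net.prefixlen > v6_prefix:
            net = net.supernet(new_prefix=v6_prefix)
        nets.append(net)
    # collapse_addresses merges duplicates/overlaps; one IP version per call
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6), rejected


def htaccess_24(nets):
    """Render the networks as an Apache 2.4 .htaccess block."""
    lines = ["<RequireAll>", "    Require all granted"]
    for n in nets:
        single = n.prefixlen == n.max_prefixlen
        target = str(n.network_address) if single else str(n)
        lines.append(f"    Require not ip {target}")
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    networks, bad = to_block_networks(NOTED)
    print(htaccess_24(networks))
    print("rejected:", bad)
```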

    This won’t stop everything, of course, and I generally spend a bit of time with my firewall (I use CSF), activating the Real Time Block Lists (RBLs) and adding in certain countries to my block list using CC_Deny. I don’t like doing that, but sometimes you have to. I’m a pretty big advocate of Bad Behavior which, while it runs via PHP, can be instrumental in stopping bots. That helps me sort out proxy servers, since once you understand how Bad Behavior works, you can check its logs and weed out the proxy servers. Grown up Geek’s post on How We Block Proxies, Bots, Scrapers, Trolls & Assholes is an invaluable resource here.

    This also doesn’t stop email, and I personally filter all of mine on the server level. This does mean I keep the emails on my server, but again, this is something useful to have if these things ever go to lawyers. If you use IMAP, generally it’s okay to keep the emails up on the server, but it’s also a good idea to save them as .eml files to your computer, as they store all the data needed to trace back the emails. Most of us never need this, but the CYA is worth it.
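    An added example, not part of the original post, of what a saved .eml file holds for tracing: each mail server prepends a `Received` header, so reading them bottom to top gives the path the message took. The message below is constructed, and `mail.example.org` is assumed to be your own server; only the hop it wrote is trustworthy, since older headers could have been forged by the sender.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (documentation IP ranges, example.* hosts); not a real message.
SAMPLE_EML = (
    "Received: from mx.example.net (mx.example.net [198.51.100.25])\n"
    "\tby mail.example.org with ESMTPS id abc123;\n"
    "\tTue, 03 May 2011 10:15:02 -0400\n"
    "Received: from [203.0.113.7] (unknown [203.0.113.7])\n"
    "\tby mx.example.net with ESMTPA id def456;\n"
    "\tTue, 03 May 2011 10:14:58 -0400\n"
    "From: someone@example.net\n"
    "To: me@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def _valid_ips(text):
    """Bracketed values that really parse as IP addresses, de-duplicated."""
    found = []
    for candidate in BRACKETED.findall(text):
        try:
            ip = str(ipaddress.ip_address(candidate))
        except ValueError:
            continue
        if ip not in found:
            found.append(ip)
    return found


def trace_hops(raw, my_hosts):
    """Return the hops oldest-first, flagging those written by my_hosts."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(value.split())          # unfold continuation lines
        info, sep, stamp = text.rpartition(";")  # timestamp follows the last ';'
        if not sep:
            info, stamp = text, ""
        by = re.search(r"\bby (\S+)", info)
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            when = None
        host = by.group(1) if by else None
        hops.append({"ips": _valid_ips(info), "by": host, "when": when,
                     "trusted": host in my_hosts})
    return hops
```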

    When things start to spill over into your ‘real’ life (or at least your physical world), don’t be afraid to go get a lawyer. Yes, this will cost money, but if you’ve done all this and can use it to prove this person is escalating their behavior, a good lawyer will know how to get you a restraining order. If you’re not being stalked today, lucky you! I would strongly suggest you do a few things in advance, though! You already know not to put anything out on the net if you don’t want it found, but I would also say that if you registered a domain, consider making your registration private. That will hide your address and phone number. If they’re calling your phones, the phone company can block them, and it’s definitely worth your while to ask them to do so. Peace of mind is part of the reason, but the other is that if you ever end up in court, you can show them the phone company records.

    A word of legal advice, here. The courts recently ruled that an IP address is not a person. This means that even if you have a bunch of emails and comments and whatever from a specific IP, that alone won’t be just cause for a warrant to break the door down. That’s a good thing for most of us, and means you’ll have to do detecting the old fashioned way.

  • Learning From Failure

    Learning From Failure

    A criticality accident is what happens when there’s an increase of nuclear chain reactions. This lets loose a radiation surge that kills people. This is what happened at Chernobyl, Three Mile Island, Fukushima, and many other places. To date, twenty-two criticality accidents have occurred outside nuclear reactors (some resulting in deaths), but thus far, none have resulted in explosions.

    When we look at the death of Louis Slotin, we think ‘God, how did we not know that was dangerous?’ When we regard the Trinity Test, we think ‘How did we not know we were unleashing hell on earth?’ The fact is that we cannot see the future, and we cannot predict how far we will go. Therefore we certainly cannot see when we are too far gone before, indeed, we have gone too far. You cannot divine and magically know the unknown, though that doesn’t mean we’re in complete ignorance of the possibility.

    There is always a possibility that things can go terribly wrong, in the worst way possible. In a nuclear power plant (NPP), obviously things like a meltdown are up there on the top of the ‘worst outcome’ list. Did the scientists know there was a possibility this could happen? Of course they did. Did they know that it might leak into the ocean, pollute the land, and kill those 50 people who are still working at the plant, and who are all expected to die of radiation poisoning? Again, of course they did.

    Before any NPP is built, they go over the risks and mitigate them as best they can. They review the known risks, and solve as many as possible. But there will be a point where someone will correctly state “We’ve thought up ways to solve every problem we can come up with. Now we need a plan to handle situations where the unexpected arises.” Oh yes, they have a plan for this sort of thing too, but it’s probably really basic.

    I don’t work in NPPs, I work for a bank. We sit around and discuss things like ‘If the city of Chicago is destroyed tomorrow, how would we make sure that everyone can get to their money?’ Given that your money, like mine, is pretty much virtual and stored on computers, we do that via data integrity. Make sure that our data is all safe, secure, and backed up in multiple places. We have multiple data centers across the state, protecting your money. What about the software? It’s written to talk to those data centers. How do we compensate if one of them vanishes? The problem with those meetings is that people want to know specifics. And I always point out ‘Give me a specific situation example, and I will give you specific steps. But since every situation is different…’ Because the answer to ‘What do we do if our Chicago servers vanish?’ is ‘Route everything to this other location.’ See how that’s really basic?

    The problem with all this is we can only plan for what we can imagine, and we can’t imagine past our abilities. Should we have seen the possibility of someone flying a plane into the World Trade Center? Of course! We should have always thought ‘Hey, this nice big skyscraper sure is an easy target for someone really pissed off!’ But the probability of that happening was so low we didn’t come up with plans for how to handle it. A criticality incident happens at that point when we realize what we should have known all the time, but couldn’t have possibly known because we are not omnipotent. We are not perfect and we cannot know everything.

    In the case of a nuclear power plant, when all hell breaks loose, people die. Even today, we know that the radiation being leaked out is bad for us, for the environment, the water and animals, but we don’t know how bad. We cannot possibly know. We can guess and infer and hypothesize. But we do not know. And the only way to know is to experiment. If that doesn’t scare the pants off you, to realize that all innovation comes from an experiment that could kill us all, well, then you’re probably not aware of the hadron collider and how we all joked about how it would open up a black hole and kill us all.

    Innovation takes risk. It takes huge risks. The people who take the risks, like Louis Slotin, know that things can happen. They know that irradiating themselves to kingdom come ends with a slow and painful death, and not becoming Dr. Manhattan. We won’t become Spider-Man or any sort of godlike superhero. We. Will. Die. And we know it. And we do not stop. We cannot stop. The only way to get better, to make it safer, is to keep trying and keep dying.

    Not to be too heavy handed, but with our code, it’s the same thing. We cannot see where too-far is in our code, where danger lies, until it hits us in the face. We will destroy our programs over and over, we will crash our servers, and infuriate our customers, but we will pick up the pieces and learn and make it better the next time. This is human nature, this is human spirit and endeavor. We cannot fear failure, even if it brings death. For most of us, the worst it can bring is being fired, but really that’s not that common. I’ve found that if you step up and accept responsibility for your actions, you get chastised, warned, and you keep your job.

    When everything goes bad, it’s easy to point a finger and blame people. That’s what people do. They complain that the programmers suck and didn’t test enough, that the testers didn’t do their job, that everyone is terrible and did this just to piss them off. They rarely stop and go ‘What did I do?’ They rarely say thank you, and they rarely learn from the experience of failure. Thankfully their failures will not end in death. Money loss, certainly, and a great inconvenience to everything in your life, but you learn from this far better than you can learn from anything.

    Learning from extreme failure is not easy. It’s hard to get past that initial moment of absolute terror. It’s harder still to train the end users (clients, readers, whatever) that this is okay. This is normal and it happens to everyone, everywhere, everything. But if we cannot learn from failure, we’ll never have the courage to create again.

    Get messy. Make mistakes.