Half-Elf on Tech

Thoughts From a Professional Lesbian

Author: Ipstenu (Mika Epstein)

  • Chronic Infections: Blacklisted

    Chronic Infections: Blacklisted

    If you use Chrome, you may be used to those warnings about how a site is dangerous (or hacked) and maybe you shouldn’t visit it. If that happened to your site, you’d get an email if you use Google Webmasters (which I recommend you do), and then after you clean it up you can ask for a rescan. Or if you don’t, Google will rescan the site after a while and if it’s clean, carry on.

    That ends.

Google found out something we’ve all known for a while, and that’s that people can be evil and malicious. What they’ve done is create a ‘repeat offenders’ blacklist for sites that clean up only to allow themselves to be reinfected. As they say, “Sites that repeatedly switch between compliant and noncompliant behavior within a short window of time will be classified as Repeat Offenders.”

    This is dangerous for users when a hack is outside their control.

    The number one cause of reinfections is not plugging the hole. In the case of things like WordPress, it’s down to upgrading everything, deleting anything with a known hack or backdoor, and locking down users. Hacks like Pharma, where the database becomes vulnerable and repeatedly re-infects a site, are thankfully rare for WordPress, but the same cannot be said of other CMS applications.

And far worse than that is this: what happens when your ad network is the cause of a hack?

    Recently, a friend of mine was hacked and got upset that his webhost’s scan of his site said it was clean, while Google did not. In looking at the site, I pointed out the hack was from his ads and not the files on the webhost. His webhost’s scanner didn’t hook into Google’s Safe Browsing service so of course it didn’t come up. He was pissed off about the host missing it, but once I explained why, he realized the magnitude of the issue.

By adding an ad service to your site, you’re effectively trusting their behavior. And some ads are pretty scummy. While Google Adsense (and others) are usually pretty quick to kick-ban those idiots, the damage will be pretty hardcore. It takes but a small moment for a high-traffic site to serve up enough malware to make that attacker’s plan worthwhile. And worse, if the same kind of person gets in again and again (which happens) and your site is infected multiple times, you will end up on the shit-list.

That’s enough FUD on it. Let’s talk about mitigations.

    We’re all going to need to get better at figuring out where the malware is from. All of us. Security companies are going to lose money if they can’t stop repeat attacks, and since even the best firewall can’t stop shitty ads, all our scanner tools are going to need to be better about detecting what the cause is and where it’s from. This is going to be hard, since the ad may be gone by the time the site scan runs.
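One place to start on “where is it from?” is knowing which third-party origins your pages actually load scripts and iframes from, and keeping that list from each fetch so you can spot a vendor that appeared between scans. The following is an added example, not code from the original post; the sample page and the vendor hostnames in it are constructed, and the “known vendors” baseline is a hypothetical list you would maintain yourself.

```python
# Added example: inventory the third-party origins a page pulls <script> and
# <iframe> content from, and diff that against a baseline of vendors you
# knowingly added. Everything below is constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page for https://example.com/: a first-party script,
# an ad-network script on a protocol-relative URL, a first-party CDN
# subdomain, an iframe from a second vendor, and an inline script.
SAMPLE_HTML = """
<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script async src="//ads.vendor-a.test/ads.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body>
<iframe src="https://widgets.vendor-b.test/frame?id=123"></iframe>
<script>inlineSetup();</script>
</body></html>
"""


class RemoteResourceParser(HTMLParser):
    """Collect (tag, absolute URL) for every <script> and <iframe> with a src."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if src:  # inline scripts have no src and are first-party by definition
            # urljoin resolves relative and protocol-relative (//host/...) URLs
            self.resources.append((tag, urljoin(self.base_url, src)))


def third_party_origins(html, page_url):
    """Return {hostname: [tags]} for resources not served by the site itself.

    A host counts as first-party when it equals the page's host or is a
    subdomain of it (cdn.example.com for example.com).
    """
    parser = RemoteResourceParser(page_url)
    parser.feed(html)
    site_host = urlsplit(page_url).hostname
    found = {}
    for tag, url in parser.resources:
        host = urlsplit(url).hostname
        if not host or host == site_host or host.endswith("." + site_host):
            continue
        found.setdefault(host, []).append(tag)
    return found


def new_origins(current, known_vendors):
    """Hostnames seen now that are not in the baseline you deliberately added."""
    return sorted(host for host in current if host not in known_vendors)


if __name__ == "__main__":
    seen = third_party_origins(SAMPLE_HTML, "https://example.com/")
    print("third-party origins:", seen)
    # Hypothetical baseline: you added vendor A on purpose, vendor B is new.
    print("not in baseline:", new_origins(seen, {"ads.vendor-a.test"}))
```

Running it against a live fetch of your own page at intervals, and keeping each result, gives you the record the scanner lacks when the ad creative is already gone.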

    Google will need to tell us what they know a lot better. I don’t know if they will, but they’ll need to figure something out. At the same time, I get why they may not want to. It tips the hand to tell malicious people exactly how you caught on to them, but at the same time telling people “Your ads are serving up malware” would be impactful and hopefully not too harmful. I’m on the fence there.

    Finally, we all know ads on the internet are shit. We’re all barely making money off them. So if you get infected by an ad vendor twice, it’s time to turn those ads off and look for something new. If that ad vendor is Google, open a ticket with them and provide evidence that they’re hurting your SEO and could cause you to get on that repeat offender list.

    Yes, this is making a hard decision, but it’s one you must make. If you’re being betrayed by your ads, you need to quit them.

  • Clear Communication

    Clear Communication

    “Your guidelines should be so clear as to not permit so much wriggle room,” he said.

I stared at my screen for a moment, feeling my neck heat up with the sheer arrogance of his implication. Besides the fact that I did spend quite a bit of time trying to make them as transparent and clear as possible, it’s a known impossibility.

    Anyone who’s ever written anything knows that it will always be interpreted by someone in an unintended way. Have a look at the US Constitution, which we’re still arguing about to this day. It’s categorically impossible to write anything in a way that will be perfectly understood by everyone who reads it, past, present, or future.

Let’s step back though and think about what the point of such a statement might be.

    Everything we write for the purposes of education should be as clear as possible, in order to minimize confusion. We can all agree on that. Guidelines, documentation, how-tos, and the like are all for education. When you write a story, a novel for example, you don’t need to write for clarity but for a different purpose. I won’t get into that today.

    To that end, his statement was correct. We should write our guidelines not to permit wriggle room.

However, when we consider what the guidelines were, and please note they are indeed guidelines and not rules, we hit a different situation. Guidelines are meant to direct people into doing what is expected of them. Some can be as clear as “Don’t steal” but others have to be a little more broad, like “Don’t hurt people intentionally.” That’s a very big statement, and while it’s certainly a good guideline for any group, enforcing it without specific examples is always going to be problematic.

    The difference between rules and guidelines is that rules can be clear, while guidelines must allow for interpretation. And even with rules, it’s categorically impossible to write them in a way that will never ever be misconstrued.

    So what do we do?

    We write things as clearly as possible. We state, upfront, that the guidelines have an intended purpose and what that is. We remind people that the guidelines cannot cover each and every possible permutation of events. We admit that some of these will be up to the discretion of the people enforcing them. We write a disclaimer that we are human and we are mortal.

    We do our best. And if someone says “These could be better” we ask “How? Please help.”

    I can tell you from experience, less than 1% of people who complain about your guidelines will help, though.


  • The Privilege of Privacy

    The Privilege of Privacy

Ask 100 women online where they live, and the majority will give you a vague answer.

    California.

    Chicago.

    LA.

    Orange County.

    Those are enormous locations. While you probably could have found me in Chicago, if you asked enough people, you’d need to know a lot more than just the city. And now? Good luck. Most of my neighbors don’t know me. Their kids do, go figure, but it’s not the 1950s anymore.

The longer a woman (or any minority) has been online, the less likely they are to want to talk about their location online. At least not in public. We get used to the constant, low-level shit people throw at us. People will ask what kind of ‘creature’ we are for posting a Vine, or call us ‘the hot one.’ It’s something I’m constantly pushing back at, and being vocally against, but it’s me against the world, and sometimes it’s a Sisyphean struggle.

    But that doesn’t mean some people don’t have my home address. It means the people who do are people I trust and respect. I know that they won’t generally just show up at my house (unless there’s a crisis).

    So what happens when you know, say, that I live in New Jersey and someone mentions WordCamp Jersey in a public chat?

    You shut the hell up and don’t say “Hey, Ipstenu lives there, you should ping her!” No, you ping me directly and say “Hey, Billy was talking about WC Jersey. I thought you mentioned living nearby. Did you know about that?” And that way you give the public information to the private individual.

    This seems to be an odd concept to people who come from a place of general safety and security. Yes, I’m talking about you, heterosexual cisgender white christian men. They tend to be the most flagrant abusers of personal information that I’ve seen online.

    When I ran a forum, I had a rule that basically read like this: People’s personal information is just that, theirs and personal. If they say “I live in Wyoming” that’s cool, but you don’t get to speak for them. And yes, I banned people for violating that after they were warned.

    Most of the time, personal information that is privileged is obvious. If I run a website, I have your IPs and email. I don’t give them away to ad collectors without your consent because that’s just a shitty thing to do. It’s unethical. In some places it’s illegal. That’s why you’ll get disclaimers on what information is tracked, or notes about how to opt-out.

But less understood is the concept that information you and another person discuss in private is just that. Private. It shouldn’t be less understood. It’s basically the same thing. You are in a place of privilege whereby you have access to information others do not. That privilege comes with responsibility.

    So let me lay this out for you.

    If someone tells you a thing in private, it’s not always yours to repeat.

    If someone tells you a personal thing in private, it’s definitely not yours to repeat.

    For example, if someone tells you “Hey, I think I’m gay.” you absolutely, 100%, do not EVER turn around and say “Oh, Bob? He’s gay.” That’s not your information. And that’s an obvious case isn’t it? Well, where I live is also an obvious case.

    The Internet is filled with doxers and harassers and people who jackhammer Hollywood Walk of Fame stars. People are attacked online, usually on Twitter or IRC or 4Chan, every single day.

It’s your job, as the holder of privileged information, to be the secret keeper. Be the friend. Keep it to yourself. And for god’s sake, if they ask you not to repeat something, either don’t repeat it or tell them outright that you will probably forget, so they shouldn’t tell you.


  • The Privilege of Default Settings

    The Privilege of Default Settings

    You’ve probably heard the analogy that being a heterosexual, white, cisgender, Christian male is playing the game of life at its easiest setting. Most things are aimed at you, from consumer products on down to expectations. Being those things causes you to come from a place of privilege, even if you’re poor. The world is aimed towards you a little more, and your default assumptions are ‘correct’ because media and everything else reinforces them.

    Sometimes when I look at the choices and decisions we make in Open Source, I think we’re falling prey to the same concept.

    The day after my team lost the World Series in 2016, I found myself struggling through an emotional (and chemical) hangover, whereby I was pretty much half the speed at thinking as I normally am. In this state of mind, I decided it was a dandy idea to sit and do some serious UI testing of products for myself as well as WordPress core. It was surprising, enlightening, and humbling.

I know WordPress. I know it really, really well. I use it daily, I write in it every day. I monitor and support end users. I review code every day. Rarely have 36 hours passed without me learning something new about it, but also seeing a hundred people making the same mistakes. I often tell people “If I can’t figure out how to use your plugin, based on the readme, you didn’t write it well enough.” A new version of this is that when hungover me can’t figure out what your plugin does, there’s a lot more wrong.

Related to this is the tone and language in which I am writing to you this very moment. I write from a place of decent education and intelligence. I use words like obsequious and peradventure from time to time, not because they sound cool (though they do, I like the sound of words) but because they draw your attention to the point in different ways.

    This proves beyond peradventure that the intent of the name of the product was to leverage the name of its competitor.

    I don’t actually send plugin emails with that stuff, no matter how much I think in that way. It would make people think I’m talking down to them.

    Which brings me back to my point.

    We, who create for WordPress, are in a place of exceptionally high privilege. We name drop people like Helen and Mark and Matt and Mike (no, the other Mike) without a second thought because they’re a part of our lives. We’re not trying to seem high and mighty, but these are people with whom we’ve played Cards Against Humanity, or had churros, or sat on a bed giggling like tween girls. We’ve made a tribe with people we see daily, virtually, and they’re a part of our norm.

    But to the average WordPress user? They don’t care. Or if they do, they care jealously. And worse, when we say things like how we talked and made a decision about them without their input, they feel left out. And they were. They were intentionally, mindfully, willfully left out.

    We felt our default assumptions were correct.

    We felt that we knew better.

    We felt, based on our experiences and usage and tests, that we were right.

    Well. We can be wrong. We know this. Often we trust our heads more than our hearts, making amazing mistakes by assuming we know the best from our expertise. And the biggest fallouts when it comes to our work will be in those moments. When we decide “this is right” without taking the time to use our product hung over, or to ask for more help, or to trust that gut feeling.

    This is incredibly hard to do. When you consider WordPress, there are times a feature will make it to Beta and we’ll realize we were wrong. Post Formats UI, anyone?

As gutting as it was to pull that so late, the decision was wise and sound. Not because this wasn’t something people wanted (and might use) but because its implementation wasn’t up to snuff. It was a fundamental feeling of ‘this is wrong.’ And Mark trusted his heart in the moment and said even if the code was fine, there was something off in the using. He understood the implications, too: how the UI was implemented would influence future work.

It’s difficult to explain how huge that is without sounding like I’m making a mountain out of a molehill or fighting a strawman. The decisions we make in WordPress, in any project, do not live their lives out in a vacuum. The decisions to make widgets, featured images, categories, custom post types, and on and on have all influenced how future features are designed and built. We know this. So when we introduce a new feature, a new flow for using features, we have to consider the future.

    And that means we need to forget our privilege of someone who knows the code, who knows the system, and who has all the benefits of experience. We need to be the first time user, the uneducated, the newbie. We have to accept that we will be wrong, and we have to be willing to admit our wrongness. To fail to do this means we’ll never learn.

  • Revealing Slides

    Revealing Slides

I’ve struggled with my slides for years. At first, like a lot of people, I made them showy and crammed with content. Then I had a serendipitous meeting with Laura Legendary and talked to her about the accessibility of slides. Which was, in short, that mine sucked. Yours probably do too.

Over the next 18 months, I’ve transitioned from amusing images and gobs of data to a header with images, to a header and subheader, and maybe a bullet list when needed. The amount of text on the slides is minimal. They’re not there to teach you code, because that’s a futile attempt in the first place. Learning to code from slides was a bad idea in college, and in a 30 minute session with 15 for questions, it’s worse.

    Remember college? Class was where you talked about the theory and the principle and the ideas. You got the history and the concepts and (in math class) the formulas. Sometimes you were told to look in your book because the formula was huge. Then you went to the labs and you talked about it again and did ‘experiments’ to turn the theory into reality.

    Perhaps instead of contributor day we should have lab day. Day one is sitting in presentations. Day two is learning how to apply what we learned, with the presenters as the instructors. Learned about CSS and flex box? Okay, let’s all build a flex box together!

    But we don’t. We try to cram everything into a session, to teach people the theory and the reasons why you’d use responsive CSS. And we try to give people examples and code and links. And we hope we inspire them enough to learn more and try it on their own.

    A year ago, I stopped putting practical code examples in my slides. I still do code, now and then, but I limit it as much as I can. It’ll always be hard for someone to read, it’ll always be hard for someone to understand. And I’m a very haptic learner, I learn by doing and not by reading, so I need that Hello World example to read through and try myself.

    Once I decided to do that, I slowly started stepping back my images in slides. If I need one for explanatory purposes, I’ll use it, but otherwise I keep it to plain text. And in keeping to plain text, it allowed me to reconsider my slide options.

I still use Reveal.js and I love it. Reveal.js is clean and direct to use, but sometimes it’s a little plain. It’s a little weird to add a header and a footer, and they can get cluttered and annoying. So I sat down to decide what I wanted to see in my slides.

    1) The emphasis is on the content
    2) The ‘credit’ to my company isn’t distracting
    3) A handy way for people to see the link to the slides

    The third one makes more sense when you remember that I use this to display my slides live. If I tell people to go to helf.us/wcsea2016 and I want them to remember this halfway through the talk, I need a link. I also want the slides to be there for the blind to follow along. They can plug in their screen reader and hear the slides as I go through. In addition, I have the speaker notes already in my slides. Just for added fun.

    Example Slide with link to DreamHost and the slides

    If you look at my current slides, you’ll see I have a ribbon that looks like the GitHub fork ribbon on the upper right, and a button link to my company, DreamHost, on the lower left. This is done with CSS and an image. The image is the DH logo, but the rest… Well it gets done by this:

<body>
	<div class="reveal">
		<!-- Ribbon in the upper right showing the short link to these slides -->
		<a class="github-fork-ribbon" href="http://helf.us/wcXX2016" title="http://helf.us/wcXX2016">http://helf.us/wcXX2016</a>
		<!-- "Powered by" badge in the lower left; styled by dreamhost-powered.css -->
		<div class="powered-by"><a href="https://dreamhost.com/"><img src="../assets/images/dreamhost.svg" alt="DreamHost"></a></div>
		<!-- Any section element inside of this container is displayed as a slide -->
		<div class="slides">
			<!-- one <section> per slide goes here -->
		</div>
	</div>
</body>

    The ribbon is via Fork me on GitHub CSS ribbon by Simon Whitaker, and it’s a quick line of code. The powered by stuff is my own CSS:

/* DreamHost Powered By */

.powered-by img,
.powered-by .backlink {
	height: 20px;
	background: #2F323B;
	padding: 5px;
	-moz-border-radius: 5px;
	border-radius: 5px;
}

.powered-by a:hover img {
	background: #2F323B;
	border-color: #268bd2;
	box-shadow: 0 0 20px rgba(0, 0, 0, 0.55);
}

.powered-by {
	display: block;
	position: absolute;
	bottom: 16px;
	left: 16px;
	z-index: 20;
	font-size: 45% !important;
	text-align: center;
}

    I don’t always use it. I have a file called /assets/css/dreamhost-powered.css that I call for this. If I don’t want to use that and instead want to brand differently, I can use any other CSS file because it’s all just HTML.

  • Postbox: Desktop Email That Doesn’t Suck

    Postbox: Desktop Email That Doesn’t Suck

    While I greatly prefer to use Apple’s default apps whenever possible, I’ve been using Postbox for my email for a while now, especially since I switched over to Gmail for my email hosting.

    While you can use Mail.app with Gmail, it has a lot of issues. I’m not a fan of Gmail in a web browser, either, though I do use it for other things. I like having an app separate to my browser where I can read email. Gmail was built for … well … the browser. It’s never really been a happy marriage to Mail.app, and that’s because Gmail’s IMAP isn’t really IMAP.

    Enter Postbox.

    This is an app based on the open source Thunderbird, but I find it much easier to use. It has a Windows and Mac client, and it looks clean. Since the recent update this year, it’s a purchase I’m happy to have made.

    I currently have two email accounts, one is my Gmail account and one is my ipstenu.org email… Except that second email actually houses a dozen aliases. They all get funneled to different folders based on which alias they’re sent to (or who sent the email at all). My goal was to have only my important emails land in my inbox, which basically means my wife or my family.

Postbox pretty much just works for me. It’s well documented for how to configure it for Gmail and it lets me use my keyboard to navigate between folders. I love the arrow keys to go up and down and see what my email is.

    About the only thing that annoys me is there’s a random [Gmail] folder I can’t seem to get rid of. Also you have to be careful about the Gmail All Mail folder being too large but that’s really a problem with Gmail more than any app. In fact, it’s most of why Mail.app is so terrible to use with Gmail.

Postbox isn’t perfect. It can suck up a lot of memory, and there is some hands-on configuration. This is no ‘set it and forget it’ email client, but again, that’s back to Gmail being a giant moron with regards to IMAP. When compared with Mail.app, I find it more reliable if you have multiple accounts, but also if you have a lot of dynamically sorted folders. Like I do.

    If you’re just using one Gmail account, or you don’t have a complex set of filters and rules, this is overkill. But if you do, give Postbox a try. It has a free trial after all.