Half-Elf on Tech

Thoughts From a Professional Lesbian

Author: Ipstenu (Mika Epstein)

  • Managing User Permissions

    Managing User Permissions

    When it’s just you writing on your site, WordPress user management is incredibly basic. You have one user, you, and you do all the things. If you’re a little neurotic, you have one user who is an editor to write all your posts, and one who is an admin to do the admin things, and you religiously log in as the editor.

    But when you have a site with multiple authors, how do you handle them and their permissions? And what do you do when they leave?

    Lowest Common Denominator

The most important thing to remember with any CMS or tool is to give users the lowest possible permissions. The people who are admins can do anything, so admin should be restricted to just the people with whom you’ve discussed responsible administration, how to handle things, and who the ultimate top technical boss is. The Roles and Capabilities of WordPress can be very daunting, but the summary is very important:

    • Super Admin – somebody with access to the site network administration features and all other features
    • Administrator – somebody who has access to all the administration features within a single site.
    • Editor – somebody who can publish and manage posts including the posts of other users.
    • Author – somebody who can publish and manage their own posts.
    • Contributor – somebody who can write and manage their own posts but cannot publish them.
    • Subscriber – somebody who can only manage their profile.

    The Administrative

I strongly recommend limiting your Admin accounts to less than 5. Most people don’t need to be an admin. In fact, the only annoying thing an admin is needed for would be adding new users. Everything else that they can do is, properly, administrative and requires some technical know-how. You don’t want your copy editor updating a plugin that breaks a site, after all.

    Editors are like your moderators. They can approve posts, edit them, handle comments, and more. They cannot install and upgrade code, however, which is good. Admins (should) have server access, after all, not Editors. If you think of it that way, you may go less crazy.

    The Writers

    Your post writers come in two flavors: Authors and Contributors.

    The difference here is minimal but important. A Contributor cannot publish posts, and more importantly they cannot edit posts once published. That makes Contributor a good role for guest posters, or irregulars. If you need to review and approve every post before it’s live, this is the role for your writers. On the other hand, an Author should be someone you trust won’t go back and make naughty changes to posts after they’re approved and published.

    The biggest ‘flaw’ in Contributors is that they cannot upload files. This can be annoying, I know. If you need more robust tools for your writers, services like CoSchedule and plugins like Edit Flow may be up your alley.

    The Departed

    I don’t mean dead. What happens when your writer quits? You don’t want to delete their posts (probably) but you do want to balance their access with your security. The simplest solution is to make them a Subscriber. This means they can just read and leave comments on your site and nothing more. Their posts will still be attributed to them, but they cannot be edited.

Of course, if the departure is less than amicable, another solution is to make them a Subscriber, but then change their email and password. If you use Gmail or G Suite, a super quick email fix is to create an alias like blogadmin+username@gmail.com for your users. For example, if the removed user’s login ID is johnsmith then I would create the email blogmaster+johnsmith@example.com and use that to own the ID. This prevents johnsmith from being able to log in and change his password again.

    For cPanel you’ll need to use forwarders and for Plesk you need aliases. Both require setting them up on the server side. Sorry.
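As an added example (not the post’s own code), here is the offboarding procedure above as one WordPress function, plus the “fewer than 5 admins” head count from the section before it. It assumes it runs inside WordPress (a mu-plugin or `wp eval-file`); the function names and the `blogmaster@example.com` mailbox are placeholders.

```php
<?php
// Added example, not the post's own code. Assumes WordPress is loaded
// (mu-plugin or `wp eval-file`); function names are hypothetical.

/**
 * Offboard a departed writer: demote to Subscriber, re-own the email with a
 * plus-alias on a mailbox you control, rotate the password, end all sessions.
 * Returns the new alias on success, or a WP_Error.
 */
function halfelf_offboard_writer( $login, $owner_mailbox ) {
    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        return new WP_Error( 'no_user', "No user with login '{$login}'." );
    }
    // Never do this silently to an admin; demoting an admin is a deliberate act.
    if ( user_can( $user, 'manage_options' ) ) {
        return new WP_Error( 'is_admin', "'{$login}' is an administrator." );
    }
    if ( ! is_email( $owner_mailbox ) ) {
        return new WP_Error( 'bad_mailbox', 'Owner mailbox must be a valid address.' );
    }

    // 1. Subscriber: posts stay attributed, but the account can only comment.
    $user->set_role( 'subscriber' );

    // 2. Own the email: blogmaster@example.com -> blogmaster+johnsmith@example.com.
    //    WordPress sends its standard "email changed" notice to the old address.
    list( $box, $domain ) = explode( '@', $owner_mailbox, 2 );
    $alias  = sprintf( '%s+%s@%s', $box, $login, $domain );
    $result = wp_update_user( array( 'ID' => $user->ID, 'user_email' => $alias ) );
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    // 3. Random 32-character password the writer never sees (wp_set_password does not mail it).
    wp_set_password( wp_generate_password( 32, true, true ), $user->ID );

    // 4. Invalidate every existing login session so a stale cookie cannot be reused.
    WP_Session_Tokens::get_instance( $user->ID )->destroy_all();

    return $alias;
}

/**
 * The admin head count: list administrator logins and flag when the site is
 * at or above $max (the post recommends fewer than 5).
 */
function halfelf_admin_audit( $max = 5 ) {
    $admins = get_users( array( 'role' => 'administrator', 'fields' => array( 'user_login' ) ) );
    $logins = wp_list_pluck( $admins, 'user_login' );
    return array( 'over_limit' => count( $logins ) >= $max, 'admins' => $logins );
}

// Usage:
// $alias = halfelf_offboard_writer( 'johnsmith', 'blogmaster@example.com' );
// $audit = halfelf_admin_audit();
```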

    Custom User Roles

I say this with a heavy heart. Most sites need to stay away from this. The basic five roles will suffice for most situations, and you should really try them for a while before dismissing them. Adding new user roles in WordPress can end with no one having permission to do anything. If you use custom roles, please be very careful and make sure you know how to restore basic user permissions in a pinch.

  • The Perception of Approachability

    The Perception of Approachability

    I’m speaking at WordCamp US. Someone I don’t know pinged me and said they were happy to see I was speaking, and they’d be there from their country. I haven’t the foggiest idea who they were or why they were telling me this.

    A few years ago, at my first WordCamp San Francisco, someone followed me for a few city blocks. Or at least he tried to. I was going out and he followed me out of the area. I paused, we chatted a moment and as I tried to leave, he kept talking. This pattern repeated until I finally said “I need to go. Good bye.” He kept talking. I spotted a female WordCamper I knew and she immediately came up and told me my wife was on her phone and was mine broken? Not at all. We lied. But I went with it, checked, looked shocked that it didn’t light up, and said it must be dead. I took her phone and proceeded to start a fake conversation that my wife had locked herself out of the car, 3000 miles away.

In 2015, I was at a WordCamp where someone was very much crowding up in my personal space to talk. I quickly stepped back and when he leaned in, held up my hand and asked for personal space. At another WordCamp later that year, a similar thing happened to a friend of mine. I saw she was agitated and wanted the conversation to end, so I walked up and smiled and said I’d been looking for her. I knew the man, I thanked him, apologized for interrupting, wished him a good day, and he nodded and walked off.

    These are pretty normal events in my life.

    It’s a common, regular occurrence for people like me.

    I talk to hundreds of strangers a day in my work. I email at least 30 people a day with notes about their code. I converse with customers, co-workers, and a lot of random people. I don’t know many of them. We are not friends, these random people and I. We are not besties. We are not people I hang out with on their couch and play rude games. But the perception is, since we’ve had some conversations, we’re somehow closer than normal.

    And yet all four of those people, all men by the way, seemed to assume a level of connection that I did not. They all immediately felt I was ‘one of them’ and monopolized my time, not taking the social cues of ‘no’ until it was stated, and even then I had to be forceful.

    Flip the tables.

Have I ever felt this way about women? Actually yes. I’ve had women at WordCamps do the exact same thing. In 2014 someone kept asking me question after question about being a Woman in WordPress, until I politely turned to another woman and pointed out she too wanted to talk to me. In every case with women, however, they get it when I try to redirect the conversation to ‘I need to leave’ or ‘this conversation should end now’ and they get it without rancor or offense.

    This happens outside WordPress too. It’s actually a great deal worse outside WordPress. But in many cases, people attribute a greater level of friendship to an online social connection than I seem to.

    Of course there are exceptions. Most of my greatest friends came from random internet connections. People who, literally, changed my life with a job recommendation, held me while I sobbed over a death, had a girly sleepover where we giggled until 1am when we totally shouldn’t have since we had to be up at 6am for volunteering, offered me a couch, schwarma, or even just a gentle “Hey, I’m here for you. Are you okay?” They too came from this online place.

    So what’s the difference?

    We’re more approachable online, certainly. We let our barriers down and we engage more because it’s (mostly) safer. We can talk about how we feel, we can sob, and no one sees us. We’re freer. And with this freedom and honesty comes a ‘connection’ that sometimes transforms into true and honest friendship, and sometimes doesn’t.

    But when we move the online relationship into a physical one, we worry. We worry if the person is who they presented themselves to be and we worry if we’re going to get hurt. Many women worry if we’re going to be physically hurt. And we can’t tell. We often have no way to figure this out until it’s too late.

    I don’t have a solution to this problem, but I can tell you this. When I meet new people, even at a WordCamp, and when strangers reach out and tell me they’re excited to meet me, I receive that with a little trepidation and caution. I text my wife to tell her where I am, who I’m with, and if I’m worried. This is unlikely to change any time soon, and has nothing to do with the US political climate. What it has to do with is the understanding of what exactly makes up our connection.


  • Hiya: Bye-a Spammers!

    Hiya: Bye-a Spammers!

    Do you get calls from scammers and telemarketers?

    Trick question! We all do!

    I stopped getting so many recently, thanks to Hiya. The claim?

    Hiya identifies the calls you want to pick up and automatically blocks the ones you want to avoid.

    And guess what? As of iOS 10.1 it sure does. I installed it after a day when I had eight scammer credit card calls in a row. In November, a day happened when I got a series of robocalls, and I didn’t answer any of them. My phone flashed, said it had a call, and then it went away, like a hangup. Curious, I popped into my call log to see who’d butt dialed me and saw Hiya flagged the number as a scammer.

    They were right. They’ve been nothing but right since I installed it and configured it, and I’ve been unbothered by crazy phone calls.

Setting up the app is onerous, I’ll warn you. On an iPhone, after I installed Hiya, I had to go into Settings -> Phone -> Call Blocking & Identification. There I had an option for Hiya to allow the app to block calls and provide caller ID. And once I toggled that on, it took minutes for my phone to sync everything up but … Once it was done, the app worked exactly as expected.

    The bother went away.

Now for the dark side. Hiya needs access to your contacts. Their privacy policy isn’t fully clear on what they do with it, but they do say they take the numbers in your contacts to build a whitelist. After all, people you add to your contacts aren’t likely to be spammers. But they also claim not to use your information, sell it, or market to your contacts. They also don’t sell to third parties.

As a California resident, I can write and request (once a year) a list of everyone they gave my information to, so I may do that later, but they appear to be on the up and up. They’re FTC governed, though given that the drama with all this started because the FTC is doing fuck all at stopping spammers, your mileage may vary.

    Me? I’m kicking scammers to the curb.

  • Chronic Infections: Blacklisted

    Chronic Infections: Blacklisted

    If you use Chrome, you may be used to those warnings about how a site is dangerous (or hacked) and maybe you shouldn’t visit it. If that happened to your site, you’d get an email if you use Google Webmasters (which I recommend you do), and then after you clean it up you can ask for a rescan. Or if you don’t, Google will rescan the site after a while and if it’s clean, carry on.

    That ends.

Google found out something we’ve all known for a while, and that’s that people can be evil and malicious. And what they’ve done is created a ‘repeat offenders’ blacklist, for sites that clean up only to allow themselves to be reinfected. As they say, “Sites that repeatedly switch between compliant and noncompliant behavior within a short window of time will be classified as Repeat Offenders.”

    This is dangerous for users when a hack is outside their control.

    The number one cause of reinfections is not plugging the hole. In the case of things like WordPress, it’s down to upgrading everything, deleting anything with a known hack or backdoor, and locking down users. Hacks like Pharma, where the database becomes vulnerable and repeatedly re-infects a site, are thankfully rare for WordPress, but the same cannot be said of other CMS applications.

And far worse than that: what happens when your ad network is the cause of the hack?

    Recently, a friend of mine was hacked and got upset that his webhost’s scan of his site said it was clean, while Google did not. In looking at the site, I pointed out the hack was from his ads and not the files on the webhost. His webhost’s scanner didn’t hook into Google’s Safe Browsing service so of course it didn’t come up. He was pissed off about the host missing it, but once I explained why, he realized the magnitude of the issue.

By adding an ad service to your site, you’re effectively trusting their behavior. And some ads are pretty scummy. While Google AdSense (and others) are usually pretty quick to kick-ban those idiots, the damage will be pretty hardcore. It takes but a small moment for a high-traffic site to serve up enough malware to make that attacker’s plan worthwhile. And worse, if the same kind of person gets in again and again (which happens) and your site is infected multiple times, you will end up on the shit-list.

That’s enough FUD on it. Let’s talk about mitigations.

    We’re all going to need to get better at figuring out where the malware is from. All of us. Security companies are going to lose money if they can’t stop repeat attacks, and since even the best firewall can’t stop shitty ads, all our scanner tools are going to need to be better about detecting what the cause is and where it’s from. This is going to be hard, since the ad may be gone by the time the site scan runs.
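As an added example (not the post’s own code) of “figuring out where the malware is from”: a file-only scan of the webhost never sees what an ad creative injects into the page, so this inventories the third-party origins in a page as the browser rendered it (for instance the DOM saved from a browser, not the theme files). The sample HTML, the `.test` hosts and the allowlist are constructed placeholders.

```php
<?php
// Added example, not the post's own code: list the third-party origins a
// rendered page pulls in (scripts, iframes) that are not on your allowlist.
// Sample HTML, hosts and allowlist are constructed placeholders.

/**
 * Return [origin => [tag src, ...]] for every external script/iframe in $html
 * whose origin (scheme://host) is not in $allowed. Protocol-relative URLs are
 * treated as https; relative URLs are same-origin and skipped.
 */
function halfelf_third_party_origins( $html, array $allowed ) {
    $dom = new DOMDocument();
    libxml_use_internal_errors( true );          // real pages are rarely well-formed
    $dom->loadHTML( $html );
    libxml_clear_errors();

    $found = array();
    foreach ( array( 'script', 'iframe' ) as $tag ) {
        foreach ( $dom->getElementsByTagName( $tag ) as $el ) {
            $src = trim( $el->getAttribute( 'src' ) );
            if ( $src === '' ) {
                continue;                            // inline script: no origin to report
            }
            if ( strpos( $src, '//' ) === 0 ) {
                $src = 'https:' . $src;
            }
            $parts = parse_url( $src );
            if ( empty( $parts['host'] ) ) {
                continue;                            // relative URL: served by this site
            }
            $origin = ( $parts['scheme'] ?? 'https' ) . '://' . strtolower( $parts['host'] );
            if ( ! in_array( $origin, $allowed, true ) ) {
                $found[ $origin ][] = $tag . ' ' . $src;
            }
        }
    }
    return $found;
}

// Constructed rendered page: the theme's script, the ad network's loader you
// signed up for, and an iframe the ad creative added at runtime.
$page = <<<HTML
<html><body>
<script src="/wp-content/themes/x/main.js"></script>
<script src="https://ads.adnetwork.test/loader.js"></script>
<iframe src="//rogue-creative.test/landing.html"></iframe>
</body></html>
HTML;

$allowed = array( 'https://ads.adnetwork.test' );
print_r( halfelf_third_party_origins( $page, $allowed ) );
```

Run it against a DOM capture taken while the bad creative was live; a capture taken later may be clean again, which is exactly the timing problem the paragraph above describes.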

    Google will need to tell us what they know a lot better. I don’t know if they will, but they’ll need to figure something out. At the same time, I get why they may not want to. It tips the hand to tell malicious people exactly how you caught on to them, but at the same time telling people “Your ads are serving up malware” would be impactful and hopefully not too harmful. I’m on the fence there.

    Finally, we all know ads on the internet are shit. We’re all barely making money off them. So if you get infected by an ad vendor twice, it’s time to turn those ads off and look for something new. If that ad vendor is Google, open a ticket with them and provide evidence that they’re hurting your SEO and could cause you to get on that repeat offender list.

    Yes, this is making a hard decision, but it’s one you must make. If you’re being betrayed by your ads, you need to quit them.

  • Clear Communication

    Clear Communication

    “Your guidelines should be so clear as to not permit so much wriggle room,” he said.

I stared at my screen for a moment, feeling my neck heat up with the sheer arrogance of his implication. Besides the fact that I did spend quite a bit of time trying to make them as transparent and clear as possible, it’s a known impossibility.

    Anyone who’s ever written anything knows that it will always be interpreted by someone in an unintended way. Have a look at the US Constitution, which we’re still arguing about to this day. It’s categorically impossible to write anything in a way that will be perfectly understood by everyone who reads it, past, present, or future.

Let’s step back though and think about what the point of such a statement might be.

    Everything we write for the purposes of education should be as clear as possible, in order to minimize confusion. We can all agree on that. Guidelines, documentation, how-tos, and the like are all for education. When you write a story, a novel for example, you don’t need to write for clarity but for a different purpose. I won’t get into that today.

    To that end, his statement was correct. We should write our guidelines not to permit wriggle room.

However, when we consider what the guidelines were, and please note they are indeed guidelines and not rules, we hit a different situation. Guidelines are meant to direct people into doing what is expected of them. Some can be as clear as “Don’t steal” but others have to be a little more broad like “Don’t hurt people intentionally.” That’s a very big statement, and while it’s certainly a good guideline for any group, enforcing it without specific examples is always going to be problematic.

    The difference between rules and guidelines is that rules can be clear, while guidelines must allow for interpretation. And even with rules, it’s categorically impossible to write them in a way that will never ever be misconstrued.

    So what do we do?

    We write things as clearly as possible. We state, upfront, that the guidelines have an intended purpose and what that is. We remind people that the guidelines cannot cover each and every possible permutation of events. We admit that some of these will be up to the discretion of the people enforcing them. We write a disclaimer that we are human and we are mortal.

    We do our best. And if someone says “These could be better” we ask “How? Please help.”

    I can tell you from experience, less than 1% of people who complain about your guidelines will help, though.


  • The Privilege of Privacy

    The Privilege of Privacy

Ask 100 women online where they live, and the majority will give you a vague answer.

    California.

    Chicago.

    LA.

    Orange County.

    Those are enormous locations. While you probably could have found me in Chicago, if you asked enough people, you’d need to know a lot more than just the city. And now? Good luck. Most of my neighbors don’t know me. Their kids do, go figure, but it’s not the 1950s anymore.

The longer a woman (or any minority) has been online, the less likely they are to want to talk about their location online. At least not in public. We get used to the constant, low level, shit throwing people say. People will ask what kind of ‘creature’ we are for posting a Vine, or call us ‘the hot one.’ It’s something I’m constantly pushing back at, and being vocally against, but it’s me against the world, and sometimes it’s a Sisyphean struggle.

    But that doesn’t mean some people don’t have my home address. It means the people who do are people I trust and respect. I know that they won’t generally just show up at my house (unless there’s a crisis).

    So what happens when you know, say, that I live in New Jersey and someone mentions WordCamp Jersey in a public chat?

    You shut the hell up and don’t say “Hey, Ipstenu lives there, you should ping her!” No, you ping me directly and say “Hey, Billy was talking about WC Jersey. I thought you mentioned living nearby. Did you know about that?” And that way you give the public information to the private individual.

    This seems to be an odd concept to people who come from a place of general safety and security. Yes, I’m talking about you, heterosexual cisgender white christian men. They tend to be the most flagrant abusers of personal information that I’ve seen online.

    When I ran a forum, I had a rule that basically read like this: People’s personal information is just that, theirs and personal. If they say “I live in Wyoming” that’s cool, but you don’t get to speak for them. And yes, I banned people for violating that after they were warned.

    Most of the time, personal information that is privileged is obvious. If I run a website, I have your IPs and email. I don’t give them away to ad collectors without your consent because that’s just a shitty thing to do. It’s unethical. In some places it’s illegal. That’s why you’ll get disclaimers on what information is tracked, or notes about how to opt-out.

But less understood is the concept that information you and another person discuss in private is just that. Private. It shouldn’t be less understood; it’s basically the same thing. You are in a place of privilege whereby you have access to information others do not. That privilege comes with responsibility.

    So let me lay this out for you.

    If someone tells you a thing in private, it’s not always yours to repeat.

    If someone tells you a personal thing in private, it’s definitely not yours to repeat.

    For example, if someone tells you “Hey, I think I’m gay.” you absolutely, 100%, do not EVER turn around and say “Oh, Bob? He’s gay.” That’s not your information. And that’s an obvious case isn’t it? Well, where I live is also an obvious case.

    The Internet is filled with doxers and harassers and people who jackhammer Hollywood Walk of Fame stars. People are attacked online, usually on Twitter or IRC or 4Chan, every single day.

It’s your job, as the holder of privileged information, to be the secret keeper. Be the friend. Keep it to yourself. And for god’s sake, if they ask you not to repeat something, either don’t repeat it or tell them outright that you will probably forget, so please don’t tell you anything.
