Half-Elf on Tech

Thoughts From a Professional Lesbian

Author: Ipstenu (Mika Epstein)

  • The Perception of Approachability

    I’m speaking at WordCamp US. Someone I don’t know pinged me and said they were happy to see I was speaking, and they’d be there from their country. I haven’t the foggiest idea who they were or why they were telling me this.

    A few years ago, at my first WordCamp San Francisco, someone followed me for a few city blocks. Or at least he tried to. I was going out and he followed me out of the area. I paused, we chatted a moment and as I tried to leave, he kept talking. This pattern repeated until I finally said “I need to go. Good bye.” He kept talking. I spotted a female WordCamper I knew and she immediately came up and told me my wife was on her phone and was mine broken? Not at all. We lied. But I went with it, checked, looked shocked that it didn’t light up, and said it must be dead. I took her phone and proceeded to start a fake conversation that my wife had locked herself out of the car, 3000 miles away.

    In 2015, I was at a WordCamp where someone was very much crowding up in my personal space to talk. I quickly stepped back and when he leaned in, held up my hand and asked for personal space. At another WordCamp later that year, a similar thing happened to a friend of mine. I saw she was agitated and wanted the conversation to end, so I walked up and smiled and said I’d been looking for her. I knew the man, I thanked him, apologized for interrupting, wished him a good day, and he nodded and walked off.

    These are pretty normal events in my life.

    It’s a common, regular occurrence for people like me.

    I talk to hundreds of strangers a day in my work. I email at least 30 people a day with notes about their code. I converse with customers, co-workers, and a lot of random people. I don’t know many of them. We are not friends, these random people and I. We are not besties. We are not people I hang out with on their couch and play rude games. But the perception is, since we’ve had some conversations, we’re somehow closer than normal.

    And yet all four of those people, all men by the way, seemed to assume a level of connection that I did not. They all immediately felt I was ‘one of them’ and monopolized my time, not taking the social cues of ‘no’ until it was stated, and even then I had to be forceful.

    Flip the tables.

    Have I ever felt this way about women? Actually yes. I’ve had women at WordCamps do the exact same thing. In 2014, someone kept asking me question after question about being a Woman in WordPress, until I politely turned to another woman and pointed out she too wanted to talk to me. In every case with women, however, they get it when I try to redirect the conversation to ‘I need to leave’ or ‘this conversation should end now’ and they get it without rancor or offense.

    This happens outside WordPress too. It’s actually a great deal worse outside WordPress. But in many cases, people attribute a greater level of friendship to an online social connection than I seem to.

    Of course there are exceptions. Most of my greatest friends came from random internet connections. People who, literally, changed my life with a job recommendation, held me while I sobbed over a death, had a girly sleepover where we giggled until 1am when we totally shouldn’t have since we had to be up at 6am for volunteering, offered me a couch, shawarma, or even just a gentle “Hey, I’m here for you. Are you okay?” They too came from this online place.

    So what’s the difference?

    We’re more approachable online, certainly. We let our barriers down and we engage more because it’s (mostly) safer. We can talk about how we feel, we can sob, and no one sees us. We’re freer. And with this freedom and honesty comes a ‘connection’ that sometimes transforms into true and honest friendship, and sometimes doesn’t.

    But when we move the online relationship into a physical one, we worry. We worry if the person is who they presented themselves to be and we worry if we’re going to get hurt. Many women worry if we’re going to be physically hurt. And we can’t tell. We often have no way to figure this out until it’s too late.

    I don’t have a solution to this problem, but I can tell you this. When I meet new people, even at a WordCamp, and when strangers reach out and tell me they’re excited to meet me, I receive that with a little trepidation and caution. I text my wife to tell her where I am, who I’m with, and if I’m worried. This is unlikely to change any time soon, and has nothing to do with the US political climate. What it has to do with is the understanding of what exactly makes up our connection.

  • Hiya: Bye-a Spammers!

    Do you get calls from scammers and telemarketers?

    Trick question! We all do!

    I stopped getting so many recently, thanks to Hiya. The claim?

    Hiya identifies the calls you want to pick up and automatically blocks the ones you want to avoid.

    And guess what? As of iOS 10.1 it sure does. I installed it after a day when I had eight scammer credit card calls in a row. In November, a day happened when I got a series of robocalls, and I didn’t answer any of them. My phone flashed, said it had a call, and then it went away, like a hangup. Curious, I popped into my call log to see who’d butt dialed me and saw Hiya flagged the number as a scammer.

    They were right. They’ve been nothing but right since I installed it and configured it, and I’ve been unbothered by crazy phone calls.

    Setting up the app is onerous, I’ll warn you. On an iPhone, after I installed Hiya, I had to go into Settings -> Phone -> Call Blocking & Identification. There I had an option for Hiya to allow the app to block calls and provide caller ID. And once I toggled that on, it took minutes for my phone to sync everything up but … Once it was done, the app worked exactly as expected.

    The bother went away.

    Now for the dark side. Hiya needs access to your contacts. Their privacy policy isn’t fully clear on what they do with it, but they do say they take the numbers in your contacts to build a whitelist. After all, people you add to your contacts aren’t likely to be spammers. But they also claim not to use your information, sell it, or market to your contacts. They also don’t sell to 3rd parties.

    As a California resident, I can write and request (once a year) for a list of everyone they gave my information to, so I may do that later, but they appear to be on the up and up. They’re FTC governed, though given that the drama with all this started because they’re doing fuck all at stopping spammers, your mileage may vary.

    Me? I’m kicking scammers to the curb.

  • Chronic Infections: Blacklisted

    If you use Chrome, you may be used to those warnings about how a site is dangerous (or hacked) and maybe you shouldn’t visit it. If that happened to your site, you’d get an email if you use Google Webmasters (which I recommend you do), and then after you clean it up you can ask for a rescan. Or if you don’t, Google will rescan the site after a while and if it’s clean, carry on.

    That ends.

    Google found out something we’ve all known for a while, and that’s people can be evil and malicious. And what they’ve done is created a ‘repeat offenders’ blacklist, for sites that clean up only to allow themselves to be reinfected. As they say, “Sites that repeatedly switch between compliant and noncompliant behavior within a short window of time will be classified as Repeat Offenders.”

    This is dangerous for users when a hack is outside their control.

    The number one cause of reinfections is not plugging the hole. In the case of things like WordPress, it’s down to upgrading everything, deleting anything with a known hack or backdoor, and locking down users. Hacks like Pharma, where the database becomes vulnerable and repeatedly re-infects a site, are thankfully rare for WordPress, but the same cannot be said of other CMS applications.

    And far worse than that is this. By which I mean what happens when your ad network is the cause of a hack?

    Recently, a friend of mine was hacked and got upset that his webhost’s scan of his site said it was clean, while Google did not. In looking at the site, I pointed out the hack was from his ads and not the files on the webhost. His webhost’s scanner didn’t hook into Google’s Safe Browsing service so of course it didn’t come up. He was pissed off about the host missing it, but once I explained why, he realized the magnitude of the issue.

    By adding an ad service to your site, you’re effectively trusting their behavior. And some ads are pretty scummy. While Google Adsense (and others) are usually pretty quick to kick-ban those idiots, the damage will be pretty hardcore. It takes but a small moment for a high-traffic site to serve up enough malware to make that attacker’s plan worthwhile. And worse, if the same kind of person gets in again and again (which happens) and your site is infected multiple times, you will end up on the shit-list.

    That’s enough FUD on it. Let’s talk about mitigations.

    We’re all going to need to get better at figuring out where the malware is from. All of us. Security companies are going to lose money if they can’t stop repeat attacks, and since even the best firewall can’t stop shitty ads, all our scanner tools are going to need to be better about detecting what the cause is and where it’s from. This is going to be hard, since the ad may be gone by the time the site scan runs.
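
    One way to start tracing where ad-served content comes from, as an added example (not the author's or any scanner's code): it lists the third-party script and frame URLs in a page's HTML, which a file scan on the host never sees, and builds a Safe Browsing Lookup API v4 request body for them. The page URL, hostnames, `client_id` and sample HTML are constructed, and nothing is sent.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute makes the browser fetch and run remote content.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class ResourceCollector(HTMLParser):
    """Collect absolute URLs of active content referenced by a page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_TAGS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            # urljoin also resolves protocol-relative (//host/x) references.
            self.urls.append(urljoin(self.page_url, value))


def site_of(host):
    """Crude site guess: last two labels (assumption; wrong for .co.uk-style suffixes)."""
    return ".".join(host.lower().split(".")[-2:])


def third_party_urls(page_url, html):
    """Return active-content URLs served from outside the page's own site."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    own = site_of(urlparse(page_url).hostname or "")
    found = []
    for url in collector.urls:
        host = urlparse(url).hostname
        if host and site_of(host) != own and url not in found:
            found.append(url)
    return found


def safe_browsing_request(urls, client_id="example-site-audit"):
    """Build the body for a Lookup API v4 threatMatches:find call (not sent)."""
    return {
        "client": {"clientId": client_id, "clientVersion": "0.1"},
        "threatInfo": {
            "threatTypes": ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE"],
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


# Constructed sample page: one local script, an ad tag, an ad iframe, an image.
SAMPLE_HTML = (
    '<script src="/wp-includes/js/jquery/jquery.js"></script>'
    '<script src="//ads.adnetwork.example/tag.js"></script>'
    '<iframe src="https://cdn.adnetwork.example/slot?id=1"></iframe>'
    '<img src="https://images.other.example/logo.png">'
)

if __name__ == "__main__":
    urls = third_party_urls("https://www.mysite.example/", SAMPLE_HTML)
    print(json.dumps(safe_browsing_request(urls), indent=2))
```

    It only sees tags present in the static HTML; anything an ad tag loads at runtime needs a browser-based crawl.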

    Google will need to tell us what they know a lot better. I don’t know if they will, but they’ll need to figure something out. At the same time, I get why they may not want to. It tips the hand to tell malicious people exactly how you caught on to them, but at the same time telling people “Your ads are serving up malware” would be impactful and hopefully not too harmful. I’m on the fence there.

    Finally, we all know ads on the internet are shit. We’re all barely making money off them. So if you get infected by an ad vendor twice, it’s time to turn those ads off and look for something new. If that ad vendor is Google, open a ticket with them and provide evidence that they’re hurting your SEO and could cause you to get on that repeat offender list.

    Yes, this is making a hard decision, but it’s one you must make. If you’re being betrayed by your ads, you need to quit them.

  • Clear Communication

    “Your guidelines should be so clear as to not permit so much wriggle room,” he said.

    I stared at my screen for a moment, feeling my neck heat up with the sheer arrogance of his implication. Besides the fact that I did spend quite a bit of time trying to make them as transparent and clear as possible, it’s a known impossibility.

    Anyone who’s ever written anything knows that it will always be interpreted by someone in an unintended way. Have a look at the US Constitution, which we’re still arguing about to this day. It’s categorically impossible to write anything in a way that will be perfectly understood by everyone who reads it, past, present, or future.

    Let’s step back though and think about what the point of such a statement might be.

    Everything we write for the purposes of education should be as clear as possible, in order to minimize confusion. We can all agree on that. Guidelines, documentation, how-tos, and the like are all for education. When you write a story, a novel for example, you don’t need to write for clarity but for a different purpose. I won’t get into that today.

    To that end, his statement was correct. We should write our guidelines not to permit wriggle room.

    However, when we consider what the guidelines were, and please note they are indeed guidelines and not rules, we hit a different situation. Guidelines are meant to direct people into doing what is expected of them. Some can be as clear as “Don’t steal” but others have to be a little more broad like “Don’t hurt people intentionally.” That’s a very big statement, and while it’s certainly a good guideline for any group, enforcing it without specific examples is always going to be problematic.

    The difference between rules and guidelines is that rules can be clear, while guidelines must allow for interpretation. And even with rules, it’s categorically impossible to write them in a way that will never ever be misconstrued.

    So what do we do?

    We write things as clearly as possible. We state, upfront, that the guidelines have an intended purpose and what that is. We remind people that the guidelines cannot cover each and every possible permutation of events. We admit that some of these will be up to the discretion of the people enforcing them. We write a disclaimer that we are human and we are mortal.

    We do our best. And if someone says “These could be better” we ask “How? Please help.”

    I can tell you from experience, less than 1% of people who complain about your guidelines will help, though.

  • The Privilege of Privacy

    Ask 100 women online where they live, and the majority will give you a vague answer.

    California.

    Chicago.

    LA.

    Orange County.

    Those are enormous locations. While you probably could have found me in Chicago, if you asked enough people, you’d need to know a lot more than just the city. And now? Good luck. Most of my neighbors don’t know me. Their kids do, go figure, but it’s not the 1950s anymore.

    The longer a woman (or any minority) has been online, the less likely they are to want to talk about their location online. At least not in public. We get used to the constant, low level, shit throwing people say. People will ask what kind of ‘creature’ we are for posting a Vine, or call us ‘the hot one.’ It’s something I’m constantly pushing back at, and being vocally against, but it’s me against the world, and sometimes it’s a Sisyphean struggle.

    But that doesn’t mean some people don’t have my home address. It means the people who do are people I trust and respect. I know that they won’t generally just show up at my house (unless there’s a crisis).

    So what happens when you know, say, that I live in New Jersey and someone mentions WordCamp Jersey in a public chat?

    You shut the hell up and don’t say “Hey, Ipstenu lives there, you should ping her!” No, you ping me directly and say “Hey, Billy was talking about WC Jersey. I thought you mentioned living nearby. Did you know about that?” And that way you give the public information to the private individual.

    This seems to be an odd concept to people who come from a place of general safety and security. Yes, I’m talking about you, heterosexual cisgender white Christian men. They tend to be the most flagrant abusers of personal information that I’ve seen online.

    When I ran a forum, I had a rule that basically read like this: People’s personal information is just that, theirs and personal. If they say “I live in Wyoming” that’s cool, but you don’t get to speak for them. And yes, I banned people for violating that after they were warned.

    Most of the time, personal information that is privileged is obvious. If I run a website, I have your IPs and email. I don’t give them away to ad collectors without your consent because that’s just a shitty thing to do. It’s unethical. In some places it’s illegal. That’s why you’ll get disclaimers on what information is tracked, or notes about how to opt-out.

    But less understood is the concept that information you and another person discuss in private is just that. Private. It shouldn’t be. It’s basically the same thing. You are in a place of privilege whereby you have access to information others do not. That privilege comes with responsibility.

    So let me lay this out for you.

    If someone tells you a thing in private, it’s not always yours to repeat.

    If someone tells you a personal thing in private, it’s definitely not yours to repeat.

    For example, if someone tells you “Hey, I think I’m gay.” you absolutely, 100%, do not EVER turn around and say “Oh, Bob? He’s gay.” That’s not your information. And that’s an obvious case isn’t it? Well, where I live is also an obvious case.

    The Internet is filled with doxers and harassers and people who jackhammer Hollywood Walk of Fame stars. People are attacked online, usually on Twitter or IRC or 4Chan, every single day.

    It’s your job, as the holder of privileged information, to be the secret keeper. Be the friend. Keep it to yourself. And for god’s sake, if they ask you not to repeat something, either don’t repeat it or tell them outright that you will probably forget, so please don’t tell you.

  • The Privilege of Default Settings

    You’ve probably heard the analogy that being a heterosexual, white, cisgender, Christian male is playing the game of life at its easiest setting. Most things are aimed at you, from consumer products on down to expectations. Being those things causes you to come from a place of privilege, even if you’re poor. The world is aimed towards you a little more, and your default assumptions are ‘correct’ because media and everything else reinforces them.

    Sometimes when I look at the choices and decisions we make in Open Source, I think we’re falling prey to the same concept.

    The day after my team lost the World Series in 2016, I found myself struggling through an emotional (and chemical) hangover, whereby I was pretty much half the speed at thinking as I normally am. In this state of mind, I decided it was a dandy idea to sit and do some serious UI testing of products for myself as well as WordPress core. It was surprising, enlightening, and humbling.

    I know WordPress. I know it really, really well. I use it daily, I write in it every day. I monitor and support end users. I review code every day. Rarely has 36 hours passed without me learning something new about it, but also seeing a hundred people making the same mistakes. I often tell people “If I can’t figure out how to use your plugin, based on the readme, you didn’t write it well enough.” A new version of this is that when hungover me can’t figure out what your plugin does, there’s a lot more wrong.

    Related to this is the tone and language in which I am writing to you this very moment. I write from a place of decent education and intelligence. I use words like obsequious and peradventure from time to time, not because they sound cool (though they do, I like the sound of words) but because they draw your attention to the point in different ways.

    This proves beyond peradventure that the intent of the name of the product was to leverage the name of its competitor.

    I don’t actually send plugin emails with that stuff, no matter how much I think in that way. It would make people think I’m talking down to them.

    Which brings me back to my point.

    We, who create for WordPress, are in a place of exceptionally high privilege. We name drop people like Helen and Mark and Matt and Mike (no, the other Mike) without a second thought because they’re a part of our lives. We’re not trying to seem high and mighty, but these are people with whom we’ve played Cards Against Humanity, or had churros, or sat on a bed giggling like tween girls. We’ve made a tribe with people we see daily, virtually, and they’re a part of our norm.

    But to the average WordPress user? They don’t care. Or if they do, they care jealously. And worse, when we say things like how we talked and made a decision about them without their input, they feel left out. And they were. They were intentionally, mindfully, willfully left out.

    We felt our default assumptions were correct.

    We felt that we knew better.

    We felt, based on our experiences and usage and tests, that we were right.

    Well. We can be wrong. We know this. Often we trust our heads more than our hearts, making amazing mistakes by assuming we know the best from our expertise. And the biggest fallouts when it comes to our work will be in those moments. When we decide “this is right” without taking the time to use our product hung over, or to ask for more help, or to trust that gut feeling.

    This is incredibly hard to do. When you consider WordPress, there are times a feature will make it to Beta and we’ll realize we were wrong. Post Formats UI, anyone?

    As gutting as it was to pull that so late, the decision was wise and sound. Not because this wasn’t something people wanted (and might use) but because its implementation wasn’t up to snuff. It was a fundamental feeling of ‘this is wrong.’ And Mark trusted his heart in the moment and said even if the code was fine, there was something off in the using. He understood the implications, too. That how the UI was implemented would influence future work.

    It’s difficult to explain how huge that is without sounding like I’m making a mountain out of a molehill or fighting a strawman. The decisions we make in WordPress, in any project, do not live their lives out in a vacuum. The decision to make widgets, featured images, categories, custom post types, and on and on all have influenced how future features are designed and built. We know this. So when we introduce a new feature, a new flow for using features, we have to consider the future.

    And that means we need to forget our privilege of someone who knows the code, who knows the system, and who has all the benefits of experience. We need to be the first time user, the uneducated, the newbie. We have to accept that we will be wrong, and we have to be willing to admit our wrongness. To fail to do this means we’ll never learn.