Half-Elf on Tech

Thoughts From a Professional Lesbian

Author: Ipstenu (Mika Epstein)

  • Encrypt My Site, Please!

    Encrypt My Site, Please!

    By now everyone running a website has heard about how Google gives sites running SSL a bit of a bump with search rankings. It’s been a year since they started doing that. The bump is not significant enough to impact most people, but making all the things HTTPS is still a good idea.

    It’s really all about security. I personally use HTTPS for the backend of my WordPress sites. Logins and wp-admin are all secure. The same is true for my MediaWiki site and my ZenPhoto gallery. I access things securely because the data I transmit could be important. Sure, it’s just passwords and such, but then you look at my site where I sell eBooks.

    That site is on the same server, the same account, and the same WordPress install as this one. You bet your ass I’m making it all secure. But this comes at a cost.

    The invention of SPDY aside, HTTPS is rarely as fast as HTTP. It can be difficult to set up caching or implement terminations like via Pound or Nginx in order to cover for the fact that Varnish doesn’t cache SSL. These things aren’t impossible to do. They’re just harder. And they’re generally going to be slower than plain old HTTP.

    The question has never been if they can or cannot be done, but if they can by entry-level people. Certainly we can say “If they’re not using SSL for all the things, they’re not ready for a great volume of business” and use it as a demarcation for things. And when we’re communicating our private lives, we should certainly consider this. But then, this site, where only I log in?

    Do you need SSL? Would it make you feel better or more secure? All you can do is comment. Do you need the feel-good? Do I need the extra security? If I decide yes, then I have to consider the weight this puts on my site. I have to consider how best to cache the content.

    I also have to think about how to get a certificate and SSL certs can be the biggest Internet scam out there.

    It’s how much for a multi-domain, including subdomain, SSL cert a year? A few hundred? It’s a bigger hassle than the EU Vat drama. It’s expensive, it’s a hassle to get set up, and install. Now thankfully, next month we’re expecting Let’s Encrypt to show up and they’ll make the cost less prohibitive. It doesn’t make the drama of installing the certs any better, but it’ll lower the bar for people who are trying to make things secure.

    Yes, you can get StartSSL for free, but it’s not as simple as all that. When all you need is one certificate, it’s only about $10 a year and that’s fine. When you start getting into the need to secure all the things, it’s a mess.

    What has to happen next, though, is for sever software to step up. Apache and nginx are both far faster now than they have been, but they’re our ultimate breakpoint. PHP has to push itself to handle things better and faster, lest we run over to HHVM. We are getting better of course, but if we want everyone to be on HTTPS, we have to make it easy.

    Not easier.

    Easy.

    The bar is still too high for the majority of people, and that’s a problem. Either we start offering hosting services to handle this or we start making the software easier. But we can’t just say “Oh, it’s simple to make your site HTTPS and fast.” because it’s not.

  • Everything Is Vulnerable

    Everything Is Vulnerable

    Every other day we hear about a tool that has a vulnerability. It’s been the servers we use, Flash, or Silverlight, or the Jeep that was hacked.

    This Is Not New

    The idea that hacking like this is new or novel is, let’s be honest, naive. In the 1800s, people used to hack into the newly born telephone system. Before that, we didn’t call it hacking, we called it conning. Yes, the confidence games people played to get others to trust them and then rip them off is the same idea as a hack.

    A hacker is someone who finds a weakness in a computer system and exploits it to some benefit. Early bank penetration tests, the ones to see if they could get at your money, were as much social engineering as technical skill. A ‘hack’ is simply something taking advantage of an exploitable weakness. This is not new to anyone or anything.

    The Scale Has Changed

    The primary difference between the hacks of old and the ones today is the scale of those hacks. Hacks used to be very personal for a reason: there was no world wide network. Your hacks had to be local and careful, because no one trusted the stranger. You can to build up credibility before taking your win. Of course, now we have near instant communication with the entire world. That means it’s milliseconds to access the server of someone in Africa, all from your happy NYC Starbucks.

    The difference is that now, when someone says “And Flash has a security vulnerability” the number of people impacted is in the millions. And the number of people who can be hurt by it is, similarly, high.

    We’ve spend years trying to create a global internet, and in doing so we’ve quickly shared communicable internet diseases with each other.

    Nothing Is Unhackable

    My boss and I were chatting about the ways one might hack the stock exchange, and he pointed out that one of the ways they slowed down trades was by having a really long cable.

    38-mile coil of fiber-optic cable
    Credit Stefan Ruiz for The New York Times

    This cable, and yes it’s real, is literally used to create a small delay in processing of orders, to level the playing field with traders. In short, it makes sure that the trades from across the ocean run at the same speed as the ones for the people in the room of the New York Stock Exchange. Each additional mile of fiber-optic cable adds 8 microseconds to a transaction, which adds up to 304 microseconds. Among other things this is hard to hack. You can’t send a software signal faster than it goes (physics being what it is), so it made things harder to hack.

    The next Mission Impossible movie will involve Tom Cruise being slowly lowered into the box with that cable in order to shorten it invisibly. Only Cruise can do it because only he is small enough.

    That was my joke. But it’s actually rather demonstrative to the point. You can physically hack things as well.

    Analyze The Risk

    To quote my father, “What can go wrong? How likely is it? What are the consequences?”

    That’s why I don’t own a wifi pluggable garage door or thermostat. Do I think they’re cool? Yes. Do I think they could make much of my life easier? Yes! But they’re new and they’re toys, which means people spend a lot of time poking at them and digging into the underlayer to see how and why they work. Which means people are finding hacks daily.

    That means the likelihood of someone figuring out how to use my thermostat to drive my budget through the roof is pretty high. Someone already did that to his ex-wife if that review is to be believed. Of course he had the access in the first place, but it proves one point. If you get access, you can do things.

    Change it to my garage door? Or my front door? Say good bye to my things. I know I’d be a target because I’m using the pricy toys to start with.

    Educate Yourself

    If you can not do stupid things, the odds of you being hacked are low.

    By stupid things, I mean using insecure passwords. I mean logging in on public WiFi to do your banking. I mean installing any old plugin on a WordPress site running a store.

    The things you know are dangerous.

    Don’t be stupid. Make backups. Be prepared for disaster.

  • Mailbag: Debugging .Com

    Mailbag: Debugging .Com

    From Wesley:

    It’s a one-word question though so I hope it won’t take you too long: my blog is free, which means it’s a .com, not .org [redacted] so I cannot install plugins, right? And an even quicker follow up, there’s no hope for me to erase post revisions so to free space and upload a page that’s over 200K words and refuses to do so, is there? Thank you so much for your attention. Cheers

    Your site is hosted on wordpress.com so you can’t install plugins (or themes). Even on VIP you can’t, though they may do it for you. It’s a Multisite thing.

    Also you can’t erase post revisions, but you also don’t need to worry about that. It’s not why you can’t upload a page of over 200k words. That’s just WP timing out. I’m assuming it’s hanging and timing out… Hard to know for sure without a description of the error.

    Sadly, since it’s on .com and I don’t work for them, you will have to ask how to handle that here: https://en.forums.wordpress.com/

    My suggestion would be split the post into multiple posts. I’ve found people rarely read a post longer than 1500 words. If it was a self hosted WordPress, I’d tell you that you should check the PHP error logs, and see if it’s a PHP timeout (which would be my guess) or something else like a mod_security error. If it’s PHP, there’s not a lot you can do unless you’re on a VPS or better, but really ‘adding more PHP memory’ is not the best move.

    Storing massive amounts of data is slow. 200k in a post is huge. If you were to space it out, it would make a 580 page book, give or take. I may have done NaNoWriMo before. Anyway, the point is that’s why we invented chapters in the first place. I have a mental image of a guy on an old manual page press, being handed the 580 pages to typeset, and breaking down. He’s sitting in a corner, crying, rocking back and forth.

    Today he’s your database. Your database is sitting in a corner with PHP, crying. “Why are you giving me so much to do at once, PHP?” And poor PHP is sobbing. “I don’t know, I can’t even handle it!”

    Anyway. Smaller posts. People won’t read 200k in one go. Not even speed readers.

  • Making a WP-CLI Plugin

    Making a WP-CLI Plugin

    I love wp-cli. It makes my life so much easier in so many ways.

    I’ve added in some basic commands to some of my plugins because it makes things easier for others. And as it happens, adding wp-cli commands to your plugins isn’t actually all that hard. But did you know you don’t have to?

    The Basic Code

    For our example I’m going to make a command called halfelf and it’s going to have a sub-command called ‘stats’ which outputs that the HalfElf is alive. And that looks like this:

    WP_CLI::add_command( 'halfelf', 'HalfElf_CLI' );

class HalfElf_CLI extends WP_CLI_Command {

	/**
	 * Get HalfElf Stats
	 *
	 * ## EXAMPLES
	 *
	 * wp halfelf stats
	 *
	 */
	public function stats( ) {
		WP_CLI::success( __( 'HalfElf is currently alive.', 'halfelf' ) );
        }
}

    The docblock controls the output for the help screen, which is possibly the most brilliant thing about it.

    Of course, all that does is make a command that doesn’t rely on any WordPress plugin, which is cool. Here’s a different example. In this one, I’m triggering a command to my logger function to reset the backup log or to view it:

    
	/**
	 * See Log Output
	 *
	 * ## OPTIONS
	 *
	 * empty: Leave it empty to output the log
	 * 
	 * reset: Reset the log
	 *
	 * wp dreamobjects logs
	 * wp dreamobjects logs reset
	 *
	 */

	public function log( $args, $assoc_args  ) {
		if ( isset( $args[0] ) && 'reset' !== $args[0] ) {
			WP_CLI::error( sprintf( __( '%s is not a valid command.', 'dreamobjects' ), $args[0] ) );
		} elseif ( 'reset' == $args[0] ) {
			DHDO::logger('reset');
			WP_CLI::success( 'Backup log reset' );
		} else {
			file_get_contents( './log.txt' );
		}
	}

    Because wp-cli runs as WordPress, it has access to WordPress commands and functions.

    But. Where do we put this file?

    In a WordPress Plugin

    If you want to use that code in a WordPress plugin, you put it in a file called wp-cli.php (or whatever you want) and then call it in your main WordPress plugin file like this:

    if ( defined( 'WP_CLI' ) && WP_CLI ) {
	require_once( 'wp-cli.php' );
}

    If you do that, I would recommend putting this at the top of your wp-cli.php file.

    if (!defined('ABSPATH')) {
    die();
}

// Bail if WP-CLI is not present
if ( !defined( 'WP_CLI' ) ) return;

    That will prevent people from calling the file directly or in other ways.

    In the case of my DHDO code, I added in this check:

    if( class_exists( 'DHDO' ) ) {
	WP_CLI::add_command( 'dreamobjects', 'DreamObjects_Command' );
}

    That means if (for whatever reason) DHDO can’t be found, it prevents you from doing things.

    On It’s Own

    But. That first command doesn’t need a plugin, does it? So if it doesn’t need a plugin, could I still use them? The answer is of course. The wp-cli.php file is the same, but where you put it changes. This will all be done in SSH. You could do it in SFTP if you wanted.

    In your home (or root) directory we have to make a folder called .wp-cli – please note the period, it’s like your .htaccess file. Except it’s a folder. In there you’re going to make a folder called commands and in that folder we’ll put another one for our commands. Like if I’m putting my HalfElf commands out there, I’d make a folder called halfelf and in there I put my command file command.php

    That gives me this: ~/.wp-cli/commands/halfelf/command.php

    However that doesn’t act like plugins or themes or mu-plugins, you have to add the command to another file. I know, I know. Make a file called config.yml and put it in .wp-cli so you have this: ~/.wp-cli/config.yml

    The content of that file is this:

    require:
  - commands/halfelf/command.php
  - commands/some-other/command.php

    And that’s it! Now you’ve got some command line tools for your WordPress site!

  • Don’t Publish Bad Code

    Don’t Publish Bad Code

    I thought it was self evident, but two of my more respected programer friends missed the point or, rather, took notice with one aspect.

    So let me rephrase what I meant when I said it was okay to write bad code.

    Write all the bad code you can. Learn from it. Make it better. But the code you publish should be the goddamned best damn code you’re capable of writing at that moment in time.

    The point I was trying to make was not to let the fear of ‘This code is shit’ stop you from learning and improving. That’s like saying if you can’t play a piece of music the first time out, you should quit. That’s stupid! Few people can do that! The rest of us have to practice and learn and keep going.

    And yes. That means sometimes when we give a public performance we screw up. That doesn’t mean we shouldn’t perform. That doesn’t mean we shouldn’t fail.

    You’re going to fail, okay? Just give up on that wish. Everyone fails. We fail more times than we succeed, and that failure hurts more than the success feels good.

    When you do a thing, do it to the best of your abilities and no less. If you’ve left a comment of “Come back and fix this.” then you damn well go fix it before you release the code. Writing bad code is no excuse to slack off, it’s an acceptance that not everyone gets it right from the start and you’re going to have to learn from it.

    So learn.

  • Rant: Chrome is the New Nanny Browser

    Rant: Chrome is the New Nanny Browser

    Part of my job is to look at possibly naughty and dangerous sites. Usually Chrome gives me an ‘are you sure?’ warning before I look at a hacked site, and I understand why. But see, my job involves me going to known hacked sites, seeing what’s going on, reverse engineering, and fixing. So yes, Chrome, I need that ‘I’m sure’ option.

    Lately Chrome hasn’t been giving me an option. It’s been saying no.

    So I went to the documentation, Can’t download files on Chrome, to find out how to turn it off and I was annoyed.

    If you don’t want Chrome to show you download warnings, you can turn off your phishing and malware protection setting. Turning off these warnings will also turn off other malware and phishing alerts:

    I want phishing protection!

    Actually what I want is Chrome to say “This download may harm your computer. Don’t download it if you have auto-expand or auto-run on for downloaded files. Are you sure you want to download this?” and default to NO.

    And no, I’ve not figured out how to do this yet.